Bug#1004662: prosody: postinst keeps messing with snakeoil certs

2022-03-15 Thread Victor Seva

Hi,

On 3/15/22 10:29, Martin wrote:
> On 2022-02-01 23:07, Martin wrote:
>> There have been a number of prosody package bugs related to snakeoil
>> certs. I wonder, if it is worth the trouble?
>>
>> For most real world installations, people get LE certs or buy them or
>> they have their own CA.
>>
>> Maybe prosody package should just drop the whole snakeoil stuff?
>
> Now that 0.12 is released, it would be nice to get rid of this blocker.
> Is there a good reason to cling to snakeoil certificates?



None that I'm aware of. I'm in favor of just removing that part.

--
Victor Seva
PGP Key ID: 0x51A09B18CF5A5068




Bug#1004662: prosody: postinst keeps messing with snakeoil certs

2022-03-15 Thread Martin
On 2022-02-01 23:07, Martin wrote:
> There have been a number of prosody package bugs related to snakeoil
> certs. I wonder, if it is worth the trouble?
>
> For most real world installations, people get LE certs or buy them or
> they have their own CA.
>
> Maybe prosody package should just drop the whole snakeoil stuff?

Now that 0.12 is released, it would be nice to get rid of this blocker.
Is there a good reason to cling to snakeoil certificates?



Bug#1004662: prosody: postinst keeps messing with snakeoil certs

2022-02-01 Thread Martin
On 2022-01-31 12:21, Julien Cristau wrote:
> prosody's postinst seems to insist on creating
> /etc/prosody/certs/localhost.{crt,key}, but does this in a fragile way.

There have been a number of prosody package bugs related to snakeoil
certs. I wonder, if it is worth the trouble?

For most real world installations, people get LE certs or buy them or
they have their own CA.

Maybe prosody package should just drop the whole snakeoil stuff?



Bug#1004662: prosody: postinst keeps messing with snakeoil certs

2022-01-31 Thread Julien Cristau
Package: prosody
Version: 0.11.13-1
Severity: serious
Control: found -1 0.11.9-2+deb11u2
X-Debbugs-Cc: jcris...@debian.org

prosody's postinst seems to insist on creating
/etc/prosody/certs/localhost.{crt,key}, but does this in a fragile way.

They're created as symlinks, but the call to ln is guarded by "test -e",
which doesn't actually test for the existence of a symlink, and returns
false if the symlink exists but is dangling.

It seems to me these links should only be created on first install, if
anything, and not re-created at each postinst invocation, especially if
the actual configuration doesn't use it.

The recent security updates resulted in:

> Setting up prosody (0.11.9-2+deb11u2) ...
> ln: failed to create symbolic link '/etc/prosody/certs/localhost.crt': File exists
> dpkg: error processing package prosody (--configure):
>  installed prosody package post-installation script subprocess returned error exit status 1

until I went and manually deleted the dangling symlinks.

Cheers,
Julien
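
Added example, not part of the original report and not the prosody package's own postinst: a reproduction of the failure described above, where a "test -e" guard does not see a dangling symlink and ln then fails with "File exists", next to a guard that also checks "test -L". The function names, file names and the temporary directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demonstration; works in a temp dir, never touches /etc/prosody.

# Guard as described in the report: link creation is skipped only if
# "test -e" succeeds. "test -e" follows symlinks, so a dangling link
# looks absent and ln -s is attempted on a name that already exists.
link_fragile() {  # $1 = target, $2 = link name
    if ! test -e "$2"; then
        ln -s "$1" "$2"
    fi
}

# Guard that treats any existing symlink, dangling or not, as present
# and leaves it alone.
link_robust() {   # $1 = target, $2 = link name
    if ! test -e "$2" && ! test -L "$2"; then
        ln -s "$1" "$2"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    # State after the admin removed the file the old link pointed to.
    ln -s "$dir/removed-cert.pem" "$dir/localhost.crt"

    fragile=0
    link_fragile "$dir/snakeoil.pem" "$dir/localhost.crt" 2>/dev/null || fragile=$?
    robust=0
    link_robust "$dir/snakeoil.pem" "$dir/localhost.crt" || robust=$?

    echo "fragile guard exit status: $fragile"
    echo "robust guard exit status:  $robust"
    echo "link still points to:      $(readlink "$dir/localhost.crt")"
    rm -rf "$dir"
}

demo
```

In a maintainer script run under "set -e", the non-zero status from the fragile guard is what aborts the configure step.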