Re: [FOSSology] [FOSSology-devel] New YouTube video - FOSSology Installation from Source

2021-01-04 Thread Jeremiah C. Foster
I think it’s a great idea to do this kind of video. I’ll try and review in the 
coming week because I think FOSSology is kind of hard to install. Also, there 
is lots of duplicated, out-of-date, and confusing documentation around 
installation, which I think can be helped with an explanatory video.

Great initiative Gaurav!

Jeremiah

On Jan 2, 2021, at 07:57, Gaurav Mishra  wrote:


*** THIS IS AN EXTERNAL EMAIL: Please do not reply, click on any links, or open 
any attachments unless you trust the sender and know that the content is safe. 
***
Hello All,

We have a new video on FOSSology's YouTube channel. It is 
recorded on the topic of installing FOSSology from source.

You can watch the video here: https://youtu.be/q12KwmPYZG4

Please leave your feedback as comments on the video or mail them directly to 
us. We will be happy to hear from you and improve our future videos.

Here is to a prosperous 2021! Have a wonderful new year!

With warm regards,
Gaurav Mishra




This e-mail and any attachment(s) are intended only for the recipient(s) named 
above and others who have been specifically authorized to receive them. They 
may contain confidential information. If you are not the intended recipient, 
please do not read this email or its attachment(s). Furthermore, you are hereby 
notified that any dissemination, distribution or copying of this e-mail and any 
attachment(s) is strictly prohibited. If you have received this e-mail in 
error, please immediately notify the sender by replying to this e-mail and then 
delete this e-mail and any attachment(s) or copies thereof from your system. 
Thank you.


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#3422): https://lists.fossology.org/g/fossology/message/3422
Mute This Topic: https://lists.fossology.org/mt/79441378/21656
Group Owner: fossology+ow...@lists.fossology.org
Unsubscribe: https://lists.fossology.org/g/fossology/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-




Re: [FOSSology] Fossology scan result

2020-09-22 Thread Jeremiah C. Foster
Hi Prasaath,


For your use case I think that the recommendations given previously are likely 
correct: ScanCode for individual projects (in nearly any programming language) 
with the appropriate flags for license and copyright, and then use FOSSology 
for ISOs.

ScanCode is faster for smaller projects because you don't have the overhead of 
a web server, database, etc., but FOSSology provides better tooling to drill 
down and manage licenses at the file level for large ISOs and tarballs.


There are, of course, other tools in the ecosystem, but I think for your use 
case you'll get a lot of mileage from those two.


Cheers,


Jeremiah


From: fossology@lists.fossology.org  on behalf 
of Prasaath Ramasamy (prasaara) via lists.fossology.org 

Sent: Tuesday, September 22, 2020 6:30:57 AM
To: Michael C. Jaeger
Cc: Anupam Ghosh; Mishra, Gaurav; Prasad Iyer (prasadiy); Shiv Majji (smajji); 
Ted Gauthier (tedg); fossol...@fossology.org
Subject: Re: [FOSSology] Fossology scan result



Thanks Michael, I will check those links. My use case is to have a scanner to 
scan source code (from different technologies like Java, Python, Ruby, etc.) and 
also ISO images and give the license and component details.

-Prasaath

-Original Message-
From: Michael C. Jaeger 
Sent: Monday, September 21, 2020 6:13 PM
To: Prasaath Ramasamy (prasaara) 
Cc: Anupam Ghosh ; Mishra, Gaurav 
; Prasad Iyer (prasadiy) ; Shiv 
Majji (smajji) ; Ted Gauthier (tedg) ; 
fossol...@fossology.org
Subject: Re: [FOSSology] Fossology scan result

Hello,

please note there are more open source tools out there, for example for 
component analysis:

* SW360 Antenna: https://github.com/eclipse/antenna
* And the tools from the ACT Initiative: 
https://www.linuxfoundation.org/press-release/2019/12/the-linux-foundations-automated-compliance-work-garners-new-funding-advances-tools-development/
* it depends a little on which technology you're trying to identify the 
components for.

As for snippet scanning, there are maybe open source attempts to tackle it, 
but could you describe maybe the use case that you have? It sounds like you 
would like to have one tool that does all the three things at once? (license 
scanning, snippet scanning, SCA)

Kind regards, Michael


> On 21. Sep 2020, at 12:23, Anupam Ghosh  wrote:
>
> Hello Prasaath,
>
> Fossology is mainly designed to scan license/copyright information
> from your package, so Fossology does not look into code-snippets or 
> dependencies inside source package.
>
> For code-snippet identification or dependency identification you have to use 
> a third party software.
>
> With regards,
> Anupam
>
> From: fossology@lists.fossology.org  On
> Behalf Of Prasaath Ramasamy (prasaara) via lists.fossology.org
> Sent: Monday, September 21, 2020 8:42 AM
> To: fossol...@fossology.org; Mishra, Gaurav (CT RDA SSI ISF-IN)
> 
> Cc: Prasad Iyer (prasadiy) ; Shiv Majji (smajji)
> ; Ted Gauthier (tedg) 
> Subject: Re: [FOSSology] Fossology scan result
>
> Hello Fossology Team,
>
> Can you let me know if the component name identification is possible along 
> with the discovered license ?
>
> -Prasaath
>
> From: Prasaath Ramasamy (prasaara)
> Sent: Wednesday, September 16, 2020 3:37 PM
> To: fossol...@fossology.org
> Cc: Prasad Iyer (prasadiy) ; Shiv Majji (smajji)
> ; Ted Gauthier (tedg) 
> Subject: Fossology scan result
>
> Hello team,
>
> I tried scanning a couple of Java source code and Python source code and the 
> fossology tool was able to give me a list of all licenses (like Apache, MIT 
> etc..) but I am not able to find the corresponding component names (i.e. 
> activation, ant, apache-commons-logging etc…). Is there a way in the 
> fossology tool to get component names ?
>
> -Prasaath
>









This e-mail and any attachment(s) are intended only for the recipient(s) named 
above and others who have been specifically authorized to receive them. They 
may contain confidential information. If you are not the intended recipient, 
please do not read this email or its attachment(s). Furthermore, you are hereby 
notified that any dissemination, distribution or copying of this e-mail and any 
attachment(s) is strictly prohibited. If you have received this e-mail in 
error, please immediately notify the sender by replying to this e-mail and then 
delete this e-mail and any attachment(s) or copies thereof from your system. 
Thank you.


View/Reply Online (#3402): https://lists.fossology.org/g/fossology/message/3402

Re: [FOSSology] Fossology Obligation feature improvement - export to csv and run on scanner results

2020-06-02 Thread Jeremiah C. Foster
On Tue, 2020-06-02 at 23:52 +0200, Michael C. Jaeger wrote:
> Hi,
>
> right now the idea is to have RAG per FOSSology server instance,
> meaning how the administrator of an instance wants to set it to.

Seems flexible.

> However, even this might be still inflexible, because "red" licenses
> or obligations are even not a good category for an entire
> organisation, but maybe per case.

Good point. I know that this is sometimes the case in the organizations
I work with.

> Maybe the future for fossology will not be about the RAG for
> obligations, but the use cases for files and RAG for these
> accordingly. ( a file can be green or red, depending on whatever
> analysis result)

+1

> Regarding the colouring in the reporting, I think it is just a matter
> of "no one did it so far". So, one solution could be to write issue
> and work on it:
>
> https://github.com/fossology/fossology/issues/1727
>
> Kind regards,
>   Michael

Regards,

Jeremiah

> > On 2. Jun 2020, at 17:57, Jeremiah C. Foster 
> > wrote:
> >
> > On Mon, 2020-06-01 at 10:51 +, Woźnicki Paweł - Partner Hurt
> > via lists.fossology.org wrote:
> > > Hello All
> > >
> > > Have you ever thought about improving functionality of Fossology
> > > Obligation feature
> > > Currently Fossology 3.8.0 allows to configure obligations on
> > > specific conditions and provides a possibility to mark the
> > > findings in a proper way (RED, GREEN colour in the Doc report)
> > > but at the moment it is not quite handy.
> > > The obligations in the output Unified report are not coloured and
> > > I think it would be also interesting to export obligation results
> > > also to another reports like CSV in a form of additional column
> > > indicating obligation state (Approved, Denied, to Verify)
> > >
> >
> > My personal view is that colors in the report is a good idea. I do
> > wonder about how to do this however. Firstly, the usual 'RAG' (Red,
> > Amber, Green) colors are likely not flexible enough, but this is
> > bikeshedding. What is likely really important is for FOSSology
> > users to have their own colors in conjunction with their own
> > policy. After all, some companies will mark as "red" those licenses
> > that other companies considered "green". If there is a flexible,
> > rules-based policy engine then the various colors can be assigned
> > based on the policy on a per organization basis. Is this part of
> > your intended implementation?
> >
> > Regards,
> >
> > Jeremiah
> >




View/Reply Online (#3369): https://lists.fossology.org/g/fossology/message/3369



Re: [FOSSology] Fossology Obligation feature improvement - export to csv and run on scanner results

2020-06-02 Thread Jeremiah C. Foster
On Mon, 2020-06-01 at 10:51 +, Woźnicki Paweł - Partner Hurt via 
lists.fossology.org wrote:
> Hello All
>
> Have you ever thought about improving functionality of Fossology Obligation 
> feature
> Currently Fossology 3.8.0 allows to configure obligations on specific 
> conditions and provides a possibility to mark the findings in a proper way 
> (RED, GREEN colour in the Doc report) but at the moment it is not quite handy.
> The obligations in the output Unified report are not coloured and I think it 
> would be also interesting to export obligation results also to another reports 
> like CSV in a form of additional column indicating obligation state (Approved, 
> Denied, to Verify)

My personal view is that colors in the report is a good idea. I do wonder about 
how to do this however. Firstly, the usual 'RAG' (Red, Amber, Green) colors are 
likely not flexible enough, but this is bikeshedding. What is likely really 
important is for FOSSology users to have their own colors in conjunction with 
their own policy. After all, some companies will mark as "red" those licenses 
that other companies considered "green". If there is a flexible, rules-based 
policy engine then the various colors can be assigned based on the policy on a 
per organization basis. Is this part of your intended implementation?

Regards,

Jeremiah

View/Reply Online (#3367): https://lists.fossology.org/g/fossology/message/3367



[FOSSology] FOSSology installation documentation

2020-04-07 Thread Jeremiah C. Foster
Hi,

Using the Docker installation instructions, it gets confusing about
halfway down: https://hub.docker.com/r/fossology/fossology

Essentially there are two ways to install FOSSology using containers:

1. Single Docker container
2. Multiple containers via Docker Compose

The multiple-container method is closer to what most people expect,
since containers are often used with 'microservices' and separated.

I've tried to adjust the README to reflect this situation and attempted
to clarify; it's in a PR here:
https://github.com/fossology/fossology/pull/1679

Lastly, I think it might be wise to deprecate the single-container
install solution as it doesn't provide for data persistence. Having had
to reboot my container a couple of times for configuration and testing,
I've lost data, which is kinda bad UX. In addition, the Docker Compose
solution feels closer to best practices, works well, and persists data
properly. Also, having one solution for containers will likely be less
for the project to maintain.

Regards,

Jeremiah

View/Reply Online (#3359): https://lists.fossology.org/g/fossology/message/3359



Re: [FOSSology] debian package confusion

2020-04-06 Thread Jeremiah C. Foster
Hi Udo,

I'm not sure which is the authoritative Debian repo. But, I know a little about 
the URLs you've provided:

1. In general, the /debian dir in a project's source code repo is the 
authoritative code they use to build packages
2. Salsa is Debian's GitLab instance that a lot of package maintainers in 
Debian use

Often I've seen this workflow: someone works in Salsa to modify a package, then 
tests and makes sure their work is lintian clean so it gets into Debian. 
Then they file the appropriate issue in the appropriate place (upstream often, 
Debian's BTS as well as GitLab, so you can bring it to the attention of the 
Debian Maintainer(s)). Then once there is an upload to the archive, the issues 
usually get closed automagically if you've set the right options in your 
debian/changelog file.

I don't know the official process for FOSSology, but I would hazard a guess and 
say that if you file an issue and then send a pull request in the FOSSology 
GitHub repo, that might be the most effective way to land patches in the near 
term.

Regards,

Jeremiah

On Mon, 2020-04-06 at 08:04 -0700, udo.rader via lists.fossology.org wrote:

> Hi,
>
> trying to setup a new fossology instance based on debian, I noticed there are 
> some confusing and sometimes even contradicting resources.
>
> First, there are the "old" releases on http://fossology.org/releases/
>
> Then there are the efforts on salsa.debian.org, i.e. 
> https://salsa.debian.org/fossology-team/fossology
>
> And then we have "releases" on github, that also produce .deb packages for 
> example for debian buster: https://github.com/fossology/fossology/releases
>
> My current attempt to (very successfully) install fossology on debian buster is 
> based on the latter.
>
> So what is the current packaging status of fossology when it comes to debian 
> (alike) environments?
>
> Thanks






View/Reply Online (#3358): https://lists.fossology.org/g/fossology/message/3358



Re: [FOSSology] License Violation Detection

2020-04-03 Thread Jeremiah C. Foster
On Fri, 2020-04-03 at 08:47 -0700, surbhi140...@gmail.com wrote:
> Can I do license violation detection with fossology. If yes how to do that?

Well, that likely depends on which license and what you mean by "violation." 
You likely are going to have to define "violation" in terms of your own policy. 
Fossology can "clear" licenses, you can read more about it here: 
https://www.fossology.org/get-started/basic-workflow/#bw2

Cheers,

Jeremiah

View/Reply Online (#3356): https://lists.fossology.org/g/fossology/message/3356



Re: [FOSSology] Hi I have a questions before using fossology

2020-04-02 Thread Jeremiah C. Foster
On Thu, 2020-04-02 at 09:40 +0200, Nicolas Toussaint via
lists.fossology.org wrote:
> Hi,
> Nice discussion - generally inciting users to secure their Fossology
> instance sounds pretty good to me :)

+1  :^)

> > This might be good. I note that this script
> > https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh
> > does that in the Docker setup. Perhaps we merge some of that data
> > into the official install? I'm writing some docs as we speak, I'll
> > suggest a merge or PR. Of course M. Toussaint might as well.
> That's a pretty good idea; these scripts are run after deploying the
> Docker containers, but [some of] the configuration steps could be imported
> directly in the Fossology source code as post-installation scripts.
>
> This would
> 1/ make the features available to non-Docker instances
> 2/ simplify the docker-specific scripts

These two goals are likely going to be hugely helpful for new installs.
Currently it can be a little confusing for new folks because upon
install they're dumped into a docker container spitting out Apache
logs. For a seasoned administrator this is okay I suppose but it is
somewhat dissimilar to what might be "best practice" for a typical
container install.

> 3/ ease maintenance of the scripts

This is likely also a big benefit, especially if there is a plan to
move to php7.4 for example. Currently the Docker files are using Debian
Stretch because they need php7.0-cli. That's fine, but Debian will be
going into a Freeze soon which means the End of Life for Stretch as
old-stable is on the horizon. There is LTS support for Stretch (
https://wiki.debian.org/LTS) but it is done by companies and does not
receive Debian's security support.

> Happy to help if going this way.

I would love to discuss things with you and get your input (and of
course Michael's and everyone on this list). I share your goals of
making install simpler and more modular.

Cheers,

Jeremiah

> Nico
>
> On 02/04/2020 00:31, Michael C. Jaeger wrote:
> > Hi,
> >
> > for all contributions:
> >
> > * it would be good to have an issue, I have created one:
> > https://github.com/fossology/fossology/issues/1676
> > * consider opening a PR here, you can do this from your fork:
> > https://github.com/fossology/fossology/pulls
> > * a help with contributing guidelines is here:
> > https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md
> > * most importantly:
> > https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md#git-commit-conventions
> >
> > Kind regards,
> >Michael
> >
> > > On 1. Apr 2020, at 22:50, Jeremiah C. Foster 
> > > wrote:
> > >
> > > On Wed, 2020-04-01 at 18:52 +, Michael C. Jaeger wrote:
> > > > Hi,
> > > >
> > > > Please go ahead, sounds good in general, just allow me to
> > > > understand the cases here
> > > >
> > > > * either we add a 127.0.0.1 / snakeoil certificate and then
> > > > there will be an error message in the browser that hostname
> > > > does not match the cert when accessing the fossology over the
> > > > network (server setup)
> > > - Yes. With a 127.0.0.1 we will get a warning in the browser when
> > > accessing it over the network.
> > >
> > > > * or we try to determine the hostname but then there will be
> > > > the same error when accessing the localhost?
> > > - I cannot say for sure. There may be a clever way to do this.
> > > For example, it may be possible to edit an install script with
> > > the hostname and generate the self-signed cert. But, and this is
> > > kind of a big but, it will still throw a warning.
> > >
> > > > How about an optional step in the install as a script?
> > > This is likely the best approach. This way it can be an argument
> > > like "--self-signed-cert" or "--install-cert" to the script that
> > > the end user has to consciously add on. This way you'd likely
> > > have the flexibility for people to reuse their existing
> > > certificates, choose a self-signed cert, or simply ignore it
> > > entirely if they don't care.
> > >
> > > Thanks for your replies, it helps me know where my patches are
> > > likely to land and prioritizes my contributions.
> > >
> > > Cheers,
> > >
> > > Jeremiah
> > >
> > > > Kind regards, Michael
> > > >
> > > > From: "Foster, Jeremiah" 
> > > >

Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Jeremiah C. Foster
On Wed, 2020-04-01 at 18:52 +, Michael C. Jaeger wrote:
> Hi,
>
> Please go ahead, sounds good in general, just allow me to understand the cases 
> here
>
> * either we add a 127.0.0.1 / snakeoil certificate and then there will be an 
> error message in the browser that hostname does not match the cert when 
> accessing the fossology over the network (server setup)

- Yes. With a 127.0.0.1 we will get a warning in the browser when accessing it 
over the network.

> * or we try to determine the hostname but then there will be the same error 
> when accessing the localhost?

- I cannot say for sure. There may be a clever way to do this. For example, it 
may be possible to edit an install script with the hostname and generate the 
self-signed cert. But, and this is kind of a big but, it will still throw a 
warning.

> How about an optional step in the install as a script?

This is likely the best approach. This way it can be an argument like 
"--self-signed-cert" or "--install-cert" to the script that the end user has to 
consciously add on. This way you'd likely have the flexibility for people to 
reuse their existing certificates, choose a self-signed cert, or simply ignore 
it entirely if they don't care.

Thanks for your replies, it helps me know where my patches are likely to land 
and prioritizes my contributions.

Cheers,

Jeremiah

> Kind regards, Michael
>
> From: "Foster, Jeremiah" 
> Date: Wednesday, 1. April 2020 at 20:45
> To: "fossol...@fossology.org" , "Jaeger, Michael C. 
> (CT RDA SSI DOS-DE)" 
> Subject: Re: [FOSSology] Hi I have a questions before using fossology
>
> > On Wed, 2020-04-01 at 18:25 +, Jaeger, Michael C. wrote:
> > > Hi,
> > >
> > > I am not sure how the creation of a self signed certificate as part of the 
> > > installation of the FOSSology software improves the situation.
> >
> > Well, in Debian, the self-signed "snake oil" cert can get you up and running 
> > with https quickly. If it were part of the default FOSSology install then we'd 
> > be encouraging encryption of passwords and other important data upon 
> > installation. Currently there are lots of warnings that might be ignored (bad) 
> > or improperly fixed (not so bad, depending).
> >
> > > From a technical point of view, of course, we could even add a self signed 
> > > certificate creation step in the post install operations.
> >
> > This might be good. I note that this script 
> > https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh
> > does that in the Docker setup. Perhaps we merge some of that data into the 
> > official install? I'm writing some docs as we speak, I'll suggest a merge or 
> > PR. Of course M. Toussaint might as well. :-)
> >
> > > But, for most cases, would self signed certificates work right out of the box? 
> > > – we need to know the hostname of the machine we're on … maybe this is 
> > > possible, but I just do not know how reliably you can determine the hostname. 
> > > And if someone is using the fossology in a localhost setup, is it helpful to 
> > > create a certificate with the hostname and then the user calls localhost and the 
> > > certificate does not match … I am missing the possibilities here, please let me 
> > > know how this could work.
> >
> > Likely no, because we don't know the domain name and getting a cert from Let's 
> > Encrypt or another CA will require that you know, and control, the domain. To 
> > get around this, the Debian snake oil cert uses the localhost ip address 
> > 127.0.0.1.
> >
> > > I have not seen a documentation (as part of the FOSSology documentation) of how 
> > > to create a self signed certificate.
> >
> > Okay, I'll suggest what is hopefully a simple, easy-to-understand process since 
> > I think at least having these instructions helps support better security 
> > practice. I'll also hack on the configuration and set up (as little as 
> > possible) to make it easy-ish to have this OOTB.
> >
> > Cheers,
> > Jeremiah
> >
> > > Kind regards,
> > >   Michael
> > >
> > > From:  on behalf of "Jeremiah C. Foster" 
> > > Date: Wednesday, 1. April 2020 at 18:43
> > > To: "fossol...@fossology.org" 
> > > Subject: Re: [FOSSology] Hi I have a questions before using fossology
> > >
> > > > On Tue, 2020-03-31 at 21:42 +, Michael C. Jaeger wrote:
> > > > > Hello,
> > > > >
> > > > >   thanks for reaching out to us. To your questions:
> > > > >
> > > > > *) is source code leaking out from a fossology server? Answer:
> > > > >
> > > > >   1.  Usually not, the fossology solution is entirely self-contained. You can 
> > > > > run fossology entirely without access to the internet. The main point why you 
> > > > > would need Internet access is about updating your OS and packages.
> > > > >   2.  But please understand that although the FOSSology server can run 
> > > > > ev

Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Jeremiah C. Foster
On Wed, 2020-04-01 at 18:25 +, Jaeger, Michael C. wrote:
> Hi,
>
> I am not sure how the creation of a self signed certificate as part of the
> installation of the FOSSology software improves the situation.

Well, in Debian, the self-signed "snake oil" cert can get you up and running
with https quickly. If it were part of the default FOSSology install then we'd
be encouraging encryption of passwords and other important data upon
installation. Currently there are lots of warnings that might be ignored (bad)
or improperly fixed (not so bad, depending).

> From a technical point of view, of course, we could even add a self signed
> certificate creation step in the post install operations.

This might be good. I note that this script
https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh
does that in the Docker setup. Perhaps we merge some of that data into the
official install? I'm writing some docs as we speak, I'll suggest a merge or
PR. Of course M. Toussaint might as well. :-)

> But, for most cases, would self signed certificates work right out of the box?
> We need to know the hostname of the machine we're on … maybe this is
> possible, but I just do not know how reliably you can determine the hostname.
> And if someone is using fossology in a localhost setup, is it helpful to
> create a certificate with the hostname when the user then calls localhost and
> the certificate does not match … I am missing the possibilities here, please
> let me know how this could work.

Likely no, because we don't know the domain name and getting a cert from Let's
Encrypt or another CA will require that you know, and control, the domain. To
get around this, the Debian snake oil cert uses the localhost ip address
127.0.0.1.

> I have not seen documentation (as part of the FOSSology documentation) of how
> to create a self signed certificate.

Okay, I'll suggest what is hopefully a simple, easy-to-understand process since
I think at least having these instructions helps support better security
practice. I'll also hack on the configuration and set up (as little as
possible) to make it easy-ish to have this OOTB.

Cheers,
Jeremiah


Kind regards,
  Michael


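The post-install self-signed certificate step Michael and Jeremiah discuss above, as an added example that is not FOSSology's code or anything from the thread: the certificate's SAN list covers the machine hostname plus localhost and 127.0.0.1, so the name-mismatch worry (cert issued for the hostname, user browsing to localhost) is addressed directly, and two helpers verify what the result actually covers. It assumes openssl (1.0.2 or newer) is installed; the output directory and hostname are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not FOSSology's own code: a post-install style step that
# creates a self-signed certificate whose Subject Alternative Names cover the
# machine hostname AND localhost / 127.0.0.1, so the browser gets a name match
# whether the user opens https://<hostname>/ or https://localhost/.
# Assumes openssl is installed; directory and hostname are caller-supplied.
set -eu

gen_selfsigned_cert() {
  # $1 = output directory, $2 = hostname to put in CN and SAN
  #      (defaults to the FQDN of this machine when omitted)
  out="$1"
  host="${2:-$(hostname -f 2>/dev/null || hostname)}"
  mkdir -p "$out"
  # Request config: the SAN list is what modern clients actually check;
  # a CN on its own is ignored by current browsers.
  cat > "$out/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
subjectAltName   = DNS:$host, DNS:localhost, IP:127.0.0.1
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # One-shot self-signed cert: 2048-bit RSA key, unencrypted (-nodes) so the
  # web server can start unattended, valid for one year.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$out/fossology.key" -out "$out/fossology.crt" \
    -config "$out/san.cnf" >/dev/null 2>&1
  # The private key must only be readable by the account that owns it.
  chmod 600 "$out/fossology.key"
}

cert_covers_host() {
  # Returns 0 when certificate $1 is valid for DNS name $2.
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

cert_covers_ip() {
  # Returns 0 when certificate $1 is valid for IP address $2.
  openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q "does match"
}

# Stand-alone run: generate into ./tls for this host and report what it covers.
if [ "${1:-}" = "--demo" ]; then
  gen_selfsigned_cert ./tls
  for n in "$(hostname -f 2>/dev/null || hostname)" localhost; do
    cert_covers_host ./tls/fossology.crt "$n" && echo "covers $n"
  done
  cert_covers_ip ./tls/fossology.crt 127.0.0.1 && echo "covers 127.0.0.1"
fi
```

Point Apache's SSLCertificateFile and SSLCertificateKeyFile at the two output files; browsers will still warn that the issuer is untrusted, which is expected for a self-signed cert and is distinct from the name mismatch this avoids.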
Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Jeremiah C. Foster
On Tue, 2020-03-31 at 21:42 +, Michael C. Jaeger wrote:
> Hello,
>
> thanks for reaching out to us. To your questions:
>
> *) is source code leaking out from a fossology server? Answer:
>
>   1.  Usually not, the fossology solution is entirely self-contained. You can
> run fossology entirely without access to the internet. The main point why you
> would need Internet access is about updating your OS and packages.
>   2.  But please understand that although the FOSSology server can run
> everything on its own database, it is your responsibility to secure your server
> installation from being hacked. One first task would be to enable a connection
> using https.

Is there documentation on doing this? I understand that there is plenty of
documentation already on the internet that describes using TLS and certificates
with apache and nginx, but there doesn't appear to be a ton of documentation on
the way that FOSSology sets things up. For example, FOSSology does not appear
to add a self-signed cert which would enable https upon installation. Am I
mistaken, is there more info on this?

Regards,

Jeremiah






Re: [FOSSology] Debian package for FOSSology

2020-03-17 Thread Jeremiah C. Foster
Hi Nicolas,

This looks really interesting. I will definitely take a look at your scripts. 
Thanks!

Jeremiah


From: fossology@lists.fossology.org on behalf of Nicolas Toussaint via 
Lists.Fossology.Org 
Sent: Tuesday, March 17, 2020 4:07 AM
To: fossology@lists.fossology.org
Cc: fossology@lists.fossology.org
Subject: Re: [FOSSology] Debian package for FOSSology

Hi,

I use the docker-compose file pointed to by Michael, so I get 3 containers for 
Web + DB + Scheduler, all this work very well.
If of any use to anyone, I have shared the scripts I use to automatically 
deploy and configure my [pre]production servers.
It's here: https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts

Nico

On 17/03/2020 01:21, Michael C. Jaeger wrote:

Hi,

help is always welcome. Have you seen that BTW?
https://github.com/fossology/fossology/blob/master/docker-compose.yml

I see the point you make with the reverse proxy setup as well. If you find a good
solution / contribute a good improvement, you're welcome of course. For
postgresql it is easy; maybe for the Web server part you would need
configurations accordingly of course. Right now FOSSology uses mod-php to
execute the php files for serving Web pages.

Kind regards,
  Michael

On 17. Mar 2020, at 01:12, Foster, Jeremiah wrote:

On Mon, 2020-03-16 at 22:48 +0100, Michael C. Jaeger wrote:

> Hi,
>
> it is for this:
> https://salsa.debian.org/fossology-team/fossology

Oh, it's in salsa already!? That's good news.

And there's an ITP:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924659

> -> not ready, work in progress.

Understood. :-)

I wonder if the packaging is a good time to review the overall
architecture of FOSSology? I say that because I think that the Docker
image might use some love. It ships with both apache and Postgres,
which is somewhat different from the micro-architecture approach that
docker lends itself to. I can't run the docker image because I have an
nginx as a reverse proxy / web server and apache needs to bind to port
80 in the container and that means I need to edit the docker file, etc.

It would seem to me that if you're clearly defining the dependencies in
the packaging then you can use that to shrink the docker image to just
the FOSSology application, allowing users to use their web server of
choice and install Postgres separately.

Cheers,

Jeremiah


--
Nicolas Toussaint
OBS - Orange Business Services - Lyon, France
Tel: +33 608 763 559








Re: [FOSSology] Debian package for FOSSology

2020-03-17 Thread Jeremiah C. Foster
On Tue, 2020-03-17 at 01:21 +0100, Michael C. Jaeger wrote:
> Hi,
>
> help is always welcome. Have you seen that BTW?
>
> https://github.com/fossology/fossology/blob/master/docker-compose.yml

I did look at that, thanks. I think that's super useful. One question
about that is how tied to Postgres 9.6 is it? 9.6 is 4 years old now,
though still supported. While Postgres recommends using the latest
possible release, maybe there are design or functional reasons to still
use 9.6? FWIW the final release of 9.6 is scheduled for Nov. 2021.[0]

> I see the point you make with the reverse proxy setup as well. If you
> find a good solution / contribute a good improvement, you re welcome
> of course. For postgresql it is easy maybe for the Web server part
> you would need configurations accordingly of course.

Yes, I think that is the low hanging fruit - to create a containerized
Postgres based on the docker-compose file above that is separate from
the FOSSology container. Then, pull out the Postgres part from the
existing container. After that, removing the web server from the
current FOSSology container and either requiring a reverse proxy, or a
generic web server, or something different.

Of course, copious documentation will help and I'll try to do that for
any of my changes.

>  Right now FOSSology uses mod-php to execute the php files for
> serving Web pages.

Good to know. So the external dependencies are a web server that runs
php via mod-php and a SQL server that can speak psql (meaning
Postgres)?

I note that there are a couple supported versions of PHP's runtime in
the docs - is that the plan going forward to support them both? Is new
development happening more in a particular version?

Regards,

Jeremiah


0. https://www.postgresql.org/support/versioning/






Re: [FOSSology] Debian package for FOSSology

2020-03-16 Thread Jeremiah C. Foster
On Mon, 2020-03-16 at 22:48 +0100, Michael C. Jaeger wrote:
> Hi,
>
> it is for this:
>
> https://salsa.debian.org/fossology-team/fossology

Oh, it's in salsa already!? That's good news.

And there's an ITP:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924659

> -> not ready, work in progress.

Understood. :-)

I wonder if the packaging is a good time to review the overall
architecture of FOSSology? I say that because I think that the Docker
image might use some love. It ships with both apache and Postgres,
which is somewhat different from the micro-architecture approach that
docker lends itself to. I can't run the docker image because I have a
nginx as a reverse proxy / web server and apache needs to bind to port
80 in the container and that means I need to edit the docker file, etc.

It would seem to me that if you're clearly defining the dependencies in
the packaging then you can use that to shrink the docker image to just
the FOSSology application, allowing users to use their web server of
choice and install Postgres separately.

Cheers,

Jeremiah






Re: [FOSSology] Debian package for FOSSology

2020-03-16 Thread Jeremiah C. Foster
On Mon, 2020-03-16 at 16:53 -0500, Bryan Sutula wrote:
> > Does anyone know if there is an ITP for FOSSology? My cursory check
> > via reportbug showed nothing.
>
> I'd love to see it done again, but don't have the time to pursue it.

I'll try to help. I'll poke around in the salsa repo that Michael sent
a link to. Good to see there's an ITP:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924659

Thanks for digging up that work from Matt Taggart, I hadn't seen that.

Cheers,

Jeremiah






[FOSSology] Debian package for FOSSology

2020-03-16 Thread Jeremiah C. Foster
Hi,

I see that there is a debian directory in the top level git dir of
FOSSology, so I assume someone is building debs for FOSSology. Where
are these debs being built? In OBS? Because I don't see FOSSology in
Debian unstable or stable though I think it might be good to have
there.

Does anyone know if there is an ITP for FOSSology? My cursory check via
reportbug showed nothing.

Regards,

Jeremiah


