Tres Seaver wrote:
...
We also distribute a private key to be used for sftp. (Shouldn't there
be a corresponding public key?) This seems like a very bad idea too.
Keys should be generated inside 'mkzopeinstance.py', never shipped. We
should probably add scripts for (re)doing the generation,
Jim Fulton wrote:
I'll probably reveal my ignorance of SSL here, but it is worrisome to me
that we distribute a PEM file that contains a default server key and
certificate. This seems like an exceedingly bad idea.
It is.
We also distribute a
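The concern raised in this thread is that every installation ends up with the same shipped key. The following check is an added example, not part of the original messages and not Zope code: it reports which blocks of an instance's PEM file are byte-for-byte the shipped defaults. The function names are hypothetical and the PEM bodies are constructed placeholder bytes, not real keys.

```python
import base64
import hashlib
import re

# One PEM block: captures the label and the text between the armor lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_fingerprints(pem_text):
    """Return a set of (label, SHA-256 of decoded body) for each PEM block.

    Hashing the decoded bytes instead of the file means re-wrapped lines,
    CRLF endings or a reordered key/certificate pair still compare equal.
    """
    prints = set()
    for label, body in PEM_BLOCK.findall(pem_text):
        # Header lines such as "Proc-Type: ..." contain ':'; base64 never does.
        rows = [r.strip() for r in body.splitlines() if ":" not in r]
        try:
            der = base64.b64decode("".join(rows), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue        # damaged block: nothing to compare
        prints.add((label, hashlib.sha256(der).hexdigest()))
    return prints


def shared_with_default(instance_pem, shipped_pem):
    """Labels of blocks in the instance file identical to shipped defaults."""
    shipped = pem_fingerprints(shipped_pem)
    return sorted(label for label, digest in pem_fingerprints(instance_pem)
                  if (label, digest) in shipped)


def make_pem(label, body, width=64):
    """Wrap placeholder bytes in PEM armor (sample data for this example)."""
    b64 = base64.b64encode(body).decode()
    rows = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, rows, label)


# Constructed stand-ins: placeholder bytes, not real key material.
DEFAULT_PEM = (make_pem("RSA PRIVATE KEY", b"shipped-default-key" * 8)
               + make_pem("CERTIFICATE", b"shipped-default-cert" * 8))
# Default key kept (re-wrapped, CRLF) while only the certificate was replaced.
REUSED_PEM = (make_pem("CERTIFICATE", b"site-cert" * 8)
              + make_pem("RSA PRIVATE KEY", b"shipped-default-key" * 8, 40)
              ).replace("\n", "\r\n")
FRESH_PEM = make_pem("RSA PRIVATE KEY", b"per-instance-key" * 8)
```

An empty result for an instance file means none of its blocks match the shipped defaults; any label returned names key material that should be regenerated for that instance.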