I think this is a good idea. My only suggestion would be to perhaps add a reminder after make (or make install) for any packages that will need additional installation; such as db_ or (if modified tls).
For example, if tls and db_mysql are installed, a message echoed to terminal such as "Please remember to run kamdbctl create" and "Please remember to run kamctl tls generate-certificate" etc. --fred On 07/20/2015 02:58 PM, Daniel-Constantin Mierla wrote: > Hello, > > (cross-posting as it impacts users as well) > > Currently we generate and install the TLS self-signed certificates when > tls module is installed, including them in the debian packages (and I > guess in rpms). > > Debian has a policy of reproducible builds, meaning that from same > source tree snapshot the same binary packages should result. > > Even more important considering the impact on security, it would be > better that the certificates are generated locally on the installation > server, to be distinct. Right now, people relying on default > installation config/certificates (and I guess there are many, at least > in testing phase), are exposed to eavesdropping, because the private key > is available in public packages. > > My proposal is to move generation of self signed certificates to kamctl. > There can be a kamctl.tls file to be deployed by the tls package (same > is done by kamctl.mysql, being part of mysql package), which should add > a new group of commands, among them something like: > > kamctl tls generate-certificate > > The drawback is that before enabling tls and starting kamailio, one has > to run the above command. We can document that in tls module readme and > in kamailio.cfg in the comments related to WITH_TLS define. > > Anyone with comments, pros/cons? > > Other suggestions on how to address the reproducible builds as well as > solve the security issue for the default installation? > > Cheers, > Daniel > _______________________________________________ sr-dev mailing list [email protected] http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
