Your message dated Wed, 28 May 2008 19:33:50 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#482189: postgresql-common: Should generate it's own
certificates instead of using the snakeoil
has caused the Debian Bug report #482189,
regarding postgresql-common: Should generate it's own certificates instead of
using the snakeoil
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
482189: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482189
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: postgresql-common
Severity: wishlist
Hi there!
It would be preferable to have a separate private key and certificate
for the postgresql server, instead of using the snakeoil certificate by
default. I'd propose that you use make-ssl-cert (from ssl-cert, which is
already depended on) to create a "postgresql.(pem|key)" and use these.
Other packages (like dovecot, courier, ejabberd, ...) already do this.
I fully understand that this makes no difference for security purposes,
but it would make certificate/key management easier and more obvious.
After the recent PRNG problems it took me quite a bit to find all used
SSL certificates, and I /thought/ the snakeoil cert was unused, only to
find that postgresql wouldn't (re-)start after the removal of
ssl-cert-snakeoil.pem.
Feel free to close this bug if you think this is a no-no.
Thanks,
Christian
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8)
--
Christian Hofstaedtler
--- End Message ---
--- Begin Message ---
Hi again,
Martin Pitt [2008-05-21 15:36 +0200]:
> Actually the idea of ssl-cert was to make management easier, and you
> can get all your services to use a "good" certificate by just
> replacing this.
>
> So I am reluctant to change it back, in the interest of avoiding
> copying all the SSL cert management code around.
> [...]
> That's exactly why ssl-cert should be updated in etch-security as
> well, similar to http://www.ubuntu.com/usn/usn-612-4.
I did not see any objection to my points above, thus I close this
report again. Thank you!
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
--- End Message ---