Package: prosody
Version: 0.9.7-2+deb8u3
Severity: normal

Hello,

thank you for maintaining prosody!

Currently prosody is added to group ssl-cert so it can read the snakeoil private certificate.

I don't know why prosody should need to use the snakeoil certificate at all now that we have letsencrypt (see #767741); however, I am rather uneasy at the idea that my XMPP server can access whatever is in /etc/ssl/private.

Since snakeoil certificates are symlinked into /etc/prosody/certs anyway, would it be possible, instead of adding prosody to the group ssl-cert, to copy the snakeoil certificates into /etc/prosody/certs during postinst, and set their permissions to be read by prosody?

That way prosody could access the snakeoil certificates only.

Enrico

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
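
The change requested in this report, sketched as an added example (not code from the prosody package or from the reporter): a shell function a postinst could call to replace the symlinks in /etc/prosody/certs with private copies, so the service no longer needs membership of ssl-cert. The function name, its arguments and the root:prosody ownership in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: replace each symlink in a certificate directory with a
# copy of its target, owned and readable as specified, so the service
# account does not need read access to all of /etc/ssl/private.
#
# Assumed usage from a postinst, run as root:
#   localize_certs /etc/prosody/certs root prosody
localize_certs() {
    cert_dir=$1
    owner=$2
    group=$3

    for link in "$cert_dir"/*; do
        [ -L "$link" ] || continue            # leave regular files alone
        target=$(readlink -f "$link") || continue
        [ -f "$target" ] || continue          # skip dangling symlinks

        # Private keys: owner and group only. Certificates: world-readable.
        case "$link" in
            *.key) mode=0640 ;;
            *)     mode=0644 ;;
        esac

        # Build the copy under a temporary name in the same directory, then
        # rename it over the symlink, so a usable file is always in place.
        tmp=$(mktemp "$cert_dir/.localize.XXXXXX") || return 1
        if ! install -m "$mode" "$target" "$tmp" ||
           ! chown "$owner:$group" "$tmp"; then
            rm -f "$tmp"
            return 1
        fi
        mv -f "$tmp" "$link" || { rm -f "$tmp"; return 1; }
    done
}
```

The copies do not follow later regeneration of the snakeoil pair, so a package using this approach would need to rerun the function when the source files change.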