Hi,

for all contributions:

* it would be good to have an issue, I have created one: 
https://github.com/fossology/fossology/issues/1676
* consider opening a PR here, you can do this from your fork: 
https://github.com/fossology/fossology/pulls
* help with the contributing guidelines is here: 
https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md
* most importantly: 
https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md#git-commit-conventions

Kind regards,
  Michael

> On 1. Apr 2020, at 22:50, Jeremiah C. Foster <jfos...@luxoft.com> wrote:
> 
> On Wed, 2020-04-01 at 18:52 +0000, Michael C. Jaeger wrote:
>> Hi, 
>>
>> Please go ahead, sounds good in general, just allow me to understand the 
>> cases here
>>
>> * either we add a 127.0.0.1 / snakeoil certificate and then there will be an 
>> error message in the browser that hostname does not match the cert when 
>> accessing the fossology over the network (server setup)
> 
> - Yes. With a 127.0.0.1 we will get a warning in the browser when accessing 
> it over the network.
> 
>> * or we try to determine the hostname but then there will be the same error 
>> when accessing the localhost?
> 
> - I cannot say for sure. There may be a clever way to do this. For example, 
> it may be possible to edit an install script with the hostname and generate 
> the self-signed cert. But, and this is kind of a big but, it will still throw 
> a warning.
> 
>> How about an optional step in the install as a script?
> 
> This is likely the best approach. This way it can be an argument like 
> "--self-signed-cert" or "--install-cert" to the script that the end user has 
> to consciously add on. This way you'd likely have the flexibility for people 
> to reuse their existing certificates, choose a self-signed cert, or simply 
> ignore it entirely if they don't care.
> 
> Thanks for your replies, it helps me know where my patches are likely to land 
> and prioritizes my contributions.
> 
> Cheers,
> 
> Jeremiah
> 
>>
>> Kind regards, Michael
>>
>> From: "Foster, Jeremiah" <jfos...@luxoft.com>
>> Date: Wednesday, 1. April 2020 at 20:45
>> To: "fossol...@fossology.org" <fossol...@fossology.org>, "Jaeger, Michael C. 
>> (CT RDA SSI DOS-DE)" <michael.c.jae...@siemens.com>
>> Subject: Re: [FOSSology] Hi I have a questions before using fossology
>>
>> On Wed, 2020-04-01 at 18:25 +0000, Jaeger, Michael C. wrote:
>>> Hi,
>>>
>>> I am not sure how the creation of a self signed certificate as part of the 
>>> installation of the FOSSology software improves the situation.
>>
>> Well, in Debian, the self-signed "snake oil" cert can get you up and running 
>> with https quickly. If it were part of the default FOSSology install then 
>> we'd be encouraging encryption of passwords and other important data upon 
>> installation. Currently there are lots of warnings that might be ignored 
>> (bad) or improperly fixed (not so bad, depending).
>>
>>> From a technical point of view, of course, we could even add a self signed 
>>> certificate creation step in the post install operations.
>>
>> This might be good. I note that this script 
>> https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh
>>  does that in the Docker setup. Perhaps we merge some of that data into the 
>> official install? I'm writing some docs as we speak, I'll suggest a merge or 
>> PR. Of course M. Toussaint might as well. :-)
>>
>>> But, for most cases, would self signed certificates work right out of the 
>>> box? – we need to know the hostname of the machine we're on … maybe this is 
>>> possible, but I just do not know how reliably you can determine the 
>>> hostname. And if someone is using the fossology in a localhost setup, is it 
>>> helpful to create a certificate with the hostname and then the user calls 
>>> localhost and the certificate does not match … I am missing the possibilities 
>>> here, please let me know how this could work.
>>
>> Likely no, because we don't know the domain name and getting a cert from 
>> Let's Encrypt or another CA will require that you know, and control, the 
>> domain. To get around this, the Debian snake oil cert uses the localhost ip 
>> address 127.0.0.1.
>>
>>> I have not seen a documentation (as part of the FOSSology documentation) of 
>>> how to create a self signed certificate.
>>
>> Okay, I'll suggest what is hopefully a simple, easy-to-understand process 
>> since I think at least having these instructions helps support better 
>> security practice. I'll also hack on the configuration and set up (as little 
>> as possible) to make it easy-ish to have this OOTB. 
>>
>> Cheers,
>> Jeremiah
>>
>>
>>> Kind regards,
>>>   Michael
>>>
>>> From: <fossology@lists.fossology.org> on behalf of "Jeremiah C. Foster" 
>>> <jfos...@luxoft.com>
>>> Date: Wednesday, 1. April 2020 at 18:43
>>> To: "fossol...@fossology.org" <fossol...@fossology.org>
>>> Subject: Re: [FOSSology] Hi I have a questions before using fossology
>>>
>>> On Tue, 2020-03-31 at 21:42 +0000, Michael C. Jaeger wrote:
>>>> Hello,
>>>>
>>>>   thanks for reaching out to us. To your questions:
>>>>
>>>> *) is source code leaking out from a fossology server? Answer:
>>>>
>>>>    • Usually not, the fossology solution is entirely self-contained. You 
>>>> can run fossology entirely without access to the internet. The main point 
>>>> why you would need Internet access is about updating your OS and packages.
>>>>    • But please understand that although the FOSSology server can run 
>>>> everything on its own database, it is your responsibility to secure your 
>>>> server installation from being hacked. One first task would be to enable a 
>>>> connection using https.
>>>
>>> Is there documentation on doing this? I understand that there is plenty of 
>>> documentation already on the internet that describes using TLS and 
>>> certificates with apache and nginx, but there doesn't appear to be a ton of 
>>> documentation on the way that FOSSology sets things up. For example, 
>>> FOSSology does not appear to add a self-signed cert which would enable https 
>>> upon installation. Am I mistaken, is there more info on this?
>>>
>>> Regards,
>>>
>>> Jeremiah
>>>
>>> 
>>> This e-mail and any attachment(s) are intended only for the recipient(s) 
>>> named above and others who have been specifically authorized to receive 
>>> them. They may contain confidential information. If you are not the 
>>> intended recipient, please do not read this email or its attachment(s). 
>>> Furthermore, you are hereby notified that any dissemination, distribution 
>>> or copying of this e-mail and any attachment(s) is strictly prohibited. If 
>>> you have received this e-mail in error, please immediately notify the 
>>> sender by replying to this e-mail and then delete this e-mail and any 
>>> attachment(s) or copies thereof from your system. Thank you.
>>
> 
> 

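As an added example (not FOSSology project code and not something posted in this thread), the sketch below shows what the optional install step discussed above could look like: a shell function that issues a self-signed certificate whose Subject Alternative Names cover both the machine's hostname and localhost/127.0.0.1, so the same certificate is accepted (once the browser or OS trusts it) whether the UI is opened locally or over the network. The hostname `fossology.example.internal`, the output directory and the `--self-signed-cert` switch are assumptions for illustration; `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of FOSSology. Generates a self-signed TLS
# certificate with SANs for the given hostname plus localhost and 127.0.0.1.
# Assumes OpenSSL >= 1.1.1 (for -addext); paths below are illustrative.
set -eu

# Build the SAN list for a hostname. Kept as its own function so the
# name coverage can be inspected without invoking openssl.
san_list() {
    host="$1"
    printf 'DNS:%s,DNS:localhost,IP:127.0.0.1' "$host"
}

# Create key + certificate. $1 = hostname, $2 = output directory.
# The key is written unencrypted (-nodes) so Apache can start unattended,
# hence the restrictive mode on the key file.
make_self_signed_cert() {
    host="$1"
    outdir="$2"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 365 \
        -keyout "$outdir/fossology.key" -out "$outdir/fossology.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=$(san_list "$host")" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth"
    chmod 600 "$outdir/fossology.key"
}

# Check that a certificate file ($1) is valid for a name ($2).
# openssl prints "... does match certificate" or "... does NOT match ...".
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Optional install step: only act when the user explicitly asks for it,
# mirroring the "--self-signed-cert" switch suggested in the thread.
if [ "${1:-}" = "--self-signed-cert" ]; then
    make_self_signed_cert "$(hostname -f)" /etc/fossology/tls
    cert_matches /etc/fossology/tls/fossology.crt localhost
    cert_matches /etc/fossology/tls/fossology.crt "$(hostname -f)"
fi
```

The resulting files would be referenced from the Apache vhost with `SSLCertificateFile` and `SSLCertificateKeyFile`. Note that the SAN list only removes the hostname-mismatch warning; a self-signed certificate still triggers an untrusted-issuer warning until the client trusts it (or the operator swaps in a CA-issued certificate, which the opt-in switch leaves room for).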

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#3350): https://lists.fossology.org/g/fossology/message/3350
Mute This Topic: https://lists.fossology.org/mt/72670290/21656
Group Owner: fossology+ow...@lists.fossology.org
Unsubscribe: https://lists.fossology.org/g/fossology/unsub  
-=-=-=-=-=-=-=-=-=-=-=-