On Thu, 2020-04-02 at 09:40 +0200, Nicolas Toussaint via lists.fossology.org wrote: > Hi, > Nice discussion - generally inciting users to secure their Fossology > instance sounds pretty good to me :)
+1 :^) > > This might be good. I note that this script > > https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh > > does that in the Docker setup. Perhaps we merge some of that data > > into the official install? I'm writing some docs as we speak, I'll > > suggest a merge or PR. Of course M. Toussaint might as well. > That's a pretty good idea ; these scripts are run after deploying > the > Docker containers, > but [some of] the configuration steps could be imported directly > in > the Fossology > source code as post-installation scripts. > > This would > 1/ make the features available to non-Docker instances > 2/ simplify the docker-specific scripts These two goals are likely going to be hugely helpful for new installs. Currently it can be a little confusing for new folks because upon install they're dumped into a docker container spitting out Apache logs. For a seasoned administrator this is okay I suppose but it is somewhat disimilar to what might be "best practice" for a typical container install. > 3/ ease maintenance of the scripts This is likely also a big benefit, especially if there is a plan to move to php7.4 for example. Currently the Docker files are using Debian Stretch because they need php7.0-cli. That's fine, but Debian will be going into a Freeze soon which means the End of Life for Stretch as old-stable is on the horizon. There is LTS support for Stretch ( https://wiki.debian.org/LTS) but it is done by companies and does not receive Debian's security support. > Happy to help if going this way. I would love to discuss things with you and get your input (and of course Michael's and everyone on this list). I share you goals of making install simpler and more modular. Cheers, Jeremiah > Nico > > On 02/04/2020 00:31, Michael C. Jaeger wrote: > > Hi, > > > > for all contributions: > > > > * it would be good have an issue, I have created one: > > https://github.com/fossology/fossology/issues/1676 > > * consider open a PR here, you can do this from your fork: > > https://github.com/fossology/fossology/pulls > > * a help with contributing guidelines is here: > > https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md > > * most importantly: > > https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md#git-commit-conventions > > > > Kind regards, > > Michael > > > > > On 1. Apr 2020, at 22:50, Jeremiah C. Foster <jfos...@luxoft.com> > > > wrote: > > > > > > On Wed, 2020-04-01 at 18:52 +0000, Michael C. Jaeger wrote: > > > > Hi, > > > > > > > > Please go ahead, sound good in general, just allow me to > > > > understand the cases here > > > > > > > > * either we add a 127.0.0.1 / snakeoil certificate and then > > > > there will be an error message in the browser that hostname > > > > does not match the cert when accessing the fossology over the > > > > network (server setup) > > > - Yes. With a 127.0.0.1 we will get a warning in the browser when > > > accessing it over the network. > > > > > > > * or we try to determine the hostname but then there will be > > > > the same error when accessing the localhost? > > > - I cannot say for sure. There may be a clever way to do this. > > > For example, it may be possible to edit an install script with > > > the hostname and generate the self-signed cert. But, and this is > > > kind of a big but, it will still throw a warning. > > > > > > > How about an optional step in the install as a script? > > > This is likely the best approach. This way it can be an argument > > > like "--self-signed-cert" or "--install-cert" to the script that > > > the end user has to consciously add on. This way you'd likely > > > have the flexibility to people to reuse their existing > > > certificates, choose a self-signed cert, or simply ignore it > > > entirely if they don't care. > > > > > > Thanks for your replies, it helps me know where my patches are > > > likely to land and prioritizes my contributions. > > > > > > Cheers, > > > > > > Jeremiah > > > > > > > Kind regards, Michael > > > > > > > > From: "Foster, Jeremiah" <jfos...@luxoft.com> > > > > Date: Wednesday, 1. April 2020 at 20:45 > > > > To: "fossol...@fossology.org" <fossol...@fossology.org>, > > > > "Jaeger, Michael C. (CT RDA SSI DOS-DE)" < > > > > michael.c.jae...@siemens.com> > > > > Subject: Re: [FOSSology] Hi I have a questions before using > > > > fossology > > > > > > > > On Wed, 2020-04-01 at 18:25 +0000, Jaeger, Michael C. wrote: > > > > > Hi, > > > > > > > > > > I am not sure how the creation of a self signed certificate > > > > > as part of the installation of the FOSSology software > > > > > improves the situation. > > > > Well, in Debian, the self-signed "snake oil" cert can get you > > > > up and running with https quickly. If it were part of the > > > > default FOSSology install then we'd be encouraging encryption > > > > of passwords and other important data upon installation. > > > > Currently there are lots of warnings that might be ignored > > > > (bad) or improperly fixed (not so bad, depending). > > > > > > > > > From a technical point of view, of course, we could even add > > > > > a self signed certificate creation step in the post install > > > > > operations. > > > > This might be good. I note that this script > > > > https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh > > > > does that in the Docker setup. Perhaps we merge some of that > > > > data into the official install? I'm writing some docs as we > > > > speak, I'll suggest a merge or PR. Of course M. Toussaint might > > > > as well. :-) > > > > > > > > > But, for most cases, would self signed certificates work > > > > > right out of the box? – we need to know the hostname of the > > > > > machine we re on … maybe this is possible, but I, just do not > > > > > know how reliably you can determine the hostname. And if some > > > > > is using the fossology in a localhost setup, is it helpful to > > > > > create a certificate with the hostname and then the user call > > > > > localhost and the certificate does not match … I am missing > > > > > the possibilies here, please let me know how this could work. > > > > Likely no, because we don't know the domain name and getting a > > > > cert from Let's Encrypt or another CA will require that you > > > > know, and control, the domain. To get around this, the Debian > > > > snake oil cert uses the localhost ip address 127.0.0.1. > > > > > > > > > I have not seen a documentation (as part of the FOSSology > > > > > documentation) of how to create a self signed certificate. > > > > Okay, I'll suggest what is hopefully a simple, easy-to- > > > > understand process since I think at least having these > > > > instructions helps support better security practice. I'll also > > > > hack on the configuration and set up (as little as possible) to > > > > make it easy-ish to have this OOTB. > > > > > > > > Cheers, > > > > Jeremiah > > > > > > > > > > > > > Kind regards, > > > > > Michael > > > > > > > > > > From: <fossology@lists.fossology.org> on behalf of "Jeremiah > > > > > C. Foster" <jfos...@luxoft.com> > > > > > Date: Wednesday, 1. April 2020 at 18:43 > > > > > To: "fossol...@fossology.org" <fossol...@fossology.org> > > > > > Subject: Re: [FOSSology] Hi I have a questions before using > > > > > fossology > > > > > > > > > > On Tue, 2020-03-31 at 21:42 +0000, Michael C. Jaeger wrote: > > > > > > Hello, > > > > > > > > > > > > thanks for reaching out to us. To your questions: > > > > > > > > > > > > *) is source code leaking out from a fossology server? > > > > > > Answer: > > > > > > > > > > > > • Usually not , the fossology solution is entire self > > > > > > contained. You can run fossology entirely without access to > > > > > > the internet. The main point why you would need Internet > > > > > > access is about updating your OS and packages. > > > > > > • But please understand that despite the FOSSology > > > > > > server can run everything on its own database, it your > > > > > > responsibility to secure your server installation from > > > > > > being hacked. One first task would be to enable a > > > > > > connection using https. > > > > > Is there documentation on doing this? I understand that there > > > > > is plenty of documentation already on the internet that > > > > > describes using TLS and certificates with apache and nginx, > > > > > but there doesn't appear to be a ton of documentation on the > > > > > way that FOSSology sets things up. For example, FOSSology > > > > > does not appear add a self-signed cert which would enable > > > > > https upon installation. Am I mistaken, is there more info on > > > > > this? > > > > > > > > > > Regards, > > > > > > > > > > Jeremiah > > > > > > > > > > > > > > > This e-mail and any attachment(s) are intended only for the > > > > > recipient(s) named above and others who have been > > > > > specifically authorized to receive them. They may contain > > > > > confidential information. If you are not the intended > > > > > recipient, please do not read this email or its > > > > > attachment(s). Furthermore, you are hereby notified that any > > > > > dissemination, distribution or copying of this e-mail and any > > > > > attachment(s) is strictly prohibited. If you have received > > > > > this e-mail in error, please immediately notify the sender by > > > > > replying to this e-mail and then delete this e-mail and any > > > > > attachment(s) or copies thereof from your system. Thank you. > > > > > > > > This e-mail and any attachment(s) are intended only for the > > > > recipient(s) named above and others who have been specifically > > > > authorized to receive them. They may contain confidential > > > > information. If you are not the intended recipient, please do > > > > not read this email or its attachment(s). Furthermore, you are > > > > hereby notified that any dissemination, distribution or copying > > > > of this e-mail and any attachment(s) is strictly prohibited. If > > > > you have received this e-mail in error, please immediately > > > > notify the sender by replying to this e-mail and then delete > > > > this e-mail and any attachment(s) or copies thereof from your > > > > system. Thank you. > > > > > > > > > > This e-mail and any attachment(s) are intended only for the > > > recipient(s) named above and others who have been specifically > > > authorized to receive them. They may contain confidential > > > information. If you are not the intended recipient, please do not > > > read this email or its attachment(s). Furthermore, you are hereby > > > notified that any dissemination, distribution or copying of this > > > e-mail and any attachment(s) is strictly prohibited. If you have > > > received this e-mail in error, please immediately notify the > > > sender by replying to this e-mail and then delete this e-mail and > > > any attachment(s) or copies thereof from your system. Thank you. > > > > > > > ________________________________ This e-mail and any attachment(s) are intended only for the recipient(s) named above and others who have been specifically authorized to receive them. They may contain confidential information. If you are not the intended recipient, please do not read this email or its attachment(s). Furthermore, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender by replying to this e-mail and then delete this e-mail and any attachment(s) or copies thereof from your system. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#3354): https://lists.fossology.org/g/fossology/message/3354 Mute This Topic: https://lists.fossology.org/mt/72670290/21656 Group Owner: fossology+ow...@lists.fossology.org Unsubscribe: https://lists.fossology.org/g/fossology/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
