On Thu, Nov 9, 2017 at 3:16 PM, Waldek Kozaczuk <jwkozac...@gmail.com>
wrote:

> Yep, I had similar thoughts about security. I would imagine that on AWS one
> would have a "build" EC2 instance where he/she would run capstan and spin up a
> "stem" OSv instance to upload files to and take a snapshot to create a new AMI.
> The stem instance should NOT have a public IP and be only available from
> the same VPC.
>
> As far as security goes, there are even more potential vulnerability
> problems depending on how OSv is built. For example, the httpserver module by
> default has both read and write (destructive) operations (delete files),
> which is pretty much wide open unless you configure it to use a client
> certificate with HTTPS. Therefore I suggested adding a read-only mode here -
> https://github.com/cloudius-systems/osv/issues/820 (which I am planning
> to work on soon).
>
> Also I am curious what version of openssl does OSv use. I remember there
> was this huge security hole in openssl 2-3 years ago (
> http://heartbleed.com/). Which openssl version is OSv using?
>

That's a good question. The OSv kernel doesn't use openssl, and
applications can pick up whichever version of this library they want, but
if you're asking about the httpserver,
that uses modules/openssl, which takes openssl from external/, which is sad
(see https://github.com/cloudius-systems/osv/issues/743).
The stuff in external is pretty old, I think two years old :-(
