Re: [FOSSology] Hi I have a questions before using fossology

2020-04-02 Thread Jeremiah C. Foster
On Thu, 2020-04-02 at 09:40 +0200, Nicolas Toussaint via
lists.fossology.org wrote:
> Hi,
> Nice discussion - generally inciting users to secure their Fossology
> instance sounds pretty good to me :)

+1  :^)

> > This might be good. I note that this script
> > https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh
> > does that in the Docker setup. Perhaps we merge some of that data
> > into the official install? I'm writing some docs as we speak, I'll
> > suggest a merge or PR. Of course M. Toussaint might as well.
> That's a pretty good idea; these scripts are run after deploying the
> Docker containers, but [some of] the configuration steps could be imported
> directly in the Fossology source code as post-installation scripts.
>
> This would
> 1/ make the features available to non-Docker instances
> 2/ simplify the docker-specific scripts

These two goals are likely going to be hugely helpful for new installs.
Currently it can be a little confusing for new folks because upon
install they're dumped into a docker container spitting out Apache
logs. For a seasoned administrator this is okay I suppose but it is
somewhat dissimilar to what might be "best practice" for a typical
container install.

> 3/ ease maintenance of the scripts

This is likely also a big benefit, especially if there is a plan to
move to php7.4 for example. Currently the Docker files are using Debian
Stretch because they need php7.0-cli. That's fine, but Debian will be
going into a Freeze soon which means the End of Life for Stretch as
old-stable is on the horizon. There is LTS support for Stretch (
https://wiki.debian.org/LTS) but it is done by companies and does not
receive Debian's security support.

> Happy to help if going this way.

I would love to discuss things with you and get your input (and of
course Michael's and everyone on this list). I share your goals of
making install simpler and more modular.

Cheers,

Jeremiah

> Nico

Re: [FOSSology] Hi I have a questions before using fossology

2020-04-02 Thread Nicolas Toussaint via lists.fossology.org

Hi,
Nice discussion - generally inciting users to secure their Fossology 
instance sounds pretty good to me :)

> This might be good. I note that this script
> https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh
> does that in the Docker setup. Perhaps we merge some of that data into the
> official install? I'm writing some docs as we speak, I'll suggest a merge or
> PR. Of course M. Toussaint might as well.

That's a pretty good idea; these scripts are run after deploying the
Docker containers, but [some of] the configuration steps could be imported
directly in the Fossology source code as post-installation scripts.

This would
1/ make the features available to non-Docker instances
2/ simplify the docker-specific scripts
3/ ease maintenance of the scripts

Happy to help if going this way.

Nico


Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Michael C. Jaeger
Hi,

for all contributions:

* it would be good to have an issue, I have created one: 
https://github.com/fossology/fossology/issues/1676
* consider opening a PR here, you can do this from your fork: 
https://github.com/fossology/fossology/pulls
* help with the contributing guidelines is here: 
https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md
* most importantly: 
https://github.com/fossology/fossology/blob/master/CONTRIBUTING.md#git-commit-conventions

Kind regards,
  Michael


Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Jeremiah C. Foster
On Wed, 2020-04-01 at 18:52 +, Michael C. Jaeger wrote:
> Hi,
>
> Please go ahead, sounds good in general, just allow me to understand the cases
> here
>
> * either we add a 127.0.0.1 / snakeoil certificate and then there will be an
> error message in the browser that hostname does not match the cert when
> accessing the fossology over the network (server setup)

- Yes. With a 127.0.0.1 we will get a warning in the browser when accessing it 
over the network.

> * or we try to determine the hostname but then there will be the same error
> when accessing the localhost?

- I cannot say for sure. There may be a clever way to do this. For example, it 
may be possible to edit an install script with the hostname and generate the 
self-signed cert. But, and this is kind of a big but, it will still throw a 
warning.

> How about an optional step in the install as a script?

This is likely the best approach. This way it can be an argument like 
"--self-signed-cert" or "--install-cert" to the script that the end user has to 
consciously add on. This way you'd likely give people the flexibility to 
reuse their existing certificates, choose a self-signed cert, or simply ignore 
it entirely if they don't care.

Thanks for your replies, it helps me know where my patches are likely to land 
and prioritizes my contributions.

Cheers,

Jeremiah


> Kind regards, Michael

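The optional self-signed-certificate step discussed above, as an added example that is not part of this thread and not FOSSology's own install code. It is a POSIX shell helper that generates a self-signed certificate whose Subject Alternative Name lists the machine's hostname together with localhost and 127.0.0.1, so the name-mismatch warning Michael raises does not occur for either access path (the browser still warns that the issuer is untrusted, which only importing or pinning the certificate on the client resolves). It also sketches the opt-in `--self-signed-cert` flag Jeremiah proposes. The function names, the output file names, the `FOSSOLOGY_TLS_HOST` override and the sample hostname are assumptions; it requires OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example, not FOSSology's own code. Generates a self-signed TLS
# certificate for a fresh install and checks which names it covers.
# Requires OpenSSL 1.1.1+ (for -addext). Function and file names are assumptions.

# make_selfsigned_cert OUTDIR HOSTNAME [DAYS]
# Writes OUTDIR/fossology.key and OUTDIR/fossology.crt. The SAN extension lists
# the real hostname *and* the localhost names, so the certificate matches
# whether the UI is opened as https://HOSTNAME/ or https://localhost/.
make_selfsigned_cert() {
  outdir=$1
  host=$2
  days=${3:-365}
  mkdir -p "$outdir"
  san="DNS:${host},DNS:localhost,IP:127.0.0.1,IP:::1"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -subj "/CN=${host}" -addext "subjectAltName=${san}" \
    -days "$days" \
    -keyout "$outdir/fossology.key" -out "$outdir/fossology.crt" \
    >/dev/null 2>&1 || return 1
  # The private key must not be world-readable; the web server reads it at start-up.
  chmod 600 "$outdir/fossology.key"
}

# cert_covers_name CERT NAME
# Succeeds (exit 0) when NAME, a DNS name or IP address, appears in CERT's SAN.
# This mirrors the name check a browser performs; run it for every name
# administrators will type into the address bar.
cert_covers_name() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -q -x -e "DNS:$2" -e "IP Address:$2"
}

# install_tls_step OUTDIR [ARGS...]
# Sketch of the opt-in install step proposed in the thread: the certificate is
# only generated when the administrator explicitly passes --self-signed-cert;
# otherwise the function returns 1 and leaves TLS set-up to the administrator.
# FOSSOLOGY_TLS_HOST (assumed name) overrides the detected hostname.
install_tls_step() {
  outdir=$1
  shift
  for arg in "$@"; do
    if [ "$arg" = "--self-signed-cert" ]; then
      host=${FOSSOLOGY_TLS_HOST:-$(hostname -f 2>/dev/null || hostname)}
      make_selfsigned_cert "$outdir" "$host"
      return $?
    fi
  done
  return 1
}

# Example invocation (uncomment to run by hand):
# install_tls_step /etc/ssl/fossology --self-signed-cert && \
#   cert_covers_name /etc/ssl/fossology/fossology.crt localhost && echo "localhost covered"
```

The generated pair is then referenced from the Apache virtual host with `SSLCertificateFile` and `SSLCertificateKeyFile`; the point of the SAN list is that one certificate serves both the server-setup and the localhost-setup cases Michael distinguishes, rather than picking one of them.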

Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Michael C. Jaeger
Hi,

Please go ahead, sounds good in general, just allow me to understand the cases 
here

* either we add a 127.0.0.1 / snakeoil certificate and then there will be an 
error message in the browser that hostname does not match the cert when 
accessing the fossology over the network (server setup)
* or we try to determine the hostname but then there will be the same error 
when accessing the localhost?

How about an optional step in the install as a script?

Kind regards, Michael


Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Jeremiah C. Foster
On Wed, 2020-04-01 at 18:25 +, Jaeger, Michael C. wrote:
> Hi,
>
> I am not sure how the creation of a self-signed certificate as part of the
> installation of the FOSSology software improves the situation.

Well, in Debian, the self-signed "snake oil" cert can get you up and running 
with https quickly. If it were part of the default FOSSology install then we'd 
be encouraging encryption of passwords and other important data upon 
installation. Currently there are lots of warnings that might be ignored (bad) 
or improperly fixed (not so bad, depending).

> From a technical point of view, of course, we could even add a self-signed
> certificate creation step in the post-install operations.

This might be good. I note that this script 
https://github.com/Orange-OpenSource/Fossology-Docker-Deploy-Scripts/blob/master/setup-container-web.sh
does that in the Docker setup. Perhaps we merge some of that data into the 
official install? I'm writing some docs as we speak, I'll suggest a merge or 
PR. Of course M. Toussaint might as well. :-)

> But, for most cases, would self-signed certificates work right out of the box?
> – we need to know the hostname of the machine we're on … maybe this is
> possible, but I just do not know how reliably you can determine the hostname.
> And if someone is using the fossology in a localhost setup, is it helpful to
> create a certificate with the hostname and then the user calls localhost and the
> certificate does not match … I am missing the possibilities here, please let me
> know how this could work.

Likely no, because we don't know the domain name and getting a cert from Let's 
Encrypt or another CA will require that you know, and control, the domain. To 
get around this, the Debian snake oil cert uses the localhost ip address 
127.0.0.1.

> I have not seen any documentation (as part of the FOSSology documentation) of how
> to create a self-signed certificate.

Okay, I'll suggest what is hopefully a simple, easy-to-understand process since 
I think at least having these instructions helps support better security 
practice. I'll also hack on the configuration and set up (as little as 
possible) to make it easy-ish to have this OOTB.

Cheers,
Jeremiah


> Kind regards,
>   Michael




This e-mail and any attachment(s) are intended only for the recipient(s) named 
above and others who have been specifically authorized to receive them. They 
may contain confidential information. If you are not the intended recipient, 
please do not read this email or its attachment(s). Furthermore, you are hereby 
notified that any dissemination, distribution or copying of this e-mail and any 
attachment(s) is strictly prohibited. If you have received this e-mail in 
error, please immediately notify the sender by replying to this e-mail and then 
delete this e-mail and any attachment(s) or copies thereof from your system. 
Thank you.





Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Michael C. Jaeger
Hi,

I am not sure how the creation of a self-signed certificate as part of the 
installation of the FOSSology software improves the situation.

From a technical point of view, of course, we could even add a self-signed 
certificate creation step in the post-install operations. But, for most cases, 
would self-signed certificates work right out of the box? – we need to know the 
hostname of the machine we're on … maybe this is possible, but I just do not 
know how reliably you can determine the hostname. And if someone is using the 
fossology in a localhost setup, is it helpful to create a certificate with the 
hostname and then the user calls localhost and the certificate does not match … 
I am missing the possibilities here, please let me know how this could work.

I have not seen any documentation (as part of the FOSSology documentation) of how 
to create a self-signed certificate.

Kind regards,
  Michael



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#3345): https://lists.fossology.org/g/fossology/message/3345
Mute This Topic: https://lists.fossology.org/mt/72670290/21656
Group Owner: fossology+ow...@lists.fossology.org
Unsubscribe: https://lists.fossology.org/g/fossology/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread Jeremiah C. Foster
On Tue, 2020-03-31 at 21:42 +, Michael C. Jaeger wrote:
Hello,

  thanks for reaching out to us. To your questions:

*) is source code leaking out from a fossology server? Answer:


  1.  Usually not, the FOSSology solution is entirely self-contained. You can 
run FOSSology entirely without access to the internet. The main point why you 
would need Internet access is about updating your OS and packages.
  2.  But please understand that although the FOSSology server can run 
everything on its own database, it is your responsibility to secure your server 
installation from being hacked. One first task would be to enable a connection 
using https.

Is there documentation on doing this? I understand that there is plenty of 
documentation already on the internet that describes using TLS and certificates 
with Apache and nginx, but there doesn't appear to be a ton of documentation on 
the way that FOSSology sets things up. For example, FOSSology does not appear 
to add a self-signed cert which would enable https upon installation. Am I 
mistaken, is there more info on this?

Regards,

Jeremiah



This e-mail and any attachment(s) are intended only for the recipient(s) named 
above and others who have been specifically authorized to receive them. They 
may contain confidential information. If you are not the intended recipient, 
please do not read this email or its attachment(s). Furthermore, you are hereby 
notified that any dissemination, distribution or copying of this e-mail and any 
attachment(s) is strictly prohibited. If you have received this e-mail in 
error, please immediately notify the sender by replying to this e-mail and then 
delete this e-mail and any attachment(s) or copies thereof from your system. 
Thank you.

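A concrete shape for the "enable a connection using https" step that Jeremiah asks about, as an added example for this thread rather than anything from the FOSSology project or its installer. It assumes a Debian host serving FOSSology through Apache, the hostname fossology.example.test, certificate and key under /etc/ssl/private, and that FOSSology's own Apache snippet (which provides the /repo alias) stays enabled globally; the self-signed certificate is only for bootstrapping and should be replaced by a CA-issued one before users are told to trust the host.

```shell
#!/bin/sh
# Added example, not FOSSology project code. Renders an Apache vhost that
# serves FOSSology over TLS only (plain HTTP just redirects), checks that the
# rendered config really is TLS-only, and bootstraps a self-signed certificate.
# Hostname, file paths and the Debian/Apache layout are assumptions.
set -eu

# Render the vhost text. The /repo alias is assumed to come from FOSSology's
# own globally enabled Apache snippet, so it is not repeated here.
render_tls_vhost() {
    host="$1"; cert="$2"; key="$3"
    cat <<EOF
<VirtualHost *:80>
    ServerName ${host}
    # Plain HTTP only redirects; nothing is served in the clear.
    Redirect permanent / https://${host}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${host}
    SSLEngine on
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
    # Refuse legacy protocol versions.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Pin browsers to HTTPS (enable once clients trust the certificate).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
EOF
}

# Return 0 only when the config has a TLS listener, the :80 vhost redirects,
# and the :80 vhost serves no DocumentRoot of its own.
check_vhost_tls_only() {
    cfg="$1"
    printf '%s\n' "$cfg" | grep -q '^ *SSLEngine on$' || return 1
    printf '%s\n' "$cfg" | grep -q '^ *Redirect permanent / https://' || return 1
    if printf '%s\n' "$cfg" | sed -n '/\*:80>/,/<\/VirtualHost>/p' | grep -q '^ *DocumentRoot'; then
        return 1
    fi
    return 0
}

# Self-signed bootstrap certificate: RSA 2048, 365 days, no passphrase on the key.
make_self_signed_cert() {
    host="$1"; outdir="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=${host}" \
        -keyout "${outdir}/fossology.key" -out "${outdir}/fossology.crt"
    chmod 600 "${outdir}/fossology.key"
}

# Usage on the host (as root; not executed when this file is sourced):
#   make_self_signed_cert fossology.example.test /etc/ssl/private
#   render_tls_vhost fossology.example.test /etc/ssl/private/fossology.crt \
#       /etc/ssl/private/fossology.key > /etc/apache2/sites-available/fossology-tls.conf
#   a2enmod ssl headers && a2ensite fossology-tls && apachectl configtest && systemctl reload apache2
```

The check function is the part worth keeping around: run it against whatever vhost actually ends up in sites-enabled, since a leftover default :80 site with a DocumentRoot is the usual way an "HTTPS-enabled" install still answers in the clear.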



Re: [FOSSology] Hi I have a questions before using fossology

2020-04-01 Thread TV레전드
Thank you for your kind explanation.
I hope there are only good things in your future.

James


On Wed, 1 April 2020 at 6:42 AM, Jaeger, Michael C. wrote:

> Hello,
>
>   thanks for reaching out to us. To your questions:
>
> *) is source code leaking out from a fossology server? Answer:
>
>    1. Usually not, the FOSSology solution is entirely self-contained. You
>    can run FOSSology entirely without access to the internet. The main point
>    why you would need Internet access is about updating your OS and packages.
>    2. But please understand that although the FOSSology server can run
>    everything on its own database, it is your responsibility to secure your
>    server installation from being hacked. One first task would be to enable a
>    connection using https.
>    3. How do Monk or Nomos work? They scan for license statements, not
>    source code snippets. As such, all the database information required to
>    identify licensing statements in your uploads / source code comes with the
>    installation of FOSSology. In fact all the information is put in a file
>    on the dev side for convenience to add new licenses (ref.
>    https://github.com/fossology/fossology/blob/master/install/db/licenseRef.json
>    )
>    4. From the next version / latest master, FOSSology will be able, if
>    you activate this, to query the Software Heritage REST API: FOSSology
>    computes a SHA256 value and sends this to the Software Heritage API. You
>    can test this functionality in 3.8.0-RC1.
>
> *) Regarding the export of files only: I think there is a feature to limit
> SPDX reporting to only files where licenses have been found, which can be
> switched on in the Conf section -> SPDX Report Settings -> Ignore files with
> no info in SPDX … when you have opened an upload. Is that what you were
> looking for? This is made especially for uploads where only few files contain
> license information and 1000 other files do not. Then SPDX files still list
> all files with NOASSERTION. If you do not want that, there is this switch.
>
> Hope these answers help and please follow up on FOSSology, if you see the
> need for clarification,
>
> Michael
>
> *From: * on behalf of TV레전드 <
> 482...@gmail.com>
> *Date: *Tuesday, 31. March 2020 at 05:28
> *To: *"fossol...@fossology.org" 
> *Subject: *[FOSSology] Hi I have a questions before using fossology
>
>
>
> Hi dear.
>
> Nice to meet you.
> I am Korean, James.
>
> Our company is looking for open source analysis tools,
> so I installed FOSSology as the Docker version and tested it,
> and the result is good performance.
>
> I have 2 questions.
>
> 1. Isn't my source code leaked when I use the solution? I know the Monk agent
> uses a DB, please explain.
>
> 2. Is there a way to export only the files that have been cleared when the
> report is drawn?
> - in the report there is no distinction between files that are cleared in
> FOSSology and those that are not
>
> Thanks for running this great tool.
>
> 
>




Re: [FOSSology] Hi I have a questions before using fossology

2020-03-31 Thread Michael C. Jaeger
Hello,

  thanks for reaching out to us. To your questions:

*) is source code leaking out from a fossology server? Answer:


  1.  Usually not, the FOSSology solution is entirely self-contained. You can 
run FOSSology entirely without access to the internet. The main point why you 
would need Internet access is about updating your OS and packages.
  2.  But please understand that although the FOSSology server can run 
everything on its own database, it is your responsibility to secure your server 
installation from being hacked. One first task would be to enable a connection 
using https.
  3.  How do Monk or Nomos work? They scan for license statements, not source 
code snippets. As such, all the database information required to identify 
licensing statements in your uploads / source code comes with the installation 
of FOSSology. In fact all the information is put in a file on the dev side 
for convenience to add new licenses (ref. 
https://github.com/fossology/fossology/blob/master/install/db/licenseRef.json)
  4.  From the next version / latest master, FOSSology will be able, if you 
activate this, to query the Software Heritage REST API: FOSSology computes a 
SHA256 value and sends this to the Software Heritage API. You can test this 
functionality in 3.8.0-RC1.

*) Regarding the export of files only: I think there is a feature to limit SPDX 
reporting to only files where licenses have been found, which can be switched 
on in the Conf section -> SPDX Report Settings -> Ignore files with no info in 
SPDX … when you have opened an upload. Is that what you were looking for? This 
is made especially for uploads where only few files contain license information 
and 1000 other files do not. Then SPDX files still list all files with 
NOASSERTION. If you do not want that, there is this switch.

Hope these answers help and please follow up on FOSSology, if you see the need 
for clarification,

Michael

From:  on behalf of TV레전드 <482...@gmail.com>
Date: Tuesday, 31. March 2020 at 05:28
To: "fossol...@fossology.org" 
Subject: [FOSSology] Hi I have a questions before using fossology

Hi dear.

Nice to meet you.
I am Korean, James.

Our company is looking for open source analysis tools,
so I installed FOSSology as the Docker version and tested it,
and the result is good performance.

I have 2 questions.

1. Isn't my source code leaked when I use the solution? I know the Monk agent 
uses a DB, please explain.

2. Is there a way to export only the files that have been cleared when the 
report is drawn?
- in the report there is no distinction between files that are cleared in 
FOSSology and those that are not

Thanks for running this great tool.


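What Michael's "Ignore files with no info in SPDX" switch amounts to, shown as an added example that is not FOSSology code: a filter over an SPDX 2.x tag:value report that keeps the document header and drops every file block whose license and copyright tags are all NOASSERTION. The sample report is constructed for the example, and the rule "keep a file if at least one of LicenseConcluded, LicenseInfoInFile or FileCopyrightText is not NOASSERTION" is an assumption about what the switch does, not a reading of the FOSSology source.

```shell
#!/bin/sh
# Added example, not FOSSology code: emulate the "Ignore files with no info in
# SPDX" report switch on an SPDX tag:value document. The keep/drop rule below
# is an assumption about the feature, not taken from the FOSSology source.
set -eu

# Constructed sample report (not from the thread): two files with findings,
# one file (./README) with nothing but NOASSERTION.
SAMPLE_SPDX='SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
DocumentName: constructed-sample

FileName: ./src/main.c
SPDXID: SPDXRef-File-1
FileChecksum: SHA1: 0000000000000000000000000000000000000001
LicenseConcluded: NOASSERTION
LicenseInfoInFile: MIT
FileCopyrightText: NOASSERTION

FileName: ./README
SPDXID: SPDXRef-File-2
FileChecksum: SHA1: 0000000000000000000000000000000000000002
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION

FileName: ./LICENSE
SPDXID: SPDXRef-File-3
FileChecksum: SHA1: 0000000000000000000000000000000000000003
LicenseConcluded: Apache-2.0
LicenseInfoInFile: Apache-2.0
FileCopyrightText: NOASSERTION
'

# Read tag:value text on stdin. Lines before the first FileName (the document
# header) pass through unchanged; each file block is buffered and emitted only
# if one of its license/copyright tags carries a value other than NOASSERTION.
filter_noassertion_files() {
    awk '
        function flush() { if (block != "" && keep) printf "%s", block; block = ""; keep = 0 }
        /^FileName:/ { flush(); infile = 1 }
        infile == 0 { print; next }                  # document header passes through
        { block = block $0 "\n" }                    # buffer the original line first
        /^(LicenseConcluded|LicenseInfoInFile|FileCopyrightText):/ {
            sub(/^[^:]*: */, "")                     # strip the tag, keep the value
            if ($0 != "NOASSERTION") keep = 1
        }
        END { flush() }
    '
}

# Count FileName entries on stdin (prints 0 rather than failing on no match).
count_files() { grep -c '^FileName:' || true; }

# Usage: printf '%s' "$SAMPLE_SPDX" | filter_noassertion_files
```

Running the sample through the filter leaves ./src/main.c and ./LICENSE and removes ./README; the header lines (SPDXVersion, DataLicense, DocumentName) are kept so the result is still a parseable document. The same pipeline works on a real tag:value export when you want to see what the switch would have hidden.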