antoine at nagafix
Dec 22, 2004, 10:21 AM
Post #9 of 12
Re: postfix ebuild with default certificates
On Wed, 2004-12-22 at 11:46 -0500, James Hiscock wrote:
> > And end up having unused certificate files in /etc/ ? Hmm.
> The certs aren't that big, so it's not a huge waste of space... <shrug>
I wasn't thinking about space, just clutter and confusion.
> > The thing is, if they were generated it wouldn't be so bad,
> > but as pointed out earlier, these certs are included as-is. AFAIK.
> > It doesn't make it obvious at all. Saying "you need to run mkcert"
> > would.
> They are generated, though: looking through
> /usr/portage/mail-mta/postfix/postfix-2.1.5-r1.ebuild indicates that
> it inherits from ssl-cert (see /usr/portage/eclass/ssl-cert), which in
> turn generates a new SSL certificate given a set of parameters... so
> every time you install/upgrade postfix, you'll get a newly generated
> certificate... in other words, the ebuild is already running mkcert
> for you...
That isn't so bad.
> I must've missed it when somebody pointed out that the certs are
> included as-is... but from my fifteen minutes of investigation, it
> doesn't look that way to me at all...
I must have dreamt it...
> > We make it easier for the user not to pay attention by making him
> > believe he is using secure certs.
> What's so insecure about them? Am I missing something here?
Nothing, if they are generated!
> gentoo-security [at] gentoo mailing list