Daniel Sahlberg wrote on Wed, 20 Jan 2021 07:12 +00:00: > Den ons 20 jan. 2021 kl 00:16 skrev Nathan Hartman <hartman.nat...@gmail.com>: > > On Mon, Jan 18, 2021 at 4:17 AM Daniel Sahlberg > > <daniel.l.sahlb...@gmail.com> wrote: > > > * No SSL at the moment. I suggest to install certbot and a Let's encrypt > > > certificate. (Should renewal notices go to dev@?) > > > > Is there any sensitive information in them? If yes, private@, if not, > > dev@ should be fine. > > Don't think there should be anything sensitive, worst case is probably > "Your site's certificate has not been updated and is now EOL, you need > to update". I've put it to dev@ and we might reconsider later on.
I see you used CN=svn-haxx.apache.org on the certificate. Please run this by Infra. It's conceivable that having a *.apache.org site that _doesn't_ use the wildcard cert might impact the wildcard's reputation in some way (e.g., break certificate pinning rules in plugins such as HTTPS Everywhere). [We aren't going to get a copy of the wildcard cert on a PMC VM, but Infra might do an SSL-terminating reverse proxy for us from a box they control.] Second, I'm not happy about setting the address to dev@, for several reasons. One, it's not development-related traffic. Two, IIRC in Let's Encrypt the email address given is the "owner's" address, so if LE ever need to contact the PMC for whatever reason, automated or otherwise, that's the address they'd use. Such traffic should go to private@. I'm aware you aren't on that list, Daniel. We'll just have to loop you in on relevant threads. That would mirror the ACL configuration (for /repos/private/pmc/subversion/machines, and, IIRC, Infra's puppet repos too). Cheers, Daniel
