On Sun, Jul 23, 2017 at 09:35:12AM +0200, Reimar Döffinger wrote:
> On 23.07.2017, at 09:27, Reimar Döffinger <reimar.doeffin...@gmx.de> wrote:
> 
> > On 21.07.2017, at 15:31, Ricardo Constantino <wiia...@gmail.com> wrote:
> > 
> >> On 18 July 2017 at 02:12, Gerion Entrup <gerion.entrup.ff...@flump.de>
> >> wrote:
> >>> On Tuesday, 18 July 2017, 01:52:53 CEST, Reimar Döffinger wrote:
> >>>> On 18.07.2017, at 00:59, James Almer <jamr...@gmail.com> wrote:
> >>>> 
> >>>>> On 7/17/2017 7:49 PM, Moritz Barsnick wrote:
> >>>>>> On Mon, Jul 10, 2017 at 13:53:02 +0300, Boris Pek wrote:
> >>>>>>> Latest news about this topic:
> >>>>>>> https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/FKXe-76GO8Y
> >>>>>> 
> >>>>>> Ah, thanks, I neglected to report this, because I thought it was an
> >>>>>> issue with my Opera Developer (48), which uses the Chrome engine. Opera
> >>>>>> (like Chrome) recently reports ffmpeg.org's certificate as revoked, but
> >>>>>> I found no tool which could verify this...
> >>>>> 
> >>>>> The cert is by StartCom. Afaik everyone blacklisted certs issued by them
> >>>>> after a certain date, and now some, like Google, are also blacklisting
> >>>>> certs issued before that date as well.
> >>>>> Mozilla hasn't done the latter yet, so Firefox doesn't complain about
> >>>>> it, but I guess a new cert is overdue.
> >>>> 
> >>>> New certs are already being generated, but nobody had the time to do the
> >>>> transition, there is a risk of the automation failing
> >>>> (I think the web server needs to be made to reload the certificate,
> >>>> which is problematic as an ordinary user and there is no way I'd ever
> >>>> run any of that letsencrypt stuff as root),
> >>> This seems to work as cronjob:
> >>> ```
> >>> #!/bin/sh
> >>> 
> >>> su -c "certbot renew 2>/dev/null | grep 'No renewals' >/dev/null" letsencrypt -s /bin/bash
> >>> if [ $? -eq 1 ]; then
> >>>     service nginx reload
> >>> fi
> >>> ```
> > 
> > This is what scares me most: people running things as horrible as certbot
> > (written by people who think it is ok to download and install a compiler
> > without even asking before on a web server) AS ROOT.
> > These things have no reason to and should not be designed to run as root.
> > Anyway, the switch is done, but it might be good if at least one other
> > person monitors certificate validity, if it ever goes below 20 days
> > something went badly wrong.
> 
> Btw the comodo certificate Michael mentioned is a domain-validation
> certificate for 7x the price of what startcom asked for a personal validation
> certificate (which almost nobody else even offers, just for organizations).
> That's the CA system in a nutshell: highway robbery prices spiced with the
> laughable security track record you get for it.

7x makes me sad ...

btw trac.ffmpeg.org, trac.mplayerhq.hu, patchwork.ffmpeg.org are on 2
additional separate virtual boxes and seem to still use StartCom

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety -- Benjamin Franklin
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
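
The monitoring asked for in the thread (alert when remaining validity drops below 20 days), plus a flag for hosts still serving a StartCom-issued certificate, as an added example that is not code from the thread or from the FFmpeg project. The function names and the substring match on the issuer's organizationName are assumptions of this example.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

MIN_DAYS = 20                        # threshold named in the thread
DISTRUSTED_ISSUERS = ("startcom",)   # CA the thread reports browsers rejecting

def fetch_cert(host, port=443, timeout=10):
    """Fetch and validate the peer certificate; returns the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Issuer organizationName; 'issuer' is a tuple of RDNs of (name, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return ""

def evaluate(cert, now=None, min_days=MIN_DAYS):
    """Return a list of problems for one certificate dict (empty means OK)."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expiry - now).days
    problems = []
    if days_left < min_days:
        problems.append(f"{days_left} days of validity left, below {min_days}")
    org = issuer_org(cert)
    if any(ca in org.lower() for ca in DISTRUSTED_ISSUERS):
        problems.append(f"issued by {org}")
    return problems

def check_host(host):
    """A failed handshake (expired or untrusted chain) is itself reported."""
    try:
        return evaluate(fetch_cert(host))
    except (ssl.SSLError, OSError) as exc:
        return [f"TLS check failed: {exc}"]

if __name__ == "__main__":
    # Host names come from the command line; output appears only on problems.
    failures = [f"{h}: {p}" for h in sys.argv[1:] for p in check_host(h)]
    for line in failures:
        print(line)
    sys.exit(1 if failures else 0)
```

Run from an unprivileged account's crontab with the host names as arguments, it stays silent while every certificate is healthy, so any output is the alert.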