On 8/21/07, Natanael Copa <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I use the gentoo framework to build binary packages. I noticed that most
> packages create the ssl certificate during src_install(). This makes
> all binary packages contain the ssl certs, which is a security threat.
>
> The net-nds/openldap package has understood this and calls docert from
> pkg_postinst() and even includes this comment:
>
> # You cannot build SSL certificates during src_install that will make
> # binary packages containing your SSL key, which is both a security risk
> # and a misconfiguration if multiple machines use the same key and cert.
> # Additionally, it overwrites
>
> The net-im/ejabberd seems to create the ssl cert from another script.
>
> The vulnerable packages are:
>
> app-admin/conserver
> mail-mta/postfix
> net-analyzer/sguil-server
> net-firewall/nufw
> net-ftp/netkit-ftpd
> net-irc/ptlink-ircd
> net-irc/unrealircd
> net-mail/cyrus-imapd
> net-mail/cyrus-imspd
> net-mail/dovecot
> net-misc/stunnel
> net-nntp/inn
> www-servers/nginx
>
> Should I create a bug for every vulnerable package?
>
> From a binary packager's perspective I would really prefer to create the
> certs from the init.d script.
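As an added example (not from this thread and not part of Gentoo's tooling), here is a POSIX shell check that a binary-package builder could run before publishing a package: it extracts the archive and reports every file that carries a PEM private-key block, which is exactly what ends up in the package when a cert is generated during src_install. The archive layout, the helper names and the placeholder key and cert bodies are constructed assumptions; the example works on a plain tar archive, so the tar flags would need adjusting for a compressed package.

```shell
#!/bin/sh
# Added example, not from the thread and not Gentoo tooling: scan a built
# package archive for PEM private-key blocks before it is published.
# Assumes a POSIX shell with tar, find, grep, sed, sort and mktemp, and a
# plain uncompressed tar archive (real binary packages are usually
# compressed; adjust the tar flags accordingly).

KEY_PATTERN='-----BEGIN ([A-Z ]+ )?PRIVATE KEY-----'

# scan_package_for_keys ARCHIVE
# Prints the archive-relative path of every file containing a PEM private key.
# Returns 0 when clean, 1 when at least one key was found, 2 on extraction error.
scan_package_for_keys() {
    pkg=$1
    tmp=$(mktemp -d) || return 2
    if ! tar -xf "$pkg" -C "$tmp"; then
        rm -rf "$tmp"
        return 2
    fi
    # -e keeps grep from reading the pattern's leading dashes as an option.
    hits=$(find "$tmp" -type f -exec grep -lE -e "$KEY_PATTERN" {} + 2>/dev/null \
           | sed "s|^$tmp/||" | sort)
    rm -rf "$tmp"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# build_sample_package [with_key|clean]
# Constructs a throwaway package image and archives it; prints the archive path.
# "with_key" reproduces the mistake under discussion: a key created at build
# time is shipped inside the package. Key and cert bodies are placeholders,
# not real material.
build_sample_package() {
    mode=${1:-with_key}
    work=$(mktemp -d) || return 2
    mkdir -p "$work/image/etc/ssl/demo" "$work/image/etc/demo"
    printf 'listen = 443\n' > "$work/image/etc/demo/demo.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERT' \
        '-----END CERTIFICATE-----' > "$work/image/etc/ssl/demo/server.crt"
    if [ "$mode" = with_key ]; then
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' \
            '-----END RSA PRIVATE KEY-----' > "$work/image/etc/ssl/demo/server.key"
    fi
    tar -cf "$work/demo-1.0.tar" -C "$work/image" . || return 2
    printf '%s\n' "$work/demo-1.0.tar"
}

# Demo run: a package that shipped a build-time key fails the check.
demo_pkg=$(build_sample_package with_key)
scan_package_for_keys "$demo_pkg" \
    || echo "refusing to publish $demo_pkg: private key material inside"
```

The check deliberately flags private keys only: a certificate inside a package is the "same cert on every machine" misconfiguration the openldap comment mentions, but the key is what must never leave the build host. Wiring the scan into the packaging step as a hard failure is what turns the thread's observation into something a build farm enforces.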
Generating certs from init.d is a bad idea IMHO. It makes it way too easy to automatically generate new certs in the event that old ones are moved (if you are talking about the service starting, detecting no certs, generating some, then using them). I guess you could do like /etc/init.d/SERVICE certgen, but that too is probably a hack (not really what init scripts are for).

I personally would generate the certs on a trusted server/workstation and then push them to the machine post-install using slack or cfengine or puppet. I don't see why (in a generic package like a gentoo ebuild) you would do anything but create a generic cert 'so it works out of the box'. You are certainly entitled to edit the ebuild's postinst to do whatever :)

PS: I'll try to get to these tonight, you can just file a tracker bug for them.

> Thanks!
>
> Natanael Copa
>
> --
> [EMAIL PROTECTED] mailing list
>

--
[EMAIL PROTECTED] mailing list