[Ach] Config for Prosody XMPP server

Jeroen Massar jeroen at massar.ch
Sun Apr 27 16:44:26 CEST 2014


On 2014-04-27 16:36, Matthew Wild wrote:
[..]
> One big issue for us is that when people set their own cipher strings
> they are permanently overriding, not complementing, our
> carefully-chosen defaults. This means that if we provide a new release
> with updated defaults, they will not benefit from this.

You bring up a very good point.

Maybe it is a good idea to have a section in the document that states
something like:
----
  We do not provide defaults for the following projects as their
  developers are providing strict properly secure defaults for
  their software out of the box.

  The following software and versions benefit from this.
----

The only very extremely big problem with this, though, is that the version
that is released by a project might not match at all the configuration
defaults by a distribution...

Hence, I guess that if something like the above were added to the doc,
the list should contain:
  software name | version | url-of-page-which-describes-defaults

the latter then covers why those defaults are chosen etc.

Of course, the ACH project is then not 'responsible' (just like there is
minimal responsibility in the rest of the doc) for failures of those
settings...

Greets,
 Jeroen



