[Ach] Config for Prosody XMPP server

Aaron Zauner azet at azet.org
Sun Apr 27 23:09:12 CEST 2014


Hi,

Jeroen Massar wrote:
> On 2014-04-27 16:36, Matthew Wild wrote:
> [..]
>> One big issue for us is that when people set their own cipher strings
>> they are permanently overriding, not complementing, our
>> carefully-chosen defaults. This means that if we provide a new release
>> with updated defaults, they will not benefit from this.
While I totally agree, the issue we faced last autumn was that most
software projects shipped insane default configurations, or the packages
for Linux distros did that for a given piece of software. This might
change and is - of course - not true for every software project out there.

> Maybe it is a good idea to have a section in the document that states
> something like:
> ----
>   We do not provide defaults for the following projects as their
>   developers are providing strict properly secure defaults for
>   their software out of the box.
> 
>   The following software and versions benefit from this.
> ---
The thing is - we do not always agree with upstream software devs - a
good example would be Firefox, although they seem to be working hard to
get proper security nowadays.

> 
> The only very extremely big problem with this is though that the version
> that is released by a project might not match at all the configuration
> defaults by a distribution....
> 
> Hence, I guess if something like the above would be added to the doc
> that the list should contain:
>   software name | version | url-of-page-which-describes-defaults
> 
> the latter then covers why those defaults are chosen etc.
> 
> Of course, the ACH project is then not 'responsible' (just like there is
> minimal responsibility in the rest of the doc) for failures of those
> settings...
We currently provide a list of compatibility with every recommendation
(as far as it's possible); see the "tested with" fields. I know that some
are missing, simply because people contributed stuff they never tested or
there has not been enough testing going on. Please contribute to that :)

Aaron
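As an added illustration of the override problem Matthew Wild describes above (this is not code from Prosody, from the ACH document or from anyone in this thread): once an admin pins a cipher string that wholly replaces the shipped default, a later release that adds or removes suites changes nothing for that deployment. The cipher lists below are constructed for the example and are not any Prosody release's real defaults; the "complement" mode is a hypothetical scheme invented here to contrast with replace semantics, not a Prosody feature.

```python
"""Added illustration (not Prosody's code nor part of the ACH document): why a
pinned cipher string silently diverges from updated upstream defaults, and
what a 'complement the defaults' override would look like instead.

All cipher lists here are constructed for the example; they are not the real
defaults of any Prosody release."""

from typing import Dict, List, Optional

# Constructed "release N" default, with a non-forward-secret CBC suite last.
OLD_DEFAULT: List[str] = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

# Constructed "release N+1" default: upstream added ChaCha20-Poly1305 and
# dropped the CBC suite. A deployment that pinned its own string sees neither.
NEW_DEFAULT: List[str] = [
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
]

# Constructed admin setting, pinned while release N was current.
ADMIN_PIN = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA"


def parse_cipher_string(spec: str) -> List[str]:
    """Split an OpenSSL-style colon-separated cipher string into tokens."""
    return [tok.strip() for tok in spec.split(":") if tok.strip()]


def effective_ciphers(default: List[str], override: Optional[str] = None,
                      mode: str = "replace") -> List[str]:
    """Compute the cipher list a server would actually use.

    mode="replace": the override, if present, wholly replaces the default
    (the semantics Matthew Wild describes for a user-supplied cipher string).
    mode="complement": a hypothetical scheme in which "!NAME" removes a suite
    from the current default and a bare NAME is appended only if missing, so
    upstream changes to the default still take effect after an upgrade.
    """
    if override is None:
        return list(default)
    tokens = parse_cipher_string(override)
    if mode == "replace":
        return tokens
    if mode != "complement":
        raise ValueError("mode must be 'replace' or 'complement'")
    result = list(default)
    for tok in tokens:
        if tok.startswith("!"):
            result = [c for c in result if c != tok[1:]]
        elif tok not in result:
            result.append(tok)
    return result


def drift_report(pinned: List[str],
                 current_default: List[str]) -> Dict[str, List[str]]:
    """Show what a pinned list misses relative to the current upstream default:
    suites upstream now offers that the pin never enables, and suites the pin
    still enables although upstream has dropped them."""
    return {
        "missing_new": [c for c in current_default if c not in pinned],
        "retained_dropped": [c for c in pinned if c not in current_default],
    }


if __name__ == "__main__":
    # Same pinned string before and after the upgrade: the new default is inert.
    used = effective_ciphers(NEW_DEFAULT, ADMIN_PIN)
    print("replace mode after upgrade still uses:", used)
    print("drift versus new default:", drift_report(used, NEW_DEFAULT))
    # Complement mode keeps upstream's additions and only applies the admin's delta.
    print("complement mode:", effective_ciphers(
        NEW_DEFAULT, "!DHE-RSA-AES128-GCM-SHA256", mode="complement"))
```

The drift report is the check worth running on a real deployment: diff the cipher list the server actually negotiates against what the current release would ship with no override, and treat a non-empty "retained_dropped" as a signal that the pin has outlived its reason.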

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140427/8ae04e90/attachment.sig>