> We started discussing this in January, but the thread died off without
> reaching conclusion:
> http://lists.alioth.debian.org/pipermail/pkg-shibboleth-devel/2010-January/001565.html
> I doubt we can do anything about this so close to release, but if at all
> possible, we should.
As per the o
> Don't you think it's kind of an openssl bug to create the key material
> with full permissions? Shouldn't it creat("keyfile", 0600)?
Would be nice I suppose.
> This aside, I'd recommend working around the issue by creating the key
> file beforehand with restricted permissions, and not touching
Actually, I think I was confusing your original umask fix with this
submitted patch:
https://bugs.internet2.edu/jira/browse/SSPCPP-281
That has a -u option for controlling the user, and I suppose having a group
option would make sense also.
It would help if folks could collaborate and suggest th
> Thank you for the offer! I think it's going to be a bit tricky for you to
> do something upstream that will also work in Debian without modifications,
> since you won't be able to rely on the group that we're creating as part
> of the package installation, so I suspect we should probably carry a
> Note that we can't just use umask 177 in the Debian version of this script
> since Debian runs shibd as a non-root user and then won't be able to read
> the certificate. For Debian, we should set the group ownership to the
> shibd user we create and make the file group-readable.
If there's a be
Faidon Liambotis wrote on 2009-10-08:
> Yes, I've verified that they work in my setup. As Scott said before,
> there are more than a dozen scenarios (literally!) and I'm not able to test
> each one of them. However, they work in the couple that I've tried and
> the fixes are with upstream's (Scott) ble
Florian Weimer wrote on 2009-10-07:
>> Scott and Russ, under which conditions did you see the specific opensaml
>> code to be inlined on shibboleth-sp2?
>
> Does shibboleth-sp2 create invoke a constructor of that class? Do the
> compiled binaries contain any reference to the vtable?
There are nu
Faidon Liambotis wrote on 2009-10-07:
> Scott and Russ, under which conditions did you see the specific opensaml
> code to be inlined on shibboleth-sp2?
The version of opensaml released on the Internet2 site, which is 2.2.1,
includes an inline version of the MetadataCredentialCriteria "matches" m
Florian Weimer wrote on 2009-10-07:
>> OK, will do. How should we handle the fact that the newer xmltooling is
>> breaking the "old" (as in, lenny) opensaml2/shibboleth-sp2?
>
> We could theoretically add a Conflicts: to a new upload of xmltooling,
> but this is unnecessary. We don't do this for
Russ Allbery wrote on 2009-10-06:
> Ack, I'm sorry. I didn't realize that, so yes, that will indeed be a
> problem.
Sorry, I didn't understand that the fixes were being published separately,
since I was reviewing them simultaneously.
As it stands, I see now that the advisory I wrote should mak
Faidon Liambotis wrote on 2009-10-06:
> I think the problem is in the following change:
> * SECURITY: Correctly honor the "use" attribute of SAML
> metadata to honor restrictions to signing or encryption. This is a
> partial fix; the complete fix also requires a new version of the
>
Russ Allbery wrote on 2009-06-10:
> http://marc.info/?t=9696307713&r=1&w=2 seems to point at this error
> being either a bug in how the OpenSSL routines are called or a bug in
> the certificate configuration. Since it works for you manually with
> curl, I suspect there's something different be