Moritz Muehlenhoff wrote:
> gforge
>
> ----- Forwarded message from Roland Mas <lolando@debian.org> -----
>
> The gforge-web-apache2 package in sid and lenny sets up the website
> with a dummy certificate if none is found existing. Users are then
> encouraged to replace it with a "real" one. The dummy certificate in
> question is the Snake Oil one, so it should already be known as a weak
> one (even without the SSL bug), but I guess at least some users accept
> it without a second thought. It would probably make sense to set up
> another certificate on new installs, but I'm not sure whether to
> replace old Snake Oil ones.
>
> ----- End forwarded message -----

I've edited this to the following, because speculation about what to do
didn't seem right for the key-rollover page.

<p>
The gforge-web-apache2 package in sid and lenny sets up the website with
a dummy certificate if no existing certificate is found. Users are then
encouraged to replace it with a "real" one. The dummy certificate in
question is the Snake Oil one, so it should already be known as a weak
one (even without the SSL bug), but some users may accept it without a
second thought.
</p>

It would be good to have some concrete instructions for the user though.
Also, if stable is not affected, we should say that explicitly.

--
see shy jo