
what are the public/private keys used for? #149

Open
pjfanning opened this issue Jun 23, 2024 · 2 comments

Comments

@pjfanning

Shouldn't these files be generated uniquely by the build as opposed to having hardcoded files checked in?
Couldn't it be a security issue if someone deploys your app and uses these keys or certs?

It is not ideal to include any binary files in a release of an Apache project. Reviewers will find them and start asking why they are there. You cannot include compiled artifacts in a source release so ASF contributors are looking for binary files to see if there is anything untoward.

./scripts/deploy/data/cert/node6.key.key.pri
./scripts/deploy/data/cert/node6.key.key.pub
./scripts/deploy/data/cert/node6.key.pri
./scripts/deploy/data/cert/node6.key.pub
./scripts/deploy/data/cert/node7.key.key.pri
./scripts/deploy/data/cert/node7.key.key.pub
./scripts/deploy/data/cert/node7.key.pri
./scripts/deploy/data/cert/node7.key.pub
./scripts/deploy/data/cert/node8.key.key.pri
./scripts/deploy/data/cert/node8.key.key.pub
./scripts/deploy/data/cert/node8.key.pri
./scripts/deploy/data/cert/node8.key.pub
./scripts/deploy/data/cert/node9.key.key.pri
./scripts/deploy/data/cert/node9.key.key.pub
./scripts/deploy/data/cert/node9.key.pri
./scripts/deploy/data/cert/node9.key.pub
./service/tools/data/cert/node6.key.key.pri
./service/tools/data/cert/node6.key.key.pub
./service/tools/data/cert/node6.key.pri
./service/tools/data/cert/node6.key.pub
./service/tools/data/cert/node7.key.key.pri
./service/tools/data/cert/node7.key.key.pub
./service/tools/data/cert/node7.key.pri
./service/tools/data/cert/node7.key.pub
./service/tools/data/cert/node8.key.key.pri
./service/tools/data/cert/node8.key.key.pub
./service/tools/data/cert/node8.key.pri
./service/tools/data/cert/node8.key.pub
./service/tools/data/cert/node9.key.key.pri
./service/tools/data/cert/node9.key.key.pub
./service/tools/data/cert/node9.key.pri
./service/tools/data/cert/node9.key.pub
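The list above is what a release reviewer ends up assembling by hand. As an added example (not code from the ResilientDB project or from this issue), the script below automates that check over an unpacked source tree: it flags files by name, using the `.pri`/`.pub` naming seen in the list plus an assumed set of common key/cert extensions, and by content, catching any file that starts with a PEM private-key header even if it has been renamed. The sample tree it builds is constructed for the demo and contains no real keys.

```python
"""Scan an unpacked source release for shipped key material.

Added example, not code from the ResilientDB project or from this issue. It
flags files two ways: by name (the .pri/.pub naming from the issue plus common
key/cert extensions, an assumed list) and by content (a PEM private-key
header at the start of the file, so a renamed key is still caught). The sample
tree built by build_sample_tree() is constructed for the demo and contains no
real keys.
"""
import os
import tempfile

# Name-based signal. ".pri"/".pub" come from the filenames in the issue; the
# rest are conventional key/cert extensions (assumed list, extend as needed).
KEY_EXTENSIONS = (".pri", ".pub", ".pem", ".key", ".p12", ".pfx", ".jks")

# Content-based signal: PEM-encoded private keys begin with one of these.
PEM_PRIVATE_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)


def classify(path):
    """Return the reasons a file looks like key material (empty list if none)."""
    reasons = []
    if path.lower().endswith(KEY_EXTENSIONS):
        reasons.append("key-like filename")
    with open(path, "rb") as fh:
        head = fh.read(64)  # the PEM header always sits at the very start
    if head.lstrip().startswith(PEM_PRIVATE_MARKERS):
        reasons.append("PEM private key header")
    return reasons


def find_key_material(root):
    """Walk root and return sorted (relative path, reasons) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed mini source tree that mirrors the issue's layout."""
    samples = {
        # Looks like the files listed in the issue: opaque bytes, key-like name.
        "scripts/deploy/data/cert/node6.key.pri": b"\x30\x82\x01\x00constructed-not-a-key",
        "scripts/deploy/data/cert/node6.key.pub": b"\x30\x82\x00\x80constructed-not-a-key",
        # Renamed so the extension check misses it, but the PEM header still
        # gives it away.
        "service/tools/misnamed.txt": (
            b"-----BEGIN EC PRIVATE KEY-----\n"
            b"CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n"
            b"-----END EC PRIVATE KEY-----\n"
        ),
        # Ordinary source file: must not be flagged.
        "README.md": b"# constructed project\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_key_material(tmp)


if __name__ == "__main__":
    # On a real release: find_key_material("/path/to/unpacked-src-release")
    for rel, reasons in demo():
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the directory an `apache-*-src.tar.gz` unpacks into; a non-empty result is a reason to block the release candidate until the files are removed and regenerated by the deploy tooling instead. The name check alone would miss a key that has been renamed, which is why the content check is there as well.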
@cjcchen
Contributor

cjcchen commented Oct 6, 2024

Hi pjfanning

These are not hardcoded files. The binary is generated by the BUILD files.
The keys will be generated when you deploy the application using the deploy tools. Each time you deploy the application, it will use different pub/pri keys.

@pjfanning
Author

@cjcchen those files are in the apache-resilientdb-1.10.0-incubating-src.tar.gz

They should not appear in this file. We should not be shipping keys in ASF source releases.
