incubator-resilientdb icon indicating copy to clipboard operation
incubator-resilientdb copied to clipboard
verified publisher icon apache

what are the public/private keys used for?

Open pjfanning opened this issue 1 year ago • 2 comments

Shouldn't these files be generated uniquely by the build as opposed to having hardcoded files checked in. Couldn't it be a security issue if someone deploys your app and uses these keys or certs?

It is not ideal to include any binary files in a release of an Apache project. Reviewers will find them and start asking why they are there. You cannot include compiled artifacts in a source release so ASF contributors are looking for binary files to see if there is anything untoward.

./scripts/deploy/data/cert/node6.key.key.pri
./scripts/deploy/data/cert/node6.key.key.pub
./scripts/deploy/data/cert/node6.key.pri
./scripts/deploy/data/cert/node6.key.pub
./scripts/deploy/data/cert/node7.key.key.pri
./scripts/deploy/data/cert/node7.key.key.pub
./scripts/deploy/data/cert/node7.key.pri
./scripts/deploy/data/cert/node7.key.pub
./scripts/deploy/data/cert/node8.key.key.pri
./scripts/deploy/data/cert/node8.key.key.pub
./scripts/deploy/data/cert/node8.key.pri
./scripts/deploy/data/cert/node8.key.pub
./scripts/deploy/data/cert/node9.key.key.pri
./scripts/deploy/data/cert/node9.key.key.pub
./scripts/deploy/data/cert/node9.key.pri
./scripts/deploy/data/cert/node9.key.pub
./service/tools/data/cert/node6.key.key.pri
./service/tools/data/cert/node6.key.key.pub
./service/tools/data/cert/node6.key.pri
./service/tools/data/cert/node6.key.pub
./service/tools/data/cert/node7.key.key.pri
./service/tools/data/cert/node7.key.key.pub
./service/tools/data/cert/node7.key.pri
./service/tools/data/cert/node7.key.pub
./service/tools/data/cert/node8.key.key.pri
./service/tools/data/cert/node8.key.key.pub
./service/tools/data/cert/node8.key.pri
./service/tools/data/cert/node8.key.pub
./service/tools/data/cert/node9.key.key.pri
./service/tools/data/cert/node9.key.key.pub
./service/tools/data/cert/node9.key.pri
./service/tools/data/cert/node9.key.pub

pjfanning avatar Jun 23 '24 22:06 pjfanning

Hi pjfanning

This is not hardcoded files. The binary is generated by the BUILD files. The keys will be generated when you deploy the application using the deploy tools. Each time you deploy the application, it will use different pub/pri keys.

cjcchen avatar Oct 06 '24 19:10 cjcchen

@cjcchen those files are in the apache-resilientdb-1.10.0-incubating-src.tar.gz

They should not appear in this file. We should not be shipping keys in ASF source releases.

pjfanning avatar Oct 06 '24 19:10 pjfanning

Already be removed in the new release.

cjcchen avatar Oct 15 '25 02:10 cjcchen