chat.freenode.net #tryton log beginning Fri May 12 00:00:01 CEST 2017
2017-05-12 00:39 -!- nineinchnick(~jwas@109.231.19.93) has joined #tryton
2017-05-12 01:04 -!- nineinchnick(~jwas@109.231.19.93) has joined #tryton
2017-05-12 01:44 -!- JosDzG(~Thunderbi@189.250.99.119) has joined #tryton
2017-05-12 02:23 -!- csotelo(~csotelo@2001:1388:49c4:4f41:9332:92db:5529:247) has joined #tryton
2017-05-12 02:43 -!- JosDzG(~Thunderbi@189.250.99.119) has joined #tryton
2017-05-12 02:46 -!- JosDzG(~Thunderbi@189.250.99.119) has joined #tryton
2017-05-12 03:07 -!- csotelo(~csotelo@2001:1388:49c4:6280:45de:b59b:b457:1437) has joined #tryton
2017-05-12 05:04 -!- VaticanCameos(~VaticanCa@171.61.153.190) has joined #tryton
2017-05-12 05:16 -!- VaticanCameos(~VaticanCa@171.61.153.190) has joined #tryton
2017-05-12 05:51 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
2017-05-12 06:04 -!- thaneor1(~ldlc6@179.26.153.56) has joined #tryton
2017-05-12 06:42 -!- semarie(~semarie@unaffiliated/semarie) has joined #tryton
2017-05-12 06:49 -!- VaticanCameos(~VaticanCa@171.61.153.190) has joined #tryton
2017-05-12 07:23 -!- Timitos(~kpreisler@host-88-217-184-172.customer.m-online.net) has joined #tryton
2017-05-12 07:37 -!- dj_xatra(~dj_xatra@217.166.83.130) has joined #tryton
2017-05-12 08:12 -!- xcodinas(~xcodinas@5.134.115.102) has joined #tryton
2017-05-12 08:22 -!- xcodinas(~xcodinas@5.134.115.102) has joined #tryton
2017-05-12 08:59 -!- mrichez(~smuxi@mail.saluc.com) has joined #tryton
2017-05-12 09:02 -!- cedk(~ced@gentoo/developer/cedk) has joined #tryton
2017-05-12 09:04 -!- rpit(~rpit@2a02:908:e672:7480:56ee:75ff:fe0d:d3c7) has joined #tryton
2017-05-12 09:19 -!- dmollerm(~dmollerm@170.red-80-28-119.adsl.static.ccgg.telefonica.net) has joined #tryton
2017-05-12 09:29 -!- VaticanCameos(~VaticanCa@223.190.122.254) has joined #tryton
2017-05-12 09:36 <sisalp> hello, I find a drawback to new certificate policy of the client : With let's encrypt you must expose trytond to the internet to get/renew a certificate.
2017-05-12 09:39 <Timitos> sisalp: you are not forced to use letsencrypt. you can use any certification authority you want
2017-05-12 09:42 <dmollerm> sisalp: and afaik, you can still autosign your certificate and install it in the client machines
2017-05-12 09:44 <sisalp> dmollerm: I'm not aware, can you tell me more ?
2017-05-12 09:45 <sisalp> Timitos: With most providers, I cannot automate the setup.
2017-05-12 09:46 <Timitos> sisalp: you only need to expose the domain to the internet to get the letsencrypt certificate. but there is no need to expose the trytond
2017-05-12 09:47 <dmollerm> sisalp: https://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list
2017-05-12 09:49 <dmollerm> sisalp: this can be achieved in Windows and Mac clients as well. A tryton>=4.4 client should recognize a system CA, but I haven't tried this out yet.
2017-05-12 09:49 <sisalp> Timitos: correct, but I have some homework to understand how I can.
2017-05-12 09:52 <dmollerm> sisalp: indeed all this is very interesting, but I usually require the aid of sysadmins/devops to get the SSL certs in place
2017-05-12 09:57 <sisalp> dmollerm: Thank you. I had a look, it is too complex to ask every user to setup his pc.
2017-05-12 10:03 <pokoli> sisalp: have you thought about exposing an nginx proxy in front of trytond?
2017-05-12 10:04 <pokoli> sisalp: the nginx proxy will be responsible for managing ssl certificates and static files
2017-05-12 10:04 <sisalp> pokoli: why nginx ?
2017-05-12 10:04 <pokoli> sisalp: because letsencrypt can automatically renew certificates with letsencrypt
2017-05-12 10:05 <pokoli> last letsencrypt should be nginx, sorry
2017-05-12 10:05 <sisalp> pokoli: it does well with apache too
2017-05-12 10:05 <pokoli> sisalp: You can use apache if you prefer also
2017-05-12 10:06 <sisalp> pokoli: I do, but my problem is at client level
2017-05-12 10:07 <sisalp> pokoli: regarding Timitos, the way to ask a cert on the web and then serve clients on the lan is not yet clear for me.
2017-05-12 10:08 <pokoli> sisalp: but once you have a verified CA (which is the case with letsencrypt) then you don't have any problem in client level
2017-05-12 10:08 <pokoli> sisalp: can you explain a little bit how is your setup? especially the lan part
2017-05-12 10:10 <sisalp> pokoli: right now I have no working setup able 1) to deliver services automatically 2) to keep trytond private on a LAN.
2017-05-12 10:14 <sisalp> pokoli: regarding the lan I have a real case : The lan is simulated between containers behind a firewall. I also think a customer may ask for a LAN only solution and I may be in trouble, but I don't have this case.
2017-05-12 10:16 <Timitos> sisalp: for the lan scenario i would prefer not to use a letsencrypt cert and if necessary stick with a manual solution
2017-05-12 10:18 <pokoli> sisalp: if the lan is simulated you should get a certificate for the public domain
2017-05-12 10:19 <sisalp> Timitos: Unfortunately manual is not an option for me. I may limit the use to sao, but it is a pity.
2017-05-12 10:19 <pokoli> sisalp: and for lan, then it makes sense to install custom ca to clients. As you are supposed to control all the machines connecting
2017-05-12 10:20 <pokoli> sisalp: instead of limiting, you can provide advice on how to install CA
2017-05-12 10:20 <dmollerm> sisalp: for a LAN-only scenario, if the server domain name is not public, you are forced to self-signed certs or to drop SSL altogether
2017-05-12 10:23 <dmollerm> sisalp: but if the server name domain actually exists and you can require your DNS provider to point it anywhere you can still get your certs signed by any public CA while keeping the actual trytond server on the LAN
2017-05-12 10:28 <sisalp> As a consequence, I'm figuring out what are the sao limitations today compared to Tryton client.
2017-05-12 10:32 <sisalp> dmollerm: if I close access from the WEB, I think, I won't get let's encrypt certificates.
2017-05-12 10:34 <cedk> sisalp: but sao will require exactly the same constraint against certificate
2017-05-12 10:35 <cedk> sisalp: browsers require valid SSL certificate
2017-05-12 10:36 -!- nicoe(~nicoe@85.201.184.151) has joined #tryton
2017-05-12 10:36 <sisalp> cedk: mine doesn't. Up to now my firefox proposes a security exception.
2017-05-12 10:37 <pokoli> sisalp: because the CA used to sign the certificate is not trusted
2017-05-12 10:37 <cedk> sisalp: you can not rely on people skipping security exception
2017-05-12 10:37 <cedk> sisalp: it is the same as if you had no SSL
2017-05-12 10:38 <sisalp> cedk: do you really mean it ?
2017-05-12 10:38 <semarie> it is more a kind of opportunistic encryption than no encryption. mitm is possible, but passive monitoring isn't
2017-05-12 10:39 <dmollerm> sisalp: if you teach your users to accept SSL exceptions, they will do so in an eventual MITM attack/domain hijack, which is the whole thing SSL tries to save you from
2017-05-12 10:39 <sisalp> semarie: what is mitm ?
2017-05-12 10:39 <semarie> Man-In-The-Middle
2017-05-12 10:39 <sisalp> man in the middle, sorry
2017-05-12 10:40 <cedk> sisalp: for me, your best solution will be to use a SSL proxy for all your installations
2017-05-12 10:40 <cedk> sisalp: with probably a wildcard domain name
2017-05-12 10:41 <sisalp> regarding man-in-the-middle, we have the same problem with ssh first connection
2017-05-12 10:42 <cedk> sisalp: no the hostname of the SSL certificate is checked
2017-05-12 10:43 <cedk> at Gandi a wildcard certificate is at 120€/year: https://www.gandi.net/ssl
2017-05-12 10:44 <cedk> I guess letsencrypt forced them to reduce their prices
2017-05-12 10:47 <sisalp> cedk: what do you mean by "the hostname of the SSL certificate is checked" ?
2017-05-12 10:49 <cedk> sisalp: the hostname of the connection is checked to match the CN's of the certificate
2017-05-12 10:50 <sisalp> cedk: you mean with ssh ?
2017-05-12 10:50 <cedk> sisalp: otherwise anybody with a signed certificate could behave as anybody
2017-05-12 10:50 <cedk> sisalp: I do not understand what ssh has to do here
2017-05-12 10:52 <sisalp> cedk: because I mentioned the case of MITM with ssh, and you answered "the hostname of the SSL certificate is checked"
2017-05-12 10:53 <cedk> sisalp: ha you talked about ssh, I thought you talked about ssl
2017-05-12 10:53 <sisalp> cedk: ;-)
2017-05-12 10:56 <cedk> sisalp: so yes it is like for standard ssh
2017-05-12 10:57 <sisalp> cedk: wildcard certificate is a possibility if I enforce a single domain name to everybody. I'm afraid these certs are "single level", I mean you can have toto.domain.com, but not titi.toto.domain.com
2017-05-12 10:57 <cedk> sisalp: but it is worse because ssh is used by trained people while browser is used by everybody
2017-05-12 10:58 <cedk> sisalp: wildcard is wildcard so it is as deep as you want
2017-05-12 10:58 <semarie> cedk: it seems to me that *.example.com will work only for one level.
2017-05-12 10:59 -!- Telesight(~anthony@4dae0c97.ftth.telfortglasvezel.nl) has joined #tryton
2017-05-12 11:02 <cedk> indeed https://en.wikipedia.org/wiki/Wildcard_certificate
2017-05-12 11:08 <cedk> but you do not really need deeper hostname for hosting service
2017-05-12 11:09 <cedk> if it is enough for google with appspot.com, it should also be for you :-)
2017-05-12 11:40 <sisalp> cedk: I think I need a * cert per IP, because *.toto.domain.com and *.tata.domain.com go to different IPs.
2017-05-12 11:41 <cedk> sisalp: you can share the certificate
2017-05-12 11:44 <sisalp> cedk: maybe, but not all servers are under my exclusive control.
2017-05-12 11:45 <sisalp> Thank you all for your inputs, will figure out what is best to open free subscriptions to Tryton 4.4 as soon as possible.
2017-05-12 12:09 <sisalp> hi, another question : I don't find the upload menu to update a document .odt model. Do you know where it sits ?
2017-05-12 12:12 <cedk> sisalp: you mean a report?
2017-05-12 12:14 <sisalp> cedk: invoice for example
2017-05-12 12:16 <cedk> sisalp: in administration > UI > action > report
2017-05-12 12:19 <sisalp> cedk: on content field, I get 4 icons. Select/Open/save as and erase (in french)
2017-05-12 12:20 <sisalp> cedk: Open opens LibreOffice. Do I edit the document directly on the server ?
2017-05-12 12:21 <sisalp> cedk: Is Select an upload function ?
2017-05-12 12:22 <cedk> sisalp: yes select is to set the value of the field
2017-05-12 12:23 <sisalp> cedk: so I save it to download it, then edit it locally, then Select to upload it, right ?
2017-05-12 12:24 <sisalp> cedk: and so my invoice is modified for this database.
2017-05-12 12:25 <sisalp> And what is the use of Open ? It seems to download in /tmp and edit. Correct ?
2017-05-12 12:26 <cedk> sisalp: yes
2017-05-12 12:28 <cedk> sisalp: the client can not detect when the edition is done so it can not automatically update the field
2017-05-12 12:28 <cedk> sisalp: or it will have to be blocked until the edition is done
2017-05-12 12:29 <sisalp> cedk: excellent. and it looks the same on sao.
2017-05-12 12:30 <sisalp> cedk: by the way "print directly" means "get pdf" ?
2017-05-12 12:34 <cedk> sisalp: no it means it is sent to the printer
2017-05-12 12:37 <sisalp> cedk: so I choose pdf in extension model if I want it as pdf
2017-05-12 12:39 <sisalp> cedk: even if I prefer the client, it seems to me that sao has reached up to the client level in terms of capabilities.
2017-05-12 12:40 <pokoli> sisalp: there are still some minor features missing
2017-05-12 12:40 <pokoli> sisalp: for example, right click menu on relation fields and tree views
2017-05-12 12:55 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
2017-05-12 13:03 -!- mariomop(~quassel@host73.181-10-43.telecom.net.ar) has joined #tryton
2017-05-12 13:06 <sisalp> pokoli: Thank you. All the functions of the product are operational with sao. It may do the trick until I revisit the client connectivity aspect.
2017-05-12 14:52 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
2017-05-12 15:35 -!- smarro(~sebastian@181.16.7.104) has joined #tryton
2017-05-12 16:15 -!- csotelo_at_work(~csotelo@179.43.99.44) has joined #tryton
2017-05-12 16:23 <csotelo_at_work> hello coders
2017-05-12 16:24 <csotelo_at_work> cedk, I have a question related to the tryton icon
2017-05-12 16:24 <csotelo_at_work> could I use it for icon for slack local team ??
2017-05-12 16:26 <cedk> csotelo_at_work: for me, I see no problem as far as it is in relation with Tryton
2017-05-12 16:27 <csotelo_at_work> thanks
2017-05-12 16:28 <csotelo_at_work> and yes, I would use it just for bitbucket for free and open source local peruvian modules and a possible slack channel if I could get other people or users connect to it
2017-05-12 16:30 <csotelo_at_work> I have modules locate slike account_invoice_pe, account_pe, party_pe, currency_sunat_pe
2017-05-12 16:30 <csotelo_at_work> that are free and open source
2017-05-12 16:32 <cedk> csotelo_at_work: still ok as far as you do not try to impersonate the Tryton project
2017-05-12 16:34 <csotelo_at_work> cedk, definitely I wouldn't do that
2017-05-12 16:34 <csotelo_at_work> I am just looking to improve peruvian locale modules for tryton
2017-05-12 16:44 <cedk> csotelo_at_work: I do not doubt ;-) just telling the rules
2017-05-12 16:45 <csotelo_at_work> of course :)
2017-05-12 17:20 <csotelo_at_work> I was looking on before days for contribute as coder on the main project and modules. However in my first attempt it was very hard, even though I have a degree in computer science and some years already working as a coder and now as a Project Manager, I found it not easy to understand some work flows or tickets, I hope to be able to contribute later and be part of it :)
2017-05-12 17:25 -!- kstenger(~karla@r186-54-24-97.dialup.adsl.anteldata.net.uy) has joined #tryton
2017-05-12 17:57 -!- JosDzG(~Thunderbi@189.250.43.248) has joined #tryton
2017-05-12 18:02 <pokoli> csotelo_at_work: feel free to ask here (or in ML) the workflows that you don't understand
2017-05-12 18:03 <csotelo_at_work> pokoli, thanks!!!
2017-05-12 18:06 -!- thaneor(~ldlc6@179.26.119.197) has joined #tryton
2017-05-12 18:21 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
2017-05-12 19:19 -!- Telesight(~anthony@4dae0c97.ftth.telfortglasvezel.nl) has joined #tryton
2017-05-12 20:03 -!- thaneor(~ldlc6@179.26.119.197) has joined #tryton
2017-05-12 20:04 -!- kstenger1(~karla@r190-133-246-124.dialup.adsl.anteldata.net.uy) has joined #tryton
2017-05-12 20:55 -!- JosDzG(~Thunderbi@189.250.43.248) has joined #tryton
2017-05-12 21:06 -!- JosDzG(~Thunderbi@189.250.43.248) has joined #tryton
2017-05-12 22:00 -!- semarie(~semarie@unaffiliated/semarie) has joined #tryton
2017-05-12 22:03 -!- smarro(~sebastian@181.16.7.104) has joined #tryton
2017-05-12 23:47 -!- csotelo_at_work(~csotelo@190.42.17.12) has joined #tryton