IRC logs of #tryton for Friday, 2017-05-12

chat.freenode.net #tryton log beginning Fri May 12 00:00:01 CEST 2017
00:39 -!- nineinchnick(~jwas@109.231.19.93) has joined #tryton
01:04 -!- nineinchnick(~jwas@109.231.19.93) has joined #tryton
01:44 -!- JosDzG(~Thunderbi@189.250.99.119) has joined #tryton
02:23 -!- csotelo(~csotelo@2001:1388:49c4:4f41:9332:92db:5529:247) has joined #tryton
02:43 -!- JosDzG(~Thunderbi@189.250.99.119) has joined #tryton
02:46 -!- JosDzG(~Thunderbi@189.250.99.119) has joined #tryton
03:07 -!- csotelo(~csotelo@2001:1388:49c4:6280:45de:b59b:b457:1437) has joined #tryton
05:04 -!- VaticanCameos(~VaticanCa@171.61.153.190) has joined #tryton
05:16 -!- VaticanCameos(~VaticanCa@171.61.153.190) has joined #tryton
05:51 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
06:04 -!- thaneor1(~ldlc6@179.26.153.56) has joined #tryton
06:42 -!- semarie(~semarie@unaffiliated/semarie) has joined #tryton
06:49 -!- VaticanCameos(~VaticanCa@171.61.153.190) has joined #tryton
07:23 -!- Timitos(~kpreisler@host-88-217-184-172.customer.m-online.net) has joined #tryton
07:37 -!- dj_xatra(~dj_xatra@217.166.83.130) has joined #tryton
08:12 -!- xcodinas(~xcodinas@5.134.115.102) has joined #tryton
08:22 -!- xcodinas(~xcodinas@5.134.115.102) has joined #tryton
08:59 -!- mrichez(~smuxi@mail.saluc.com) has joined #tryton
09:02 -!- cedk(~ced@gentoo/developer/cedk) has joined #tryton
09:04 -!- rpit(~rpit@2a02:908:e672:7480:56ee:75ff:fe0d:d3c7) has joined #tryton
09:19 -!- dmollerm(~dmollerm@170.red-80-28-119.adsl.static.ccgg.telefonica.net) has joined #tryton
09:29 -!- VaticanCameos(~VaticanCa@223.190.122.254) has joined #tryton
09:36 <sisalp> hello, I find a drawback to the new certificate policy of the client: with Let's Encrypt you must expose trytond to the internet to get/renew a certificate.
09:39 <Timitos> sisalp: you are not forced to use Let's Encrypt. You can use any certification authority you want.
09:42 <dmollerm> sisalp: and afaik, you can still self-sign your certificate and install it on the client machines.
09:44 <sisalp> dmollerm: I'm not aware, can you tell me more?
09:45 <sisalp> Timitos: with most providers, I cannot automate the setup.
09:46 <Timitos> sisalp: you only need to expose the domain to the internet to get the Let's Encrypt certificate, but there is no need to expose trytond.
09:47 <dmollerm> sisalp: https://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list
09:49 <dmollerm> sisalp: this can be achieved on Windows and Mac clients as well. A Tryton >= 4.4 client should recognize a system CA, but I haven't tried this out yet.
09:49 <sisalp> Timitos: correct, but I have some homework to understand how I can.
09:52 <dmollerm> sisalp: indeed all this is very interesting, but I usually require the aid of sysadmins/devops to get the SSL certs in place.
09:57 <sisalp> dmollerm: thank you. I had a look, it is too complex to ask every user to set up his PC.
10:03 <pokoli> sisalp: have you thought about exposing an nginx proxy in front of trytond?
10:04 <pokoli> sisalp: the nginx proxy will be responsible for managing SSL certificates and static files.
10:04 <sisalp> pokoli: why nginx?
10:04 <pokoli> sisalp: because letsencrypt can automatically renew certificates with letsencrypt
10:05 <pokoli> the last "letsencrypt" should be nginx, sorry
10:05 <sisalp> pokoli: it does well with Apache too.
10:05 <pokoli> sisalp: you can use Apache if you prefer also.
10:06 <sisalp> pokoli: I do, but my problem is at the client level.
10:07 <sisalp> pokoli: regarding Timitos, the way to ask for a cert on the web and then serve clients on the LAN is not yet clear to me.
10:08 <pokoli> sisalp: but once you have a verified CA (which is the case with Let's Encrypt) then you don't have any problem at the client level.
10:08 <pokoli> sisalp: can you explain a little bit how your setup is? Especially the LAN part.
10:10 <sisalp> pokoli: right now I have no working setup able 1) to deliver services automatically 2) to keep trytond private on a LAN.
10:14 <sisalp> pokoli: regarding the LAN I have a real case: the LAN is simulated between containers behind a firewall. I also think a customer may ask for a LAN-only solution and I may be in trouble, but I don't have this case.
10:16 <Timitos> sisalp: for the LAN scenario I would prefer not to use a Let's Encrypt cert and if necessary stick with a manual solution.
10:18 <pokoli> sisalp: if the LAN is simulated you should get a certificate for the public domain.
10:19 <sisalp> Timitos: unfortunately manual is not an option for me. I may limit the use to sao, but it is a pity.
10:19 <pokoli> sisalp: and for the LAN, then it makes sense to install a custom CA on the clients, as you are supposed to control all the machines connecting.
10:20 <pokoli> sisalp: instead of limiting, you can provide advice on how to install the CA.
10:20 <dmollerm> sisalp: for a LAN-only scenario, if the server domain name is not public, you are forced to use self-signed certs or to drop SSL altogether.
10:23 <dmollerm> sisalp: but if the server domain name actually exists and you can require your DNS provider to point it anywhere, you can still get your certs signed by any public CA while keeping the actual trytond server on the LAN.
10:28 <sisalp> as a consequence, I'm figuring out what the sao limitations are today compared to the Tryton client.
10:32 <sisalp> dmollerm: if I close access from the web, I think I won't get Let's Encrypt certificates.
10:34 <cedk> sisalp: but sao will require exactly the same constraint regarding the certificate.
10:35 <cedk> sisalp: browsers require a valid SSL certificate.
10:36 -!- nicoe(~nicoe@85.201.184.151) has joined #tryton
10:36 <sisalp> cedk: mine doesn't. Up to now my Firefox proposes a security exception.
10:37 <pokoli> sisalp: because the CA used to sign the certificate is not trusted.
10:37 <cedk> sisalp: you cannot rely on people skipping the security exception.
10:37 <cedk> sisalp: it is the same as if you had no SSL.
10:38 <sisalp> cedk: do you really mean it?
10:38 <semarie> it is more a kind of opportunistic encryption than no encryption. MITM is possible, but passive monitoring isn't.
10:39 <dmollerm> sisalp: if you teach your users to accept SSL exceptions, they will do so in an eventual MITM attack/domain hijack, which is the whole thing SSL tries to save you from.
10:39 <sisalp> semarie: what is MITM?
10:39 <semarie> Man-In-The-Middle
10:39 <sisalp> man in the middle, sorry
10:40 <cedk> sisalp: for me, your best solution will be to use an SSL proxy for all your installations.
10:40 <cedk> sisalp: with probably a wildcard domain name.
10:41 <sisalp> regarding man-in-the-middle, we have the same problem with the ssh first connection.
10:42 <cedk> sisalp: no, the hostname of the SSL certificate is checked.
10:43 <cedk> at Gandi a wildcard certificate is 120€/year: https://www.gandi.net/ssl
10:44 <cedk> I guess Let's Encrypt forced them to reduce their prices.
10:47 <sisalp> cedk: what do you mean by "the hostname of the SSL certificate is checked"?
10:49 <cedk> sisalp: the hostname of the connection is checked to match the CN of the certificate.
10:50 <sisalp> cedk: you mean with ssh?
10:50 <cedk> sisalp: otherwise anybody with a signed certificate could behave as anybody.
10:50 <cedk> sisalp: I do not understand what ssh has to do here.
10:52 <sisalp> cedk: because I mentioned the case of MITM with ssh, and you answered "the hostname of the SSL certificate is checked".
10:53 <cedk> sisalp: ha, you talked about ssh, I thought you talked about SSL.
10:53 <sisalp> cedk: ;-)
10:56 <cedk> sisalp: so yes, it is like for standard ssh.
10:57 <sisalp> cedk: a wildcard certificate is a possibility if I enforce a single domain name on everybody. I'm afraid these certs are "single level", I mean you can have toto.domain.com, but not titi.toto.domain.com.
10:57 <cedk> sisalp: but it is worse because ssh is used by trained people while the browser is used by everybody.
10:58 <cedk> sisalp: wildcard is wildcard, so it is as deep as you want.
10:58 <semarie> cedk: it seems to me that *.example.com will work only for one level.
10:59 -!- Telesight(~anthony@4dae0c97.ftth.telfortglasvezel.nl) has joined #tryton
11:02 <cedk> indeed https://en.wikipedia.org/wiki/Wildcard_certificate
11:08 <cedk> but you do not really need deeper hostnames for a hosting service.
11:09 <cedk> if it is enough for Google with appspot.com, it should also be for you :-)
11:40 <sisalp> cedk: I think I need a * cert per IP, because *.toto.domain.com and *.tata.domain.com go to different IPs.
11:41 <cedk> sisalp: you can share the certificate.
11:44 <sisalp> cedk: maybe, but not all servers are under my exclusive control.
11:45 <sisalp> thank you all for your inputs, I will figure out what is best to open free subscriptions to Tryton 4.4 as soon as possible.
12:09 <sisalp> hi, another question: I don't find the upload menu to update a document .odt model. Do you know where it sits?
12:12 <cedk> sisalp: you mean a report?
12:14 <sisalp> cedk: invoice for example
12:16 <cedk> sisalp: in Administration > UI > Action > Report
12:19 <sisalp> cedk: on the content field, I get 4 icons: Select/Open/Save as and Erase (in French).
12:20 <sisalp> cedk: Open opens LibreOffice. Do I edit the document directly on the server?
12:21 <sisalp> cedk: is Select an upload function?
12:22 <cedk> sisalp: yes, Select is to set the value of the field.
12:23 <sisalp> cedk: so I Save it to download it, then edit it locally, then Select to upload it, right?
12:24 <sisalp> cedk: and so my invoice is modified for this database.
12:25 <sisalp> and what is the use of Open? It seems to download to /tmp and edit. Correct?
12:26 <cedk> sisalp: yes
12:28 <cedk> sisalp: the client cannot detect when the editing is done, so it cannot automatically update the field.
12:28 <cedk> sisalp: or it would have to be blocked until the editing is done.
12:29 <sisalp> cedk: excellent. And it looks the same on sao.
12:30 <sisalp> cedk: by the way, does "print directly" mean "get pdf"?
12:34 <cedk> sisalp: no, it means it is sent to the printer.
12:37 <sisalp> cedk: so I choose pdf in the extension model if I want it as pdf.
12:39 <sisalp> cedk: even if I prefer the client, it seems to me that sao has reached the client's level in terms of capabilities.
12:40 <pokoli> sisalp: there are still some minor features missing.
12:40 <pokoli> sisalp: for example, the right-click menu on relation fields and tree views.
12:55 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
13:03 -!- mariomop(~quassel@host73.181-10-43.telecom.net.ar) has joined #tryton
13:06 <sisalp> pokoli: thank you. All the functions of the product are operational with sao. It may do the trick until I revisit the client connectivity aspect.
14:52 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
15:35 -!- smarro(~sebastian@181.16.7.104) has joined #tryton
16:15 -!- csotelo_at_work(~csotelo@179.43.99.44) has joined #tryton
16:23 <csotelo_at_work> hello coders
16:24 <csotelo_at_work> cedk, I have a question related to the Tryton icon
16:24 <csotelo_at_work> could I use it as the icon for a local Slack team?
16:26 <cedk> csotelo_at_work: for me, I see no problem as far as it is in relation with Tryton.
16:27 <csotelo_at_work> thanks
16:28 <csotelo_at_work> and yes, I would use it just for Bitbucket for free and open source local Peruvian modules and a possible Slack channel if I could get other people or users to connect to it.
16:30 <csotelo_at_work> I have locale modules like account_invoice_pe, account_pe, party_pe, currency_sunat_pe
16:30 <csotelo_at_work> that are free and open source
16:32 <cedk> csotelo_at_work: still ok as far as you do not try to impersonate the Tryton project.
16:34 <csotelo_at_work> cedk, definitely I wouldn't do that.
16:34 <csotelo_at_work> I'm just looking to improve Peruvian locale modules for Tryton.
16:44 <cedk> csotelo_at_work: I do not doubt it ;-) just telling the rules.
16:45 <csotelo_at_work> of course :)
17:20 <csotelo_at_work> I was looking in previous days to contribute as a coder on the main project and modules. However, in my first attempt it was very hard; even though I have a degree in computer science and some years already working as a coder and now as a Project Manager, I found it not easy to understand some workflows or tickets. I hope to be able to contribute later and be part of it :)
17:25 -!- kstenger(~karla@r186-54-24-97.dialup.adsl.anteldata.net.uy) has joined #tryton
17:57 -!- JosDzG(~Thunderbi@189.250.43.248) has joined #tryton
18:02 <pokoli> csotelo_at_work: feel free to ask here (or on the ML) about the workflows that you don't understand.
18:03 <csotelo_at_work> pokoli, thanks!!!
18:06 -!- thaneor(~ldlc6@179.26.119.197) has joined #tryton
18:21 -!- JanGB(~jan@ip92343817.dynamic.kabel-deutschland.de) has joined #tryton
19:19 -!- Telesight(~anthony@4dae0c97.ftth.telfortglasvezel.nl) has joined #tryton
20:03 -!- thaneor(~ldlc6@179.26.119.197) has joined #tryton
20:04 -!- kstenger1(~karla@r190-133-246-124.dialup.adsl.anteldata.net.uy) has joined #tryton
20:55 -!- JosDzG(~Thunderbi@189.250.43.248) has joined #tryton
21:06 -!- JosDzG(~Thunderbi@189.250.43.248) has joined #tryton
22:00 -!- semarie(~semarie@unaffiliated/semarie) has joined #tryton
22:03 -!- smarro(~sebastian@181.16.7.104) has joined #tryton
23:47 -!- csotelo_at_work(~csotelo@190.42.17.12) has joined #tryton

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!