IRC logs of #tryton for Friday, 2017-05-12 #tryton log beginning Fri May 12 00:00:01 CEST 2017
2017-05-12 09:36 <sisalp> hello, I find a drawback to the new certificate policy of the client: with Let's Encrypt you must expose trytond to the internet to get/renew a certificate.
2017-05-12 09:39 <Timitos> sisalp: you are not forced to use letsencrypt. you can use any certification authority you want
2017-05-12 09:42 <dmollerm> sisalp: and afaik, you can still self-sign your certificate and install it on the client machines
2017-05-12 09:44 <sisalp> dmollerm: I'm not aware of that, can you tell me more?
2017-05-12 09:45 <sisalp> Timitos: With most providers, I cannot automate the setup.
2017-05-12 09:46 <Timitos> sisalp: you only need to expose the domain to the internet to get the letsencrypt certificate, but there is no need to expose trytond
2017-05-12 09:47 <dmollerm> sisalp:
2017-05-12 09:49 <dmollerm> sisalp: this can be achieved on Windows and Mac clients as well. A tryton>=4.4 client should recognize a system CA, but I haven't tried this out yet.
2017-05-12 09:49 <sisalp> Timitos: correct, but I have some homework to understand how I can.
2017-05-12 09:52 <dmollerm> sisalp: indeed all this is very interesting, but I usually require the aid of sysadmins/devops to get the SSL certs in place
2017-05-12 09:57 <sisalp> dmollerm: Thank you. I had a look, it is too complex to ask every user to set up his PC.
2017-05-12 10:03 <pokoli> sisalp: have you thought about exposing an nginx proxy in front of trytond?
2017-05-12 10:04 <pokoli> sisalp: the nginx proxy will be responsible for managing SSL certificates and static files
2017-05-12 10:04 <sisalp> pokoli: why nginx ?
2017-05-12 10:04 <pokoli> sisalp: because letsencrypt can automatically renew certificates with letsencrypt
2017-05-12 10:05 <pokoli> the last letsencrypt should be nginx, sorry
2017-05-12 10:05 <sisalp> pokoli: it does well with apache too
2017-05-12 10:05 <pokoli> sisalp: You can also use apache if you prefer
2017-05-12 10:06 <sisalp> pokoli: I do, but my problem is at client level
2017-05-12 10:07 <sisalp> pokoli: regarding Timitos' point, the way to request a cert on the web and then serve clients on the LAN is not yet clear to me.
2017-05-12 10:08 <pokoli> sisalp: but once you have a verified CA (which is the case with letsencrypt) then you don't have any problem at client level
2017-05-12 10:08 <pokoli> sisalp: can you explain a little bit what your setup is? especially the LAN part
2017-05-12 10:10 <sisalp> pokoli: right now I have no working setup able to 1) deliver services automatically and 2) keep trytond private on a LAN.
2017-05-12 10:14 <sisalp> pokoli: regarding the LAN I have a real case: the LAN is simulated between containers behind a firewall. I also think a customer may ask for a LAN-only solution and I may be in trouble, but I don't have this case.
2017-05-12 10:16 <Timitos> sisalp: for the LAN scenario I would prefer not to use a letsencrypt cert and if necessary stick with a manual solution
2017-05-12 10:18 <pokoli> sisalp: if the LAN is simulated you should get a certificate for the public domain
2017-05-12 10:19 <sisalp> Timitos: Unfortunately manual is not an option for me. I may limit the use to sao, but it is a pity.
2017-05-12 10:19 <pokoli> sisalp: and for the LAN, it makes sense to install a custom CA on the clients, as you are supposed to control all the machines connecting
2017-05-12 10:20 <pokoli> sisalp: instead of limiting, you can provide advice on how to install the CA
2017-05-12 10:20 <dmollerm> sisalp: for a LAN-only scenario, if the server domain name is not public, you are forced to use self-signed certs or to drop SSL altogether
2017-05-12 10:23 <dmollerm> sisalp: but if the server domain name actually exists and you can have your DNS provider point it anywhere, you can still get your certs signed by any public CA while keeping the actual trytond server on the LAN
2017-05-12 10:28 <sisalp> As a consequence, I'm figuring out what the sao limitations are today compared to the Tryton client.
2017-05-12 10:32 <sisalp> dmollerm: if I close access from the web, I think I won't get Let's Encrypt certificates.
2017-05-12 10:34 <cedk> sisalp: but sao will require exactly the same constraint against certificate
2017-05-12 10:35 <cedk> sisalp: browsers require valid SSL certificate
2017-05-12 10:36 <sisalp> cedk: mine doesn't. Up to now my Firefox proposes a security exception.
2017-05-12 10:37 <pokoli> sisalp: because the CA used to sign the certificate is not trusted
2017-05-12 10:37 <cedk> sisalp: you can not rely on people skipping security exception
2017-05-12 10:37 <cedk> sisalp: it is the same as if you had no SSL
2017-05-12 10:38 <sisalp> cedk: do you really mean it?
2017-05-12 10:38 <semarie> it is more a kind of opportunistic encryption than no encryption. MITM is possible, but passive monitoring isn't
2017-05-12 10:39 <dmollerm> sisalp: if you teach your users to accept SSL exceptions, they will do so in an eventual MITM attack/domain hijack, which is the whole thing SSL tries to save you from
2017-05-12 10:39 <sisalp> semarie: what is MITM?
2017-05-12 10:39 <semarie> Man-In-The-Middle
2017-05-12 10:39 <sisalp> man in the middle, sorry
2017-05-12 10:40 <cedk> sisalp: for me, your best solution will be to use a SSL proxy for all your installations
2017-05-12 10:40 <cedk> sisalp: with probably a wildcard domain name
2017-05-12 10:41 <sisalp> regarding man-in-the-middle, we have the same problem with the first ssh connection
2017-05-12 10:42 <cedk> sisalp: no, the hostname of the SSL certificate is checked
2017-05-12 10:43 <cedk> at Gandi a wildcard certificate is at 120€/year:
2017-05-12 10:44 <cedk> I guess letsencrypt forced them to reduce their prices
2017-05-12 10:47 <sisalp> cedk: what do you mean by "the hostname of the SSL certificate is checked"?
2017-05-12 10:49 <cedk> sisalp: the hostname of the connection is checked to match the CNs of the certificate
2017-05-12 10:50 <sisalp> cedk: you mean with ssh ?
2017-05-12 10:50 <cedk> sisalp: otherwise anybody with a signed certificate could behave as anybody
2017-05-12 10:50 <cedk> sisalp: I do not understand what ssh has to do here
2017-05-12 10:52 <sisalp> cedk: because I mentioned the case of MITM with ssh, and you answered "the hostname of the SSL certificate is checked"
2017-05-12 10:53 <cedk> sisalp: ha, you talked about ssh, I thought you talked about ssl
2017-05-12 10:53 <sisalp> cedk: ;-)
2017-05-12 10:56 <cedk> sisalp: so yes it is like for standard ssh
2017-05-12 10:57 <sisalp> cedk: a wildcard certificate is a possibility if I enforce a single domain name on everybody. I'm afraid these certs are "single level", I mean you can have, but not
2017-05-12 10:57 <cedk> sisalp: but it is worse because ssh is used by trained people while the browser is used by everybody
2017-05-12 10:58 <cedk> sisalp: wildcard is wildcard so it is as deep as you want
2017-05-12 10:58 <semarie> cedk: it seems to me that * will work only for one level.
2017-05-12 11:02 <cedk> indeed
2017-05-12 11:08 <cedk> but you do not really need deeper hostname for hosting service
2017-05-12 11:09 <cedk> if it is enough for google with, it should also be for you :-)
2017-05-12 11:40 <sisalp> cedk: I think I need a * cert per IP, because * and * go to different IPs.
2017-05-12 11:41 <cedk> sisalp: you can share the certificate
2017-05-12 11:44 <sisalp> cedk: may be, but not all servers are under my exclusive control.
2017-05-12 11:45 <sisalp> Thank you all for your inputs, will figure out what is best to open free subscriptions to Tryton 4.4 as soon as possible.
2017-05-12 12:09 <sisalp> hi, another question: I can't find the upload menu to update a document .odt model. Do you know where it sits?
2017-05-12 12:12 <cedk> sisalp: you mean a report?
2017-05-12 12:14 <sisalp> cedk: invoice for example
2017-05-12 12:16 <cedk> sisalp: in administration > UI > action > report
2017-05-12 12:19 <sisalp> cedk: on the content field, I get 4 icons: Select/Open/Save as and Erase (in French)
2017-05-12 12:20 <sisalp> cedk: Open opens LibreOffice. Do I edit the document directly on the server?
2017-05-12 12:21 <sisalp> cedk: Is Select an upload function?
2017-05-12 12:22 <cedk> sisalp: yes select is to set the value of the field
2017-05-12 12:23 <sisalp> cedk: so I save it to download it, then edit it locally, then Select to upload it, right ?
2017-05-12 12:24 <sisalp> cedk: and so my invoice is modified for this database.
2017-05-12 12:25 <sisalp> And what is the use of Open? It seems to download to /tmp and edit. Correct?
2017-05-12 12:26 <cedk> sisalp: yes
2017-05-12 12:28 <cedk> sisalp: the client can not detect when the editing is done so it can not automatically update the field
2017-05-12 12:28 <cedk> sisalp: or it would have to be blocked until the editing is done
2017-05-12 12:29 <sisalp> cedk: excellent. and it looks the same on sao.
2017-05-12 12:30 <sisalp> cedk: by the way "print directly" means "get pdf" ?
2017-05-12 12:34 <cedk> sisalp: no, it means it is sent to the printer
2017-05-12 12:37 <sisalp> cedk: so I choose pdf in extension model if I want it as pdf
2017-05-12 12:39 <sisalp> cedk: even if I prefer the client, it seems to me that sao has reached the client's level in terms of capabilities.
2017-05-12 12:40 <pokoli> sisalp: there are still some minor features missing
2017-05-12 12:40 <pokoli> sisalp: for example, the right-click menu on relation fields and tree views
2017-05-12 13:06 <sisalp> pokoli: Thank you. All the functions of the product are operational with sao. It may do the trick until I revisit the client connectivity aspect.
2017-05-12 16:23 <csotelo_at_work> hello coders
2017-05-12 16:24 <csotelo_at_work> cedk, I have a question related to the tryton icon
2017-05-12 16:24 <csotelo_at_work> could I use it for icon for slack local team ??
2017-05-12 16:26 <cedk> csotelo_at_work: for me, I see no problem as far as it is in relation with Tryton
2017-05-12 16:27 <csotelo_at_work> thanks
2017-05-12 16:28 <csotelo_at_work> and yes, I would use it just for bitbucket for free and open source local Peruvian modules and a possible slack channel if I could get other people or users to connect to it
2017-05-12 16:30 <csotelo_at_work> I have locale modules like account_invoice_pe, account_pe, party_pe, currency_sunat_pe
2017-05-12 16:30 <csotelo_at_work> that are free and open source
2017-05-12 16:32 <cedk> csotelo_at_work: still ok as long as you do not try to impersonate the Tryton project
2017-05-12 16:34 <csotelo_at_work> cedk, definitely I wouldn't do that
2017-05-12 16:34 <csotelo_at_work> I'm just looking to improve the Peruvian locale modules for tryton
2017-05-12 16:44 <cedk> csotelo_at_work: I do not doubt ;-) just telling the rules
2017-05-12 16:45 <csotelo_at_work> of course :)
2017-05-12 17:20 <csotelo_at_work> I was looking a few days ago to contribute as a coder on the main project and modules. However, in my first attempt it was very hard; even though I have a degree in computer science and some years already working as a coder and now as a Project Manager, I found it not easy to understand some workflows or tickets. I hope to be able to contribute later and be part of it :)
2017-05-12 18:02 <pokoli> csotelo_at_work: feel free to ask here (or in the ML) about the workflows that you don't understand
2017-05-12 18:03 <csotelo_at_work> pokoli, thanks!!!
