============================================ #fedora-meeting: Infrastructure (2011-09-29) ============================================ Meeting started by nirik at 19:00:08 UTC. The full logs are available at http://meetbot.fedoraproject.org/fedora-meeting/2011-09-29/infrastructure.2011-09-29-19.00.log.html Meeting summary --------------- * Robot Roll Call (nirik, 19:00:09) * New folks introductions and Apprentice tasks. (nirik, 19:01:54) * F16 Beta (nirik, 19:09:19) * Password/Ssh-key/Cert reset flag day discussion. (nirik, 19:13:32) * LINK: https://fedorahosted.org/pipermail/csi-devel/2011-September/000042.html (nirik, 19:16:13) * RFR progress report (nirik, 19:37:47) * Upcoming Tasks/Items (nirik, 19:41:17) * Meeting tickets (nirik, 19:44:58) * LINK: https://bugzilla.redhat.com/show_bug.cgi?id=737506#c11 (nirik, 19:46:57) * Open Floor (nirik, 19:53:30) Meeting ended at 20:00:53 UTC. Action Items ------------ Action Items, by person ----------------------- * **UNASSIGNED** * (none) People Present (lines said) --------------------------- * nirik (116) * abadger1999 (40) * skvidal (37) * smooge (36) * KKA (18) * mzhun (11) * zodbot (10) * herlo (10) * ke4zvu3 (7) * CodeBlock (3) * athmane (1) * lmacken (1) * ricky (0) * codeblock (0) -- 19:00:08 <nirik> #startmeeting Infrastructure (2011-09-29) 19:00:08 <zodbot> Meeting started Thu Sep 29 19:00:08 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:08 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:00:09 <nirik> #meetingname infrastructure 19:00:09 <zodbot> The meeting name has been set to 'infrastructure' 19:00:09 <nirik> #topic Robot Roll Call 19:00:09 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken 19:00:09 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge 19:00:38 * skvidal is here 19:00:41 * skvidal is kinda grumpy, too 19:00:49 <CodeBlock> here, but might be ducking out early 19:00:58 * athmane is around 19:01:07 <mzhun> here for the first time 19:01:15 * ke4zvu3 is here 19:01:54 <nirik> #topic New folks introductions and Apprentice tasks. 19:02:14 * abadger1999 here 19:02:18 <nirik> ok, welcome new folks. ;) Any of you care to give a short welcome message? what you are hoping to work on/etc... 19:03:00 <smooge> here 19:03:09 <mzhun> maybe I start 19:03:31 <mzhun> I already sent out an introduction mail, but forgot to mention my nick here 19:03:49 <mzhun> so my name is Zoltán Magyar from Hungary 19:04:03 <nirik> welcome! 19:04:03 <mzhun> I'm mostly looking for some programming tasks 19:04:22 <mzhun> but I'm also interested in networking ang virtualization 19:04:25 <nirik> excellent. Whats your code background? python? 19:04:27 <mzhun> thanks 19:04:32 * herlo is here 19:04:56 * abadger1999 perks up at the mention of someone looking for programming tasks :-) 19:05:05 <mzhun> I did some java and python a few years ago 19:05:15 <nirik> mzhun: abadger1999 would be the one to talk to about programming tasks... we do have a number pending. ;) 19:05:19 <mzhun> but since then, I'm doing mostly function testing 19:05:39 <mzhun> so I'll have to do some refreshing :-) 19:05:45 <mzhun> ok, thanks! 19:06:00 <nirik> cool. We can talk more in #fedora-admin after the meeting... and welcome again. 19:06:08 <ke4zvu3> Hi all, i'm Jonathan Nalley in SC, USA. I'm glad to be here and excited to dedicate some time to Infra. In my list introduction email, I identified a few low-hanging-fruit tickets that i'm hoping won't be too much fuss to deal with for an Infra n00b like myself. tickets 1968, 2816, and 1658 immediately stood out to me 19:06:30 <smooge> cool 19:06:47 <ke4zvu3> but i'm just hanging out in IRC and trying to make it to the weekly meetings as suggested in the GettingStarted wiki 19:06:56 <nirik> ke4zvu3: welcome. ;) do ask folks about those and we can get you pointed in the right direction... 19:07:03 <ke4zvu3> nirik: will do, thanks 19:07:16 <nirik> and yeah, just hanging around and asking questions or the like is a great way to see whats going on... 19:07:41 <ke4zvu3> nirik: yup, yup. hope you get to feeling better soon btw 19:07:49 <skvidal> ke4zvu3: are you related to ke4qqq? 19:07:52 <nirik> any other new folks like to say hi? 19:08:01 <nirik> skvidal: another ham I guess. ;) 19:08:02 <ke4zvu3> skvidal: indeed I am 19:08:06 <skvidal> nirik: no kidding 19:08:10 <skvidal> nirik: ZING 19:08:19 <skvidal> ke4zvu3: ah ha 19:08:47 <nirik> ok, will move along then if there's no more intros or questions on apprentice stuff? 19:08:48 * CodeBlock waves to ke4zvu3 ... n8sql here :D 19:09:03 <CodeBlock> (and yes, that is a vanity callsign :P) 19:09:11 <nirik> ha 19:09:19 <nirik> #topic F16 Beta 19:09:23 <KKA> my update on 1180 : These are all the archival indexers I could find HyperMail, PiperMail, MHOnarc, luker, MnoGoSearch, HT:Dig and Swish-E 19:09:55 <nirik> KKA: cool. If you could filter thru them and see what might be possible, then update the ticket. ;) 19:10:03 <nirik> so, we don't know yet if beta is a go... 19:10:10 <nirik> it could go out tuesday or slip a week. 19:10:19 <nirik> but we have our typical beta prep ticket. 19:10:35 * nirik digs up numbers 19:10:49 <nirik> .ticket 2945 19:10:51 <zodbot> nirik: #2945 (Fedora 16 Beta - New website) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2945 19:10:52 <nirik> .ticket 2946 19:10:54 <zodbot> nirik: #2946 (Fedora 16 Beta - verify mirror space) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2946 19:10:56 <nirik> .ticket 2947 19:10:58 <zodbot> nirik: #2947 (Fedora 16 Beta - release day ticket) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2947 19:11:00 <nirik> .ticket 2948 19:11:02 <zodbot> nirik: #2948 (Fedora 16 Beta - verify release permissions with rel-eng) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2948 19:11:06 <nirik> .ticket 2949 19:11:07 <zodbot> nirik: #2949 (Fedora 16 Beta - Mirrormanager redirects for beta) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2949 19:11:21 <nirik> will check on the website, but I think it's created and ready. 19:11:31 <nirik> I think we are ok on mirror space still. 19:11:45 <nirik> the others need to wait for the staging part of the release. 19:12:06 <smooge> we are ok on mirror space. I want to get some of the alt ones cleaned up 19:12:30 <nirik> ok, cool. 19:12:37 <nirik> Anyone have any questions or concerns for Beta? 19:12:58 <smooge> not from me 19:13:32 <nirik> #topic Password/Ssh-key/Cert reset flag day discussion. 19:14:00 <nirik> So, I wrote up a wiki page on this: https://fedoraproject.org/wiki/Infrastructure_mass_password_update 19:14:23 <nirik> and updated CSI docs and sent my changes to the csi-devel list (with no reply). I will probibly just check in changes later today. 19:14:54 <nirik> we need to get fas changes worked on. Not sure if abadger1999 might have time, if we should try and catch ricky or if we want to find someone else to do them. ;) 19:15:38 <nirik> I'd like to have our docs setup, and fas changes, and a draft announcement ready before we announce anything. 19:15:41 <smooge> nirik, I didn't see any email on csi-devel. I need to figure out why 19:15:53 <nirik> smooge: huh. I thought I sent it. I can doublecheck. 19:16:07 <smooge> I don't doubt you did.. I may have spammed it 19:16:13 <nirik> https://fedorahosted.org/pipermail/csi-devel/2011-September/000042.html 19:16:17 <skvidal> hmm 19:16:19 <skvidal> I don' 19:16:22 <skvidal> t think i'm on that list 19:16:33 <nirik> mor lists! 19:16:35 <skvidal> wow, xml diffs 19:16:38 <abadger1999> I would like to get a new infra programmer to program it... although, after looking, it may be that I do a bit of cleanup after the changes are in. 19:16:41 * skvidal decides to stay off of it 19:16:45 <nirik> skvidal: it's in publican. 19:17:01 <abadger1999> It should be relatively simple to program the checks for a more secure password 19:17:37 <nirik> is everyone ok with the password rules in https://fedorahosted.org/fedora-infrastructure/ticket/2804 19:17:53 <nirik> abadger1999: so, as far as checking ssh keys, we would want to do that as a standalone script? 19:18:02 <abadger1999> nirik: yes. 19:18:35 <abadger1999> Reason for that is that we want to allow users to update their ssh keys in general usage but that update might be adding a key. 19:18:56 <abadger1999> In this particular case, we specifically want users to change their keys. 19:19:05 <skvidal> abadger1999: do we have a max-length on our pws? 19:19:16 <ke4zvu3> nirik: those standards are a very conservative minimum IMHO 19:19:17 <nirik> right, so we need to dump them all out when we announce, then keep checking them against that dump over time until the deadline. 19:19:33 <nirik> ke4zvu3: yeah. they are better than what we have now tho. ;) 19:19:48 <abadger1999> skvidal: Not that I know of -- I believe we're using glibc's crypt with a salt that tells it to use md5. 19:20:04 <skvidal> md5?? 19:20:17 <abadger1999> or sha... I'd have to check 19:20:24 <smooge> ke4zvu3, they are very very conservative.. mainly because the outcry and backlash from the users when we tried more 19:20:28 <abadger1999> I just remember -- it's not des 19:20:35 <abadger1999> so the 8 char limit isn't there. 19:20:50 <smooge> I found out that for some reason there is a 15 letter limit in some MD5 implementations 19:21:06 <nirik> so, would anyone be willing to write the ssh key checker script? ;) 19:21:44 <smooge> we are using MD5 hashes currently 19:21:47 <skvidal> nod 19:21:50 <skvidal> $1$ 19:22:02 <skvidal> we can go to sha512 w/o any issues I think 19:22:03 <nirik> switching that to nice sha256 might be good. ;) 19:22:07 <abadger1999> hash_id = '6' # SHA-512 19:22:07 <skvidal> $6$ 19:22:08 <nirik> or 512, sure. 19:22:27 * abadger1999 checks db to see how many people's passwords currently are sha-512 19:22:44 <skvidal> abadger1999: getent shadow skvidal shows mine as md5 19:22:59 <skvidal> and nirik's 19:23:23 <nirik> another reason for a password change. ;) 19:24:01 <nirik> I'll probibly try and work on a draft announcement/nag email tomorrow or early next week. Then I will float it to some folks to sanity check... 19:24:50 <abadger1999> Looks like everyone has md5 passwords 19:25:01 <abadger1999> We'll want to update/hotfix fas. 19:25:07 <smooge> yeah.. 19:25:10 <nirik> yep. 19:25:14 <skvidal> nod 19:25:20 <smooge> don't want to find out fas has a 40 character limit :) 19:25:24 <smooge> for the hash 19:25:26 <nirik> we will need to update for this password rules too right? 19:26:33 <nirik> if no one else steps up, I can look at making the fas changes. ;) 19:26:58 <skvidal> what needs to be done to fas? 19:27:10 <nirik> new password rules, change to sha512. 19:28:13 <nirik> there's also at least 4 hotfixes we currently are carrying, so perhaps it would be time for a new release? 19:29:15 <abadger1999> Well, the md5 algo that we're using is generating different hashes with 103 and 104 character strings. 19:29:43 <abadger1999> So at least that's good. 19:29:55 <abadger1999> yeah, it is time for a new fas release. 19:30:13 <abadger1999> ricky was going to organize one but I'm not sure how things are for him right now. 19:30:20 <nirik> abadger1999: so, if you can find someone who wants to work on it, great... if not by mid-next week let me know and I will poke it. 19:30:51 <abadger1999> Okay. 19:30:52 <skvidal> jsmith-away: ping! 19:31:06 * abadger1999 hopes maybe mzhun will be interested :-) 19:31:19 <abadger1999> at least, to the point where we can hotfix. 19:31:21 <skvidal> abadger1999: let me know, too 19:31:22 <nirik> we still need someone to whip up the ssh key script. :) I guess I will try and farm it around after the meeting. 19:31:28 <abadger1999> making a release will be harder. 19:31:33 <skvidal> nirik: ssh key script..... 19:31:36 <abadger1999> probably needs ricky or I for now. 19:31:39 <skvidal> nirik: I could probably do that 19:31:47 <nirik> skvidal: that would be lovely. ;) 19:31:51 <abadger1999> nirik: Did we decide o nthe password criteria? 19:32:02 * abadger1999 clicks on ticket link 19:32:03 <nirik> I am personally fine with the stuff in that ticket. 19:32:08 <nirik> unless it's hard to implement that way 19:32:58 <smooge> me too 19:33:46 <nirik> so, anything more on password / key resetting? 19:34:07 <abadger1999> Looks implementable 19:34:19 * nirik invests in flame retardent suits for everyone after we announce it. 19:34:40 * herlo calls dibs on the kevlar vest! 19:34:43 <smooge> you will need to invest in soap for my mouth 19:35:00 <nirik> I hope I can make a clear case in the announcement... time will tell. 19:35:01 <skvidal> if anyone complains just show them kernel.org 19:35:02 <abadger1999> Do we want a length for all-lower case letters? Or is that 12? 19:35:06 <skvidal> ask them where the git trees are 19:35:09 <skvidal> then tell them to stfu 19:35:10 <smooge> but I will try to keep my language down to only klingon swear words 19:35:30 <herlo> smooge: you can use battlestar galactica swearing too! 19:35:33 <herlo> :) 19:35:34 <smooge> abadger1999, all lowercase should be 20 19:35:40 <abadger1999> feldercarb 19:35:53 <skvidal> feldercarb 19:35:54 <skvidal> nice 19:36:07 <smooge> only old school BSG though 19:36:08 * abadger1999 adds lowercase==20 to the ticket 19:36:11 <abadger1999> Yep. 19:37:08 <nirik> sounds fine to me. 19:37:16 <nirik> ok, move on then? 19:37:47 <nirik> #topic RFR progress report 19:38:07 <nirik> so, I have setup a production ask.fedoraproject.org instance. ;) It's not officially announced, but it's running along. 19:38:20 <nirik> I need to get awstats working on it, but otherwise I think it's all set. 19:38:37 <nirik> fpaste is still testing stuff in dev... 19:38:47 <nirik> I don't think we have any others in process currently. 19:39:13 <nirik> any other questions or comments on new resources? 19:39:35 <herlo> fpaste-server is going back to the drawing board 19:39:43 <nirik> herlo: ;( 19:39:54 <nirik> so, should we nuke our dev instance entirely until it's more ready? 19:40:02 <nirik> or is that helpfull to rework it? 19:40:04 <herlo> nirik: if you need the resources 19:40:23 <herlo> for now, I'll go stop the instance of httpd 19:40:24 <nirik> well, we don't, but it's another machine to update and secure and such. ;) 19:41:11 <nirik> just let us know... 19:41:17 <nirik> #topic Upcoming Tasks/Items 19:41:33 <smooge> why is it going to the drawing board? 19:41:33 <nirik> So, we are still in freeze, which may end next week, or the week after. 19:42:02 <smooge> will talk after meeting 19:42:27 <nirik> smooge: I think there were coding issues... it needed parts re-written to be more clean/maintainable. 19:42:39 <smooge> ok 19:42:44 <nirik> I'd like to schedule an update day after the freeze is over. 19:42:58 <smooge> nirik, sounds good. 19:43:18 <nirik> also, we need to get guests moved off xen03/xen05/xen09. 19:43:34 <nirik> some of that can happen now... but a few things will need to wait until after freeze. 19:44:18 <smooge> yes. 19:44:18 <nirik> anyone have anything else they are looking at upcoming? 19:44:24 <smooge> I have a ticket 19:44:27 <smooge> for the meeting 19:44:37 <smooge> but that probably goes under new biz 19:44:52 <nirik> ok. 19:44:58 <nirik> #topic Meeting tickets 19:45:06 <nirik> .ticket 2959 19:45:07 <zodbot> nirik: #2959 (Move infrastructure to TLS 1.1+) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2959 19:45:58 <smooge> With the current "OMG The Intertube Kittens Will Be Killed" Crisis, there is a call to move from SSL3.0/TLS1.0 to TLS1.1+ 19:46:00 <nirik> as far as I know, gnutls is the only ones to have updated to allow this. 19:46:13 <nirik> it's also not clear how bad this issue is. 19:46:16 * nirik digs up some links. 19:46:52 <smooge> I don't know myself. I was hoping to get abadger1999 and ricky looking at it 19:46:57 <nirik> https://bugzilla.redhat.com/show_bug.cgi?id=737506#c11 19:47:27 * abadger1999 not a security expert. 19:47:33 <abadger1999> ricky might have a better idea. 19:47:45 <smooge> The problem comes from Xsite attack loading a javascript which slowly decrypts your encrypted cookies 19:48:02 <nirik> a java applet rather. 19:48:03 <smooge> once it has an encrypted cookie it uses it to login 19:48:22 <smooge> nirik, I was told it was all javascript.. but I am probably wrong 19:48:38 <nirik> websockets or java from my understanding. 19:49:30 <nirik> so, I think if we can easily set our stuff to not use tls1.0, great... but it's not clear to me that this is currently possible/easy. 19:50:02 <smooge> that was the part I was thinking abadger1999 would need to tackle as it breaks various apps suppsoedly. 19:50:16 <abadger1999> hmm... 19:50:24 <nirik> possibly via a sslprotocol... not sure. 19:50:38 <abadger1999> We aren't using websocket in any of our mission critical stuff. moksha might. 19:50:50 <abadger1999> so we probably need to ask lmacken about that. 19:51:51 <nirik> looks like no on mod_ssl/openssl... it only supports TLS1 (meaning any tls 1* version). 19:52:43 <nirik> so, I think we update as we can and hope for the best here? 19:52:53 <smooge> ok 19:52:59 <smooge> I wanted to get it on the docket 19:53:06 <nirik> yeah, good plan. 19:53:12 <smooge> next to "lets have a calender server" and "oh look ponies" 19:53:20 <nirik> we should check on moksha and websockets tho... 19:53:30 <nirik> #topic Open Floor 19:53:36 <nirik> Anyone have anything for open floor? 19:53:44 <skvidal> torrents? 19:53:59 <skvidal> herlo: did you test any of them out? 19:54:02 <nirik> sure. ;) 19:54:07 <herlo> not yet 19:54:14 <skvidal> okie doke 19:54:18 <herlo> skvidal: I was planning on working on it tomorrow and saturday 19:54:21 <skvidal> cool 19:54:27 <skvidal> herlo: and thank you 19:54:37 <herlo> no problem. I like that stuff 19:54:46 <nirik> this is moving us to another torrent solution that actually has people maintaining it? 19:55:18 <skvidal> nirik: hahaha 19:55:19 <skvidal> so funny 19:55:31 <nirik> possibly crazy people, but... 19:55:33 <nirik> anyhow... 19:55:46 <nirik> anyone have any other open floor items? or shall we call it a meeting? 19:55:55 <KKA> update on 1180: HyperMail(not good) and PiperMail ( moving away from this ) are dropped and I am done with my test setup of mailman integration with MHOnarc and the below are the steps that I have for the setup 19:55:56 <KKA> 1) RPM is ready and built, if needed we can build one more from source for our use. 19:55:56 <KKA> 2) Install the Mhonarc. 19:55:56 <KKA> 3) Create a new archival location. 19:55:56 <KKA> 4) Create a mrc ( MHOnarc ) resource file. 19:55:56 <KKA> 5) As we have already quite a huge number of mails we need to re-index them with mhonarc to the new archival location. 19:55:57 <KKA> 6) Need these below parameters to be added to /etc/mailman/mm_cfg.py 19:55:57 <KKA> PUBLIC_ARCHIVE_URL 19:55:58 <KKA> PRIVATE_ARCHIVE_URL 19:55:58 <KKA> PUBLIC_EXTERNAL_ARCHIVER 19:55:59 <KKA> PRIVATE_EXTERNAL_ARCHIVER 19:55:59 <KKA> 7) Update the mailman.conf in httpd to point to new archival location. 19:56:00 <KKA> 8) Reload httpd and restart mailman. 19:56:00 <KKA> I am trying to improve the current mrc file that I have once I am done with it I will start workingon getting Luker integreted with mailman. 19:56:50 <nirik> KKA: a few things... 19:57:15 <nirik> our usual policy is to use packaged stuff, and to use it from EPEL whereever possible... 19:57:15 <KKA> nirik: sure 19:57:23 <nirik> so any packages we use need to be packaged up and maintained. 19:57:41 <nirik> mhonarc is in already I think tho 19:57:49 <lmacken> abadger1999: we don't use orbited in production, and even if we did, i don't think it uses native websockets if they're available 19:58:00 <abadger1999> Excellent 19:58:20 <nirik> KKA: but lurker isn't...so that will require more work. :) Might be worth it if it's much better tho 19:58:27 <abadger1999> nirik, smooge: So it looks like updating (when it's an option) won't break anything. 19:58:29 <nirik> KKA: so, do update the ticket as you go with new info. 19:58:56 <nirik> KKA: and thanks for looking into this. ;) 19:58:58 <smooge> hey could we turn off torrents and see how long any one notices? 19:59:08 <smooge> abadger1999, thanks 19:59:16 <KKA> nirik: sure, once i am done with my test setup integration with luker i will update the ticket more info\ 19:59:39 <nirik> KKA: great. It might also be cool if you could set it up somewhere and post to the list some example links for people to look at ? 20:00:04 * abadger1999 redirects thanks to lmacken :-0 20:00:06 <abadger1999> :-) 20:00:14 <KKA> sure, i will 20:00:26 <nirik> cool. 20:00:33 <nirik> ok, will close out in a minute then if nothing else. 20:00:53 <nirik> #endmeeting
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure