19:00:08 <nirik> #startmeeting Infrastructure (2011-09-29)
19:00:08 <zodbot> Meeting started Thu Sep 29 19:00:08 2011 UTC.  The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:08 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:09 <nirik> #meetingname infrastructure
19:00:09 <zodbot> The meeting name has been set to 'infrastructure'
19:00:09 <nirik> #topic Robot Roll Call
19:00:09 <nirik> #chair smooge skvidal codeblock ricky nirik abadger1999 lmacken
19:00:09 <zodbot> Current chairs: abadger1999 codeblock lmacken nirik ricky skvidal smooge
19:00:38 * skvidal is here
19:00:41 * skvidal is kinda grumpy, too
19:00:49 <CodeBlock> here, but might be ducking out early
19:00:58 * athmane is around
19:01:07 <mzhun> here for the first time
19:01:15 * ke4zvu3 is here
19:01:54 <nirik> #topic New folks introductions and Apprentice tasks.
19:02:14 * abadger1999 here
19:02:18 <nirik> ok, welcome new folks. ;) Any of you care to give a short welcome message? what you are hoping to work on/etc...
19:03:00 <smooge> here
19:03:09 <mzhun> maybe I start
19:03:31 <mzhun> I already sent out an introduction mail, but forgot to mention my nick here
19:03:49 <mzhun> so my name is Zoltán Magyar from Hungary
19:04:03 <nirik> welcome!
19:04:03 <mzhun> I'm mostly looking for some programming tasks
19:04:22 <mzhun> but I'm also interested in networking ang virtualization
19:04:25 <nirik> excellent. Whats your code background? python?
19:04:27 <mzhun> thanks
19:04:32 * herlo is here
19:04:56 * abadger1999 perks up at the mention of someone looking for programming tasks :-)
19:05:05 <mzhun> I did some java and python a few years ago
19:05:15 <nirik> mzhun: abadger1999 would be the one to talk to about programming tasks... we do have a number pending. ;)
19:05:19 <mzhun> but since then, I'm doing mostly function testing
19:05:39 <mzhun> so I'll have to do some refreshing :-)
19:05:45 <mzhun> ok, thanks!
19:06:00 <nirik> cool. We can talk more in #fedora-admin after the meeting... and welcome again.
19:06:08 <ke4zvu3> Hi all, i'm Jonathan Nalley in SC, USA. I'm glad to be here and excited to dedicate some time to Infra.  In my list introduction email, I identified a few low-hanging-fruit tickets that i'm hoping won't be too much fuss to deal with for an Infra n00b like myself. tickets 1968, 2816, and 1658 immediately stood out to me
19:06:30 <smooge> cool
19:06:47 <ke4zvu3> but i'm just hanging out in IRC and trying to make it to the weekly meetings as suggested in the GettingStarted wiki
19:06:56 <nirik> ke4zvu3: welcome. ;) do ask folks about those and we can get you pointed in the right direction...
19:07:03 <ke4zvu3> nirik: will do, thanks
19:07:16 <nirik> and yeah, just hanging around and asking questions or the like is a great way to see whats going on...
19:07:41 <ke4zvu3> nirik: yup, yup. hope you get to feeling better soon btw
19:07:49 <skvidal> ke4zvu3: are you related to ke4qqq?
19:07:52 <nirik> any other new folks like to say hi?
19:08:01 <nirik> skvidal: another ham I guess. ;)
19:08:02 <ke4zvu3> skvidal: indeed I am
19:08:06 <skvidal> nirik: no kidding
19:08:10 <skvidal> nirik: ZING
19:08:19 <skvidal> ke4zvu3: ah ha
19:08:47 <nirik> ok, will move along then if there's no more intros or questions on apprentice stuff?
19:08:48 * CodeBlock waves to ke4zvu3 ... n8sql here :D
19:09:03 <CodeBlock> (and yes, that is a vanity callsign :P)
19:09:11 <nirik> ha
19:09:19 <nirik> #topic F16 Beta
19:09:23 <KKA> my update on 1180 : These are all the archival indexers I could find HyperMail, PiperMail, MHOnarc, luker, MnoGoSearch, HT:Dig and Swish-E
19:09:55 <nirik> KKA: cool. If you could filter thru them and see what might be possible, then update the ticket. ;)
19:10:03 <nirik> so, we don't know yet if beta is a go...
19:10:10 <nirik> it could go out tuesday or slip a week.
19:10:19 <nirik> but we have our typical beta prep ticket.
19:10:35 * nirik digs up numbers
19:10:49 <nirik> .ticket 2945
19:10:51 <zodbot> nirik: #2945 (Fedora 16 Beta - New website) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2945
19:10:52 <nirik> .ticket 2946
19:10:54 <zodbot> nirik: #2946 (Fedora 16 Beta - verify mirror space) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2946
19:10:56 <nirik> .ticket 2947
19:10:58 <zodbot> nirik: #2947 (Fedora 16 Beta - release day ticket) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2947
19:11:00 <nirik> .ticket 2948
19:11:02 <zodbot> nirik: #2948 (Fedora 16 Beta - verify release permissions with rel-eng) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2948
19:11:06 <nirik> .ticket 2949
19:11:07 <zodbot> nirik: #2949 (Fedora 16 Beta - Mirrormanager redirects for beta) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2949
19:11:21 <nirik> will check on the website, but I think it's created and ready.
19:11:31 <nirik> I think we are ok on mirror space still.
19:11:45 <nirik> the others need to wait for the staging part of the release.
19:12:06 <smooge> we are ok on mirror space. I want to get some of the alt ones cleaned up
19:12:30 <nirik> ok, cool.
19:12:37 <nirik> Anyone have any questions or concerns for Beta?
19:12:58 <smooge> not from me
19:13:32 <nirik> #topic Password/Ssh-key/Cert reset flag day discussion.
19:14:00 <nirik> So, I wrote up a wiki page on this: https://fedoraproject.org/wiki/Infrastructure_mass_password_update
19:14:23 <nirik> and updated CSI docs and sent my changes to the csi-devel list (with no reply). I will probibly just check in changes later today.
19:14:54 <nirik> we need to get fas changes worked on. Not sure if abadger1999 might have time, if we should try and catch ricky or if we want to find someone else to do them. ;)
19:15:38 <nirik> I'd like to have our docs setup, and fas changes, and a draft announcement ready before we announce anything.
19:15:41 <smooge> nirik, I didn't see any email on csi-devel. I need to figure out why
19:15:53 <nirik> smooge: huh. I thought I sent it. I can doublecheck.
19:16:07 <smooge> I don't doubt you did.. I may have spammed it
19:16:13 <nirik> https://fedorahosted.org/pipermail/csi-devel/2011-September/000042.html
19:16:17 <skvidal> hmm
19:16:19 <skvidal> I don'
19:16:22 <skvidal> t think i'm on that list
19:16:33 <nirik> mor lists!
19:16:35 <skvidal> wow, xml diffs
19:16:38 <abadger1999> I would like to get a new infra programmer to program it... although, after looking, it may be that I do a bit of cleanup after the changes are in.
19:16:41 * skvidal decides to stay off of it
19:16:45 <nirik> skvidal: it's in publican.
19:17:01 <abadger1999> It should be relatively simple to program the checks for a more secure password
19:17:37 <nirik> is everyone ok with the password rules in https://fedorahosted.org/fedora-infrastructure/ticket/2804
19:17:53 <nirik> abadger1999: so, as far as checking ssh keys, we would want to do that as a standalone script?
19:18:02 <abadger1999> nirik: yes.
19:18:35 <abadger1999> Reason for that is that we want to allow users to update their ssh keys in general usage but that update might be adding a key.
19:18:56 <abadger1999> In this particular case, we specifically want users to change their keys.
19:19:05 <skvidal> abadger1999: do we have a max-length on our pws?
19:19:16 <ke4zvu3> nirik: those standards are a very conservative minimum IMHO
19:19:17 <nirik> right, so we need to dump them all out when we announce, then keep checking them against that dump over time until the deadline.
19:19:33 <nirik> ke4zvu3: yeah. they are better than what we have now tho. ;)
19:19:48 <abadger1999> skvidal: Not that I know of -- I believe we're using glibc's crypt with a salt that tells it to use md5.
19:20:04 <skvidal> md5??
19:20:17 <abadger1999> or sha... I'd have to check
19:20:24 <smooge> ke4zvu3, they are very very conservative.. mainly because the outcry and backlash from the users when we tried more
19:20:28 <abadger1999> I just remember -- it's not des
19:20:35 <abadger1999> so the 8 char limit isn't there.
19:20:50 <smooge> I found out that for some reason there is a 15 letter limit in some MD5 implementations
19:21:06 <nirik> so, would anyone be willing to write the ssh key checker script? ;)
19:21:44 <smooge> we are using MD5 hashes currently
19:21:47 <skvidal> nod
19:21:50 <skvidal> $1$
19:22:02 <skvidal> we can go to sha512 w/o any issues I think
19:22:03 <nirik> switching that to nice sha256 might be good. ;)
19:22:07 <abadger1999> hash_id = '6' # SHA-512
19:22:07 <skvidal> $6$
19:22:08 <nirik> or 512, sure.
19:22:27 * abadger1999 checks db to see how many people's passwords currently are sha-512
19:22:44 <skvidal> abadger1999: getent shadow skvidal shows mine as md5
19:22:59 <skvidal> and nirik's
19:23:23 <nirik> another reason for a password change. ;)
19:24:01 <nirik> I'll probibly try and work on a draft announcement/nag email tomorrow or early next week. Then I will float it to some folks to sanity check...
19:24:50 <abadger1999> Looks like everyone has md5 passwords
19:25:01 <abadger1999> We'll want to update/hotfix fas.
19:25:07 <smooge> yeah..
19:25:10 <nirik> yep.
19:25:14 <skvidal> nod
19:25:20 <smooge> don't want to find out fas has a 40 character limit :)
19:25:24 <smooge> for the hash
19:25:26 <nirik> we will need to update for this password rules too right?
19:26:33 <nirik> if no one else steps up, I can look at making the fas changes. ;)
19:26:58 <skvidal> what needs to be done to fas?
19:27:10 <nirik> new password rules, change to sha512.
19:28:13 <nirik> there's also at least 4 hotfixes we currently are carrying, so perhaps it would be time for a new release?
19:29:15 <abadger1999> Well, the md5 algo that we're using is generating different hashes with 103 and 104 character strings.
19:29:43 <abadger1999> So at least that's good.
19:29:55 <abadger1999> yeah, it is time for a new fas release.
19:30:13 <abadger1999> ricky was going to organize one but I'm not sure how things are for him right now.
19:30:20 <nirik> abadger1999: so, if you can find someone who wants to work on it, great... if not by mid-next week let me know and I will poke it.
19:30:51 <abadger1999> Okay.
19:30:52 <skvidal> jsmith-away: ping!
19:31:06 * abadger1999 hopes maybe mzhun will be interested :-)
19:31:19 <abadger1999> at least, to the point where we can hotfix.
19:31:21 <skvidal> abadger1999: let me know, too
19:31:22 <nirik> we still need someone to whip up the ssh key script. :) I guess I will try and farm it around after the meeting.
19:31:28 <abadger1999> making a release will be harder.
19:31:33 <skvidal> nirik: ssh key script.....
19:31:36 <abadger1999> probably needs ricky or I for now.
19:31:39 <skvidal> nirik: I could probably do that
19:31:47 <nirik> skvidal: that would be lovely. ;)
19:31:51 <abadger1999> nirik: Did we decide o nthe password criteria?
19:32:02 * abadger1999 clicks on ticket link
19:32:03 <nirik> I am personally fine with the stuff in that ticket.
19:32:08 <nirik> unless it's hard to implement that way
19:32:58 <smooge> me too
19:33:46 <nirik> so, anything more on password / key resetting?
19:34:07 <abadger1999> Looks implementable
19:34:19 * nirik invests in flame retardent suits for everyone after we announce it.
19:34:40 * herlo calls dibs on the kevlar vest!
19:34:43 <smooge> you will need to invest in soap for my mouth
19:35:00 <nirik> I hope I can make a clear case in the announcement... time will tell.
19:35:01 <skvidal> if anyone complains just show them kernel.org
19:35:02 <abadger1999> Do we want a length for all-lower case letters?  Or is that 12?
19:35:06 <skvidal> ask them where the git trees are
19:35:09 <skvidal> then tell them to stfu
19:35:10 <smooge> but I will try to keep my language down to only klingon swear words
19:35:30 <herlo> smooge: you can use battlestar galactica swearing too!
19:35:33 <herlo> :)
19:35:34 <smooge> abadger1999, all lowercase should be 20
19:35:40 <abadger1999> feldercarb
19:35:53 <skvidal> feldercarb
19:35:54 <skvidal> nice
19:36:07 <smooge> only old school BSG though
19:36:08 * abadger1999 adds lowercase==20 to the ticket
19:36:11 <abadger1999> Yep.
19:37:08 <nirik> sounds fine to me.
19:37:16 <nirik> ok, move on then?
19:37:47 <nirik> #topic RFR progress report
19:38:07 <nirik> so, I have setup a production ask.fedoraproject.org instance. ;) It's not officially announced, but it's running along.
19:38:20 <nirik> I need to get awstats working on it, but otherwise I think it's all set.
19:38:37 <nirik> fpaste is still testing stuff in dev...
19:38:47 <nirik> I don't think we have any others in process currently.
19:39:13 <nirik> any other questions or comments on new resources?
19:39:35 <herlo> fpaste-server is going back to the drawing board
19:39:43 <nirik> herlo: ;(
19:39:54 <nirik> so, should we nuke our dev instance entirely until it's more ready?
19:40:02 <nirik> or is that helpfull to rework it?
19:40:04 <herlo> nirik: if you need the resources
19:40:23 <herlo> for now, I'll go stop the instance of httpd
19:40:24 <nirik> well, we don't, but it's another machine to update and secure and such. ;)
19:41:11 <nirik> just let us know...
19:41:17 <nirik> #topic Upcoming Tasks/Items
19:41:33 <smooge> why is it going to the drawing board?
19:41:33 <nirik> So, we are still in freeze, which may end next week, or the week after.
19:42:02 <smooge> will talk after meeting
19:42:27 <nirik> smooge: I think there were coding issues... it needed parts re-written to be more clean/maintainable.
19:42:39 <smooge> ok
19:42:44 <nirik> I'd like to schedule an update day after the freeze is over.
19:42:58 <smooge> nirik, sounds good.
19:43:18 <nirik> also, we need to get guests moved off xen03/xen05/xen09.
19:43:34 <nirik> some of that can happen now... but a few things will need to wait until after freeze.
19:44:18 <smooge> yes.
19:44:18 <nirik> anyone have anything else they are looking at upcoming?
19:44:24 <smooge> I have a ticket
19:44:27 <smooge> for the meeting
19:44:37 <smooge> but that probably goes under new biz
19:44:52 <nirik> ok.
19:44:58 <nirik> #topic Meeting tickets
19:45:06 <nirik> .ticket 2959
19:45:07 <zodbot> nirik: #2959 (Move infrastructure to TLS 1.1+) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2959
19:45:58 <smooge> With the current "OMG The Intertube Kittens Will Be Killed" Crisis, there is a call to move from SSL3.0/TLS1.0 to TLS1.1+
19:46:00 <nirik> as far as I know, gnutls is the only ones to have updated to allow this.
19:46:13 <nirik> it's also not clear how bad this issue is.
19:46:16 * nirik digs up some links.
19:46:52 <smooge> I don't know myself. I was hoping to get abadger1999 and ricky looking at it
19:46:57 <nirik> https://bugzilla.redhat.com/show_bug.cgi?id=737506#c11
19:47:27 * abadger1999 not a security expert.
19:47:33 <abadger1999> ricky might have a better idea.
19:47:45 <smooge> The problem comes from Xsite attack loading a javascript which slowly decrypts your encrypted cookies
19:48:02 <nirik> a java applet rather.
19:48:03 <smooge> once it has an encrypted cookie it uses it to login
19:48:22 <smooge> nirik, I was told it was all javascript.. but I am probably wrong
19:48:38 <nirik> websockets or java from my understanding.
19:49:30 <nirik> so, I think if we can easily set our stuff to not use tls1.0, great... but it's not clear to me that this is currently possible/easy.
19:50:02 <smooge> that was the part I was thinking abadger1999 would need to tackle as it breaks various apps suppsoedly.
19:50:16 <abadger1999> hmm...
19:50:24 <nirik> possibly via a sslprotocol... not sure.
19:50:38 <abadger1999> We aren't using websocket in any of our mission critical stuff.  moksha might.
19:50:50 <abadger1999> so we probably need to ask lmacken about that.
19:51:51 <nirik> looks like no on mod_ssl/openssl... it only supports TLS1 (meaning any tls 1* version).
19:52:43 <nirik> so, I think we update as we can and hope for the best here?
19:52:53 <smooge> ok
19:52:59 <smooge> I wanted to get it on the docket
19:53:06 <nirik> yeah, good plan.
19:53:12 <smooge> next to "lets have a calender server" and "oh look ponies"
19:53:20 <nirik> we should check on moksha and websockets tho...
19:53:30 <nirik> #topic Open Floor
19:53:36 <nirik> Anyone have anything for open floor?
19:53:44 <skvidal> torrents?
19:53:59 <skvidal> herlo: did you test any of them out?
19:54:02 <nirik> sure. ;)
19:54:07 <herlo> not yet
19:54:14 <skvidal> okie doke
19:54:18 <herlo> skvidal: I was planning on working on it tomorrow and saturday
19:54:21 <skvidal> cool
19:54:27 <skvidal> herlo: and thank you
19:54:37 <herlo> no problem. I like that stuff
19:54:46 <nirik> this is moving us to another torrent solution that actually has people maintaining it?
19:55:18 <skvidal> nirik: hahaha
19:55:19 <skvidal> so funny
19:55:31 <nirik> possibly crazy people, but...
19:55:33 <nirik> anyhow...
19:55:46 <nirik> anyone have any other open floor items? or shall we call it a meeting?
19:55:55 <KKA> update on 1180: HyperMail(not good) and PiperMail ( moving away from this ) are dropped and I am done with my test setup of mailman integration with MHOnarc and the below are the steps that I have for the setup
19:55:56 <KKA> 1) RPM is ready and built, if needed we can build one more from source for our use.
19:55:56 <KKA> 2) Install the Mhonarc.
19:55:56 <KKA> 3) Create a new archival location.
19:55:56 <KKA> 4) Create a mrc ( MHOnarc ) resource file.
19:55:56 <KKA> 5) As we have already quite a huge number of mails we need to re-index them with mhonarc to the new archival location.
19:55:57 <KKA> 6) Need these below parameters to be added to /etc/mailman/mm_cfg.py
19:55:57 <KKA> PUBLIC_ARCHIVE_URL
19:55:58 <KKA> PRIVATE_ARCHIVE_URL
19:55:58 <KKA> PUBLIC_EXTERNAL_ARCHIVER
19:55:59 <KKA> PRIVATE_EXTERNAL_ARCHIVER
19:55:59 <KKA> 7) Update the mailman.conf in httpd to point to new archival location.
19:56:00 <KKA> 8) Reload httpd and restart mailman.
19:56:00 <KKA> I am trying to improve the current mrc file that I have once I am done with it I will start workingon getting Luker integreted with mailman.
19:56:50 <nirik> KKA: a few things...
19:57:15 <nirik> our usual policy is to use packaged stuff, and to use it from EPEL whereever possible...
19:57:15 <KKA> nirik: sure
19:57:23 <nirik> so any packages we use need to be packaged up and maintained.
19:57:41 <nirik> mhonarc is in already I think tho
19:57:49 <lmacken> abadger1999: we don't use orbited in production, and even if we did, i don't think it uses native websockets if they're available
19:58:00 <abadger1999> Excellent
19:58:20 <nirik> KKA: but lurker isn't...so that will require more work. :) Might be worth it if it's much better tho
19:58:27 <abadger1999> nirik, smooge: So it looks like updating (when it's an option) won't break anything.
19:58:29 <nirik> KKA: so, do update the ticket as you go with new info.
19:58:56 <nirik> KKA: and thanks for looking into this. ;)
19:58:58 <smooge> hey could we turn off torrents and see how long any one notices?
19:59:08 <smooge> abadger1999, thanks
19:59:16 <KKA> nirik: sure, once i am done with my test setup integration with luker i will update the ticket more info\
19:59:39 <nirik> KKA: great. It might also be cool if you could set it up somewhere and post to the list some example links for people to look at ?
20:00:04 * abadger1999 redirects thanks  to lmacken  :-0
20:00:06 <abadger1999> :-)
20:00:14 <KKA> sure, i will
20:00:26 <nirik> cool.
20:00:33 <nirik> ok, will close out in a minute then if nothing else.
20:00:53 <nirik> #endmeeting