

Participants
 1. guilhem
 2. cloph
 3. Brett
 4. Norbert

Agenda
 * SSL/TLS
   + [rdm#2312] Avoid serving web content over http:// when possible
     - website (vm168): TODO: s,http://,https://, in the templates and pages,
       plus add a 30x redirect at the top level
     - dev-www and other dev tools: have supported https:// since the beginning
       of the year, but there is no redirect as it would break scripts.  Hence
       scripts are still mostly using http://.  TODO: poke devs to upgrade
       their links.
     - downloads: http:// and https:// both work (without redirect)
   + [rdm#1987] Please use HTTPS for downloads to protect users
     - adding a redirect http://download.tdf -> https://download.tdf is not
       enough, because mirrorbrain doesn't have a separate baseurl for secure
       links, hence it can further redirect from https://download.tdf to
       http://mirror
       . cloph: the redirect could also cause problems with protocol downgrade
         when handing out an http mirror in the redirect
     - mirrorbrain can't serve https://-only mirrors to https:// connections;
       and that would be mostly useless without the above redirect anyway, as
       most users would otherwise stick to http://
       . https://github.com/poeml/mirrorbrain/issues/143 (consistent https
         handling)
       . https://github.com/poeml/mirrorbrain/issues/167 (configure https urls
         in mirrorbrain itself for a given mirror)
     - Stats: 113 active HTTP mirrors, of which 6 have an https:// baseURL.
       Of the 106 http:// URLs, 35 can safely (valid X.509 chain) be upgraded
       to https:// based on a quick curl(1) scan.
       . AI guilhem: ask mirror operators if the https:// URLs will remain
         stable, and upgrade when possible.
       . Norbert: reach out to other mirror operators and ask them (with a
         link to the Let's Encrypt tutorials) if they can add https://
         support.  When we have enough https://-capable mirrors, we can
         perhaps disable the rest and serve https://-only content.
   + [rdm#2340] LibreOffice download page - please change torrent file to be
     downloaded using https instead of current http link
     - same as before, but maybe we could enable SSL/TLS on the torrent
       tracker?
       . no problem for .torrent files - those (and other small files like the
         .asc signatures) are served by download.tdf directly, and not passed
         on to mirrors
       . enabling SSL support for the tracker (hefur) would be possible, but it
         would require external Let's Encrypt handling (AI guilhem); an https
         tracker would listen on port 6970 by default.  An http / non-SSL
         version would still be needed anyway.
       . SSL is not so much of a problem for torrents: each downloaded piece
         has a SHA checksum anyway, and the connection to the peer you download
         from is not covered by the tracker's SSL connection
   + [rdm#2090] gerrit: anonymous VCS URI scheme should be https:// not the
     insecure git://
     - https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#download
       (not part of default gerrit)
   + [rdm#2026] scan sites with observatory.mozilla.org
 * Norbert: would be nice to have a superset of sudo in salt, which we can map
   to sudo on specific machines, e.g. build slaves.
 * Monitoring
   + [rdm#2211] greylog/log parsing
     - Norbert: when we have a problem, add filter patterns to detect future
       similar problems
   + [rdm#2210] monitoring notifications
     - really need to improve the situation here, cf.
       https://redmine.documentfoundation.org/issues/2210#note-5
       . SMS is the way to go, but we need the ability to specify schedules so
         not everyone is woken up in the middle of the night
       . cloph: want to revive the telegram notifications that we had in the
         past (TDF Monitoring bot)
       . Norbert: need the ability to temporarily disable the rules when doing
         manual maintenance
       . Norbert: it's crucial to avoid false positives (cf. infra ML…)
   + [rdm#2208] add missing hosts to monitoring
     - we need to run salt on the monitoring (and backup) host after each new
       host/VM deployment
     - salt only adds basic ping/web-check - specific services need to be
       added manually/separately
   + [rdm#1079] Status page
     - cloph: don't want to make everything public, but we can publish basic
       info like the web check for public services
     - admins need to be able to tell the world the problem is known and being
       worked on
 * Backups
   + [rdm#2082] provide a way to set per-vm backup time (e.g. only do gerrit
     during nighttime)
   + [rdm#2209]
   + TODO: add a flag in pillar to specify backup run time or disable it
     (comment out the entry)
 * reCAPTCHA
   + [rdm#2141] Replacing reCAPTCHA with self-hosted version
     - Demote to low priority as SSO should deprecate reCAPTCHA on the frontends
   + [rdm#2396] reCAPTCHA v1 API shutdown on March 31, 2018
     - wiki.tdf, ask.lo, extensions.lo, and www.lo all use v2, anything else
       still on v1?  Not that we know of
 * WebSSO
   + [rdm#1585] single sign-on (SSO)
     - 467 accounts created in LDAP so far
     - WebSSO deployed on pad.tdf, tdf.io, and survey.tdf.  Unauthenticated
       users are redirected to the central auth portal, and then back to the
       service
     - LDAP auth partly deployed (dual auth) on nextcloud.tdf, www.tdf and
       testlink.tdf
     - TODO: poke recent wiki contributors?  Last time I checked, 350/400
       didn't have an LDAP account yet.  cloph: start by showing a banner with
       a link to user.tdf to logged-in users
 * Next call: *Mon* Dec. 18, 17:30 UTC

-- 
Guilhem.

