[libreoffice-website] Minutes from the Tue Nov 17 infra call

Participants
============

1. guilhem
2. wget
3. Brett (late join)
4. Cloph

Agenda
======

* DMARC (eagles absent)
  + guilhem: don't think it's worth spending time on this for mailing lists,
    p=reject domains (yahoo.com, laposte.net, zaclys) cause problem but
    ARC sealing will most likely obsolete that in due time
    - wget, cloph: agreed
    - wget: users having a personal domain for their email and having issues can
      use a tool like https://www.uriports.com/ to interpret more easily DMARC
      reports and where their too restrictive config comes from.
  + TDF uses p=none (DMARC) and ?all (SPF) right now because not everyone uses
    TDF/JPBerlin's servers to manage TDF/LibO mails
    - guilhem: don't mind having something more restrictive but we need to get
      people to change habits first…
    - we *do* OTOH have a more restrictive policy on the mailing lists, simply
      because spoofed messages there could potentially affect thousands of
      users
      . guilhem: been monitoring false positive for a while, not enforced yet but
        we do have metrics for false positives
* Pending: MediaWiki upgrade to 1.35 (1.31 supported until june 2021)
  + Dennis (absent) said he started working on the AOOwiki import again
* gerrit upgrade (3.2):
  + done last week-end
    - cloph: no negative feedback
    - cloph: some bots/checkout timeouts during the upgrade but that was soon
      fixed
    - cloph: that broke the online editor until full refresh (cache deletion)
    - guilhem: not the first this happens, not sure how to best fix that, maybe
      trim the cache control headers from the proxy (we don't specify our own)
      ~2w before an upgrade to force clients to stay alert
  + cloph: unrelated to our update, but Fedora 33 changed crypto policies:
    
https://www.reddit.com/r/Fedora/comments/jhxbdh/no_ssh_public_key_auth_after_upgrade_to_fedora_33/
* mailing lists:
  + web archives: old-style — unreliable — links should be restored now
    - unreliable because there is a race condition between the one-to-one
      mapping between incremental versions of the archives and the real mail
      being sent. Nothing we can solve on our end. Could still happen when an
      email is received at the very same time. The URL may link to the wrong
      email, but just the one before or the one after.
    - same logic (SQL backend) can easily be used to provide permalinks and
      author/subject/etc searches
    - guilhem: will do that this week
    - so far our only permalinks are the mail-archives.com ones, would be nice
      to have our own
  + migration from FDO: Underestimated the amount of emails received from FDO.
    Had to change the config on our infra and get it prepared/overhaulted.
    Blocking on the above topic about permalinks.
    - guilhem: tight schedule due to dayoffs to take, let's see.
* Monitoring guests from hypervisor
  + guilhem: looked at SLIR hostfwd, supported by QEMU but unfortunately libvirt
    DTD only supports guestfwd (upstream wishlist
    https://bugzilla.redhat.com/show_bug.cgi?id=679117 ).  workaround is to use
    <qemu:commandline/> to pass custom arguments but this taints the domain as
    libvirt cannot do sanitization
  + Brett: can also use a push-based solution https://prometheus.io/docs/practices/pushing/
    - guilhem: need to be careful with mutual authentication though, we don't
      want random nodes to pollute our metrics or nodes impersonating each
      others.  a single shared secrets isn't an option, could use client certs
      authentication if that's an option otherwise let salt generate a dedicated
      client for each node, mine its digest, and authenticate to the server
      using http basic auth
    - Brett: basic auth is supported
    - guilhem: have no experience about the push-driven option, will have a look
* Brett: Status of PITR?
  + guilhem: used as beta/test on some machines, but not for the intended
    purpose (replication/backups)
  + need to decommission the pootle box now that it's not used anymore and
    reclaim the rack space for a more beefy machine and use that as central
    rdbms host or pitr target
  + redmine ticket still open, guilhem to reach out to Brett when the above is
    done
* wget: why the update mapping wasn't updated?
  + cloph: it's in the releng recipe now but there was simply no new release
    meanwhile
* Debian 10.7 to be released the first week-end of december, will need rolling
  hypervisor reboots through december
  + cloph: nothing blocking doing that during week-ends
* Next call: Tue Dec 15 at 18:30 CET

-- 
Guilhem.

-- 
To unsubscribe e-mail to: website+unsubscribe@global.libreoffice.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
Privacy Policy: https://www.documentfoundation.org/privacy