
1. guilhem
2. Brett
3. cloph

 * Replace pootle box and hand it over to Brett for PiTR
   - Currently have an XL from 3.5y ago; current XLs are identical but we could
     upgrade to XXL for double RAM and disk
   - Brett: PiTR could take quite a bit of space, the larger one might be good
   - cloph: ack
 * Upcoming upgrade/downtime
   - Staggered hypervisor reboot needed (new kernel)
   - cloph: we have weekly releases/tags now, but rebooting during the fri/sat
     night would work
 * Embargoed saltstack vulnerability (initial publication date Feb 4th, then
   delayed until 25th) — salt-master turned off during the publication window
   while we assess things and can upgrade smoothly
 * Dual cert (ECDSA alongside RSA) for cheaper handshake
   - update checker, piwik and crashreport in particular are hammered with
     requests, the handshake causes unnecessary load with large RSA keys
   - cloph: current LO master is using libcurl 7.71 and libssl 1.1.1, so quite
     capable of using EC
   - guilhem: need to refactor the certificate deployment setup, have some ideas
     about this (we'd need to maintain two X.509 with identical subject and SANs,
     recipe for disaster if we don't use a single list for both)
   - twice as many certificates but we should remain below the rate limits from
     Let's Encrypt <> (if we exceed the
     limit and the renewal fails it should succeed next day or so)
 * The Mac mini and KVM switch at Adfinis are broken, waiting for reply and will
   proceed with new orders
   - cloph: CI suffered until the m1 box was hooked up
   - cloph: planning to replace one of the physical linux hosts with windows and
     deploy a new linux guest at hetzner to relieve some load off CI
 * Cloph: gustl's OpenVPN server is still causing issues (multiple connections
   hiccups, blacklisting) sometimes, would be nice to use a more modern
   implementation on a dedicated box
   - guilhem: and force people to use stronger passwords and/or client cert
     authentication so we can remove the blacklist, esp. with additional
     tls-auth HMAC signatures before the handshake
 * Still pending
   - mailing list import
   - firewall refactoring
     + deploy plain nftables rules by salt instead of shorewall rules.d
     + v4/v6 consolidation
     + shorewall backend (iptables/ip6tables) and xtables are deprecated in
     + nftables has nicer syntax, atomic reloads, builtin ipsets (with
       expiration etc)
   - node monitoring on the guests
     + have the guests *push* to prometheus so we don't have to bother about
     + use HTTP basic authentication on the prometheus side
 * Next call: March 16 at 17:30 UTC
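As an added illustration of the firewall refactoring item above (not from the meeting or from TDF's salt states), the following sketch shows what the nftables side looks like: one "inet" table covering v4 and v6, dynamic sets with expiring entries in place of ipsets, and a load via `nft -f` that swaps the whole ruleset in one transaction. The policy (only SSH and HTTPS exposed, per-source rate limit on new SSH connections) and the file path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not TDF's configuration: a shell function renders the ruleset
# so a salt state could write it to a file and load it atomically.
set -eu

# Emit the ruleset. The policy below (SSH + HTTPS only, SSH rate limit) is a
# hypothetical one chosen for the example.
build_ruleset() {
    cat <<'EOF'
# `nft -f` applies this whole file as one transaction: the flush and the new
# rules take effect together, so there is never an empty or half-loaded firewall.
flush ruleset

# A single "inet" table handles IPv4 and IPv6 (no more parallel
# iptables/ip6tables rule files).
table inet filter {
    # Dynamic sets replace ipsets: entries are created from the packet path and
    # expire 10 minutes after their last update. Set types are per address
    # family, so v4 and v6 each get one.
    set ssh_new4 { type ipv4_addr; size 65535; flags dynamic,timeout; timeout 10m; }
    set ssh_new6 { type ipv6_addr; size 65535; flags dynamic,timeout; timeout 10m; }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 are needed for PMTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Every source gets its own set entry with its own rate counter; a source
        # opening more than 4 new SSH connections per minute is dropped.
        tcp dport 22 ct state new add @ssh_new4 { ip saddr limit rate over 4/minute } drop
        tcp dport 22 ct state new add @ssh_new6 { ip6 saddr limit rate over 4/minute } drop
        tcp dport { 22, 443 } accept
    }
}
EOF
}

# Render to a file, syntax-check it, then load it in a single transaction.
# Needs nft and root; in salt this would be a file.managed plus a cmd.run.
apply_ruleset() {
    target=${1:-/etc/nftables.conf}     # assumed path
    build_ruleset > "$target"
    nft -c -f "$target"    # check only: nothing is loaded if the file is invalid
    nft -f "$target"       # atomic swap of the whole ruleset
}
```

Run `apply_ruleset` on the host (or from the salt state) once `build_ruleset` emits the policy you want.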



