
 1. guilhem
 2. Cloph
 3. Brett

 * guilhem: anything pending for libocon videos sharing?
   + cloph: all good already
   + guilhem to save the pre-recorded videos and cancel the jibri box
 * gerrit sshd
   + mina sshd <2.7.0 are affected
   + gerrit 3.4 upgrades to mina sshd 2.6 only, so affected as well
   + cloph: Hossein upgraded logerrit to use EC keys already, so the problem only
     affects returning users — who are more likely to be technical or ask on #-dev
   → nothing concrete to do here
 * bullseye: 11.1 was released some weeks ago
   + guilhem: upgraded the baseline, no major issues; heads up
     - python2 was removed (affects mailman2 and planetplanet, possibly also some of
       our custom scripts in dev-tools) → proper fix is to port scripts to python3,
       not to keep unsupported python2 forever :-)
     - bullseye has PHP7.4 not 8.0 (somewhat better now but might bite us later in
       the recycle cycle)
     - guilhem: upgraded the [matrix] (newer synapse is better for federation with and jitsi boxes
     - guilhem: dunno how pg_basebackup works with multiple PG versions (buster has 11,
       bullseye 13)
       . Brett: Should be fine since it is largely shell getting the wal files
     - guilhem: plan to upgrade other non-mission critical systems during what's left
       of 2021, then later proceed with hypervisors and mission critical guests
 * Useless X3 intermediate supplied by let's encrypt:
   + client-side validation issue (they should be happy with the one path that's
     valid) but older libssl choke on this
   + affects tinderboxes, temporary fix is to remove X3 from the chain on the server,
     or its issuer on the client (Brett, cloph: did that)
   + unclear why let's encrypt still adds X3 though as it can't be used in validation
     paths anymore
   → nothing concrete to do for now
 * pg backups:
   + Brett: removed barman from all boxes
   + Brett: haven't configured the copying logic — push vs. pull
     - let's go with push then, it's more common
   + sftp -l postgres should land in a chroot so it doesn't access other host's DB
     - internal-sftp subsystem, cf. for instance this sshd_config snippet
       Match User backup-*
         AllowUsers backup-*
         AllowGroups *
         DisableForwarding yes
         PermitTTY no
         PermitUserRC no
         # Note: The chroot and all its parent directories must be root:root with mode 0755.
         ChrootDirectory %h
         ForceCommand internal-sftp
   + can be integrated with other backup solutions if we want to move away from
     - cloph, guilhem: not specially attached to rsnapshot
     - that's an intrusive change though, and can be done independently
 * 90 min downtime on friday in CH
   + 11:30 CEST til 13:00 CEST (UTC+2)
   + tb84 (mac mini) might be down until next day (housing's PW-button is not working)
   + but of course can also change the power-plan to power-on in the afternoon
 * Next call on Nov 16 at 17:30 UTC (DST change!)
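
The chroot ownership note in the sshd_config snippet above is the usual reason a chrooted internal-sftp login fails, so here is a pre-flight check for it. This is an added example, not part of the original minutes or of TDF's tooling. It applies the rule from sshd_config(5) (every path component a root-owned directory, not writable by group or others); the function names and the sample layout under /srv/backup are constructed for illustration.

```python
import os
import stat
from pathlib import PurePosixPath


def chroot_violations(chroot, stat_fn=os.stat):
    """List reasons sshd would reject `chroot` (sshd_config(5), ChrootDirectory)."""
    path = PurePosixPath(chroot)
    if not path.is_absolute():
        return [f"{chroot}: ChrootDirectory must be an absolute path"]
    problems = []
    # Walk "/", "/srv", "/srv/backup", ... top-down, as sshd does at login.
    for component in [*reversed(path.parents), path]:
        try:
            st = stat_fn(str(component))
        except OSError as exc:
            problems.append(f"{component}: cannot stat ({exc.strerror})")
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{component}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, not root")
        if st.st_mode & 0o022:
            problems.append(f"{component}: group/world writable "
                            f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


# Constructed sample layout (not from the minutes): path -> (mode, uid).
SAMPLE = {
    "/": (stat.S_IFDIR | 0o755, 0),
    "/srv": (stat.S_IFDIR | 0o755, 0),
    "/srv/backup": (stat.S_IFDIR | 0o775, 0),  # group-writable parent
    "/srv/backup/backup-db1": (stat.S_IFDIR | 0o755, 1001),  # owned by the user
}


def sample_stat(p):
    # Stand-in for os.stat so the example runs without root or real directories.
    if p not in SAMPLE:
        raise FileNotFoundError(2, "No such file or directory", p)
    mode, uid = SAMPLE[p]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))


if __name__ == "__main__":
    for line in chroot_violations("/srv/backup/backup-db1", sample_stat):
        print(line)
```

With ChrootDirectory %h the home directory itself has to pass this check, so the backup user can only write into a subdirectory it owns below the chroot, not into the chroot root.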

