• Software
• Assessment
• 20111108-S-A-MiniTOP

• To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-11-08

Setting

The MiniTOP will be held via telco 22:00 CET

Attendees: uli, dirk, magu, joost, michael

Topics

(skip to agenda)

Action items from last meeting Meeting Action Items

Agenda

1. bug #976 - database restructure preperation

   • raw transcript from meeting results: sql structure modifications as discussed within meeting

   • New table to add: high potential domains to secure (mozilla blue print)
   • proposed testserver deployment - when ?
   • results from meeting 2011-10-18
     • deletedwhen - to rename to deleted type datetime
     • from - to rename to creatorid
     • enum - or not enum for cca method
     • add table "mozilla blue print" domains
       • proposal michael: to add this as file, also to deploy to signer
     • sql update? or php script?
       • adding versioning number ? table verno, when type datetime
   • results from meeting 2011-10-25
     • email addresses + domains verification on cert renewal: last verified (type datetime)

     • info from dirk regarding CCA table structure. structure defined in https://lists.cacert.org/wws/arc/cacert-devel/2009-06/msg00004.html. Current definition to compare with structure definition from mid 2009

     • detailed discussion regarding CCA table
       • comment field to name as method?

       • type -> boolan

     • adding version table
     • latin-1 is db standard
     • sql script will be prepared by Michael
   • Update
     1. script built by Michael
     2. script reviewed by dirk
     3. script tested localy, with one bug found (Org Client Cert - View doesn't work)
     4. fix for Org Client Cert - View added to testserver, needs 2nd review
     5. needs testing regarding notary table functions

        • notary table 0-150 pts variations tested manual and TMS assurances Report #c2682

2. bug #827 - New Points calculation / Thawte patch

   1. The patch

      • Dirk, Michael

        bug #827 and bug #959 Thawte patch/Points-Count-Order-Change project

        related bug 959: needs 1 more test, needs 2nd review / 2nd review: also check -x / tests done, needs 2nd review 959 {g} reviewed, deployed 827 {g} reviewed, deployment in 2 steps deployed, report from Wytze

        {g} {0}

      • dirk needs results from arbitration a20100822.1 request to magu

      • dirk sent update 2011-10-18: michael transfered to testserver

      • michael: sql injection of one notary record: date < 30.8.2006, awarded=0, points=35

      • test: 10.php: 35 points, 15.php shows 0 points => bug not fixed

      • problem was reported by Hans, needs to be fixed: awarded = 0, points = 35, assurance date < 1.9.2006

        • there still exist 2 notary table records for test purposes to check this bug

          script	10.php	15.php	43old	43new
          assuree's view assurances received	35 pts {g}	35 pts {g}	35 pts {g}	35 pts {g}
          assurer's view assurances given	35 pts {g}	0 pts {r}	35 pts {g}	0 pts {r}

        • problem awarded = 0, points = 35 -> assurances given wrong calculation

        • dirk checks 15.php
        • new patch by dirk, michael transfered to testserver, marcus tested: 15.php ok
        • fix for 43.php needs to be fixed too

          dirk

          bug #882

          display Assurance when field in list of assurances received, assurances given by a user in admin console interface last update 2011-10-25

          {0}

        • first test: ok
        • new fix for bug#827
        • addtl. test: ok

        • michael: sql injection of two addtl. notary record: date < 30.8.2006, awarded=0, points=35

      • problem solved with last update, update pushed to critical system, deployed

        • script	10.php	15.php	43old	43new
          assuree's view assurances received	35 pts {g}	35 pts {g}	35 pts {g}	35 pts {g}
          assurer's view assurances given	35 pts {g}	35 pts {g}	35 pts {g}	35 pts {g}

      • Date problem: fixed by Michael 2011-11-01, needs 2nd review
        • identified 1 more problem: assurance date 2009, record displays yellow mark + italic

        • correction to date LT 2006-09-01 according to a20091118.1 and a20100822.1 by NEO for 15.php (bug #827) and 43.php (bug #882)

        • tests with assurance dates 2006-09-02, 2006-09-01, 2006-08-31, 2006-08-30 were successful
   2. PR work - Update?

      1. newsletter mailing: ok from board m20111016.2 and m20111023.2

      2. newsletter reviewed English revision PR/News/NewPointsCalculation

      3. translations in progress
      4. script sql query to prepare based on events/oa mailing
         • request for statement by critical team
         • proposal by critical team:
           1. to pace the email sending out a bit, e.g. by doing a chunk of 1000, then waiting 19 minutes (by a programmatic sleep) before starting the next chunk of 1000 etc
           2. pushing out the whole mailing will take somewhere between one and two full days
           3. reduce Postfix' maximal_queue_lifetime from the default 5 days to say 2 days

           4. Basically a20100309.1 already gives permission for this mailing, except that it outlines a somewhat different technical implementation of such mailings. But policy-wise there doesn't seem to be a difference to me with what we are proposing here, so why bother with addtl arbitration?

      5. Software-Assessors / developers to prepare a sql-query that can handle above requirements, also to handle localy translateded text
         • script to use from events + OA mailing, SA's to build a sql query, sending to critical team
         • Update ?
      6. translations, reviews

         1. newsletter reviewed English revision PR/News/NewPointsCalculation

         2. newsletter translated, reviewed German revision German

         3. newsletter translated, reviewed Dutch revision Dutch

         4. newsletter translated, reviewed French revision French

         5. newsletter translated, reviewed Spanish revision Spanish

         6. newsletter translated Russian revision Russian needs 2nd review

      7. newsletter script
         • dirk: script not yet deployed, will do till last weekend, Sunday: not yet written
   3. "Special case" - handling of 0:0 cases under arbitration
      • New proposal: scripted mailing for 0:0 F2F cases with detailed instructions
      • get information how many 0:0 cass we have ?

        • info from last years arbitration a20100822.1 ? (documentation is not yet avail)

        • Lambert as Arbitrator, Martin as Case Manager and dirk in role as SA as Claimant should know the answer
      • is it possible to update 15.php script to signal the 0:0 F2F assurance cases ?!? eg by color blue or background color light yellow ?
        • dirk: 15.php can be easily upgraded - not only color also italic
      • to prepare an arbitration process for a scripted mailing announcement
        1. to the assuree's who may loose points caused by 0:0 cases
        2. to the assurers, who can re-apply their assurance over assuree's with the 0:0 problem
      • arbitration initiated

      • wiki faq created: FAQ/NewPointsCount#YellowLines

      • No CM/A picked up this case yet
   4. Questions from last 7 meetings:
      • dirk: when will 827 goes to production ?
3. Testers workqueue

   1. Translingo bug #985

      • https://translations.cacert.org (http://translations.cacert.org/) (replacement for translingo)

      • the translingo.cacert.org had been in operation far longer, so I think it is possible that some users migrated to translingo.cacert.org, without telling us.
      • I would suggest to mass-mail the email addresses of the translation-project leaders in the translingo database, to inform them, and to ask them to speak up if they still need it
      • last foreign uploads 2008 on about 13 + cacert projects
      • whohas translingo server console access?
        • mario
      • req for console access for michael to contact project leaders, Updates?
      • Transfer In, Transfer Out problems
      • Update from new deployment ?
      • opened for: create an account can now be started
      • Michael current state:
        • import and export routine works
        • script to incorporate updates needs fixed
      • next: complete language handling needs to be updated
      • accept lang handler needs fix
        • FF de, de_de
        • IE 6 de, 8,9 de_de
      • working session within last meeting: michael, marcus
        • infos from meeting 2011-10-18
          • pdf code needs rewrite (uni code library, move to external server (outsourcing))
          • message cert notification - uses perl code, text source not avail (get bind-text-domain)
      • current state?
      • Marcus sent mailing to translators, no response so far, no tests so far (week 2)

   2. bug#894 "Haeckchen bug" - review done, changes needs reviewed again

      • 3

        Dirk

        bug#894 assure someone patches (checkbox)

        (incl wot.php changes) tested by 2, needs 2nd review, deploy new test round

        {0}

        ? / u1 / m1

      • review by dirk in session, review ok
      • needs testing
      • Update?
      • No tests this week (week 2)
   3. needs testing (summary)
      • 976 table notary funcctions
      • 985 translingo, needs 2nd test, eg mails, needs review
        • no tests reported
      • 894 Haeckchen bug
        • no tests reported

      • 827 new points count (year 2006), needs review (-> dirk)

4. Build + Document Emergency Patches Path

   • Build + Document Emergency Patches Path

     Andreas, Uli, Wytze

     {0}

   • Software/Assessment/Documentation/EmergencyPatches

   • Documentation written, reviewed by Wytze
   • other reviews done ?
5. Michaels workqueue
   1. New function to TMS - edit notary table record

      • bug #980

      • infos from last meeting
      • testers needs editing individual notary records: fields "method", "awarded", "points"
      • easier to create notary records with testserver (add F2F), and edit existing record, doesn't need to check for assurer-from, assuree-to and so on
      • Update?
6. Dirks workqueue - The List of open / running / unhandled bugs

   1. VBscript for Vista/Win7 (select keysize >= 1024) - reminder to dirk

      • x1 Dirk, new bug#964 DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

        current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964

        {-}

      • as part of

      • x¹ Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

      • Current state:

        • {g}	pre mailing sent
          {g}	keys revocation script to bulk revoke weak keys, new bug #954, finished
          {-}	dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024) Api CertEnroll (MS crypto provider) new bug#964 current state: test /account/4.php added to testserver Marcus will do detailed tests on Wed some references added to bug#964
          {g}	Weak keys blog post, published
          {g}	Weak keys article published by Hanno(July 28), link is in CAcert's blog post (July 30)
          {b}	weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

      • cert enroll infos under bug#964

      • vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation

        • http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx

        • Marcus: added notes for Win7 https://bugs.cacert.org/view.php?id=964#c2249

      • dirk: has not started the virtual machine
      • Question from Marcus: did someone contacted illuminat?
        • No, Marcus: to contact illuminat
      • Update?
   2. Advertising

      1. Prepare Advertising fix for testserver - reminder to dirk

         • Dirk

           Advertising (from last board meeting), bug #958

           add changes as discussed in last meeting to testserver

           {0}

         • CAcertInc/LogosForSale/Rules wiki link exist

         • "buy me" logo / "Logo For Sale" logo / "Monthly Auction on Logos" logo
         • Logos and Links exist, needs deployment to testserver
         • Update ?
7. Bugs rejected in review 2

   • 2

     uli, ted

     bug #794

     visibility over certificates for sysadm in account administration, new update 2011-09-24

     {-}

     ? / u1 / m1

     • shorten ttl for certs on testserver modification?
     • update?

     9

     uli

     bug #823 email address removal fix

     No warning when removing e-mail adres from acount that certificates will be revoked checked by 4, needs 2nd review, deploy

     {-}

     ? / u9 / m9

     • update?

8. Bugs to Review #1, transfer to testserver - Currently 4

   • uli	bug #977 admin console text fix	admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue	{0}
     uli	bug #967 OA isassurer check	Give an OA the oppertuntiy to check if a desiginated Organisation Admininistrator is a CAcert assurer	{0}
     uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface, new update	{0}
     inopiae	bug #981 OA overview (dupe of bug #943)	New layout of view for Organisation Administraors in account/id35	{0}

9. Bugs under testing: - Currently 4

   • 	neo	bug #985 move translingo to translations	check language settings under testserver	{0}
     	inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number	{0}
     	uli	bug #855 admin console interface "unknown" + "empty" assurance method fields, needed for correct testing on testserver	admin console lists "empty" and "Unknown" assurance types on listing given Assurances	{0}
     3	Dirk	bug#894 assure someone patches (checkbox)	(incl wot.php changes) tested by 2, needs 2nd review, deploy new test round	{0}	? / u1 / m1

10. Needs 2nd review + transfer to Critical team, to bundle, to deploy - Currently 4 (!!!)

    • define priority eg. 10,2, and so on
    • proposed order: from 1 to 10

      5	uli, ted	bug #968 error logging cleanup (splitted bug #909)	split 0000909: too many error messages logged - part II - general.php create certs,certs,certs 2 sessions: 2011-09-21 + 2011-09-25 more tests needed create certs,certs,certs,certs create client, server, gpg keys, org client and server certs	{0}	? / u4 / m5
      7	uli, ted	bug #789 OA edit domain fix	Editing domain for organisations does not work new update 2011-09-26	{0}	? / u7 / m7
      8	Ted, uli	bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible	last update 2011-08-19 tested 3 times ready to deploy?	{0}	? / u8 / m8
      10	uli, Ted	bug #965 0000965: Outsource / fix Webdb text pages id=12, 13	addtl. id=37, id=38, new update 2011-09-25	{0}	? / u10 / m10

      • #1 reviewed and transfered by Michael within meeting
11. Needs development, deployment, discussion

    1. bug #835 Migrate CATS onto testserver

       • bug #835 Assurer challenge (on testserver)

         asssigned to Ted, CATS to install on ca-mgr1, awaiting deployment

         {0}

    2. bug #943 change OA admin/assurer text

       • bug #943 change OA admin/assurer text

         -> Ted, rejected, needs comment from OAO

         {-}

       • webdb names OrgAdmins as OrgAssurers and names OrgAssurers as OrgAdmins.

       • patch takes account about this issue
       • problem with menu link Org Admin .. is Org Assurers menu
         • but this menu includes one addtl. link "View" that is available for Org Admins
           • and Org Admins with master flag to add new admins

         • master flag is not described in OAP

         • addtl master flag to revoke ?
         • rename to "Org Administration"

         • don't show menu to OrgAdmins

       • dupe bug# 981

    3. bug #824 Org User cert fix

       • uli, Ted

         bug #824 Org User cert fix

         Organisation User Certificates: Need UI improvement for proper production usage working session: needs to be removed from testserver, done Case study

         {0}

    4. bug #988 TTP cap form deployment

       • uli

         bug #988 TTP cap form deployment

         Case study

         {0}

12. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
       • 2 crl's needed, one valid, one invalid crl server
       • more infos available ? who ?
         1. build testserver with special certs
         2. Magu, Michael to send instructions for test deployment

            • indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5)

       • meetings ago we've defined Testing requirements and a potential testszenario
       • to remind every meeting
       • Michael: testserver environment deployment
    2. policy group: define requirements
       • multimember escrow method ?
         • needs risk analyze
         • potential candidates ?
           • Marcus to contacted Benedikt, will contact Thomas K
           • Next step(s)
    3. how does debian work ?
       • defered to Froscon (end of Aug), CCCcamp (around Aug 10th)
13. CI (Update)

    1. description to eclipse testpage, Webinar

       • deployment scenario:
         1. create testusers
         2. testing
         3. delete testusers
       • regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
       • reminder
    2. Jubula Test-Tool (by Michael) - update?

       • http://www.eclipse.org/jubula/download.php

       • instructions see under Minutes meeting 2011-08-30

       • test deployment needs to be continued by software testers

       • Jubula documentation started: Software/Jubula

    3. new proposal by Sven: Webdriver with Maven and Jenkins-CI
       1. Jubula vs. Webdriver
       2. testserver variants
          1. testserver for manual tests
          2. testserver of OS and application upgrades
          3. testserver for CI
       3. test methods
          1. unit test
             • test single modules, exceptions
          2. integration tests
             • test interaction of modules
          3. system tests
             • complete system test, with database interactions, module interactions and much more
       4. sven did some work regarding frontendtest (Webdriver with Maven and Jenkins-CI)
          • Michael did some review: probably needs some seperation
14. Infrastructure seperation
    • info from funkfeuer.at
    • proposal by mario:
      • buy new machine: sample proposal alternate individual pieces: Euro 1042
        • (1x Rasurbo BC-10, 1x Intel® DB65ALB3, 1x Intel® Core™ i7-2600, 4x Kingston ValueRAM DIMM 8 GB ECC, 2x Western Digital WD2002FAEX 2 TB)
    • infos from meeting 2011-10-18
      • other hosting providers
        • hetzner: 50 euro server + setup 150 euro once + ip's: 22 euro
        • funkfeuer: + ip's: unknown
      • ip's needed: 24-30
    • 3 motions from within last board meeting 2011-11-06
      1. I move that board supports the infrastructure seperation project to find hosting for CAcerts non-critical infrastructure seperated from the hosting which is defined under SP for critical systems.
         • carried
      2. Resolved, that CAcert Inc. prefers not to be contractor for infrastructure hosting and encourages the project team to liase with organisations like secure-u e.V. to be party of the contract. (they can sign a contract … just not in CAcert's name)
         • carried
      3. Resolved, that CAcert Inc. encourages the project team to find sponsors for funding the project.
         • carried
15. next meeting: Tuesday, November 15, 2011 22:00

Minutes

1. bug #827 - New Points calculation / Thawte patch

   1. The patch

      • Dirk, Michael

        bug #827 and bug #959 Thawte patch/Points-Count-Order-Change project

        related bug 959: needs 1 more test, needs 2nd review / 2nd review: also check -x / tests done, needs 2nd review 959 {g} reviewed, deployed 827 {g} reviewed, deployment in 2 steps deployed, report from Wytze

        {g} {0}

      • Date problem: fixed by Michael 2011-11-01, needs 2nd review
        • identified 1 more problem: assurance date 2009, record displays yellow mark + italic

        • correction to date LT 2006-09-01 according to a20091118.1 and a20100822.1 by NEO for 15.php (bug #827) and 43.php (bug #882)

        • tests with assurance dates 2006-09-02, 2006-09-01, 2006-08-31, 2006-08-30 were successful
   2. discussion to merge #827 + #882
   3. next steps

      1. review #827 + #882 fix-date 2006-09-01 -> dirk

      2. mailing script not yet prepared -> dirk

         • ascending user id's with high watermark file

2. bug #976 - database restructure preperation

   • raw transcript from meeting results: sql structure modifications as discussed within meeting

   • added to testserver, migration script works
   • problem with org client certs view (org table) identified fixed.
   • further tests with notary table revealed no more problems
   • accounts/18.php needs review
   • instructions for running the script is written in bug #976 docu
3. bug #920 - givenname only
   • some discussion
4. Policy group discussion - Extended key usage
   • some instructions to michael, to prepare vote on CPS change
5. Testers workqueue

   1. Translingo bug #985

      • no tests this week

   2. bug#894 "Haeckchen bug" - review done, changes needs reviewed again

      • no tests this week
6. several discussion from the floor
   1. RDL prob - contacting Software Freedom Law center
   2. OCSP server - timeout 10 min too short, 3 days to long, recommendation is 24-48 hours max, verisign: 7 days, startssl: 2d
7. dirk reviews:
   1. bug 827 + bug 882
   2. bug 976
8. Build + Document Emergency Patches Path

   • Build + Document Emergency Patches Path

     Andreas, Uli, Wytze

     {0}

   • Software/Assessment/Documentation/EmergencyPatches

   • Documentation written, reviewed by Wytze

   • Michael: reminder for review Software/Assessment/Documentation/EmergencyPatches

9. Infrastructure seperation
   • info from funkfeuer.at
   • proposal by mario:
     • buy new machine: sample proposal alternate individual pieces: Euro 1042
       • (1x Rasurbo BC-10, 1x Intel® DB65ALB3, 1x Intel® Core™ i7-2600, 4x Kingston ValueRAM DIMM 8 GB ECC, 2x Western Digital WD2002FAEX 2 TB)
   • infos from meeting 2011-10-18
     • other hosting providers
       • hetzner: 50 euro server + setup 150 euro once + ip's: 22 euro
       • funkfeuer: + ip's: unknown
     • ip's needed: 24-30
   • 3 motions from within last board meeting 2011-11-06
     1. I move that board supports the infrastructure seperation project to find hosting for CAcerts non-critical infrastructure seperated from the hosting which is defined under SP for critical systems.
        • carried
     2. Resolved, that CAcert Inc. prefers not to be contractor for infrastructure hosting and encourages the project team to liase with organisations like secure-u e.V. to be party of the contract. (they can sign a contract … just not in CAcert's name)
        • carried
     3. Resolved, that CAcert Inc. encourages the project team to find sponsors for funding the project.
        • carried
   • Hosting: 50 Euro + 22 Euro addtl. IPs
     • 2x 3 TB, 16 GB RAM DDR3
     • Backup space: 100 Gb
     • addtl Enterprise + 20 Euro
       1. Enterprise: ECC RAM, Enterprise HDD
       2. Basic: non-ECC RAM, consumer HDD
   • crypted partitions ? host? vservers?
10. next meeting: Tuesday, November 15, 2011 22:00

Fixed Action Items since last or within meeting

Action Items New

Action items: Meeting Action Items

• CategorySoftwareAssessment