To Software Software - To Software-Assessment Software/Assessment - To previous meeting - To next meeting
Minutes of the MiniTOP on the 2012-05-29
Setting
The MiniTOP will be held via telco 22:00 CEST
Attendees: marcus, magu, uli, michael, dirk
Topics
(skip to agenda)
Action items from last meeting Meeting Action Items
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect crl's ?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transfered
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
disputes rc and rc2 var prob
needs work{r}
dirk
bug #1054 0001054: Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calcutate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
Full testing{0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail adress after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. Preface
- dirk topics
- Cebit brainstorming
- dirk: request for events report
- (2012-03-27) Marcus awaiting translation from Marc
- (2012-04-03) Marcus will do upcoming (easter) weekend
- (2012-04-17) no update
- (2012-04-24) no update
- Cebit brainstorming
- Marcus bugs list
2. bug #1023 Testing (6.php)
- Thawte points removal, final step
- relates to 6.php
- this also relates to TTP
- dirk will work on this last weekend (2012-01-21)
- current state: not yet finished
- expected finishing? upcoming weekend (2012-01-23 to 2012-01-30)
- not finished, upcoming weekend 2012-02-06?
- not finished, last weekend 2012-03-12?
2012-03-13: new bug#1023 bug#1023
- transfered to git cacert
- to test:
- assure someone
- w/ and w/o ttp
- in all variations
- Added to testserver Tue 13.3., Wed 14.3.
dirk
bug #1023 Consolidate changes into the Assure Someone page
6.php global re-design project
assurance, wot area (Thawte points removal effective){0}
- current state: patch removed from testserver, needs work (DEV)
- (2012-03-27) back on testserver: bug #1023 (6.php), has a bug, needs work
- 2 new bugs within meeting 2012-03-27
- (2012-04-03) bugs analyze, empty results analyse, new patch transfered to testserver
- current state 2012-04-17
* dirk: didn't we concluded 14 days ago, that the current patch state is the revision similar on the production system * potential bugs on production system can be identified against wot.php on testserver (-> diff wot.php, if no difference bugs are also in production system) * Michael: diff is empty, this means wot.php is identical between production and testserver * Michael: didn't pushed one patch, as it has at least one error * Michael: fix and push to git / testserver, patch is transfered to testserver * testing: failures occured * last time we've added method transfer * if board=1, method empty -> results in garbage in database * new bug, that methods aren't checked that needs to be checked [[https://bugs.cacert.org/view.php?id=1032|bug#1032]] * req by Marcus to add maxpoints limit definition: 35 assurance points (by AP) in a f2f meeting, upto 50 assurance points possible though a subpolicy (currently none available), new bug [[https://bugs.cacert.org/view.php?id=1033|bug#1033]]
- #1033 passed to production
2012-04-24: 2nd review by neo bug #1023 (6.php) (next time)
- 2012-05-05: dirk_: @neo ... is the review of 6.php done? / NEOatNHNG: almost
- bug #1023 Testing (6.php)
- did some test and fixed small remaining bugs (removed dropdown for method when only assuer, new text for the date field as it is now prefilled with the actual date if started for the first time in a session)
- magu and marcus tested the last version, patch ready to review by dirk and deploy to production
- while testing on the bug we discovered a strage behavior of the WebDB and filed a dispute to this matter.
blocker
3. 2nd review of about 7 patches
Software-Assessors task
bug #789 OA edit domain fix, Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing- 2nd review of 1 patch
- Michael cannot do, needs doing by dirk (or other Software-Assessor, who else?)
- 2nd review of 1 patch
bug #978 bug 978 (weak keys) (bug 918)
- invalid key format, no regular error message, something wrong, error code # identified
- debugging infos from user + infos from critical team with error code #, was spkac routine
- one test done 2011-12-17 by JensK
uli, marcus: more tests: certs routine, weak keys (small keys test), relates to bug#540 tests
- (week 7)
bug#540 No key usage attribute in cacert org certs anymore?
also: bug#905
Policy group discussion - Extended key usage -> p20111113, motion CARRIED
- deployment
prepare fixes -> Michael to prepare diffs, against svn
- sending to testserver
- transfer to critical system
- (2011-12-13) approx 2 weeks to write the fix, approx 2 months to go
- Michael did transfer the patch to testserver
- signer code update
- changes against svn
- uli, to add to tester portal, done
- uli to inform testers about new tests
- test report from kenneth to transfer to report (email from 2011-12-25)
- Michael: where to find the report from kenneth? link?
- NEO has added the report (written to private dl)
- who has adobe 8 for testing?
- magu has, please test
- next: needs testing (week 6)
- uli, marcus: needs full cert create tests
- uli (2012-01-25): sent notification to software testers
- awaiting testing ... problem FULL test, including all possible variations with certs creation
also to report under bug #978 bug 978 (weak keys) (bug 918)
- Testers: test all certs veriations, functions
uli, ted
bug #789 OA edit domain fix
Editing domain for organisations does not work
new update 2011-09-26
2 tests, needs 2nd review, deploy
more fixes, more testing6 {0}
uli
bug #967 OA isassurer check
Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer
{0}
neo
bug #978 Invalid SPKAC requests are not properly validated
recheck full certs signing procedures
duplicate report to bug#540{0}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978{0}
neo
bug #1024 Assurer flag is not set correctly on updatesort.php run
tested by 4, ok
{0}
dirk
bug #1023 Consolidate changes into the Assure Someone page
6.php global re-design project
assurance, wot area (Thawte points removal effective){0}
inopiae
New layout of view for Organisation Administrators in account/id35
{0}
4. Permissions Review
- dispute cases
Permissions review and revoke of board and tverify flag (bug #1003 and bug #1038)
- Michael run the permission preview script. After finding some formating stuff and fixing it, the script was run a second time.
Afterwards Michael run the script revoke of board and tverify flag. The executing report was added as private to bug #1003
All tester please review your flags and mails on the test server and report ONLY in bug #1003.
5. next meeting
- Tuesday, June 5th, 2012 22:00 CEST
Minutes
- Cebit events report
- request for events report - no update
- uli: marcus please translate by yourself
- Marcus bugs list
bug#1023 related
bug#583 "Assure Somebody" allows future assurance dates
bug#648 send message from Assurer to Member
bug#802 Name parts should be designated in assurance form
bug#870 My Details - My Points show bugus time stamp
bug#914 Information about Practice on Name while entering an Assurance
bug#930 types wrong points in "Assure Someone" form
bug#931 Date of assurance in future don't throw any exception
bug#998 When entering an assurance in the WoT one line of the form the suffix is given in another line the suffix is missing.
bug#1000 Entering an assurance into the system after searching for an assurer causes a pre-filled location field
- Others
bug#118 Secure TTP Form upload - outdated, conflicts with new procedure, closed
bug#428 Reminder language-drop-down-box doesn't keep "English" if you choose it again - cannot be reproduced, tested by 2, closed
bug#489 Pb on rewarding 2 points for an assurance
bug#567 case sensitive email: tested by 2, cannot be confirmed, closed
bug#767 Single-quotes escaped in Web-of-Trust contact form.
- Michael "Black Jack"
- continued
- win7 part finished, error messages needs some work
- winxp part needs work
- congratulation to Michael in becoming Software-Assessment t/l
nomination at last board meeting 2012-05-23
- dirk: finished, later there was one text correction, not yet reviewed by dirk
- text change breaks translations
- what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
- dirk: diff since last week is ok, 2nd review ok
- to michael: please transfer
- Permissions Review - needs 2nd review (red flag raised) {-}
- fix available, tested, next run close before
- last run: 2012-03-30, next run 2012-06-30
to dirk: 2nd review bug#1003
- Bug from last week
- uli: from arbitration PoV: if its so seriosly, we have to close webdb
- neo: recommendation: to disable java script for all support engineers
- uli: centralize through sql class project
- 80% can be fixed with centralized class project code
- needs to be implemented to all sql statements, complete codebase review
- next meeting 2012-06-05
Fixed Action Items since last or within meeting
Action Items New
Action items: Meeting Action Items