Minutes of the MiniTOP on the 2013-08-13
Setting
The MiniTOP will be held via telco 22:00 CEST (20:00 UTC)
Participants: Magu, Andreas P., BenBE, Uli, Michael, dirk
Topics
Action items from last meeting
Software/Assessment/ActionItems
all
proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems
see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
Proposal from Sysadm list 2013-09-06{0}
SA
documentation server cert design concept to SystemAdministration/Systems/Development/Prepare
{0}
all
{0}
BenBE, Marcus
documentation: developer git repos under github
bug #1131 history @ github
CAcertOrg @ github
started under Software/Assessment/Documentation/UpdateCycle/step1{0}
NEO
{0}
all
read x509 guide
{0}
all
bug#1068 blog problem (also relates to community)
debian lenny - edge - squeeze upgrades needed
alternate: new server with squeeze, install wordpress, transfer domain
workaround: configure your FF FAQ/BrowserClients{g}
uli
Experience points for ATE attendance
check board motions and/or trigger if not yet passed{0}
uli
Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18
current state: see Funding Landing Page
May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished{0}
All
1. next: strategy for "New Roots & Escrow" - using indirect CRLs?
indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment{0}
dirk, Michael
3. next: strategy for "New Roots & Escrow" - how does debian work?
to contact, deferred to next events (?)
next round: picked up by Benedikt new proposal 2013-06-02{0}
Uli, Michael
Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png
{0}
Development, Deployment, Discussion
OAO, Ted
bug #943 change OA admin/assurer text
needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected
{-}
uli, Ted
bug #824 Org User cert fix Case study
Organisation User Certificates: Need UI improvement for proper production usage
{0}
uli, ted
bug #823 email address removal fix
No warning when removing e-mail address from account that certificates will be revoked
checked by 4, needs 2nd review, deploy
rejected{-}
inopiae
bug #920 Join - single name only (eg Indonesian)
details under bug number
{0}
uli
bug #859 admin console interface
feature request: show activity on an account in the admin interface
rejected, certs login doesn't modify "modified" field{r}
Michael
p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
uli, marcus: needs full cert create tests
duplicate report to bug#978
tested by 3, 2nd review done, transferred
Ken reported: still has problems, bug kept open{0}
gagern, NEO
bug #440 Problem with subjectAltName (CSR, renew certs)
There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development
{r}
neo
bug #1025 Domain Dispute issue
variable problem with rc and rc2 in disputes
needs work{r}
dirk
bug #1054 Review the code regarding the new point calculation
Thawte patch part II
needs further work{r}
Software Assessors: Review 1 / add to cacert-devel, add to testserver
Software-Assessors task
Testing
Testers task
neo
bug #1004 Stats page improvement
tested by 2, needs 2nd review
{0}
neo
Bugs #1159 it might be possible to execute commands on the signing server
{0}
inopiae
bug #1065 Wrong wording when sending mails during the assurance process
{0}
inopiae
bug #1162 calculate (the passwords) hash in php instead of in mysql
create test scenarios for the software testers
Full testing{0}
inopiae
bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails
{0}
inopiae
bug #988 TTP cap form deployment
{0}
Software Assessors: 2nd Review, Bundle Package to Critical Team
Software-Assessors task
Ted
bug #500 Get contact mail address after resolving test
tested by 3, requires review
{0}
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
magu
bug #1131 Rename _all_ Policies from .php to .html and fix all links
global policy directory maintenance and update
{0}
inopiae
bug #1010 Reorder the view on organisation certificates
tested by 3
{0}
Software Assessors: Bundle Package to Critical Team
Software-Assessors task
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
Awaiting Response from Critical Team
inopiae
bug #411 Wrong text is made into link
{g}
Agenda
1. Preface
SQL queries to be deployed, after review and confirmation by a Software Assessor, under Arbitration case a20130810.1
- sql query #1
select count(email) from users where `email` like "%@lavabit.%" and deleted = '0000-00-00 00:00:00';
- sql query #2
SELECT count(email.email) FROM email inner join users on email.memid=users.id where users.email like '%@lavabit.%' and users.deleted='0000-00-00 00:00:00' and email.deleted='0000-00-00 00:00:00' and users.email != email.email group by email.memid;
modified sql queries #1 (-> sql query #3) and #2 (-> sql query #4) to deploy
count of active, not yet expired and not revoked certs per identified member (this includes client certs and server certs) > 0 ?
- similar to the certs overview table in admin console overview of member accounts
count of assurances given > 0 per identified member ?
- sql query #1
2. Documentations
- Documentation - Review / Changes to add (relates to Policy Group SP review)
- further review required
- Documentation - To-Do (relates to Policy Group SP review)
- developer git repos under github
see also Software/Assessment/ActionItems
relates to Software/DevelopmentWorkflow
Details documentation started under: Software/Assessment/Documentation/UpdateCycle/step1
3. DEV on bug 1023/1054 "Thawte Patch"
"Thawte points removal, final step" bug #1023
- bug #1023 Testing (6.php)
- last patch transferred to production system 2012-05-30
- what are the next steps for thawte points revoke?
- points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
- 15.php needs rename to 10.php
next step in: bug #1054 Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
- email debug notification, search for other solution
testing scenarios: see bug note c3163
- some explanations
- assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
- new patches by dirk, pushed to cacert-devel, (update 2012-09-18)
- tverify removed (?)
merge conflict with account id 60 (eg email removal), see bug #823
- max_points() routine replaced by new max_points() routine
- get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
- received_points()
- Status testing ?
- debug messages on testserver (1054)
- test account 1
- variant 1 (pwd login): points3 (185/100)
- variant 2 (cert login): points3 (185/100)points4 (185/100)
- first value relates to wot.php?id=10 count of pts
- test account 2
- points3 (350/394)points4 (350/394)
- 484 AP, other path: 64
- 100
- test account 3
- points3 (200/662)
- problem identified, fix transfered to testserver
- test account 1
- debug messages on testserver (1054)
- current state: runs in debug mode points1, points2, points3, points4 that reflects conditions
- conditions points1 and points2 yet undefined
- identified points1 + points2 debug points in routine
- Logged-in, My Details, Edit, change something, submit changes
- calculate points will be used to select edit mode for name, dob
- if points==0 edit allowed, otherwise edit prevented
- Patch moved out from testserver
- new testserver branch stable
- reason: more and more merge conflicts caused by bug #1054
- patches to add: 1070(?)
- new testserver branch stable
- 2013-02-05 DEV on bug 1023/1054 "Thawte Patch" - no update
- 2013-02-12 - no update
- 2013-02-19 - no update
- 2013-02-26 - no update
- 2013-03-05 - no update
- 15.php needs update: all ttp points starting 2013-01-01 with new ttp-assurance method
- 1054 plan B ?
analyze -> identify all places where points calculation is referenced
- assure someone
- receive assurance
- is assurer? assurer status
- revoked assurance
- create certs (new points calculation, 0 pts, 50 pts, 100 pts)
- multitasking aware (revoke assurance, assurer assures but have required pts revoked)
- lazy value (eg menu rendering)
- session validate? (if database related)
bug 1177 Combine wot.inc.php, notary.inc.php and temp-function.php
BenBE
bug #1177 Combine wot.inc.php, notary.inc.php and temp-function.php account administration
{0}
- used in development of 10.php/15.php
- notary.inc / wot.inc: one for 15.php, one for 10.php, later to merge
43.php inclusion -> notary.inc is most current
- to deprecate: wot.inc
- inopiae will pick up the merge process next weekend
problems arose from the duplicated code base; also relates to bug 1137
current patch on testserver bug 1177 requires some more work
- display prob 15.php + 43.php
- fixed, checked by 3
4. requires transfer to production
bug 663
- dirk, 2nd review done
bug 893 (reviewed 2013-08-06 by NEO) to be bundled with 1177, 1136, 1137
bug 1177 (reviewed 2013-08-06 by NEO) to be bundled with 893, 1136, 1137
5. 2nd review of remaining patches
6. Patches Overview - Testing, Development
- needs further testing
- 918 .. keysize
- Medium security mostly corresponds to key size 1024, High security to 2048, but all of this depends on the crypto provider
- needs testing
- 918 .. keysize
- summary - state of patches
- 440 needs work (NEO) (see also below)
- Patch bug #440 was deferred (Timo's addtl. work), but this project stalls. What to do with bug #440 ?
- 1004 needs work by neo
- 1113 needs work by benbe, transfered to cacert-devel
- 1017 needs work by neo
- 1025 needs testing
bug 1123, magu test done
Bugs #1023 re-opened
Bugs #1112 Exchange the text on the TTP page according to the new TTP program, deployed 2013-04-24
- needs update of patch 1023 (new points calculation routine)
Bugs #1023 re-opened
- 440 needs work (NEO) (see also below)
- Policy text and Arbitration ruling bug# fixes
- Policy text changes
new bug #1131 Replace all policies from php to html
Inopiae
Bugs #1131 Rename PolicyOnPolicy.php and other Policies too to .html
{0}
- dirk to review
PoP update running under Policy Decisions #p20130223
- proposal to await final decision dated 2013-03-08
to wait until end of p20130223 -> 2013-03-08
POLICY images to transfer from www.cacert.org/images to www.cacert.org/policy/images -> img src="images/.."
- url link
- current: 3 variations
- href="//www.cacert.org/policy/PolicyOnPolicy.html" vs.
href="PolicyOnPolicy.html"
- proposal
- absolute url
- a. or b. ?
- // ... : scheme-relative links lose the scheme once the page is downloaded
- so therefore https
b. as https://..
- BenBE: needs patches 1146, 1147, 1131
all 3 patches attached as complete archive under bug #1131 as zip
- BenBE: wants them in git
- git guru: take over this task
Fix available: bug #1131
bug 1131 ready for 2nd review
authoritative go by PoP 2.5 according to Policy Decisions #p20130223
- NEO, looks good, except html entities in CPS section 3.1.2
- Arbitration ruling text fixes
- CAcert must update the web page on disputes, and include an explanation how to file a dispute (a20091206.1)
- Policy text changes
bug #1004 Stats page improvement
- stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
- fully re-tested by 2: 2012-08-25 (at froscon)
- needs 2nd review
- moved out to cron job routine
-> BenBe, assigned
1004 ... on review by BenBe
checked BenBe
- work done by NEO, pushed to cacert-devel, transferred to testserver
- needs 2nd review, tested
- current state:
- open issues
- How are deleted users handled?
- Isn't "verified_certs" misleading as the affected tables also contain certs that failed to be signed?
- User Statistics don't take removed assurances into account (???)
- Why not calculate backwards in the year-dependent loop from the already known values? The loop runs backwards already anyway.
- the latter is still open
bug #1025 Domain Dispute issue
BenBe will pickup for 2nd review
- needs further testing
magu, inopiae, u60 -> testing https://bugs.cacert.org/view.php?id=1025
- several test accounts, variations of one or more email addresses, 0 or 1 domain added
- test the full disputes procedure for all variations
- tested by u60
bug #1054, test 1054.3.6, bug #1035
create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs
- renew the certs
addtl. tests ? Marcus? Magu? BenBe?
- 2012-10-02 dirk: problems with git push #1054, got fixed
- DEV on bug 1023/1054 "Thawte Patch"
- check last changes by dirk to transfer into test scenarios
see reference notes note 3225 on bug #1101 and note 3245 on bug #1101
bug #1017 , relates also to bug #1054, test 1054.3.6 - Chrome certificate enrolment (relates to #964 "Black Jack") bug #964
- create client certs, go to signing routine
- new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
- Install the certificate into your browser (tested)
- Download the certificate in PEM format
- Download the certificate in DER format
bug #1017 Chrome certificate enrolment
BenBe will pickup
bug #1017, doing some more tests?
- Alex, Marcus doing some more tests
- BenBE to review
- review bug #964 by Michael
- bug #964 transferred, still open: bug #1017
bug #1017 Chrome certificate enrolment
- needs testing (lost by transfer to testserver stable)
- commited 2012-09-04
- new commited 2013-02-13
- 964 create cert works, install into browser doesn't work
- Marcus Bugs list
according to Bugs # 976
- 0000976: List of update request for webdb database structure upgrade with tables / fields
addtl_notes table hasn't been added in patch bug 976 on 2011-11-25
- OU info from Org cert not stored
- extend org certs table ? new bug?
- OU in subject?
- includes/account.php (17)
- in org certs it is in subject
- addtl. field ou ? new bug# ?
- used bug #1010
new bug #1095 "Problems with creating server certificate where the csr is created with Java SDK Tools"
- cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
- NEO couldn't reproduce the problem using keytool, tested against production and testserver
- identified as weak algorithm usage: the CSR was signed with an MD2 digest, which OpenSSL no longer supports; add a new error message for this case
bug #440, bug #1101 (extract CSR) (back under development)
- ASN.1 format
- CSR extract: needed for signing: email address, hostname
- Timo will write a CSR parser
- Current:
- CN will be parsed
- some information about public key
- ASN.1 php library
- Whats about UTF-8 ?
- IDN's
Policy: p20091108 CPS to drop assurer criteria and allow IDN certificates in specified TLD or single script character sets
Assurance Handbook - Some more Information
Code signing and IDN certificates If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names). Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.
- current only client and server certs, other options currently not selectable, except Code Signing
- parameters: domains, current first becomes CN, others SANs
- rebuild subject routine ... to check
- Michael: shall we enforce cn from csr?
- optional?
- enforce copy cn to SAN
asn1 parse procedure, http://lapo.it/asn1js/
- getcn, getalt procedure
docs for extractit() and getcn(): general.php line 230
- felicitus: how someone get "CN" from "commonName"? where is it documented that "CN" is "commonName"?
- OID of commonName is 2.5.4.3, but there is nothing about "CN"
- BenBE: see the OpenSSL header files
- Patch bug #440 was deferred (Timo's addtl. work), but this project stalls. What to do with bug #440 ?
comments https://bugs.cacert.org/view.php?id=440#c3243, https://bugs.cacert.org/view.php?id=440#c3251 checked?
- Neo started some fixes (getcn and ...), to be continued
- ASN.1 parser - planned: incorporate asn.1 from openssl
bug #1101 refactoring getalt getcn (Timo)
see bug #1101 comment c3225
- tries to build a php library for openssl parsing replacement
- asn.1 parsing, own library
- ???
- openssl does escaping (per man page) (input? output?)
- library test thru unit tests
- openssl command for multiple san's ?
- undocumented feature?
currently only known with -extfile creating-a-certificate-with-multiple-hostnames
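The CN question above (where is it written that "CN" means commonName, and why a text-splitting extractor goes wrong) is easiest to see with a DER walk. The following is an added example, not CAcert's extractit()/getcn() and not Timo's library: a minimal DER parser that pulls the CN out of an X.501 Name by OID, next to the fragile alternative of splitting OpenSSL's one-line `/C=../CN=..` rendering. The Name it parses is constructed here; the OID to short-name table mirrors a handful of OpenSSL's own entries (the DER only carries 2.5.4.3, "CN" is OpenSSL's short name for it).

```python
"""DER walker for an X.501 Name: take the CN by OID, not by splitting text.
Added example, not CAcert's extractit()/getcn(); the Name below is constructed.
OID 2.5.4.3 only means commonName; "CN" is the short name OpenSSL assigns to it
in crypto/objects/objects.txt, which SHORT_NAMES mirrors for a few attributes."""
from typing import Iterator, List, Tuple

SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C
# UTF8String, PrintableString, IA5String, BMPString
STRING_CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}
SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}

def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8n, then n length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV")
    return tag, value, pos + length

def children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child

def decode_oid(value: bytes) -> str:
    """OID content octets -> dotted form; the first octet packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(der: bytes) -> List[Tuple[str, str]]:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value AttributeValue }."""
    tag, body, _ = read_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    for set_tag, rdn in children(body):
        if set_tag != SET:
            raise ValueError("RDN must be a SET")
        for atv_tag, atv in children(rdn):
            (oid_tag, oid), (str_tag, raw) = list(children(atv))
            if atv_tag != SEQUENCE or oid_tag != OID or str_tag not in STRING_CODECS:
                raise ValueError("malformed AttributeTypeAndValue")
            dotted = decode_oid(oid)
            attrs.append((SHORT_NAMES.get(dotted, dotted), raw.decode(STRING_CODECS[str_tag])))
    return attrs

def get_cn(der: bytes) -> List[str]:
    """All CNs in the Name; a CSR may carry several, so the caller decides."""
    return [v for k, v in parse_name(der) if k == "CN"]

def cn_from_oneline(subject: str) -> List[str]:
    """The fragile alternative: split OpenSSL's one-line '/C=../CN=..' output."""
    return [part[3:] for part in subject.split("/") if part.startswith("CN=")]

# --- constructed fixture; short-form lengths suffice for a Name this small ---
def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))

def build_name(attrs: List[Tuple[str, str]]) -> bytes:
    return _tlv(SEQUENCE, b"".join(
        _tlv(SET, _tlv(SEQUENCE, _oid(o) + _tlv(UTF8STRING, v.encode("utf-8"))))
        for o, v in attrs))

# One CN whose value itself contains "/CN=": unambiguous in DER, ambiguous as text.
SAMPLE_NAME = build_name([
    ("2.5.4.6", "AU"), ("2.5.4.10", "CAcert Inc."),
    ("2.5.4.3", "www.example.org/CN=mail.example.org"),
    ("1.2.840.113549.1.9.1", "admin@example.org"),
])
SAMPLE_ONELINE = "/" + "/".join(f"{k}={v}" for k, v in parse_name(SAMPLE_NAME))

if __name__ == "__main__":
    print("DER :", get_cn(SAMPLE_NAME))              # one CN
    print("text:", cn_from_oneline(SAMPLE_ONELINE))  # two "CNs" from the same subject
```

The DER walk returns exactly one CN for the fixture, while splitting the rendered subject on "/" yields two, which is the class of problem the escaping discussion above is about. A real CSR parser would start from CertificationRequestInfo and also walk the extensionRequest attribute for subjectAltName; the Name part is the same code.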
- GPG bugs
delete/revoke GPG keys (eg bug #1079 )
- trust signatures can be revoked
- CRLs have to be added to keyservers, but no one will check
- revocation: 5 reasons given
- should be possible, but project needs a developer
- GPG bugs
- OpenPGP parser project, reviewed by Michael last weekend
- Michael remark: using 3x = (===) instead of 2x = (==)
- unpack (N) 32bit unsigned may become a problem
- relates to hardware platforms, signer has been replaced about 2 years ago, but needs to be used on both sides (webserver + signer). Webserver upgrade is WIP
- in principle ok
- BenBE: GPG/PGP parser
- revoke gpg keys implemented
bug #279 bad domains
- .*top.*
- regexp list
- database table exist
- update procedure?
- what about recurring distribution of update files via the CA/Browser Forum?
- arbitration?
- SE console for update?
- critical admins?
- check routine on add-domain
- add domain under OA should be possible ...
- one-time check of current existing domains ?
- first time check against full filter list
- individual check in event add domain
- global check in event add entry to filter list
- replace/update full filter list (case 1 + 4)
- meta infos:
- datasources
- attributes (?)
- creation date
- delete entry / revocation date
bug #1135 SE activity audit tables
- addtl. recording of arbitration numbers to members
- results in long discussions
requirements, thought cases (eg name change request while another arbitration is running (-> uncritical))
delete account requests handled under precedent case a20111128.3), one "critical" case (certs misusage) is turned in procedure: arbitrator has to follow "emergency case" procedure and to keep track of open "delete account" cases
- interference/interaction of 2 of the 3 powers (executive, judiciary) (arbitration has to act as executive to forward all new cases to the support team with a list of open/running arbitration cases)
- all ends on (arbitration) "critical" cases
"critical" cases will be handled under Arbitration eg. a20111128.3 within reasonable (eg 48 hours) window
- discussion defered
1135 (BenBe) 2nd review by another SA before moving to testserver
- Michael to review
bug #1136 SE console, delete all certs of a member (instead of hijacking an account)
- probably 1 requirement: addtl. verification step
- 2013-02-26:
- bug #1136 - revoke certs doesn't work
- server log shows no errors
- and the fix: cacert-devel: testserver-stable 90bdd8cb Timestamp: 2013-02-26 23:32:07
- added to testers portal, needs testing, 2nd review
- doesn't work as expected, needs work
- bug-1136 ready to test. Error fixed
- tested by magu
bug 1136 review tests
u60: requires some rework report #4112
- inopiae: patch delivered, merged into testserver
- re-tests started
bug #893 Extend Delete account feature for support
inopiae
bug #893 Delete account rev 3 procedure
needs testing and 2nd review
{0}
- test 893 (delete account) with existing server certs, also gpg certs
- gpg revocation is currently not avail ...
- manual procedure: so far no such case has occurred in the manual procedure
- proposal: in production: set on hold until gpg key expires
for testing: gpg keys not expired -> stop procedure if remaining gpg keys not expired
if account is locked -> no special exception
org admin flag set -> procedure stop (includes Org certs avail)
- related dispute bugs 1136? 1045?
- from meeting 2013-04-30
- requires regexp to check validity: /^[a-z]\d{8}\.\d+\.\d+$/i
- several tests and updates made
bug #1137 Record the CCA acceptance for entering an assurance
inopiae
bug #1137 Record the CCA acceptance for entering an assurance
needs testing and 2nd review
{0}
- 1137 "Record the CCA acceptance for entering an assurance" needs review testing
- bug-1137 ready to test. Error fixed
(2013-06-11) bug #1137 pushed to test server by BenBE
- Testing 2013-07-16
- after finishing assure someone - results in wot.php blank page
- problem commit 93742459589b515a232d3ec4b717e4b7caa9de85
testserver-stable~43..testserver-stable~44 (bad -> good) - duplicated code
43.php inclusion -> notary.inc is most current
- to deprecate: wot.inc
- inopiae will pickup the merge process upcoming weekend
bug #1162 pushed to test server by BenBE
bug #1141 If I delete domains, no server certs for these domains are listed, not even the revoked ones
- moved to testserver
NEO
bug #1141 If I delete domains, no server certs for these domains are listed, not even the revoked ones
needs testing
{0}
discussions: arbitration case? privacy (e.g. PP 10.), data retention (-> Australian DPA)
- Marcus to contact Benedikt
- moved to testserver
what to do with bug #1143 Web site doesn't scale vertically
- Advertisement
- permission review script doesn't include ADadmin
relates to bug #1003 and Arbitration case a20110118.1
- board motion? treasurer? adadmin?
Answers given by Intermediate ruling #7 under a20110118.1
- Michael to pickup
- 2013-06-11: reminder for NEO
Bug #1003 permissions review script
- next run: 2013-06-30
- patch transferred to testserver, initiated schedule, mails sent
- still problems?
bug #901 Renewal of certificate with WIN 7 and IE8
Marcus: bug #1160 "Unable to import personal cert/key into Thunderbird or Evolution, hence unable to encrypt mail with CAcert certificates" - needs feedback
- does this have to do with the last patch install ?
Since the install of patch bug #964 (Black Jack), automatic client cert installation and renewal into FF doesn't work (the install-to-IE5 button doesn't work)
- the signed public client cert is presented as ASCII for copy and paste into a file, but this cert doesn't include the private key part, so the signed public key has to be married with the private key
see also FAQ client certs Renew Client Certs under FF
patch bug #1017 includes an automatic install into Mozilla keystore, current code on production doesn't
- does this have to do with the last patch install ?
Marcus: server.pl - bug #1159 - it might be possible to execute commands on the signing server
- answered by Wytze
- NEO tries a patch
server.pl issue .. review by Ben finished, ready to deploy bug #1159
bug #1172 MySQL -> transactional, move isam to innodb
- Switch MySQL to MariaDB ?
2013-06-11: bug #1172 Move the database engine from myISAM to InnoDB - and other plans for DB migrations
- also long term project: "sql class project"
- ongoing discussions about using stored procedures or not
- voted: result: 1 aye, 4 naye, 1 abstain
bug #1094 Wrong information shown when disputing a domain that is part of a organisation account - Review by Michael
- Review by Michael + Test by Magu 1094 - OK.
bug #28 Wrong language for you've been assured & [CAcert.org] Client Certificate emails - Review by Michael
- Review 28 by Michael doesn't work.
- Additional work required: Doc Comments in include/lib/l10n.php
- Repaired by Benny for bug 28
- Ported patch by Marcus
- Fixed parameter name and class refs in include/lib/l10n.php
bug #872 Discuss over Software changes for PoJAM Policy
- (BenBE)
- UI with checkbox for PoJAM seen
- for old cases take "not seen" as default
- do mass-mailing for all PoJAM related to ask assurers to confirm they saw the Parental Consent form
- ignore points from assurances under PoJAM (even after 18th birthday) when calculating permissions if no confirmation is present
- Marcus
- check only one case of PoJAM acceptance per user
- once one is present count all assurances as valid
- Michael
- 2 or more Checked PoJAM Assurances for CAcert High Products
- SQL query to critical:
Users below 18th birthday grouped by date -> counts of assurance points
From arb a20091221.1
- Uli (AO)
PoJAM assurance points received handling according to Legacy Policy - PoJAM
- bug 872 for statistics for PoJAM
- file a dispute - SQLquery
    SELECT
        count( `temp`.`no` ) as AffectedUsers,
        sum( `temp`.`assurances` ) as AffectedAssurances,
        if(points = 0, "No points",
           IF(points < 50, "1 < x < 50",
              IF(points < 100, "50 <= x < 100", "100 <= x"))) as ReceivedPoints
    FROM (
        SELECT 1 AS no, count( 1 ) AS assurances, sum( `notary`.`points` ) AS points
        FROM `users`, `notary`
        WHERE YEAR(`users`.`dob`) >= 1995 and `users`.`id` = `notary`.`to`
        GROUP BY `users`.`id`
    ) AS `temp`
    group by ReceivedPoints
- (BenBE)
bug #1140 needs testing
Ted
bug #1140 Show if a test is passed in learnprogress
tested by 3, requires review
{0}
bug #500 needs testing
Ted
bug #500 Get contact mail address after resolving test
requires testing
tested by 3, requires review
{0}
bug #1139 moved to ready to deploy
inopiae
bug #1139 Add new fields to the database
tests through #500 and #1140, 2nd review done, requires transfer
{0}
2013-06-11: Bug #1064 and Bug #1045 results in merge conflict in www/wot.php - postponed, Various patches
- merge conflicts, in www/wot.php
Updated Bug #569 had been pushed to testserver already
bug 1183 prepared patch by magu
bug 372 - relates to fixed bug 922 but 922 only covers missing expired certs notifications - 372 requires deeper review regarding the domlink table (in short: deprecation of the domlink table isn't possible)
Ted: bug 1191 proposal to upgrade to Wheezy
- do we have a testserver? if no - can cats1 be upgraded?
- requires no update for 1191
- ca-mgr1 update will be done by NEO
- Markus W initiated Zend on ca-mgr1, NEO continued
bug 1190 re-opened
magu
bug #1190 News does not display teaser
re-opened, again
{0}
- Magu dropped fix, depatched entities
- Mario: looks like wp bug
bug 1185 register globals
simple fix; Should be solved now because bug 1176 is in production
bug 1193
- per CPS 4.2.2 this is an allowed variant
- section Domain verification
7. Long Term Projects
NEO: "BlackJack" bug #964 testing from last week -> error codes
- started implementing
how does bug #1017 relate to this bug?
- cert signing routine
- ie5 ie6 automatic storage of signed key in local keystore
- doesn't work under vista, win7
- msi package is to download and import the keys to the local keystore under vista, win7
relates to bug #1099 but is quite different
- neo sent msi package for testing to u60, benbe; test passed successfully
- bug #964 passed, #1017 still open
- bug 964, has been passed to production, key generation works, transfer into browser not
BenBE: reviewed bug #1099 roots installer
- displays: "Windows installer package for browsers that use the Windows certificate store (for example Internet Explorer, Chrome on Windows and Safari on Windows)"
- some ideas to move the installer to own section
Michael: reworks bug #1099 (roots download page), deployed
- Marek's sql class project:
- is working on charset replacement
- api project, Carsten continues with portal project not waiting for vendor-api to be delivered
- vendor-api delayed
- no coders
- other projects
- related to sql class project
- portal project continues with a workaround, needs an assurer
- arbitration case on locations database orders outsourcing of find-an-assurer asap
- with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
- relation to location database
- website find an assurer
- scripted mailing for ATE invitations
- user check that data is still valid eg every 1 year
- notification at login upto 6 months not online
- notification by email if not logged in within last 6 months
- Automated testing system
- Timo: Unit-test testsystem, phpunit jenkins
- can we merge both environments? frontend tests and unit tests?
- Timo: automated testing systems are mergable
- frontend test: java, may become a problem, alternate php version?
- focus on unittests
- dirk: code or screen?
- code and screen
- frontend and unit tests on one machine?
- trial: port frontend tests
- Timo: monitoring signer, not yet done
- Probably Wytze monitors the systems externally ?!?
see Systems overview
- monitoring system eg Zabbix instead of Nagios?
- BenBE: Icinga as alternate?
- Zabbix agents: requires to be the same revision as server
- TLS project
- BenBe/Wytze talked @ fosdem
- risks fairly low, awaiting fix
secure boot project (required steps?) (also relates to New Roots & Escrow)
- we have
- risk analyze
- new roots procedure
- required steps?
- Escrow method to select
- subroot under eg. org++
- cps changes
- new roots?
- new signer?
- indirect CRLs
- tk-server / testserver system hosting
- plans for moving testserver over from current location over to BIT Ede, NL new non-critical infrastructure?
- What are the testserver host requirements? as current non-critical infrastructure runs on LXC and testserver runs under VMware esxi 3.5
- piped serial interface configuration
- isolating port 25 for testservers (local firewall?)
- LXC and serial interfaces
- possible solutions: using a. serial interface b. named pipes?
alternates: VirtualBox
- To link serial port ttyS0 to another serial port:
socat /dev/ttyS0,raw,echo=0,crnl /dev/ttyS1,raw,echo=0,crnl
- Server is currently located at Sebastian's and is planned for Non-Critical Infrastructure
- another plan: reducing rackspace, removal of old hardware?
IP Addresses see IP List
cacert1 + secure1 -> 1 IP
ca-mgr1 + cats1 -> 1 IP
git-cacert -> 1 IP
- TVERIFY is disabled
- dirk: shall contact Sebastian, transfer to Wytze, Wytze will continue preparation offsite
- secure-u project (signatures) is decoupled from tk server project
Plans are: using VirtualBox or LXC (preferred)
- planned Infrastructure upgrades
several systems bugs, mantis, lists and many others (current Infrastructure systems keys list (see meeting minutes 2013-07-16))
- several firewall outbound rules for blog, web (community portal) and others
- Update 2013-07-23
- dirk: transfer to BIT Ede, NL, around week 33 (2013-08-12 ff.)
8. next meeting
- Tuesday, August 20, 2013 - 22:00 CEST (20 UTC) ?
Minutes
1. Preface
- Introduction Andreas
- Arb case a20130810.1 sql queries
- Michael: also other provider closed down: Silent Circle
https://silentcircle.wordpress.com/2013/08/09/to-our-customers/
- sql1, tested on local testserver: ok (u60)
    select count(users.id)
      from users
     where users.email like "%@lavabit.%" and users.deleted = 0;
- sql2, tested on local testserver: ok (u60)
    select count(distinct email.memid)
      from email inner join users on email.memid = users.id
     where users.email like '%@lavabit.%' and users.deleted = 0
       and email.deleted = 0 and email.email not like '%@lavabit.%';
- sql3a - assurances given, applied to the sql1 population
    select count(distinct notary.from)
      from notary, users
     where notary.deleted = 0 and notary.from = users.id
       and users.email like "%@lavabit.%" and users.deleted = 0;
- optimized, tested on local testserver: ok (u60)
    select count(distinct notary.from)
      from (select distinct users.id from users
             where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
           inner join notary on interesting_users.id = notary.from
     where notary.deleted = 0;
- sql4a - assurances given, applied to the sql2 population
    select count(distinct notary.from)
      from notary, users, email
     where notary.deleted = 0 and notary.from = users.id and users.id = email.memid
       and users.email like '%@lavabit.%' and users.deleted = 0
       and email.deleted = 0 and email.email not like '%@lavabit.%';
- optimized, tested on local testserver: ok (u60)
    select count(distinct notary.from)
      from (select distinct users.id
              from email inner join users on email.memid = users.id
             where users.email like '%@lavabit.%' and users.deleted = 0
               and email.deleted = 0 and email.email not like '%@lavabit.%') as interesting_users
           inner join notary on interesting_users.id = notary.from
     where notary.deleted = 0;
- sql3b1 - active client certs, applied to the sql1 population, tested on local testserver: ok (u60)
    select count(distinct emailcerts.memid)
      from (select distinct users.id from users
             where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
           inner join emailcerts on interesting_users.id = emailcerts.memid
     where emailcerts.expire > NOW() and revoked = 0;
- sql3b2 - active server certs, applied to the sql1 population, tested on local testserver: ok (u60)
    select count(distinct domains.memid)
      from (select distinct users.id from users
             where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
           inner join domains on interesting_users.id = domains.memid
           inner join domaincerts on domains.id = domaincerts.domid
     where domaincerts.expire > NOW() and domaincerts.revoked = 0;
- sql3 combined, tested on local testserver: ok (u60)
    select count(*) from (
        select notary.from as memid
          from (select users.id from users
                 where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
               inner join notary on interesting_users.id = notary.from
         where notary.deleted = 0
        union distinct
        select emailcerts.memid as memid
          from (select users.id from users
                 where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
               inner join emailcerts on interesting_users.id = emailcerts.memid
         where emailcerts.expire > NOW() and revoked = 0
        union distinct
        select domains.memid as memid
          from (select users.id from users
                 where users.email like "%@lavabit.%" and users.deleted = 0) as interesting_users
               inner join domains on interesting_users.id = domains.memid
               inner join domaincerts on domains.id = domaincerts.domid
         where domaincerts.expire > NOW() and domaincerts.revoked = 0
    ) as critical_users;
- sql4 combined, tested on local testserver: ok (u60)
select count(*) from ( select notary.from as memid from (select users.id from email inner join users on email.memid = users.id where users.email like '%@lavabit.%' and users.deleted = 0 and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users inner join notary on interesting_users.id = notary.from where notary.deleted = 0 union distinct select emailcerts.memid as memid from (select users.id from email inner join users on email.memid = users.id where users.email like '%@lavabit.%' and users.deleted = 0 and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users inner join emailcerts on interesting_users.id = emailcerts.memid where emailcerts.expire > NOW() and revoked = 0 union distinct select domains.memid as memid from (select users.id from email inner join users on email.memid = users.id where users.email like '%@lavabit.%' and users.deleted = 0 and email.deleted=0 and email.email not like '%@lavabit.%') as interesting_users inner join domains on interesting_users.id = domains.memid inner join domaincerts on domains.id = domaincerts.domid where domaincerts.expire > NOW() and domaincerts.revoked = 0 ) as critical_users;
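The queries above were checked against a local testserver; the following is an added example (not part of the minutes and not CAcert code) that shows how the same sql1/sql2/sql3/sql4 logic can be checked offline against a constructed fixture with known expected counts. The schema is constructed from the table and column names the queries use, and the queries are adapted to SQLite: single-quoted string literals, `"from"` quoted because it is a reserved word, `current_timestamp` instead of `NOW()`, and plain `union` (which is distinct by default) instead of `union distinct`. The `revoked = 0` in the client-cert branch is qualified as `emailcerts.revoked` for clarity.

```python
import sqlite3

# Constructed schema: names follow the minutes' queries, the "from"/"to"
# columns of notary are quoted because "from" is a reserved word.
SCHEMA = """
create table users (id integer primary key, email text, deleted integer);
create table email (id integer primary key, memid integer, email text, deleted integer);
create table notary (id integer primary key, "from" integer, "to" integer, deleted integer);
create table emailcerts (id integer primary key, memid integer, expire text, revoked integer);
create table domains (id integer primary key, memid integer, domain text);
create table domaincerts (id integer primary key, domid integer, expire text, revoked integer);
"""

FUTURE, PAST = '2099-01-01 00:00:00', '2000-01-01 00:00:00'

# Constructed rows, chosen so that every expected count is known in advance.
FIXTURE = {
    'users': [(1, 'alice@lavabit.com', 0), (2, 'bob@lavabit.com', 0),
              (3, 'carol@lavabit.com', 1),   # deleted account: never counted
              (4, 'dave@example.org', 0),    # not affected
              (5, 'erin@lavabit.com', 0)],
    'email': [(1, 1, 'alice@example.org', 0),  # alternate, non-lavabit address
              (2, 2, 'bob@lavabit.com', 0),    # alternate address is lavabit too
              (3, 5, 'erin@other.net', 1)],    # alternate address was deleted
    'notary': [(1, 1, 4, 0),   # alice has given an assurance
               (2, 4, 1, 0),   # dave assured alice (dave is not affected)
               (3, 2, 4, 1)],  # bob's assurance record is deleted
    'emailcerts': [(1, 2, FUTURE, 0),  # bob: active client cert
                   (2, 1, PAST, 0)],   # alice: expired client cert
    'domains': [(10, 5, 'erin.example')],
    'domaincerts': [(1, 10, FUTURE, 0),   # erin: active server cert
                    (2, 10, FUTURE, 1)],  # erin: revoked server cert
}

# sql1 population: primary address at lavabit, account not deleted.
INTERESTING_SQL1 = """
select distinct users.id from users
where users.email like '%@lavabit.%' and users.deleted = 0"""

# sql2 population: as sql1, but with a non-deleted alternate address elsewhere.
INTERESTING_SQL2 = """
select distinct users.id from email inner join users on email.memid = users.id
where users.email like '%@lavabit.%' and users.deleted = 0
  and email.deleted = 0 and email.email not like '%@lavabit.%'"""


def critical_users_sql(interesting):
    """sql3/sql4 shape: members of the population who gave assurances,
    hold an active client cert, or hold an active server cert (de-duplicated)."""
    return f"""
select count(*) from (
  select notary."from" as memid from ({interesting}) as interesting_users
    inner join notary on interesting_users.id = notary."from"
    where notary.deleted = 0
  union
  select emailcerts.memid from ({interesting}) as interesting_users
    inner join emailcerts on interesting_users.id = emailcerts.memid
    where emailcerts.expire > current_timestamp and emailcerts.revoked = 0
  union
  select domains.memid from ({interesting}) as interesting_users
    inner join domains on interesting_users.id = domains.memid
    inner join domaincerts on domains.id = domaincerts.domid
    where domaincerts.expire > current_timestamp and domaincerts.revoked = 0
) as critical_users"""


def build_db():
    """In-memory database loaded with the constructed fixture."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    for table, rows in FIXTURE.items():
        placeholders = ','.join('?' * len(rows[0]))
        conn.executemany(f'insert into {table} values ({placeholders})', rows)
    return conn


def scalar(conn, sql):
    return conn.execute(sql).fetchone()[0]


def run_checks():
    """Return the four counts; on the fixture: sql1=3, sql2=1, sql3=3, sql4=1."""
    conn = build_db()
    results = {
        'sql1': scalar(conn, f'select count(*) from ({INTERESTING_SQL1})'),
        'sql2': scalar(conn, f'select count(*) from ({INTERESTING_SQL2})'),
        'sql3': scalar(conn, critical_users_sql(INTERESTING_SQL1)),
        'sql4': scalar(conn, critical_users_sql(INTERESTING_SQL2)),
    }
    conn.close()
    return results


if __name__ == '__main__':
    for name, value in run_checks().items():
        print(f'{name}: {value}')
```

The fixture deliberately contains the edge cases the queries filter on (a deleted account, a deleted assurance record, an expired client cert, a revoked server cert, an alternate address that is itself at lavabit), so a change in any filter shows up as a changed count.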
- tk-server
- proposed for calendar week 33 (KW 33), no update yet
- proposed that Sebastian transfers the server over to dirk, and dirk transfers it one day over to NL
2. Bugs
- BenBE prepared patch bundle from
bug 1200
- BenBE: ready to deploy
Ask Critical for installation of the mktemp package in the webserver's executable path so that GPG signing works
- BenBE: ready to deploy
- NEO found a probable bug in notary.inc regarding the server certs MySQL query
- running id=50
bug 1190 re-opened
- wp bug
- fix in webdb code requires deeper inspection -or-
- search bug in wp and fix it
3. Documentations
BenBE updated page 4 of testers welcome pack
4. Long term projects
- BenBE proposal ...
- to centralize sql queries in the code base
- the project was started by Marek but didn't make much progress
- see agenda item 7.2
Fixed Action Items since last or within meeting
Action Items New
Action items: Meeting Action Items