Logfile from Software-Meeting 2018-10-26
all timestamps are UTC +2 (Germany/MESZ)
26.10.2018 [19:05:34] <GuKKDevel> Hi
26.10.2018 [19:05:55] <Ted> Hello
26.10.2018 [19:06:02] <GuKKDevel> Hello
26.10.2018 [19:06:08] <Ted> Still a bit early...
26.10.2018 [19:06:16] <GuKKDevel> yeah
26.10.2018 [19:06:17] -*- Ted grins happily
26.10.2018 [19:07:05] <Ted> You're working on the rebase now? Of Bug-1260
26.10.2018 [19:07:12] <GuKKDevel> yes
26.10.2018 [19:08:30] <GuKKDevel> but I'm not sure whether it wouldn't be easier to start bug-1260-neu again from release.
26.10.2018 [19:09:12] <Ted> Yes, that thought occurred to me too while skimming through it.
26.10.2018 [19:09:49] <GuKKDevel> I ran a text search for mysql_ over origin/release and for mysqli_ on origin/bug-1260
26.10.2018 [19:10:21] <GuKKDevel> most of the changes are as expected
26.10.2018 [19:10:47] <GuKKDevel> but some Mysql_real_escape are not replaced
26.10.2018 [19:11:27] <GuKKDevel> on the other hand, quite a few lines of text have also shifted
26.10.2018 [19:11:59] <GuKKDevel> I'd like to make the two files available so that people can have a look at it
26.10.2018 [19:12:30] <Ted> The diffs?
26.10.2018 [19:12:55] <GuKKDevel> do you have an idea/a suggestion where I could store the files so that everyone can download or view them?
26.10.2018 [19:13:08] <Ted> I'm just thinking about it...
26.10.2018 [19:13:40] <GuKKDevel> no, the lines that contain the respective mysql or mysqli statement
26.10.2018 [19:14:08] <Ted> Oh I see, so the search result
26.10.2018 [19:14:38] <GuKKDevel> they are about 60 and 70 kB respectively
26.10.2018 [19:14:43] <Ted> How big are they?
26.10.2018 [19:15:00] <Ted> OK, it should be no problem to attach them to the bugtracker case
26.10.2018 [19:15:55] <Ted> Files up to 5 MB work there
26.10.2018 [19:16:19] <GuKKDevel> OK, that's great then
26.10.2018 [19:17:44] <GuKKDevel> or should we rather let bug-1260 expire and use the bug you newly filed for this instead? with 1260 there was also something else to do, if I understood that correctly
26.10.2018 [19:18:38] <Ted> Currently I have classified mine as a duplicate of 1260 and closed it
26.10.2018 [19:19:01] <Ted> But of course it can also be reopened and classified as a child...
26.10.2018 [19:19:17] <Ted> Could make sense
26.10.2018 [21:32:38] <jandd> you only need mysql escape if you don't use PDO, i.e. no prepared statements. Would a conversion to PDO be too much effort?
26.10.2018 [21:33:27] <jandd> ... I haven't looked at the code yet, hence the - perhaps naive - question :-)
26.10.2018 [21:38:08] <jandd> ... hmm, ok, 1275 lines with mysql_ functions is quite a bit more after all.
26.10.2018 [21:38:28] <jandd> is there a unit test suite for the code?
26.10.2018 [21:47:03] <GuKKDevel> what is a unit test suite?
26.10.2018 [21:48:32] <jandd> a set of automated tests that you can run to check that code changes have not broken any existing functionality, or that the code still does what is expected
26.10.2018 [21:49:16] <jandd> for PHP this can be done e.g. with PHPUnit https://phpunit.de/
26.10.2018 [21:52:01] <jandd> if you have something like that with sufficient coverage, it is much easier to refactor code, because you can then make sure that you haven't accidentally broken something
26.10.2018 [21:52:57] <jandd> there are also more advanced test automation tools like Selenium with which you can also test web interfaces, but unit tests would be a good start
26.10.2018 [21:52:58] <Ted> Yes, it would be good to have something like that, but I'm afraid it would have to be built first. ==> A lot of work at first, even if many things get easier later
26.10.2018 [21:53:26] <jandd> ok, so that doesn't exist so far
26.10.2018 [21:54:22] <Ted> I wouldn't know where.
26.10.2018 [21:56:53] <jandd> pity. Is there a rough list of the system's features somewhere, with which one could e.g. make a list of the most important functions for which such automated tests should definitely exist? Or would code archaeology be needed first?
26.10.2018 [21:57:50] <Ted> The latter.
26.10.2018 [21:57:55] <jandd> :-/
26.10.2018 [21:59:29] <Ted> All according to my current knowledge, which is far from being complete. I have not been very active in code development, just volunteered as a "Software Assessor for emergencies..." :-\
26.10.2018 [21:59:40] <GuKKDevel> That was probably also one of the reasons why a completely new version was being worked on?
26.10.2018 [22:00:21] <Ted> Yes, probably.
26.10.2018 [22:00:49] <Ted> I see it turned 20:00 UTC?
26.10.2018 [22:01:27] <dops> You don't have church in the neighborhood? Hi all!
26.10.2018 [22:01:40] <bdmc> Greetings, everybody.
26.10.2018 [22:01:45] <GuKKDevel> hello
26.10.2018 [22:02:02] <jandd> GuKKDevel: The new implementation birdshack had been started in Java probably because of better type-safety and tool support. As far as I have seen it was far from completion
26.10.2018 [22:02:04] <nemunaire> hello everyone!
26.10.2018 [22:02:07] <jandd> hello everyone
26.10.2018 [22:02:07] <Ted> Good evening / good morning everyone.
26.10.2018 [22:02:34] <bdmc> I have to leave in just under an hour, but am very willing to "be volunteered" to do whatever you like.
26.10.2018 [22:02:44] <Peter> Good morning
26.10.2018 [22:03:03] <Ted> Does anyone have an agenda, or do we just want an informal meeting?
26.10.2018 [22:03:20] <Peter> What is happening with the PHP code?
26.10.2018 [22:03:43] <jandd> bdmc: we just discussed that a unit test suite and a functional specification of the code are missing
26.10.2018 [22:03:52] <GuKKDevel> can't reach https://dev.cacert.cl/wiki/birdshack
26.10.2018 [22:03:55] <jandd> Ted: AFAIK there is no formal agenda
26.10.2018 [22:03:57] <AlainV_> Hello all
26.10.2018 [22:04:00] <bdmc> It appeared to me, from the e-mail chain, that there were things going on before we had this meeting, so I am with Peter and his question.
26.10.2018 [22:04:10] <jandd> dev.cacert.cl is dead unfortunately
26.10.2018 [22:04:25] <bdmc> Where is dev.cacert.cl?
26.10.2018 [22:04:35] -*- Ted greets Dirk.
26.10.2018 [22:04:47] <jandd> bdmc: I do not know
26.10.2018 [22:04:52] <egal> hi ... sorry for being late ... needed to find the channel we're talking in ...
26.10.2018 [22:04:58] <bdmc> B-)
26.10.2018 [22:04:59] <jandd> hi dirk
26.10.2018 [22:05:04] <GuKKDevel> hello
26.10.2018 [22:05:09] <egal> in the past we used the channel #sap ... ;-)
26.10.2018 [22:05:23] <bdmc> Is that a valid URL? ( dev.cacert.cl )
26.10.2018 [22:05:40] <egal> dev.cacert.cl was a machine operated by (as far as i know) alejandro ...
26.10.2018 [22:05:45] <jandd> Peter: the PHP code is what is the current code base and for the time being the code that needs work
26.10.2018 [22:05:51] <bdmc> egal: We moved just to confuse you.
26.10.2018 [22:05:58] <egal> but ... he isn't active in CAcert anymore ... ;-(
26.10.2018 [22:06:26] <jandd> and with him ... the server is gone. I don't know of a backup of that machine.
26.10.2018 [22:06:42] <bdmc> jandd: I was confused by all of the activity. I think that it was you that suggested that we start over with a fresh look at things, using the current Production code.
26.10.2018 [22:07:21] <GuKKDevel> found https://wiki.cacert.org/Software?action=show&redirect=BirdShack#BirdShack
26.10.2018 [22:07:32] <Peter> Many months ago, I downloaded some code from a link at cacert and converted it for PHP 7.2.
26.10.2018 [22:07:45] <Ted> bdmc: I'll try a summary of what happened this week
26.10.2018 [22:07:53] <Peter> Now I have a Github download ready to work on.
26.10.2018 [22:07:56] <jandd> git.cacert.org has an 8 year old clone of the birdshack code if anyone is interested for historical reasons
26.10.2018 [22:08:31] <egal> birdshack was an idea to rewrite the code completely ... but ... as far as i know there wasn't much coding done at that time
26.10.2018 [22:08:36] <Peter> Is the github code the current code?
26.10.2018 [22:08:39] <bdmc> Peter: I did the same at the same time. ( perhaps not 7.2 )
26.10.2018 [22:08:45] <egal> it was more or less concept work
26.10.2018 [22:08:58] <Ted> Following up on Wytze's report we assumed that the migration to a new PHP version should have some priority.
26.10.2018 [22:09:09] <egal> (as far as i know)
26.10.2018 [22:09:37] <Ted> This has already been started 5 years ago, in bug-1260
26.10.2018 [22:09:47] <Peter> <= to <?php
26.10.2018 [22:09:47] <jandd> in the last few days Ted and I fixed the connectivity of test.cacert.org and testmgr.cacert.org. I did not do anything on the code base yet. I have just been taking care of infrastructure for the past few years.
26.10.2018 [22:10:39] <bdmc> Ted: In Board Meetings we keep asking about bug-1260.
26.10.2018 [22:10:58] <jandd> I'm just here to see whether I can help the development with some of my software architecture and infrastructure know-how
26.10.2018 [22:11:09] <GuKKDevel> As far as I could see most mysql_-statements were replaced by mysqli_-statements
26.10.2018 [22:11:19] <Ted> GuKK is currently evaluating if it makes more sense to start anew or if it is easier to rebase the old bug to the current release branch
26.10.2018 [22:11:41] <bdmc> But, as you saw, there is more to the upgrade than just mysql_ statements.
26.10.2018 [22:11:49] <nemunaire> is there any chance the PHP code can pass audits, required for browser inclusion? how much work is needed to do so vs. continuing birdshack vs. some fresh idea?
26.10.2018 [22:11:50] <Peter> I can see http://test.cacert.org/ but not http://testmgr.cacert.org/
26.10.2018 [22:11:53] <GuKKDevel> but there are some conflicts with rebase
26.10.2018 [22:11:57] <nemunaire> or what is the target?
26.10.2018 [22:12:32] <Ted> bdmc: Yes, but the mysql upgrade is a critical point, we cannot migrate without that.
26.10.2018 [22:12:54] <Ted> The other things might give problems, but maybe there'll only be warnings.
26.10.2018 [22:13:02] <bdmc> Someone else can answer, but the big issue with browser inclusion is cost. Hundreds of thousands of euros, if I remember correctly.
26.10.2018 [22:13:21] <GuKKDevel> the target for the moment is to get the source code ready for the new debian stable
26.10.2018 [22:13:25] <Peter> Was the mysql change to mysqli or PDO?
26.10.2018 [22:13:35] <Ted> GuKK: +1
26.10.2018 [22:13:40] <jandd> I don't think code without a requirements specification can pass an audit. From my point of view the current effort is just to make the code work on a supported PHP version. This can only be a first step to get the code modernized.
26.10.2018 [22:13:44] <bdmc> Peter: they were taking the "easy" way out, and going to mysqli
26.10.2018 [22:14:13] <egal> jandd: +1 ;-)
26.10.2018 [22:14:33] <GuKKDevel> PDO should be used later with the new concept possibly
26.10.2018 [22:14:39] <dops> @nemunaire: Browser inclusion could only be a long term goal. For not running into serious trouble with outdated versions there is no real alternative to work on PHP as first step.
26.10.2018 [22:14:41] <Peter> I converted openbiblio from PHP 4 and mysql to run with both mysqli on old PHP and PDO on PHP 7.2
26.10.2018 [22:15:04] <egal> that's why the team with benny, marcus etc. wrote new software ... unfortunately they decided to write the specs after writing code ... .-(
26.10.2018 [22:15:11] <bdmc> I would like to suggest that, from Peter's and my experience, re-doing the upgrade with the current Production code would be better than trying to mash everything together.
26.10.2018 [22:15:47] <egal> the production code is (as far as i know) unchanged for (at least) 2 or three years ...
26.10.2018 [22:16:05] <jandd> git says 3 years
26.10.2018 [22:16:31] <egal> if there are changes, they should be minor changes in single files
26.10.2018 [22:16:43] <jandd> December 4th 2014 was the last commit ... so almost 4 years then
26.10.2018 [22:17:07] <Ted> bdmc: Unless you have lots of developers (say 2-3 full time workers) I don't see any chance to do any big things.
26.10.2018 [22:17:20] <Peter> Ok, I started a document: Convert Cacert to run with mysqli, PDO, and PHP 7 in stages
26.10.2018 [22:17:33] <Peter> I can run up simple spec.
26.10.2018 [22:17:34] <bdmc> Ted: I agree. Small steps.
26.10.2018 [22:17:39] <GuKKDevel> as I stated before merge and rebase give conflicting files; some conflicts with the notary-thing
26.10.2018 [22:17:49] <jandd> Peter: that sounds good
26.10.2018 [22:18:13] <bdmc> What version of Debian and PHP is the current target?
26.10.2018 [22:18:36] <Ted> GuKK: That's probably the "new points calculation"... Another monster of the past... :-)
26.10.2018 [22:18:39] <GuKKDevel> PHP 7 is the actual?
26.10.2018 [22:18:42] <egal> latest tarball is around one month old ... (it was a small bugfix for the umlaut-issue)
26.10.2018 [22:19:24] <bdmc> Skeeper: welcome to the party
26.10.2018 [22:19:41] <jandd> The current target should be Debian 9 and PHP 7.0 which is included there
26.10.2018 [22:19:43] <bdmc> egal: didn't that affect the git code?
26.10.2018 [22:19:56] <Skeeper> hi, sorry for being late
26.10.2018 [22:19:57] <bdmc> OK, so that is the specification.
26.10.2018 [22:19:59] <jandd> Debian 10 will probably be released next year with PHP 7.3
26.10.2018 [22:20:06] <GuKKDevel> and debian would be stretch
26.10.2018 [22:20:09] <Ted> https://secure.php.net/ says PHP 7.3 has been recently released
26.10.2018 [22:20:10] <egal> normally git should reflect the changes done in the tarball
26.10.2018 [22:20:36] <bdmc> But the upgrade from 7.0 to 7.3 ( or anything else ) would be relatively minor.
26.10.2018 [22:20:38] <nemunaire> 22:11 <nemunaire> is there any chance the PHP code can pass audits, required for browser inclusion? how much work is needed to do so vs. continuing birdshack vs. some fresh idea?
26.10.2018 [22:20:41] <nemunaire> oops
26.10.2018 [22:21:06] <Peter> PHP 7.2 is current on Ubuntu. PHP 7.2 warns about things that will disappear possibly as soon as PHP 7.3.
26.10.2018 [22:21:25] <Peter> You can no longer use each() in PHP.
26.10.2018 [22:21:45] <bdmc> Agreed, but the upgrade from 5.0 to 7.0 is much more significant.
26.10.2018 [22:22:13] <jandd> I suggest to try to target PHP 7.3 and remain compatible with PHP 7.0 until Debian 10 is released
26.10.2018 [22:22:44] <bdmc> That sounds reasonable.
26.10.2018 [22:22:45] <Ted> nemunaire: Hard to tell. Probably the current code is not auditable for lack of documentation.
26.10.2018 [22:23:30] <Ted> nemunaire: Birdshack is probably dead, or is there anyone left knowing the project?
26.10.2018 [22:23:41] <jandd> nemunaire: a reimplementation of any kind should start with a specification of the required features and a proper test suite. I would prefer some statically typed language like Java/Kotlin or Go but this is mostly a question of available developers
26.10.2018 [22:23:50] <jandd> Birdshack is dead
26.10.2018 [22:24:09] <egal> @nemunaire: as far as i remember, the current code will not pass an audit, as there are no specifications defined ... therefore the idea of birdshack was born ages ago, but got stuck ... another attempt was done by the benny-team some years ago, but there were major issues within cacert inc, which caused it to get stuck.
26.10.2018 [22:24:14] <jandd> none of the original developers is involved in CAcert anymore and there is no proper documentation
26.10.2018 [22:24:14] <Skeeper> I'm a security code reviewer, I tried to read some parts of the code to evaluate the implementation of CAA, but i think it needs a deep cleaning to be auditable
26.10.2018 [22:24:27] <Ted> nemunaire: Anything else should start with lots of documentation, or it will go the same way as birdshack.
26.10.2018 [22:25:02] <jandd> Ted:
26.10.2018 [22:25:06] <jandd> Ted: +1
26.10.2018 [22:25:10] <egal> @ted: correct ... and until then the most nasty bugs have to be fixed in the current software (like PHP-update)
26.10.2018 [22:25:14] <GuKKDevel> peter do you mean foreach?
26.10.2018 [22:25:27] <bdmc> No, different construct.
26.10.2018 [22:25:58] <Peter> while ( each()) is replaced with foreach()
26.10.2018 [22:26:12] <egal> months/years ago there was the idea to write proper documentation/specification and replace parts of the code step by step ...
26.10.2018 [22:26:49] <GuKKDevel> ted+1
26.10.2018 [22:27:05] <egal> ... like moving out some functions from PHP to a new coding/platform/language/... until everything is done ...
26.10.2018 [22:27:39] <jandd> I can try to start documenting the current code base (archeologist work) but I don't think I have enough time to finish this task anytime soon.
26.10.2018 [22:27:46] <bdmc> Sounds interesting. However, I agree. Write specifications, then documentation, then test specifications, then ....
26.10.2018 [22:28:11] <Peter> My current list (with each one a separate step for audit) 1. Change from mysql to mysqli
26.10.2018 [22:28:12] <Peter> 2. Replace each() with foreach()
26.10.2018 [22:28:12] <Peter> 3. Replace <?= with <?php echo
26.10.2018 [22:28:12] <Peter> 4. Replace <? with <PHP
26.10.2018 [22:28:12] <Peter> 5. Convert to new error class
26.10.2018 [22:28:12] <Peter> 6. Use autoloader class
26.10.2018 [22:28:29] <bdmc> Peter: Are you thinking PHPUnit, or something else? ( Or are you thinking? )
26.10.2018 [22:28:36] <bdmc> Peter: #4 ??
26.10.2018 [22:28:44] <egal> @jandd: i started to do it on the way to 27c3 ... but as nobody wanted to have it i don't know, where my documentation is now ... ;-(
26.10.2018 [22:29:09] <GuKKDevel> I could help documenting if advised
26.10.2018 [22:29:28] <Peter> with <?php
26.10.2018 [22:30:30] <Peter> Hexchat on screen one, Libreoffice on screen two, and no latte to wake me up.
26.10.2018 [22:30:33] <GuKKDevel> so the question to peter and brian: how much of code did you change?
26.10.2018 [22:30:34] <jandd> GuKKDevel: it is something like take every file, describe what it does, link to every other file/method/function that is called. Draw some diagrams. Tools can help a bit but it is mostly tedious manual work
26.10.2018 [22:31:03] <Ted> Concerning documentation: Maybe it would be better to go top down, first look at the web site and identify modules, like account management, web of trust management, support interface, ...
26.10.2018 [22:31:13] <bdmc> I don't remember any more. I would rather start again, as I said.
26.10.2018 [22:31:16] <Ted> Then specify what the modules should do
26.10.2018 [22:31:37] <Ted> Then look at the code and decide to upgrade it or to replace it.
26.10.2018 [22:31:53] <Peter> For <?= to <?php echo, it is 2000 changes across an unknown number of files. A global scan and replace. One patch.
26.10.2018 [22:31:59] <GuKKDevel> Ted this would be the second step I think
26.10.2018 [22:32:04] <bdmc> Ted: Actually both approaches could be useful, simultaneously. The bottom-up would describe the actual code, the top down would describe the needs and intents.
26.10.2018 [22:32:05] <jandd> Ted ... and hope that nothing critical is forgotten
26.10.2018 [22:32:24] <jandd> bdmc: I agree
26.10.2018 [22:32:34] <Ted> Yes, of course (to all of you). :-)
26.10.2018 [22:33:26] <Ted> But let's have a look at the manpower available
26.10.2018 [22:33:59] <Ted> There's no sense in making big plans, and then GuKK has to do everything alone!
26.10.2018 [22:34:35] <egal> and ... we only have two software-assessors for code-reviews ... ;-(
26.10.2018 [22:34:50] <Ted> The problem is: If we don't manage the upgrade then we'll have to close down CAcert within a year.
26.10.2018 [22:34:53] <jandd> ... and no automated tests to assist these reviews
26.10.2018 [22:35:12] <egal> ted and me ... so we shouldn't do any coding ... as it will lack getting reviews ...
26.10.2018 [22:35:25] <egal> (the issue i have since 2010 ... :-( )
26.10.2018 [22:35:26] <bdmc> That was why I was asking about automated tools for testing.
26.10.2018 [22:36:03] <bdmc> egal: I agree, we have already said that you two should be isolated from all of this work.
26.10.2018 [22:36:36] <egal> @bdmc: if doing code-review we don't need to test the code ... we have to ensure, that the code is working as expected and has no security-flaws ... :-)
26.10.2018 [22:37:04] <GuKKDevel> Peter, what is meant by #5 and #6
26.10.2018 [22:37:07] <egal> @bdmc ... yep ... unfortunately ... ;-( ... (and i like to code ... sometimes ... ;-) )
26.10.2018 [22:37:08] <bdmc> That was what I thought. I hoped that you wouldn't be going through the source code, line-by-line.
26.10.2018 [22:37:12] <Ted> ... the first one is usually hard to say without tests...
26.10.2018 [22:37:28] <nemunaire> but, how many more years CAcert will survive if there is no try to make move in the inclusion direction?
26.10.2018 [22:37:51] <egal> @ted: therefore we have testers: if they give us green light, it's up to us to do the review and give it to critical ... ;-)
26.10.2018 [22:38:05] <Ted> nemunaire: You won't believe it, but I'm hearing this since I joined CAcert. In 2005.
26.10.2018 [22:38:22] <bdmc> GuKKDevel: He is talking about modernising the code, bringing it into the 21st Century.
26.10.2018 [22:38:42] <bdmc> It is a relatively small change, compared to the rest.
26.10.2018 [22:38:53] <GuKKDevel> bdmc doesn't help me much
26.10.2018 [22:39:02] <bdmc> I know.
26.10.2018 [22:39:02] <jandd> egal: I see automated tests as a first line of defense against regressions. Code reviews add knowledge on top of this. In my day job I tell the teams "manual testing is a waste of human life" all the time.
26.10.2018 [22:39:17] <egal> as i said before: update the current code, fix the most nasty bugs ... and focus on a rewrite as soon as possible ...
26.10.2018 [22:39:43] <Peter> #5 PHP now has an error class and conflicted with the error class already used in openbiblio
26.10.2018 [22:40:05] <bdmc> As far as the 'error class,' it means isolating all of the error-handling code into a single area, and make calls to that code for both error handling and error reporting.
26.10.2018 [22:40:13] <Peter> #6 Autoloader used to be only a function. Now you can use a method of a class.
26.10.2018 [22:40:32] <egal> when doing the rewrite with proper documentation/specification we can (hm ... no should/have to) implement automatic regression-tests
26.10.2018 [22:40:32] <jandd> I do code archeology in my day job quite often. I could start writing the bottom-up spec based on the existing code if this would help.
26.10.2018 [22:40:44] <GuKKDevel> thanks peter
26.10.2018 [22:40:55] <Peter> There are 7297 uses of <?=
26.10.2018 [22:41:27] <egal> @jandd: at least for parts of the code so we/some of us get the point and are able to continue/finish the work ... ;-)
26.10.2018 [22:41:38] <egal> so you don't have to do the complete job alone
26.10.2018 [22:41:42] <bdmc> I would suggest that we create PHPUnit ( or something else ) tests as part of this current work.
26.10.2018 [22:41:50] <Peter> 1640 uses of <?
26.10.2018 [22:42:01] <jandd> bdmc: I did not write PHP code for ages
26.10.2018 [22:42:15] <bdmc> B-)
26.10.2018 [22:42:15] <GuKKDevel> can this be done while documenting in parallel?
26.10.2018 [22:42:41] <jandd> most of my work is JVM based as well as Python / Go code. I can read PHP but don't think I'm good at writing modern PHP code at all.
26.10.2018 [22:43:01] <Peter> Write problem, write test, then write code. Only way to ensure change can be tested.
26.10.2018 [22:43:14] <jandd> Peter: exactly
26.10.2018 [22:43:27] <bdmc> GuKKDevel: if that was to me, I would suggest that the developers would be responsible for test code.
26.10.2018 [22:44:16] <jandd> bdmc: this is the only possible way because unit tests verify the developer expectations
26.10.2018 [22:44:29] <bdmc> precisely
26.10.2018 [22:44:30] <GuKKDevel> bdmc: I thought about writing the test while documenting the source
26.10.2018 [22:44:31] <egal> @bdmc: developers should run their own test before giving it to "test" ... but then somebody has to test it independently from the original developer ... ;-)
26.10.2018 [22:45:12] <bdmc> egal: agreed. and then the test code is the "standard" to confirm accuracy.
26.10.2018 [22:45:16] <Peter> I can make code changes locally and upload them as a patch. For the PHP version changes, you would need to test against PHP 5 and PHP 7 in parallel to make sure there is no difference in result.
26.10.2018 [22:45:49] <bdmc> Peter: Unless we are going to ignore PHP 5, and just put the new code in the new Debian only.
26.10.2018 [22:45:54] <nemunaire> where/with which software the documentation will be done?
26.10.2018 [22:46:14] <jandd> we have jenkins.cacert.org if we have automated tests I can assist in setting up automatic jobs to run these on checkins
26.10.2018 [22:46:28] <bdmc> Peter: hmmm. Good point. Regression.
26.10.2018 [22:46:33] <egal> some years ago there was the idea to have automatic tests ... but unfortunately the code is more or less "coding a page from top to bottom, mixing layout, code and database-functions" ... which isn't easy to prepare for automatic tests ... ;-(
26.10.2018 [22:46:34] <Peter> Test PHP 7 against your current release
26.10.2018 [22:46:43] <jandd> nemunaire: I would use markdown or restructured text and put the documentation in a git repository
26.10.2018 [22:47:14] <jandd> ... maybe building an automatic HTML export like I do for infradocs.cacert.org
26.10.2018 [22:47:21] <Peter> Load an empty database with test data, run a test, then check the database has changed the right way.
26.10.2018 [22:47:28] <nemunaire> yeah, infradocs is great :)
26.10.2018 [22:47:56] <jandd> nemunaire: thanks :-)
26.10.2018 [22:48:40] <bdmc> Ummm. I know that nobody has brought this up, but don't we have a database upgrade to deal with, too?
26.10.2018 [22:49:46] <Ted> Is this expected to give any troubles?
26.10.2018 [22:49:51] <GuKKDevel> what database do you mean bdmc?
26.10.2018 [22:49:56] <jandd> Debian 9 has MySQL 5.5.9999 and MariaDB 10.1
26.10.2018 [22:50:08] <bdmc> What are we currently running?
26.10.2018 [22:50:45] <bdmc> I presume that the PHP code, with all of its mysql_ calls, is working against a MySQL database of some old version.
26.10.2018 [22:51:24] <jandd> test.cacert.org uses MySQL 5.5.60
26.10.2018 [22:51:25] <Ted> Server version: 5.5.60-0+deb8u1-log (Debian)
26.10.2018 [22:51:30] <Ted> (mysql)
26.10.2018 [22:51:41] <Ted> on the testserver
26.10.2018 [22:51:44] <bdmc> That's nice. Relatively new.
26.10.2018 [22:52:01] <bdmc> Oh, sorry. What about production?
26.10.2018 [22:52:08] <jandd> Ted: do you know whether that is the same as production?
26.10.2018 [22:52:45] <egal> i don't know ... maybe it's in the wiki, otherwise we need to ask wytze or mendel
26.10.2018 [22:52:47] <Ted> I'm assuming it, but don't know for sure. But if it works on testserver it shouldn't give much problems on production
26.10.2018 [22:53:13] <jandd> the systems overview page says it is Debian 8 so I would assume yes, but we should as Wytze/critical team to be sure.
26.10.2018 [22:53:29] <jandd> s/as/ask/
26.10.2018 [22:54:11] <jandd> as far as I am aware Wytze tried to keep test.cacert.org as close to production as possible in the past
26.10.2018 [22:54:31] <bdmc> OK, I have to run in about a minute. Feel free to assign me work, whether coding or perhaps documentation. We can continue this, after today, in cacert-devel@lists.c.o.
26.10.2018 [22:54:33] <Ted> Yes, at least as far as system configuration is concerned.
26.10.2018 [22:55:13] <jandd> bdmc: bye. Thanks for your input
26.10.2018 [22:55:45] <GuKKDevel> mysql-client-5.5:amd64/jessie 5.5.59-0+deb8u1 upgraded to 5.5.60-0+deb8u1 Updated 2018-04-20
26.10.2018 [22:56:12] <Peter> I have to go. I am subscribed to devel list.
26.10.2018 [22:57:17] <Ted> I would prefer not to continue much longer, it was a long day for me today...
26.10.2018 [22:57:34] <GuKKDevel> mysql-server-5.5:amd64/jessie 5.5.59-0+deb8u1 upgraded to 5.5.60-0+deb8u1 at the same date
26.10.2018 [22:58:03] <Ted> Is there anyone who can write a summary of this meeting on a wiki page (for example)?
26.10.2018 [22:59:05] <GuKKDevel> I will try, what name?
26.10.2018 [22:59:19] <GuKKDevel> where to connect?
26.10.2018 [23:00:29] <Ted> Hmm, how about https://wiki.cacert.org/Software/Meeting/20181026
26.10.2018 [23:00:44] <jandd> I just filed https://bugs.cacert.org/view.php?id=1443 as a reminder to myself to start with the documentation
26.10.2018 [23:00:58] <Ted> Dirk, do you know of an existing protocol area for software?
26.10.2018 [23:00:59] <GuKKDevel> ok ted
26.10.2018 [23:01:09] <GuKKDevel> where to anchor?
26.10.2018 [23:01:45] <jandd> egal: you mentioned that the current tarball is newer than the git repository. Where can I find the code changes? Are these included in the Github clone of git.cacert.org's cacert.git repository?
26.10.2018 [23:02:18] <GuKKDevel> jandd shall we communicate in this bug or shall we try IRC?
26.10.2018 [23:03:14] <Ted> GuKK: The software pages are such a mess! Probably anchor in a new paragraph on https://wiki.cacert.org/Software or https://wiki.cacert.org/Software/DevelopmentTeam...
26.10.2018 [23:03:29] <jandd> GuKKDevel: I suggest the bug for formal steps/done work. IRC for discussions. Mailing list to request feedback, report progress
26.10.2018 [23:04:27] <GuKKDevel> ok to both
26.10.2018 [23:06:26] <Ted> GuKKDevel: Try to do the summary at https://wiki.cacert.org/Software/Meeting/20181026, I'll try to do the organising.
26.10.2018 [23:07:02] <jandd> I'll create a new git repository for the documentation and setup a Jenkins job for HTML exports this weekend
26.10.2018 [23:08:54] <Ted> I'll continue trying to get testserver under control, that is: create a new testserver branch from release branch
26.10.2018 [23:09:14] <jandd> let's finish this meeting. I think we should do such short IRC meeting periodically (maybe once a month) to have checkpoints of where we are and what tasks should be done next
26.10.2018 [23:09:21] <egal> @gukkdevel ... do you remember the filechange, which was done to solve the umlaut-issue?
26.10.2018 [23:09:30] <Ted> So there's any chance to test till the automated tests are in effect, :-)
26.10.2018 [23:10:02] <Ted> jandd: +1
26.10.2018 [23:10:08] <egal> @jandd: i suggest to do it every 2 weeks ... one month is too long ... ;-(
26.10.2018 [23:10:18] <jandd> egal: fine for me
26.10.2018 [23:10:28] <GuKKDevel> ok for me
26.10.2018 [23:10:48] <Ted> I won't be present every time, but I'll try...
26.10.2018 [23:11:29] <jandd> Ted: we are all volunteers so nobody can expect that everyone is available every time :-)
26.10.2018 [23:11:31] <GuKKDevel> https://bugs.cacert.org/view.php?id=1441
26.10.2018 [23:12:13] <GuKKDevel> but it was only wytze who changed the parameters of PHP or apache
26.10.2018 [23:13:11] <egal> okay ... then the change is only for the make-file to import the language-files
26.10.2018 [23:14:22] <jandd> Wytze committed this change to http://svn.cacert.org/CAcert/SystemAdministration/webdb/
26.10.2018 [23:14:39] <GuKKDevel> did you get an answer from arbitration to check the affected userids?
26.10.2018 [23:14:59] <egal> unfortunately not ... ;-(
26.10.2018 [23:15:10] <GuKKDevel> ted can you help us?
26.10.2018 [23:15:21] <Ted> In Arbitration?
26.10.2018 [23:15:22] <jandd> who is still active in arbitration?
26.10.2018 [23:15:24] <GuKKDevel> you are an arbitrator or are you not?
26.10.2018 [23:15:40] <GuKKDevel> sorry wrong tone
26.10.2018 [23:15:59] <GuKKDevel> do you still work as arbitrator
26.10.2018 [23:16:05] <GuKKDevel> ?
26.10.2018 [23:16:10] <Ted> But since I'm also Education Officer I have to retire as Arbitrator due to the infamous ruling ...
26.10.2018 [23:16:22] <egal> ted is arbitrator ... but as there is the "Philipp"-ruling ted can't work as arbitrator ... ;-(
26.10.2018 [23:16:50] <GuKKDevel> how can this ruling be overruled?
26.10.2018 [23:16:57] <egal> but ... he can work as case manager ... and maybe train upcoming arbitrators ... ;-)
26.10.2018 [23:17:07] <jandd> egal: is this a deadlock situation then or do we have other active arbitrators?
26.10.2018 [23:17:19] <Ted> Or, maybe start with policy group to amend the ruling...
26.10.2018 [23:17:38] <GuKKDevel> Ted:+1
26.10.2018 [23:17:39] <egal> sometimes lambert, sometimes mario ... but somebody has to trigger them ...
26.10.2018 [23:17:56] <egal> alex_uk
26.10.2018 [23:18:30] <egal> but as soon as one of them takes a case as CM, he can't be arbitrator of this case ... ;-(
26.10.2018 [23:19:25] <Ted> Dirk: Let's phone next week about Arbitration deadlock!
26.10.2018 [23:19:32] <GuKKDevel> for the umlauts ted could do CM and alex_uk A?
26.10.2018 [23:19:36] <egal> per policy/manuals/... support engineers can work as CM, too ... but it wasn't practiced ... ;-(
26.10.2018 [23:20:07] <GuKKDevel> or egal as cm and alex as A?
26.10.2018 [23:20:24] <egal> therefore i asked board to name support-engineers as CM ... so joost or I can do CM for easy cases ... ;-)
26.10.2018 [23:21:05] <GuKKDevel> there was a voting on that and board as DRO gave you the order/right to handle so
26.10.2018 [23:21:28] <Ted> As you say, I'm not blocked as CM. But tell me which cases, and which Arbitrators!
26.10.2018 [23:21:45] <egal> @gukkdevel: in theory: yes ... there are two or three easy cases in the queue, which should be solvable easily by arbitration (to get some practise)
26.10.2018 [23:22:38] <egal> ted and i will give us a call next week ... so we can start acting as CM ... ;-)
26.10.2018 [23:22:50] <GuKKDevel> one case would be that we can solve the umlaut problem
26.10.2018 [23:24:08] <GuKKDevel> mail from wytze dated 22.6.2018
26.10.2018 [23:24:50] <AlainV_> I will leave now. See you next meeting.
26.10.2018 [23:26:38] <Ted> Cannot find the case in OTRS...
26.10.2018 [23:27:00] <GuKKDevel> was sent to support-queue
26.10.2018 [23:28:11] <GuKKDevel> request for arbitration on possible problems with recent new CAcert accounts
26.10.2018 [23:32:03] <FD> Is it the same deadlock situation which prevents updating the https://www.cacert.org/index.php?id=3 page for adding on it a hyperlink to CAcert root certificate signed using the SHA256 algorithm ? The certificate is available for downloading from the Wiki at the moment. Actually, it has to be found from the FAQ : https://wiki.cacert.org/FAQ#New_Root_Certificates
26.10.2018 [23:33:44] <GuKKDevel> I don't know exactly but I think this is another deadlock situation
26.10.2018 [23:33:56] <Ted> FD: Is this an arbitration issue or a code review issue?
26.10.2018 [23:34:35] <FD> As far as I understood, this is a code review issue.
26.10.2018 [23:35:22] <Ted> Then we may be able to unlock the issue... If it was not Dirk who wrote the fix.
26.10.2018 [23:35:35] <Ted> Have you any bugtracker number?
26.10.2018 [23:35:36] <GuKKDevel> I think there was someone who had concerns about the procedure the new key was generated
26.10.2018 [23:36:09] <GuKKDevel> that was before most of the developers left
26.10.2018 [23:36:57] <dops> Do you have a reference (case #, key word ...)?
26.10.2018 [23:37:03] <Ted> Ahh, I dimly remember. But the current keys are an audit fail anyway, so IMHO there's not an issue to replace an audit fail key with an audit fail key...
26.10.2018 [23:37:22] <GuKKDevel> and also was said, that therefore a change of the policy was necessary
26.10.2018 [23:38:40] <dops> A real concern could be that private keys were not safe during procedure. Other than that ... what Ted says.
26.10.2018 [23:39:03] <egal> as soon as a new audit starts (after we fixed/rewrote) our software new keys should be created ...
26.10.2018 [23:39:31] <egal> therefore we had the new roots&escrow-team (in the hands of magu), which does not exist anymore ...
26.10.2018 [23:41:13] <egal> from my POV the new roots is something we (software) can pick up again at a time new software is "in progress" ... which means: not now ;-)
26.10.2018 [23:41:26] <dops> You are not trying to tell that the current private keys are not private... ;-) but it's slightly off-topic here.
26.10.2018 [23:43:57] <egal> @dops: even if we're sure the current private keys are private ... are we able to convince an auditor about it?
26.10.2018 [23:44:18] <FD> @Ted : I did not check yet if someone wrote a ticket about the case.
26.10.2018 [23:44:55] <egal> most policies were written at a time iang was the auditor ... but at that time the current root keys were already active ...
26.10.2018 [23:45:11] <egal> so there was no process before how to handle them ...
26.10.2018 [23:46:10] <dops> no, but if we know that they are disclosed we nevertheless had to take some action. So the minimum criteria for the interim-new roots could be that we believe that the current private keys are as private as before. Then: roll out...
26.10.2018 [23:47:46] <GuKKDevel> dops: +1
26.10.2018 [23:48:24] <GuKKDevel> that keeps us the problems with the md5 apart
26.10.2018 [23:49:05] <dops> So if besides the PHP upgrade some could do something about them ... please tell where it is blocking.
26.10.2018 [23:50:04] <dops> Do you need arguing for a review?
26.10.2018 [23:57:04] <FD> @Ted : my point here is that Root CA MD5 is no more valid in browsers. Which basically makes barely possible to access web sites secured by CAcert server certificates. Both older MD5 signed Root CA and newly SHA256 signed Root CA may not qualify for the requirements of an audit. However, for the average user, at present Root CA MD5 is useless but available in the main page for downloading and Root CA SHA256 is mandatory to be used instead of the former,
26.10.2018 [23:57:04] <FD> but is buried deeply somewhere into the wiki pages. I would like to fix that absurdity.
26.10.2018 [23:58:11] <egal> @fd on some (non-critical) cacert-servers the resigned root is already in the chain ...
26.10.2018 [23:59:12] <dops> @FD: I guess we all know about that. Also Ted is not against it ("not an issue to replace")
27.10.2018 [00:00:21] <dops> Hope that we try to clarify what is the next necessary step ;-)
27.10.2018 [00:01:28] <Ted> Now, as long as I cannot see the complete case I cannot make any decision if I'm against or in favour. And probably my decision won't matter anyway. :-)
27.10.2018 [00:01:46] <egal> well ... my next step for today is to go to bed ... it's late enough ...
27.10.2018 [00:02:29] <egal> ... and i'll talk with ted about the root-key-resigning-bug next week by phone ...
27.10.2018 [00:03:16] <dops> that's worth a blog message (just kidding)
27.10.2018 [00:03:21] <dops> wish a good night all
27.10.2018 [00:03:40] <Ted> N8
27.10.2018 [00:03:48] <FD> Thanks, good night.
27.10.2018 [00:04:35] <egal> good night ... and ... thank you for attending this meeting ... ;-)
27.10.2018 [00:05:06] <GuKKDevel> night