19:00:01 #startmeeting Infrastructure (2011-12-01)
19:00:01 Meeting started Thu Dec 1 19:00:01 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:01 Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:01 #meetingname infrastructure
19:00:01 #topic Robot Roll Call
19:00:01 #chair smooge skvidal Codeblock ricky nirik abadger1999 lmacken dgilmore mdomsch
19:00:01 The meeting name has been set to 'infrastructure'
19:00:01 Current chairs: Codeblock abadger1999 dgilmore lmacken mdomsch nirik ricky skvidal smooge
19:00:18 * CodeBlock is here :D
19:00:30 * abadger1999 here
19:00:40 * wsterling here
19:00:56 * StylusEater is here
19:01:22 * skvidal is here
19:02:02 ok, let's go ahead and dive in.
19:02:05 #topic New folks introductions and apprentice tasks/feedback
19:02:23 any new folks want to introduce themselves? or apprentices want to talk about specific tasks or tickets?
19:02:45 note that I will be mailing out my monthly nag to apprentices later today. Please reply to it if you wish to remain in the fi-apprentice group
19:03:10 nothing from me.
19:03:31 ok, will move along then...
19:03:37 hi everyone
19:03:46 morning jac1bat0
19:04:19 jac1bat0: you sent an intro to the list... care to say hi and say a bit about your background and what you want to work on?
19:05:22 a linux newbie here, got some courses on linux and hooked into it ;) i'm really interested in sysadmin atm
19:05:42 are you more interested in the sysadmin side of things? or programming on our various web applications?
19:06:08 sysadmin, definitely
19:06:39 ok, cool. Do hang out in #fedora-admin / #fedora-noc and ask questions... we can see about getting you added to the apprentice group there to look and see what you might want to work on.
19:06:44 welcome again.
19:06:56 * nirik moves along then.
19:06:57 nirik, thanks
19:07:00 #topic Password / ssh key reset status and retrospective
19:07:14 so, we have a bit left to do on our mass password/key expire.
19:07:29 * nokia3510 waves
19:07:42 #action will be marking folks who haven't changed pass/ssh key inactive later today probably.
19:07:43 * pingou here (late)
19:07:59 we need to set a date to orphan/remove from acls those packagers who are inactive.
19:08:12 * nirik looks at schedule.
19:08:27 I think January before fudcon
19:08:50 yeah, how about 2012-01-10 or so...
19:08:52 that way packages can be dropped/fixed before final release
19:09:01 final feature freeze
19:09:01 when is alpha?
19:09:02 sorry
19:09:14 2012-02-14 to 2012-02-28 - F17 Alpha Freeze
19:09:18 * CodeBlock will make note to take cover at fudcon... as to not be physically harmed after we do this. :)
19:09:32 ok
19:09:41 well, doing it before fudcon also will give folks more chance to see and take ownership, etc.
19:09:52 but I don't care too much
19:10:06 any counterproposals to 2012-01-10 ?
19:10:31 no one is doing anything for the next 3 weeks. anyway
19:10:36 we could just set it on fire today
19:10:38 :)
19:10:44 +1
19:10:45 * skvidal is not seriously proposing that
19:10:45 +1 :)
19:11:03 but I do think doing some dry-runs of the orphaning
19:11:07 and we can get pelted with rotten vegetables at the show
19:11:13 * nirik shrugs. I'm ok with giving people time to do our work for us with bounces. ;)
19:11:15 and refining our tooling to discover what will implode
19:11:27 but I think this
19:11:29 yeah, absolutely.
19:11:29 if you're not a packager
19:11:33 and you're not in an admin group
19:11:36 you get deactivated
19:11:38 and no tears
19:11:40 the sooner it is done faster workaround can happen and people do what they are requested
19:11:57 #action tentatively remove inactive people from pkgdb on 2012-01-10. Can re-evaluate as we know more closer to the time.
19:12:09 nirik: here's what I suspect will happen
19:12:17 we'll catch a bunch of these people in the next week or two
19:12:20 any other thoughts from this long painful road?
19:12:31 and he deactivation/orphaning won't be as dramatic in january
19:12:34 s/he/the/
19:12:40 yeah.
19:13:15 I hope it's at least 3 more years before we go through this again, BTW.
19:13:28 it's a massive time and energy sink... but it needed to be done and I am glad we did it.
19:14:04 I think the next authN/Z energy sink will be 2fa
19:14:10 but that's just my guess
19:14:15 yeah, agreed.
19:14:27 ok, will move on unless something further on this...
19:14:43 #topic serverbeach / collab / hosted status
19:14:45 Seems we do this once per fedora infra-lead :-)
19:14:56 abadger1999: cool. Then I have done mine. ;)
19:15:02 abadger1999: oh so you're saying nirik is going to run for his life now?
19:15:10 so, some updates on serverbeach hosts.
19:15:15 We should make it happen just before the lead leaves, though instead of at the beginning ;-)
19:15:21 heh
19:15:42 We got old/bad hardware (boo), which they have now replaced with newer better hopefully hardware (yea!)
19:15:54 we still need to install and setup things on the new boxes.
19:16:28 * CodeBlock can start on that today if we have a list of what needs to start happening where
19:16:34 I'd like to try and get things moving/rescheduled on hosted and collab moves... but we will see how things shake out on the new hardware.
19:16:43 CodeBlock: install + setup raid1 on the disks,
19:16:49 On the plus side the rhel6 trac migration was looking not too bad at all.
19:16:56 CodeBlock: I did them 2 weeks ago before we found out they were old
19:17:25 skvidal: Is there a thing in infra-docs about it, by chance?
19:17:39 so, I think we could probably mass move hosted to a rhel6 instance without much doom... then look further down the road at migrating those things out to further hosts or whatever.
19:17:42 CodeBlock: it's a normalish virthost setup
19:17:54 CodeBlock: kickstart using vnc - go from there
19:18:03 CodeBlock: we can talk more about it post-meeting
19:18:07 skvidal: sure :)
19:18:09 and collab migration should be still hopefully pretty easy.
19:18:34 So, perhaps we can get some of it done before the holidays... perhaps not until early jan... should be able to figure out more in the next week.
19:19:25 any other thoughts on hosted/collab moves or serverbeach hosts?
19:19:37 #info new machines will be installed in the next few days.
19:19:49 #info will look at rescheduling collab and hosted moves after that.
19:20:28 #topic ibiblio machines status
19:20:40 So, we should have a new ibiblio03 showing up sometime...
19:20:53 smooge: any eta on that one?
19:21:04 we still need to migrate stuff off ibiblio01.
19:21:20 and we need to setup a download-ibiblio01 instance to replace serverbeach01.
19:21:37 on ibiblio02 or 03?
19:21:39 * LoKoMurdoK here
19:21:55 * LoKoMurdoK late :S sorry
19:21:59 skvidal: either way I guess. We do need to still migrate stuff off 01...
19:22:04 smooge: and lemme know about ibiblio03 showing up so I can plan my day of fun and frivolity there
19:22:12 once we have 01 all clear we can re-install it rhel6... and have another machine
19:22:38 if we could get 01 clear before we get 03 installed, we could re-install it at the same time.
19:22:40 skvidal, it has been ordered. I haven't gotten an email saying it's been invoiced yet so will let you know when that happens
19:22:43 but I don't know how practical that is.
19:23:03 smooge: kewl
19:23:20 ok what does having a download-ibiblio or download-sb get us
19:23:27 beyond torrents
19:23:47 smooge: well, it's a remote mirror we control... so we can point people there if phx2 has issues or is down.
19:23:57 or they have network issues reaching phx2.
19:24:24 * skvidal hmms
19:24:30 also, currently serverbeach01 is used/needed for boot.fedoraproject.org
19:24:37 would it make any sense to cram torrent02 together with download-ibiblio?
19:24:42 but that could possibly be adjusted.
19:24:43 or is that too much
19:25:07 skvidal: you mean serve the torrents from the mirrored files? or just on the same host?
19:25:19 same host
19:25:33 if they can fit, sure.
19:25:43 I guess they might both get heavy i/o at times.
19:25:47 well, I was thinking that hardlinks to the files for the mirrors...
19:25:48 right
19:26:31 oh warranty extension on ibiblio01 went through
19:26:33 might be better to separate them if we have enough space.
19:26:50 I would say separating the 3 big IOs would be a good idea
19:26:59 backups, torrent, download
19:27:06 yeah.
19:27:38 oh silly question for the man with too little caffeine, why aren't we making sb0X the new sb01 and have it be the backup?
19:28:02 please don't do the renumbering that way
19:28:07 for the love of all that is good and holy
19:28:07 smooge: well, I think it's bad to have bare hosts serving things...
19:28:14 * aeperezt sorry been late, but here
19:28:18 sb01 was 'special'
19:28:24 welcome aeperezt
19:28:25 "special" == frelling broken
19:28:39 sb01 wouldn't support any guests w/o crashing
19:28:41 yay
19:28:49 ok let's redefine the question a bit. Why not have a download-sb on one of the boxes?
19:29:01 disk space?
19:29:06 * skvidal doesn't know
19:29:07 smooge: we could, we just thought we had extra capacity on ibiblio...
19:29:24 yeah, disk is more limited at sb
19:29:44 new boxes have 2 x 250 I think...
19:30:36 sb01 is almost using 250 as is.
19:31:01 ah got it
19:31:02 ok
19:31:31 anything else on ibiblio stuff?
19:32:08 #topic Upcoming Tasks/Items
19:32:56 #info 2011-12-01 Flag day for password reset/new ssh keys.
19:32:56 #info 2011-12-01 nag fi-apprentice folks for december
19:32:57 #info 2011-12-08 - Fedora 14 end of life.
19:32:57 #info 2011-12-23 to 2012-01-02 - rh shutdown week.
19:32:57 #info 2012-01-13 to 2012-01-15 - FUDCON Blacksburg
19:32:57 #info 2012-02-14 to 2012-02-28 - F17 Alpha Freeze
19:33:36 I'll add in new dates for collab and hosted migrations when we can figure them out.
19:33:45 I have sync'd most of F14 over to archive. I just need to do a last rsync after EOL and then I can talk with mdomsch about what needs to be done in MM
19:33:46 any other upcoming items folks want to discuss/mention?
19:34:05 smooge: cool. dgilmore or I could do the announcement... need to also turn it off in koji.
19:34:40 We'll want to add the "orphan packages" into that list.
19:34:47 oh yeah. ;)
19:35:04 2012-01-10?
19:35:05 Probably also the deprecate orphaned packages -- but that may be something that releng coordinates.
19:35:05 2012-01-10
19:35:17 yeah.
19:35:26 abadger1999: yeah, there's a per cycle time to do that.
19:35:45 * abadger1999 just wants to know there's some time between those two events
19:36:21 otherwise, "Tue: hey we've orphaned packages with inactive maintainers" "Wed: Hey, we've retired all those packages you thought you might want to take"
19:36:26 http://fedoraproject.org/wiki/Deprecate_orphaned_packages
19:36:34 it's right before feature freeze.
19:36:53 2012-03-20
19:37:08 so that gives folks a bit more than 2 months.
19:37:49 * nirik will move on in a minute if nothing more on upcoming tasks.
19:38:03 nirik: Schedule page says feature freeze is 2012-02-07
19:38:14 huh?
19:38:17 * nirik re-looks
19:38:34 oh, so it is.
19:38:42 so about a month?
19:38:51 yeah.
19:38:56 Fine with me.
19:39:04 should be enough time I hope. ;)
19:39:24 ok, moving on then...
19:39:26 #topic Meeting tagged tickets:
19:39:27 https://fedorahosted.org/fedora-infrastructure/report/10
19:39:33 we have a meeting tagged ticket. Hurray!
19:39:41 .ticket 3043
19:39:43 :-)
19:39:47 nirik: #3043 (Password Complexity) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/3043
19:40:34 so, I guess I don't mind this change (2 or 3 char required)... but I'm just worried we will keep adding things and get the brute force set too low. ;)
19:40:53 The ticket is a continuation of a conversation started in #fedora-admin and on the list.
19:41:26 what is the minimum length
19:41:33 see also:
19:41:39 .ticket 3027
19:41:39 I sent off an email about it -- we need someone better versed in math than I to really analyze the brute force differences.
19:41:41 nirik: #3027 (Check the FAS password against dictionary words) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/3027
19:41:59 but 2 char requirement seems very low impact (both positive and negative).
19:42:03 I'm wondering if we should employ a combination of more complex + other deterrents
19:42:19 StylusEater: you mean like hammers to the finger tips?
19:42:34 picture of skvidal ? :)
19:42:56 smooge: "A passphrase with symbols, upper and lowercase letters, and digits must be at least 9 characters"
19:43:01 I try to login ... fails ... page loads but login box is disabled for x seconds ... I fail again ... login disabled for x+5 seconds ... etc.
19:43:11 also, the cost increases to documentation...
19:43:12 pingou: you want to entice them to change their passwords w/a reward? :)
19:43:20 we have to add this to the change template...
19:43:27 but I'm ok with the 2 char thing.
19:43:29 smooge: 3 char diversity requirement will only impact the "lowercase only" case (20 chars) and the letters and digits case (12 chars)
19:44:05 as the more stringent requirements already encompass needing to have multiple chars.
19:44:06 smooge: aA1 is considered as 3 chars
19:44:27 "A passphrase with lowercase letters and digits must be at least 12 characters" to "A passphrase with lowercase letters and digits must be at least 12 characters with at least 2 different letters used"
19:44:33 for instance, the 9 char case requires a minimum of 4 different chars (an uppercase, a lowercase, a digit, and a symbol)
19:45:45 one thing I saw in some of the recent feedback about password changes was that some people liked how simple and easy to see our guidelines were. ;)
19:46:21 so, perhaps we need to try and find some folks more versed in security to give us some feedback?
19:46:31 +100
19:46:34 Hmm I think our guidelines should be simple. I would say hand it over to mark cox's group and ask for input
19:46:46 or bresser
19:47:10 yeah, I was thinking bress.
19:47:19 nirik: do we know of anyone?
19:47:20 ahh ok
19:47:35 see: http://www.bress.net/blog/archives/200-Expanding-Red-Hats-Product-Security-Efforts.html
19:47:42 they might be able to look for us.
19:48:03 I can ping him and see if that's possible.
19:48:13 I am guessing we will get bonus points of "we asked this time and are implementing what the experts said. if you don't like it become an expert yourself."
19:48:20 #action nirik to talk to bressers and see if they can give us some help there.
19:48:44 so, shall we just wait on this until we hear back?
19:48:48 sorry I am rather grumpy, irritable and hostile today
19:49:14 I think it would be a good idea.
19:49:16 nirik: we can
19:49:44 if people have made 'aaaaaaaaaaaaaaaa' their password well they only have themselves to blame for being so passive aggressive.
19:50:13 yeah, everyone knows 'zzzzzzzzzzzzzzzzzzz' is more secure. ;)
19:50:19 exactly
19:50:23 #topic Open Floor
19:50:28 it makes no difference statistically
19:50:28 any items for open floor?
19:50:31 .ticket 2997
19:50:34 wsterling: #2997 (Create a script to check whether GeoIP updates remove used country codes) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/2997
19:50:39 I have a stalled ticket
19:50:43 nirik: I'm okay with implementing 2 char diversity now.
19:50:45 I've got the same combination on my luggage!
19:50:46 I'm not sure how to move it forward
19:51:01 spot: not 007 ?
19:51:18 spot, next FUDcon I do come to, and you are there, I will leave a surprise for you in there
19:51:20 lol
19:51:26 hahaha
19:51:30 than that I'm more than happy if we can get expert advice :-)
19:51:53 my luggage only allows me to use lowercase and numbers. I can't get any of the required symbols
19:52:04 abadger1999: well, I suppose that would be ok, but how do we modify the docs? is there a way to make it not sound confusing?
19:52:17 * nirik doesn't have a lock on his luggage. ;)
19:52:25 wsterling, ok for your ticket
19:52:30 what have you got so far
19:52:42 I have the script I wrote and attached to the ticket
19:53:17 It was run manually and no bad country codes were found other than those that were added for testing the script
19:53:22 nirik: Mmm.. that's true. 2 chars only affects the 20 characters... so I think I can think of something.
19:53:33 wsterling: I'd say see if you can work with abadger1999 to get that setup ?
19:53:39 I think it now needs to be put into a cron or some other documentation to be run regularly
19:53:45 wsterling: we need to I think add it as a cron... yeah.
19:54:01 wsterling: I can help you -- we'll add a cron job in puppet to handle it.
19:54:37 abadger1999: If you are going to be on-line tonight I'll try to work with you to get that done then.
19:55:11 wsterling: I have karate tonight... maybe someone else would be better if that's when you/they are available.
19:55:14 abadger1999: it needs to be modified to source in the fas.conf
19:55:49 skvidal: ah. Okay, let's see if I can prep that part of it now.
19:56:08 wsterling: then you can work on the cron job with someone else tonight (or catch me tomorrow)
19:56:17 ok, sounds good
19:56:28 wsterling: and I'm sorry about dropping that ticket - last week went left for me
19:56:33 wsterling: and I forgot about it
19:56:47 (worthy of note I'm still not getting ticket updates on it)
19:56:47 skvidal: NP
19:57:17 ok, any other open floor stuff?
19:57:29 fedora-review-server ?
19:57:45 just to get an idea if you guys think the idea is interesting/worthwhile
19:58:11 as at the end you will be concerned if it goes through
19:58:19 pingou: I added some feedback... but I think you might get more from devel list.
19:58:37 if we do decide to move forward on it, it would be a RFR
19:58:53 Request For R?
19:59:06 Resources
19:59:11 ah, thanks :)
20:00:03 http://infrastructure.fedoraproject.org/infra/docs/requestforresources.txt and http://fedoraproject.org/wiki/Request_For_Resources
20:00:22 ie, we want to make sure this is well maintained and deployed in a good manner. ;)
20:00:32 agreed there :)
20:00:59 pingou: so, I would say if you want try asking devel list what they think... be ready for emails. :)
20:01:29 nirik: that's one reason why I wanted to have a feeling by asking infra first :)
20:02:08 I think it's something we talked about in the past, but it's a lot of work to setup and code, so no one really pushed it.
20:03:50 * nirik will close out in a minute if nothing more.
20:04:34 Thanks for coming everyone!
20:04:37 #endmeeting