
= Minutes of the MiniTOP on the 2011-08-02 =

== Setting ==
The MiniTOP will be held via telco at 22:00 CEST

Attendees: Magu, Benedikt F, Marcus, Dirk, Uli, Ted, Michael, Alex

== Topics ==

(skip to agenda)

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''


== Agenda ==
 1. PRO
 1. Milestone 3 of Software-Assessment project team reached? "Build + Document Emergency Patches Path"
  * As a side effect of writing the AGM 2010-2011 report, the question arose whether milestone 3 has been reached
  * This became possible through the last meeting's vote on parallel processing of patches
  * how about documentation?
 1. how to handle / work with git
  * git pull
  * git diff origin/release...origin/bug-921>bug921.patch
  * send to critical team by email (with template)
  * link to bug, who reviewed, people to cc

 1. Workshop - The List of open / running / unhandled bugs
  1. x^1^ Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] Weak keys [[https://bugs.cacert.org/view.php?id=918|bug #918]] / [[https://bugs.cacert.org/view.php?id=954|bug #954]] / [[https://bugs.cacert.org/view.php?id=964|bug#964]]
   * Current state:
   || {g} || pre mailing sent ||
   || {g} || keys revocation script to bulk revoke weak keys, new [[https://bugs.cacert.org/view.php?id=954|bug #954]], finished ||
   || {-} || dirk: DEV: [[Arbitrations/a20110312.1|a20110312.1]] [[https://bugs.cacert.org/view.php?id=918|bug#918]] Weak keys: /pages/account/..  4.php, 17.php  to combine ? (/includes/keygen.php) '''DEV''' <<BR>>vbscript needs to be improved with select box key size and lower limit to 2048 (based on [[https://wiki.mozilla.org/CA:MD5and1024]])<<BR>>Api CertEnroll (MS crypto provider)<<BR>>new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<<BR>>current state: test /account/4.php added to testserver<<BR>>Marcus will do detailed tests on Wed<<BR>>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] ||
   || {g} || Weak keys blog post, published ||
   || {0} || Weak keys article not yet published by Hanno ||
   || {b} || weak keys: problems with cryptostick (to test at [[events/FrOSCon2011|Froscon]] with Juergen ?) ||

  1. x^2^ [[https://bugs.cacert.org/view.php?id=827|Bug# 827]] and [[https://bugs.cacert.org/view.php?id=959|bug #959]] "Thawte" patch - Points-Count-Order-Change project - 2nd Review + deploy
   * Next step(s) ?
    * current state on production system? table points: count(id) > 150 points ?
    * fix points < 0 and points > 150 in bug 827 ?
    * included
   * missing: [[https://bugs.cacert.org/view.php?id=959|bug #959]] 2nd review
    * dirk to add note in bugtracker, done
   * todo:
    1. NEO: 2nd review of [[https://bugs.cacert.org/view.php?id=827|Bug# 827]]
    1. NEO: bundling [[https://bugs.cacert.org/view.php?id=827|Bug# 827]] and [[https://bugs.cacert.org/view.php?id=959|bug #959]] to critical team
   * [[https://bugs.cacert.org/view.php?id=959|bug #959]] deployed

  1. x^3^ [[https://bugs.cacert.org/view.php?id=637|Bug #637]] and [[https://bugs.cacert.org/view.php?id=953|bug #953]] and [[https://bugs.cacert.org/view.php?id=963|bug #963]] : Weak Passwords - 2nd Review + deploy
   * Overall result: Please evaluate if the session problem can be fixed! 
   * if password changed, cached info - reminder plz change pwd
   * session reset and error messages in system log
   * new [[https://bugs.cacert.org/view.php?id=963|bug #963]]
    * /includes/loggedin.php line 140 ff. to fix
    * Ted: checked-in cacert-devel, added to testserver
    * needs review, re-testing
   * Next steps:
    * [[https://bugs.cacert.org/view.php?id=637|Bug #637]] transferred to critical team
    * [[https://bugs.cacert.org/view.php?id=953|bug #953]] needs 2nd review, deploy
    * [[https://bugs.cacert.org/view.php?id=963|bug #963]] still open, to continue
   * {-} maybe we have a potential problem here: [[https://bugs.cacert.org/view.php?id=637|Bug #637]] is transferred to critical system, [[https://bugs.cacert.org/view.php?id=953|bug #953]] and [[https://bugs.cacert.org/view.php?id=963|bug #963]] aren't. 637 depends on 653 and 963. On testserver this _complete_ bundle works.

  1. x^4^ [[https://bugs.cacert.org/view.php?id=841|bug #841]] Problems on cert login
   * needs 2nd review - Ted, done<<BR>>needs bundling, done
   * NEO: did restructuring (sql query to subroutine), (Update 2011-07-26)
   * needs re-testing
   * needs 2nd review, bundling

  1. Dirk '''reminder''' (from last meeting) assure someone patches (checkboxes)
   || Dirk || DEV: [[https://bugs.cacert.org/view.php?id=894|bug #894]] problems with check-boxes on website forms (Assure someone) -> [[Arbitrations/a20091118.3|a20091118.3]] || {0} ||

  1. Review 1: review, add to cacert-devel, transfer to testserver
   || Dirk, Michael, Ted || [[https://bugs.cacert.org/view.php?id=957|bug #957]] Resize the comment field on [[https://secure.cacert.org/account.php?id=27]] so more information is visible || {0} ||
   || Dirk, Michael, Ted || [[https://bugs.cacert.org/view.php?id=965|bug #965]] 0000965: Outsource / fix Webdb text pages id=12, 13 || {0} ||

  1. Review bugs under testing (finished testing?) (Review 2?)
   || x^2^ [[https://bugs.cacert.org/view.php?id=827|bug #827]] "Thawte" patch (still running)<<BR>>related [[https://bugs.cacert.org/view.php?id=959|bug #959]] || needs 1 more test, needs 2nd review<<BR>>2nd review: also check -x<<BR>>tests done, 2nd review outstanding || {0} <<BR>> {g} ||
   || x^3^ [[https://bugs.cacert.org/view.php?id=637|bug #637]] and [[https://bugs.cacert.org/view.php?id=953|bug #953]] and [[https://bugs.cacert.org/view.php?id=963|bug #963]] weak password || needs 2nd review, not Micha -> Ted, done<<BR>>Overall result: Please evaluate if the session problem can be fixed! (new [[https://bugs.cacert.org/view.php?id=963|bug #963]]) || {g} <<BR>> {0} <<BR>> {0} ||
   || x^4^ NEO: [[https://bugs.cacert.org/view.php?id=841|bug #841]] Problems on cert login || needs 2nd review - Ted, done<<BR>>needs bundled<<BR>>NEO will check to get sql query extracted<<BR>>needs pushing<<BR>>pushed to testserver<<BR>>Needs Review & testing || {0} ||
   || [[https://bugs.cacert.org/view.php?id=910|bug #910]] Outsource board member list || from Webdb to wiki (id=8) (Part II) || {0} ||
   || [[https://bugs.cacert.org/view.php?id=955|bug #955]] change sort order Orga list || Possibility to change the sorting order for the organisation overview || {0} ||

  1. (review), to bundle, to deploy
   || [[https://bugs.cacert.org/view.php?id=942|bug #942]] CATS import (2) || complete re-test as of code changes<<BR>>fully re-tested by 2 testers || {0} ||
   || [[https://bugs.cacert.org/view.php?id=911|bug #911]] gpg bug || gpg keys expires 1970<<BR>>tests started 2 weeks ago<<BR>>needs review, deploy || {0} ||
   || [[https://bugs.cacert.org/view.php?id=940|bug #940]] help* to wiki || Outsource Webdb text pages help.php?id=0..9 to wiki<<BR>>needs review, deploy || {0} ||
   || [[https://bugs.cacert.org/view.php?id=953|bug #953]] failure on pwd change redirect || needs 2nd review, deploy || {0} ||

  1. Needs development, deployment, discussion
   || x^1^ Dirk, new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<<BR>>DEV: [[https://bugs.cacert.org/view.php?id=918|bug#918 (Part II)]] ([[Arbitrations/a20110312.1|a20110312.1]]) Weak keys: /pages/account/..  4.php, 17.php  to combine ? (/includes/keygen.php) '''DEV''' || current state: test /account/4.php added to testserver<<BR>>Marcus will do detailed tests on Wed<<BR>>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] || {-} ||
   || [[https://bugs.cacert.org/view.php?id=835|bug #835]] Assurer challenge (on testserver) || assigned to Ted, set to needs work, CATS to install on ca-mgr1 || {0} ||
   || [[https://bugs.cacert.org/view.php?id=943|bug #943]] change OA admin/assurer text || -> Ted, rejected, needs comment from OAO || {-} ||
   || [[https://bugs.cacert.org/view.php?id=958|bug #958]] || ADS Challenge, Advertising || {0} ||

  1. Deployed, Finished
   || Ted || [[https://bugs.cacert.org/view.php?id=921|bug #921]] Privacy Policy cleanup || Marcus: 2nd test {g} / Dirk, Ted: 2nd review {g} || {g} ||
   || Michael || [[https://bugs.cacert.org/view.php?id=954|bug #954]] ([[https://wiki.cacert.org/Arbitrations/a20110312.1|a20110312.1]]) Next: script to bulk revoke weak keys || deployed || {g} {g} ||
   || Michael || x^3^ [[https://bugs.cacert.org/view.php?id=637|bug #637]] weak password || deployed w/o [[https://bugs.cacert.org/view.php?id=953|bug #953]] and w/o [[https://bugs.cacert.org/view.php?id=963|bug #963]] || {g} ||
   || Michael || x^2^ [[https://bugs.cacert.org/view.php?id=959|bug #959]] - patch for [[https://bugs.cacert.org/view.php?id=827|bug #827]] Thawte patch/Points-Count-Order-Change project || deployed w/o [[https://bugs.cacert.org/view.php?id=827|bug #827]] || {g} ||

 1. strategy plans ... next: strategy for "New Roots & Escrow"
  1. idea: using indirect crl's ?
   * 2 crl's needed, one valid, one invalid crl server
   * more infos available ? who ?
    1. build testserver with special certs
    1. Magu, Michael to send instructions for test deployment
     * indirect CRL: RFC 5280 [[http://tools.ietf.org/html/rfc5280]] (chapter 5)
   * some meetings ago we defined testing requirements and a potential test scenario
   * to remind every meeting
  1. policy group: define requirements
   * multimember escrow method ?
    * needs risk analysis
    * potential candidates ?
     * Marcus to contacted Benedikt, will contact Thomas K
     * Next step(s)
  1. how does debian work ?
   * deferred to Froscon (end of Aug), CCCcamp (around Aug 10th)

 1. [[AGM/TeamReports/2011#Software-Assessment-Project|AGM reports 2010-2011]]
  * Software-Assessment project team report finished, plz review
  * Weak keys / Weak passwords missing
  * Sections added:
   * Weak Keys / Weak Passwords Arbitration cases
   * The Software-Testteam
   * Software-Assessment Documentation
   * Statistics
   * Summary

 1. Documentation Bugs.cacert.org Review
  * discussion about states to define, redefine
  * bugs documentation I ([[Software/Assessment/Documentation/bugs|bugs handbook]])
  * bugs documentation II (to incorporate into the [[Software/Assessment/Documentation|Software-Update-Cycle]] procedure/documentation)
  * Review, Update
  * SVG pictures have cut-off text in some browsers
   * u60: can't get it scaled

 1. CI (Update)
  * [[http://live.eclipse.org/node/1031|description to eclipse testpage]], [[http://adobedev.adobe.acrobat.com/p4101brizwr/|Webinar]]
  * deployment scenario:
   1. create testusers
   1. testing
   1. delete testusers
  * regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
  * reminder

 1. next meeting: Tuesday, August 9, 2011 22:00


== Minutes ==
 1. PRO
  * question from board -> PR officer
  * request to Alex
  * support from all
 1. Milestone 3 of Software-Assessment project team reached? "Build + Document Emergency Patches Path"
  * As a side effect of writing the AGM 2010-2011 report, the question arose whether milestone 3 has been reached
  * This became possible through the last meeting's vote on parallel processing of patches
  * how about documentation?
  * git allows several branches
  * documentation
   * who decides that issue is an emergency patch ?
   * disconnect machine from network
   * what if a check of user data is needed?
   * simple case: Software Assessor requests emergency patch thru critical admin
 1. publishing "Weak key" issue
  * awaiting Hanno's publishing
 1. how to handle / work with git
  * git pull
  * git diff origin/release...origin/bug-921>bug921.patch
  * send to critical team by email (with template)
  * link to bug, who reviewed, people to cc

  * git pull / git clone
   * git clone starts from scratch; local branches that existed before are not included
   * git pull
    * branches will be merged, but this doesn't cover all branches
    * local changes are not pushed to master
  * Ted: committed branch to wrong place instead of origin/release
 1. Froscon coordinations
 1. Workshop - The List of open / running / unhandled bugs
  1. x^1^ Arbitration case [[Arbitrations/a20110312.1|a20110312.1]] Weak keys [[https://bugs.cacert.org/view.php?id=918|bug #918]] / [[https://bugs.cacert.org/view.php?id=954|bug #954]] / [[https://bugs.cacert.org/view.php?id=964|bug#964]]
   * Current state:
   || {g} || pre mailing sent ||
   || {g} || keys revocation script to bulk revoke weak keys, new [[https://bugs.cacert.org/view.php?id=954|bug #954]], finished ||
   || {-} || dirk: DEV: [[Arbitrations/a20110312.1|a20110312.1]] [[https://bugs.cacert.org/view.php?id=918|bug#918]] Weak keys: /pages/account/..  4.php, 17.php  to combine ? (/includes/keygen.php) '''DEV''' <<BR>>vbscript needs to be improved with select box key size and lower limit to 2048 (based on [[https://wiki.mozilla.org/CA:MD5and1024]])<<BR>>Api CertEnroll (MS crypto provider)<<BR>>new [[https://bugs.cacert.org/view.php?id=964|bug#964]]<<BR>>current state: test /account/4.php added to testserver<<BR>>Marcus will do detailed tests on Wed<<BR>>some references added to [[https://bugs.cacert.org/view.php?id=964|bug#964]] ||
   || {g} || Weak keys blog post, published ||
   || {0} || Weak keys article not yet published by Hanno ||
   || {b} || weak keys: problems with cryptostick (to test at [[events/FrOSCon2011|Froscon]] with Juergen ?) ||
   * cert enroll infos under [[https://bugs.cacert.org/view.php?id=964|bug#964]]
   * vista and win7 works with other engine !CryptoAPI (?) => Cryptography API: Next Generation
    * [[http://msdn.microsoft.com/en-us/library/aa833130%28v=VS.85%29.aspx]]
   * Hanno published the article (July 28), link is in CAcert's blog post (July 30)

  1. x^2^ [[https://bugs.cacert.org/view.php?id=827|Bug# 827]] and [[https://bugs.cacert.org/view.php?id=959|bug #959]] "Thawte" patch - Points-Count-Order-Change project - 2nd Review + deploy
   * Next step(s) ?
    * current state on production system? table points: count(id) > 150 points ?
    * fix points < 0 and points > 150 in bug 827 ?
    * included
   * missing: [[https://bugs.cacert.org/view.php?id=959|bug #959]] 2nd review
    * dirk to add note in bugtracker, done
   * todo:
    1. NEO: 2nd review of [[https://bugs.cacert.org/view.php?id=827|Bug# 827]]
    1. NEO: bundling [[https://bugs.cacert.org/view.php?id=827|Bug# 827]] and [[https://bugs.cacert.org/view.php?id=959|bug #959]] to critical team
   * [[https://bugs.cacert.org/view.php?id=959|bug #959]] deployed
   * 2nd review and bundling by Ted
    * bundling instruction to critical team, deploy 15.php, and 7 days later 10.php

  1. x^3^ [[https://bugs.cacert.org/view.php?id=637|Bug #637]] and [[https://bugs.cacert.org/view.php?id=953|bug #953]] and [[https://bugs.cacert.org/view.php?id=963|bug #963]] : Weak Passwords - 2nd Review + deploy
   * Overall result: Please evaluate if the session problem can be fixed! 
   * if password changed, cached info - reminder plz change pwd
   * session reset and error messages in system log
   * new [[https://bugs.cacert.org/view.php?id=963|bug #963]]
    * /includes/loggedin.php line 140 ff. to fix
    * Ted: checked-in cacert-devel, added to testserver
    * needs review, re-testing
   * Next steps:
    * [[https://bugs.cacert.org/view.php?id=637|Bug #637]] transferred to critical team
    * [[https://bugs.cacert.org/view.php?id=953|bug #953]] needs 2nd review, deploy
    * [[https://bugs.cacert.org/view.php?id=963|bug #963]] still open, to continue
   * {-} maybe we have a potential problem here: [[https://bugs.cacert.org/view.php?id=637|Bug #637]] is transferred to critical system, [[https://bugs.cacert.org/view.php?id=953|bug #953]] and [[https://bugs.cacert.org/view.php?id=963|bug #963]] aren't. 637 depends on 653 and 963. On testserver this _complete_ bundle works.
   * 953: 2nd review, Dirk
    * go into repository
    * git fetch --all
     * no option all
    * git fetch origin
    * git diff origin/release...origin/bug-953
    * bundle: NEO
   * 963: addtl. for while loops ... Michael is checking
    * bundle: NEO
  1. x^4^ [[https://bugs.cacert.org/view.php?id=841|bug #841]] Problems on cert login
   * needs 2nd review - Ted, done<<BR>>needs bundling, done
   * NEO: did restructuring (sql query to subroutine), (Update 2011-07-26)
   * needs re-testing
   * needs 2nd review, bundling
    * => Ted on Wed

  1. Needs development, deployment, discussion
   1. change OA admin/assurer text
    || [[https://bugs.cacert.org/view.php?id=943|bug #943]] change OA admin/assurer text || -> Ted, rejected, needs comment from OAO || {-} ||
    * webdb names OrgAdmins as OrgAssurers and names OrgAssurers as OrgAdmins.
    * patch takes this issue into account
    * problem with menu link Org Admin .. is Org Assurers menu
     * but this menu includes one addtl. link "View" that is available for Org Admins
      * and Org Admins with master flag to add new admins
     * master flag is not described in OAP (!)
     * addtl master flag to revoke ?
     * rename to "Org Administration"
     * don't show menu to OrgAdmins
  1. Marcus: [[https://wiki.cacert.org/Arbitrations/a20110608.1|OA Arb mailing case (a20110608.1)]]: motion for mailing passed ([[https://community.cacert.org/board/motions.php?motion=m20110731.2|m20110731.2]])
   * next: translations

  1. [[https://bugs.cacert.org/view.php?id=966|bug #966]]
   * tests ok, but the question is, is OrgAdmin allowed to remove other admins ? yes or no?
   * current scenario doesn't allow removal of other admin
   * NEO: reset testserver state to fix state before bugfix
   * NEO: re-add bug 966 to testserver
   * bug needs more work, selection currently clashes with language setting (Delete != Löschen)
   * general problem in /pages/account.php with process variable, transfer of "cancel" pushes any action
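
The patch hand-off noted under "how to handle / work with git" (and the `git fetch origin` plus three-dot diff used for the bug #953 review), as an added example that is not part of the original minutes: it shows why the three-dot form yields a patch containing only the bug branch's own changes once release has moved on. The throwaway repository, file names and contents are constructed; only the branch names `release` and `bug-921` come from the minutes.

```shell
#!/bin/sh
# Added example: repository layout, file names and contents are constructed.
set -eu

g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build a throwaway "origin" (release + bug-921 branches), let release move
# on after the fork, then clone it as the reviewer's repository.
make_demo() {
    top=$(mktemp -d)
    {
        git init -q "$top/origin"
        g -C "$top/origin" symbolic-ref HEAD refs/heads/release
        echo "policy v1" > "$top/origin/policy.txt"
        g -C "$top/origin" add policy.txt
        g -C "$top/origin" commit -q -m "release baseline"
        g -C "$top/origin" checkout -q -b bug-921
        echo "policy v2 (cleanup)" > "$top/origin/policy.txt"
        g -C "$top/origin" commit -q -am "bug 921: privacy policy cleanup"
        g -C "$top/origin" checkout -q release
        echo "unrelated" > "$top/origin/other.txt"
        g -C "$top/origin" add other.txt
        g -C "$top/origin" commit -q -m "unrelated change on release"
        git clone -q "$top/origin" "$top/review"
    } >/dev/null 2>&1
    echo "$top"
}

# Three-dot form from the minutes: what the bug branch changed since it
# forked from release (diff against the merge base).
files_three_dot() {
    git -C "$1" fetch -q origin
    git -C "$1" diff --name-only "origin/release...origin/$2"
}

# Two-dot form: tip-to-tip comparison; later release commits show up as if
# the bug branch removed them, which pollutes the patch sent for review.
files_two_dot() {
    git -C "$1" diff --name-only "origin/release..origin/$2"
}

# Write the patch file that is handed to the critical team.
make_patch() {
    git -C "$1" diff "origin/release...origin/$2" > "$3"
}

top=$(make_demo)
make_patch "$top/review" bug-921 "$top/bug921.patch"
echo "three-dot touches: $(files_three_dot "$top/review" bug-921)"
echo "two-dot touches:   $(files_two_dot "$top/review" bug-921 | tr '\n' ' ')"
rm -rf "$top"
```

A second reviewer can regenerate the patch the same way from a fresh `git fetch origin` and compare it with the file received by email before it goes to the critical system.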


==== Fixed Action Items since last or within meeting ====

 || Ted || [[https://bugs.cacert.org/view.php?id=921|bug #921]] Privacy Policy cleanup || Marcus: 2nd test {g} / Dirk, Ted: 2nd review {g} || {g} ||
 || Michael || [[https://bugs.cacert.org/view.php?id=954|bug #954]] ([[https://wiki.cacert.org/Arbitrations/a20110312.1|a20110312.1]]) Next: script to bulk revoke weak keys || awaiting 2nd response || {g} {g} ||
 || Dirk, Ted || [[https://bugs.cacert.org/view.php?id=637|bug #637]] weak password || deployed w/o [[https://bugs.cacert.org/view.php?id=953|bug #953]] and w/o [[https://bugs.cacert.org/view.php?id=963|bug #963]] || {g} ||
 || Neo || [[https://bugs.cacert.org/view.php?id=959|bug #959]] - patch for [[https://bugs.cacert.org/view.php?id=827|bug #827]] Thawte patch/Points-Count-Order-Change project || deployed w/o [[https://bugs.cacert.org/view.php?id=827|bug #827]] || {g} ||

----

==== Action Items New ====
 || Uli || "Build + Document Emergency Patches Path" <<BR>>documentation<<BR>>who decides that issue is an emergency patch ?<<BR>>disconnect machine from network<<BR>>what if a check of user data is needed?<<BR>>simple case: Software Assessor requests emergency patch thru critical admin || {0} ||


Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''
<<Include(Software/Assessment/ActionItems)>>  

----
 . CategorySoftwareAssessment