Minutes of the MiniTOP on 2011-10-25

Setting

The MiniTOP will be held via telco at 22:00 CEST

Attendees: Marcus, Uli, dirk, sven, Michael

Topics

Action items from last meeting: Meeting Action Items

Agenda

  1. bug #976 - database restructure preparation

    • raw transcript from meeting results: sql structure modifications as discussed within meeting

    • New table to add: high potential domains to secure (mozilla blue print)
    • proposed testserver deployment - when ?
    • results from meeting 2011-10-18
      • deletedwhen - to rename to deleted type datetime
      • from - to rename to creatorid
      • enum - or not enum for cca method
      • add table "mozilla blue print" domains
        • proposal michael: to add this as file, also to deploy to signer
      • sql update? or php script?
        • adding versioning number ? table verno, when type datetime
    • new infos from this week:
    • Update?
  2. The List of open / running / unhandled bugs - Part I
    1. bug #827 patch

      • Dirk, Michael

        bug #827 and bug #959 Thawte patch/Points-Count-Order-Change project

        related bug 959: needs 1 more test, needs 2nd review / 2nd review: also check -x / tests done, needs 2nd review
        959 {g} reviewed, deployed
        827 {g} reviewed, deployment in 2 steps
        deployed, report from Wytze

        {g}
        {0}

        • dirk needs results from arbitration a20100822.1 request to magu

    2. dirk sent update 2011-10-18: michael transferred to testserver
      • michael: one notary record inserted via sql: date < 30.8.2006, awarded=0, points=35

      • test: 10.php: 35 points, 15.php shows 0 points => bug not fixed

      • problem was reported by Hans, needs to be fixed: awarded = 0, points = 35, assurance date < 1.9.2006

        • there still exist 2 notary table records for test purposes to check this bug

          script                                  10.php      15.php      43old       43new
          assuree's view, assurances received     35 pts {g}  35 pts {g}  35 pts {g}  35 pts {g}
          assurer's view, assurances given        35 pts {g}  0 pts {r}   35 pts {g}  0 pts {r}

    3. New proposal: scripted mailing for 0:0 F2F cases with detailed instructions
      1. get information on how many 0:0 cases we have ?
        • info from last years arbitration a20100822.1 ? (documentation is not yet avail)

        • Lambert as Arbitrator, Martin as Case Manager and dirk in role as SA as Claimant should know the answer
      2. is it possible to update 15.php script to signal the 0:0 F2F assurance cases ?!? eg by color blue or background color light yellow ?
        • dirk: 15.php can be easily upgraded - not only color also italic
      3. to prepare an arbitration process for a scripted mailing announcement
        1. to the assuree's who may lose points caused by 0:0 cases
        2. to the assurers, who can re-apply their assurance over assuree's with the 0:0 problem
      4. arbitration initiated
      5. wiki faq created: FAQ/NewPointsCount#YellowLines

    4. PR work - Update?
      1. newsletter mailing: ok from board m20111016.2 and m20111023.2

      2. newsletter reviewed English revision PR/News/NewPointsCalculation

      3. translations in progress
      4. script sql query to prepare based on events/oa mailing
        • request for statement by critical team
        • proposal by critical team:
          1. to pace the email sending out a bit, e.g. by doing a chunk of 1000, then waiting 19 minutes (by a programmatic sleep) before starting the next chunk of 1000 etc
          2. pushing out the whole mailing will take somewhere between one and two full days
          3. reduce Postfix' maximal_queue_lifetime from the default 5 days to say 2 days
          4. Basically a20100309.1 already gives permission for this mailing, except that it outlines a somewhat different technical implementation of such mailings. But policy-wise there doesn't seem to be a difference to me with what we are proposing here, so why bother with addtl arbitration?

      5. Software-Assessors / developers to prepare a sql-query that can handle above requirements, also to handle locally translated text
        • script to use from events + OA mailing, SA's to build a sql query, sending to critical team
    5. Questions from last 5 meetings:
      • dirk: when will 827 go to production ?
  3. Michaels workqueue
    1. Translingo
      • bug #985

      • https://translations.cacert.org (http://translations.cacert.org/) (replacement for translingo)

      • the translingo.cacert.org had been in operation far longer, so I think it is possible that some users migrated to translingo.cacert.org, without telling us.
      • I would suggest to mass-mail the email addresses of the translation-project leaders in the translingo database, to inform them, and to ask them to speak up if they still need it
      • last foreign uploads 2008 on about 13 + cacert projects
      • who has translingo server console access?
        • mario
      • req for console access for michael to contact project leaders, Updates?
      • Transfer In, Transfer Out problems
      • Update from new deployment ?
      • opened for: create an account can now be started
      • Michael current state:
        • import and export routine works
        • script to incorporate updates needs fixed
      • next: complete language handling needs to be updated
      • accept lang handler needs fix
        • FF de, de_de
        • IE 6 de, 8,9 de_de
      • working session within last meeting: michael, marcus
        • infos from meeting 2011-10-18
          • pdf code needs rewrite (Unicode library, move to external server (outsourcing))
          • message cert notification - uses perl code, text source not avail (get bind-text-domain)
      • current state?
    2. New function to TMS - edit notary table record
      • bug #980

      • infos from last meeting
      • testers needs editing individual notary records: fields "method", "awarded", "points"
      • easier to create notary records with testserver (add F2F), and edit existing record, doesn't need to check for assurer-from, assuree-to and so on
      • Update?
  4. Dirks workqueue - The List of open / running / unhandled bugs
    1. VBscript for Vista/Win7 (select keysize >= 1024) - reminder to dirk

      • x1 Dirk, new bug#964
        DEV: bug#918 (Part II) (a20110312.1) Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV

        current state: test /account/4.php added to testserver
        Marcus will do detailed tests on Wed
        some references added to bug#964

        {-}

      • as part of
      • x1 Arbitration case a20110312.1 Weak keys bug #918 / bug #954 / bug#964

      • Current state:
        • {g} pre mailing sent
        • {g} keys revocation script to bulk revoke weak keys, new bug #954, finished
        • {-} dirk: DEV: a20110312.1 bug#918 Weak keys: /pages/account/.. 4.php, 17.php to combine ? (/includes/keygen.php) DEV
          vbscript needs to be improved with select box key size and lower limit to 2048 (based on https://wiki.mozilla.org/CA:MD5and1024)
          Api CertEnroll (MS crypto provider)
          new bug#964
          current state: test /account/4.php added to testserver
          Marcus will do detailed tests on Wed
          some references added to bug#964
        • {g} Weak keys blog post, published
        • {g} Weak keys article published by Hanno (July 28), link is in CAcert's blog post (July 30)
        • {b} weak keys: problems with cryptostick (to test at Froscon with Juergen ?)

      • cert enroll infos under bug#964

      • vista and win7 work with other engine CryptoAPI (?) => Cryptography API: Next Generation

      • Update (5th week) ?
      • dirk: has not started the virtual machine
      • Question from Marcus: did someone contact illuminat?
        • No, Marcus: to contact illuminat
      • Update?
    2. Advertising
      1. Prepare Advertising fix for testserver - reminder to dirk

        • Dirk

          Advertising (from last board meeting), bug #958

          add changes as discussed in last meeting to testserver

          {0}

        • CAcertInc/LogosForSale/Rules wiki link exist

        • "buy me" logo / "Logo For Sale" logo / "Monthly Auction on Logos" logo
        • Logos and Links exist, needs deployment to testserver
        • Update (6th week) ?
  5. Bugs rejected in review 2
    • 2

      uli, ted

      bug #794

      visibility over certificates for sysadm in account administration, new update 2011-09-24

      {-}

      ? / u1 / m1

      • shorten ttl for certs on testserver modification?
      • update?

      9

      uli

      bug #823 email address removal fix

      No warning when removing e-mail address from account that certificates will be revoked
      checked by 4, needs 2nd review, deploy

      {-}

      ? / u9 / m9

      • update?
  6. Bugs to Review #1, transfer to testserver - Currently 4

    • uli

      bug #977 admin console text fix

      admin console Sysadmin - find domain - lists 2 tables - one for user accounts, one for org accounts, naming issue

      {0}

      uli

      bug #967 OA isassurer check

      Give an OA the opportunity to check if a designated Organisation Administrator is a CAcert assurer

      {0}

      uli

      bug #859 admin console interface

      feature request: show activity on an account in the admin interface, new update /!\

      {0}

      inopiae

      bug #981 OA overview (dupe of bug #943)

      New layout of view for Organisation Administrators in account/id35

      {0}

  7. Bugs under testing: - Currently 4

    • neo

      bug #985 move translingo to translations

      check language settings under testserver

      {0}

      inopiae

      bug #920 Join - single name only (eg Indonesian)

      details under bug number

      {0}

      uli

      bug #855 admin console interface "unknown" + "empty" assurance method fields, needed for correct testing on testserver

      admin console lists "empty" and "Unknown" assurance types on listing given Assurances

      {0}

      3

      Dirk

      bug#894 assure someone patches (checkbox)

      (incl wot.php changes)
      tested by 2, needs 2nd review, deploy
      new test round

      {0}

      ? / u1 / m1

  8. Needs 2nd review + transfer to Critical team, to bundle, to deploy - Currently 4 (!!!)

    • define priority eg. 10,2, and so on
    • proposed order: from 1 to 10

      5

      uli, ted

      bug #968 error logging cleanup (split bug #909)

      split 0000909: too many error messages logged - part II - general.php
      create certs,certs,certs
      2 sessions: 2011-09-21 + 2011-09-25
      more tests needed
      create certs,certs,certs,certs
      create client, server, gpg keys, org client and server certs

      {0}

      ? / u4 / m5

      7

      uli, ted

      bug #789 OA edit domain fix

      Editing domain for organisations does not work
      new update 2011-09-26

      {0}

      ? / u7 / m7

      8

      Ted, uli

      bug #957 Resize the comment field on https://secure.cacert.org/account.php?id=27 so more information is visible

      last update 2011-08-19
      tested 3 times
      ready to deploy?

      {0}

      ? / u8 / m8

      10

      uli, Ted

      bug #965 0000965: Outsource / fix Webdb text pages id=12, 13

      addtl. id=37, id=38, new update 2011-09-25

      {0}

      ? / u10 / m10

      • #1 reviewed and transferred by Michael within meeting
  9. Needs development, deployment, discussion
    1. bug #835 Migrate CATS onto testserver

      • bug #835 Assurer challenge (on testserver)

        assigned to Ted, CATS to install on ca-mgr1, awaiting deployment

        {0}

    2. bug #943 change OA admin/assurer text

      • bug #943 change OA admin/assurer text

        -> Ted, rejected, needs comment from OAO

        {-}

      • webdb names OrgAdmins as OrgAssurers and names OrgAssurers as OrgAdmins.

      • patch takes this issue into account
      • problem with menu link Org Admin .. is Org Assurers menu
        • but this menu includes one addtl. link "View" that is available for Org Admins
          • and Org Admins with master flag to add new admins
        • master flag is not described in OAP (!)

        • addtl master flag to revoke ?
        • rename to "Org Administration"
        • don't show menu to OrgAdmins

      • dupe bug# 981
    3. bug #824 Org User cert fix

      • uli, Ted

        bug #824 Org User cert fix

        Organisation User Certificates: Need UI improvement for proper production usage
        working session: needs to be removed from testserver, done
        Case study

        {0}

    4. bug #988 TTP cap form deployment

      • uli

        bug #988 TTP cap form deployment

        Case study

        {0}

  10. strategy plans ... next: strategy for "New Roots & Escrow"

    1. idea: using indirect crl's ?
      • 2 crl's needed, one valid, one invalid crl server
      • more infos available ? who ?
        1. build testserver with special certs
        2. Magu, Michael to send instructions for test deployment
      • meetings ago we've defined Testing requirements and a potential test scenario
      • to remind every meeting
      • Michael: testserver environment deployment
    2. policy group: define requirements
      • multimember escrow method ?
        • needs risk analysis
        • potential candidates ?
          • Marcus to contacted Benedikt, will contact Thomas K
          • Next step(s)
    3. how does debian work ?
      • deferred to Froscon (end of Aug), CCCcamp (around Aug 10th)
  11. CI (Update)
    1. description to eclipse testpage, Webinar

      • deployment scenario:
        1. create testusers
        2. testing
        3. delete testusers
      • regression test for standard tests: eg 0,1,49,50,51,99,100,101 pts w/ and w/o CATS passed
      • reminder
    2. Jubula Test-Tool (by Michael) - update?
    3. new proposal by Sven: Webdriver with Maven and Jenkins-CI
      1. Jubula vs. Webdriver
      2. testserver variants
        1. testserver for manual tests
        2. testserver of OS and application upgrades
        3. testserver for CI
      3. test methods
        1. unit test
          • test single modules, exceptions
        2. integration tests
          • test interaction of modules
        3. system tests
          • complete system test, with database interactions, module interactions and much more
      4. Updates?
  12. Infrastructure separation
    • info from funkfeuer.at
    • power input of dl blade server?
      • DL380G3-power calculation
        
        Total System Input power requirement (W)      485              x1)
        Total System Input measured (W)               265 Lo, 292 Hi
        x1) source: http://h30099.www3.hp.com/configurator/calc/Power Calculator Catalog.xls
    • proposal by mario:
      • buy new machine: sample proposal alternate individual pieces: Euro 1042
        • (1x Rasurbo BC-10, 1x Intel® DB65ALB3, 1x Intel® Core™ i7-2600, 4x Kingston ValueRAM DIMM 8 GB ECC, 2x Western Digital WD2002FAEX 2 TB)
    • infos from meeting 2011-10-18
      • other hosting providers
        • hetzner: 50 euro server + setup 150 euro once + ip's: 22 euro
        • funkfeuer: + ip's: unknown
      • ip's needed: 24-30
    • updates?
  13. next meeting: Tuesday, November 01, 2011 22:00

Minutes

  1. pre-meeting discussions
    • T-Dose in 10 days, this or next week #976 should become active
    • bug#827 needs pushed
    • spam attacks
    • 3 high prio topics: 976, 827, spam attack
  2. bug #976 - database restructure preparation

    • raw transcript from meeting results: sql structure modifications as discussed within meeting

    • New table to add: high potential domains to secure (mozilla blue print)
    • proposed testserver deployment - when ?
    • results from meeting 2011-10-18
      • deletedwhen - to rename to deleted type datetime
      • from - to rename to creatorid
      • enum - or not enum for cca method
      • add table "mozilla blue print" domains
        • proposal michael: to add this as file, also to deploy to signer
      • sql update? or php script?
        • adding versioning number ? table verno, when type datetime
    • new infos from this week:
    • Update?
      • new modifications see above
    • detailed discussion regarding CCA table
      • comment field to name as method?
      • type -> boolean

    • adding version table
    • latin-1 is db standard
    • sql script will be prepared by Michael
  3. bug #827 - New Points calculation / Thawte patch

    1. bug #827 patch

      • Dirk, Michael

        bug #827 and bug #959 Thawte patch/Points-Count-Order-Change project

        related bug 959: needs 1 more test, needs 2nd review / 2nd review: also check -x / tests done, needs 2nd review
        959 {g} reviewed, deployed
        827 {g} reviewed, deployment in 2 steps
        deployed, report from Wytze

        {g}
        {0}

        • dirk needs results from arbitration a20100822.1 request to magu

      • dirk sent update 2011-10-18: michael transferred to testserver
      • michael: one notary record inserted via sql: date < 30.8.2006, awarded=0, points=35

      • test: 10.php: 35 points, 15.php shows 0 points => bug not fixed

      • problem was reported by Hans, needs to be fixed: awarded = 0, points = 35, assurance date < 1.9.2006

        • there still exist 2 notary table records for test purposes to check this bug

          script                                  10.php      15.php      43old       43new
          assuree's view, assurances received     35 pts {g}  35 pts {g}  35 pts {g}  35 pts {g}
          assurer's view, assurances given        35 pts {g}  0 pts {r}   35 pts {g}  0 pts {r}

      • problem awarded = 0, points = 35 -> assurances given wrong calculation

      • dirk checks 15.php
      • new patch by dirk, michael transferred to testserver, marcus tested: 15.php ok
      • fix for 43.php needs to be fixed too

        dirk

        bug #882

        display Assurance when field in list of assurances received, assurances given by a user in admin console interface
        last update 2011-10-25

        {0}

      • first test: ok
      • new fix for bug#827
      • addtl. test: ok
  4. Spam attack
    • analyze process by Michael, Marcus regarding contact form
    • OTRS solution
  5. bug#894 "Haeckchen bug" - review done, changes need to be reviewed again

    • 3

      Dirk

      bug#894 assure someone patches (checkbox)

      (incl wot.php changes)
      tested by 2, needs 2nd review, deploy
      new test round

      {0}

      ? / u1 / m1

    • review by dirk in session, review ok
    • needs testing
  6. CI (Update)
    • sven did some work regarding frontendtest
    • roles for users: new user, user with points, assurer, admin user
  7. needs testing
    • 985 translingo, needs 2nd test, eg mails, needs review
    • 894 Haeckchen bug
    • 827 new points count (15.php), needs review (-> Michael)

      • 882 relates to 43.php
  8. uli to trigger new testserver developer image
    • new fixes: fixed git repository
    • michael to enable/start ntpdaemon
  9. bug #827 - New Points calculation / Thawte patch

    1. PR work - Update?
      1. newsletter mailing: ok from board m20111016.2 and m20111023.2

      2. newsletter reviewed English revision PR/News/NewPointsCalculation

      3. translations in progress
      4. script sql query to prepare based on events/oa mailing
        • request for statement by critical team
        • proposal by critical team:
          1. to pace the email sending out a bit, e.g. by doing a chunk of 1000, then waiting 19 minutes (by a programmatic sleep) before starting the next chunk of 1000 etc
          2. pushing out the whole mailing will take somewhere between one and two full days
          3. reduce Postfix' maximal_queue_lifetime from the default 5 days to say 2 days
          4. Basically a20100309.1 already gives permission for this mailing, except that it outlines a somewhat different technical implementation of such mailings. But policy-wise there doesn't seem to be a difference to me with what we are proposing here, so why bother with addtl arbitration?

      5. Software-Assessors / developers to prepare a sql-query that can handle above requirements, also to handle locally translated text
        • script to use from events + OA mailing, SA's to build a sql query, sending to critical team
    2. Questions from last 5 meetings:
      • dirk: when will 827 go to production ?

Fixed Action Items since last or within meeting

removed from action items list


Action Items New

Action items: Meeting Action Items

Software/Assessment/ActionItems

Development, Deployment, Discussion

  • OAO, Ted

    bug #943 change OA admin/assurer text

    needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected

    {-}

    uli, Ted

    bug #824 Org User cert fix Case study

    Organisation User Certificates: Need UI improvement for proper production usage

    {0}

    uli, ted

    bug #823 email address removal fix

    No warning when removing e-mail address from account that certificates will be revoked
    checked by 4, needs 2nd review, deploy
    rejected

    {-}

    inopiae

    bug #920 Join - single name only (eg Indonesian)

    details under bug number

    {0}

    uli

    bug #859 admin console interface

    feature request: show activity on an account in the admin interface
    rejected, certs login doesn't modify "modified" field

    {r}

    Michael

    bug #540

    p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing
    uli, marcus: needs full cert create tests
    duplicate report to bug#978
    tested by 3, 2nd review done, transfered
    Ken reported: still has problems, bug kept open

    {0}

    gagern, NEO

    bug #440 Problem with subjectAltName (CSR, renew certs)

    There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development

    {r}

    neo

    bug #1025 Domain Dispute issue

    disputes rc and rc2 var prob
    needs work

    {r}

    dirk

    bug #1054 0001054: Review the code regarding the new point calculation

    Thawte patch part II
    needs further work

    {r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

  • Software-Assessors task

Testing

  • Testers task

    neo

    bug #1004 Stats page improvement

    tested by 2, needs 2nd review

    {0}

    neo

    bug #1159 it might be possible to execute commands on the signing server

    {0}

    inopiae

    bug #1065 Wrong wording when sending mails during the assurance process

    {0}

    inopiae

    bug #1162 calculate (the passwords) hash in php instead of in mysql

    create test scenarios for the software testers /!\
    Full testing /!\

    {0}

    inopiae

    bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails

    {0}

    inopiae

    bug #988 TTP cap form deployment

    {0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

  • Software-Assessors task

    Ted

    bug #500 Get contact mail address after resolving test

    tested by 3, requires review

    {0}

    Ted

    bug #1140 Show if a test is passed in learnprogress

    tested by 3, requires review

    {0}

    magu

    bug #1131 Rename _all_ Policies from .php to .html and fix all links

    global policy directory maintenance and update

    {0}

    inopiae

    bug #1010 Reorder the view on organisation certificates

    tested by 3

    {0}

Software Assessors: Bundle Package to Critical Team

  • Software-Assessors task

    inopiae

    bug #1139 Add new fields to the database

    tests through #500 and #1140, 2nd review done, requires transfer

    {0}

Awaiting Response from Critical Team

  • inopiae

    bug #411 Wrong text is made into link

    {g}



Software/Assessment/20111025-S-A-MiniTOP (last edited 2011-10-26 01:26:20 by UlrichSchroeter)