 . '''To Software [[Software|Software]]''' - '''To Software-Assessment [[Software/Assessment|Software/Assessment]]''' - '''To [[Software/Assessment/20121002-S-A-MiniTOP|previous meeting]]''' - '''To [[Software/Assessment/20121016-S-A-MiniTOP|next meeting]]'''
----
= Minutes of the MiniTOP on the 2012-10-09 =

== Setting ==
The MiniTOP will be held via telco 22:00 CEST

Attendees: Marcus, Magu, Michael, uli, Timo, Benny, dirk, (alex by irc)

== Topics ==
(skip to [[#AGENDA|agenda]])

Action items from last meeting '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

== Agenda ==
## last full agenda https://wiki.cacert.org/Software/Assessment/20120228-S-A-MiniTOP

=== 1. Preface ===
 * Timo: [[https://bugs.cacert.org/view.php?id=220|bug #220]] "Find an Assurer" and "My Location" too bare-bone without Javascript

=== 2. DEV on bug 1023/1054 "Thawte Patch" ===
 * "Thawte points removal, final step" [[https://bugs.cacert.org/view.php?id=1023|bug #1023]]
  * bug #1023 Testing (6.php)
  * last patch transferred to production system 2012-05-30
  * what are the next steps for thawte points revoke?
  * points settings codes eg 50 pts open gpg/pgp, which certs avail by how many pts
  * 15.php needs rename to 10.php
 * next step in: [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] Review the code regarding the new point calculation in ./includes/general.php (current state: testing)
  * email debug notification, search for other solution
  * testing scenarios: see [[https://bugs.cacert.org/view.php?id=1054#c3163|bug note c3163]]
  * some explanations
   * assure someone - f2f, ttp, the sentence "Only tick the next box if the Assurance was face to face" is conflicting, fixed
  * new patches by dirk, pushed to cacert-devel, (update 2012-09-18)
   * tverify removed (?)
   * merge conflict with account id 60 (eg email removal), see [[https://bugs.cacert.org/view.php?id=823|bug #823]]
   * max_points() routine replaced by new max_points() routine
   * get_assurer_status(), output_summary_content() with parameter 0 replaced by max_points()
   * received_points()

=== 3. 2nd review of about again 5 remaining patches ===
||<#ff8080> '''Software-Assessors task''' ||

 1. Benny pre-views done
|| neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||

  * from meeting 2012-07-17:
   * 5 patches reviewed
   * 3 simple, bugs 540 (fixed), 789 (fixed), 981 (reviewed)
   * 2 with some difficulties, 978 (related to bug#540), most complex one: 1024 (reviewed)
 1. [[https://bugs.cacert.org/view.php?id=978|bug #978]] bug 978 (weak keys) (bug 918)
  * invalid key format, no regular error message, something wrong, error code # identified
  * debugging infos from user + infos from critical team with error code #, was spkac routine
  * one test done 2011-12-17 by JensK
  * uli, marcus: more tests: certs routine, weak keys (small keys test), relates to [[https://bugs.cacert.org/view.php?id=540|bug#540]] tests
  * (week 7)
 1. [[https://bugs.cacert.org/view.php?id=1004|bug#1004]], stats, Marcus + Uli did some tests, one problem identified, fixed 2012-08-25 by NEO
  * fully re-tested by 2: 2012-08-25 (at froscon)
 1. [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] contact assurer improvement
  * BenBe, Michael text deployed
  * prevent injections
  * Neo: committed #1091 and transferred to testserver
  * first tests (with special chars and code in text, eg "." ... text is missing after "."
  * php.ini: magic_quotes_gpc is on
  * 2nd review still started by dirk two times within last 3 weeks

|| neo || [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] contact assurer improvement || tested by 2, needs 2nd review || {0} 1 ||
|| neo || [[https://bugs.cacert.org/view.php?id=978|bug #978]] Invalid SPKAC requests are not properly validated || recheck full certs signing procedures<<BR>>duplicate report to bug#540 || 5 {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=1004|bug #1004]] Stats page improvement || tested by 2, needs 2nd review || {0} ||
|| neo || [[https://bugs.cacert.org/view.php?id=860|bug #860]] someone accessed your password and secret questions notification || tested by 2, needs 2nd review || {0} ||
|| gagern, neo || [[https://bugs.cacert.org/view.php?id=440|bug #440]] Problem with subjectAltName || tested, needs 2nd review || {0} ||

=== 4. Patches Overview - Testing ===
 1. [[https://bugs.cacert.org/view.php?id=835|bug #835]] CATS test on testserver [[http://cats1.it-sls.de/]]
  * create client cert
  * go over to [[http://cats1.it-sls.de/]] pass a cats test
  * inform Ted to trigger a transfer of the tests to the testserver
  * check if CATS test passed to testserver
  * test with different accounts
   I. members age GT 18
    a. member < 100 pts, pass the CATS test
    a. member >= 100 pts, pass the CATS test
   I. members age GT 14 and LT 18
    a. member < 100 pts, pass the CATS test
    a. member >= 100 pts, pass the CATS test
   I. members age LT 14
    a. member < 100 pts, pass the CATS test
    a. member >= 100 pts, pass the CATS test
  * finish and report the tests, no need to transfer to production
 1. Problem with subjectAltName: bugs: [[https://bugs.cacert.org/view.php?id=440|bug #440]], [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]], [[https://bugs.cacert.org/view.php?id=1035|bug #1035]]
  * create several types of certs (client certs, server certs, org client certs, org server certs) and analyse the content of the certs -> subjectAltName and CN with single SAN and multiple SANs
  * renew the certs
  * addtl. tests ? Marcus? Magu? BenBe?
  * 2012-10-02 dirk: problems with git push #1054, got fixed
  * DEV on bug 1023/1054 "Thawte Patch"
   * check last changes by dirk to transfer into test scenarios
   * [[Software/CurrentTest/bug1054|Bug #1054 test scenarios]]
 1. [[https://bugs.cacert.org/view.php?id=922|bug #922]] missing "certificate about to expire" messages
  * you can use previous test to also check "certificate about to expire" messages
  * notification expected: 1d, 15d, 30d, 45d
  * Uli: Marcus plz test again
  * Marcus+Uli: plz add serno of cert about to expire into the message text
 1. [[https://bugs.cacert.org/view.php?id=964|bug #964]] and [[https://bugs.cacert.org/view.php?id=1017|bug #1017]], relates also to [[https://bugs.cacert.org/view.php?id=1054|bug #1054, test 1054.3.6]] - Chrome certificate enrollment (relates to #964 "Black Jack")
  * create client certs, go to signing routine
  * new routine with 3 different potential signed public key download routines /account.php?id=6 list 3 options
   a. Install the certificate into your browser (tested)
   a. Download the certificate in PEM format
   a. Download the certificate in DER format
 1. [[https://bugs.cacert.org/view.php?id=1054|bug #1054]] (Thawte patch) tests passed ?
 1. Marcus Bugs list
  * see [[Software/BugsOverview]]
 1. new [[https://bugs.cacert.org/view.php?id=1095|bug #1095]] "Problems with creating server sertificate where the csr is created with Java SDK Tools"
  * cmdline sample: keytool -genkey -alias test.test.net -keyalg RSA -keystore test.test.net.ks -validity 1095
  * NEO couldn't reproduce the problem using keytool, tested against production and testserver
  * identified as weak key usage: csr used MD2 encryption, not or no longer supported by openssl, add new error message

=== 5. New SA candidates and Coders ===
 1. ABC Benny - possible Itzehoe (2012-09-14), mrmcd (2012-09-08) or other events before 2012-08-10 - 2012-08-11 BarCamp kiel
  * [[Arbitrations/a20120703.1|ABC Benny]] passed/closed, added to board meeting agenda upcoming meeting
 1. Heino, not yet prepared, needs first contact
 1. How to find coders?
    Experiences from the Gentoo project
  * [[http://redmonk.com/dberkholz/2012/07/10/how-to-recruit-open-source-contributors/]]
  * [[http://www.slideshare.net/dberkholz/lessons-on-recruiting-open-source-contributors-from-the-google-summer-of-code]]
  * use as blueprint for other recruits?
 1. report from last board meeting - topic Arbitration
  * is added to upcoming [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20120819|board meeting 2012-08-19]]

=== 6. Long Term Projects ===
 1. NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]]
  * NEO: "BlackJack" [[https://bugs.cacert.org/view.php?id=964|bug #964]] testing from last week -> error codes
  * started implementing
  * how does [[https://bugs.cacert.org/view.php?id=1017|bug #1017]] relate to this bug?
  * cert signing routine
  * ie5 ie6 automatic storage of signed key in local keystore
  * doesn't work under vista, win7
  * msi package is to download and import the keys to the local keystore under vista, win7
  * relates to [[https://bugs.cacert.org/view.php?id=1099|bug #1099]] but is quite different
  * neo sent msi package for testing to u60, benbe; test successfully passed
 1. Marek's sql class project:
  * is working on charset replacement
 1. api project, Carsten continues with portal project not waiting for vendor-api to be delivered
  * vendor-api delayed
  * no coders
  * other projects
  * related to sql class project
  * portal project continues with a workaround, needs an assurer
  * arbitration case on locations database orders outsourcing of find-an-assurer asap
  * with portal function, update of data is possible vs. update of data on critical system is difficult (keep data current for assurers)
  * relation to location database
 1. website find an assurer
 1. scripted mailing for ATE invitations
  * user check that data is still valid eg every 1 year
  * notification at login up to 6 months not online
  * notification by email if not logged in within last 6 months
 1. Automated testing system
  * Timo: Unit-test testsystem, phpunit jenkins
  * [[http://ci.partkeepr.org/job/PartKeepr/]]
  * [[https://github.com/NEOatNHNG/cacert-frontendtests]]
  * can we merge both environments? frontend tests and unit tests?

=== 7. next meeting ===
 * Tuesday, October 16, 2012 22:00 CEST

== Minutes ==
 1. Preface
  * Timo: monitoring signer, not yet done
  * Probably Wytze monitors the systems externally ?!?
  * [[SystemAdministration/Systems|Systems overview]]
  * Timo, Benny: Distro needs upgrade
   * lenny - support ended Feb 2012
   * upgrade etch to lenny was a long running project
   * squeeze (current stable release) - tests started by critical team
   * "wheezy" close before release date
  * monitoring system eg Zabbix instead of Nagios?
   * BenBE: Icinga as alternate?
   * Zabbix agents: requires to be the same revision as server
  * Timo: automated testing systems are mergeable
   * frontend test: java, may become a problem, alternate php version?
   * focus on unittests
   * dirk: code or screen?
   * code and screen
   * frontend and unit tests on one machine?
   * trial: port frontend tests
  * Timo: [[https://bugs.cacert.org/view.php?id=1101|bug #1101]] refactoring getalt getcn
   * might [[http://bugs.cacert.org/view.php?id=1101#c3225|1101 comment c3225]]
   * tries to build a php library for openssl parsing replacement
    a. asn.1 parsing, own library
    a. ???
   * openssl does escaping (per man page) (input? output?)
   * library test thru unit tests
   * openssl command for multiple SANs ?
   * undocumented feature?
   * currently only known with -extfile [[http://therowes.net/~greg/2008/01/08/creating-a-certificate-with-multiple-hostnames/#comment-595|creating-a-certificate-with-multiple-hostnames]]
  * Donations: what's with paypal?
   * in code redirects to paypal
  * web analytics (to get an idea for performance), how many visits, clicks
   * did run in the past, had been removed
  * Timo: [[https://bugs.cacert.org/view.php?id=220|bug #220]] "Find an Assurer" and "My Location" too bare-bone without Javascript
   * shall be outsourced (per arbitration ruling)
  * Michael: mail regarding squeeze upgrade to critical team
 1. Benny - new SA
  1. wiki-1: add Wiki account name to [[AllowedUsersGroup]]
  1. wiki-2: add Wiki account name including motion number [[Software/Assessment/Team|new Software Assessment Team member]]
  1. mantis: add/change group admin status
  1. testserver create console account, also ca-mgr1, git-cacert
  1. testserver ssh key exchange
  1. connect to cacert-devel mailing list, add as owner
   * request by Michael to list-admin: plz add all Software-Assessors as Owner of cacert-devel mailing list
  1. TL: welcome mail (also info to critical admins) about new Software-Assessor team member
   * [[https://lists.cacert.org/wws/arc/cacert-devel/2012-10/msg00000.html|Welcome BenBe]]
 1. Magu question to Marcus
  * last contact to gooze, around August, September
 1. Test patch to review / transfer for BenBe
  * [[https://bugs.cacert.org/view.php?id=1091|bug #1091]] contact assurer improvement
  * preparing an email to critical team: similar to [[https://lists.cacert.org/wws/arc/cacert-devel/2012-09/msg00002.html|deployment mail to critical team patch 1019]]
 1. next meeting
  * Tuesday, October 16, 2012 22:00 CEST

==== Fixed Action Items since last or within meeting ====

==== Action Items New ====
Action items: '''[[Software/Assessment/ActionItems|Meeting Action Items]]'''

----
 . CategorySoftwareAssessment