21:01:11
GuKKDevel
Hi
21:01:33
ted
Moin
21:01:35
Peter
Good morning
21:01:49
* ted is still tired.
21:02:39
ted
Are there more people alive than us three?
21:03:38
dops
I am here. Good evening/morning.
21:04:18
ted
Great! So, I guess we should start?
21:05:55
ted
Does anyone want to make amendments or corrections to the protocol at https://wiki.cacert.org/Software/Meeting/20181026?highlight=%28CategorySoftwareMeeting%29 ?
21:06:33
Peter
I see the big sticking point is how to get the changes from test to production
21:07:18
FD has joined
21:07:56
ted
Peter, this does not relate to the protocol? So I assume we'll just continue with the discussion.
21:09:23
ted
OK, which issues would be seen fit for roll-out?
21:10:53
GuKKDevel
how far is the work with PHP? #2-#4?
21:11:02
GuKKDevel
#1 is done
21:11:10
ted
1305 (the re-signed certificates) are far advanced, I'll probably have to check a few things and set up some kind of "review procedure" for them.
21:11:25
Peter
#2 is only one line and is done
21:12:37
Peter
#3 and #4 are lots of lines changed by Brian. I have not yet looked at/tested all those changes.
21:12:54
ted
So, we'll have to set up the testsystem for #1 (mysqli migration).
21:13:26
ted
If #2 (each -> foreach) is a one-liner we should combine it on the testserver
21:14:57
ted
Are #3 and #4 (Replace Replace <?= and <?) fit for testing? Anyone knows how much of the replacements have been done?
21:14:59
GuKKDevel
jann built a new test-server test3 but AFAIK the cacert-environment isn't installed yet
21:15:40
GuKKDevel
and the question is how to access test3.cacert.org
21:15:57
ted
IMHO we should test first on the testserver. As I understand it all those changes are compatible to the older PGP version, correct?
21:16:03
GuKKDevel
and to install a test3mgr.cacert.org
21:17:08
GuKKDevel
for my part yes
21:17:37
ted
I guess the new testserver will still need a bit of work. But I guess the first step is to test all those changes on the old PHP 5.6 installation on test.cacert.org
21:18:04
ⓘ bdmc_on_server is now known as bdmc
21:18:17
ted
We want to install the changes on production before doing the OS upgrade, or don't we?
21:18:21
bdmc
I'm here. Late, and have to leave early, but for now.....
21:18:35
Peter
Brian created something on git for 2,3,4. They have the one issue number.
21:18:46
* ted greets bdmc wholeheartedly.
21:19:33
bdmc
'Morning, All. B-)
21:19:41
egalontour has joined
21:20:08
ted
Brian, how far advanced are you with #3 and #4 (Replace Replace <?= and <?)? Are they fit for testing?
21:20:38
bdmc
As far as I know. At least, I changed the status to that.
21:21:16
bdmc
I had hoped to do some testing myself, but without messing with DNS, I ran into the redirects to cacert.org that are built in.
21:21:32
ted
OK, so I'd say we push #1 to #4 to the (old) testserver and see how this runs in the old environment.
21:21:47
GuKKDevel
+1
21:22:36
egalontour
Sorry for being late ... Still on tour .. currently logged in via tablet/web ... Will read later
21:23:49
bdmc
I presume that the testserver has a way to capture those redirects to cacert.org.
21:23:56
ted
OK, I'll look into this next week and mail the list when I'm done
21:24:36
ted
I'm not sure about the redirects you are mentioning? Do you have an example, so I can have a look?
21:25:29
bdmc
If you point a web server ( Apache ) to the root of this code, it almost immediately goes to www.cacert.org.
21:26:30
bdmc
I didn't dig into that part of the code too deeply, so I don't have a line number.
21:26:42
ted
OK, the testserver does not have this problem. I guess that some files have to be patched... give me a moment...
21:28:06
ted
Have you checked the file /includes/mysql.php?
21:28:11
bdmc
One option, I THINK, would be to make a pointer in /etc/hosts that redirects www.cacert.org to itself.
21:28:26
bdmc
itself being the testserver
21:29:34
ted
No, the idea is just to adjust this mysql.php to your settings.
21:29:36
bdmc
ted: you are probably correct. I do see those configuration items, now.
21:30:20
bdmc
So that file may be mis-named. It isn't just MySQL settings or functions.
21:30:36
ted
There are probably more places where the release branch needs changes to turn it into a working testsystem, but that's an area I'm currently exploring...
21:31:33
ted
Another thing is that the sendmail of your testmachine should not really send out mails, to avoid spamming people during tests.
21:31:44
bdmc
very true
21:32:05
bdmc
We had talked about an "external" configuration file.
21:32:24
bdmc
These are all things that should be in there.
21:32:31
ted
You can probably fake this by tuning the "sendmail" function in mysql.php, so it just does not send the mail.
21:33:01
ted
Of course, if you convince your mailer to redirect all mails to a local mailbox this would be better.
21:33:02
bdmc
Or sends it to a fixed address, but that might be a little more difficult.
21:33:17
bdmc
sendmail that was
21:33:21
dops
Would it be possible to restrict sending to white-listed emails? It is a bit inconvenient to simulate email...
21:33:45
ted
testserver.cacert.org does this, but I have not found out how to configure postfix this way. Probably Jan could tell.
21:34:26
GuKKDevel
emails sent will land in testmgr
21:34:27
bdmc
If the mail function was "internal" to our code, it could use a configuration item to decide whether to send "public" e-mail or to a fixed one or more addresses, overriding the ones coming in.
21:34:33
ted
dops: You could build a whitelist into the sendmail function.
21:35:03
ted
Or change the sendmail function to write the mails to a file, so you can see what would have been sent...
21:35:45
egalontour
As far as I know you can see the mail in testmgr
21:35:48
bdmc
As long as we have control over the mail sending function, any or all of these can be done. Just don't send it to /etc/sendmail or whatever.
21:36:04
ted
Exactly. :-)
21:37:01
bdmc
Peter: do you have that sort of functionality in something in your library, or should we cobble up something now?
21:37:05
ted
If someone finds the time, a few alternative "sendmail"-variants could be implemented in mysql.php, so you can choose what fits your environment best.
21:37:37
Peter
I have a settings mod for cacert. Having problems with Git.
21:37:50
bdmc
That's not nice.
21:38:21
bdmc
OK, I will have some time on Sunday, so let me use this log and make something. It might be crude to begin with, but....
21:38:33
ted
Note that the repository includes only a file "mysql.php.sample". The intention is that you copy this file to mysql.php and edit it to your needs.
21:38:45
bdmc
I will put it in mysql.php.sample, as Ted says.
21:39:05
GuKKDevel
apropos log who will document this meeting?
21:39:34
bdmc
I have to run off to make some money, so I will be in touch....
21:39:47
ted
Have a nice day!
21:40:03
ⓘ bdmc is now known as bdmc_on_server
21:40:11
ted
Concerning minutes, if no one else volunteers I can probably do them this time.
21:43:09
ted
I found in the minutes of the last meeting: "Must we change to a new database-system MySQL -> MariaDB". testserver3 is already running a database, and when I connect it it reports as "Server version: 10.1.26-MariaDB-0+deb9u1 Debian 9.1"
21:43:27
ted
So it seems that this issue is already solved... :-)
21:44:13
Peter
I have to go. Will leave chat logging the conversation for a while.
21:44:54
ted
Another question was "Are the git-repositories up to date?". I merged the current tarball into the release branch last week, so, yes, the release branch should be as it is on the production system
21:45:01
GuKKDevel
I looked at test.cacert.org, there are the test-entries hardcoded
21:45:35
egalontour
Normally there are no changes necessary when moving from MySQL to mariadb
21:45:36
ted
Bye Peter!
21:46:32
ted
egal: Luckily this even applies to our database, at least it looks this way.
21:47:57
ted
GuKK: what do you mean with "...there are the test-entries hardcoded"?
21:49:55
GuKKDevel
$_SESSION['_config']['normalhostname'] = "test.cacert.org";
21:49:55
GuKKDevel
$_SESSION['_config']['securehostname'] = "secure.test.cacert.org";
21:50:38
ted
OK, yes, that's the way it is intended to be. Do you think it should be changed?
21:50:59
GuKKDevel
no, not at this stage
21:51:22
GuKKDevel
for a later, new version it could be a nice to have
21:52:24
* ted waits patiently...
21:52:26
~jandd
hi, I'm a bit late
21:52:35
ted
Ahh, hi Jan!
21:52:41
GuKKDevel
first we should get on to test the new mysql
21:52:59
* ted shakes hands with ~jandd.
21:53:12
ted
GuKK: Yes, of course.
21:53:33
ted
This, and the new roots, would be my top priorities.
21:54:07
GuKKDevel
yes
21:54:09
ted
(new roots --> resigned certs)
21:54:54
ted
Jan, we had a question about the postfix configuration on testserver.cacert.org. Can you help there?
21:55:15
~jandd
which one? test.cacert.org, test2 or test3?
21:55:27
ted
At the moment test.
21:55:39
ted
but of course test3 will be next
21:56:19
~jandd
postfix on test sends everything to a local mailbox of the user cacertmail
21:56:42
ted
Do you know the config files which have to be edited to convince postfix of such behaviour?
21:57:18
ted
And, BTW, does postfix include an IMAP server or is there explicit software installed?
21:57:59
~jandd
/etc/postfix/main.cf and a mapping file /etc/postfix/virtual.regexp
21:58:38
~jandd
postfix does not include IMAP but there is a dovecot running on test that is reachable from testmgr
21:59:12
ted
Thanx, that's enough so I can find out the details to document them.
22:00:37
ted
OK, I found that, but could not make enough out of it. :-)
22:01:04
ted
Should I try to put some more details into this paragraph or is this intended to be short?
22:02:04
~jandd
If it is not clear enough it should be expanded. The documentation should help system administrators to find out what is going on
22:02:38
ted
OK, I'll give it a try, to get acquainted with Jenkins at least. :-)
22:02:58
~jandd
I assume an understanding of the software involved and put some reference documentation links at the end of each system page
22:04:18
~jandd
on most systems I just documented deviations from the regular Debian package configuration
22:04:21
ted
Yes, of course. But maybe the fact that mail is intentionally redirected into a single mailbox would be an interesting fact.
22:04:54
~jandd
quote: "all mail is delivered to the mailbox of the cacertmail user in /var/mail/cacertmail via /etc/postfix/virtual.regexp."
22:05:19
~jandd
I just did some archeology because I did not know who did the setup of that machine
22:05:49
~jandd
so I cannot explain the intent behind this setup
22:05:53
~jandd
:-)
22:06:03
ted
OK, your point. I'm reading too quickly recently...
22:07:24
~jandd
I assume the setup is made this way to avoid sending test certificates to arbitrary people who happen to have an account in the database on test systems
22:08:13
ted
It's for one (I assume) to stop the system spamming people whose mails get entered for test purposes.
22:08:35
ted
The second is to provide the mails to the testmgr, which accesses that mailbox via IMAP.
22:08:49
GuKKDevel
and you can install addresses that don't exist
22:09:17
~jandd
I implemented an extension for our documentation system this week that allows easy cross-referencing between source code files when documenting the code. I hope this helps everybody when documenting the codebase.
22:10:05
ted
Jan: Any pointer to some "How-To"?
22:11:25
~jandd
22:11:49
~jandd
http://www.sphinx-doc.org/en/master/ is the documentation of the system I use
22:12:35
ted
OK, I'll put this into the minutes, and probably have a look at it later.
22:12:38
~jandd
I'll write a paragraph about our specific extensions tomorrow but there are already some examples in the codedocs repository that us it
22:12:52
~jandd
s/us/use/
22:15:05
ted
Hmm, has anyone further questions? Or any progress to report? Or should we finish?
22:15:13
ted
Less than one and a half hour is a good time for such a meeting...
22:15:26
* ted smiles happily.
22:15:57
~jandd
I documented the signer protocol but I think I already mailed this information to the cacert-devel list
22:16:31
ted
Yes, but also a good thing for the minutes
22:21:22
← egalontour has quit (Quit: http://www.kiwiirc.com/ - A hand-crafted IRC client)
22:22:04
egalontour has joined
22:22:19
ted
OK, let's close the formal part of the meeting. Let's try the next at November 23, 20:00 UTC (as today)?
22:22:27
~jandd
ok, let's finish. Bye
22:22:43
ted
Bye, and thanks for attending, everyone!
22:22:51
~jandd
23rd 20:00 is fine for me
22:23:16
GuKKDevel
fine for me
22:23:25
ted
I'll linger some time here, while I do the minutes...
22:23:27
GuKKDevel
and in between cacert-devel
22:23:49
ted
Of course.
22:24:04
← egalontour has quit (Quit: http://www.kiwiirc.com/ - A hand-crafted IRC client)
22:24:30
GuKKDevel_ has joined