From Axel.Thimm at ATrpms.net Fri May 1 06:04:46 2009 
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Fri, 1 May 2009 09:04:46 +0300
Subject: Statistics problem
In-Reply-To:
References: <20090428125750.GE13551@localhost.localdomain>
 <20090428135220.GA19050@victor.nirvana>
 <20090428151755.GC3350@localhost.localdomain>
 <20090429122054.GB26655@victor.nirvana>
 <49F85187.6070005@hidayahonline.org>
 <20090429184040.GA31876@victor.nirvana>
 <20090429230905.GY18166@localhost.localdomain>
 <20090430135943.GR3111@localhost.localdomain>
Message-ID: <20090501060446.GB11032@victor.nirvana>

On Thu, Apr 30, 2009 at 09:15:32AM -0500, Mike McGrath wrote:
> On Thu, 30 Apr 2009, Paul W. Frields wrote:
>
> > On Wed, Apr 29, 2009 at 06:59:17PM -0500, Mike McGrath wrote:
> > > On Wed, 29 Apr 2009, Paul W. Frields wrote:
> > >
> > > > On Wed, Apr 29, 2009 at 09:40:40PM +0300, Axel Thimm wrote:
> > > > > Isn't a range request sent in the header of the HTTP request which
> > > > > would hit the Fedora servers before being redirected?
> > > >
> > > > Can someone on the Infrastructure guru team help me pull some relevant
> > > > lines from the logs, expurgating the IP address and any other
> > > > identifying information so we're not running afoul of any privacy
> > > > concerns?
> > > >
> > >
> > > 255.255.255.255 - - [22/Mar/2009:23:59:44 +0000] "GET
> > > /pub/fedora/linux/releases/10/Live/i686/F10-i686-Live.iso HTTP/1.1" 302
> > > -"http://fedoraproject.org/en/get-fedora" "Mozilla/4.0 (compatible; MSIE
> > > 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
> > >
> > > Bam!
> >
> > Is there one that includes a range request of the kind Axel talks
> > about? Sorry to be dense.
>
> Nope.

Which doesn't mean you can't put them there:

http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

e.g. a %{Range}i and %{If-Range}i in a CustomLog would yield the Range
headers in the logs sent with the non-redirected request.

Next one would need to examine the behaviour of popular download
accelerators and check for their pattern in these fields. Most
prominently whether the last HTTP request logged has them or not.

You wouldn't be able to recover past information, of course (although
one could extrapolate the percentage of download accelerators back in
time).
--
Axel.Thimm at ATrpms.net

From Axel.Thimm at ATrpms.net Fri May 1 06:09:39 2009
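An added example (not part of the original messages or of Fedora's tooling) for the Range logging suggested in the "Statistics problem" reply above: it parses access-log lines that carry %{Range}i and %{If-Range}i and labels each client/file pair as a full, resumed or segmented download. The LogFormat line, the classification heuristic, the client names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed httpd configuration (constructed for this example, not from the
# thread): the stock "combined" format with the two request headers appended.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Range}i\" \"%{If-Range}i\"" combined_range
#   CustomLog logs/access_log combined_range
# httpd writes "-" for an absent header and backslash-escapes embedded quotes.

def _q(name):
    """Regex for one double-quoted log field that may contain escaped quotes."""
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    + " ".join(_q(n) for n in ("referer", "agent", "range", "if_range")) + r"$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("range", "if_range"):
        if rec[key] == "-":
            rec[key] = None
    return rec

def parse_ranges(value):
    """Parse a 'bytes=' Range value into [(start, end)]; None marks an open side.
    Returns [] for a missing, non-byte or malformed header."""
    if not value or not value.startswith("bytes="):
        return []
    out = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return []
        start = int(m.group(1)) if m.group(1) else None  # None: suffix range "-N"
        end = int(m.group(2)) if m.group(2) else None    # None: open-ended "N-"
        out.append((start, end))
    return out

def classify(records):
    """Heuristic (an assumption, to be checked against real accelerators):
    several distinct offsets with at least one bounded range -> segmented;
    If-Range or a single non-zero offset -> resumed; otherwise full."""
    ranges = [r for rec in records for r in parse_ranges(rec["range"])]
    conditional = any(rec["if_range"] for rec in records)
    starts = {s for s, _ in ranges}
    bounded = any(e is not None for s, e in ranges if s is not None)
    if len(starts) >= 2 and bounded:
        return "segmented"
    if conditional or any((s or 0) > 0 for s, _ in ranges):
        return "resumed"
    return "full"

def summarise(lines):
    """Group GET requests by (client, user agent, path) so one download is
    counted once however many requests it took. Returns (labels, skipped)."""
    groups = defaultdict(list)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            skipped += 1
            continue
        groups[(rec["host"], rec["agent"], rec["path"])].append(rec)
    return {key: classify(recs) for key, recs in groups.items()}, skipped

# Constructed sample input: documentation addresses, invented client names.
ISO = "/pub/fedora/linux/releases/10/Live/i686/F10-i686-Live.iso"

def _line(host, agent, rng="-", if_range="-"):
    return ('%s - - [22/Mar/2009:23:59:44 +0000] "GET %s HTTP/1.1" 302 - '
            '"-" "%s" "%s" "%s"' % (host, ISO, agent, rng, if_range))

SAMPLE_LOG = [
    _line("192.0.2.10", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    _line("192.0.2.20", "ExampleAccelerator/1.0", "bytes=0-249999999"),
    _line("192.0.2.20", "ExampleAccelerator/1.0", "bytes=250000000-499999999"),
    _line("192.0.2.20", "ExampleAccelerator/1.0", "bytes=500000000-"),
    _line("192.0.2.30", "ExampleClient/2.0"),
    _line("192.0.2.30", "ExampleClient/2.0", "bytes=312475648-", r'\"1a2b-3c4d\"'),
    "truncated or foreign-format line",
]

if __name__ == "__main__":
    labels, skipped = summarise(SAMPLE_LOG)
    for (host, agent, path), label in sorted(labels.items()):
        print(host, agent, label)
    print("skipped lines:", skipped)
```

Six requests in the sample collapse to three downloads, which is the correction the thread is after; the grouping key ignores time, so a real run would also need a time window per client.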
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Fri, 1 May 2009 09:09:39 +0300
Subject: Any C coders want to help me with something?
In-Reply-To: <49F9D793.5090804@gmail.com>
References: <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090430042355.GA13310@auslistsprd01.us.dell.com>
 <20090430055640.GA30691@sphe.res.cmu.edu>
 <49F9D793.5090804@gmail.com>
Message-ID: <20090501060939.GC11032@victor.nirvana>

On Thu, Apr 30, 2009 at 09:53:39AM -0700, Toshio Kuratomi wrote:
> Mike McGrath wrote:
> > On Thu, 30 Apr 2009, Ricky Zhou wrote:
> >> In some distant future version of FAS, I'd
> >> like to play with the idea of storing the data in LDAP while handling
> >> our group sponsorship system in postgres.
> >>
> >
> > Ick
> >
> heh :-)
>
> I think ricky's approach could work but it would need planning. The
> idea would be to increase the complexity of FAS but decrease the
> complexity for everything we deploy that needs authentication. We'd
> want to examine that assumption in the planning phase to make sure it's
> actually true for us.
>
> For instance, there was the thought that having cached credentials on
> our servers was preferable to what happens to when the LDAP server goes
> down. Still a concern?

You can have slave LDAP servers, of course, and if you don't trust
their location, you can have slices of LDAP mirrored differently,
e.g. not all attributes, not all trees etc.

> We currently mask a lot of information for the privacy policy, can we do
> that with LDAP? (Or just not put the information in there?)

Sure, there are rather fine-coarsed ACL systems in both openldap and
ds.

> We let third parties (like the hosts to let packagers try building on
> ppc, x86_64, etc) use fas to get ssh keys. Would we let them connect to
> and get that information from the LDAP server instead?

There would be no security downside compared to other retrieval
solution. Absolute security is to let this be done by a trusted human.

> We let people use their normal accounts to get a subset of data for
> authenticating to their web apps while they're developing them. Would
> we enable the same setup with LDAP?

Yes, check out the ACLs in either of the two popular projects.
--
Axel.Thimm at ATrpms.net

From Axel.Thimm at ATrpms.net Fri May 1 06:11:11 2009
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Fri, 1 May 2009 09:11:11 +0300
Subject: Any C coders want to help me with something?
In-Reply-To:
References: <80d7e4090904290929q6aa67d73g675549b0bc02d696@mail.gmail.com>
 <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
Message-ID: <20090501061111.GD11032@victor.nirvana>

On Thu, Apr 30, 2009 at 07:54:42AM -0500, Mike McGrath wrote:
> On Thu, 30 Apr 2009, Axel Thimm wrote:
>
> > On Wed, Apr 29, 2009 at 02:03:55PM -0500, Mike McGrath wrote:
> > > We worked pretty closely with different LDAP teams and the way FAS works
> > > is just not very... ldapian. Although it's only some internal stuff that
> > > we need (specifically related to our user/sponsor/admin bits in each
> > > group.
> >
> > Can't this be implemented with a FAS ldap schema that contains these
> > bits in ldap attributes?
> >
> > Or rephrased: Can't any SQL field in a table be always mapped onto
> > some (custom) ldap attribute? If you can map a problem onto an SQL
> > database it should be possible to go ldap IMHO.
> >
>
> Seems like it should work that way, and we spent months trying to get it
> to work right (even working with the fedora-ds people) but it just ended
> up being very hacky and not very good.

Maybe if someone gives some detail on why the LDAP setup looked like
too hacky we could find a better solution and use LDAP?
--
Axel.Thimm at ATrpms.net

From Axel.Thimm at ATrpms.net Fri May 1 06:14:20 2009
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Fri, 1 May 2009 09:14:20 +0300
Subject: Any C coders want to help me with something?
In-Reply-To: <20090430042355.GA13310@auslistsprd01.us.dell.com>
References: <80d7e4090904290929q6aa67d73g675549b0bc02d696@mail.gmail.com>
 <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090430042355.GA13310@auslistsprd01.us.dell.com>
Message-ID: <20090501061420.GE11032@victor.nirvana>

On Wed, Apr 29, 2009 at 11:23:55PM -0500, Matt Domsch wrote:
> On Thu, Apr 30, 2009 at 06:44:09AM +0300, Axel Thimm wrote:
> > On Wed, Apr 29, 2009 at 02:03:55PM -0500, Mike McGrath wrote:
> > > We worked pretty closely with different LDAP teams and the way FAS works
> > > is just not very... ldapian. Although it's only some internal stuff that
> > > we need (specifically related to our user/sponsor/admin bits in each
> > > group.
> >
> > Can't this be implemented with a FAS ldap schema that contains these
> > bits in ldap attributes?
>
> Can I reverse the question? Instead of a pam_fas module, what about
> creating a way to export FAS information as LDAP, such that all
> LDAP-consuming apps would "just work", albeit not able to access the
> FAS-specific information?

That was further up the thread: One could have FAS export the parts
Mike needs in an ldif formatted file and cron-import them into a *read
only* ldap backend. You would need a sibling ldap instance running for
serving ldap requests.

If you mean having an ldap (read-only) interface to FAS coded, then I
think that this is quite a lot of work.
--
Axel.Thimm at ATrpms.net

From ricky at fedoraproject.org Fri May 1 06:54:08 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 1 May 2009 02:54:08 -0400
Subject: Any C coders want to help me with something?
In-Reply-To: <20090501061111.GD11032@victor.nirvana>
References: <80d7e4090904290929q6aa67d73g675549b0bc02d696@mail.gmail.com>
 <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090501061111.GD11032@victor.nirvana>
Message-ID: <20090501065408.GB7172@sphe.res.cmu.edu>

On 2009-05-01 09:11:11 AM, Axel Thimm wrote:
> Maybe if someone gives some detail on why the LDAP setup looked like
> too hacky we could find a better solution and use LDAP?

We were basically trying to use LDAP like a relational DB instead of a
directory, so we were trying to force our entire sponsorship system to
be totally contained in LDAP. Looking back at this, the best approach
with LDAP would probably have been a DB for sponsorship data, and LDAP
for holding approved user/group data. As I mentioned, I'd be interested
in exploring this approach a bit more in the future.

Thanks,
Ricky

From ricky at fedoraproject.org Fri May 1 06:59:55 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 1 May 2009 02:59:55 -0400
Subject: Any C coders want to help me with something?
In-Reply-To: <49F9D793.5090804@gmail.com>
References: <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090430042355.GA13310@auslistsprd01.us.dell.com>
 <20090430055640.GA30691@sphe.res.cmu.edu>
 <49F9D793.5090804@gmail.com>
Message-ID: <20090501065955.GC7172@sphe.res.cmu.edu>

On 2009-04-30 09:53:39 AM, Toshio Kuratomi wrote:
> I think ricky's approach could work but it would need planning. The
> idea would be to increase the complexity of FAS but decrease the
> complexity for everything we deploy that needs authentication. We'd
> want to examine that assumption in the planning phase to make sure it's
> actually true for us.
>
> For instance, there was the thought that having cached credentials on
> our servers was preferable to what happens to when the LDAP server goes
> down. Still a concern?

My suggested solution to this would be to continue having local cached
data using nss_db. One benefit to having this backed by LDAP instead of
SQL is that reading/generating these local caches should be far faster.

> We currently mask a lot of information for the privacy policy, can we do
> that with LDAP? (Or just not put the information in there?)

Yes, we can restrict access to this information.

> We let third parties (like the hosts to let packagers try building on
> ppc, x86_64, etc) use fas to get ssh keys. Would we let them connect to
> and get that information from the LDAP server instead?

That is certainly an option. I don't think OpenSSH has built in support
for reading public keys from an LDAP server without recompiling it with
third party patches, so we'd still need something for creating home
directories with authorized_key files.

> We let people use their normal accounts to get a subset of data for
> authenticating to their web apps while they're developing them. Would
> we enable the same setup with LDAP?

With LDAP, authentication should be possible without having separate
special credentials.

Thanks,
Ricky

From ricky at fedoraproject.org Fri May 1 07:04:07 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 1 May 2009 03:04:07 -0400
Subject: Any C coders want to help me with something?
In-Reply-To: <20090501061420.GE11032@victor.nirvana>
References: <80d7e4090904290929q6aa67d73g675549b0bc02d696@mail.gmail.com>
 <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090430042355.GA13310@auslistsprd01.us.dell.com>
 <20090501061420.GE11032@victor.nirvana>
Message-ID: <20090501070407.GD7172@sphe.res.cmu.edu>

On 2009-05-01 09:14:20 AM, Axel Thimm wrote:
> That was further up the thread: One could have FAS export the parts
> Mike needs in an ldif formatted file and cron-import them into a *read
> only* ldap backend. You would need a sibling ldap instance running for
> serving ldap requests.
>
> If you mean having an ldap (read-only) interface to FAS coded, then I
> think that this is quite a lot of work.

This would make it easier to have a lot of different authentication
methods, but it wouldn't solve the sync problem, unfortunately. I think
we can get both of these benefits by storing the data directly in an
LDAP directory, which I've been thinking about a bit.

Thanks,
Ricky

From Axel.Thimm at ATrpms.net Fri May 1 08:11:50 2009
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Fri, 1 May 2009 11:11:50 +0300
Subject: Any C coders want to help me with something?
In-Reply-To: <20090501065408.GB7172@sphe.res.cmu.edu>
References: <80d7e4090904290929q6aa67d73g675549b0bc02d696@mail.gmail.com>
 <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090501061111.GD11032@victor.nirvana>
 <20090501065408.GB7172@sphe.res.cmu.edu>
Message-ID: <20090501081150.GG11032@victor.nirvana>

On Fri, May 01, 2009 at 02:54:08AM -0400, Ricky Zhou wrote:
> On 2009-05-01 09:11:11 AM, Axel Thimm wrote:
> > Maybe if someone gives some detail on why the LDAP setup looked like
> > too hacky we could find a better solution and use LDAP?
> We were basically trying to use LDAP like a relational DB instead of a
> directory, so we were trying to force our entire sponsorship system to
> be totally contained in LDAP. Looking back at this, the best approach
> with LDAP would probably have been a DB for sponsorship data, and LDAP
> for holding approved user/group data. As I mentioned, I'd be interested
> in exploring this approach a bit more in the future.

With details I mean something more like what exact bits were not
mapping naturally into some LDAP structure, existent or custom schema
made.

W/o having in-depth knowledge of FAS I'd start with a typical account
LDAP setup and add the extra FAS functionality with a custom
schema. The group mapping should be done via conventional LDAP Posix
Account/Group schemas, and I guess most of the extra bits could be
converted to group memberships.

That way, not only will you be able to map special FAS bits to simple
POSIX semantics and thus reduce any special FAS schemes, but also use
FAS information in anything that reads nss. E.g. you could use group
memberships in filesystem acls to allow provenpackager some access to
some files, sponsors other access to other files etc.
--
Axel.Thimm at ATrpms.net

From mmcgrath at redhat.com Fri May 1 13:54:07 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 1 May 2009 08:54:07 -0500 (CDT)
Subject: Any C coders want to help me with something?
In-Reply-To: <20090501065408.GB7172@sphe.res.cmu.edu>
References: <80d7e4090904290929q6aa67d73g675549b0bc02d696@mail.gmail.com>
 <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090501061111.GD11032@victor.nirvana>
 <20090501065408.GB7172@sphe.res.cmu.edu>
Message-ID:

On Fri, 1 May 2009, Ricky Zhou wrote:

> On 2009-05-01 09:11:11 AM, Axel Thimm wrote:
> > Maybe if someone gives some detail on why the LDAP setup looked like
> > too hacky we could find a better solution and use LDAP?
> We were basically trying to use LDAP like a relational DB instead of a
> directory, so we were trying to force our entire sponsorship system to
> be totally contained in LDAP. Looking back at this, the best approach
> with LDAP would probably have been a DB for sponsorship data, and LDAP
> for holding approved user/group data. As I mentioned, I'd be interested
> in exploring this approach a bit more in the future.
>

I really hate this idea. Granted we're looking to use ldap as an
extension of FAS, but to require them both for base functionality is just
nasty to me. In my mind a system that requires both, and where you have
to know what information is where in order to query it is a poorly
designed system.

	-Mike

From mmcgrath at redhat.com Fri May 1 13:57:22 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 1 May 2009 08:57:22 -0500 (CDT)
Subject: Any C coders want to help me with something?
In-Reply-To: <20090501081150.GG11032@victor.nirvana>
References: <80d7e4090904290929q6aa67d73g675549b0bc02d696@mail.gmail.com>
 <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090501061111.GD11032@victor.nirvana>
 <20090501065408.GB7172@sphe.res.cmu.edu>
 <20090501081150.GG11032@victor.nirvana>
Message-ID:

On Fri, 1 May 2009, Axel Thimm wrote:

> On Fri, May 01, 2009 at 02:54:08AM -0400, Ricky Zhou wrote:
> > On 2009-05-01 09:11:11 AM, Axel Thimm wrote:
> > > Maybe if someone gives some detail on why the LDAP setup looked like
> > > too hacky we could find a better solution and use LDAP?
>
> > We were basically trying to use LDAP like a relational DB instead of a
> > directory, so we were trying to force our entire sponsorship system to
> > be totally contained in LDAP. Looking back at this, the best approach
> > with LDAP would probably have been a DB for sponsorship data, and LDAP
> > for holding approved user/group data. As I mentioned, I'd be interested
> > in exploring this approach a bit more in the future.
>
> With details I mean something more like what exact bits were not
> mapping naturally into some LDAP structure, existent or custom schema
> made.
>

Both ldap groups basically suggested to us to have 3 groups for each
'group'. So if you have a sysadmin group we'd have 'sysadmin'
'sysadmin-sponsors' and 'sysadmin-admins'. Then we'd move people from
one group to another.

Then there was the concept of marking who sponsored who in that group. So
if Axel joined the sysadmin group and I sponsored him in that group, that
I be able to track that information.

Those two requirements together make ldap a poor solution in our use
case.

	-Mike

From mmcgrath at redhat.com Fri May 1 15:17:42 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 1 May 2009 10:17:42 -0500 (CDT)
Subject: Outage Notification - 2009-05-01 19:00 UTC
Message-ID:

There will be an outage starting at 2009-05-01 19:00 UTC, which will last
approximately .5 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2009-05-01 19:00 UTC'

Affected Services:

Torrent

Unaffected Services:

Buildsystem
CVS / Source Control
Database
DNS
Fedora Hosted
Fedora People
Fedora Talk
Mail
Mirror System
Translation Services
Websites

Ticket Link:

https://fedorahosted.org/fedora-infrastructure/ticket/1365

Reason for Outage:

I need to set a flag in ibiblio1's BIOS. This will take the torrent
server offline.

Contact Information:

Please join #fedora-admin in irc.freenode.net or respond to this email to
track the status of this outage.

From mmcgrath at redhat.com Fri May 1 23:08:15 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 1 May 2009 18:08:15 -0500 (CDT)
Subject: Multi-factor authentication
Message-ID:

I had intended to send this earlier but am only getting around to it.

As per our discussion online (this is unrelated to the other thread about
ldap and wanting a C coder).

Dennis and I have started looking at yubikey for authentication. After
some discussion in the last meeting these are some of the talking points.
As of right now nothing is set in stone but yubikeys are a strong front
runner.

 * Will likely be required for sysadmin-main and probably a few other
   highly sensitive groups (package signing)
 * Will probably be required for those groups on specific high target
   servers.
 * Will likely be an additional layer of authentication instead of a
   replacement.
 * Possibly required for sudo access
 * Possibly required for shell access
 * Concerns about SPOF (yubikeys in particular require a central server)
 * Might be optional for other contributors wanting to use additional
   security.
 * Obviously will require only Free Software.
 * kerberos was discussed, some for some against. The primary hangup
   being people who use kerberos as their $DAYJOB will have conflicts when
   working in Fedora.
 * Concerns over what to do when a key is stolen[1] Though phone numbers
   were mentioned as an additional verification level.
 * Still unclear how to make the keys
 * Implementation details still unclear though it was generally
   considered that "yubikey + ssh key" were both "something you have".
   Meaning it'd be "yubikey + fas password" "Something you have +
   something you know" as is common with most multifactor authentication
   mechanisms.

My initial looks at yubikey are pretty promising, from knowing nothing to
being able to ssh using the yubikey took only about 15 minutes. It'll
take less now that dgilmore has the software packaged like pam_yubico.

Questions comments?

	-Mike

[1] This is an issue even with non keys, it's nearly impossible for us to
verify someone is who they say they are if they no longer have access to
their email address, even that's not really 'proof'.

From smooge at gmail.com Sat May 2 00:45:31 2009
From: smooge at gmail.com (Stephen John Smoogen)
Date: Fri, 1 May 2009 18:45:31 -0600
Subject: Multi-factor authentication
In-Reply-To:
References:
Message-ID: <80d7e4090905011745i10373e48kcc599ce7dba613f4@mail.gmail.com>

On Fri, May 1, 2009 at 5:08 PM, Mike McGrath wrote:
> I had intended to send this earlier but am only getting around to it.
>
> As per our discussion online (this is unrelated to the other thread about
> ldap and wanting a C coder).
>
> Dennis and I have started looking at yubikey for authentication.  After
> some discussion in the last meeting these are some of the talking points.
> As of right now nothing is set in stone but yubikeys are a strong front
> runner.
>
>  * Will likely be required for sysadmin-main and probably a few other
>    highly sensitive groups (package signing)
>  * Will probably be required for those groups on specific high target
>    servers.
>  * Will likely be an additional layer of authentication instead of a
>    replacement.
>  * Possibly required for sudo access
>  * Possibly required for shell access
>  * Concerns about SPOF (yubikeys in particular require a central server)
>  * Might be optional for other contributors wanting to use additional
>    security.
>  * Obviously will require only Free Software.
>  * kerberos was discussed, some for some against.  The primary hangup
>    being people who use kerberos as their $DAYJOB will have conflicts when
>    working in Fedora.
>  * Concerns over what to do when a key is stolen[1] Though phone numbers
>    were mentioned as an additional verification level.
>  * Still unclear how to make the keys
>  * Implementation details still unclear though it was generally
>    considered that "yubikey + ssh key" were both "something you have".
>    Meaning it'd be "yubikey + fas password" "Something you have +
>    something you know" as is common with most multifactor authentication
>    mechanisms.

That I think covers it all. Basically I think the tasks would be

1) Get a set of keys
2) Setup test architecture.
3) Work out initial issues of how to make/destroy and deal with
   potential problems.
4) Begin to architect how it would roll out.
   a) Work with yubikey and Fedora security experts on how it would be
      best built for our needs.
   b) Write up procedural issues for who keys are made for, how they are
      made, how they are destroyed, etc.
   c) Get political/social buyin/acceptance on procedural issues.
   d) Determine what systems would be in test environment.
5) Build a test environment with architecture.
   a) Work on breaking it
   b) Work out how much of the breakage we can accept and what we would
      do when it happens.
6) Go/no-go
7) If Go, start rolling out further.

Does that help?

> My initial looks at yubikey are pretty promising, from knowing nothing to
> being able to ssh using the yubikey took only about 15 minutes.  It'll
> take less now that dgilmore has the software packaged like pam_yubico.
>
> Questions comments?
>
>        -Mike
>
> [1] This is an issue even with non keys, it's nearly impossible for us to
> verify someone is who they say they are if they no longer have access to
> their email address, even that's not really 'proof'.
>

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

From admin at arcnetworks.biz Sat May 2 01:45:43 2009
From: admin at arcnetworks.biz (Anand Capur)
Date: Fri, 1 May 2009 21:45:43 -0400
Subject: Multi-factor authentication
In-Reply-To: <80d7e4090905011745i10373e48kcc599ce7dba613f4@mail.gmail.com>
References: <80d7e4090905011745i10373e48kcc599ce7dba613f4@mail.gmail.com>
Message-ID: <5d66540b0905011845i36db96f8m8029acc52d320746@mail.gmail.com>

>
> That I think covers it all. Basically I think the tasks would be
>
> 1) Get a set of keys
> 2) Setup test architecture.
> 3) Work out initial issues of how to make/destroy and deal with
> potential problems.
> 4) Begin to architect how it would roll out.
>  a) Work with yubikey and Fedora security experts on how it would be
> best built for our needs.
>  b) Write up procedural issues for who keys are made for, how they are
> made, how they are destroyed, etc.
>  c) Get political/social buyin/acceptance on procedural issues.
>  d) Determine what systems would be in test environment.
> 5) Build a test environment with architecture.
>  a) Work on breaking it
>  b) Work out how much of the breakage we can accept and what we would
> do when it happens.
> 6) Go/no-go
> 7) If Go, start rolling out further.
>

I'd be happy to get an initial key and help test it all out. I might be
able to help setup the architecture, I've worked with two factor before.

-Anand

From mmcgrath at redhat.com Sat May 2 02:01:12 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 1 May 2009 21:01:12 -0500 (CDT)
Subject: Multi-factor authentication
In-Reply-To: <5d66540b0905011845i36db96f8m8029acc52d320746@mail.gmail.com>
References: <80d7e4090905011745i10373e48kcc599ce7dba613f4@mail.gmail.com>
 <5d66540b0905011845i36db96f8m8029acc52d320746@mail.gmail.com>
Message-ID:

On Fri, 1 May 2009, Anand Capur wrote:

> That I think covers it all. Basically I think the tasks would be
>
> 1) Get a set of keys
> 2) Setup test architecture.
> 3) Work out initial issues of how to make/destroy and deal with
> potential problems.
> 4) Begin to architect how it would roll out.
>  a) Work with yubikey and Fedora security experts on how it would be
> best built for our needs.
>  b) Write up procedural issues for who keys are made for, how they are
> made, how they are destroyed, etc.
>  c) Get political/social buyin/acceptance on procedural issues.
>  d) Determine what systems would be in test environment.
> 5) Build a test environment with architecture.
>  a) Work on breaking it
>  b) Work out how much of the breakage we can accept and what we would
> do when it happens.
> 6) Go/no-go
> 7) If Go, start rolling out further.
>
>
> I'd be happy to get an initial key and help test it all out. I might be able to help setup the architecture, I've worked
> with two factor before.
>

For interested parties, I got my yubikey from:

http://yubico.com/order/index/

	-Mike

From eric at christensenplace.us Sat May 2 02:02:26 2009
From: eric at christensenplace.us (Eric Christensen)
Date: Fri, 1 May 2009 22:02:26 -0400
Subject: Multi-factor authentication
In-Reply-To:
References:
Message-ID:

On Fri, May 1, 2009 at 19:08, Mike McGrath wrote:
>  * Implementation details still unclear though it was generally
>    considered that "yubikey + ssh key" were both "something you have".
>    Meaning it'd be "yubikey + fas password" "Something you have +
>    something you know" as is common with most multifactor authentication
>    mechanisms.

> Questions comments?
>
>        -Mike

In my opinion, a hardware token is much more secure when compared to a
software token. In either case you would still want to require the use
of some sort of passphrase (fas password) to maintain the multi-factor
which would mitigate the risk of having the token stolen.

I've been doing a bit of research on the Yubikey solution for a DoD
project I'm working on and have been impressed by how it is designed and
how easy it is for a non-geek to understand and use. Still trying to
figure out my own implementation, however, so I haven't had an
opportunity to use it.

Just my two cents worth.

Eric "Sparks"

From Axel.Thimm at ATrpms.net Sat May 2 10:08:37 2009
From: Axel.Thimm at ATrpms.net (Axel Thimm)
Date: Sat, 2 May 2009 13:08:37 +0300
Subject: Any C coders want to help me with something?
In-Reply-To:
References: <49F88AFA.1080406@hidayahonline.org>
 <20090429184721.GB31876@victor.nirvana>
 <20090430034409.GA5887@victor.nirvana>
 <20090501061111.GD11032@victor.nirvana>
 <20090501065408.GB7172@sphe.res.cmu.edu>
 <20090501081150.GG11032@victor.nirvana>
Message-ID: <20090502100837.GE24141@victor.nirvana>

On Fri, May 01, 2009 at 08:57:22AM -0500, Mike McGrath wrote:
> On Fri, 1 May 2009, Axel Thimm wrote:
>
> > On Fri, May 01, 2009 at 02:54:08AM -0400, Ricky Zhou wrote:
> > > On 2009-05-01 09:11:11 AM, Axel Thimm wrote:
> > > > Maybe if someone gives some detail on why the LDAP setup looked like
> > > > too hacky we could find a better solution and use LDAP?
> >
> > > We were basically trying to use LDAP like a relational DB instead of a
> > > directory, so we were trying to force our entire sponsorship system to
> > > be totally contained in LDAP. Looking back at this, the best approach
> > > with LDAP would probably have been a DB for sponsorship data, and LDAP
> > > for holding approved user/group data. As I mentioned, I'd be interested
> > > in exploring this approach a bit more in the future.
> >
> > With details I mean something more like what exact bits were not
> > mapping naturally into some LDAP structure, existent or custom schema
> > made.
> >
>
> Both ldap groups basically suggested to us to have 3 groups for each
> 'group'. So if you have a sysadmin group we'd have 'sysadmin'
> 'sysadmin-sponsors' and 'sysadmin-admins'. Then we'd move people from
> one group to another.

Where is the information "*-vanilla" vs "*-sponsors" vs "*-admins"
needed? If nothing else outside of FAS needs it, then I'd simply add a
custom attribute. If you would need to export this information to say
filesystem ACLs to allow different access to sysadmin-sponsors and
sysadmin-admins, then you would have to split into these subgroups
anyway somewhere in the FAS -> filesystem ACLs process.

> Then there was the concept of marking who sponsored who in that group. So
> if Axel joined the sysadmin group and I sponsored him in that group, that
> I be able to track that information.

That really sounds like a simple custom attribute, possibly not even
needed anywhere else outside of FAS scope.

> Those two requirements together make ldap a poor solution in our use
> case.

Why? Custom schemes are quite often found in LDAP world, and it is
really just two attributes you are adding to typical PosixAccounts.
--
Axel.Thimm at ATrpms.net

From mmcgrath at redhat.com Sat May 2 14:47:18 2009
From: mmcgrath at redhat.com (Mike McGrath) Date: Sat, 2 May 2009 09:47:18 -0500 (CDT) Subject: Any C coders want to help me with something? In-Reply-To: <20090502100837.GE24141@victor.nirvana> References: <49F88AFA.1080406@hidayahonline.org> <20090429184721.GB31876@victor.nirvana> <20090430034409.GA5887@victor.nirvana> <20090501061111.GD11032@victor.nirvana> <20090501065408.GB7172@sphe.res.cmu.edu> <20090501081150.GG11032@victor.nirvana> <20090502100837.GE24141@victor.nirvana> Message-ID: On Sat, 2 May 2009, Axel Thimm wrote: > On Fri, May 01, 2009 at 08:57:22AM -0500, Mike McGrath wrote: > > On Fri, 1 May 2009, Axel Thimm wrote: > > > > > On Fri, May 01, 2009 at 02:54:08AM -0400, Ricky Zhou wrote: > > > > On 2009-05-01 09:11:11 AM, Axel Thimm wrote: > > > > > Maybe if someone gives some detail on why the LDAP setup looked like > > > > > too hacky we could find a better solution and use LDAP? > > > > > > > We were basically trying to use LDAP like a relational DB instead of a > > > > directory, so we were trying to force our entire sponsorship system to > > > > be totally contained in LDAP. Looking back at this, the best approach > > > > with LDAP would probably have been a DB for sponsorship data, and LDAP > > > > for holding approved user/group data. As I mentioned, I'd be interested > > > > in exploring this approach a bit more in the future. > > > > > > With details I mean something more like what exact bits were not > > > mapping naturally into some LDAP structure, existent or custom schema > > > made. > > > > > > > Both ldap groups basically suggested to us to have 3 groups for each > > 'group'. So if you have a sysadmin group we'd have 'sysadmin' > > 'sysadmin-sponsors' and 'sysadmin-admins'. Then we'd move people from > > one group to another. > > Where is the information "*-vanilla" vs "*-sponsors" vs "*-admins" > needed? If nothing else outside of FAS needs it, then I'd simply add a > custom attribute. 
If you would need to export this information to say > filesystem ACLs to allow different access to sysadmin-sponsors and > sysadmin-admins, then you would have to split into these subgroups > anyway somewhere in the FAS -> filesystem ACLs process. > > > Then there was the concept of marking who sponsored who in that group. So > > if Axel joined the sysadmin group and I sponsored him in that group, that > > I be able to track that information. > > That really sounds like a simple custom attribute, possibly not even > needed anywhere else outside of FAS scope. > > > Those two requirements together make ldap a poor solution in our use > > case. > > Why? Custom schemes are quite often found in LDAP world, and it is > really just two attributes you are adding to typical PosixAccounts. > I'm not sure "why" you'd have to ask the fedora-ds and openldap devs. We dropped ldap largely on their recommendation, the comment that did it for me was "what you're trying to do with ldap is not a very ldap way of doing things." Thus why I described what we were trying to do as "hacky" -Mike From lmacken at redhat.com Sat May 2 20:39:02 2009 
From: lmacken at redhat.com (Luke Macken)
Date: Sat, 2 May 2009 16:39:02 -0400
Subject: SELinux lockdown
Message-ID: <20090502203902.GB15316@x300>

Hey everyone,

So I've been doing a lot of SELinux/audit related work behind the scenes
within our infrastructure for a while now, working closely with Dan
Walsh and Steve Grubb. It's taken a lot of patience and hard work, but
we're finally at the point where we can start switching large portions
of our infrastructure over to SELinux Enforcing mode.

The following server groups are now fully enforcing:

    o gateway
    o people
    o planet
    o fas
    o collab
    o releng
    o db
    o torrent
    o dns

These are all groups of machines that have not had any SELinux
denials in at least a month. If you notice any issues with
regard to these groups, please speak up.

I will be keeping a close eye on these machines, and I encourage anyone
that is interested to do the same. I threw together a little tool that
I've been using to monitor & manage SELinux on our machines. It uses
func, and allows you to do the following:

    Get the SELinux status:

        selinux-overlord.py --status

    Display all enforced denials:

        selinux-overlord.py --enforced-denials

    Dump all raw AVCs to disk. Each minion will have its own file:

        selinux-overlord.py --dump-avcs

    Upgrade the SELinux policy RPMs:

        selinux-overlord.py --upgrade-policy

It defaults to querying all minions, but you can specify groups of them
if you wish:

    selinux-overlord.py --status app* db*

This script should ideally be its own func module, but in the mean time
I added it to the fedora-infrastructure git repository:

    http://git.fedorahosted.org/git/?p=fedora-infrastructure.git;a=blob_plain;f=scripts/selinux/selinux-overlord.py;hb=HEAD

More information on our SELinux deployment can be found in our
[out of date] SOP: http://fedoraproject.org/wiki/Infrastructure/SOP/SELinux

luke

From mmcgrath at redhat.com Sat May 2 20:45:53 2009
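The criterion in the announcement above (a server group moves to enforcing only after a month without SELinux denials) can be checked from raw AVC records. The following is an added example, not part of the original post and not code from selinux-overlord.py. The log lines are constructed; the function names, the rule that a trailing number is stripped from a host name to get its group, and the reliance on the `permissive=` field that current kernels append to AVC records are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<epoch>\d+)\.\d+:\d+\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODES = {"0": "enforced", "1": "permissive"}  # meaning of the permissive= field


def parse_avc(line):
    """Return a dict describing an AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        # A context is user:role:type:level; the type is what policy rules name.
        source_type = fields["scontext"].split(":")[2]
        target_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {
        "when": datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "source_type": source_type,
        "target_type": target_type,
        "tclass": tclass,
        # Records without the field cannot be classified; keep them visible.
        "mode": MODES.get(fields.get("permissive"), "unknown"),
    }


def group_of(host):
    """Assumed naming scheme: 'db2' and 'db1.example.org' both map to group 'db'."""
    return re.sub(r"\d+$", "", host.split(".")[0])


def readiness(entries, now, quiet_days=30):
    """Summarise denials per group inside the window; quiet means none at all."""
    cutoff = now - timedelta(days=quiet_days)
    groups = defaultdict(lambda: {"enforced": 0, "permissive": 0, "unknown": 0,
                                  "signatures": set(), "last_denial": None})
    for host, line in entries:
        stats = groups[group_of(host)]  # a group with only clean lines still gets a row
        rec = parse_avc(line)
        if rec is None or rec["when"] < cutoff:
            continue
        stats[rec["mode"]] += 1
        stats["signatures"].add(
            (rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"]))
        if stats["last_denial"] is None or rec["when"] > stats["last_denial"]:
            stats["last_denial"] = rec["when"]
    for stats in groups.values():
        stats["quiet"] = not stats["signatures"]
    return dict(groups)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so results repeat


def sample_line(days_ago, perms, comm, scon, tcon, tclass, permissive=None):
    """Build one constructed AVC record dated days_ago before NOW."""
    epoch = int((NOW - timedelta(days=days_ago)).timestamp())
    tail = "" if permissive is None else f" permissive={permissive}"
    return (f"type=AVC msg=audit({epoch}.101:{4000 + days_ago}): avc:  denied  "
            f'{{ {perms} }} for  pid=2101 comm="{comm}" '
            f"scontext=system_u:system_r:{scon}:s0 "
            f"tcontext=system_u:object_r:{tcon}:s0 tclass={tclass}{tail}")


# Constructed (host, audit line) pairs; hosts and contexts are illustrative only.
SAMPLE = [
    ("db1", sample_line(45, "read", "postmaster", "postgresql_t", "etc_t", "file", 0)),
    ("db2", "type=SYSCALL msg=audit(1717000000.101:77): arch=c000003e syscall=2 success=yes"),
    ("app1", sample_line(3, "name_connect", "httpd", "httpd_t", "port_t", "tcp_socket", 1)),
    ("app2", sample_line(3, "name_connect", "httpd", "httpd_t", "port_t", "tcp_socket", 1)),
    ("app1", sample_line(1, "write", "httpd", "httpd_t", "var_log_t", "file", 0)),
    ("proxy1", sample_line(10, "getattr", "haproxy", "haproxy_t", "etc_t", "file")),
    ("app1", 'type=AVC msg=audit(1717000000.101:78): avc:  denied  { read } for  pid=1 comm="x"'),
]

if __name__ == "__main__":
    for name, stats in sorted(readiness(SAMPLE, NOW).items()):
        verdict = "quiet for 30 days" if stats["quiet"] else "still generating denials"
        print(f"{name:6} enforced={stats['enforced']} permissive={stats['permissive']} "
              f"unknown={stats['unknown']} -> {verdict}")
```

Denials logged in permissive mode count against a group as well, since each one is an access that would be blocked after the switch to enforcing.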
From: mmcgrath at redhat.com (Mike McGrath) Date: Sat, 2 May 2009 15:45:53 -0500 (CDT) Subject: SELinux lockdown In-Reply-To: <20090502203902.GB15316@x300> References: <20090502203902.GB15316@x300> Message-ID: On Sat, 2 May 2009, Luke Macken wrote: > Hey everyone, > > So I've been doing a lot of SELinux/audit related work behind the scenes > within our infrastructure for a while now, working closely with Dan > Walsh and Steve Grubb. It's taken a lot of patience and hard work, but > we're finally at the point where we can start switching large portions > of our infrastructure over to SELinux Enforcing mode. > > The following server groups are now fully enforcing: > > o gateway > o people > o planet > o fas > o collab > o releng > o db > o torrent > o dns > > These are all groups of machines that have not had any SELinux > denials in at least a month. If you notice any issues with > regard to these groups, please speak up. > > I will be keeping a close eye on these machines, and I encourage anyone > that is interested to do the same. I threw together a little tool that > I've been using to monitor & manage SELinux on our machines. It uses > func, and allows you to do the following: > > Get the SELinux status: > > selinux-overlord.py --status > > Display all enforced denials: > > selinux-overlord.py --enforced-denials > > Dump all raw AVCs to disk. 
Each minion will have its own file: > > selinux-overlord.py --dump-avcs > > Upgrade the SELinux policy RPMs: > > selinux-overlord.py --upgrade-policy > > It defaults to querying all minions, but you can specify groups of them > if you wish: > > selinux-overlord.py --status app* db* > > This script should ideally be its own func module, but in the mean time > I added it to the fedora-infrastructure git repository: > > http://git.fedorahosted.org/git/?p=fedora-infrastructure.git;a=blob_plain;f=scripts/selinux/selinux-overlord.py;hb=HEAD > > More information on our SELinux deployment can be found in our > [out of date] SOP: http://fedoraproject.org/wiki/Infrastructure/SOP/SELinux > Thanks for working on this Luke. I just wanted to let people know that since we're not all trained on selinux yet if something is coming up that needs to be done "right now" like an outage, and selinux is preventing that, it's acceptable for now to put the box in permissive mode with: setenforce 0 But if you do that, you must open a ticket so that we can get the proper selinux policy updated. If you have any questions please talk to me or Luke and we'll figure something out. -Mike From smooge at gmail.com Sun May 3 01:05:03 2009 
From: smooge at gmail.com (Stephen John Smoogen) Date: Sat, 2 May 2009 19:05:03 -0600 Subject: SELinux lockdown In-Reply-To: <20090502203902.GB15316@x300> References: <20090502203902.GB15316@x300> Message-ID: <80d7e4090905021805qead9681jdabb96dbd5bf221e@mail.gmail.com> On Sat, May 2, 2009 at 2:39 PM, Luke Macken wrote: > Hey everyone, > > So I've been doing a lot of SELinux/audit related work behind the scenes > within our infrastructure for a while now, working closely with Dan > Walsh and Steve Grubb. It's taken a lot of patience and hard work, but > we're finally at the point where we can start switching large portions > of our infrastructure over to SELinux Enforcing mode. Congrats... I hearts selinux. I would like to go over how this was all accomplished.. [I will be looking forward to reading the class Dan does tomorrow too... ] > The following server groups are now fully enforcing: > > o gateway > o people > o planet > o fas > o collab > o releng > o db > o torrent > o dns > > These are all groups of machines that have not had any SELinux > denials in at least a month. If you notice any issues with > regard to these groups, please speak up. > > I will be keeping a close eye on these machines, and I encourage anyone > that is interested to do the same. I threw together a little tool that > I've been using to monitor & manage SELinux on our machines. It uses > func, and allows you to do the following: > > Get the SELinux status: > > selinux-overlord.py --status > > Display all enforced denials: > > selinux-overlord.py --enforced-denials Oooooh sexy. -- Stephen J Smoogen. -- BSD/GNU/Linux How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From mmcgrath at redhat.com Mon May 4 15:58:20 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Mon, 4 May 2009 10:58:20 -0500 (CDT) Subject: Outstanding F11 tickets Message-ID: So there are a number of F11 tickets outstanding right now assigned to a wide range of people. https://fedorahosted.org/fedora-infrastructure/query?status=new&status=assigned&status=reopened&milestone=Fedora+11 (http://tinyurl.com/dmb88h) Please do log in, close/fix the ticket, or give it a Fedora 12 milestone with an explanation of why it can't / shouldn't be done by F12. As always much of our team consists of volunteers and not having enough time is a completely valid reason for a project to not be complete. If you are on the below list you have a ticket assigned to you. If you are unable to work in the ticket any longer please find a replacement or assign it to "nobody" toshio, jcollie, mmcgrath, sysadmin-hosted-members, ausil, fchiulli, bretm, lmacken, jsmith, ricky, nigelj, ianweller, huzaifas, boodle, mdomsch, santosp, webmaster, ausil, sts, laxathom. -Mike From mmcgrath at redhat.com Tue May 5 15:59:06 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Tue, 5 May 2009 10:59:06 -0500 (CDT) Subject: Outage Notification - 2009-05-06 18:00 UTC Message-ID: There will be an outage starting at 2009-05-06 18:00 UTC, which will last approximately 2 hours. To convert UTC to your local time, take a look at http://fedoraproject.org/wiki/Infrastructure/UTCHowto or run: date -d '2009-05-06 18:00 UTC' Affected Services: Primary Mirror Server Fedora Wiki infrastructure.fedoraproject.org Unaffected Services: Buildsystem CVS / Source Control Database DNS Fedora Hosted Fedora People Fedora Talk Mail Mirror System Torrent Translation Services Websites Ticket Link: https://fedorahosted.org/fedora-infrastructure/ticket/1370 Reason for Outage: Firmware upgrade for our netapps. This will only take about 15 minutes or so but I've scheduled a larger window. This will take our primary mirror offline for a bit as well as the wiki uploads. Contact Information: Please join #fedora-admin in irc.freenode.net or respond to this email to track the status of this outage. From sundaram at fedoraproject.org Tue May 5 22:38:27 2009 
From: sundaram at fedoraproject.org (Rahul Sundaram) Date: Wed, 06 May 2009 04:08:27 +0530 Subject: Preventing ctrl-c from blocking CVS commit messages In-Reply-To: <20090430233949.GE30691@sphe.res.cmu.edu> References: <20090423203025.GE20235@sphe.res.cmu.edu> <20090430213027.GD30691@sphe.res.cmu.edu> <20090430233949.GE30691@sphe.res.cmu.edu> Message-ID: <4A00BFE3.6020908@fedoraproject.org> On 05/01/2009 05:09 AM, Ricky Zhou wrote: > On 2009-04-30 04:43:14 PM, Mike McGrath wrote: >> I was able to write the file and commit, I did ctl+c out of it after it >> hit the "Sleeping for 5 seconds bit" and my commit went through. I'm not >> quite sure what the intended behavior is, perhaps we should enable emails? >> Maybe you already did? > Sorry, my mistake. I made it log to > /home/fedora/ricky/repo/CVSROOT/commitlog and I forgot to chgrp the file > so that people in packager had write access to it. Could somebody in > packager test this out now? Did anyone test this out yet? If not, please post to fedora-devel list. Rahul From mmcgrath at redhat.com Wed May 6 01:10:09 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Tue, 5 May 2009 20:10:09 -0500 (CDT) Subject: Preventing ctrl-c from blocking CVS commit messages In-Reply-To: <4A00BFE3.6020908@fedoraproject.org> References: <20090423203025.GE20235@sphe.res.cmu.edu> <20090430213027.GD30691@sphe.res.cmu.edu> <20090430233949.GE30691@sphe.res.cmu.edu> <4A00BFE3.6020908@fedoraproject.org> Message-ID: On Wed, 6 May 2009, Rahul Sundaram wrote: > On 05/01/2009 05:09 AM, Ricky Zhou wrote: > > On 2009-04-30 04:43:14 PM, Mike McGrath wrote: > >> I was able to write the file and commit, I did ctl+c out of it after it > >> hit the "Sleeping for 5 seconds bit" and my commit went through. I'm not > >> quite sure what the intended behavior is, perhaps we should enable emails? > >> Maybe you already did? > > Sorry, my mistake. I made it log to > > /home/fedora/ricky/repo/CVSROOT/commitlog and I forgot to chgrp the file > > so that people in packager had write access to it. Could somebody in > > packager test this out now? > > Did anyone test this out yet? If not, please post to fedora-devel list. > I did a few times, I wasn't able to commit without log but I did wedge it once requiring manual intervention. -Mike From mmcgrath at redhat.com Wed May 6 16:20:50 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 6 May 2009 11:20:50 -0500 (CDT) Subject: db2 Message-ID: So xen13 actually seems (might be) fixed now. Hasn't rebooted since the tech went out. So I want to move the databases that should be on db2, back to db2. I know lots of work is being done right now though on various systems so I want to coordinate with everyone. Would scheduling downtime for Sunday afternoon work for everyone? -Mike From a.badger at gmail.com Wed May 6 16:56:11 2009 
From: a.badger at gmail.com (Toshio Kuratomi) Date: Wed, 06 May 2009 09:56:11 -0700 Subject: db2 In-Reply-To: References: Message-ID: <4A01C12B.2090207@gmail.com> Mike McGrath wrote: > So xen13 actually seems (might be) fixed now. Hasn't rebooted since the > tech went out. So I want to move the databases that should be on db2, > back to db2. I know lots of work is being done right now though on > various systems so I want to coordinate with everyone. > > Would scheduling downtime for Sunday afternoon work for everyone? > Sunday is Mother's Day. So I won't be doing any work involving the db then but also might not be available to help out. -Toshio From mmcgrath at redhat.com Wed May 6 19:02:10 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 6 May 2009 14:02:10 -0500 (CDT) Subject: Master Mirror Sync Status Message-ID: So a while ago I started trending our netapp snapshots. If you guys are curious here's the graph and data: http://mmcgrath.fedorapeople.org/transfer.tar.gz http://mmcgrath.fedorapeople.org/transfer_html_m74bc38de.jpg Really the only interesting info out of it is sync time, for the preview release looks like it started syncing at April 25 14:45:02 and seems to have been completely done by 15:12:01 -Mike From mmcgrath at redhat.com Wed May 6 20:54:26 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 6 May 2009 15:54:26 -0500 (CDT) Subject: RHEL4 Message-ID: Anyone against me removing the RHEL4 repos we have at infrastructure.fedoraproject.org? -Mike From mmcgrath at redhat.com Wed May 6 20:54:56 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 6 May 2009 15:54:56 -0500 (CDT) Subject: RHEL4 In-Reply-To: References: Message-ID: On Wed, 6 May 2009, Mike McGrath wrote: > Anyone against me removing the RHEL4 repos we have at > infrastructure.fedoraproject.org? > Oops, it dawned on me as soon as I clicked send that we build off of these repos. -Mike From smooge at gmail.com Wed May 6 20:56:02 2009 From: smooge at gmail.com (Stephen John Smoogen) Date: Wed, 6 May 2009 14:56:02 -0600 Subject: RHEL4 In-Reply-To: References: Message-ID: <80d7e4090905061356n7ceb6375yf183066d028ceb5f@mail.gmail.com> On Wed, May 6, 2009 at 2:54 PM, Mike McGrath wrote: > On Wed, 6 May 2009, Mike McGrath wrote: > >> Anyone against me removing the RHEL4 repos we have at >> infrastructure.fedoraproject.org? >> > > Oops, it dawned on me as soon as I clicked send that we build off of these > repos. > What is our usage of RHEL-4 versus 5 versus XYZ? -- Stephen J Smoogen. -- BSD/GNU/Linux How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From skvidal at fedoraproject.org Wed May 6 20:54:47 2009 From: skvidal at fedoraproject.org (Seth Vidal) Date: Wed, 6 May 2009 16:54:47 -0400 (EDT) Subject: RHEL4 In-Reply-To: References: Message-ID: On Wed, 6 May 2009, Mike McGrath wrote: > Anyone against me removing the RHEL4 repos we have at > infrastructure.fedoraproject.org? What does epel4 use? -sv From mmcgrath at redhat.com Wed May 6 20:58:54 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 6 May 2009 15:58:54 -0500 (CDT) Subject: RHEL4 In-Reply-To: <80d7e4090905061356n7ceb6375yf183066d028ceb5f@mail.gmail.com> References: <80d7e4090905061356n7ceb6375yf183066d028ceb5f@mail.gmail.com> Message-ID: On Wed, 6 May 2009, Stephen John Smoogen wrote: > On Wed, May 6, 2009 at 2:54 PM, Mike McGrath wrote: > > On Wed, 6 May 2009, Mike McGrath wrote: > > > >> Anyone against me removing the RHEL4 repos we have at > >> infrastructure.fedoraproject.org? > >> > > > > Oops, it dawned on me as soon as I clicked send that we build off of these > > repos. > > > > What is our usage of RHEL-4 versus 5 versus XYZ? > In terms of how often the repos get hit or Fedora Infrastructures RHEL install base? As far as our install base goes we have no RHEL4 boxes left. -Mike From smooge at gmail.com Wed May 6 21:01:04 2009 
From: smooge at gmail.com (Stephen John Smoogen) Date: Wed, 6 May 2009 15:01:04 -0600 Subject: RHEL4 In-Reply-To: References: <80d7e4090905061356n7ceb6375yf183066d028ceb5f@mail.gmail.com> Message-ID: <80d7e4090905061401t1baabffse39ca61528e616f4@mail.gmail.com> On Wed, May 6, 2009 at 2:58 PM, Mike McGrath wrote: > On Wed, 6 May 2009, Stephen John Smoogen wrote: > >> On Wed, May 6, 2009 at 2:54 PM, Mike McGrath wrote: >> > On Wed, 6 May 2009, Mike McGrath wrote: >> > >> >> Anyone against me removing the RHEL4 repos we have at >> >> infrastructure.fedoraproject.org? >> >> >> > >> > Oops, it dawned on me as soon as I clicked send that we build off of these >> > repos. >> > >> >> What is our usage of RHEL-4 versus 5 versus XYZ? >> > > In terms of how often the repos get hit or Fedora Infrastructures RHEL > install base? As far as our install base goes we have no RHEL4 boxes > left. Install base but then I realized that it might be used for EPEL stuff so I should include the first also. -- Stephen J Smoogen. -- BSD/GNU/Linux How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" From mmcgrath at redhat.com Wed May 6 21:07:06 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 6 May 2009 16:07:06 -0500 (CDT) Subject: RHEL4 In-Reply-To: <80d7e4090905061401t1baabffse39ca61528e616f4@mail.gmail.com> References: <80d7e4090905061356n7ceb6375yf183066d028ceb5f@mail.gmail.com> <80d7e4090905061401t1baabffse39ca61528e616f4@mail.gmail.com> Message-ID: On Wed, 6 May 2009, Stephen John Smoogen wrote: > On Wed, May 6, 2009 at 2:58 PM, Mike McGrath wrote: > > On Wed, 6 May 2009, Stephen John Smoogen wrote: > > > >> On Wed, May 6, 2009 at 2:54 PM, Mike McGrath wrote: > >> > On Wed, 6 May 2009, Mike McGrath wrote: > >> > > >> >> Anyone against me removing the RHEL4 repos we have at > >> >> infrastructure.fedoraproject.org? > >> >> > >> > > >> > Oops, it dawned on me as soon as I clicked send that we build off of these > >> > repos. > >> > > >> > >> What is our usage of RHEL-4 versus 5 versus XYZ? > >> > > > > In terms of how often the repos get hit or Fedora Infrastructures RHEL > > install base? As far as our install base goes we have no RHEL4 boxes > > left. > > Install base but then I realized that it might be used for EPEL stuff > so I should include the first also. > For the month of April requests for rhel4:rhel5 ratio were about 3:4 -Mike From laxathom at fedoraproject.org Wed May 6 22:43:57 2009 
From: laxathom at fedoraproject.org (Xavier Lamien) Date: Thu, 7 May 2009 00:43:57 +0200 Subject: db2 In-Reply-To: References: Message-ID: <62bc09df0905061543t430229bfpfa6efd3ea5384d29@mail.gmail.com> I'm ok with Sunday afternoon. On May 6, 2009 6:21 PM, "Mike McGrath" wrote: So xen13 actually seems (might be) fixed now. Hasn't rebooted since the tech went out. So I want to move the databases that should be on db2, back to db2. I know lots of work is being done right now though on various systems so I want to coordinate with everyone. Would scheduling downtime for Sunday afternoon work for everyone? -Mike From abu_hurayrah at hidayahonline.org Thu May 7 06:16:26 2009 
From: abu_hurayrah at hidayahonline.org (Basil Mohamed Gohar) Date: Thu, 07 May 2009 14:16:26 +0800 Subject: Master Mirror Sync Status In-Reply-To: References: Message-ID: <4A027CBA.9060906@hidayahonline.org> On 05/07/2009 03:02 AM, Mike McGrath wrote: > So a while ago I started trending our netapp snapshots. If you guys are > curious here's the graph and data: > > http://mmcgrath.fedorapeople.org/transfer.tar.gz > > http://mmcgrath.fedorapeople.org/transfer_html_m74bc38de.jpg > > Really the only interesting info out of it is sync time, for the preview > release looks like it started syncing at April 25 14:45:02 and seems to > have been completely done by 15:12:01 > > -Mike Sorry to be annoyingly pedantic here, but if you have the option, simple graphics like this consisting mostly of straight lines, solid colors, and text would best be saved as a PNG or other lossless format. The size would (usually) be smaller & quality would (undoubtedly) be superior. -- Basil Mohamed Gohar abu_hurayrah at hidayahonline.org http://www.basilgohar.com/blog/ basilgohar on irc.freenode.net From mmcgrath at redhat.com Thu May 7 13:09:05 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Thu, 7 May 2009 08:09:05 -0500 (CDT) Subject: Master Mirror Sync Status In-Reply-To: <4A027CBA.9060906@hidayahonline.org> References: <4A027CBA.9060906@hidayahonline.org> Message-ID: On Thu, 7 May 2009, Basil Mohamed Gohar wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/07/2009 03:02 AM, Mike McGrath wrote: > > So a while ago I started trending our netapp snapshots. If you guys are > > curious here's the graph and data: > > > > http://mmcgrath.fedorapeople.org/transfer.tar.gz > > > > http://mmcgrath.fedorapeople.org/transfer_html_m74bc38de.jpg > > > > Really the only interesting info out of it is sync time, for the preview > > release looks like it started syncing at April 25 14:45:02 and seems to > > have been completely done by 15:12:01 > > > > -Mike > Sorry to be annoyingly pedantic here, but if you have the option, simple > graphics like this consisting mostly of straight lines, solid colors, > and text would best be saved as a PNG or other lossless format. The > size would (usually) be smaller & quality would (undoubtedly) be superior. > If you know how to get oocalc to do that let me know, I just export the thing as an html doc, it does the rest for me. -Mike From abu_hurayrah at hidayahonline.org Thu May 7 13:21:03 2009 
From: abu_hurayrah at hidayahonline.org (Basil Mohamed Gohar) Date: Thu, 07 May 2009 21:21:03 +0800 Subject: Master Mirror Sync Status In-Reply-To: References: <4A027CBA.9060906@hidayahonline.org> Message-ID: <4A02E03F.8000208@hidayahonline.org> On 05/07/2009 09:09 PM, Mike McGrath wrote: > On Thu, 7 May 2009, Basil Mohamed Gohar wrote: >> Sorry to be annoyingly pedantic here, but if you have the option, simple >> graphics like this consisting mostly of straight lines, solid colors, >> and text would best be saved as a PNG or other lossless format. The >> size would (usually) be smaller & quality would (undoubtedly) be superior. >> > > If you know how to get oocalc to do that let me know, I just export the > thing as an html doc, it does the rest for me. > > -Mike > Print Screen? ;) -- Basil Mohamed Gohar abu_hurayrah at hidayahonline.org http://www.basilgohar.com/blog/ basilgohar on irc.freenode.net From marcelo.maia.garcia at googlemail.com Thu May 7 21:00:26 2009 
From: marcelo.maia.garcia at googlemail.com (Marcelo M. Garcia) Date: Thu, 07 May 2009 22:00:26 +0100 Subject: How to generate a .template and .jigdo from an iso image? Message-ID: <4A034BEA.4000906@googlemail.com> Hi. I'm interested in generating the .jigdo and .template from a .iso image. I couldn't find much information on this. It would be a straightforward process, just run "jigdo-file file.iso" and I would have my .jigdo and my .template. The problem is doing like this, my .template has almost the same size of the .iso image. I noticed that the Fedora 11 x86_64 has only 11.1M. My question is how to do that? How to get a .template so small? Where I can get a good documentation about jigdo-file? The official web site[1] it isn't very helpful. Thanks Marcelo [1] http://atterer.net/jigdo/ From ivazqueznet at gmail.com Fri May 8 00:02:09 2009 
From: ivazqueznet at gmail.com (Ignacio Vazquez-Abrams)
Date: Thu, 07 May 2009 20:02:09 -0400
Subject: How to generate a .template and .jigdo from an iso image?
In-Reply-To: <4A034BEA.4000906@googlemail.com>
References: <4A034BEA.4000906@googlemail.com>
Message-ID: <1241740929.12122.349.camel@ignacio.lan>

On Thu, 2009-05-07 at 22:00 +0100, Marcelo M. Garcia wrote:
> Hi.
>
> I'm interested in generating the .jigdo and .template from a .iso image.
> I couldn't find much information on this. It would be a straightforward
> process, just run "jigdo-file file.iso" and I would have my .jigdo and
> my .template.
>
> The problem is doing like this, my .template has almost the same size of
> the .iso image. I noticed that the Fedora 11 x86_64 has only 11.1M. My
> question is how to do that? How to get a .template so small?
>
> Where I can get a good documentation about jigdo-file? The official web
> site[1] it isn't very helpful.
>
> Thanks
>
> Marcelo

From man 1 jigdo-file:

"""
jigdo-file COMMAND
    [ --image=cdrom.iso ] [ --jigdo=cdrom.jigdo ]
    [ --template=cdrom.template ] [ --force ]
    [ MORE OPTIONS ] [ FILES ... | --files-from=f ]
Common COMMANDs: make-template, make-image, verify

...

-i --image=cdrom.iso
    Specify location of the file containing the image. The image is the
    large file that you want to distribute.

-j --jigdo=cdrom.jigdo
    Specify location of the Jigsaw Download description file. The jigdo
    file is a human-readable file generated by jigdo-file, to which you
    add information about all the servers you are going to upload the
    files to. jigdo will download this file as the first step of
    retrieving the image.

-t --template=cdrom.template
    Specify location of the image "template" file. The template file is
    a binary file generated by jigdo-file, it contains information on
    how to reassemble the image and also (in compressed form) all the
    data from the image which was not found in any of the parts.

    Depending on the command, each of these three files is used
    sometimes for input, sometimes for output. If the file is to be used
    for output for a particular command and the output file already
    exists, jigdo-file exits with an error, unless --force is present.

    In most cases, you will only need to specify one out of -i -j -t,
    because any missing filenames will be deduced from the one you
    specify. This is done by first stripping any extension from the
    supplied name and then appending nothing (if deducing --image),
    ".jigdo" or ".template".

...

FILES
    Names of files or directories to use as input. These are the parts
    that are contained in the image. In case one of the names is a
    directory, the program recursively scans the directory and adds all
    files contained in it. While doing this, it follows symbolic links,
    but avoids symlink loops.

    If one of the filenames starts with the character "-", you must
    precede the list of files with "--". A value of "-" has no special
    meaning in this list, it stands for a file whose name is a single
    hyphen.
"""

-- 
Ignacio Vazquez-Abrams

PLEASE don't CC me; I'm already subscribed

From piranzo at redhat.com Fri May 8 06:26:38 2009
From: piranzo at redhat.com (Pablo Iranzo Gómez)
Date: Fri, 8 May 2009 02:26:38 -0400 (EDT)
Subject: How to generate a .template and .jigdo from an iso image?
In-Reply-To: <1241740929.12122.349.camel@ignacio.lan>
Message-ID: <13649150.101241764011286.JavaMail.iranzo@iranzo.usersys.redhat.com>

Hi

----- "Ignacio Vazquez-Abrams" wrote:

> On Thu, 2009-05-07 at 22:00 +0100, Marcelo M. Garcia wrote:
> > Hi.
> >
> > I'm interested in generating the .jigdo and .template from a .iso
> image.
> > I couldn't find much information on this. It would be a
> straightforward
> > process, just run "jigdo-file file.iso" and I would have my .jigdo
> and
> > my .template.
> >
> > The problem is doing like this, my .template has almost the same
> size of
> > the .iso image. I noticed that the Fedora 11 x86_64 has only 11.1M.
> My
> > question is how to do that? How to get a .template so small?
> >
> > Where I can get a good documentation about jigdo-file? The official
> web
> > site[1] it isn't very helpful.
> >
> > Thanks
> >
> > Marcelo
>
> From man 1 jigdo-file:
>
> """
> jigdo-file COMMAND
> [ --image=cdrom.iso ] [ --jigdo=cdrom.jigdo ]
> [ --template=cdrom.template ] [ --force ] [
> MORE OPTIONS ] [ FILES ... | --files-from=f ]
> Common COMMANDs: make-template, make-image,
> verify

Ignacio, the problem with size is probably because not having files
available, what I used is
https://alufis35.uv.es/Creando-plantillas-Jigdo-Jigsaw.html, translating it:

Having iso original file at path/iso/ and having the iso loopback mounted
and available at path/tree/

We should run

    jigdo-file mt -i path/iso/Fedora.iso -j Fedora-DVD.jigdo -t Fedora-DVD.template --uri fedoramirrors=http://whatevermirror path/tree/

After some checks, trying to download missing files it will create the
template and .jigdo and hopefully, will be a small one ;)

Regards
Pablo

-- 
Pablo Iranzo Gómez
(Pablo.Iranzo at redhat.com)
RHC{SP,E,SS,DS,A}
Senior Global Professional Services Consultant
Phone: +34 645 01 01 49 (CET/CEST)
GnuPG KeyID: 0xFAD3CF0D
-- 
Registered in the Madrid Commercial Registry - C.I.F. B-82 65 79 41
Directors: Michael Cunningham, Charlie Peters and David Owens
Registered address: Red Hat S.L., C/ Velazquez 63, Madrid 28001, Spain
Contact address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, Planta 3ºD, 28016 Madrid, Spain

From marcelo.maia.garcia at googlemail.com Fri May 8 06:35:09 2009
From: marcelo.maia.garcia at googlemail.com (Marcelo M. Garcia)
Date: Fri, 08 May 2009 07:35:09 +0100
Subject: How to generate a .template and .jigdo from an iso image?
In-Reply-To: <1241740929.12122.349.camel@ignacio.lan>
References: <4A034BEA.4000906@googlemail.com> <1241740929.12122.349.camel@ignacio.lan>
Message-ID: <4A03D29D.7060408@googlemail.com>

Hi

I read the man page. It says that I have to specify only one of the
options "-i", "-j" or "-t". OK. If I use only -i, my template has the
same size of image, then there is no point in using jigdo. There must be
something more.

My question is how Fedora generates the .template with only 11.1M? The
command "jigdo-file -i CentOS-5.3-i386-bin-DVD.iso" it's not enough.

Regards

Marcelo

Ignacio Vazquez-Abrams wrote:
> On Thu, 2009-05-07 at 22:00 +0100, Marcelo M. Garcia wrote:
>> Hi.
>>
>> I'm interested in generating the .jigdo and .template from a .iso image.
>> I couldn't find much information on this. It would be a straightforward
>> process, just run "jigdo-file file.iso" and I would have my .jigdo and
>> my .template.
>>
>> The problem is doing like this, my .template has almost the same size of
>> the .iso image. I noticed that the Fedora 11 x86_64 has only 11.1M. My
>> question is how to do that? How to get a .template so small?
>>
>> Where I can get a good documentation about jigdo-file? The official web
>> site[1] it isn't very helpful.
>>
>> Thanks
>>
>> Marcelo
>
> From man 1 jigdo-file:
>
> """
> jigdo-file COMMAND
>     [ --image=cdrom.iso ] [ --jigdo=cdrom.jigdo ]
>     [ --template=cdrom.template ] [ --force ] [ MORE OPTIONS ]
>     [ FILES ... | --files-from=f ]
>     Common COMMANDs: make-template, make-image, verify
>
> ...
>
> -i --image=cdrom.iso
>     Specify location of the file containing the image. The image is
>     the large file that you want to distribute.
>
> -j --jigdo=cdrom.jigdo
>     Specify location of the Jigsaw Download description file. The
>     jigdo file is a human-readable file generated by jigdo-file, to
>     which you add information about all the servers you are going to
>     upload the files to. jigdo will download this file as the first
>     step of retrieving the image.
>
> -t --template=cdrom.template
>     Specify location of the image "template" file. The template file
>     is a binary file generated by jigdo-file, it contains information
>     on how to reassemble the image and also (in compressed form) all
>     the data from the image which was not found in any of the parts.
>
>     Depending on the command, each of these three files is used
>     sometimes for input, sometimes for output. If the file is to be
>     used for output for a particular command and the output file
>     already exists, jigdo-file exits with an error, unless --force is
>     present.
>
>     In most cases, you will only need to specify one out of -i -j -t,
>     because any missing filenames will be deduced from the one you
>     specify. This is done by first stripping any extension from the
>     supplied name and then appending nothing (if deducing --image),
>     ".jigdo" or ".template".
>
> ...
>
> FILES
>     Names of files or directories to use as input. These are the
>     parts that are contained in the image. In case one of the names
>     is a directory, the program recursively scans the directory and
>     adds all files contained in it. While doing this, it follows
>     symbolic links, but avoids symlink loops.
>
>     If one of the filenames starts with the character "-", you must
>     precede the list of files with "--". A value of "-" has no
>     special meaning in this list, it stands for a file whose name is
>     a single hyphen.
> """

From ivazqueznet at gmail.com Fri May 8 06:52:00 2009
From: ivazqueznet at gmail.com (Ignacio Vazquez-Abrams)
Date: Fri, 08 May 2009 02:52:00 -0400
Subject: How to generate a .template and .jigdo from an iso image?
In-Reply-To: <4A03D29D.7060408@googlemail.com>
References: <4A034BEA.4000906@googlemail.com> <1241740929.12122.349.camel@ignacio.lan> <4A03D29D.7060408@googlemail.com>
Message-ID: <1241765520.4210.3.camel@ignacio.ignacio.lan>

On Fri, 2009-05-08 at 07:35 +0100, Marcelo M. Garcia wrote:
> Hi
>
> I read the man page. It says that I have to specify only one of the
> options "-i", "-j" or "-t". OK. If I use only -i, my template has the
> same size of image, then there is no point in using jigdo. There must be
> something more.
>
> My question is how Fedora generates the .template with only 11.1M? The
> command "jigdo-file -i CentOS-5.3-i386-bin-DVD.iso" it's not enough.

Did you read the part that says "FILES"?

--
Ignacio Vazquez-Abrams

PLEASE don't CC me; I'm already subscribed

From sundaram at fedoraproject.org Fri May 8 14:07:01 2009
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Fri, 08 May 2009 19:37:01 +0530
Subject: wiki caching old content
Message-ID: <4A043C85.4000202@fedoraproject.org>

Hi,

For the past few weeks, I have the problem with the wiki. It shows
really old content (several weeks old) unless I login. I heard this was
a side effect of some sort of caching mechanism but it shouldn't really
be working this way. I can see this at for example,

http://fedoraproject.org/wiki/Fedora_11_FAQ

http://fedoraproject.org/wiki/Easter_Eggs

Login and you will see very different content.

Rahul

From mmcgrath at redhat.com Fri May 8 14:16:04 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 8 May 2009 09:16:04 -0500 (CDT)
Subject: wiki caching old content
In-Reply-To: <4A043C85.4000202@fedoraproject.org>
References: <4A043C85.4000202@fedoraproject.org>
Message-ID:

On Fri, 8 May 2009, Rahul Sundaram wrote:

> Hi,
>
> For the past few weeks, I have the problem with the wiki. It shows
> really old content (several weeks old) unless I login. I heard this was
> a side effect of some sort of caching mechanism but it shouldn't really
> be working this way. I can see this at for example,
>
> http://fedoraproject.org/wiki/Fedora_11_FAQ
>
> http://fedoraproject.org/wiki/Easter_Eggs
>
> Login and you will see very different content.
>

If only there were some issue tracking system that one could notify the
infrastructure team of problems so we can track them.

-Mike

From sundaram at fedoraproject.org Fri May 8 14:25:23 2009
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Fri, 08 May 2009 19:55:23 +0530
Subject: wiki caching old content
In-Reply-To:
References: <4A043C85.4000202@fedoraproject.org>
Message-ID: <4A0440D3.5030106@fedoraproject.org>

On 05/08/2009 07:46 PM, Mike McGrath wrote:
> On Fri, 8 May 2009, Rahul Sundaram wrote:
>
>> Hi,
>>
>> For the past few weeks, I have the problem with the wiki. It shows
>> really old content (several weeks old) unless I login. I heard this was
>> a side effect of some sort of caching mechanism but it shouldn't really
>> be working this way. I can see this at for example,
>>
>> http://fedoraproject.org/wiki/Fedora_11_FAQ
>>
>> http://fedoraproject.org/wiki/Easter_Eggs
>>
>> Login and you will see very different content.
>>
>
> If only there were some issue tracking system that one could notify the
> infrastructure team of problems so we can track them.

Mike - Drop the sarcasm. It is not very helpful. I do report issues to
tracker but I wanted to ask here first in this instance. Would you mind
responding to the actual problem or let somebody who knows what is
happening, do that?

Rahul

From mmcgrath at redhat.com Fri May 8 14:24:48 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 8 May 2009 09:24:48 -0500 (CDT)
Subject: wiki caching old content
In-Reply-To: <4A0440D3.5030106@fedoraproject.org>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org>
Message-ID:

On Fri, 8 May 2009, Rahul Sundaram wrote:

> On 05/08/2009 07:46 PM, Mike McGrath wrote:
> > On Fri, 8 May 2009, Rahul Sundaram wrote:
> >
> >> Hi,
> >>
> >> For the past few weeks, I have the problem with the wiki. It shows
> >> really old content (several weeks old) unless I login. I heard this was
> >> a side effect of some sort of caching mechanism but it shouldn't really
> >> be working this way. I can see this at for example,
> >>
> >> http://fedoraproject.org/wiki/Fedora_11_FAQ
> >>
> >> http://fedoraproject.org/wiki/Easter_Eggs
> >>
> >> Login and you will see very different content.
> >>
> >
> > If only there were some issue tracking system that one could notify the
> > infrastructure team of problems so we can track them.
>
> Mike - Drop the sarcasm. It is not very helpful. I do report issues to
> tracker but I wanted to ask here first in this instance. Would you mind
> responding to the actual problem or let somebody who knows what is
> happening, do that?
>

We have an issue tracking system that people can use to report issues to
us. It can be found at: https://fedorahosted.org/fedora-infrastructure/
After logging in click new ticket.

This process is further documented at:

http://fedoraproject.org/wiki/Infrastructure/ReportProblem

-Mike

From sundaram at fedoraproject.org Fri May 8 14:40:44 2009
From: sundaram at fedoraproject.org (Rahul Sundaram)
Date: Fri, 08 May 2009 20:10:44 +0530
Subject: wiki caching old content
In-Reply-To:
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org>
Message-ID: <4A04446C.6080703@fedoraproject.org>

On 05/08/2009 07:54 PM, Mike McGrath wrote:
>
> We have an issue tracking system that people can use to report issues to
> us. It can be found at: https://fedorahosted.org/fedora-infrastructure/
> After logging in click new ticket.
>
> This process is further documented at:
>
> http://fedoraproject.org/wiki/Infrastructure/ReportProblem
>

Let me repeat myself then. I am already aware of the presence of a
tracking system and you are well aware, that I know of it since you have
personally closed many of the issues I have reported there.

This doesn't mean that I can't raise an issue in the mailing list. Does
it? Now, if someone can answer the actual question asked, that would be
helpful. Thanks.

Rahul

From me at davidjmemmett.co.uk Fri May 8 14:51:48 2009
From: me at davidjmemmett.co.uk (David JM Emmett)
Date: Fri, 08 May 2009 15:51:48 +0100
Subject: wiki caching old content
In-Reply-To: <4A04446C.6080703@fedoraproject.org>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org>
Message-ID: <1241794308.11020.80.camel@can11.canstudiosltd.thecan>

What language was the wiki developed using: PHP, Python... etc?
Is it bespoke/some open source project?
Is there any client side caching, i.e. does everyone get the same cached
version?

I'm new to this list so please forgive me for any lack of understanding.

Cheers,

David

On Fri, 2009-05-08 at 20:10 +0530, Rahul Sundaram wrote:
> On 05/08/2009 07:54 PM, Mike McGrath wrote:
> >
> > We have an issue tracking system that people can use to report issues to
> > us. It can be found at: https://fedorahosted.org/fedora-infrastructure/
> > After logging in click new ticket.
> >
> > This process is further documented at:
> >
> > http://fedoraproject.org/wiki/Infrastructure/ReportProblem
> >
>
> Let me repeat myself then. I am already aware of the presence of a
> tracking system and you are well aware, that I know of it since you have
> personally closed many of the issues I have reported there.
>
> This doesn't mean that I can't raise an issue in the mailing list. Does
> it? Now, if someone can answer the actual question asked, that would be
> helpful. Thanks.
>
> Rahul

From mmcgrath at redhat.com Fri May 8 15:26:28 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 8 May 2009 10:26:28 -0500 (CDT)
Subject: wiki caching old content
In-Reply-To: <1241794308.11020.80.camel@can11.canstudiosltd.thecan>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan>
Message-ID:

On Fri, 8 May 2009, David JM Emmett wrote:

> What language was the wiki developed using: PHP, Python... etc?
> Is it bespoke/some open source project?
> Is there any client side caching, i.e. does everyone get the same cached
> version?
>
> I'm new to this list so please forgive me for any lack of understanding.
>

php, there is both client side caching and proxy level caching. It's
mediawiki. I opened a ticket:

https://fedorahosted.org/fedora-infrastructure/ticket/1375

and am looking at it now.

-Mike

> Cheers,
>
> David
>
> On Fri, 2009-05-08 at 20:10 +0530, Rahul Sundaram wrote:
> > On 05/08/2009 07:54 PM, Mike McGrath wrote:
> > >
> > > We have an issue tracking system that people can use to report issues to
> > > us. It can be found at: https://fedorahosted.org/fedora-infrastructure/
> > > After logging in click new ticket.
> > >
> > > This process is further documented at:
> > >
> > > http://fedoraproject.org/wiki/Infrastructure/ReportProblem
> > >
> >
> > Let me repeat myself then. I am already aware of the presence of a
> > tracking system and you are well aware, that I know of it since you have
> > personally closed many of the issues I have reported there.
> >
> > This doesn't mean that I can't raise an issue in the mailing list. Does
> > it? Now, if someone can answer the actual question asked, that would be
> > helpful. Thanks.
> >
> > Rahul
>

From mmcgrath at redhat.com Fri May 8 15:29:42 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 8 May 2009 10:29:42 -0500 (CDT)
Subject: wiki caching old content
In-Reply-To:
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan>
Message-ID:

On Fri, 8 May 2009, Mike McGrath wrote:

> On Fri, 8 May 2009, David JM Emmett wrote:
>
> > What language was the wiki developed using: PHP, Python... etc?
> > Is it bespoke/some open source project?
> > Is there any client side caching, i.e. does everyone get the same cached
> > version?
> >
> > I'm new to this list so please forgive me for any lack of understanding.
> >
>
> php, there is both client side caching and proxy level caching. It's
> mediawiki. I opened a ticket:
>
> https://fedorahosted.org/fedora-infrastructure/ticket/1375
>
> and am looking at it now.
>

Sorry, by 'client side' I intended to say 'mediawiki'

-Mike

From josemanimala at gmail.com Fri May 8 15:32:59 2009
From: josemanimala at gmail.com (jose manimala)
Date: Fri, 8 May 2009 21:02:59 +0530
Subject: wiki caching old content
In-Reply-To:
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan>
Message-ID: <53a863600905080832s2d73d355if4bb6ca57f8ed4b@mail.gmail.com>

Hello,
I have seen it happen very often with Google Chrome. But on Firefox I
fixed it by just refreshing the browser cache... I don't know if this
helps....

Jose

On Fri, May 8, 2009 at 8:59 PM, Mike McGrath wrote:

> On Fri, 8 May 2009, Mike McGrath wrote:
>
> > On Fri, 8 May 2009, David JM Emmett wrote:
> >
> > > What language was the wiki developed using: PHP, Python... etc?
> > > Is it bespoke/some open source project?
> > > Is there any client side caching, i.e. does everyone get the same cached
> > > version?
> > >
> > > I'm new to this list so please forgive me for any lack of understanding.
> > >
> >
> > php, there is both client side caching and proxy level caching. It's
> > mediawiki. I opened a ticket:
> >
> > https://fedorahosted.org/fedora-infrastructure/ticket/1375
> >
> > and am looking at it now.
> >
>
> Sorry, by 'client side' I intended to say 'mediawiki'
>
> -Mike
>

--
Jose M Manimala
http://www.jmmblog.in.eu.org
Ph: +919790824111
GPGkeyID: F5DD9656

From ricky at fedoraproject.org Sat May 9 00:40:57 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 8 May 2009 20:40:57 -0400
Subject: Outage Notification - 2009-05-09 00:00 UTC
Message-ID: <20090509004057.GB27647@alpha.rzhou.org>

Outage Notification - 2009-05-09 00:00 UTC

There was an unplanned outage starting at 2009-05-09 00:00 UTC. PHX
people have been notified and are currently looking into the issue.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2009-05-09 00:00 UTC'

Affected Services:

Buildsystem
CVS / Source Control
Database
Mail
Translation Services
Websites

Unaffected Services:
DNS
Fedora Hosted
Fedora People
Fedora Talk
Mirror System
Torrent

Ticket Link:
Can't make one, since DB is down :-)

Reason for Outage:
Unknown PHX network outage.

Contact Information:

Please join #fedora-admin in irc.freenode.net or respond to this email to track
the status of this outage.

From ricky at fedoraproject.org Sat May 9 01:22:00 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 8 May 2009 21:22:00 -0400
Subject: Outage Notification - 2009-05-09 00:00 UTC
In-Reply-To: <20090509004057.GB27647@alpha.rzhou.org>
References: <20090509004057.GB27647@alpha.rzhou.org>
Message-ID: <20090509012200.GC27647@alpha.rzhou.org>

On 2009-05-08 08:40:57 PM, Ricky Zhou wrote:
> Outage Notification - 2009-05-09 00:00 UTC
>
> There was an unplanned outage starting at 2009-05-09 00:00 UTC. PHX
> people have been notified and are currently looking into the issue.
>
> To convert UTC to your local time, take a look at
> http://fedoraproject.org/wiki/Infrastructure/UTCHowto
> or run:
>
> date -d '2009-05-09 00:00 UTC'
>
> Affected Services:
>
> Buildsystem
> CVS / Source Control
> Database
> Mail
> Translation Services
> Websites
>
> Unaffected Services:
> DNS
> Fedora Hosted
> Fedora People
> Fedora Talk
> Mirror System
> Torrent
>
> Ticket Link:
> Can't make one, since DB is down :-)
>
> Reason for Outage:
> Unknown PHX network outage.
>
> Contact Information:
>
> Please join #fedora-admin in irc.freenode.net or respond to this email to track
> the status of this outage.

Everything should be back up now. Apparently, there was a loose wire
somewhere :-)

Thanks,
Ricky

From me at davidjmemmett.co.uk Sat May 9 13:17:20 2009
From: me at davidjmemmett.co.uk (David JM Emmett)
Date: Sat, 09 May 2009 14:17:20 +0100
Subject: wiki caching old content
In-Reply-To: <53a863600905080832s2d73d355if4bb6ca57f8ed4b@mail.gmail.com>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan> <53a863600905080832s2d73d355if4bb6ca57f8ed4b@mail.gmail.com>
Message-ID: <1241875040.11020.87.camel@can11.canstudiosltd.thecan>

With mediawiki, you can purge the server cache by setting the GET var
"action=purge".

As for client-side caching - how long is the cache valid?
Can you look at the RAW HTTP Response headers and find out the contents
of: "Cache-Control" and "Expires"?

Cheers,

David

On Fri, 2009-05-08 at 21:02 +0530, jose manimala wrote:
> Hello,
> I have seen it happen very often with Google Chrome. But on
> firefox i fixed it by just refreshing the browser cache... I dont know
> if this helps....
>
> Jose
>
> On Fri, May 8, 2009 at 8:59 PM, Mike McGrath wrote:
> > On Fri, 8 May 2009, Mike McGrath wrote:
> >
> > > On Fri, 8 May 2009, David JM Emmett wrote:
> > >
> > > > What language was the wiki developed using: PHP, Python... etc?
> > > > Is it bespoke/some open source project?
> > > > Is there any client side caching, i.e. does everyone get the same cached
> > > > version?
> > > >
> > > > I'm new to this list so please forgive me for any lack of understanding.
> > > >
> > >
> > > php, there is both client side caching and proxy level caching. It's
> > > mediawiki. I opened a ticket:
> > >
> > > https://fedorahosted.org/fedora-infrastructure/ticket/1375
> > >
> > > and am looking at it now.
> > >
> >
> > Sorry, by 'client side' I intended to say 'mediawiki'
> >
> > -Mike
>
> --
> Jose M Manimala
> http://www.jmmblog.in.eu.org
> Ph: +919790824111
> GPGkeyID: F5DD9656

From me at davidjmemmett.co.uk Sat May 9 13:19:43 2009
From: me at davidjmemmett.co.uk (David JM Emmett)
Date: Sat, 09 May 2009 14:19:43 +0100
Subject: wiki caching old content
In-Reply-To: <1241875040.11020.87.camel@can11.canstudiosltd.thecan>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan> <53a863600905080832s2d73d355if4bb6ca57f8ed4b@mail.gmail.com> <1241875040.11020.87.camel@can11.canstudiosltd.thecan>
Message-ID: <1241875183.11020.89.camel@can11.canstudiosltd.thecan>

Also the "Pragma" header.

On Sat, 2009-05-09 at 14:17 +0100, David JM Emmett wrote:
> With mediawiki, you can purge the server cache by setting the GET var
> "action=purge".
>
> As for client-side caching - how long is the cache valid?
> Can you look at the RAW HTTP Response headers and find out the contents
> of: "Cache-Control" and "Expires"?
>
> Cheers,
>
> David
>
> On Fri, 2009-05-08 at 21:02 +0530, jose manimala wrote:
> > Hello,
> > I have seen it happen very often with Google Chrome. But on
> > firefox i fixed it by just refreshing the browser cache... I dont know
> > if this helps....
> >
> > Jose
> >
> > On Fri, May 8, 2009 at 8:59 PM, Mike McGrath wrote:
> > > On Fri, 8 May 2009, Mike McGrath wrote:
> > >
> > > > On Fri, 8 May 2009, David JM Emmett wrote:
> > > >
> > > > > What language was the wiki developed using: PHP, Python... etc?
> > > > > Is it bespoke/some open source project?
> > > > > Is there any client side caching, i.e. does everyone get the same cached
> > > > > version?
> > > > >
> > > > > I'm new to this list so please forgive me for any lack of understanding.
> > > > >
> > > >
> > > > php, there is both client side caching and proxy level caching. It's
> > > > mediawiki. I opened a ticket:
> > > >
> > > > https://fedorahosted.org/fedora-infrastructure/ticket/1375
> > > >
> > > > and am looking at it now.
> > > >
> > >
> > > Sorry, by 'client side' I intended to say 'mediawiki'
> > >
> > > -Mike
> >
> > --
> > Jose M Manimala
> > http://www.jmmblog.in.eu.org
> > Ph: +919790824111
> > GPGkeyID: F5DD9656

From ian at ianweller.org Sat May 9 14:29:34 2009
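The header check asked for in the two messages above ("Cache-Control", "Expires", "Pragma"), as an added example that is not part of the original thread: it parses a raw response and reports how long a shared proxy and a browser may each reuse it. The sample responses are constructed for illustration and are not captured from fedoraproject.org; all function names are this example's own.

```python
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed samples: an anonymous page view, a logged-in view, and two
# HTTP/1.0-style responses that carry only Expires / Pragma.
ANON_RESPONSE = """\
HTTP/1.1 200 OK
Date: Fri, 08 May 2009 14:00:00 GMT
Cache-Control: s-maxage=2678400, must-revalidate, max-age=0
Vary: Accept-Encoding, Cookie
"""
LOGGED_IN_RESPONSE = """\
HTTP/1.1 200 OK
Date: Fri, 08 May 2009 14:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Vary: Accept-Encoding, Cookie
"""
LEGACY_RESPONSE = """\
HTTP/1.0 200 OK
Date: Fri, 08 May 2009 14:00:00 GMT
Expires: Fri, 08 May 2009 15:00:00 GMT
"""
PRAGMA_RESPONSE = """\
HTTP/1.0 200 OK
Date: Fri, 08 May 2009 14:00:00 GMT
Pragma: no-cache
Expires: 0
"""


def parse_headers(raw):
    """Parse a raw response head, dropping the status line if present."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]
    return Parser().parsestr("\n".join(lines) + "\n\n", headersonly=True)


def parse_cache_control(value):
    """Split Cache-Control into {directive: argument-or-None}.

    Simple splitter: does not handle commas inside quoted arguments.
    """
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def http_date(value):
    """Return a datetime for an HTTP date, or None if missing or invalid."""
    if not value:
        return None
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None


def seconds(text):
    """Parse delta-seconds; a malformed value counts as 0 (already stale)."""
    try:
        return max(int(text), 0)
    except (TypeError, ValueError):
        return 0


def freshness(raw, shared):
    """Return (storable, lifetime_seconds_or_None, reason) for one cache.

    shared=True models a proxy cache, shared=False a browser cache.
    """
    headers = parse_headers(raw)
    cc = parse_cache_control(", ".join(headers.get_all("Cache-Control", [])))
    if "no-store" in cc:
        return (False, 0, "no-store")
    if shared and "private" in cc:
        return (False, 0, "private")
    if "no-cache" in cc:
        return (True, 0, "no-cache")
    if shared and "s-maxage" in cc:
        return (True, seconds(cc["s-maxage"]), "s-maxage")
    if "max-age" in cc:
        return (True, seconds(cc["max-age"]), "max-age")
    # Pragma has no specified meaning in responses; this example treats it
    # like no-cache only when Cache-Control is absent.
    if not cc and "no-cache" in (headers.get("Pragma") or "").lower():
        return (True, 0, "Pragma: no-cache")
    if headers.get("Expires") is not None:
        expires, date = http_date(headers["Expires"]), http_date(headers.get("Date"))
        if expires is None:
            return (True, 0, "invalid Expires: already expired")
        if date is None:
            return (True, None, "Expires without a usable Date")
        return (True, max(int((expires - date).total_seconds()), 0), "Expires - Date")
    return (True, None, "no explicit lifetime: cache may apply a heuristic")


if __name__ == "__main__":
    samples = {"anonymous": ANON_RESPONSE, "logged in": LOGGED_IN_RESPONSE,
               "legacy": LEGACY_RESPONSE, "pragma": PRAGMA_RESPONSE}
    for label, raw in samples.items():
        for kind, is_shared in (("proxy", True), ("browser", False)):
            print(label, kind, freshness(raw, is_shared))
```

With the constructed anonymous response, the proxy may serve its stored copy for 31 days while the browser must revalidate on every use, and the logged-in response is never stored by the proxy.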
From: ian at ianweller.org (Ian Weller)
Date: Sat, 9 May 2009 09:29:34 -0500
Subject: wiki caching old content
In-Reply-To: <1241875040.11020.87.camel@can11.canstudiosltd.thecan>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan> <53a863600905080832s2d73d355if4bb6ca57f8ed4b@mail.gmail.com> <1241875040.11020.87.camel@can11.canstudiosltd.thecan>
Message-ID: <20090509142934.GA14354@kupenblagster.ianweller.org>

On Sat, May 09, 2009 at 02:17:20PM +0100, David JM Emmett wrote:
> With mediawiki, you can purge the server cache by setting the GET var
> "action=purge".
>

You can also add a purge button to your buttons at the top. Steal this
code: https://fedoraproject.org/wiki/User:Ianweller/fedora.js

--
Ian Weller
GnuPG fingerprint: E51E 0517 7A92 70A2 4226 B050 87ED 7C97 EFA8 4A36

From mmcgrath at redhat.com Sat May 9 23:21:47 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Sat, 9 May 2009 18:21:47 -0500 (CDT)
Subject: Outage Notification - 2009-05-10 20:00 UTC
Message-ID:

There will be an outage starting at 2009-05-10 20:00 UTC, which will last
approximately 2 hours.

To convert UTC to your local time, take a look at
http://fedoraproject.org/wiki/Infrastructure/UTCHowto
or run:

date -d '2009-05-10 20:00 UTC'

Affected Services:

Buildsystem
Database
Mirror System
Translation Services
Websites

Unaffected Services:

CVS / Source Control
DNS
Fedora Hosted
Fedora People
Fedora Talk
Mail
Torrent

Ticket Link:

https://fedorahosted.org/fedora-infrastructure/ticket/1376

Reason for Outage:

Moving the db2 databases back to db2 now that its hardware has been fixed.
We'll also be rebooting nfs1 during this time.

Contact Information:

Please join #fedora-admin in irc.freenode.net or respond to this email to
track the status of this outage.

From kanarip at kanarip.com Sun May 10 13:22:27 2009
From: kanarip at kanarip.com (Jeroen van Meeuwen)
Date: Sun, 10 May 2009 15:22:27 +0200
Subject: How to generate a .template and .jigdo from an iso image?
In-Reply-To: <4A03D29D.7060408@googlemail.com>
References: <4A034BEA.4000906@googlemail.com> <1241740929.12122.349.camel@ignacio.lan> <4A03D29D.7060408@googlemail.com>
Message-ID: <4A06D513.3080109@kanarip.com>

On 05/08/2009 08:35 AM, Marcelo M. Garcia wrote:
> Hi
>
> I read the man page. It says that I have to specify only one of the
> options "-i", "-j" or "-t". OK. If I use only -i, my template has the
> same size of image, then there is no point in using jigdo. There must be
> something more.
>
> My question is how Fedora generates the .template with only 11.1M? The
> command "jigdo-file -i CentOS-5.3-i386-bin-DVD.iso" it's not enough.
>

Attached is the script Fedora Unity uses to jigdofy its Re-Spins. Note
the "function jigdofy()" in the top that may just help you get the
syntax right.

Note the double slash in the two directories passed to the "jigdo-file
make-template" command, which functions as a delimiter for jigdo-file,
so that in the --label parameter, we can 'label' the path and then
attach a URI (--uri) to be used in the resulting .jigdo file instead.

$1 is the (fully qualified) path to the .iso image,
$2 is the base architecture for the .iso image (i386, x86_64 or ppc in
our case), and
${version} is the Fedora $releasever (9 or 10 right now).

Also note that /data/os/distr/fedora is a local, full mirror and that
/data/os/archive/fedora is a local, full archive (with package files
that have been removed from the mirror because for example they've
expired and have been superseded by another update to said package).

Kind regards,

Jeroen van Meeuwen
-kanarip

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jigdofy_everything.sh
Type: application/x-sh
Size: 3792 bytes
Desc: not available
URL:

From marcelo.maia.garcia at googlemail.com Mon May 11 11:15:48 2009
From: marcelo.maia.garcia at googlemail.com (Marcelo M. Garcia)
Date: Mon, 11 May 2009 12:15:48 +0100
Subject: How to generate a .template and .jigdo from an iso image?
In-Reply-To: <4A06D513.3080109@kanarip.com>
References: <4A034BEA.4000906@googlemail.com> <1241740929.12122.349.camel@ignacio.lan> <4A03D29D.7060408@googlemail.com> <4A06D513.3080109@kanarip.com>
Message-ID: <4A0808E4.3010103@googlemail.com>

Jeroen van Meeuwen wrote:
> On 05/08/2009 08:35 AM, Marcelo M. Garcia wrote:
>> Hi
>>
>> I read the man page. It says that I have to specify only one of the
>> options "-i", "-j" or "-t". OK. If I use only -i, my template has the
>> same size of image, then there is no point in using jigdo. There must be
>> something more.
>>
>> My question is how Fedora generates the .template with only 11.1M? The
>> command "jigdo-file -i CentOS-5.3-i386-bin-DVD.iso" it's not enough.
>>
>
> Attached is the script Fedora Unity uses to jigdofy it's Re-Spins. Note
> the "function jigdofy()" in the top that may just help you get the
> syntax right.
>
> Note the double slash in the two directories passed to the "jigdo-file
> make-template" command, which functions as a delimiter for jigdo-file,
> so that in the --label parameter, we can 'label' the path and then
> attach a URI (--uri) to be used in the resulting .jigdo file instead.
>
> $1 is the (fully qualified) path to the .iso image,
> $2 is the base architecture for the .iso image (i386, x86_64 or ppc in
> our case), and
> ${version} is the Fedora $releasever (9 or 10 right now).
>
> Also note that /data/os/distr/fedora is a local, full mirror and that
> /data/os/archive/fedora is a local, full archive (with package files
> that have been removed from the mirror because for example they've
> expired and have been superseeded by another update to said package).
>
> Kind regards,
>
> Jeroen van Meeuwen
> -kanarip
>

Hi Jeroen

Many thanks for that.

Regards

mg.

From mmcgrath at redhat.com Mon May 11 16:58:05 2009
From: mmcgrath at redhat.com (Mike McGrath) Date: Mon, 11 May 2009 11:58:05 -0500 (CDT) Subject: change freeze tomorrow Message-ID: Just a reminder, the change freeze starts tomorrow. This is the hard change freeze and you will be talked to for making changes without getting approval first. -Mike From mmcgrath at redhat.com Wed May 13 15:56:47 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 13 May 2009 10:56:47 -0500 (CDT) Subject: Fedora Community Pre-Beta Testing (fwd) Message-ID: FYI -Mike ---------- Forwarded message ---------- Date: Wed, 13 May 2009 10:43:12 
From: Tom "spot" Callaway Reply-To: Development discussions related to Fedora To: "fedora-devel-list at redhat.com >> Development discussions related to^M^J Fedor a" Subject: Fedora Community Pre-Beta Testing Since the previous post was buried in a thread about sound issues (are all emails on fedora-devel-list about sound issues), and I suspect that many of you have tuned out on a lot of those awful threads, I wanted to repost it where it might get seen. Fedora Community is a project with grand visions, tempered with mostly sane milestones. Our first milestone is focused on Fedora packagers, providing them with the information to help them be productive and minimize the need to jump between the various Fedora web tools (koji, bodhi, FAS, PKGDB, bugzilla). We've built it on top of Moksha, which you can read all about here: https://fedorahosted.org/moksha/ The Fedora Community demo instance is running and visible to others. We have not been aggressively advertising it up to this point because: A) It is a test instance, and the performance is non on-par with what it will be when we go live. We didn't want to spend time wading through the "OMG THIS IS SLOWER THAN BUGZLILLA!!!1!" B) We have been constantly cycling it as we've been fixing blocker bugs. The last thing we wanted was for anyone to think they could depend on it. C) Anyone who asked to see it has been pointed to it (several folks have asked). So, without further ado and the above caveats, look at our pre-beta test instance: https://publictest16.fedoraproject.org/community/ We know lots of stuff is broken, we have a pile of blocker bugs open in our trac instance. Please don't rely on this test instance for anything. For more information about Fedora Community, please look at: http://fedoraproject.org/wiki/FedoraCommunity Thanks, ~spot P.S. Our second milestone will be codename "Workflows". Got a workflow that you'd like to see the Fedora Community application handle? 
Either email it to me or join the moksha mailing list and suggest it there. From mmcgrath at redhat.com Wed May 13 16:29:50 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 13 May 2009 11:29:50 -0500 (CDT) Subject: Change Freeze (telia1 reboot) Message-ID: This is a multi-part change request. I'd like to reboot telia1 which would take app6 noc2 pb14 pt16 smtp-mm1 proxy5 pt15 offline. To do this I'll mark it dead in the dns servers for the reboot. The cause is this box didn't get rebooted during a recent update so the running xen and xen kernels aren't compatible. We have other servers in this situation too (that one's on me) but as long as we don't have problems I don't see any need to reboot them yet. We can wait till after the freeze to avoid downtime. The impact of this freeze will only impact our test servers and noc2. 2+1's? -Mike From a.badger at gmail.com Wed May 13 16:50:19 2009 
From: a.badger at gmail.com (Toshio Kuratomi) Date: Wed, 13 May 2009 09:50:19 -0700 Subject: Change Freeze (telia1 reboot) In-Reply-To: References: Message-ID: <4A0AFA4B.7020809@gmail.com> Mike McGrath wrote: > This is a multi-part change request. I'd like to reboot telia1 which > would take app6 noc2 pb14 pt16 smtp-mm1 proxy5 pt15 offline. To do this > I'll mark it dead in the dns servers for the reboot. > > The cause is this box didn't get rebooted during a recent update so the > running xen and xen kernels aren't compatible. We have other servers in > this situation too (that one's on me) but as long as we don't have > problems I don't see any need to reboot them yet. We can wait till after > the freeze to avoid downtime. > > > The impact of this freeze will only impact our test servers and noc2. > > 2+1's? > Looks like lmacken is on board with this (f-community test is on pt16) so +1. -Toshio From jkeating at redhat.com Wed May 13 17:10:32 2009 
From: jkeating at redhat.com (Jesse Keating) Date: Wed, 13 May 2009 10:10:32 -0700 Subject: Change Freeze (telia1 reboot) In-Reply-To: References: Message-ID: <1242234632.6282.15.camel@localhost.localdomain> On Wed, 2009-05-13 at 11:29 -0500, Mike McGrath wrote: > This is a multi-part change request. I'd like to reboot telia1 which > would take app6 noc2 pb14 pt16 smtp-mm1 proxy5 pt15 offline. To do this > I'll mark it dead in the dns servers for the reboot. > > The cause is this box didn't get rebooted during a recent update so the > running xen and xen kernels aren't compatible. We have other servers in > this situation too (that one's on me) but as long as we don't have > problems I don't see any need to reboot them yet. We can wait till after > the freeze to avoid downtime. > > > The impact of this freeze will only impact our test servers and noc2. > > 2+1's? > +1 from me, this shouldn't impact the F11 process. -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating From jkeating at redhat.com Thu May 14 01:30:55 2009 
From: jkeating at redhat.com (Jesse Keating) Date: Wed, 13 May 2009 18:30:55 -0700 Subject: Change Request - Stop puppet on releng2 for the night. Message-ID: <1242264655.6282.50.camel@localhost.localdomain> I want to start the rawhide compose early, since I'm done tagging/signing things for today, so that it will finish maybe in time for me to compose out pre-RCs from it for more intensive testing tomorrow. To do this, I need to modify the cron job that kicks off rawhide on releng2, and stop the puppet service from updating that cron job for the evening. I'll turn on puppet again in my morning. -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating From nigjones at redhat.com Thu May 14 01:32:50 2009 
From: nigjones at redhat.com (Nigel Jones) Date: Wed, 13 May 2009 21:32:50 -0400 (EDT) Subject: Change Request - Stop puppet on releng2 for the night. In-Reply-To: <1242264655.6282.50.camel@localhost.localdomain> Message-ID: <31154824.721242264754547.JavaMail.nigjones@njones.bne.redhat.com> +1 for the papertrail ----- "Jesse Keating" wrote: > I want to start the rawhide compose early, since I'm done > tagging/signing things for today, so that it will finish maybe in > time > for me to compose out pre-RCs from it for more intensive testing > tomorrow. To do this, I need to modify the cron job that kicks off > rawhide on releng2, and stop the puppet service from updating that > cron > job for the evening. I'll turn on puppet again in my morning. > > -- > Jesse Keating > Fedora -- Freedom² is a feature! > identi.ca: http://identi.ca/jkeating From jkeating at redhat.com Thu May 14 01:42:36 2009 
From: jkeating at redhat.com (Jesse Keating) Date: Wed, 13 May 2009 18:42:36 -0700 Subject: Change Request - Stop puppet on releng2 for the night. In-Reply-To: <1242264655.6282.50.camel@localhost.localdomain> References: <1242264655.6282.50.camel@localhost.localdomain> Message-ID: <1242265356.6282.51.camel@localhost.localdomain> On Wed, 2009-05-13 at 18:30 -0700, Jesse Keating wrote: > I want to start the rawhide compose early, since I'm done > tagging/signing things for today, so that it will finish maybe in time > for me to compose out pre-RCs from it for more intensive testing > tomorrow. To do this, I need to modify the cron job that kicks off > rawhide on releng2, and stop the puppet service from updating that cron > job for the evening. I'll turn on puppet again in my morning. Strike this. Josh has already scheduled another updates push tonight for some Mozilla upstream testing, so I'm going to let rawhide go as normal. -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating From dennis at ausil.us Thu May 14 01:43:33 2009 
From: dennis at ausil.us (Dennis Gilmore) Date: Wed, 13 May 2009 20:43:33 -0500 Subject: Change Request - Stop puppet on releng2 for the night. In-Reply-To: <1242264655.6282.50.camel@localhost.localdomain> References: <1242264655.6282.50.camel@localhost.localdomain> Message-ID: <200905132043.39853.dennis@ausil.us> On Wednesday 13 May 2009 20:30:55 Jesse Keating wrote: > I want to start the rawhide compose early, since I'm done > tagging/signing things for today, so that it will finish maybe in time > for me to compose out pre-RCs from it for more intensive testing > tomorrow. To do this, I need to modify the cron job that kicks off > rawhide on releng2, and stop the puppet service from updating that cron > job for the evening. I'll turn on puppet again in my morning. +1 from me From mmcgrath at redhat.com Fri May 15 15:09:31 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Fri, 15 May 2009 10:09:31 -0500 (CDT) Subject: Change Request (bring ibiblio and telia back online) Message-ID: Proxy3 saw a spike in traffic today, I'd like to bring ibiblio and telia back online. 2+1's? -Mike From ricky at fedoraproject.org Fri May 15 15:11:27 2009 From: ricky at fedoraproject.org (Ricky Zhou) Date: Fri, 15 May 2009 11:11:27 -0400 Subject: Change Request (bring ibiblio and telia back online) In-Reply-To: References: Message-ID: <20090515151127.GC23904@alpha.rzhou.org> On 2009-05-15 10:09:31 AM, Mike McGrath wrote: > Proxy3 saw a spike in traffic today, I'd like to bring ibiblio and telia > back online. > > 2+1's? +1 Thanks, Ricky From skvidal at fedoraproject.org Fri May 15 15:09:17 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Fri, 15 May 2009 11:09:17 -0400 (EDT) Subject: Change Request (bring ibiblio and telia back online) In-Reply-To: References: Message-ID: On Fri, 15 May 2009, Mike McGrath wrote: > Proxy3 saw a spike in traffic today, I'd like to bring ibiblio and telia > back online. > > 2+1's? > +1 -sv From mmcgrath at redhat.com Fri May 15 16:07:12 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Fri, 15 May 2009 16:07:12 +0000 Subject: [PATCH] Creating sftp disable mechanism Message-ID: <1242403632-27401-1-git-send-email-mmcgrath@redhat.com> Also disabling sftp on fedorahosted boxes --- manifests/servergroups/hosted.pp | 1 + modules/ssh/manifests/init.pp | 6 ++++++ modules/ssh/templates/sshd_config.erb | 2 +- 3 files changed, 8 insertions(+), 1 deletions(-) diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp index 30142e2..24d3720 100644 --- a/manifests/servergroups/hosted.pp +++ b/manifests/servergroups/hosted.pp @@ -4,6 +4,7 @@ class hosted { $restrictedApp = '/usr/bin/run-git' $sshd_config_PasswordAuthentication = 'no' $sshd_config_AllowTcpForwarding = 'no' + $sshd_config_sftp = '/bin/false' include global include hosted-server include fas::fas diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp index 9c8b62d..4972851 100644 --- a/modules/ssh/manifests/init.pp +++ b/modules/ssh/manifests/init.pp @@ -17,6 +17,12 @@ class ssh::sshd { default => $sshd_config_StrictModes } + $sshd_config_sftp = $sshd_config_sftp ? { + '' => "/usr/libexec/openssh/sftp-server", + default => $sshd_config_sftp + } + + file { "/etc/ssh/sshd_config": content => template("ssh/sshd_config.erb"), mode => 0600, diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb index ea656ec..2e90a99 100644 --- a/modules/ssh/templates/sshd_config.erb +++ b/modules/ssh/templates/sshd_config.erb 
@@ -116,4 +116,4 @@ X11Forwarding yes #Banner /some/path # override default of no subsystems -Subsystem sftp /usr/libexec/openssh/sftp-server +Subsystem sftp <%= sshd_config_sftp %> -- 1.5.5.6 From ricky at fedoraproject.org Fri May 15 16:11:27 2009 From: ricky at fedoraproject.org (Ricky Zhou) Date: Fri, 15 May 2009 12:11:27 -0400 Subject: [PATCH] Creating sftp disable mechanism In-Reply-To: <1242403632-27401-1-git-send-email-mmcgrath@redhat.com> References: <1242403632-27401-1-git-send-email-mmcgrath@redhat.com> Message-ID: <20090515161127.GA3713@alpha.rzhou.org> On 2009-05-15 04:07:12 PM, Mike McGrath wrote: > Also disabling sftp on fedorahosted boxes > --- > manifests/servergroups/hosted.pp | 1 + > modules/ssh/manifests/init.pp | 6 ++++++ > modules/ssh/templates/sshd_config.erb | 2 +- > 3 files changed, 8 insertions(+), 1 deletions(-) > > diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp > index 30142e2..24d3720 100644 > --- a/manifests/servergroups/hosted.pp > +++ b/manifests/servergroups/hosted.pp > @@ -4,6 +4,7 @@ class hosted { > $restrictedApp = '/usr/bin/run-git' > $sshd_config_PasswordAuthentication = 'no' > $sshd_config_AllowTcpForwarding = 'no' > + $sshd_config_sftp = '/bin/false' > include global > include hosted-server > include fas::fas > diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp > index 9c8b62d..4972851 100644 > --- a/modules/ssh/manifests/init.pp > +++ b/modules/ssh/manifests/init.pp > @@ -17,6 +17,12 @@ class ssh::sshd { > default => $sshd_config_StrictModes > } > > + $sshd_config_sftp = $sshd_config_sftp ? { > + '' => "/usr/libexec/openssh/sftp-server", > + default => $sshd_config_sftp > + } > + > + > file { "/etc/ssh/sshd_config": > content => template("ssh/sshd_config.erb"), > mode => 0600, > diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb > index ea656ec..2e90a99 100644 > --- a/modules/ssh/templates/sshd_config.erb 
> +++ b/modules/ssh/templates/sshd_config.erb > @@ -116,4 +116,4 @@ X11Forwarding yes > #Banner /some/path > > # override default of no subsystems > -Subsystem sftp /usr/libexec/openssh/sftp-server > +Subsystem sftp <%= sshd_config_sftp %> > -- > 1.5.5.6 +1 Thanks, Ricky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From a.badger at gmail.com Fri May 15 16:13:45 2009 From: a.badger at gmail.com (Toshio Kuratomi) Date: Fri, 15 May 2009 09:13:45 -0700 Subject: [PATCH] Creating sftp disable mechanism In-Reply-To: <1242403632-27401-1-git-send-email-mmcgrath@redhat.com> References: <1242403632-27401-1-git-send-email-mmcgrath@redhat.com> Message-ID: <4A0D94B9.3040307@gmail.com> Mike McGrath wrote: > Also disabling sftp on fedorahosted boxes > --- > manifests/servergroups/hosted.pp | 1 + > modules/ssh/manifests/init.pp | 6 ++++++ > modules/ssh/templates/sshd_config.erb | 2 +- > 3 files changed, 8 insertions(+), 1 deletions(-) > > diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp > index 30142e2..24d3720 100644 > --- a/manifests/servergroups/hosted.pp > +++ b/manifests/servergroups/hosted.pp > @@ -4,6 +4,7 @@ class hosted { > $restrictedApp = '/usr/bin/run-git' > $sshd_config_PasswordAuthentication = 'no' > $sshd_config_AllowTcpForwarding = 'no' > + $sshd_config_sftp = '/bin/false' > include global > include hosted-server > include fas::fas > diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp > index 9c8b62d..4972851 100644 > --- a/modules/ssh/manifests/init.pp > +++ b/modules/ssh/manifests/init.pp 
> @@ -17,6 +17,12 @@ class ssh::sshd { > default => $sshd_config_StrictModes > } > > + $sshd_config_sftp = $sshd_config_sftp ? { > + '' => "/usr/libexec/openssh/sftp-server", > + default => $sshd_config_sftp > + } > + > + > file { "/etc/ssh/sshd_config": > content => template("ssh/sshd_config.erb"), > mode => 0600, > diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb > index ea656ec..2e90a99 100644 > --- a/modules/ssh/templates/sshd_config.erb > +++ b/modules/ssh/templates/sshd_config.erb > @@ -116,4 +116,4 @@ X11Forwarding yes > #Banner /some/path > > # override default of no subsystems > -Subsystem sftp /usr/libexec/openssh/sftp-server > +Subsystem sftp <%= sshd_config_sftp %> +1 -Toshio -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: OpenPGP digital signature URL: From miguel at oalojasites.com Sun May 17 18:34:40 2009 From: miguel at oalojasites.com (Miguel Lopes) Date: Sun, 17 May 2009 19:34:40 +0100 Subject: introduction Message-ID: <4A1058C0.70000@oalojasites.com> Hi My name is Miguel, now i'm working on projects that require php mysql and javascript, i'm building backoffices that manage reports and give information to the client of a database in a different network, this network has another webserver with php that decrypts and handle the querys and return the results.I also know python and the basic on C. On python i modified a msn messenger client for a newer protocol, made a key generator for a application that my company is working on and a small program that downloads and updatloads a file to an FTP server. From mmcgrath at redhat.com Mon May 18 17:40:08 2009 
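Review bot: `$sshd_config_sftp = '/bin/false'` in the manifests/servergroups/hosted.pp hunk of the sftp patch gives no hint that the value is a subsystem command path being used as an off switch, and the variable name breaks the pattern of its neighbours, which carry the sshd_config directive name (`$sshd_config_PasswordAuthentication`, `$sshd_config_AllowTcpForwarding`). A one-line comment above the assignment saying that /bin/false is there to disable sftp, plus a name that includes the directive (for example `$sshd_config_Subsystem_sftp`, a suggested name), would make the intent clear to whoever adds the next server group.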
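Review bot: the `Subsystem sftp <%= sshd_config_sftp %>` line in the modules/ssh/templates/sshd_config.erb hunk of the sftp patch is still emitted on hosts that set `/bin/false`, so those hosts keep an sftp subsystem configured and sshd runs a command for each request rather than refusing the request, and the comment above the line (`# override default of no subsystems`) no longer describes them. Consider wrapping the line in a template conditional so that a host with sftp disabled gets no Subsystem line at all and falls back to the no-subsystem default the comment mentions, or state in the commit message that running /bin/false is the intended behaviour.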
From: mmcgrath at redhat.com (Mike McGrath) Date: Mon, 18 May 2009 12:40:08 -0500 (CDT) Subject: Cattle call for reviews Message-ID: Those of you who can review, please help us with: https://fedoraproject.org/wiki/TurboGears2 Even if you can't/don't want to, testing would be greatly appreciated! -Mike From mmcgrath at redhat.com Mon May 18 19:39:40 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Mon, 18 May 2009 14:39:40 -0500 (CDT) Subject: introduction In-Reply-To: <4A1058C0.70000@oalojasites.com> References: <4A1058C0.70000@oalojasites.com> Message-ID: On Sun, 17 May 2009, Miguel Lopes wrote: > Hi > > My name is Miguel, now i'm working on projects that require php mysql and > javascript, i'm building backoffices that manage reports and give information > to the client of a database in a different network, this network has another > webserver with php that decrypts and handle the querys and return the > results.I also know python and the basic on C. On python i modified a msn > messenger client for a newer protocol, made a key generator for a application > that my company is working on and a small program that downloads and > updatloads a file to an FTP server. > Welcome Miguel, was there something specific you were interested in working on from the list: http://join.fedoraproject.org/ -Mike From mmcgrath at redhat.com Tue May 19 14:37:00 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Tue, 19 May 2009 09:37:00 -0500 (CDT) Subject: Change Freeze Breakage Message-ID: Unfortunately I'm not totally in control of these things sometime. Someone will be on site today to replace the tapes in our backup server and give it a new drive. backup1 is in the change freeze though, can I get 2+1's to have this work done? -Mike From skvidal at fedoraproject.org Tue May 19 14:37:48 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 19 May 2009 10:37:48 -0400 (EDT) Subject: Change Freeze Breakage In-Reply-To: References: Message-ID: On Tue, 19 May 2009, Mike McGrath wrote: > Unfortunately I'm not totally in control of these things sometime. > Someone will be on site today to replace the tapes in our backup server > and give it a new drive. backup1 is in the change freeze though, can I > get 2+1's to have this work done? > +1 more backup space is good. -sv From ricky at fedoraproject.org Tue May 19 14:39:44 2009 From: ricky at fedoraproject.org (Ricky Zhou) Date: Tue, 19 May 2009 10:39:44 -0400 Subject: Change Freeze Breakage In-Reply-To: References: Message-ID: <20090519143944.GD20408@alpha.rzhou.org> On 2009-05-19 09:37:00 AM, Mike McGrath wrote: > Unfortunately I'm not totally in control of these things sometime. > Someone will be on site today to replace the tapes in our backup server > and give it a new drive. backup1 is in the change freeze though, can I > get 2+1's to have this work done? +1 Thanks, Ricky From mmcgrath at redhat.com Tue May 19 16:49:47 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Tue, 19 May 2009 11:49:47 -0500 (CDT) Subject: SSH vulnerability Message-ID: If y'all see an ssh session dropping constantly (like, 11356 times :) let me know. http://www.openssh.com/txt/cbc.adv -Mike From affix at FedoraProject.org Tue May 19 16:59:47 2009 
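One way to watch sshd logs for the pattern the "SSH vulnerability" message above asks about, a single source whose sessions keep being dropped, as an added example that is not part of the original thread or of Fedora's tooling. The log layout, host name, addresses, threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: classic syslog lines from sshd running with
# LogLevel VERBOSE, so every connection logs its source address.
CONNECT_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: Connection from (\S+) port \d+")
# Disconnect reasons sshd reports when the encrypted stream arrives damaged.
# The exact wording differs between OpenSSH versions; adjust to your logs.
DROP_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: Disconnecting: "
    r"(Bad packet length|Corrupted MAC on input)")


def parse_time(stamp, year):
    """Syslog stamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def corrupted_drops(lines, year=2009):
    """Map source address -> times of sessions killed by a damaged stream."""
    pid_to_ip = {}               # sshd child PID -> address that connected
    drops = defaultdict(list)
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            pid_to_ip[m.group(2)] = m.group(3)
            continue
        m = DROP_RE.match(line)
        if m:
            # pop() so a recycled PID is never blamed on an old address
            ip = pid_to_ip.pop(m.group(2), "unknown")
            drops[ip].append(parse_time(m.group(1), year))
    return drops


def peak_rate(times, window):
    """Largest number of events that fall inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_sources(lines, threshold=20, window=timedelta(minutes=10), year=2009):
    """Return {address: peak drops per window} for addresses at or over threshold."""
    flagged = {}
    for ip, times in corrupted_drops(lines, year).items():
        peak = peak_rate(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def constructed_sample():
    """Constructed log lines (documentation addresses, made-up host and PIDs)."""
    base = datetime(2009, 5, 19, 16, 50, 0)
    lines = []
    for i in range(40):          # one source, a dropped session every 5 seconds
        ts = (base + timedelta(seconds=5 * i)).strftime("%b %d %H:%M:%S")
        pid = 2000 + i
        lines.append(f"{ts} host1 sshd[{pid}]: Connection from 192.0.2.10 port {40000 + i}")
        lines.append(f"{ts} host1 sshd[{pid}]: Disconnecting: Bad packet length 1349676916.")
    lines += [
        # a single damaged session, e.g. a flaky link: stays under the threshold
        "May 19 17:05:00 host1 sshd[3000]: Connection from 198.51.100.7 port 51515",
        "May 19 17:05:09 host1 sshd[3000]: Disconnecting: Corrupted MAC on input.",
        # an ordinary login: never counted
        "May 19 17:06:00 host1 sshd[3001]: Connection from 203.0.113.5 port 42424",
        "May 19 17:06:02 host1 sshd[3001]: Accepted publickey for alice from 203.0.113.5 port 42424 ssh2",
    ]
    return lines


if __name__ == "__main__":
    for ip, peak in flag_sources(constructed_sample()).items():
        print(f"{ip}: {peak} damaged-stream disconnects within 10 minutes")
```

An isolated disconnect of this kind also happens on a bad network path, which is why the check counts per source inside a time window rather than alerting on every line.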
From: affix at FedoraProject.org (Keiran Smith) Date: Tue, 19 May 2009 17:59:47 +0100 Subject: SSH vulnerability In-Reply-To: References: Message-ID: Hey Mike, That is a very interesting find to me personally. System and Software Security is something I have great interest in. I am a security advisor in a datacenter in the UK. However the article http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt says this is a very severe attack although the possibility of a successful attack is Very low. But you can never be too careful about these things. Software vendors may be getting more technologically advanced but so are exploit coders. For example PHP addslashes() was added to stop SQL Injection exploits by adding a slash to every quotation. Attackers realised PHP didn't parse HEX code but mySQL Server did. This makes me wonder if The possibility of an attack using this vulnerability is fairly high rather than low. On Tue, May 19, 2009 at 5:49 PM, Mike McGrath wrote: > If y'all see an ssh session dropping constantly (like, 11356 times :) let > me know. > > http://www.openssh.com/txt/cbc.adv > > -Mike -- Keiran Smith - Fedora Ambassador / BugZapper - - Free Software Foundation Associate - - http://keiran-smith.net - Call me on +44 (0) 131 208 4347 From miguel at oalojasites.com Tue May 19 17:56:22 2009 From: miguel at oalojasites.com (Miguel Lopes) Date: Tue, 19 May 2009 18:56:22 +0100 Subject: introdution In-Reply-To: <20090519160003.74417619ACA@hormel.redhat.com> References: <20090519160003.74417619ACA@hormel.redhat.com> Message-ID: <4A12F2C6.1010101@oalojasites.com> I was thinking on web developer or administrator. From bugs.michael at gmx.net Wed May 20 07:31:55 2009 
From: bugs.michael at gmx.net (Michael Schwendt) Date: Wed, 20 May 2009 09:31:55 +0200 Subject: Problems with bugzilla and FAS account Message-ID: <20090520093155.7f81fb3f@faldor.intranet> As the fedoraproject aliases have trouble forwarding mail to GMX, I've changed my FAS account to use my Google Mail address. I've confirmed the change meanwhile. In bugzilla, however, my account still uses my GMX address. And I cannot change that. When I try to change it, I get: There is already an account with the login name mschwendt AT gmail.com. That looks as if the FAS sync script created a separate account for me. Right? Are there special requirements for FAS users? Do I need to change email addr in bugzilla _before_ changing it in FAS? Or what is necessary to get this right? From didar.hossain at gmail.com Wed May 20 08:59:56 2009 
From: didar.hossain at gmail.com (Didar Hossain) Date: Wed, 20 May 2009 14:29:56 +0530 Subject: SSH vulnerability In-Reply-To: References: Message-ID: <62d32bf20905200159k2ef731d6m1537b650296a471a@mail.gmail.com> On Tue, May 19, 2009 at 10:29 PM, Keiran Smith wrote: > Hey Mike, > > That is a very interesting find to me personally. System and Software > Security is something I have great interest in. I am a security advisor in a > datacenter in the UK. However the article > http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt says this is a > very severe attack although the possibility of a successful attack is Very > low. But you can never be too careful about these things. > Software vendors may be getting more technologically advanced but so are > exploit coders. For example PHP addslashes() was added to stop SQL Injection > exploits by adding a slash to every quotation. Attackers realised PHP didn't > parse HEX code but mySQL Server did. This makes me wonder if The possibility > of an attack using this vulnerability is fairly high rather than low. > > On Tue, May 19, 2009 at 5:49 PM, Mike McGrath wrote: >> >> If y'all see an ssh session dropping constantly (like, 11356 times :) let >> me know. >> >> http://www.openssh.com/txt/cbc.adv >> >> -Mike > > -- > Keiran Smith > - Fedora Ambassador / BugZapper - > - Free Software Foundation Associate - > - http://keiran-smith.net > - Call me on +44 (0) 131 208 4347 > I use iptables "recent" module as well as the "limit" modules to handle the sustained brute-force attempts on a box that I manage. 
Maybe, it could help in delaying this attack - although, I don't understand the technical details of the exploit other than the "an attacker would expect around 11356 connection-killing attempts before they are likely to succeed" part. Didar From mmcgrath at redhat.com Wed May 20 13:13:40 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 20 May 2009 08:13:40 -0500 (CDT) Subject: Problems with bugzilla and FAS account In-Reply-To: <20090520093155.7f81fb3f@faldor.intranet> References: <20090520093155.7f81fb3f@faldor.intranet> Message-ID: On Wed, 20 May 2009, Michael Schwendt wrote: > As the fedoraproject aliases have trouble forwarding mail to GMX, I've > changed my FAS account to use my Google Mail address. I've confirmed > the change meanwhile. > > In bugzilla, however, my account still uses my GMX address. And I cannot > change that. When I try to change it, I get: > > There is already an account with the login name mschwendt AT gmail.com. > > That looks as if the FAS sync script created a separate account for me. > Right? > > Are there special requirements for FAS users? Do I need to change email > addr in bugzilla _before_ changing it in FAS? Or what is necessary to > get this right? > I'd guess that you need to change it in bugzilla first, and I'd bet you'll have to contact the bugzilla owner to get it changed in its current state. Let me talk to Toshio first though to confirm that. We might be able to fix it on our end, not sure. -Mike From mmcgrath at redhat.com Wed May 20 16:13:57 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Wed, 20 May 2009 11:13:57 -0500 (CDT) Subject: Gone on Friday Message-ID: Hey all, just a heads up I won't be around on Friday. Helping my father in law move. -Mike From a.badger at gmail.com Thu May 21 17:01:21 2009 
From: a.badger at gmail.com (Toshio Kuratomi) Date: Thu, 21 May 2009 10:01:21 -0700 Subject: Change Request - email alias handling Message-ID: <4A1588E1.6090002@gmail.com> Right now FAS constructs email aliases only for accounts that are active. This is causing us two problems. 1) We have recently implemented a "bot" status for accounts that makes it so the account can't be logged into and don't go inactive. This status needs to be allowed to get email as well. 2) inactive accounts are bouncing mail, not just from the pkgdb which I've been handling and have a mid-term and long-term plan for fixing but also for the wiki watch-page function which we currently don't have a good mid-term plan for. Restoring aliases for inactive accounts seems like the best short-term solution for this. Fixing these requires updating the fas server code. Attaching a patch to hotfix our servers with to do this. The patch has been tested on fas1.stg successfully. -Toshio -------------- next part -------------- A non-text attachment was scrubbed... Name: fas-email.patch Type: text/x-patch Size: 728 bytes Desc: not available URL: From mmcgrath at redhat.com Thu May 21 17:27:19 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Thu, 21 May 2009 12:27:19 -0500 (CDT) Subject: Change Request - email alias handling In-Reply-To: <4A1588E1.6090002@gmail.com> References: <4A1588E1.6090002@gmail.com> Message-ID: On Thu, 21 May 2009, Toshio Kuratomi wrote: > Right now FAS constructs email aliases only for accounts that are active. > This is causing us two problems. > > 1) We have recently implemented a "bot" status for accounts that makes it so > the account can't be logged into and don't go inactive. This status needs to > be allowed to get email as well. > > 2) inactive accounts are bouncing mail, not just from the pkgdb which I've > been handling and have a mid-term and long-term plan for fixing but also for > the wiki watch-page function which we currently don't have a good mid-term > plan for. Restoring aliases for inactive accounts seems like the best > short-term solution for this. > > Fixing these requires updating the fas server code. Attaching a patch to > hotfix our servers with to do this. The patch has been tested on fas1.stg > successfully. > +1 -Mike From katzj at redhat.com Thu May 21 17:31:53 2009 From: katzj at redhat.com (Jeremy Katz) Date: Thu, 21 May 2009 13:31:53 -0400 Subject: Change Request - email alias handling In-Reply-To: <4A1588E1.6090002@gmail.com> References: <4A1588E1.6090002@gmail.com> Message-ID: <20090521173152.GA29264@redhat.com> On Thursday, May 21 2009, Toshio Kuratomi said: > Fixing these requires updating the fas server code. Attaching a patch > to hotfix our servers with to do this. The patch has been tested on > fas1.stg successfully. Looks good, +1 Jeremy From jorn at wcborstel.com Fri May 22 19:31:34 2009 
From: jorn at wcborstel.com (Jorn Argelo) Date: Fri, 22 May 2009 21:31:34 +0200 Subject: Greetings from a potential new contributor Message-ID: <4A16FD96.5040004@wcborstel.com> Hi guys and girls, Following the getting started page on the wiki I saw an introduction e-mail to the list was recommended. So here is mine. Allow me to introduce myself. My name is Jorn Argelo, 23 years old coming from the Netherlands. I was born and raised in Amsterdam, and always had a keen interest for computers when I was a kid. IT was something I knew was going to be my job when I was young. After high school I studied for basic system administration and after that I studied some basic application development. Then I ended up at my current employer. Last month I passed my RHCE exam, with #805009993038409 for those interested. I also followed the Cluster and Storage training course. I am employed by a large printer and imaging company, and work in their European datacenter where I do all the internet infrastructure for the EMEAR region. I started working there fulltime when I was 19, and I have been in internship there twice for 6 months, starting when I was 17. Before that I played around with Red Hat 8, so that is how Linux all started for me. When I was hired I was a junior, and now I'm a medior. (or internally we call it an engineer and a specialist, so I'm the latter now.) With that said, I hope my age does not put anyone off. As I sort of already mentioned, I do everything with internet infrastructure on a daily basis. I administrate webservers, proxies, e-mail servers, DNS, their operating systems and everything else regarding internet. With two people we built the infrastructure for the new web environment, based on 60 RHEL4 & 5 boxes and Jboss. This also includes two RHEL5 clusters, webservers running mod_jk, squid and Apache and so on. Next to that also all of the infrastructure supporting this is administrated by us, and we also have a Satellite server running there. 
Other than that I have experience with various other Linux distributions, BSD and Solaris. When it comes to scripting, I can do bash scripting and Perl scripting primarily. I know Red Hat / Fedora uses Python extensively but so far I did not see a need for me to learn this, as I can do everything I want with Perl. So why am I applying here? Because I think Red Hat as a company shares similar goals as I do, and of course being able to help out the Fedora project is a great opportunity to contribute to that. I believe my knowledge can be put to use in the infrastructure team, seeing as that is my job as well. (I hope that doesn't sound arrogant as that is certainly not the intent) Next to that I am also willing to learn new things should that be required. Maybe I get a reason to learn Python. Well, I suppose that's about it. I hope I didn't make this too long, and I'm looking forward to hear from you guys. Thanks, Jorn From bugs.michael at gmx.net Sat May 23 10:08:30 2009 
From: bugs.michael at gmx.net (Michael Schwendt) Date: Sat, 23 May 2009 12:08:30 +0200 Subject: Problems with bugzilla and FAS account In-Reply-To: References: <20090520093155.7f81fb3f@faldor.intranet> Message-ID: <20090523120830.150f5502@faldor.intranet> On Wed, 20 May 2009 08:13:40 -0500 (CDT), Mike wrote: > On Wed, 20 May 2009, Michael Schwendt wrote: > > > As the fedoraproject aliases have trouble forwarding mail to GMX, I've > > changed my FAS account to use my Google Mail address. I've confirmed > > the change meanwhile. > > > > In bugzilla, however, my account still uses my GMX address. And I cannot > > change that. When I try to change it, I get: > > > > There is already an account with the login name mschwendt AT gmail.com. > > > > That looks as if the FAS sync script created a separate account for me. > > Right? > > > > Are there special requirements for FAS users? Do I need to change email > > addr in bugzilla _before_ changing it in FAS? Or what is necessary to > > get this right? > > > > I'd guess that you need to change it in bugzilla first, If the FAS backend managed to create a new account in bugzilla, why would I need to _change_ an existing one myself? Can't it sync bugzilla with my email change in FAS? (which is what I expected it to do) Anyone who changes email in FAS gets a new bugzilla account for the changed email address? Is that how it's implemented currently? > and I'd bet you'll > have to contact the bugzilla owner to get it changed in its current state. Well, I could ask bugzilla to send me a password, then reassign the superfluous account to a throw-away address. > Let me talk to Toshio first though to confirm that. We might be able to > fix it on our end, not sure. From ricky at fedoraproject.org Sat May 23 15:32:03 2009 
From: ricky at fedoraproject.org (Ricky Zhou) Date: Sat, 23 May 2009 11:32:03 -0400 Subject: Problems with bugzilla and FAS account In-Reply-To: <20090523120830.150f5502@faldor.intranet> References: <20090520093155.7f81fb3f@faldor.intranet> <20090523120830.150f5502@faldor.intranet> Message-ID: <20090523153203.GE30454@alpha.rzhou.org> On 2009-05-23 12:08:30 PM, Michael Schwendt wrote: > If the FAS backend managed to create a new account in bugzilla, why would > I need to _change_ an existing one myself? Can't it sync bugzilla with my > email change in FAS? (which is what I expected it to do) This is because at the time of writing, there was no XMLRPC method exposed for changing a user's email. I just checked now, and there might be a new method available that we can use. I'll look at adding this to our scripts soon. > Anyone who changes email in FAS gets a new bugzilla account for the changed > email address? Is that how it's implemented currently? This is currently implemented as follows: When a user changes their email in FAS, or changes their membership in the fedorabugs group, a trigger runs which adds the user to a special queue table. We then run a script periodically that empties out the queue and creates a BZ account if one doesn't already exist, and grants privileges to the accounts. The relevant code for this is in the FAS repo: git://git.fedorahosted.org/git/fas.git in scripts/export-bugzilla.* and fas2.sql. Thanks, Ricky From a.badger at gmail.com Sat May 23 16:37:00 2009
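A minimal model of the sync described above, added here as an illustration and not taken from the FAS repository: a trigger queues the user on an email change and a periodic script creates a tracker account when none matches the current address. The table names, `FakeBugzilla` and the `create_missing` switch are hypothetical, and only the email-change trigger is modelled.

```python
import sqlite3

# Hypothetical schema: the real one lives in fas2.sql and is not reproduced here.
SCHEMA = """
CREATE TABLE people (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
CREATE TABLE bugzilla_queue (person_id INTEGER PRIMARY KEY);
-- Fires on every email change; it records who changed, not the old address.
CREATE TRIGGER queue_email_change AFTER UPDATE OF email ON people
BEGIN
    INSERT OR IGNORE INTO bugzilla_queue (person_id) VALUES (NEW.id);
END;
"""


class FakeBugzilla:
    """Stand-in for the remote tracker: accounts are keyed by login email."""

    def __init__(self):
        self.accounts = {}  # email -> set of granted groups

    def ensure_account(self, email):
        return self.accounts.setdefault(email, set())


def drain_queue(db, bz, create_missing=True):
    """Empty the queue; return the emails that had no matching tracker account."""
    unmatched = []
    rows = db.execute(
        "SELECT p.id, p.email FROM bugzilla_queue q "
        "JOIN people p ON p.id = q.person_id"
    ).fetchall()
    for person_id, email in rows:
        if email in bz.accounts or create_missing:
            # Matching is by email only, so a changed address looks like a new user.
            bz.ensure_account(email).add("fedorabugs")
        else:
            unmatched.append(email)  # left for the user to reconcile by hand
        db.execute("DELETE FROM bugzilla_queue WHERE person_id = ?", (person_id,))
    db.commit()
    return unmatched


def demo(create_missing):
    """Constructed scenario: one user with a tracker account changes email."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO people VALUES (1, 'user1', 'old@example.org')")
    bz = FakeBugzilla()
    bz.ensure_account("old@example.org").add("fedorabugs")
    db.execute("UPDATE people SET email = 'new@example.org' WHERE id = 1")
    unmatched = drain_queue(db, bz, create_missing)
    return sorted(bz.accounts), unmatched


if __name__ == "__main__":
    print(demo(True))   # two tracker accounts for one person
    print(demo(False))  # one account, new address reported as unmatched
```

In this model the account under the old address keeps its group after the change, which is the part worth checking when identities are matched by email alone.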
From: a.badger at gmail.com (Toshio Kuratomi) Date: Sat, 23 May 2009 09:37:00 -0700 Subject: Problems with bugzilla and FAS account In-Reply-To: <20090523153203.GE30454@alpha.rzhou.org> References: <20090520093155.7f81fb3f@faldor.intranet> <20090523120830.150f5502@faldor.intranet> <20090523153203.GE30454@alpha.rzhou.org> Message-ID: <4A18262C.6010502@gmail.com> On 05/23/2009 08:32 AM, Ricky Zhou wrote: > On 2009-05-23 12:08:30 PM, Michael Schwendt wrote: >> If the FAS backend managed to create a new account in bugzilla, why would >> I need to _change_ an existing one myself? Can't it sync bugzilla with my >> email change in FAS? (which is what I expected it to do) > This is because at the time of writing, there was no XMLRPC method > exposed for changing a user's email. I just checked now, and there > might be a new method available that we can use. I'll look at > adding this to our scripts soon. > >> Anyone who changes email in FAS gets a new bugzilla account for the changed >> email address? Is that how it's implemented currently? > This is currently implemented as follows: When a user changes their > email in FAS, or changes their membership in the fedorabugs group, a > trigger runs which adds the user to a special queue table. We then run > a script periodically that empties out the queue and creates a BZ > account if one doesn't already exist, and grants privileges to the > accounts. The relevant code for this is in the FAS repo: > git://git.fedorahosted.org/git/fas.git > in scripts/export-bugzilla.* and fas2.sql. > Apologies for not joining in sooner. What ricky's outlined as the current situation is correct. Michael, what you outlined as a way to keep the accounts straight would work. I think making the script not create new accounts (forcing the user to reconcile the fas email and lack of bugzilla account manually) is the way to go. Here's an untested, updated export-bugzilla.py script. 
It emails the users when an account mismatch occurs (I believe this runs in cron hourly, so this would send an email once an hour). Does this look good to you guys? I'm going to a family reunion this weekend. If someone wants to update the script sooner, they can (It will need an infrastructure change request if we put this in place before the release but should be fairly low risk/easy to revert.) -Toshio -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: export-bugzilla.py URL: From skvidal at fedoraproject.org Tue May 26 13:50:49 2009 From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 09:50:49 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? Message-ID: I was changing some settings with my mobile phone company and in order to change my password they made me use what looks a lot like 2 factor auth: something I know: my current password something I have: my phone I logged in with my current password - then they txt'd me a temporary password which I had to type in to verify I was me. Which got me to wondering - if most people have a mobile phone and/or have access to one - why couldn't we use that as the second factor for our auth? I can think of multiple ways to do it: 1. login to a web page 2. click on 'auth me' button 3. it sends you a txt msg 4. you input the password it sent you 5. you get a cert back that you use for auths for a set period of time (24 hours?) or 1. login to a webpage 2. download a key 3. it sends you a txt msg which contains a password for that key 4. the key + txt'd password allows you to login for a set period of time (24 hours?) Now, my question is - what is dangerous/silly about this? -sv From bkearney at redhat.com Tue May 26 14:25:47 2009 
From: bkearney at redhat.com (Bryan Kearney) Date: Tue, 26 May 2009 10:25:47 -0400 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: Message-ID: <4A1BFBEB.5030801@redhat.com> Seth Vidal wrote: > Now, my question is - what is dangerous/silly about this? Luddites like me who have disabled text messages on their phones. -- bk From skvidal at fedoraproject.org Tue May 26 14:46:54 2009 From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 10:46:54 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <4A1BFBEB.5030801@redhat.com> References: <4A1BFBEB.5030801@redhat.com> Message-ID: On Tue, 26 May 2009, Bryan Kearney wrote: > Seth Vidal wrote: >> Now, my question is - what is dangerous/silly about this? > > > Luddites like me who have disabled text messages on their phones. > Well your options would eventually be: - enable txt msgs - carry a yubikey with you everywhere so... -sv From bkearney at redhat.com Tue May 26 15:01:13 2009 From: bkearney at redhat.com (Bryan Kearney) Date: Tue, 26 May 2009 11:01:13 -0400 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: <4A1BFBEB.5030801@redhat.com> Message-ID: <4A1C0439.5070700@redhat.com> Seth Vidal wrote: > > > On Tue, 26 May 2009, Bryan Kearney wrote: > >> Seth Vidal wrote: >>> Now, my question is - what is dangerous/silly about this? >> >> >> Luddites like me who have disabled text messages on their phones. >> > > Well your options would eventually be: > - enable txt msgs > - carry a yubikey with you everywhere As long as I get a non-text msg version I am fine. To your original question... things to consider: 1) Cost of sending SMS. 2) How to prove that bkearney at foo.com == 555-1212 -- bk From skvidal at fedoraproject.org Tue May 26 15:11:20 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 11:11:20 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <4A1C0439.5070700@redhat.com> References: <4A1BFBEB.5030801@redhat.com> <4A1C0439.5070700@redhat.com> Message-ID: On Tue, 26 May 2009, Bryan Kearney wrote: > Seth Vidal wrote: >> >> >> On Tue, 26 May 2009, Bryan Kearney wrote: >> >>> Seth Vidal wrote: >>>> Now, my question is - what is dangerous/silly about this? >>> >>> >>> Luddites like me who have disabled text messages on their phones. >>> >> >> Well your options would eventually be: >> - enable txt msgs >> - carry a yubikey with you everywhere > > As long as I get a non-text msg version I am fine. To your original > question... things to consider: > > 1) Cost of sending SMS. > 2) How to prove that bkearney at foo.com == 555-1212 > 1. acknowledged - but we know there is a cost to the hardware keys, too. 2. you prove that they are related the same way that I prove that when we issue a hw key to skvidal at fedoraproject.org that it goes to ME. -sv From skvidal at fedoraproject.org Tue May 26 15:01:49 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 11:01:49 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: Message-ID: On Tue, 26 May 2009, Seth Vidal wrote: > I was changing some settings with my mobile phone company and in order to > change my password they made me use what looks a lot like 2 factor auth: > > something I know: my current password > something I have: my phone > > I logged in with my current password - then they txt'd me a temporary > password which I had to type in to verify I was me. > > Which got me to wondering - if most people have a mobile phone and/or have > access to one - why couldn't we use that as the second factor for our auth? > > Now, my question is - what is dangerous/silly about this? Jeremy mentioned some potential problems on jabber: 1. no guaranteed message delivery time 2. cost structure of sending/receiving a lot of txt msgs. In both cases I'd be curious how that ends up in practice. -sv From ricky at fedoraproject.org Tue May 26 15:22:55 2009 From: ricky at fedoraproject.org (Ricky Zhou) Date: Tue, 26 May 2009 11:22:55 -0400 Subject: [PATCH] Make bacula backup to /bacula/, include db1's db3 dumps. Message-ID: <20090526152255.GA13013@alpha.rzhou.org> --- modules/bacula/files/fedora_delete_catalog_backup | 5 +++++ modules/bacula/files/fedora_make_catalog_backup | 3 +++ modules/bacula/manifests/init.pp | 15 +++++++++++++++ modules/bacula/templates/bacula-dir.conf.erb | 7 ++++--- 4 files changed, 27 insertions(+), 3 deletions(-) create mode 100755 modules/bacula/files/fedora_delete_catalog_backup create mode 100755 modules/bacula/files/fedora_make_catalog_backup diff --git a/modules/bacula/files/fedora_delete_catalog_backup b/modules/bacula/files/fedora_delete_catalog_backup new file mode 100755 index 0000000..7f7a760 --- /dev/null +++ b/modules/bacula/files/fedora_delete_catalog_backup 
@@ -0,0 +1,5 @@ +#!/bin/sh +# +# This script deletes a catalog dump +# +rm -f /bacula/bacula.sql diff --git a/modules/bacula/files/fedora_make_catalog_backup b/modules/bacula/files/fedora_make_catalog_backup new file mode 100755 index 0000000..5a6d383 --- /dev/null +++ b/modules/bacula/files/fedora_make_catalog_backup @@ -0,0 +1,3 @@ +#!/bin/sh +rm -f /bacula/bacula.sql +/usr/bin/mysqldump -u bacula -f bacula > /bacula/bacula.sql diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp index 526aba7..2729613 100644 --- a/modules/bacula/manifests/init.pp +++ b/modules/bacula/manifests/init.pp @@ -40,6 +40,21 @@ class bacula::director { notify => Service['bacula-dir'], require => Package['bacula-director-mysql'] } + + file { '/usr/local/bin/fedora_make_catalog_backup': + owner => "root", + group => "root", + mode => 0755, + source => "puppet:///bacula/fedora_make_catalog_backup", + } + + file { '/usr/local/bin/fedora_delete_catalog_backup': + owner => "root", + group => "root", + mode => 0755, + source => "puppet:///bacula/fedora_delete_catalog_backup", + } + } class bacula::bconsole { diff --git a/modules/bacula/templates/bacula-dir.conf.erb b/modules/bacula/templates/bacula-dir.conf.erb index 310a4ee..22a6ed3 100644 --- a/modules/bacula/templates/bacula-dir.conf.erb +++ b/modules/bacula/templates/bacula-dir.conf.erb @@ -316,9 +316,9 @@ Job { FileSet="Catalog" Schedule = "WeeklyCycleAfterBackup" # This creates an ASCII copy of the catalog - RunBeforeJob = "/usr/libexec/bacula/make_catalog_backup bacula bacula" + RunBeforeJob = "/usr/local/bin/fedora_make_catalog_backup" # This deletes the copy of the catalog - RunAfterJob = "/usr/libexec/bacula/delete_catalog_backup" + RunAfterJob = "/usr/local/bin/fedora_delete_catalog_backup" Write Bootstrap = "/var/spool/bacula/BackupCatalog.bsr" Priority = 11 # run after main backup } @@ -506,6 +506,7 @@ FileSet { File = /netapp/app File = /srv File = /backups + File = /var/lib/mysql/backups } # 
@@ -565,7 +566,7 @@ FileSet { Options { signature = MD5 } - File = /var/spool/bacula/bacula.sql + File = /bacula/bacula.sql } } -- 1.5.5.6 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From jonstanley at gmail.com Tue May 26 15:23:32 2009 From: jonstanley at gmail.com (Jon Stanley) Date: Tue, 26 May 2009 11:23:32 -0400 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: Message-ID: On Tue, May 26, 2009 at 9:50 AM, Seth Vidal wrote: > Now, my question is - what is dangerous/silly about this? Interestingly, for something I'm working on at $DAYJOB we're proposing pretty much exactly this for a customer. However, instead of a text message, the authentication mechanism is a phone call, thus minimizing the effect of luddites like Bryan :). http://www.phonefactor.com/ From ricky at fedoraproject.org Tue May 26 15:45:09 2009 
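Review bot: in the new fedora_make_catalog_backup, the `-f` on the mysqldump line keeps the dump going past SQL errors and nothing checks the exit status, so a partial /bacula/bacula.sql would be backed up as if it were complete. Suggest dropping `-f` so a failed dump returns non-zero from the RunBeforeJob script, and setting `umask 077` before the redirect, since the file is otherwise created with whatever umask the director runs under. The replaced call passed `bacula bacula` as arguments while the new line passes only `-u bacula`, so it is worth stating in the script header where the credentials come from.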
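Review bot: the two file resources added to bacula::director in init.pp have no ordering against the director service, although bacula-dir.conf.erb now names /usr/local/bin/fedora_make_catalog_backup in RunBeforeJob; adding `before => Service['bacula-dir']` would keep the config from going live before the scripts exist. Nothing in this hunk manages /bacula itself, so the directory that now holds the catalog dump should get its own file resource with an explicit owner and a restrictive mode.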
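Review bot: in the last bacula-dir.conf.erb hunk, `File = /bacula/bacula.sql` is the third hard-coded copy of the dump path, alongside the two new scripts. If one of them is changed later, the catalog FileSet will silently back up nothing or a stale file; consider a single variable passed to the template and the scripts, or at least a comment in each place pointing at the other two.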
From: ricky at fedoraproject.org (Ricky Zhou) Date: Tue, 26 May 2009 11:45:09 -0400 Subject: [PATCH] Make bacula backup to /bacula/, include db1's db3 dumps. In-Reply-To: <20090526152255.GA13013@alpha.rzhou.org> References: <20090526152255.GA13013@alpha.rzhou.org> Message-ID: <20090526154509.GA13963@alpha.rzhou.org> Sorry, the commit message wasn't as clear as it could have been. backup1 has been running out of space on catalog backup jobs, as it makes a temporary dump of the bacula database in /var/spool/bacula/bacula.sql. This commit moves this temporary dump to /bacula, which has more space. The other thing in this commit is that it adds /var/lib/mysql/backups into the include list, which makes bacula backup db1's backup of db3. Currently, we're excluding these files, but we're still backing up dumps of db3 in several other places. I'd like to commit these to puppet and run puppet on backup1. Can I get two +1s? Thanks, Ricky From opensource at till.name Tue May 26 15:44:33 2009
From: opensource at till.name (Till Maas) Date: Tue, 26 May 2009 17:44:33 +0200 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: Message-ID: <200905261744.43362.opensource@till.name> On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote: > I was changing some settings with my mobile phone company and in order to > change my password they made me use what looks a lot like 2 factor auth: > > something I know: my current password > something I have: my phone > > I logged in with my current password - then they txt'd me a temporary > password which I had to type in to verify I was me. > > Which got me to wondering - if most people have a mobile phone and/or have > access to one - why couldn't we use that as the second factor for our > auth? A problem with phones is, that they are typically not as secure as hardware tokens. Users can install custom software on them. Also the phone may be compromised via bluetooth. It might be even possible to directly access text messages via bluetooth or maybe also wifi nowadays. Regards Till From mmcgrath at redhat.com Tue May 26 15:47:00 2009
From: mmcgrath at redhat.com (Mike McGrath) Date: Tue, 26 May 2009 10:47:00 -0500 (CDT) Subject: [PATCH] Make bacula backup to /bacula/, include db1's db3 dumps. In-Reply-To: <20090526154509.GA13963@alpha.rzhou.org> References: <20090526152255.GA13013@alpha.rzhou.org> <20090526154509.GA13963@alpha.rzhou.org> Message-ID: On Tue, 26 May 2009, Ricky Zhou wrote: > Sorry, the commit message wasn't as clear as it could have been. > > backup1 has been running out of space on catalog backup jobs, as it > makes a temporary dump of the bacula database in > /var/spool/bacula/bacula.sql. This commit moves this temporary dump to > /bacula, which has more space. > > The other thing in this commit is that it adds /var/lib/mysql/backups > into the include list, which makes bacula backup db1's backup of db3. > Currently, we're excluding these files, but we're still backing up dumps > of db3 in several other places. > > I'd like to commit these to puppet and run puppet on backup1. Can I get > two +1s? > +1 -Mike From jkeating at redhat.com Tue May 26 15:47:48 2009 From: jkeating at redhat.com (Jesse Keating) Date: Tue, 26 May 2009 08:47:48 -0700 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: Message-ID: <1243352868.3144.20.camel@localhost.localdomain> On Tue, 2009-05-26 at 11:01 -0400, Seth Vidal wrote: > 2. cost structure of sending/receiving a lot of txt msgs. Don't most carriers offer an email gateway to sms? -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating From jkeating at redhat.com Tue May 26 15:48:50 2009
From: jkeating at redhat.com (Jesse Keating) Date: Tue, 26 May 2009 08:48:50 -0700 Subject: mobile phone + password = 2 factor auth? In-Reply-To: <200905261744.43362.opensource@till.name> References: <200905261744.43362.opensource@till.name> Message-ID: <1243352930.3144.21.camel@localhost.localdomain> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote: > A problem with phones is, that they are typically not as secure as hardware > tokens. Users can install custom software on them. Also the phone may be > compromised via bluetooth. It might be even possible to directly access text > messages via bluetooth or maybe also wifi nowadays. > Wouldn't that be why you have to combine what comes up on your phone with the password you know, so that just the phone alone can't get you in? -- Jesse Keating Fedora -- Freedom² is a feature! identi.ca: http://identi.ca/jkeating From a.badger at gmail.com Tue May 26 15:49:56 2009
From: a.badger at gmail.com (Toshio Kuratomi) Date: Tue, 26 May 2009 08:49:56 -0700 Subject: [PATCH] Make bacula backup to /bacula/, include db1's db3 dumps. In-Reply-To: References: <20090526152255.GA13013@alpha.rzhou.org> <20090526154509.GA13963@alpha.rzhou.org> Message-ID: <4A1C0FA4.1020004@gmail.com> On 05/26/2009 08:47 AM, Mike McGrath wrote: > On Tue, 26 May 2009, Ricky Zhou wrote: > >> Sorry, the commit message wasn't as clear as it could have been. >> >> backup1 has been running out of space on catalog backup jobs, as it >> makes a temporary dump of the bacula database in >> /var/spool/bacula/bacula.sql. This commit moves this temporary dump to >> /bacula, which has more space. >> >> The other thing in this commit is that it adds /var/lib/mysql/backups >> into the include list, which makes bacula backup db1's backup of db3. >> Currently, we're excluding these files, but we're still backing up dumps >> of db3 in several other places. >> >> I'd like to commit these to puppet and run puppet on backup1. Can I get >> two +1s? >> > > +1 > +1 -Toshio From skvidal at fedoraproject.org Tue May 26 15:49:13 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 11:49:13 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <200905261744.43362.opensource@till.name> References: <200905261744.43362.opensource@till.name> Message-ID: On Tue, 26 May 2009, Till Maas wrote: > On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote: >> I was changing some settings with my mobile phone company and in order to >> change my password they made me use what looks a lot like 2 factor auth: >> >> something I know: my current password >> something I have: my phone >> >> I logged in with my current password - then they txt'd me a temporary >> password which I had to type in to verify I was me. >> >> Which got me to wondering - if most people have a mobile phone and/or have >> access to one - why couldn't we use that as the second factor for our >> auth? > > A problem with phones is, that they are typically not as secure as hardware > tokens. Users can install custom software on them. Also the phone may be > compromised via bluetooth. It might be even possible to directly access text > messages via bluetooth or maybe also wifi nowadays. > But that's the point of it being one factor of two factor auth... Even if you compromise the txt msg you still don't have the component that the user knows. You only have the component that the user HAS. -sv From skvidal at fedoraproject.org Tue May 26 15:49:36 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 11:49:36 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <1243352868.3144.20.camel@localhost.localdomain> References: <1243352868.3144.20.camel@localhost.localdomain> Message-ID: On Tue, 26 May 2009, Jesse Keating wrote: > On Tue, 2009-05-26 at 11:01 -0400, Seth Vidal wrote: >> 2. cost structure of sending/receiving a lot of txt msgs. > > Don't most carriers offer an email gateway to sms? yes - but it still costs the receiver something. -sv From bkearney at redhat.com Tue May 26 16:12:54 2009 
From: bkearney at redhat.com (Bryan Kearney) Date: Tue, 26 May 2009 12:12:54 -0400 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: <200905261744.43362.opensource@till.name> Message-ID: <4A1C1506.4040009@redhat.com> Seth Vidal wrote: > > > On Tue, 26 May 2009, Till Maas wrote: > >> On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote: >>> I was changing some settings with my mobile phone company and in >>> order to >>> change my password they made me use what looks a lot like 2 factor auth: >>> >>> something I know: my current password >>> something I have: my phone >>> >>> I logged in with my current password - then they txt'd me a temporary >>> password which I had to type in to verify I was me. >>> >>> Which got me to wondering - if most people have a mobile phone and/or >>> have >>> access to one - why couldn't we use that as the second factor for our >>> auth? >> >> A problem with phones is, that they are typically not as secure as >> hardware >> tokens. Users can install custom software on them. Also the phone may be >> compromised via bluetooth. It might be even possible to directly >> access text >> messages via bluetooth or maybe also wifi nowadays. >> > > But that's the point of it being one factor of two factor auth... > > Even if you compromise the txt msg you still don't have the component > that the user knows. You only have the component that the user HAS. > > -sv How about a token App for the iPhone? Download a certificate with seed data for the algorithm.. and bobs your uncle. -- bk From skvidal at fedoraproject.org Tue May 26 16:16:48 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 12:16:48 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <4A1C1506.4040009@redhat.com> References: <200905261744.43362.opensource@till.name> <4A1C1506.4040009@redhat.com> Message-ID: On Tue, 26 May 2009, Bryan Kearney wrote: >> >> But that's the point of it being one factor of two factor auth... >> >> Even if you compromise the txt msg you still don't have the component that >> the user knows. You only have the component that the user HAS. >> >> -sv > > How about a token App for the iPhone? Download a certificate with seed data > for the algorithm.. and bobs your uncle. > Requires closed-source software. - No go. -sv From opensource at till.name Tue May 26 16:43:50 2009 
From: opensource at till.name (Till Maas) Date: Tue, 26 May 2009 18:43:50 +0200 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: <200905261744.43362.opensource@till.name> Message-ID: <200905261844.03679.opensource@till.name> On Tue May 26 2009, Seth Vidal wrote: > On Tue, 26 May 2009, Till Maas wrote: > > A problem with phones is, that they are typically not as secure as > > hardware tokens. Users can install custom software on them. Also the > > phone may be compromised via bluetooth. It might be even possible to > > directly access text messages via bluetooth or maybe also wifi nowadays. > > But that's the point of it being one factor of two factor auth... > > Even if you compromise the txt msg you still don't have the component > that the user knows. You only have the component that the user HAS. But one of the two factors in this case should be to own the phone or the SIM card to be able to login successfully. Which imho should mean that if someone is in possession of the phone, he can be sure that nobody else can access the two factor protected website. But in this case, you can still own the compromised phone, but someone else might access it and use it. Regards Till From skvidal at fedoraproject.org Tue May 26 16:45:16 2009
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 12:45:16 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <200905261844.03679.opensource@till.name> References: <200905261744.43362.opensource@till.name> <200905261844.03679.opensource@till.name> Message-ID: On Tue, 26 May 2009, Till Maas wrote: > On Tue May 26 2009, Seth Vidal wrote: >> On Tue, 26 May 2009, Till Maas wrote: > >>> A problem with phones is, that they are typically not as secure as >>> hardware tokens. Users can install custom software on them. Also the >>> phone may be compromised via bluetooth. It might be even possible to >>> directly access text messages via bluetooth or maybe also wifi nowadays. >> >> But that's the point of it being one factor of two factor auth... >> >> Even if you compromise the txt msg you still don't have the component >> that the user knows. You only have the component that the user HAS. > > But one of the two factors in this case should be to own the phone or the SIM > card to be able to login successfully. Which imho should mean that if someone > is in possession of the phone, he can be sure that nobody else can access the > two factor protected website. But in this case, you can still own the > compromised phone, but someone else might access it and use it. If someone steals my phone - then they can get the txt msg but they can't get my password that only I know. If someone gets my password they have to steal my phone or hijack my txt msgs to get the other bit. So, how is this better/worse than any other 2factor auth? -sv From opensource at till.name Tue May 26 16:48:43 2009
From: opensource at till.name (Till Maas) Date: Tue, 26 May 2009 18:48:43 +0200 Subject: mobile phone + password = 2 factor auth? In-Reply-To: <1243352930.3144.21.camel@localhost.localdomain> References: <200905261744.43362.opensource@till.name> <1243352930.3144.21.camel@localhost.localdomain> Message-ID: <200905261848.53968.opensource@till.name> On Tue May 26 2009, Jesse Keating wrote: > On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote: > > A problem with phones is, that they are typically not as secure as > > hardware tokens. Users can install custom software on them. Also the > > phone may be compromised via bluetooth. It might be even possible to > > directly access text messages via bluetooth or maybe also wifi nowadays. > > Wouldn't that be why you have to combine what comes up on your phone > with the password you know, so that just the phone alone can't get you > in? Here is another attack scenario: The attacker first attacks the desktop to obtain the password. But then he also compromises the phone once it is connected to the desktop to synchronize some data, e.g. contacts, music or software. Then the attacker got both factors without having physical access on the phone. Regards Till From notting at redhat.com Tue May 26 16:53:30 2009
From: notting at redhat.com (Bill Nottingham) Date: Tue, 26 May 2009 12:53:30 -0400 Subject: mobile phone + password = 2 factor auth? In-Reply-To: References: Message-ID: <20090526165330.GH9951@nostromo.devel.redhat.com> Seth Vidal (skvidal at fedoraproject.org) said: > I can think of multiple ways to do it: > > 1. login to a web page > 2. click on 'auth me' button > 3. it sends you a txt msg > 4. you input the password it sent you > 5. you get a cert back that you use for auths for a set period of time > (24 hours?) > > or > > 1. login to a webpage > 2. download a key > 3. it sends you a txt msg which contains a password for that key > 4. the key + txt'd password allows you to login for a set period of time > (24 hours?) > > > Now, my question is - what is dangerous/silly about this? Can you, with only the password, change the phone number used for the second factor? Bill From skvidal at fedoraproject.org Tue May 26 16:52:14 2009 
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 12:52:14 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <200905261848.53968.opensource@till.name> References: <200905261744.43362.opensource@till.name> <1243352930.3144.21.camel@localhost.localdomain> <200905261848.53968.opensource@till.name> Message-ID: On Tue, 26 May 2009, Till Maas wrote: > On Tue May 26 2009, Jesse Keating wrote: >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote: >>> A problem with phones is, that they are typically not as secure as >>> hardware tokens. Users can install custom software on them. Also the >>> phone may be compromised via bluetooth. It might be even possible to >>> directly access text messages via bluetooth or maybe also wifi nowadays. >> >> Wouldn't that be why you have to combine what comes up on your phone >> with the password you know, so that just the phone alone can't get you >> in? > > Here is another attack scenario: The attacker first attacks the desktop to > obtain the password. But then he also compromises the phone once it is > connected to the desktop to synchronize some data, e.g. contacts, music or > software. Then the attacker got both factors without having physical access on > the phone. Both of them assume an attacker targeting someone on our system. If we have someone gunning to break in to fedora, it would be far easier to compromise the trust between individuals by social-engineering than to cling to cracking the desktop first. -sv From skvidal at fedoraproject.org Tue May 26 16:53:29 2009
From: skvidal at fedoraproject.org (Seth Vidal) Date: Tue, 26 May 2009 12:53:29 -0400 (EDT) Subject: mobile phone + password = 2 factor auth? In-Reply-To: <20090526165330.GH9951@nostromo.devel.redhat.com> References: <20090526165330.GH9951@nostromo.devel.redhat.com> Message-ID: On Tue, 26 May 2009, Bill Nottingham wrote: > Seth Vidal (skvidal at fedoraproject.org) said: >> I can think of multiple ways to do it: >> >> 1. login to a web page >> 2. click on 'auth me' button >> 3. it sends you a txt msg >> 4. you input the password it sent you >> 5. you get a cert back that you use for auths for a set period of time >> (24 hours?) >> >> or >> >> 1. login to a webpage >> 2. download a key >> 3. it sends you a txt msg which contains a password for that key >> 4. the key + txt'd password allows you to login for a set period of time >> (24 hours?) >> >> >> Now, my question is - what is dangerous/silly about this? > > Can you, with only the password, change the phone number used for > the second factor? I'd say no. Just like if you lose your hardware key. You have to go through some convoluted authentication process to change the number. -sv From opensource at till.name Tue May 26 17:02:12 2009 
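The password-plus-texted-code flow proposed in this thread, as an added example that is not part of any message here and not Fedora code: the class name, the 10-minute code lifetime, the five-guess limit and the `send_sms` callable are assumptions. It also covers the two follow-up points raised above, that delivery time is not guaranteed and that the password alone must not be able to change the registered number.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600            # assumption: 10 minutes, because SMS delivery time is not guaranteed
SESSION_TTL = 24 * 3600   # the "24 hours?" window suggested in the thread
MAX_ATTEMPTS = 5          # assumption: guesses allowed per texted code


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SmsSecondFactor:
    """Password (something you know) plus a texted code (something you have)."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, text); the real gateway is not shown
        self.clock = clock
        self.users = {}            # name -> {"salt", "pw", "phone"}
        self.pending = {}          # name -> {"digest", "expires", "tries"}
        self.sessions = {}         # token -> (name, expires)

    def enroll(self, name, password, phone):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "pw": _pw_hash(password, salt), "phone": phone}

    def _password_ok(self, name, password):
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"]))

    def start_login(self, name, password):
        """Steps 1-3: check the password, then text a fresh one-time code."""
        if not self._password_ok(name, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[name] = {
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self.clock() + CODE_TTL,
            "tries": 0,
        }
        self.send_sms(self.users[name]["phone"], code)
        return True

    def finish_login(self, name, code):
        """Steps 4-5: verify the texted code and return a time-limited token."""
        entry = self.pending.get(name)
        if entry is None:
            return None
        if self.clock() > entry["expires"] or entry["tries"] >= MAX_ATTEMPTS:
            del self.pending[name]     # expired or guessed out: a new code is required
            return None
        entry["tries"] += 1
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(entry["digest"], supplied):
            return None
        del self.pending[name]         # single use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, self.clock() + SESSION_TTL)
        return token

    def session_user(self, token):
        name, expires = self.sessions.get(token, (None, 0))
        if name is None or self.clock() > expires:
            self.sessions.pop(token, None)
            return None
        return name

    def change_phone(self, name, password, token, new_phone):
        """Needs both factors: the password alone must not re-point the second one."""
        if self.session_user(token) != name or not self._password_ok(name, password):
            return False
        self.users[name]["phone"] = new_phone
        return True


if __name__ == "__main__":
    outbox = []                        # constructed stand-in for the SMS gateway
    svc = SmsSecondFactor(lambda phone, text: outbox.append((phone, text)))
    svc.enroll("alice", "correct horse", "+15550100")
    svc.start_login("alice", "correct horse")
    token = svc.finish_login("alice", outbox[-1][1])
    print("logged in as", svc.session_user(token))
    print("phone change with password only:",
          svc.change_phone("alice", "correct horse", None, "+15550199"))
```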
From: opensource at till.name (Till Maas)
Date: Tue, 26 May 2009 19:02:12 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261844.03679.opensource@till.name>
Message-ID: <200905261902.18917.opensource@till.name>

On Di Mai 26 2009, Seth Vidal wrote:

> If someone steals my phone - then they can get the txt msg but they can't
> get my password that only I know.
>
> If someone gets my password they have to steal my phone or hijack my txt
> msgs to get the other bit.
>
>
> So, how is this better/worse than any other 2factor auth?

If someone has only temporary access to your phone, it is a lot easier to tamper with it and give it back to you, without you noticing it. Hardware tokens are normally more tamper proof and are not easy to be cloned. Therefore the attacker has to be in possession of the token at the time of the login. Therefore you can be sure that nobody else is logging in as you as long as you have the tokens in your hand.

Regards
Till

From opensource at till.name Tue May 26 17:08:56 2009
From: opensource at till.name (Till Maas)
Date: Tue, 26 May 2009 19:08:56 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261848.53968.opensource@till.name>
Message-ID: <200905261909.03100.opensource@till.name>

On Di Mai 26 2009, Seth Vidal wrote:

> On Tue, 26 May 2009, Till Maas wrote:
> > On Di Mai 26 2009, Jesse Keating wrote:
> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
> >>> A problem with phones is, that they are typically not as secure as
> >>> hardware tokens. Users can install custom software on them. Also the
> >>> phone may be compromised via bluetooth. It might be even possible to
> >>> directly access text messages via bluetooth or maybe also wifi
> >>> nowadays.
> >>
> >> Wouldn't that be why you have to combine what comes up on your phone
> >> with the password you know, so that just the phone alone can't get you
> >> in?
> >
> > Here is another attack scenario: The attacker first attacks the desktop
> > to obtain the password. But then he also compromises the phone once it is
> > connected to the desktop to synchronize some data, e.g. contacts, music
> > or software. Then the attacker got both factors without having physical
> > access on the phone.
>
> Both of them assume an attacker targeting someone on our system.

Why is this? Even an attacker that got access to your desktop without specifically targeting a Fedora infrastructure team member can afterwards compromise your phone, once he noticed that you use it to login to Fedora. The browser cache or e-mails may indicate that you login to Fedora and some config files for phone synchronization can show the attacker, how the phone can be compromised.

Regards
Till

From skvidal at fedoraproject.org Tue May 26 17:11:10 2009
From: skvidal at fedoraproject.org (Seth Vidal)
Date: Tue, 26 May 2009 13:11:10 -0400 (EDT)
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <200905261909.03100.opensource@till.name>
References: <200905261848.53968.opensource@till.name> <200905261909.03100.opensource@till.name>
Message-ID:

On Tue, 26 May 2009, Till Maas wrote:

>
> Why is this? Even an attacker that got access to your desktop without
> specifically targeting a Fedora infrastructure team member can afterwards
> compromise your phone, once he noticed that you use it to login to Fedora. The
> browser cache or e-mails may indicate that you login to Fedora and some config
> files for phone synchronization can show the attacker, how the phone can be
> compromised.

Doesn't this same argument stand if you plug the yubikey into the machine? Ie: sniff the incoming usb traffic and grab the "password" that the yubikey has just inputted?

-sv

From wakko666 at gmail.com Tue May 26 17:20:34 2009
From: wakko666 at gmail.com (brett lentz)
Date: Tue, 26 May 2009 10:20:34 -0700
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <200905261909.03100.opensource@till.name>
References: <200905261848.53968.opensource@till.name> <200905261909.03100.opensource@till.name>
Message-ID:

On Tue, May 26, 2009 at 10:08 AM, Till Maas wrote:

> On Di Mai 26 2009, Seth Vidal wrote:
>> On Tue, 26 May 2009, Till Maas wrote:
>> > On Di Mai 26 2009, Jesse Keating wrote:
>> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
>> >>> A problem with phones is, that they are typically not as secure as
>> >>> hardware tokens. Users can install custom software on them. Also the
>> >>> phone may be compromised via bluetooth. It might be even possible to
>> >>> directly access text messages via bluetooth or maybe also wifi
>> >>> nowadays.
>> >>
>> >> Wouldn't that be why you have to combine what comes up on your phone
>> >> with the password you know, so that just the phone alone can't get you
>> >> in?
>> >
>> > Here is another attack scenario: The attacker first attacks the desktop
>> > to obtain the password. But then he also compromises the phone once it is
>> > connected to the desktop to synchronize some data, e.g. contacts, music
>> > or software. Then the attacker got both factors without having physical
>> > access on the phone.
>>
>> Both of them assume an attacker targeting someone on our system.
>
> Why is this? Even an attacker that got access to your desktop without
> specifically targeting a Fedora infrastructure team member can afterwards
> compromise your phone, once he noticed that you use it to login to Fedora. The
> browser cache or e-mails may indicate that you login to Fedora and some config
> files for phone synchronization can show the attacker, how the phone can be
> compromised.
>

Part of security work is analysis of the perceived risk and mitigation strategies or acceptance of that risk.

I think that using a mobile phone as part of a two-factor auth scheme is a good idea, despite the inherent risks of the platform. It's a relatively low cost item that nearly everyone has or can obtain. While it's not a very secure object on its own, I think that because it's only one factor in a two factor scheme, it's still useful and 'good enough' for this purpose. I would be willing to accept the risks of using this as a part of our auth scheme. My perception of those risks is that there is a sufficient level of effort required on the part of the attacker as to make an attack non-trivial and reasonably time consuming.

---Brett.

From opensource at till.name Tue May 26 17:29:49 2009
From: opensource at till.name (Till Maas)
Date: Tue, 26 May 2009 19:29:49 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261909.03100.opensource@till.name>
Message-ID: <200905261929.57449.opensource@till.name>

On Di Mai 26 2009, Seth Vidal wrote:

> On Tue, 26 May 2009, Till Maas wrote:
> > Why is this? Even an attacker that got access to your desktop without
> > specifically targeting a Fedora infrastructure team member can
> > afterwards compromise your phone, once he noticed that you use it to
> > login to Fedora. The browser cache or e-mails may indicate that you login
> > to Fedora and some config files for phone synchronization can show the
> > attacker, how the phone can be compromised.
>
> Doesn't this same argument stand if you plug the yubikey into the machine?
> Ie: sniff the incoming usb traffic and grab the "password" that the
> yubikey has just inputted?

It is similar. But the password can be afaik only used once and might be only created if the user presses a button on the yubikey (iirc there are two versions).

Regards
Till

From smooge at gmail.com Tue May 26 17:32:38 2009
From: smooge at gmail.com (Stephen John Smoogen)
Date: Tue, 26 May 2009 11:32:38 -0600
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <200905261909.03100.opensource@till.name>
References: <200905261848.53968.opensource@till.name> <200905261909.03100.opensource@till.name>
Message-ID: <80d7e4090905261032u377a0f62mfc904d735a4f8eb@mail.gmail.com>

On Tue, May 26, 2009 at 11:08 AM, Till Maas wrote:

> On Di Mai 26 2009, Seth Vidal wrote:
>> On Tue, 26 May 2009, Till Maas wrote:
>> > On Di Mai 26 2009, Jesse Keating wrote:
>> >> On Tue, 2009-05-26 at 17:44 +0200, Till Maas wrote:
>> >>> A problem with phones is, that they are typically not as secure as
>> >>> hardware tokens. Users can install custom software on them. Also the
>> >>> phone may be compromised via bluetooth. It might be even possible to
>> >>> directly access text messages via bluetooth or maybe also wifi
>> >>> nowadays.
>> >>
>> >> Wouldn't that be why you have to combine what comes up on your phone
>> >> with the password you know, so that just the phone alone can't get you
>> >> in?
>> >
>> > Here is another attack scenario: The attacker first attacks the desktop
>> > to obtain the password. But then he also compromises the phone once it is
>> > connected to the desktop to synchronize some data, e.g. contacts, music
>> > or software. Then the attacker got both factors without having physical
>> > access on the phone.
>>
>> Both of them assume an attacker targeting someone on our system.
>
> Why is this? Even an attacker that got access to your desktop without
> specifically targeting a Fedora infrastructure team member can afterwards
> compromise your phone, once he noticed that you use it to login to Fedora. The
> browser cache or e-mails may indicate that you login to Fedora and some config
> files for phone synchronization can show the attacker, how the phone can be
> compromised.
>

Ok you have an attack vector. There are attack vectors against every authentication method. The issue you need to gauge is how likely this attack is and how one recovers from the attack. If you show that one is very high, and two is very costly then the weight of this method is less than another method.

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From smooge at gmail.com Tue May 26 17:47:54 2009
From: smooge at gmail.com (Stephen John Smoogen)
Date: Tue, 26 May 2009 11:47:54 -0600
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References:
Message-ID: <80d7e4090905261047ua58bb20he81a8a8f56259d98@mail.gmail.com>

On Tue, May 26, 2009 at 9:01 AM, Seth Vidal wrote:

>
>
> On Tue, 26 May 2009, Seth Vidal wrote:
>
>> I was changing some settings with my mobile phone company and in order to
>> change my password they made me use what looks a lot like 2 factor auth:
>>
>> something I know: my current password
>> something I have: my phone
>>
>> I logged in with my current password - then they txt'd me a temporary
>> password which I had to type in to verify I was me.
>>
>> Which got me to wondering - if most people have a mobile phone and/or have
>> access to one - why couldn't we use that as the second factor for our auth?
>
>>
>> Now, my question is - what is dangerous/silly about this?
>
> Jeremy mentioned some potential problems on jabber:
>
> 1. no guaranteed message delivery time

Depends on how fast the grid is at the moment. I have had a text message go out 8 hours after it being sent on a day where lots of issues were going on (university was doing a drill of a shooter on campus and every kid texting each other swamped out the delivery of the 'please stay inside the building there is a shooter.') There is also no guarantee that you will have a correct message. While it doesn't happen as much as I remember in the 90's you still can get a3tjilke in your text.

> 2. cost structure of sending/receiving a lot of txt msgs.

As I am looking for a phone it looks like it's an extra 10-20/month for 'unlimited texting'. If you don't have that then you are paying for a lot more (others I found were 0.99/SMS+ if out of network.).

If we 2fact rarely, I think the 1st problem dominates. It means you have a window of opportunity for best brute force efforts. How long is the password good before we say it isn't. How many attempts can be made before we invalidate it (eg how long before we DOS ourselves :)?) That's more risk management mathematics than I have taken so far :(.

If we 2factor a lot then it will be how long before it's cheaper to have a yubikey? [For the phone payer 1-2 months :).. for the organization???]

And in any case (hardware or phone), there will need to be an audited protected route in case of failure (if the SMS system can't send or the yubikey server can't authenticate.. how do people do their work to fix that.)

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From eric at christensenplace.us Tue May 26 18:00:39 2009
From: eric at christensenplace.us (Eric Christensen)
Date: Tue, 26 May 2009 14:00:39 -0400
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261848.53968.opensource@till.name> <200905261909.03100.opensource@till.name>
Message-ID:

On Tue, May 26, 2009 at 13:11, Seth Vidal wrote:

> On Tue, 26 May 2009, Till Maas wrote:
>
>>
>> Why is this? Even an attacker that got access to your desktop without
>> specifically targeting a Fedora infrastructure team member can afterwards
>> compromise your phone, once he noticed that you use it to login to Fedora.
>> The
>> browser cache or e-mails may indicate that you login to Fedora and some
>> config
>> files for phone synchronization can show the attacker, how the phone can
>> be
>> compromised.
>
> Doesn't this same argument stand if you plug the yubikey into the machine?
> Ie: sniff the incoming usb traffic and grab the "password" that the yubikey
> has just inputted?
>
> -sv

Yubikey uses a one time password (OTP) so sniffing the output of the device would yield the key for that particular time and wouldn't be able to be used at a later time.

Eric "Sparks"

From kaboom at oobleck.net Tue May 26 17:47:54 2009
From: kaboom at oobleck.net (Chris Ricker)
Date: Tue, 26 May 2009 13:47:54 -0400 (EDT)
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261744.43362.opensource@till.name> <4A1C1506.4040009@redhat.com>
Message-ID:

On Tue, 26 May 2009, Seth Vidal wrote:

> On Tue, 26 May 2009, Bryan Kearney wrote:
> > How about a token App for the iPhone? Download a certificate with seed data
> > for the algorithm.. and bobs your uncle.
> >
>
> Requires closed-source software. - No go.

http://barada.sourceforge.net/

PAM module plus Android app

later,
chris

From skvidal at fedoraproject.org Tue May 26 18:24:24 2009
From: skvidal at fedoraproject.org (Seth Vidal)
Date: Tue, 26 May 2009 14:24:24 -0400 (EDT)
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261744.43362.opensource@till.name> <4A1C1506.4040009@redhat.com>
Message-ID:

On Tue, 26 May 2009, Chris Ricker wrote:

> On Tue, 26 May 2009, Seth Vidal wrote:
>> On Tue, 26 May 2009, Bryan Kearney wrote:
>>> How about a token App for the iPhone? Download a certificate with seed data
>>> for the algorithm.. and bobs your uncle.
>>>
>>
>> Requires closed-source software. - No go.
>
> http://barada.sourceforge.net/
>
> PAM module plus Android app
>

hmm- very interesting.

-sv

From skvidal at fedoraproject.org Tue May 26 18:24:54 2009
From: skvidal at fedoraproject.org (Seth Vidal)
Date: Tue, 26 May 2009 14:24:54 -0400 (EDT)
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261848.53968.opensource@till.name> <200905261909.03100.opensource@till.name>
Message-ID:

On Tue, 26 May 2009, Eric Christensen wrote:

>
> Yubikey uses a one time password (OTP) so sniffing the output of the
> device would yield the key for that particular time and wouldn't be
> able to be used at a later time.
>

True - my major objection to the yubikey is the single-vendor-ness of it.

-sv

From bkearney at redhat.com Tue May 26 18:45:52 2009
From: bkearney at redhat.com (Bryan Kearney)
Date: Tue, 26 May 2009 14:45:52 -0400
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261744.43362.opensource@till.name> <4A1C1506.4040009@redhat.com>
Message-ID: <4A1C38E0.5040704@redhat.com>

Seth Vidal wrote:

>
>
> On Tue, 26 May 2009, Chris Ricker wrote:
>
>> On Tue, 26 May 2009, Seth Vidal wrote:
>>> On Tue, 26 May 2009, Bryan Kearney wrote:
>>>> How about a token App for the iPhone? Download a certificate with
>>>> seed data
>>>> for the algorithm.. and bobs your uncle.
>>>>
>>>
>>> Requires closed-source software. - No go.
>>
>> http://barada.sourceforge.net/
>>
>> PAM module plus Android app

Actually.. I was thinking why have a keyfob if you have a smartphone. Load the pin generation code onto the smartphone. But.. this is pretty interesting.

-- bk

From kanarip at kanarip.com Tue May 26 19:10:01 2009
From: kanarip at kanarip.com (Jeroen van Meeuwen)
Date: Tue, 26 May 2009 21:10:01 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <4A1BFBEB.5030801@redhat.com>
Message-ID: <4A1C3E89.9020807@kanarip.com>

On 05/26/2009 04:46 PM, Seth Vidal wrote:

>
>
> On Tue, 26 May 2009, Bryan Kearney wrote:
>
>> Seth Vidal wrote:
>>> Now, my question is - what is dangerous/silly about this?
>>
>>
>> Luddites like me who have disabled text messages on their phones.
>>
>
> Well your options would eventually be:
> - enable txt msgs
> - carry a yubikey with you everywhere
>

yubikey ftw!

Just my $0.02

-Jeroen

From kanarip at kanarip.com Tue May 26 19:13:37 2009
From: kanarip at kanarip.com (Jeroen van Meeuwen)
Date: Tue, 26 May 2009 21:13:37 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <200905261744.43362.opensource@till.name>
References: <200905261744.43362.opensource@till.name>
Message-ID: <4A1C3F61.5000500@kanarip.com>

On 05/26/2009 05:44 PM, Till Maas wrote:

> On Tuesday 26 May 2009 15:50:49 Seth Vidal wrote:
>> I was changing some settings with my mobile phone company and in order to
>> change my password they made me use what looks a lot like 2 factor auth:
>>
>> something I know: my current password
>> something I have: my phone
>>
>> I logged in with my current password - then they txt'd me a temporary
>> password which I had to type in to verify I was me.
>>
>> Which got me to wondering - if most people have a mobile phone and/or have
>> access to one - why couldn't we use that as the second factor for our
>> auth?
>
> A problem with phones is, that they are typically not as secure as hardware
> tokens. Users can install custom software on them. Also the phone may be
> compromised via bluetooth. It might be even possible to directly access text
> messages via bluetooth or maybe also wifi nowadays.
>

Although this is entirely true, my bank sure considers my phone safe enough to send me one-time transaction confirmation codes that are only valid with the existing session.

So, to hack this, you would need access to my phone as well as my current session.

-Jeroen

From eric at christensenplace.us Tue May 26 19:23:52 2009
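The properties raised so far in this thread for a texted code (single use, valid only with the session that requested it, a limited validity window, a cap on wrong attempts) can be sketched as a server-side check. This is an added example, not code from any poster or from Fedora Infrastructure; the class name, the 6-digit length, the 300-second window and the 3-attempt cap are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    code_mac: bytes      # keyed hash of (session, code); the code itself is not stored
    expires_at: float    # end of the validity window
    attempts_left: int   # wrong guesses allowed before the code is thrown away


class SmsCodeVerifier:
    """Second-factor check for a code texted after the password step succeeded."""

    def __init__(self, digits=6, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.digits = digits
        self.ttl_seconds = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock                    # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)   # per-process MAC key
        self._pending = {}                    # user -> Challenge

    def _mac(self, session_id, code):
        msg = f"{session_id}\x00{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user, session_id):
        """Create a fresh code bound to this session; the caller texts it out."""
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[user] = Challenge(
            code_mac=self._mac(session_id, code),
            expires_at=self.clock() + self.ttl_seconds,
            attempts_left=self.max_attempts,
        )
        return code

    def verify(self, user, session_id, code):
        """Return 'ok', 'rejected', 'locked', 'expired' or 'no-challenge'."""
        challenge = self._pending.get(user)
        if challenge is None:
            return "no-challenge"
        if self.clock() >= challenge.expires_at:
            del self._pending[user]
            return "expired"
        if hmac.compare_digest(challenge.code_mac, self._mac(session_id, code)):
            del self._pending[user]           # single use: a replay finds nothing
            return "ok"
        challenge.attempts_left -= 1
        if challenge.attempts_left <= 0:
            del self._pending[user]           # force a new code and a new text
            return "locked"
        return "rejected"


def guess_success_probability(digits, max_attempts, challenges=1):
    """Chance that blind guessing hits the code at least once."""
    per_challenge = min(1.0, max_attempts / 10 ** digits)
    return 1.0 - (1.0 - per_challenge) ** challenges


if __name__ == "__main__":
    now = [0.0]                               # constructed clock for the demo
    verifier = SmsCodeVerifier(clock=lambda: now[0])
    code = verifier.issue("alice", "session-A")
    print(verifier.verify("alice", "session-B", code))  # code used from another session
    print(verifier.verify("alice", "session-A", code))  # correct session
    print(verifier.verify("alice", "session-A", code))  # replay of a used code
    print(guess_success_probability(6, 3))
    print(guess_success_probability(6, 3, challenges=1000))
```

The `challenges` parameter covers the case where a guesser keeps triggering new codes after each lockout, which is why re-issuing also needs a rate limit and why every re-issue costs one more text message.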
From: eric at christensenplace.us (Eric Christensen)
Date: Tue, 26 May 2009 15:23:52 -0400
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <4A1C3F61.5000500@kanarip.com>
References: <200905261744.43362.opensource@till.name> <4A1C3F61.5000500@kanarip.com>
Message-ID:

On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen wrote:

> Although this is entirely true, my bank sure considers my phone safe enough
> to send me one-time transaction confirmation codes that are only valid with
> the existing session.
>
> So, to hack this, you would need access to my phone as well as my current
> session.
>
> -Jeroen

I'm glad your bank considers your phone safe enough. But do you? Your bank puts the security of your money in your hands which is fine for them because it isn't their money.

Remember, messages going through the Internet to the phone company to your phone aren't encrypted or otherwise protected.

- Eric "Sparks"

From skvidal at fedoraproject.org Tue May 26 19:30:42 2009
From: skvidal at fedoraproject.org (Seth Vidal)
Date: Tue, 26 May 2009 15:30:42 -0400 (EDT)
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261744.43362.opensource@till.name> <4A1C3F61.5000500@kanarip.com>
Message-ID:

On Tue, 26 May 2009, Eric Christensen wrote:

> On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen wrote:
>> Although this is entirely true, my bank sure considers my phone safe enough
>> to send me one-time transaction confirmation codes that are only valid with
>> the existing session.
>>
>> So, to hack this, you would need access to my phone as well as my current
>> session.
>>
>> -Jeroen
>
> I'm glad your bank considers your phone safe enough. But do you?
> Your bank puts the security of your money in your hands which is fine
> for them because it isn't their money.
>
> Remember, messages going through the Internet to the phone company to
> your phone aren't encrypted or otherwise protected.

Which is why it is 2-factor auth! You have to put both the session key and the password you know together in order to auth.

The bank is implicitly saying they don't trust the phone, nor do they trust your password, but if you have both of them..... then they trust that.

-sv

From smooge at gmail.com Tue May 26 19:47:30 2009
From: smooge at gmail.com (Stephen John Smoogen)
Date: Tue, 26 May 2009 13:47:30 -0600
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261744.43362.opensource@till.name> <4A1C3F61.5000500@kanarip.com>
Message-ID: <80d7e4090905261247s43a299c1md1520621177f817f@mail.gmail.com>

On Tue, May 26, 2009 at 1:30 PM, Seth Vidal wrote:

>
>
> On Tue, 26 May 2009, Eric Christensen wrote:
>
>> On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen
>> wrote:
>>>
>>> Although this is entirely true, my bank sure considers my phone safe
>>> enough
>>> to send me one-time transaction confirmation codes that are only valid
>>> with
>>> the existing session.
>>>
>>> So, to hack this, you would need access to my phone as well as my current
>>> session.
>>>
>>> -Jeroen
>>
>> I'm glad your bank considers your phone safe enough. But do you?
>> Your bank puts the security of your money in your hands which is fine
>> for them because it isn't their money.
>>
>> Remember, messages going through the Internet to the phone company to
>> your phone aren't encrypted or otherwise protected.
>
>
> Which is why it is 2-factor auth! You have to put both the session key and
> the password you know together in order to auth.
>
> The bank is implicitly saying they don't trust the phone, nor do they trust
> your password, but if you have both of them..... then they trust that.
>

The bank has also put risk factors on how much money they can lose in the inevitable case that both are compromised. Now the issue banks don't cover usually is what they will do when the losses occur.

Those are the parts of deciding about a 2factor method.

1. how much risk are 'we' willing to take on,
2. how can we generally measure the risk a method has
3. is the estimated risk less than what we are going to take.

and finally (the one most places skip)

4. what coverage do we have in place when the method breaks down.

All methods break down at some point. The question is whether the cost of the method is more or less than what the organization wishes to pay.

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From opensource at till.name Tue May 26 21:05:40 2009
From: opensource at till.name (Till Maas)
Date: Tue, 26 May 2009 23:05:40 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <4A1C3F61.5000500@kanarip.com>
References: <200905261744.43362.opensource@till.name> <4A1C3F61.5000500@kanarip.com>
Message-ID: <200905262305.45638.opensource@till.name>

On Di Mai 26 2009, Jeroen van Meeuwen wrote:

> Although this is entirely true, my bank sure considers my phone safe
> enough to send me one-time transaction confirmation codes that are only
> valid with the existing session.

I do not know how it is in your country, but afaik in Germany banks normally do not take the risk for online banking, but the customer. So the customer has to prove that a transaction was fraud. In comparison, for offline banking, the bank has to prove that a transaction in question is valid. So for them it is enough that a judge believes that the phone is safe enough to make it hard for the customer to prove, that he was attacked. Also in Germany there was an implementation live that allowed an attacker to use normal transaction verification codes to enroll a phone that allowed to create an arbitrary amount of new verification codes.

Regards
Till

From kanarip at kanarip.com Tue May 26 21:06:12 2009
From: kanarip at kanarip.com (Jeroen van Meeuwen)
Date: Tue, 26 May 2009 23:06:12 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To:
References: <200905261744.43362.opensource@till.name> <4A1C3F61.5000500@kanarip.com>
Message-ID: <4A1C59C4.8030709@kanarip.com>

On 05/26/2009 09:23 PM, Eric Christensen wrote:

> On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen wrote:
>> Although this is entirely true, my bank sure considers my phone safe enough
>> to send me one-time transaction confirmation codes that are only valid with
>> the existing session.
>>
>> So, to hack this, you would need access to my phone as well as my current
>> session.
>>
>> -Jeroen
>
> I'm glad your bank considers your phone safe enough.

I did not say that?

-Jeroen

From opensource at till.name Tue May 26 21:15:45 2009
From: opensource at till.name (Till Maas)
Date: Tue, 26 May 2009 23:15:45 +0200
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <80d7e4090905261032u377a0f62mfc904d735a4f8eb@mail.gmail.com>
References: <200905261909.03100.opensource@till.name> <80d7e4090905261032u377a0f62mfc904d735a4f8eb@mail.gmail.com>
Message-ID: <200905262315.51292.opensource@till.name>

On Di Mai 26 2009, Stephen John Smoogen wrote:

> On Tue, May 26, 2009 at 11:08 AM, Till Maas wrote:
> > Why is this? Even an attacker that got access to your desktop without
> > specifically targeting a Fedora infrastructure team member can
> > afterwards compromise your phone, once he noticed that you use it to
> > login to Fedora. The browser cache or e-mails may indicate that you login
> > to Fedora and some config files for phone synchronization can show the
> > attacker, how the phone can be compromised.
>
> Ok you have an attack vector. There are attack vectors against every
> authentication method. The issue you need to gauge is how likely
> this attack is and how one recovers from the attack. If you show that
> one is very high, and two is very costly then the weight of this
> method is less than another method.

The history already showed that an attacker gained access to user's system account afaik. Since people involved in Fedora are more likely geeks, they will more likely not have some dumb phone, but some high tech phone that allows to install custom software. Because they are also interested in FOSS, they will more likely install software that cannot be easily verified. E.g. closed source applications for symbian are normally signed by a well known CA for the phone. But there is afaik no established way to distribute signed FOSS software for symbian like there are gpg signed packages in Fedora.

Regards
Till

From jeff at ocjtech.us Tue May 26 22:08:29 2009
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Tue, 26 May 2009 17:08:29 -0500
Subject: mobile phone + password = 2 factor auth?
In-Reply-To: <200905262315.51292.opensource@till.name>
References: <200905261909.03100.opensource@till.name> <80d7e4090905261032u377a0f62mfc904d735a4f8eb@mail.gmail.com> <200905262315.51292.opensource@till.name>
Message-ID: <935ead450905261508o24b3496ejdde1fbfa7a37de5b@mail.gmail.com>

On Tue, May 26, 2009 at 4:15 PM, Till Maas wrote:

>
> Since people involved in Fedora are more likely geeks, they
> will more likely not have some dumb phone, but some high tech phone that
> allows to install custom software.

Don't assume that... Fancy phones cost a lot of money, especially when you consider the extra cost of the data plans that you need to get. Between my wife and I we spend almost as much on our data plan as we do on the basic service plan. Up until a week ago my personal cell phone was a low end motorola flip phone. It allowed "apps" to be installed, but only ones that came from Verizon's app store - and just about every one cost $$$ so I wouldn't have installed it anyway.

Don't assume that work provides a fancy phone either, and if work does give us a fancy phone don't assume that we are allowed to install apps on them.

--
Jeff Ollie

From sijis.aviles at gmail.com Wed May 27 04:37:11 2009
From: sijis.aviles at gmail.com (Sijis Aviles)
Date: Tue, 26 May 2009 23:37:11 -0500
Subject: My Introduction
Message-ID: <747290270905262137r2ed714bcge2b3c5befb7115ff@mail.gmail.com>

Hey all. My name is Sijis Aviles and I'm a Systems Engineer living in Chicago, IL. I've been using linux for about 5 years now, and became an RHCE about a 1 1/2 years ago. I started with Debian and then moved to Fedora during the F7 release. My experiences are primarily with scripting and web technologies: PHP, Batch, VB, Bash, HTML/CSS and some Perl, C/C++. I'm currently learning Python.

I love to learn and figure out how things work. Challenges are always fun and I'm not afraid to ask questions or for help.

I think I'd like to participate with the web, noc or tools FIGs.

I hope I can be of help and continue the Fedora tradition.

Sijis

From mmcgrath at redhat.com Wed May 27 21:38:13 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Wed, 27 May 2009 16:38:13 -0500 (CDT)
Subject: Change Freeze
Message-ID:

I'd like to clean up some old plague cruft on ppc2 (which has started throwing storage warnings)

rm -rf /mnt/build/builder_work/*

+1's?

-Mike

From dennis at ausil.us Wed May 27 21:41:27 2009
From: dennis at ausil.us (Dennis Gilmore)
Date: Wed, 27 May 2009 16:41:27 -0500
Subject: Change Freeze
In-Reply-To:
References:
Message-ID: <200905271641.34751.dennis@ausil.us>

On Wednesday 27 May 2009 04:38:13 pm Mike McGrath wrote:

> I'd like to clean up some old plague cruft on ppc2 (which has started
> throwing storage warnings)
>
> rm -rf /mnt/build/builder_work/*
>
> +1's?

+1

From mmcgrath at redhat.com Wed May 27 21:42:57 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Wed, 27 May 2009 16:42:57 -0500 (CDT)
Subject: My Introduction
In-Reply-To: <747290270905262137r2ed714bcge2b3c5befb7115ff@mail.gmail.com>
References: <747290270905262137r2ed714bcge2b3c5befb7115ff@mail.gmail.com>
Message-ID:

On Tue, 26 May 2009, Sijis Aviles wrote:

> Hey all. My name is Sijis Aviles and I'm a Systems Engineer living in
> Chicago, IL. I've been using linux for about 5 years now, and became
> an RHCE about a 1 1/2 years ago. I started with Debian and then moved
> to Fedora during the F7 release. My experiences are primarily with
> scripting and web technologies: PHP, Batch, VB, Bash, HTML/CSS and
> some Perl, C/C++. I'm currently learning Python.
>
> I love to learn and figure out how things work. Challenges are always
> fun and I'm not afraid to ask questions or for help.
>
> I think I'd like to participate with the web, noc or tools FIGs.
>
> I hope I can be of help and continue the Fedora tradition.
>
> Sijis
>

Welcome Sijis! How much time / week are you interested in participating? Also have you seen - http://fedoraproject.org/wiki/Infrastructure/GettingStarted

-Mike

From ricky at fedoraproject.org Wed May 27 21:54:45 2009
From: ricky at fedoraproject.org (Ricky Zhou) Date: Wed, 27 May 2009 17:54:45 -0400 Subject: Change Freeze In-Reply-To: <200905271641.34751.dennis@ausil.us> References: <200905271641.34751.dennis@ausil.us> Message-ID: <20090527215445.GB27816@alpha.rzhou.org> On 2009-05-27 04:41:27 PM, Dennis Gilmore wrote: > On Wednesday 27 May 2009 04:38:13 pm Mike McGrath wrote: > > I'd like to clean up some old plague cruft on ppc2 (which has started > > throwing storage warnings) > > > > rm -rf /mnt/build/builder_work/* > > > > +1's? > +1 +1 (and strangely, I still haven't gotten the original email). Thanks, Ricky From stickster at gmail.com Thu May 28 01:23:17 2009
From: stickster at gmail.com (Paul W. Frields) Date: Wed, 27 May 2009 21:23:17 -0400 Subject: Redirect needed for docs.fp.o Message-ID: <20090528012317.GA3620@localhost.localdomain> Could I ask someone to set up a rewrite rule or a redirect that would send people from: http://docs.fedoraproject.org/release-notes/f11preview to: http://docs.fedoraproject.org/release-notes/f11 And from: http://docs.fedoraproject.org/release-notes/f10preview to: http://docs.fedoraproject.org/release-notes/f10 I'm not the expert but I think what we need is a rewrite, since there are a ton of subdirectories and files under there. The /f10 content is pre-existing, and essentially we're just sending people away from preview content to the final content. In the /f11 case it's the same, but I've copied the preview content and the Docs team will simply replace the preview content with the final content shortly for release day. We're doing this because QA noted, wisely, that the way things stand right now, they have to change some links in a release-day rain dance to make sure people are looking at the right content. Better that the link always point to a single location and that the content update. Our Docs crew is relatively new at this and out of an abundance of caution they chose to keep the preview docs separated. In the future everyone agreed there should be a procedure of treating these directories like branches, with no need for 'f12beta' or 'f12preview'. Eric Christensen will file a ticket to support this request, as soon as I get the CVS stuff done to support it. Did I mention how hard it is to use CVS now that I use git regularly? ;-) -- Paul W. Frields http://paul.frields.org/ gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717 http://redhat.com/ - - - - http://pfrields.fedorapeople.org/ irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug From ricky at fedoraproject.org Thu May 28 02:00:21 2009 
From: ricky at fedoraproject.org (Ricky Zhou) Date: Wed, 27 May 2009 22:00:21 -0400 Subject: [PATCH] Add requested redirects for release notes. Message-ID: <20090528020021.GA15699@alpha.rzhou.org> --- .../web/docs.fedoraproject.org/amodRewrite.conf | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/configs/web/docs.fedoraproject.org/amodRewrite.conf b/configs/web/docs.fedoraproject.org/amodRewrite.conf index 6ca8ac5..55add46 100644 --- a/configs/web/docs.fedoraproject.org/amodRewrite.conf +++ b/configs/web/docs.fedoraproject.org/amodRewrite.conf @@ -2,3 +2,5 @@ RewriteEngine On RedirectMatch ^/$ http://docs.fedoraproject.org/docs/ RewriteRule ^(.*)/fc7/$ http://docs.fedoraproject.org/$1/f7/ [R,L] RewriteRule ^(.*)/fc7$ http://docs.fedoraproject.org/$1/f7/ [R,L] +Redirect /release-notes/f11preview /release-notes/f11 +Redirect /release-notes/f10preview /release-notes/f10 -- 1.5.5.6 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From ricky at fedoraproject.org Thu May 28 02:04:23 2009 From: ricky at fedoraproject.org (Ricky Zhou) Date: Wed, 27 May 2009 22:04:23 -0400 Subject: [PATCH] Add requested redirects for release notes. In-Reply-To: <20090528020021.GA15699@alpha.rzhou.org> References: <20090528020021.GA15699@alpha.rzhou.org> Message-ID: <20090528020423.GB31564@alpha.rzhou.org> On 2009-05-27 10:00:21 PM, Ricky Zhou wrote: > +Redirect /release-notes/f11preview /release-notes/f11 > +Redirect /release-notes/f10preview /release-notes/f10 Actually, make that: +Redirect permanent /release-notes/f11preview /release-notes/f11 +Redirect permanent /release-notes/f10preview /release-notes/f10 Thanks, Ricky -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From sijis.aviles at gmail.com Thu May 28 02:38:50 2009 
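Review bot: in the two added Redirect lines at the end of the amodRewrite.conf hunk, the target is a bare path (/release-notes/f11, /release-notes/f10), whereas the RedirectMatch and RewriteRule lines just above them all redirect to a full http://docs.fedoraproject.org/... URL. Spelling the target out the same way, e.g. Redirect permanent /release-notes/f11preview http://docs.fedoraproject.org/release-notes/f11, keeps the file consistent and pins the Location header to the public hostname instead of leaving Apache to fill in the scheme and host from the server's own configuration. A one-line comment above the pair saying that the preview trees are retired in favour of the final release notes would also help the next person who edits this file.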
From: sijis.aviles at gmail.com (Sijis Aviles) Date: Wed, 27 May 2009 21:38:50 -0500 Subject: My Introduction In-Reply-To: References: <747290270905262137r2ed714bcge2b3c5befb7115ff@mail.gmail.com> Message-ID: <747290270905271938t7f7b3878ib9ecdc6fbaa313f2@mail.gmail.com> Hi Mike, I anticipate being available ~10hr/week. I have read through that document. I created a Fedora Account (ID: sijis) a few days ago and I've been lurking in #fedora-admin too. I'm just observing and getting acquainted on what's going on. I plan on attending the meeting on Thursday afternoon. See you all there. Sijis On Wed, May 27, 2009 at 4:42 PM, Mike McGrath wrote: > On Tue, 26 May 2009, Sijis Aviles wrote: > >> Hey all. My name is Sijis Aviles and I'm a Systems Engineer living in >> Chicago, IL. I've been using linux for about 5 years now, and became >> an RHCE about a 1 1/2 years ago. I started with Debian and then moved >> to Fedora during the F7 release. My experiences are primarily with >> scripting and web technologies: PHP, Batch, VB, Bash, HTML/CSS and >> some Perl, C/C++. I'm currently learning Python. >> >> I love to learn and figure out how things work. Challenges are always >> fun and I'm not afraid to ask questions or for help. >> >> I think I'd like to participate with the web, noc or tools FIGs. >> >> I hope I can be of help and continue the Fedora tradition. >> >> Sijis >> > > Welcome Sijis! How much time / week are you interested in participating? > Also have you seen - > http://fedoraproject.org/wiki/Infrastructure/GettingStarted > > -Mike > > _______________________________________________ > Fedora-infrastructure-list mailing list > Fedora-infrastructure-list at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list > From mmcgrath at redhat.com Thu May 28 13:12:13 2009
From: mmcgrath at redhat.com (Mike McGrath) Date: Thu, 28 May 2009 08:12:13 -0500 (CDT) Subject: My Introduction In-Reply-To: <747290270905271938t7f7b3878ib9ecdc6fbaa313f2@mail.gmail.com> References: <747290270905262137r2ed714bcge2b3c5befb7115ff@mail.gmail.com> <747290270905271938t7f7b3878ib9ecdc6fbaa313f2@mail.gmail.com> Message-ID: On Wed, 27 May 2009, Sijis Aviles wrote: > Hi Mike, > > I anticipate being available ~10hr/week. > > I have read through that document. I created a Fedora Account (ID: > sijis) a few days ago and I've been lurking in #fedora-admin too. I'm > just observing and getting acquainted on what's going on. > > I plan on attending the meeting on Thursday afternoon. > Excellent, see you at the meeting. Make sure to make yourself known online. -Mike > See you all there. > > Sijis > > > On Wed, May 27, 2009 at 4:42 PM, Mike McGrath wrote: > > On Tue, 26 May 2009, Sijis Aviles wrote: > > > >> Hey all. My name is Sijis Aviles and I'm a Systems Engineer living in > >> Chicago, IL. I've been using linux for about 5 years now, and became > >> an RHCE about a 1 1/2 years ago. I started with Debian and then moved > >> to Fedora during the F7 release. My experiences are primarily with > >> scripting and web technologies: PHP, Batch, VB, Bash, HTML/CSS and > >> some Perl, C/C++. I'm currently learning Python. > >> > >> I love to learn and figure out how things work. Challenges are always > >> fun and I'm not afraid to ask questions or for help. > >> > >> I think I'd like to participate with the web, noc or tools FIGs. > >> > >> I hope I can be of help and continue the Fedora tradition. > >> > >> Sijis > >> > > > > Welcome Sijis! How much time / week are you interested in participating? > > Also have you seen - > > http://fedoraproject.org/wiki/Infrastructure/GettingStarted > > > > -Mike > > From mmcgrath at redhat.com Thu May 28 14:22:09 2009 From: mmcgrath at redhat.com (Mike McGrath) Date: Thu, 28 May 2009 09:22:09 -0500 (CDT) Subject: [PATCH] Add requested redirects for release notes. In-Reply-To: <20090528020423.GB31564@alpha.rzhou.org> References: <20090528020021.GA15699@alpha.rzhou.org> <20090528020423.GB31564@alpha.rzhou.org> Message-ID: On Wed, 27 May 2009, Ricky Zhou wrote: > On 2009-05-27 10:00:21 PM, Ricky Zhou wrote: > > +Redirect /release-notes/f11preview /release-notes/f11 > > +Redirect /release-notes/f10preview /release-notes/f10 > Actually, make that: > +Redirect permanent /release-notes/f11preview /release-notes/f11 > +Redirect permanent /release-notes/f10preview /release-notes/f10 > I'm wondering if we should: RewriteRule ^/release-notes/f10preview(.*) /release-notes/f10$1 [R,L] RewriteRule ^/release-notes/f11preview(.*) /release-notes/f11$1 [R,L] What do you think? -Mike From ricky at fedoraproject.org Thu May 28 18:05:00 2009
From: ricky at fedoraproject.org (Ricky Zhou) Date: Thu, 28 May 2009 14:05:00 -0400 Subject: [PATCH] Add requested redirects for release notes. In-Reply-To: References: <20090528020021.GA15699@alpha.rzhou.org> <20090528020423.GB31564@alpha.rzhou.org> Message-ID: <20090528180500.GB469@alpha.rzhou.org> On 2009-05-28 09:22:09 AM, Mike McGrath wrote: > I'm wondering if we should: > > RewriteRule ^/release-notes/f10preview(.*) /release-notes/f10$1 [R,L] > RewriteRule ^/release-notes/f11preview(.*) /release-notes/f11$1 [R,L] > > What do you think? The plain Redirect will actually work as well, they were pretty smart about designing it, so it'll redirect /release-notes/f11preview/blah.html to /release-notes/f11/blah: http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirect Thanks, Ricky From mmcgrath at redhat.com Thu May 28 18:05:51 2009
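The difference between the two proposals in this thread, as an added example that is not part of the original messages or of Fedora's configuration: a simplified Python model of mod_alias Redirect's documented whole-segment prefix matching beside the proposed RewriteRule regexes. The request paths, the "-old" directory and the anchored regex variant are constructed assumptions; status codes, query strings and slash collapsing are not modelled.

```python
import re

# Rules from the thread as (match, target) pairs. Hostnames are left out:
# with a path-only target the server prepends its own scheme and host.
REDIRECT_RULES = [  # mod_alias form from the patch
    ("/release-notes/f11preview", "/release-notes/f11"),
    ("/release-notes/f10preview", "/release-notes/f10"),
]
REWRITE_RULES = [  # mod_rewrite form proposed in the reply (per-server context)
    (r"^/release-notes/f10preview(.*)", "/release-notes/f10$1"),
    (r"^/release-notes/f11preview(.*)", "/release-notes/f11$1"),
]
# Hypothetical tightened regexes (not from the thread): the capture must be
# empty or start a new path segment, which mirrors what Redirect does.
ANCHORED_RULES = [
    (r"^/release-notes/f10preview(/.*)?$", "/release-notes/f10$1"),
    (r"^/release-notes/f11preview(/.*)?$", "/release-notes/f11$1"),
]

# Constructed request paths. The "f11preview-old" sibling directory is
# invented to show where the two matching styles diverge.
SAMPLE_PATHS = [
    "/release-notes/f11preview",
    "/release-notes/f11preview/",
    "/release-notes/f11preview/en-US/index.html",
    "/release-notes/f11preview-old/index.html",
    "/release-notes/f11/index.html",
]


def alias_redirect(path, prefix, target):
    """Model of Redirect: match a URL-path prefix on complete path segments
    and append whatever follows the prefix to the target."""
    if not path.startswith(prefix):
        return None
    rest = path[len(prefix):]
    # A prefix that stops in the middle of a segment is not a match.
    if rest and not rest.startswith("/") and not prefix.endswith("/"):
        return None
    return target + rest


def rewrite_redirect(path, pattern, substitution):
    """Model of RewriteRule with [R]: on a regex match the whole path is
    replaced by the substitution, with $N filled from the capture groups."""
    m = re.search(pattern, path)
    if m is None:
        return None
    template = re.sub(r"\$(\d)", r"\\\1", substitution)  # "$1" -> "\1"
    return m.expand(template)


def resolve(path, rules, matcher):
    """First matching rule wins; None means the request is served as-is."""
    for match, target in rules:
        result = matcher(path, match, target)
        if result is not None:
            return result
    return None


def compare(paths=SAMPLE_PATHS):
    """Map each path to (Redirect, RewriteRule, anchored RewriteRule)."""
    return {
        p: (
            resolve(p, REDIRECT_RULES, alias_redirect),
            resolve(p, REWRITE_RULES, rewrite_redirect),
            resolve(p, ANCHORED_RULES, rewrite_redirect),
        )
        for p in paths
    }


if __name__ == "__main__":
    for path, (alias, rewrite, anchored) in compare().items():
        print(path)
        print("  Redirect            ->", alias)
        print("  RewriteRule (.*)    ->", rewrite)
        print("  RewriteRule (/.*)?$ ->", anchored)
```

Only the constructed sibling path differs: the unanchored `(.*)` pattern sends `/release-notes/f11preview-old/index.html` to `/release-notes/f11-old/index.html`, while Redirect and the anchored pattern leave it alone.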
From: mmcgrath at redhat.com (Mike McGrath) Date: Thu, 28 May 2009 13:05:51 -0500 (CDT) Subject: [PATCH] Add requested redirects for release notes. In-Reply-To: <20090528180500.GB469@alpha.rzhou.org> References: <20090528020021.GA15699@alpha.rzhou.org> <20090528020423.GB31564@alpha.rzhou.org> <20090528180500.GB469@alpha.rzhou.org> Message-ID: On Thu, 28 May 2009, Ricky Zhou wrote: > On 2009-05-28 09:22:09 AM, Mike McGrath wrote: > > I'm wondering if we should: > > > > RewriteRule ^/release-notes/f10preview(.*) /release-notes/f10$1 [R,L] > > RewriteRule ^/release-notes/f11preview(.*) /release-notes/f11$1 [R,L] > > > > What do you think? > The plain Redirect will actually work as well, they were pretty smart > about designing it, so it'll redirect > /release-notes/f11preview/blah.html to /release-notes/f11/blah: > > http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirect > K, then +1 from me. We need one more +1 if anyone is so inclined. -Mike From a.badger at gmail.com Thu May 28 18:30:18 2009 
From: a.badger at gmail.com (Toshio Kuratomi) Date: Thu, 28 May 2009 11:30:18 -0700 Subject: [PATCH] Add requested redirects for release notes. In-Reply-To: References: <20090528020021.GA15699@alpha.rzhou.org> <20090528020423.GB31564@alpha.rzhou.org> <20090528180500.GB469@alpha.rzhou.org> Message-ID: <4A1ED83A.3060305@gmail.com> On 05/28/2009 11:05 AM, Mike McGrath wrote: > On Thu, 28 May 2009, Ricky Zhou wrote: > >> On 2009-05-28 09:22:09 AM, Mike McGrath wrote: >>> I'm wondering if we should: >>> >>> RewriteRule ^/release-notes/f10preview(.*) /release-notes/f10$1 [R,L] >>> RewriteRule ^/release-notes/f11preview(.*) /release-notes/f11$1 [R,L] >>> >>> What do you think? >> The plain Redirect will actually work as well, they were pretty smart >> about designing it, so it'll redirect >> /release-notes/f11preview/blah.html to /release-notes/f11/blah: >> >> http://httpd.apache.org/docs/2.2/mod/mod_alias.html#redirect >> > > K, then +1 from me. > > We need one more +1 if anyone is so inclined. > +1 -Toshio From ricky at fedoraproject.org Thu May 28 20:27:33 2009 
From: ricky at fedoraproject.org (Ricky Zhou) Date: Thu, 28 May 2009 16:27:33 -0400 Subject: Meeting Log - 2009-05-28 Message-ID: <20090528202733.GD469@alpha.rzhou.org> 20:00 -!- ricky changed the topic of #fedora-meeting to: Infrastructure Meeting - who's here? 20:00 < skvidal> w00t 20:00 < skvidal> w00t 20:00 -!- sijis [n=sijis at adsl-75-58-82-242.dsl.emhril.sbcglobal.net] has joined #fedora-meeting 20:01 * mmcgrath is sort of here 20:01 < mmcgrath> sijis: this is where you say "i'm here" :-P 20:01 < sijis> i'm here. 20:01 * ke4qqq is quasi-here 20:01 * skvidal is playing bug slave 20:01 * tmz watches from the peanut gallery 20:01 < ricky> Grr, annoying time for Firefox to crash 20:02 * abadger1999 waves 20:02 * dgilmore is here 20:02 < ricky> f13, lmacken, SmootherFrOgZ, jds2001, G_work, anybody I forgot: ping 20:02 * dgilmore slaps ricky 20:02 < ricky> dgilmore: Oops, sorry :-) 20:03 -!- inode0 [n=inode0 at fedora/inode0] has quit Read error: 54 (Connection reset by peer) 20:03 < ricky> We have no meeting tickets today, so I guess we can just go through the release tickets instead 20:03 < ricky> https://fedorahosted.org/fedora-infrastructure/report/9 20:03 -!- inode0 [n=inode0 at fedora/inode0] has joined #fedora-meeting 20:03 < ricky> .ticket 1387 20:03 < zodbot> ricky: #1387 (New Website) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/1387 20:04 < ricky> Everything's pretty much ready there, test site at http://publictest1.fedoraproject.org/fedoraproject.org/ 20:04 * mdomsch waits for a concall to start 20:04 * ianweller lurks 20:04 < ricky> .ticket 1390 20:04 < skvidal> ricky: well, the release isn't finished yet 20:04 < zodbot> ricky: #1390 (Verify permissions) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/1390 20:04 < skvidal> ricky: minor issue 20:04 < skvidal> ricky: :) 20:05 < ricky> Heh, yeah - the once the images are ready, we need to do one more check of the links. 
20:05 < ricky> .ticket 1391 20:05 -!- biertie [n=bert at 91.181.251.152] has joined #fedora-meeting 20:05 < zodbot> ricky: #1391 (Add MirrorManager redirects) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/1391 20:05 < ricky> I think mdomsch got all of those back during the Alpha release. Feel free to close if it's all set 20:06 < mdomsch> ricky, the follow-up is they need to be dropped on release day 20:06 < mdomsch> so please leave it open 20:06 < ricky> mdomsch: Ah, will do. Will you be around to do that on release day? 20:06 < mdomsch> yep 20:06 < ricky> Cool 20:06 < ricky> .ticket 1392 20:06 < zodbot> ricky: #1392 (RHIS Communication) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/1392 20:07 < ricky> mmcgrath: You've got that one, right? 20:07 < mmcgrath> ricky: yep, and it should be just fine. 20:07 < ricky> Excellent 20:08 < ricky> .ticket 1393 20:08 < zodbot> ricky: #1393 (Infrastructure Change Freeze) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/1393 20:08 -!- inode0 [n=inode0 at fedora/inode0] has quit Read error: 54 (Connection reset by peer) 20:08 < ricky> This is running until June 10th now 20:08 -!- inode0 [n=inode0 at fedora/inode0] has joined #fedora-meeting 20:08 < ricky> .ticket 1394 20:08 < zodbot> ricky: #1394 (Common Issues on the wiki) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/1394 20:09 -!- rdieter [n=rdieter at fedora/rdieter] has quit Remote closed the connection 20:09 < ricky> ianweller: I suspect that there will be a bunch of wiki changes other than the common issues page - would you mind taking that one? ^ 20:09 -!- opuk [n=kupo at pipe.intertubez.net] has joined #fedora-meeting 20:09 < ianweller> surrre. 
20:09 < ianweller> i'll be around on release day now 20:09 < ianweller> i just have to bump a global template 20:09 < ricky> Nice :-) Go ahead and accept it in trac, then 20:10 < ricky> .ticket 1395 20:10 < zodbot> ricky: #1395 (Lessons Learned) - Fedora Infrastructure - Trac - https://fedorahosted.org/fedora-infrastructure/ticket/1395 20:10 < ricky> Does anybody have anything to bring up from previous releases that we should keep an eye on? 20:10 < ricky> It's only been getting smoother and smoother, as far as I've seen 20:10 < ianweller> double check the links? 20:11 < ricky> Definitely, yes ;-) 20:11 < ianweller> :) 20:11 < ricky> mdomsch: Are we doing anything differently to try to get the bit flip on time? 20:12 < mdomsch> ricky, just bitflipping earlier I hope 20:12 < mdomsch> to give mirrors enough time to sync and catch it 20:12 < ricky> Are people taking advantage of the fullfilelist now, or is that still being worked out? 20:13 < mdomsch> still being worked out 20:14 < ricky> Cool, thanks 20:14 < sijis> i read in the list that doing the bit-flip 6.5 hours ahead of time would work. 20:14 < mdomsch> sijis, yes, I think so 20:15 -!- openpercept [n=openperc at fedora/openpercept] has quit Remote closed the connection 20:16 < ricky> Any other lessons learned? We've pretty much had no trouble with load ever since the wiki migration 20:16 < ricky> mmcgrath: Do we still do any manual caching of specific wiki pages? 20:17 < ianweller> i don't think we did last release. we just need to make sure to hand out http:// links instead of https:// 20:17 < mmcgrath> ricky: No, but I plan on enabling it the day before the release and removing it the day after. 20:17 < mmcgrath> as part of a release cycle. 20:18 < ricky> mmcgrath: Sorry, you mean enabling caching of certain pages? 20:18 < mmcgrath> ricky: I was just going to enable disk caching of /wiki again at the proxy layer. 20:18 < ricky> Ah, OK. 
20:18 < ianweller> will sending ?action=purge make it so that we can update the disk cache? 20:18 < ricky> ianweller: Remind us to clear the caches after you/anybody makes any f10 edits, then 20:18 < ianweller> just in case we need to emergency update a page 20:19 < ianweller> like that ;) 20:19 < ricky> ianweller: I don't think so, that would only clear mediawiki's cache, not apache's cache 20:19 < ricky> So yeah, remind us to clear both caches any time an important edit is made :-) 20:19 < sijis> does the wiki have any 'freeze' times too? 20:20 < ricky> Not that I know of, since it's not currently translated. 20:20 -!- josedamiangarrid [n=damian at 200.49.17.134] has quit "Leaving." 20:20 < ianweller> only wiki freezes are for rel notes 20:20 < ianweller> so that they can be translated 20:21 < ianweller> in the not-wiki 20:22 < ricky> So does anybody have anything else to discuss from previous releases? 20:23 -!- ricky changed the topic of #fedora-meeting to: Infrastructure Meeting - Open Floor 20:23 < ricky> Anything anybody wants to bring up in general? 20:24 * ricky welcomes sijis - he recently sent an introduction to list 20:25 < ricky> Closing n 30 if there's nothing else 20:25 < ricky> **in 20:25 < sijis> yes.. thanks ricky. 20:25 < ricky> :-) 20:25 < sijis> i just want to say, i hope i can be of help :) and it'll be a pleasure working with eveyrone 20:25 * ianweller high fives sijis 20:25 < ricky> Thanks :-) 20:26 < ricky> All right then, see you all back in #fedora-admin then :-) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From laxathom at fedoraproject.org Thu May 28 20:29:13 2009 
From: laxathom at fedoraproject.org (Xavier Lamien) Date: Thu, 28 May 2009 22:29:13 +0200 Subject: [PATCH] Add requested redirects for release notes. In-Reply-To: <62bc09df0905281328l178ea0f1w9fa9dac5a36f3300@mail.gmail.com> References: <20090528020021.GA15699@alpha.rzhou.org> <20090528020423.GB31564@alpha.rzhou.org> <20090528180500.GB469@alpha.rzhou.org> <62bc09df0905281328l178ea0f1w9fa9dac5a36f3300@mail.gmail.com> Message-ID: <62bc09df0905281329g6912b627o61a8fa52980f1da6@mail.gmail.com> +1 from me On May 28, 2009 8:05 PM, "Mike McGrath" wrote: On Thu, 28 May 2009, Ricky Zhou wrote: > On 2009-05-28 09:22:09 AM, Mike McGrath wrote: > > I'm won... K, then +1 from me. We need one more +1 if anyone is so inclined. -Mike _______________________________________________ Fedora-infrastructure-list mailing list Fed... From Matt_Domsch at dell.com Fri May 29 01:15:11 2009
From: Matt_Domsch at dell.com (Matt Domsch) Date: Thu, 28 May 2009 20:15:11 -0500 Subject: remove old video torrents Message-ID: <20090529011511.GA22609@auslistsprd01.us.dell.com> (I screwed up and did this w/o asking first; I expect thugs^Wenforcers from the Chicago area to arrive momentarily; fortunately, steaks are on the grill and hopefully they can be appeased. I can easily put the content back if need be.) I want to move the videos (ogg and avi files) currently hosted only on torrent.fp.o, to alt.fp.o/pub/alt/videos/ with the other videos. I have already copied the content over. This request will remove the torrents, their contents, and their .ini files on torrent1. Then, the normal processes will refresh the torrent.fp.o web page and the tracker. There are currently 0 or 1 seed, and 0 downloaders, for this content, which dates back to January 2008 at the most recent. Thanks, Matt -- Matt Domsch Technology Strategist, Dell Office of the CTO linux.dell.com & www.dell.com/linux From ricky at fedoraproject.org Fri May 29 01:20:58 2009 
From: ricky at fedoraproject.org (Ricky Zhou) Date: Thu, 28 May 2009 21:20:58 -0400 Subject: remove old video torrents In-Reply-To: <20090529011511.GA22609@auslistsprd01.us.dell.com> References: <20090529011511.GA22609@auslistsprd01.us.dell.com> Message-ID: <20090529012058.GE469@alpha.rzhou.org> On 2009-05-28 08:15:11 PM, Matt Domsch wrote: > (I screwed up and did this w/o asking first; I expect thugs^Wenforcers > from the Chicago area to arrive momentarily; fortunately, steaks are > on the grill and hopefully they can be appeased. I can easily put the > content back if need be.) > > I want to move the videos (ogg and avi files) currently hosted only > on torrent.fp.o, to alt.fp.o/pub/alt/videos/ with the other videos. I > have already copied the content over. > > This request will remove the torrents, their contents, and their .ini > files on torrent1. Then, the normal processes will refresh the > torrent.fp.o web page and the tracker. > > There are currently 0 or 1 seed, and 0 downloaders, for this content, > which dates back to January 2008 at the most recent. +1 Thanks, Ricky From nigjones at redhat.com Fri May 29 02:06:19 2009
From: nigjones at redhat.com (Nigel Jones) Date: Thu, 28 May 2009 22:06:19 -0400 (EDT) Subject: remove old video torrents In-Reply-To: <20090529011511.GA22609@auslistsprd01.us.dell.com> Message-ID: <15489782.21243562768978.JavaMail.nigjones@njones.bne.redhat.com> +1 Also note, you need to send some of the steaks to Australia... - Nigel ----- "Matt Domsch" wrote: > (I screwed up and did this w/o asking first; I expect > thugs^Wenforcers > from the Chicago area to arrive momentarily; fortunately, steaks are > on the grill and hopefully they can be appeased. I can easily put > the > content back if need be.) > > I want to move the videos (ogg and avi files) currently hosted only > on torrent.fp.o, to alt.fp.o/pub/alt/videos/ with the other videos. > I > have already copied the content over. > > This request will remove the torrents, their contents, and their .ini > files on torrent1. Then, the normal processes will refresh the > torrent.fp.o web page and the tracker. > > There are currently 0 or 1 seed, and 0 downloaders, for this content, > which dates back to January 2008 at the most recent. > > Thanks, > Matt > > -- > Matt Domsch > Technology Strategist, Dell Office of the CTO > linux.dell.com & www.dell.com/linux From jonstanley at gmail.com Fri May 29 04:03:39 2009
From: jonstanley at gmail.com (Jon Stanley) Date: Fri, 29 May 2009 00:03:39 -0400 Subject: remove old video torrents In-Reply-To: <15489782.21243562768978.JavaMail.nigjones@njones.bne.redhat.com> References: <20090529011511.GA22609@auslistsprd01.us.dell.com> <15489782.21243562768978.JavaMail.nigjones@njones.bne.redhat.com> Message-ID: On Thu, May 28, 2009 at 10:06 PM, Nigel Jones wrote: > Also note, you need to send some of the steaks to Australia... And some to NYC. From Matt_Domsch at dell.com Fri May 29 04:06:27 2009 From: Matt_Domsch at dell.com (Matt Domsch) Date: Thu, 28 May 2009 23:06:27 -0500 Subject: remove old video torrents In-Reply-To: References: <20090529011511.GA22609@auslistsprd01.us.dell.com> <15489782.21243562768978.JavaMail.nigjones@njones.bne.redhat.com> Message-ID: <20090529040627.GB22609@auslistsprd01.us.dell.com> On Fri, May 29, 2009 at 12:03:39AM -0400, Jon Stanley wrote: > On Thu, May 28, 2009 at 10:06 PM, Nigel Jones wrote: > > > Also note, you need to send some of the steaks to Australia... > > And some to NYC. You all know of my standing offer. Any time anyone in FI is in Austin, drop me a line - the grill will be hot and the beverages cold. -- Matt Domsch Technology Strategist, Dell Office of the CTO linux.dell.com & www.dell.com/linux From Matt_Domsch at dell.com Fri May 29 04:39:34 2009
From: Matt_Domsch at dell.com (Matt Domsch) Date: Thu, 28 May 2009 23:39:34 -0500 Subject: remove old video torrents In-Reply-To: <20090529011511.GA22609@auslistsprd01.us.dell.com> References: <20090529011511.GA22609@auslistsprd01.us.dell.com> Message-ID: <20090529043934.GC22609@auslistsprd01.us.dell.com> > I want to move the videos (ogg and avi files) currently hosted only > on torrent.fp.o, to alt.fp.o/pub/alt/videos/ with the other videos. I > have already copied the content over. As long as I'm removing torrent content, let me suggest a few more. :-) ccLiveContent-1.0-i386 Posted August 2007. No seeders. ccLiveContent-2.0-1202964485.iso ccLiveContent-2.0-FINAL.iso Posted Feb 2008. 3 seeders, but no links from the torrent.fp.o HTML page. Fedora 11 Alpha. No links from torrent.fp.o HTML page. Amazingly, some of these have as many as 11 seeders and 6 downloaders. No reason to encourage downloads of this anymore though. Fedora 11 Beta. _Is_ linked from t.fp.o HTML page. 1-17 seeders, 0-2 downloaders. Same reason as Alpha - there are newer bits available to test with. Fedora 11 Snap 1. _Is_ linked from t.fp.o HTML page. 1-6 seeders, 0-3 downloaders. Pre-dates the Preview release. Now for something maybe more controversial. Fedora 8. _Is_ linked from t.fp.o HTML page. 1-35 seeders, 0-8 downloaders. F8 is EOL, and still posted on archive.fp.o. I also note that the map link besides each torrent on the t.fp.o HTML page is broken. But hey, that's only present for the F8 and ccLiveContent bits, which, if we nuke, then we don't have a problem there either. :-) Thanks, Matt the pruner -- Matt Domsch Technology Strategist, Dell Office of the CTO linux.dell.com & www.dell.com/linux From mmcgrath at redhat.com Fri May 29 04:46:20 2009 
From: mmcgrath at redhat.com (Mike McGrath) Date: Thu, 28 May 2009 23:46:20 -0500 (CDT) Subject: remove old video torrents In-Reply-To: <20090529043934.GC22609@auslistsprd01.us.dell.com> References: <20090529011511.GA22609@auslistsprd01.us.dell.com> <20090529043934.GC22609@auslistsprd01.us.dell.com> Message-ID: On Thu, 28 May 2009, Matt Domsch wrote: > > I want to move the videos (ogg and avi files) currently hosted only > > on torrent.fp.o, to alt.fp.o/pub/alt/videos/ with the other videos. I > > have already copied the content over. > > As long as I'm removing torrent content, let me suggest a few > more. :-) > > ccLiveContent-1.0-i386 > Posted August 2007. No seeders. > > ccLiveContent-2.0-1202964485.iso > ccLiveContent-2.0-FINAL.iso > Posted Feb 2008. 3 seeders, but no links from the torrent.fp.o HTML page. > > Fedora 11 Alpha. No links from torrent.fp.o HTML page. Amazingly, > some of these have as many as 11 seeders and 6 downloaders. No reason > to encourage downloads of this anymore though. > > Fedora 11 Beta. _Is_ linked from t.fp.o HTML page. 1-17 seeders, 0-2 > downloaders. Same reason as Alpha - there are newer bits available to > test with. > > Fedora 11 Snap 1. _Is_ linked from t.fp.o HTML page. 1-6 seeders, 0-3 > downloaders. Pre-dates the Preview release. > > > Now for something maybe more controversial. > > Fedora 8. _Is_ linked from t.fp.o HTML page. 1-35 seeders, 0-8 > downloaders. F8 is EOL, and still posted on archive.fp.o. > > > I also note that the map link besides each torrent on the t.fp.o HTML > page is broken. But hey, that's only present for the F8 and > ccLiveContent bits, which, if we nuke, then we don't have a problem > there either. :-) > > Thanks, > Matt the pruner > I'm all for pruning, let's have a plan for it though. Anyone see any reason not to have these up there? Should we come up with some test for what does and does not get removed? -Mike From Matt_Domsch at dell.com Fri May 29 05:07:30 2009
From: Matt_Domsch at dell.com (Matt Domsch) Date: Fri, 29 May 2009 00:07:30 -0500 Subject: remove old video torrents In-Reply-To: References: <20090529011511.GA22609@auslistsprd01.us.dell.com> <20090529043934.GC22609@auslistsprd01.us.dell.com> Message-ID: <20090529050730.GD22609@auslistsprd01.us.dell.com> On Thu, May 28, 2009 at 11:46:20PM -0500, Mike McGrath wrote: > I'm all for pruning, let's have a plan for it though. Anyone see any > reason not to have these up there? > > Should we come up with some test for what does and does not get removed? I agree. Here's what I am going by: a) content that has reached the end of life. This includes: 1) pre-release content (Alpha, Beta, snapshots, ...) that have been superseded, and are thus no longer useful for testing. 2) EOL releases that we have moved to archive.fp.o (I'm open to be swayed on this one...) b) content which has exceedingly limited seeders and downloaders, and which has little prospect of increasing those numbers, and which is > 1 year old. The several-years-old videos fall into this category, with 0-1 seeder, and no significant increase in downloads in a while (by visual inspection, ~3000 downloads as far back as I can remember). Content which is still considered "current" (e.g. spins of non-EOL releases) get to stay. We haven't traditionally hosted spins elsewhere, such as archive.fp.o or alt.fp.o, so nuking them removes the only method by which someone could obtain them. Given we're OK on space right now, there's no good reason to remove spins even of EOL releases where the non-spins got archived. -- Matt Domsch Technology Strategist, Dell Office of the CTO linux.dell.com & www.dell.com/linux From me at davidjmemmett.co.uk Fri May 29 09:27:14 2009
From: me at davidjmemmett.co.uk (David JM Emmett)
Date: Fri, 29 May 2009 10:27:14 +0100
Subject: wiki caching old content
In-Reply-To: <20090509142934.GA14354@kupenblagster.ianweller.org>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan> <53a863600905080832s2d73d355if4bb6ca57f8ed4b@mail.gmail.com> <1241875040.11020.87.camel@can11.canstudiosltd.thecan> <20090509142934.GA14354@kupenblagster.ianweller.org>
Message-ID: <1243589234.15768.39.camel@can11.canstudiosltd.thecan>

I noticed that you mentioned this yesterday in the meeting, is anything
being actioned for either client/server cache?

On Sat, 2009-05-09 at 09:29 -0500, Ian Weller wrote:
> On Sat, May 09, 2009 at 02:17:20PM +0100, David JM Emmett wrote:
> > With mediawiki, you can purge the server cache by setting the GET var
> > "action=purge".
> >
> You can also add a purge button to your buttons at the top.
> Steal this code:
> https://fedoraproject.org/wiki/User:Ianweller/fedora.js
>

From mmcgrath at redhat.com Fri May 29 14:41:10 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 29 May 2009 09:41:10 -0500 (CDT)
Subject: wiki caching old content
In-Reply-To: <1243589234.15768.39.camel@can11.canstudiosltd.thecan>
References: <4A043C85.4000202@fedoraproject.org> <4A0440D3.5030106@fedoraproject.org> <4A04446C.6080703@fedoraproject.org> <1241794308.11020.80.camel@can11.canstudiosltd.thecan> <53a863600905080832s2d73d355if4bb6ca57f8ed4b@mail.gmail.com> <1241875040.11020.87.camel@can11.canstudiosltd.thecan> <20090509142934.GA14354@kupenblagster.ianweller.org> <1243589234.15768.39.camel@can11.canstudiosltd.thecan>
Message-ID:

On Fri, 29 May 2009, David JM Emmett wrote:

> I noticed that you mentioned this yesterday in the meeting, is anything
> being actioned for either client/server cache?
>
> On Sat, 2009-05-09 at 09:29 -0500, Ian Weller wrote:
> > On Sat, May 09, 2009 at 02:17:20PM +0100, David JM Emmett wrote:
> > > With mediawiki, you can purge the server cache by setting the GET var
> > > "action=purge".
> > >
> > You can also add a purge button to your buttons at the top.
> > Steal this code:
> > https://fedoraproject.org/wiki/User:Ianweller/fedora.js
> >

Client side caching we haven't altered. Server side caching we now use
memcached and will ramp up with mod_cache around release time. We likely
don't need action=purge anymore.

-Mike

From mmcgrath at redhat.com Fri May 29 14:49:54 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 29 May 2009 09:49:54 -0500 (CDT)
Subject: remove old video torrents
In-Reply-To: <20090529050730.GD22609@auslistsprd01.us.dell.com>
References: <20090529011511.GA22609@auslistsprd01.us.dell.com> <20090529043934.GC22609@auslistsprd01.us.dell.com> <20090529050730.GD22609@auslistsprd01.us.dell.com>
Message-ID:

On Fri, 29 May 2009, Matt Domsch wrote:

> On Thu, May 28, 2009 at 11:46:20PM -0500, Mike McGrath wrote:
> > I'm all for pruning, let's have a plan for it though. Anyone see any
> > reason not to have these up there?
> >
> > Should we come up with some test for what does and does not get removed?
>
> I agree. Here's what I am going by:
>
> a) content that has reached the end of life. This includes:
>    1) pre-release content (Alpha, Beta, snapshots, ...) that have been
>       superseded, and are thus no longer useful for testing.
>    2) EOL releases that we have moved to archive.fp.o
>       (I'm open to be swayed on this one...)
>
> b) content which has exceedingly limited seeders and downloaders, and
>    which has little prospect of increasing those numbers, and which is
>    > 1 year old. The several-years-old videos fall into this
>    category, with 0-1 seeder, and no significant increase in downloads
>    in a while (by visual inspection, ~3000 downloads as far back as I
>    can remember).
>
> Content which is still considered "current" (e.g. spins of non-EOL
> releases) get to stay.
>
> We haven't traditionally hosted spins elsewhere, such as archive.fp.o
> or alt.fp.o, so nuking them removes the only method by which someone
> could obtain them. Given we're OK on space right now, there's no good
> reason to remove spins even of EOL releases where the non-spins got
> archived.
>

This seems reasonable to me. Anyone have issues?

-Mike

From notting at redhat.com Fri May 29 14:55:04 2009
From: notting at redhat.com (Bill Nottingham)
Date: Fri, 29 May 2009 10:55:04 -0400
Subject: remove old video torrents
In-Reply-To:
References: <20090529011511.GA22609@auslistsprd01.us.dell.com> <20090529043934.GC22609@auslistsprd01.us.dell.com> <20090529050730.GD22609@auslistsprd01.us.dell.com>
Message-ID: <20090529145504.GB30106@nostromo.devel.redhat.com>

Mike McGrath (mmcgrath at redhat.com) said:
> > > I'm all for pruning, let's have a plan for it though. Anyone see any
> > > reason not to have these up there?
> > >
> > > Should we come up with some test for what does and does not get removed?
> >
> > I agree. Here's what I am going by:
> >
> > a) content that has reached the end of life. This includes:
> >    1) pre-release content (Alpha, Beta, snapshots, ...) that have been
> >       superseded, and are thus no longer useful for testing.
> >    2) EOL releases that we have moved to archive.fp.o
> >       (I'm open to be swayed on this one...)
> >
> > b) content which has exceedingly limited seeders and downloaders, and
> >    which has little prospect of increasing those numbers, and which is
> >    > 1 year old. The several-years-old videos fall into this
> >    category, with 0-1 seeder, and no significant increase in downloads
> >    in a while (by visual inspection, ~3000 downloads as far back as I
> >    can remember).
> >
> > Content which is still considered "current" (e.g. spins of non-EOL
> > releases) get to stay.
> >
> > We haven't traditionally hosted spins elsewhere, such as archive.fp.o
> > or alt.fp.o, so nuking them removes the only method by which someone
> > could obtain them. Given we're OK on space right now, there's no good
> > reason to remove spins even of EOL releases where the non-spins got
> > archived.
> >
>
> This seems reasonable to me. Anyone have issues?

Seems reasonable. Should we make this generic so it applies to older alpha/beta
trees on the ftp/http site as well?

Bill

From Matt_Domsch at dell.com Fri May 29 16:26:42 2009
From: Matt_Domsch at dell.com (Matt Domsch)
Date: Fri, 29 May 2009 11:26:42 -0500
Subject: remove old video torrents
In-Reply-To: <20090529145504.GB30106@nostromo.devel.redhat.com>
References: <20090529011511.GA22609@auslistsprd01.us.dell.com> <20090529043934.GC22609@auslistsprd01.us.dell.com> <20090529050730.GD22609@auslistsprd01.us.dell.com> <20090529145504.GB30106@nostromo.devel.redhat.com>
Message-ID: <20090529162642.GA7934@auslistsprd01.us.dell.com>

On Fri, May 29, 2009 at 10:55:04AM -0400, Bill Nottingham wrote:
> Seems reasonable. Should we make this generic so it applies to older alpha/beta
> trees on the ftp/http site as well?

Well, we pretty much do already. We delete the alpha/beta releases whenever we have content that supersedes those and when we're low on space. If we're good on space, sometimes these stay longer, but they can be removed at any time. Mike and Jesse have also been good about moving EOL content (Fedora 7 and 8 and their updates) to archive.fp.o to free up space to host the new content.

--
Matt Domsch
Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux

From mmcgrath at redhat.com Fri May 29 21:11:57 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 29 May 2009 16:11:57 -0500 (CDT)
Subject: httpd update on servers
Message-ID:

I'd like to update httpd on our web servers and proxy boxes.

https://rhn.redhat.com/errata/RHSA-2009-1075.html

2+1's?

-Mike

From Matt_Domsch at dell.com Fri May 29 21:13:49 2009
From: Matt_Domsch at dell.com (Matt Domsch)
Date: Fri, 29 May 2009 16:13:49 -0500
Subject: httpd update on servers
In-Reply-To:
References:
Message-ID: <20090529211349.GA17643@auslistsprd01.us.dell.com>

On Fri, May 29, 2009 at 04:11:57PM -0500, Mike McGrath wrote:
> I'd like to update httpd on our web servers and proxy boxes.
>
> https://rhn.redhat.com/errata/RHSA-2009-1075.html

+1

--
Matt Domsch
Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux

From ricky at fedoraproject.org Fri May 29 21:14:10 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 29 May 2009 17:14:10 -0400
Subject: httpd update on servers
In-Reply-To:
References:
Message-ID: <20090529211410.GA8119@alpha.rzhou.org>

On 2009-05-29 04:11:57 PM, Mike McGrath wrote:
> I'd like to update httpd on our web servers and proxy boxes.
>
> https://rhn.redhat.com/errata/RHSA-2009-1075.html
>
> 2+1's?

+1

Thanks,
Ricky

From admin at arcnetworks.biz Fri May 29 21:14:28 2009
From: admin at arcnetworks.biz (Anand Capur)
Date: Fri, 29 May 2009 17:14:28 -0400
Subject: httpd update on servers
In-Reply-To: <20090529211349.GA17643@auslistsprd01.us.dell.com>
References: <20090529211349.GA17643@auslistsprd01.us.dell.com>
Message-ID: <5d66540b0905291414h3a109bam3c8a5c0f452bae7c@mail.gmail.com>

On Fri, May 29, 2009 at 5:13 PM, Matt Domsch wrote:

> On Fri, May 29, 2009 at 04:11:57PM -0500, Mike McGrath wrote:
> > I'd like to update httpd on our web servers and proxy boxes.
> >
> > https://rhn.redhat.com/errata/RHSA-2009-1075.html
>
> +1
>
> --
> Matt Domsch
> Technology Strategist, Dell Office of the CTO
> linux.dell.com & www.dell.com/linux
>

+1

From itamar at ispbrasil.com.br Fri May 29 21:14:40 2009
From: itamar at ispbrasil.com.br (Itamar Reis Peixoto)
Date: Fri, 29 May 2009 18:14:40 -0300
Subject: httpd update on servers
In-Reply-To:
References:
Message-ID:

+1

On Fri, May 29, 2009 at 6:11 PM, Mike McGrath wrote:
> I'd like to update httpd on our web servers and proxy boxes.
>
> https://rhn.redhat.com/errata/RHSA-2009-1075.html
>
> 2+1's?
>
> -Mike
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>

--
------------

Itamar Reis Peixoto

e-mail/msn: itamar at ispbrasil.com.br
sip: itamar at ispbrasil.com.br
skype: itamarjp
icq: 81053601
+55 11 4063 5033
+55 34 3221 8599

From mmcgrath at redhat.com Fri May 29 21:15:37 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 29 May 2009 16:15:37 -0500 (CDT)
Subject: haproxy update
Message-ID:

while I'm doing the httpd update, I'd like to update haproxy as well as
there were a number of change fixes that would be good to have in place
for the release:

http://haproxy.1wt.eu/download/1.3/src/CHANGELOG-1.3.18.X

2+1's?

-Mike

From admin at arcnetworks.biz Fri May 29 21:16:24 2009
From: admin at arcnetworks.biz (Anand Capur)
Date: Fri, 29 May 2009 17:16:24 -0400
Subject: haproxy update
In-Reply-To:
References:
Message-ID: <5d66540b0905291416s4d52d48fkbda8c1cc62bc91df@mail.gmail.com>

On Fri, May 29, 2009 at 5:15 PM, Mike McGrath wrote:

> while I'm doing the httpd update, I'd like to update haproxy as well as
> there were a number of change fixes that would be good to have in place
> for the release:
>
> http://haproxy.1wt.eu/download/1.3/src/CHANGELOG-1.3.18.X
>
> 2+1's?
>
> -Mike
>

+1

From ricky at fedoraproject.org Fri May 29 21:17:14 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 29 May 2009 17:17:14 -0400
Subject: haproxy update
In-Reply-To:
References:
Message-ID: <20090529211714.GB8119@alpha.rzhou.org>

On 2009-05-29 04:15:37 PM, Mike McGrath wrote:
> while I'm doing the httpd update, I'd like to update haproxy as well as
> there were a number of change fixes that would be good to have in place
> for the release:
>
> http://haproxy.1wt.eu/download/1.3/src/CHANGELOG-1.3.18.X
>
> 2+1's?

+1

Thanks,
Ricky

From mmcgrath at redhat.com Fri May 29 21:31:18 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 29 May 2009 16:31:18 -0500 (CDT)
Subject: Change request - Proxy1 (x86_64)
Message-ID:

This one's an oops, probably on me. I happened to notice proxy1 is an
x86_64 box. We have two options.

1) double its ram

2) rebuild it as x86

I'd prefer to do 2 since the release slipped again and we've generally got
time for it. The concern is the boxes are tuned for i686 with 4G of ram
and don't generally like to operate if either of those change.

-Mike

From mmcgrath at redhat.com Fri May 29 21:32:29 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 29 May 2009 16:32:29 -0500 (CDT)
Subject: Change request - Proxy1 (x86_64)
In-Reply-To:
References:
Message-ID:

On Fri, 29 May 2009, Mike McGrath wrote:

> This one's an oops, probably on me. I happened to notice proxy1 is an
> x86_64 box. We have two options.
>
> 1) double its ram
>
> 2) rebuild it as x86
>
> I'd prefer to do 2 since the release slipped again and we've generally got
> time for it. The concern is the boxes are tuned for i686 with 4G of ram
> and don't generally like to operate if either of those change.
>

Side note on this... it's late on a Friday. I'm not going to risk this
going wrong for the weekend so I'll be doing it on Monday if approved.

-Mike

From ricky at fedoraproject.org Fri May 29 21:32:59 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Fri, 29 May 2009 17:32:59 -0400
Subject: Change request - Proxy1 (x86_64)
In-Reply-To:
References:
Message-ID: <20090529213259.GC8119@alpha.rzhou.org>

On 2009-05-29 04:31:18 PM, Mike McGrath wrote:
> This one's an oops, probably on me. I happened to notice proxy1 is an
> x86_64 box. We have two options.
>
> 1) double its ram
>
> 2) rebuild it as x86
>
> I'd prefer to do 2 since the release slipped again and we've generally got
> time for it. The concern is the boxes are tuned for i686 with 4G of ram
> and don't generally like to operate if either of those change.

+1 to 2

Thanks,
Ricky

From lxtnow at gmail.com Fri May 29 21:37:20 2009
From: lxtnow at gmail.com (SmootherFrOgZ)
Date: Fri, 29 May 2009 23:37:20 +0200
Subject: Change request - Proxy1 (x86_64)
In-Reply-To:
References:
Message-ID: <62bc09df0905291437t424925b1kb96d2a35d1605151@mail.gmail.com>

On Fri, May 29, 2009 at 11:31 PM, Mike McGrath wrote:
> This one's an oops, probably on me. I happened to notice proxy1 is an
> x86_64 box. We have two options.
>
> 1) double its ram
>
> 2) rebuild it as x86
>
> I'd prefer to do 2 since the release slipped again and we've generally got
> time for it. The concern is the boxes are tuned for i686 with 4G of ram
> and don't generally like to operate if either of those change.
>

+1 for 1

--
Xavier.t Lamien
--
http://fedoraproject.org/wiki/XavierLamien
GPG-Key ID: F3903DEB
Fingerprint: 0F2A 7A17 0F1B 82EE FCBF 1F51 76B7 A28D F390 3DEB

From itamar at ispbrasil.com.br Fri May 29 21:45:32 2009
From: itamar at ispbrasil.com.br (Itamar Reis Peixoto)
Date: Fri, 29 May 2009 18:45:32 -0300
Subject: Change request - Proxy1 (x86_64)
In-Reply-To:
References:
Message-ID:

+1 for 1

On Fri, May 29, 2009 at 6:31 PM, Mike McGrath wrote:
> This one's an oops, probably on me. I happened to notice proxy1 is an
> x86_64 box. We have two options.
>
> 1) double its ram
>
> 2) rebuild it as x86
>
> I'd prefer to do 2 since the release slipped again and we've generally got
> time for it. The concern is the boxes are tuned for i686 with 4G of ram
> and don't generally like to operate if either of those change.
>
> -Mike
>

--
------------

Itamar Reis Peixoto

e-mail/msn: itamar at ispbrasil.com.br
sip: itamar at ispbrasil.com.br
skype: itamarjp
icq: 81053601
+55 11 4063 5033
+55 34 3221 8599

From mmcgrath at redhat.com Fri May 29 21:56:30 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Fri, 29 May 2009 16:56:30 -0500 (CDT)
Subject: Change request - Proxy1 (x86_64)
In-Reply-To:
References:
Message-ID:

On Fri, 29 May 2009, Itamar Reis Peixoto wrote:

> +1 for 1
>
>
> On Fri, May 29, 2009 at 6:31 PM, Mike McGrath wrote:
> > This one's an oops, probably on me. I happened to notice proxy1 is an
> > x86_64 box. We have two options.
> >
> > 1) double its ram
> >
> > 2) rebuild it as x86
> >
> > I'd prefer to do 2 since the release slipped again and we've generally got
> > time for it. The concern is the boxes are tuned for i686 with 4G of ram
> > and don't generally like to operate if either of those change.
> >

I should note that if we do 1) it'd only be until after the release at
which time 2 would be done.

-Mike

From a.badger at gmail.com Fri May 29 21:58:09 2009
From: a.badger at gmail.com (Toshio Kuratomi)
Date: Fri, 29 May 2009 14:58:09 -0700
Subject: Change request - Proxy1 (x86_64)
In-Reply-To: <20090529213259.GC8119@alpha.rzhou.org>
References: <20090529213259.GC8119@alpha.rzhou.org>
Message-ID: <4A205A71.4060608@gmail.com>

On 05/29/2009 02:32 PM, Ricky Zhou wrote:
> On 2009-05-29 04:31:18 PM, Mike McGrath wrote:
>> This one's an oops, probably on me. I happened to notice proxy1 is an
>> x86_64 box. We have two options.
>>
>> 1) double its ram
>>
>> 2) rebuild it as x86
>>
>> I'd prefer to do 2 since the release slipped again and we've generally got
>> time for it. The concern is the boxes are tuned for i686 with 4G of ram
>> and don't generally like to operate if either of those change.
> +1 to 2
>

+1 to 2

-Toshio

From a.badger at gmail.com Fri May 29 21:59:25 2009
From: a.badger at gmail.com (Toshio Kuratomi)
Date: Fri, 29 May 2009 14:59:25 -0700
Subject: haproxy update
In-Reply-To:
References:
Message-ID: <4A205ABD.80209@gmail.com>

On 05/29/2009 02:15 PM, Mike McGrath wrote:
> while I'm doing the httpd update, I'd like to update haproxy as well as
> there were a number of change fixes that would be good to have in place
> for the release:
>
> http://haproxy.1wt.eu/download/1.3/src/CHANGELOG-1.3.18.X
>
> 2+1's?
>

+1

-Toshio

From a.badger at gmail.com Fri May 29 21:59:49 2009
From: a.badger at gmail.com (Toshio Kuratomi)
Date: Fri, 29 May 2009 14:59:49 -0700
Subject: httpd update on servers
In-Reply-To:
References:
Message-ID: <4A205AD5.5060501@gmail.com>

On 05/29/2009 02:11 PM, Mike McGrath wrote:
> I'd like to update httpd on our web servers and proxy boxes.
>
> https://rhn.redhat.com/errata/RHSA-2009-1075.html
>
> 2+1's?
>

+1

-Toshio

From an037-ooai8 at yahoo.com Sat May 30 18:22:29 2009
From: an037-ooai8 at yahoo.com (Allen Kistler)
Date: Sat, 30 May 2009 13:22:29 -0500
Subject: Fedora 11 RC2 installation testing
In-Reply-To: <20090530160017.D31A461B219@hormel.redhat.com>
References: <20090530160017.D31A461B219@hormel.redhat.com>
Message-ID: <4A217965.3050705@yahoo.com>

Andre Robatino wrote in fedora-test-list:
> I have made available a deltaiso from the i386 Preview DVD ISO to the
> i386 RC2 ISO. It is 233945224 bytes (about 6-7% the size of the full
> ISO) with MD5 f0413ba9d23be4dd1778a06f35c80a43, and can be downloaded from
>
> http://www.yourfilelink.com/get.php?fid=497480
>
> ... To apply
> it, one needs to have the deltarpm package installed, and then run the
> command
>
> applydeltaiso Fedora-11-Preview-i386-DVD.iso
> Fedora-11-Preview_rc2-i386-DVD.diso Fedora-11-i386-DVD.iso
>
> ... Of
> course, one should check the sha256sum of the final ISO (listed in
> Fedora-11-i386-CHECKSUM as
> 07f1229ad5717d63d2e08d556b9221be71a825ad83b9090b4632bf7208189bf6)
>
> ... This was just done as a demonstration. ...

Hmm... Make the technology work *for* you. A novel idea.

Maybe the GA could be distributed the same way, like to mirrors and end users. It only works for places that already have the previous image (i.e., Preview in this case), but that's at least the testers.

Worth it?

From bashton at brennanashton.com Sun May 31 01:10:23 2009
From: bashton at brennanashton.com (Brennan Ashton)
Date: Sat, 30 May 2009 18:10:23 -0700
Subject: RFR: triageweb
In-Reply-To: <20090407052852.GC15860@sphe.res.cmu.edu>
References: <981da310904061137y917e57chb4a1cb73770e70b0@mail.gmail.com> <20090407052852.GC15860@sphe.res.cmu.edu>
Message-ID: <981da310905301810g48254945kc6ef0caffb80fbb8@mail.gmail.com>

2009/4/6 Ricky Zhou:
> On 2009-04-06 06:37:59 PM, Brennan Ashton wrote:
>> ==Project Info==
>> Project Name: TriageWeb
>> Target Audience: Bug Triagers, Developers, Quality Assurance. To some
>> extent this might include the general public, as a way to see how
>> fedora is managing bugs and developing.
>> Expiration/Delivery Date (Required): 06/06/2009
> I'd be happy to sponsor this - can somebody please approve bashton into
> sysadmin-test?
>
> Thanks,
> Ricky
>

The Bugzappers team would like to request the test time be extended
for another month as we continue to make changes and test the system.
Could the Expiration/Delivery Date be changed to July 6, 2009.

Thank You,
Brennan Ashton

From ricky at fedoraproject.org Sun May 31 01:22:46 2009
From: ricky at fedoraproject.org (Ricky Zhou)
Date: Sat, 30 May 2009 21:22:46 -0400
Subject: RFR: triageweb
In-Reply-To: <981da310905301810g48254945kc6ef0caffb80fbb8@mail.gmail.com>
References: <981da310904061137y917e57chb4a1cb73770e70b0@mail.gmail.com> <20090407052852.GC15860@sphe.res.cmu.edu> <981da310905301810g48254945kc6ef0caffb80fbb8@mail.gmail.com>
Message-ID: <20090531012246.GA5814@alpha.rzhou.org>

On 2009-05-30 06:10:23 PM, Brennan Ashton wrote:
> The Bugzappers team would like to request the test time be extended
> for another month as we continue to make changes and test the system.
> Could the Expiration/Delivery Date be changed to July 6, 2009.

Sure thing, we'll make sure to keep publictest14 available until then.

Thanks,
Ricky

From patelbhavin27 at gmail.com Sun May 31 21:05:08 2009
From: patelbhavin27 at gmail.com (Bhavinkumar patel)
Date: Sun, 31 May 2009 14:05:08 -0700
Subject: introduction again
Message-ID: <89fb7d600905311405l38c35a4cob079cedd5e1b729a@mail.gmail.com>

Hi,

I am doing MS in Network systems.

I have around 1 yr experience in network management company.

I know C, C++, Java, Perl. I also know web technologies related to web 2.0.

I would like to join the team of fedora system admin.

Please let me know if I have to do some extra steps.

Thanks,
--------------------------------
Bhavinkumar G Patel

From mmcgrath at redhat.com Sun May 31 21:11:37 2009
From: mmcgrath at redhat.com (Mike McGrath)
Date: Sun, 31 May 2009 16:11:37 -0500 (CDT)
Subject: introduction again
In-Reply-To: <89fb7d600905311405l38c35a4cob079cedd5e1b729a@mail.gmail.com>
References: <89fb7d600905311405l38c35a4cob079cedd5e1b729a@mail.gmail.com>
Message-ID:

On Sun, 31 May 2009, Bhavinkumar patel wrote:

> Hi,
>
> I am doing MS in Network systems.
>
> I have around 1 yr experience in network management company.
>
> I know C, C++, Java, Perl. I also know web technologies related to web 2.0.
>
> I would like to join the team of fedora system admin.
>
> Please let me know if I have to do some extra steps.
>

Ahh yes! You were asking about C/C++ a few months ago. One other link that
was put up recently included:

https://fedoraproject.org/wiki/ContributingCode

Which are all worth a look. The tricky part in Infrastructure is that we
have almost no C/C++, Java or perl that we use which makes it difficult for
us to find a place to use you, but that's not to say we can't. I'll think
on this some more and see if any others have additional ideas. In the
meantime though, give that link a look.

-Mike