February 2019 - Arch-devops - lists.archlinux.org

Re: [arch-devops] [arch-dev-public] Uploading old packages on archive.org (Was: Archive cleanup)
by Florian Pritz 04 Mar '19

04 Mar '19

Hi Baptiste, On Thu, Jun 14, 2018 at 10:28:17AM +0200, Florian Pritz via arch-dev-public <arch-dev-public(a)archlinux.org> wrote: > On 10.06.2018 01:35, Baptiste Jonglez wrote: > > Archival of all packages between September 2013 and December 2016 is finished: > > > > https://archive.org/details/archlinuxarchive > > > > Here is some documentation on this "Historical Archive" hosted on archive.org: > > > > https://wiki.archlinux.org/index.php/Arch_Linux_Archive#Historical_Archive So the archive is still growing and we'll need to clean it up again soonish. Where do you have the archive.org uploader and is it in a state where we (devops team) can also easily use it? If not, could you help us getting it to that point? We also have an archive cleanup script here[1]. Maybe the uploader can be integrated there? I don't know how complicated it is. [1] https://github.com/archlinux/archivetools/blob/master/archive-cleaner Florian

2 6

[arch-devops] forum migration
by Jelle van der Waa 25 Feb '19

25 Feb '19

Hi all, >From what I've heard is that the forum ansible role is mostly done, can we keep this migration moving? What's currently holding it back? Also to which server do we move the forums? Greetings, Jelle

7 12

[arch-devops] security@archlinux.org address
by Jelle van der Waa 19 Feb '19

19 Feb '19

For security(a)archlinux.org the Security Team wants to setup a way for reporters to securely mail encrypted issues to our email address. To limit the bus factor we want to send those emails to multiple receivers and then handle and/or forward the information appropriately. Schleuder providers an solution to this issue by decryping the sent email and re-encrypting it to the Arch Security team members. Since this requires a GPG key to be on the server, we want to implement this securely and hook up a nitrokey pro 2 to a separate Hetzner dedicated server. This server serves the sole purpose of hosting the security mail address. Installing by Hetzner costs 18 euro’s (excl. VAT). Options: * Cheapest Hetzner server 34 euro / month and 40 euro setup fees. * Hetzner auction server ~ 25 / month and no setup fees. * Different dedicated server hoster which allows custom usb devices. Benefits: * Key can’t be recovered by an attacker who has access to the server. * Receivers don’t need a shared private key but only their own. * Separate server so no other software can influence/impact. Downsides: Downsides: * Nitrokey is out of our control, but we trust Hetzner already (ie. they could easily hook up a malicious USB/BMC device already and gain root privileges). * Server dies, the Nitrokey has to be moved to the new server. Questions: * How to update the key, handle key expiration? * Do we backup the key? Let someone have a separate nitrokey? Setup: * Levente (anthraxx) volunteered to aquire, setup key (+revocation) and get it to Hetzner. -- Jelle van der Waa

9 12

[arch-devops] planet.archlinux.org future
by Jelle van der Waa 10 Feb '19

10 Feb '19

Hi All, Last night I made a poor attempt at porting planet.archlinux.org to Python3, as it's the last Python 2 only application in our infra (I hope?). Running 2to3 did no miracles, since the code is extremely badly written and also includes old vendored dependencies. The actual software which powers this feed aggregator website is dead since 2006. [1] This leaves us with a few options: * Blindly ignore and keep using Python2 * Port the code, this will be painful and you'll discover that out of the 3000 loc we need ~ 10%? * Switch to an alternative, there are a few and I haven't checked at how nice they are but I've found. [2] [3] [4] * Write something yourself, it shouldn't be that hard to write a simple (secure) planet feed aggregator. All it has to do is, @nightly fetch all rss keep some state, generate HTML. I've checked the situation in Debian and they also seem to use "planet Venus". So we could contact what their plans are :-) [5] [1] https://en.wikipedia.org/wiki/Planet_(software) [2] http://feedreader.github.io [3] https://github.com/toolness/planet-badges [4] https://pypi.org/project/pelican-planet/ [5] https://packages.debian.org/jessie/planet-venus

2 1

[arch-devops] Archweb migration
by Jelle van der Waa 08 Feb '19

08 Feb '19

Hi All, Tommorow night (CET) I will update archweb (archlinux.org) to Python 3. We've already tested it on a staging server and it seems to work well so tommorow I'll update it on our main server. This will mean that archlinux.org will be unavailabe for ~ 30 minutes since the upgrade requires some manual work with removing and creating a new virtualenv. -- Jelle van der Waa

1 1

[arch-devops] Secure PGP key on our servers
by Jelle van der Waa 06 Feb '19

06 Feb '19

Hi all, The security team wants to setup a secure security(a)archlinux.org address with schleuder which decrypts an encrypted mail and re-encrypts it to recipients of this address. We would like to use a PGP token for it, so I've contacted Hetzner about the option to install it. If it can't happen in Hetzner, we'll have to discuss a new solution. [1] [1] https://kanboard.archlinux.org/project/1/task/98 -- Jelle van der Waa

1 0