When I try to create my profile I get this reply:
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request POST /wiki/UserPreferences.
Reason: Error reading from remote server
Apache/2.2.3 (Red Hat) Server at fedoraproject.org Port 80
We are currently experiencing an unplanned outage as of 2008-05-28 10:00 UTC
CVS / Source Control
Reason for Outage:
There appears to be a routing issue preventing outside hosts accessing the
machine that runs the CVS system used by Fedora Developers and the Docs Team.
We are currently in the process of isolating the issue but an ETA is not
available, and we apologise for any inconvenience.
Please join #fedora-admin in irc.freenode.net or respond to this email to track
the status of this outage.
On Sat, May 24, 2008 at 10:04 PM, Eugene Teo <eteo(a)redhat.com> wrote:
> Sankarshan Mukhopadhyay wrote:
>> With the new process for getting (and staying) on Planet Fedora in
>> place, how does it affect GSoC-ers ?
>> Do we have their blogs on the Planet ? And, do they get FedoraPeople.org
>> accounts ?
> Is it possible to waive the requirement that my mentee has to be
> sponsored to a group other than the CLA group? I remember there was
> discussion about syndicating our mentees' blogs to Planet Fedora?
I'm going to forward this to Seth Vidal, who is in charge of such
things, and the Fedora Infrastructure team.
Personally I think that the students/mentees will need access to the
wiki at some point or another. That can definitely count as a second
group. I've made it a point for my mentee to have a biography on the
wiki, and with the new wiki, it has its own group in FAS.
To actually put a blog on Planet Fedora, the mentees need to follow
the instructions Seth posted a few days ago.
They can be found here
Just doing some thinking ...
If we want to move our OpenID acceptance outside of Fedora's OpenID
server, we'll have a blocker with the CLA. AIUI, we need someone to
knowingly accept the CLA and have that tied to a Real Name and email
address in our database. Right?
However, OpenID could be a good way to get permissions to Talk: pages.
That is a great way to get feedback from drive-bys, the kind of people
who might take advantage of an OpenID to make a minor change on a
Content in Talk: could be treated procedurally as we do bug reports.
Maybe we can have a WikiLicense type of thing (FedoraProject:Copyrights
link enough?) for that? Either way, Talk: could be a discussion area,
cf. mailing lists and bugzilla, that may produce content. If someone
gives specific wording and we want to use it, and now or later modify
it, redistribute it, etc., it needs to be under the CLA and site
license. This is comparable to receiving a patch via bugzilla where the
contributor should include licensing text.
Karsten Wade, Sr. Developer Community Mgr.
Dev Fu : http://developer.redhatmagazine.com
Fedora : http://quaid.fedorapeople.org
gpg key : AD0E0C41
On Mon, May 26, 2008 at 3:01 AM, Karsten Wade <karstenwade(a)gmail.com> wrote:
>> It would be but I get the feeling that some aren't joining or aren't
>> allowed to because of google rules (I have no idea about either of
>> these, someone please correct me)
> Well, AIUI Google's whole point of getting the students connected
> months ago was so they could join the projects and so forth.
> If there are any students who haven't got their FAS account ... why? Etc.
> Google mainly wants the students to fit in with the project, under our
> own regular processes. Where they exert influence is in, for example,
> requiring the students to work on their own code and not be a team
> working on a module, etc. I presume this is mainly to let them tie
> expenditure to effort directly, without team effects.
This is more or less 'it' in a nutshell. There is one extra
requirement that they have a uploadable set of files, mainly for legal
reasons. That's pretty much all there is to it.
In my case, I've asked Pavel to email me patches for git. The
reasoning is that we'll have a log of emails complete with files that
can be tarballed and submitted to Google easily. I've asked him not
to ask for permission to participate in our git instance, although he
really does need to sign up for our trac. He also needs to be signed
up for the wiki, and a few mailing lists. His participation is
supposed to be the same as anyone else's with the notable exception of
the 'hgsmolt' group.
I'm probably not important enough that it warrants a full message, but
this is to inform you that I will be out of touch from May 26th 2008
through May 31st 2008. I will have limited access to internet and
email, and will be busy interacting with people in meatspace anyways.
If there are any major problems with Smolt, or anything else that
requires my attention, the best person to reach is probably Mike
Mike McGrath wrote:
> Please let us know if you have any questions or concerns. The wiki is
> such a critical piece of Fedora's infrastructure we want to make sure that
> after the migration it and everyone gets up to speed as quickly as
> possible. Happy wiki-ing!
Answering on this list because it just seems more appropriate:
Assuming I should be editing at http://fp.o/wikinew/ (which I got from
#fedora-admin and didn't find in the announcement mail -maybe worth a
On the Main_Page (or any other page -that does not yet exist?-), the
link to "edit this page" links to:
The Edit link on top of existing pages goes well though.
Jeroen van Meeuwen
Just FYI I'll be quite busy the next few days, couple of reasons:
b) -EBADHARDWARE - RAM is giving me nightmares on my desktop, so I'll be
spending a bit of time trying to get that going
I *should* be able to still look after my packages and I'll be
infrequently checking my dev e-mail & IRC, if anything urgent comes up,
you can always try to catch me on my normal e-mail address nigel(a)nigelj.com.
I'll be back around 0000 28th May UTC
Let's get this topic started. We've had a lot of requests to have fas
authentication with third party groups (both nirik and dgilmore have
requested such setups).
We can easily set things up so that public keys can be used. I still
have grave security concerns about this though. The obvious fear is
compromise of a third party box that allows an unauthorized person to
then access our production servers.
The reality is this isn't much different from having an individual
contributor's machine get hacked and having them then log in to one of our
boxes (this has happened once that I am aware of). The main difference
though is how to target.
Let's assume an attacker wants to commit something bad to our servers.
If they wanted to do it as me, they'd have to attack my workstation and
somehow gain root access on the box. At that point they'd be able to take
my keys or agent. A difficult task.
Now let's say that one of our third party machines is allowing people to
build via mock for PPC (this is one real request). That third party box
has the SSH keys of a number of people, let's say one of them is
sysadmin-main. The attacker would need to merely create an fas account,
request access to the group that gives access to that machine and they'd
be able to take the ssh keys as people log in.
Now, I've never actually done this. It's just my understanding that it'd
work that way. If you had root on a box and I sshed there with my ssh
key, would you not have access to take the key and log in to other boxes
So my question is, is this a real risk or is there a precaution in SSH
preventing the attack I'm describing (basically a man in the middle type
I can think of a number of options to prevent this but I'm curious what
the rest of you think.
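
Added example, not part of the original message or of Fedora's tooling: in public-key authentication the private key file is not sent to the server, so the exposure on a third-party box comes from a forwarded agent, which root there can use for as long as the session lasts. The sketch below works out, from an OpenSSH client config, which hosts would get a forwarded agent; the host names, the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample client config (not from the original message); the host
# names are placeholders.
SAMPLE_CONFIG = """\
Host bastion.example.org
    ForwardAgent yes

Host ppc-build.thirdparty.example.org
    User builder

Host *.thirdparty.example.org !sparc.thirdparty.example.org
    ForwardAgent no

Host *
    ForwardAgent yes
"""


def _pattern_regex(pattern):
    """ssh_config host patterns support only the '*' and '?' wildcards."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(body + r"\Z", re.IGNORECASE)


def host_matches(patterns, host):
    """True if a 'Host' line with these patterns applies to host."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            # A matching negated pattern disables the whole Host block.
            if _pattern_regex(pattern[1:]).match(host):
                return False
        elif _pattern_regex(pattern).match(host):
            matched = True
    return matched


def effective_forward_agent(config_text, host):
    """Return True if the config enables agent forwarding for host.

    OpenSSH uses the first value obtained for each option, so the scan stops
    at the first applicable ForwardAgent line. Match and Include are not
    evaluated in this sketch; `ssh -G <host>` prints the authoritative result.
    """
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(arg.split(), host)
        elif keyword == "match":
            active = False  # not evaluated here (see docstring)
        elif keyword == "forwardagent" and active:
            # Anything other than "no" (yes, or an agent socket path) enables it.
            return arg.strip('"').lower() != "no"
    return False  # OpenSSH default: no agent forwarding


def untrusted_forwarding(config_text, hosts, trusted):
    """Hosts outside the trusted set that would receive a forwarded agent."""
    return [h for h in hosts
            if h not in trusted and effective_forward_agent(config_text, h)]


if __name__ == "__main__":
    hosts = ["bastion.example.org", "ppc-build.thirdparty.example.org",
             "sparc.thirdparty.example.org"]
    print(untrusted_forwarding(SAMPLE_CONFIG, hosts, {"bastion.example.org"}))
```

In the sample, the host excluded with `!` from the `ForwardAgent no` block falls through to the `Host *` default and ends up with forwarding enabled, which is the kind of gap this check is meant to surface.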
07:57 < dgilmore> mmcgrath: show time?
07:58 < mmcgrath> yep
07:58 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- Who's Here?
07:58 < ivazquez> Pong.
07:58 * ianweller
07:59 < mmcgrath> so who's all here?
07:59 * dgilmore is here
07:59 * skvidal is
07:59 < G> me
07:59 * mmcgrath lets people roll in
07:59 * ricky
07:59 * nirik is off in the spectator seats.
08:00 < jcollie> hello
08:00 * f13
08:01 < mmcgrath> Allrighty, lets get started
08:01 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- Open Tickets
08:01 < mmcgrath> .tiny
08:01 < zodbot> mmcgrath: http://tinyurl.com/2hyyz6
08:01 < mmcgrath> .ticket 395
08:01 < zodbot> mmcgrath: #395 (Audio Streaming of Fedora Board
Conference Calls) - Fedora Infrastructure - Trac -
08:01 < mmcgrath> jcollie: any news ?
08:02 < jcollie> not really
08:02 < mmcgrath> k, next ticket
08:02 < mmcgrath> .ticket 398
08:02 < zodbot> mmcgrath: #398 (elfutils `monotone' (mtn) error) -
Fedora Infrastructure - Trac -
08:02 < mmcgrath> abadger1999: jcollie: anything there?
08:02 < jcollie> nope
08:02 < abadger1999> nope
08:02 < abadger1999> It's all roland for now.
08:02 < mmcgrath> k
08:02 < mmcgrath> .ticket 446
08:02 < zodbot> mmcgrath: #446 (Possibility to add external links on
spins page) - Fedora Infrastructure - Trac -
08:02 < mmcgrath> dgilmore: any news?
08:03 * dgilmore notes that he sucks
08:03 < mmcgrath> hah, no news then?
08:04 < mmcgrath> .ticket 547
08:04 < zodbot> mmcgrath: #547 (Koji DB Server as postgres 8.3) - Fedora
Infrastructure - Trac -
08:04 < mmcgrath> abadger1999: so we're going to package this but we
didn't really get any farther then that.
08:04 < abadger1999> mmcgrath: Right. It's packaged and in the fi-repo now.
08:04 < abadger1999> F-9 versions.
08:04 < dgilmore> abadger1999: is this weekend too soon to roll out
08:05 < dgilmore> abadger1999: just thinking we can piggy back on the fsck
08:05 < abadger1999> I thought we were going to wait for the dedicated
koji db server?
08:05 < jcollie> fsck is going take almost 24hrs anyway
08:05 < dgilmore> we can do that also
08:05 < abadger1999> We could deploy now... just saying that was my
08:06 < mmcgrath> yeah, lets just wait for the new server.
08:06 < mmcgrath> That way we can call an outage, try to migrate. if it
fails, we can just turn db2 back on. no harm no foul
08:06 < abadger1999> <nod> Makes sense to me
08:06 < dgilmore> having done a conversion from 8.1 to 8.3 it was
08:06 < mmcgrath> we can do it this weekend but I won't be around much
08:07 < mbonnet> the dump/restore will take a significant amount of time
08:07 * abadger1999 likes having an escape option
08:07 < dgilmore> mbonnet: which is why i suggested during the 24 hr
window for the fsck
08:08 < dgilmore> but im with abadger1999
08:08 < abadger1999> <nod> Do we know how long the backup currently
takes on the koji db?
08:08 < dgilmore> we do 4 a day
08:08 < dgilmore> restore will take longer i think
08:08 < mmcgrath> abadger1999: the backups don't take long, the restores
take a very long time though. I'm not sure how long though.
08:08 < abadger1999> yeah.
08:09 < mmcgrath> its the indexes
08:09 < mmcgrath> abadger1999: to give you an idea, the backup is 4.1G,
the database is 61G.
08:10 < abadger1999> <nod>
08:10 < mmcgrath> anywho. I'll leave that up to you tosho when you want
to do it. It'd be nice to do a trial run first and import of all the
production data to know what issues we'll run into.
08:11 < mmcgrath> anything else on that? If not we'll move on.
08:11 < abadger1999> k. For the real thing I say wait for the koji db
08:11 < abadger1999> Nope, no more.
08:11 < mmcgrath> k
08:11 < mmcgrath> next item
08:11 < G> yeah, kind of makes sense
08:11 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- The Wiki Migration
08:11 * ricky must go now :-(
08:11 < mmcgrath> So the new wiki will be in place on Friday (most of it)
08:11 < mmcgrath> ricky: later!
08:11 < ianweller> woo, my subject. :D
08:12 < ianweller> ricky: cya
08:12 < mmcgrath> we're officialy doing the switchover on Tuesday.
08:12 * dgilmore hopes he can continue to use moin syntax
08:12 < ianweller> i've had enough with moin syntax :/
08:12 < mmcgrath> the idea is we'll do the main mass import on friday,
go through, fix up, test, etc. Then just re-import the pages that have
changed in moin.
08:12 * lmacken wants LaTeX syntax by default ;)
08:12 < mmcgrath> This will consume almost all of my time starting two
days ago until Tuesday.
08:13 < ianweller> same here
08:13 < mmcgrath> ianweller and ricky have also been hard at work but if
_any_ of you have free time we can use additional hands and eyes on this.
08:13 < mmcgrath> in testing, verifying, etc.
08:13 < mmcgrath> We're in good shape but there's a couple of hangups
08:13 < mmcgrath> 1) auth
08:13 < mmcgrath> and 2) auth -> email mapping.
08:13 < mmcgrath> beyond that I don't think there's any blockers.
08:13 < jcollie> brb
08:14 < mmcgrath> A reminder, you won't be able to do regex watchlists
anymore. (thats a design choice and one of the reaons Moin was so slow
on page saves)
08:14 < ianweller> tomorrow after the main mass import my first priority
is to fix up the WikiEditing page
08:14 < mmcgrath> s/slow/expensive/
08:14 < mmcgrath> but you should (if we get the extension configured in
time) be able to watch /wiki/Docs/* for example.
08:15 < mmcgrath> This is going to be painful for about the first month
I suspect. After that we'll all be glad we switched.
08:15 < mmcgrath> Does anyone have any questions or comments about the wiki?
08:15 < mmcgrath> Anyone want to volunteer some time?
08:15 * ianweller
08:15 < mmcgrath> oh! G's also been mega helpful in this too.
08:15 < mmcgrath> as has smooge
08:15 < dgilmore> mmcgrath: what do we have as the backend/frontend setup?
08:15 < ianweller> mediawiki allows spaces in page names.
08:15 < mmcgrath> dgilmore: backend is going to be db1, frontend is
going to be app[1-2]
08:16 < smooge> ?
08:16 < mmcgrath> well the append
08:16 < mmcgrath> smooge: talking about mediawiki :-P
08:16 < G> mmcgrath: I might be able to help on Tuesday, but it'll be a
08:16 < mmcgrath> to start we won't be deploying any caching abilities
of mediawiki. I want to make sure to get a baseline.
08:16 < mmcgrath> G: thanks.
08:17 < mmcgrath> Anyone have anything else to discuss there?
08:17 < mmcgrath> k, next item
08:17 < smooge> ah ok.
08:17 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- 3rd party machine auth.
08:18 < mmcgrath> this is on the infrastructure list right now
08:18 < mmcgrath> nirik: ping (see topic)
08:18 < nirik> you rang?
08:18 < mmcgrath> What do y'all think? I want to be able to provide
this but I need to do it in a way that won't get me fired.
08:18 * nirik doesn't want to cause any security problems... but it
would be nice to have.
08:19 < nirik> I need ssh pub keys & logins I guess... no password auth.
08:19 < mmcgrath> nirik: and its a service we'd like to be able to provide.
08:19 < G> this is where something like two facter authentication would
08:19 < mmcgrath> does anyone think this is a service we should not provide?
08:20 < G> oh I really do think it's something we should provide
08:20 < mmcgrath> G: indeed, I'd like to do that but right now I'm
-ENOTIME unless someone else wants to pick up the job.
08:20 * ianweller is reading the list archive
08:21 < nirik> G: which 2 factors? ssh key + openid or something?
08:21 * dgilmore thinks we should provide it.
08:21 < ianweller> is the subject 'FAS and public Key auth'?
08:21 < G> if you were to do something like what the banks use (two
facter auth) you have something *you* know and something you *don't* know
08:21 < dgilmore> but im biased as im one of those wanting it
08:21 < mmcgrath> Yeah, i don't think anyone is against providing it,
the question now is how to do it properly.
08:21 < mmcgrath> G: yeah, and we have a couple of options there.
08:21 < G> shouldn't be too hard to implement inside fedora, you could
have a pam_fas plugin or something to manage the something you don't
08:22 < G> login to fas, bam there is the one use token that you can use
to login to the core machines w/ your public key
08:23 < nirik> well, I thought 2 factor is more: something you know +
something you have... (cell/secureid fob, etc), but ok.
08:23 < wfp> To make it worth doing, doesn't 2 factor auth need
something like a hardware crypto card?
08:23 < G> wfp: not really
08:23 < mmcgrath> wfp: that makes it much more secure, but there are
levels of security between singlefactor and two factor w/ hardware key.
08:24 < nirik> if we have * and cell phone numbers we could use that...
"call from fedora account system, do you auth this, press 1"
08:24 < G> nirik: that sounds costly :)
08:24 < ivazquez> There's PhoneFactor, but I don't think they work
08:24 < ianweller> nirik: G: myopenid.com does that.
08:24 < G> get a SMS gateway to sponsor text messages
08:24 < ianweller> G: costly to the end user
08:24 < G> ianweller: ohhh okay
08:24 * dgilmore just wants to easily give fedora community access to a
sparc box for doing mock builds
08:25 * dgilmore really doesnt care how its achieved
08:25 * nirik just wants to give fedora community acces to ppc and
x86_64 boxes for mockbuilds and debugging.
08:25 < dgilmore> mmcgrath: ill bring you a sparc box to put into phx :)
08:25 < G> I agree, we should provide it for those exact reasons (didn't
I mention this in my F10 wishlist? :P)
08:26 < mmcgrath> Lets think on this for another week or so and talk
about it at the next meeting as well.
08:26 < nirik> I can also think of more fun stuff down the road... on
demand test virtuals, access to archive of rawhide daily installs, etc.
08:28 < G> exactly, Debian offer Developer (equiv to our cvsextras)
access to donated boxes for testing w/ chroots, bugfixing etc
08:28 < mmcgrath> alrighty then, beyond that I've got nothing else.
08:28 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrastructure -- Open Floor
08:28 < mmcgrath> Who's got something they want to discuss?
08:28 < lmacken> SELinux!
08:28 < mmcgrath> lmacken: have at it.
08:28 < lmacken> I sat down with Dan Walsh today, and we tackled the
SELinux issues around bastion, app1, and proxy1.
08:28 < lmacken> .ticket 230
08:28 < zodbot> lmacken: #230 (SELinux Deployment) - Fedora
Infrastructure - Trac -
08:28 < lmacken> see the ticket for more details :)
08:28 < lmacken> progress is being made
08:29 < mmcgrath> if only we can get Dan to sit down with everyone who
wants to use selinux :)
08:29 < lmacken> seriously
08:29 < mmcgrath> lmacken: how bad of shape are we in?
08:29 < lmacken> mmcgrath: well, we've got a lot of custom apps, running
in a lot of custom locations.
08:29 < lmacken> which is easily fixable from an selinux standpoint
08:29 < lmacken> but puppet..
08:29 < lmacken> that's were we need the changes
08:30 < mmcgrath> lmacken: how does selinux work with the satellite
08:30 < lmacken> Brett Lentz (wakko666) has been doing a great job of
pushing the selinux patch and unit test to puppet upstream
08:30 < lmacken> mmcgrath: No clue whatesover
08:31 < mmcgrath> <nod>
08:31 < lmacken> dwalsh is pretty determined to get our infrastructure
working 100% with SELinux by F10
08:31 < dgilmore> lmacken: builders will need alot of work
08:31 < ivazquez> What a coup that would be for SELinux.
08:31 < mmcgrath> lmacken: now with selinux and puppet are you talking
about deploying selinux policies via puppet? Or actually what puppet
does when deploying configs is causing selinux issues?
08:31 < lmacken> dgilmore: yes, but a lot of that is being done right
now by Eric Paris, with the mock/livecd-creator stuff, right ?
08:31 < dgilmore> lmacken: not really
08:32 < dgilmore> lmacken: simmiliar but different
08:32 < lmacken> mmcgrath: deploy custom policies, booleans, and
contexts with puppet.. and also making puppet smart when creating new files
08:33 < mmcgrath> solid.
08:33 < mmcgrath> well, baby steps I guess :)
08:33 < lmacken> indeed. I'm meeting with dan again next week. I'll
keep that ticket up to date with our progress
08:33 < mmcgrath> solid.
08:34 < mmcgrath> lmacken: are you or dan going to hold some training
sessions for the rest of our team?
08:34 < lmacken> mmcgrath: yeah, we'll make sure it's well documented
and people know how to use it
08:34 < mmcgrath> solid.
08:35 < mmcgrath> anything else on selinux?
08:35 < lmacken> nada
08:35 < abadger1999> lmacken: You might want to look at app2 as well
08:35 < abadger1999> app1 is the one app server not running all of our
08:35 < mmcgrath> solid
08:36 < mmcgrath> anyone have anything else they'd like to discuss?
08:36 < lmacken> abadger1999: yep, we'll get there :) we just wanted to
hit a few different types of machines today to get a good high-level
idea of what we're dealing with
08:36 < G> The voting app is near readiness
08:36 < abadger1999> Yeah, you're doing really great work on that!
08:36 < G> Hopefully I'll have something ready for testing with the
masses in a day or two
08:37 < mmcgrath> G: you've got everything you need to put togther a
public test of it for everyone right?
08:37 < G> I've got an RPM ready, but I spotted something wack with the
URLs etc but hopefully get that fixed today
08:38 < ivazquez> Although not quite FI-specific, do we have the new
planet up somewhere?
08:38 < G> mmcgrath: all I really need to create a dummy fas login, so I
don't expose a real user login on pt10 and a new group in the main fas
08:38 < G> but yeah, I'll do a test deploy today on pt10 and see what
08:38 < mmcgrath> ivazquez: the new planet? Like what skvidal has been
08:38 < mmcgrath> G: solid
08:38 < skvidal> ivazquez: call be slartibartifast!
08:39 < ivazquez> Yes.
08:39 < ianweller> hey now. slartibartfast is my computer's host name.
08:39 < ianweller> that would get confusing for me :/
08:39 < ianweller> ;)
08:39 < skvidal> ivazquez: we still only have 78 people in the .planet files
08:39 < G> if anyone wants to, the new group is currently meant to be
08:39 < skvidal> and 230 in the existing planet
08:39 < dgilmore> skvidal: im sorry i suck and have not done it yet
08:39 < ivazquez> Well, it would still be nice if the 78 people could
make sure that their feeds work :P
08:39 < G> skvidal: thats a third, the rest will fall in line when they
suddenly disappear :)
08:40 < skvidal> ivazquez: agreed
08:40 < ivazquez> Plus it might get some others in gear when they see it
08:40 < ianweller> skvidal: if you need help with pinging individual
people, i'm up for it after the wiki switch ;)
08:40 < skvidal> ianm: nah
08:40 < skvidal> err ianweller nah
08:40 < iWolf> mmcgrath: re, the wiki, has any PHP hardening been done
08:40 < skvidal> ivazquez: agreed - but it's only been a week - so I
didn't want piss off everyone :)
08:40 < G> abadger1999: btw, thanks
08:40 < ivazquez> A week is Forever in Fedora time.
08:41 * skvidal rolls his eyes
08:41 < ivazquez> Heh.
08:41 < ianweller> so it takes 26 forevers for each fedora release? ;)
08:41 < mmcgrath> iWolf: we have mod_security mildly deployed. Beyond
that though no. Needs someone with time and experience to do it, I only
have the latter at the moment.
08:41 < jcollie> ianweller: sometimes it seems like it
08:42 < abadger1999> G: For what? You've been doing all the work :-)
08:42 < iWolf> mmcgrath: understood.
08:42 < G> abadger1999: I was saying thanks for your comment :)
08:42 < ianweller> mediawiki is pretty secure (lots of testing), not so
sure about the extensions though
08:42 < ianweller> the more extensions you have, the more potential
holes you have.
08:43 < iWolf> mmcgrath: does one just need sysadmin-test to access the
current wiki server php config?
08:43 < mmcgrath> iWolf: yes.
08:43 < mmcgrath> iWolf: We've got multiple deploys of it going, if you
want your own you're encouraged to install one :)
08:43 < iWolf> mmcgrath: :)
08:43 * ianweller has one at /w-ian/
08:44 < ianweller> that's where he's writing his IRCLog extension for
08:44 < mmcgrath> we've got like 5 or 6 wiki's I think :)
08:44 < ianweller> something like that
08:45 < mmcgrath> Ok, well talks seem to have calmed down a bit. If no
one has anything else we'll close a little early this week. I'll give it 30
08:46 < G> yeah, I have nothing more
08:46 < mmcgrath> 15
08:46 < mmcgrath> 5
08:46 -!- mmcgrath changed the topic of #fedora-meeting to:
Infrasturcture -- Meeting End
08:46 < mmcgrath> Thanks for coming everyone!
08:46 < G> I'll sort out the log
08:47 -!- giallu [n=giallu(a)81-174-9-190.dynamic.ngi.it] has joined
08:47 -!- mmcgrath changed the topic of #fedora-meeting to: Channel is
used by various Fedora groups and committees for their regular meetings
| Note that meetings often get logged | For questions about using Fedora
please ask in #fedora | See