TPA issues
Feed: https://gitlab.torproject.org/groups/tpo/tpa/-/issues
Updated: 2024-03-25T20:15:38Z

Issue: evaluate impact of Let's Encrypt chain shortening
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41563
Author: anarcat, updated 2024-03-25T20:15:38Z
In [this article from July 2023](https://letsencrypt.org/2023/07/10/cross-sign-expiration.html), Let's Encrypt mentioned the cross-sign with IdenTrust will stop working in September 2024.
Their timeline is this:
> - On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.
> - On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.
> - On Monday, September 30th, 2024, the cross-signed certificate will expire. This should be a non-event for most people, as any client breakages should have occurred over the preceding six months.
So part of the transition has already happened, with a reduced chain for most certificates issued. This should already have impacted us.
We need to see what other impacts that has for us. In #32351, we've been hesitant at performing cipher changes for backwards compatibility concerns. According to [this graph](https://gs.statcounter.com/android-version-market-share/mobile-tablet/worldwide/#monthly-202302-202402-bar), we're talking about 5% of Android users affected here, for example. The [compatibility page](https://letsencrypt.org/docs/certificate-compatibility/) has a more detailed breakdown.
So basically the task is to evaluate the above table and see if we need to do anything special to any of our services.
Due date: 2024-04-25

Issue: Cannot open any ticket "Server Error (500)".
URL: https://gitlab.torproject.org/tpo/tpa/anon_ticket/-/issues/66
Author: cypherpunks, updated 2024-03-27T00:04:15Z
Same problem as in tickets #61 and #63 (should merge them, along with this one). I can confirm that this problem has existed for at least 3 months.
As such it is impossible to comment and give feedback on any ticket through the anon system.
Tested 4 projects (anon, TBO, core) and none of the tickets I clicked showed as an anon user. The gitlab link works correctly.
It does not matter if you reach the ticket from search or list, the error is the same, as the ticket link is the same.
Nor does it matter if it was created by you, another anon, or a normal gitlab user. Also tested a different Anonymous Identifier.
Example link with error 500, using a random Anonymous Identifier to include publicly in this ticket:
https://anonticket.onionize.space/user/vehicular-renegade-uncommon-tyke-mower-imprint/projects/snowflake/issues/40347/details/1/
If more info is requested, I will create more tickets.

Issue: order and setup new backup server (bungei 2 AKA bacula-storage-02)
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41557
Author: anarcat, updated 2024-03-28T12:44:38Z
The new backup server (#41364) has been approved.
@lavamind can you settle the specs, and order the box? i'm happy to review and approve the hardware if you don't feel fully confident, of course...
i also put the server setup in this issue, but we can also spin that out in a separate one if we want to... one thing that's for sure is we want to move to barman for the psql backups (#40950), but one ... uh... problem with that approach is that we actually want cross-backups, so, technically, we *can't* actually deploy *that* on the new server ... oops?
so maybe we need to move other psql databases and we'll have to resize the partition anyways? urghl.
thanks!
Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue: Add to the README what implies `provisioned` dashboards
URL: https://gitlab.torproject.org/tpo/tpa/grafana-dashboards/-/issues/2
Author: juga, updated 2024-03-06T10:37:11Z
One thing to add is that the dashboard needs to have the tag `provisioned` to pass the CI (`check.py`).
Another thing i realized only when the dashboard was added in this repo and deployed, is that it can't be modified nor deleted via GUI. I guess it can only be modified via this repo.
This isn't a problem in principle, but i wonder whether the dashboard could still be modifiable via GUI (to check new changes before adding them to this repo) and just be advised that puppet/whatever will overwrite your GUI changes at some point (how often). Maybe this is something to discuss too at tpo/tpa/team#41312.
In any case, it would be great to advise that the dashboard added here can only be modified here.
/cc @gk

Issue: https link of comments at my user page on onion site cause the "Unable to connect" error
URL: https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/152
Author: snowflake_user_40314, updated 2024-03-13T00:05:25Z
Reproduce step: on the onion site of this GitLab instance, click my avatar and click "Commented on issue #xxx".

Issue: Encrypt confidential emails
URL: https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/151
Author: micah <micah@torproject.org>, updated 2024-03-06T18:30:32Z
Now that [confidential issue emails are not sent in the clear](https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/23) it might be interesting to consider what it would take to modify the current process so that it sent encrypted emails with the actual contents of the issue, if possible.
We could modify the python script that was deployed to redact the message to add a few additional steps: query the gitlab API (requires a personal access token) to look up a user's ID, and then look up that ID's OpenPGP key. If they have one set, then encrypt the mail to them, and if they do not, then do what we do now (send the "This issue is confidential and the contents of the message have been redacted." message).
It's actually quite easy to get the public key of a user via the API, if you know their email address. To figure out how, I wrote this script that will spit out the OpenPGP key of any email in gitlab *as long as the user's email is public*:
```python
import argparse
import requests
import sys

GITLAB_API_URL = 'https://gitlab.torproject.org/api/v4'
GITLAB_PRIVATE_TOKEN = '<redacted>'


def get_user_id(email):
    """Fetch the GitLab user ID based on the email address."""
    headers = {'Private-Token': GITLAB_PRIVATE_TOKEN}
    try:
        # params= lets requests URL-encode the address instead of pasting it into the query string
        response = requests.get(f"{GITLAB_API_URL}/users", params={'search': email}, headers=headers)
        response.raise_for_status()  # Raises an HTTPError if the response code was unsuccessful
        users = response.json()
        if not users:
            print(f"API returned no users for email: {email}")
            return None
        return users[0]['id']
    except requests.exceptions.HTTPError as e:
        print(f"HTTPError: {e.response.status_code} {e.response.reason}")
    except requests.exceptions.RequestException as e:
        print(f"RequestException: {e}")
    return None


def get_user_gpg_keys(user_id):
    """Fetch the GPG keys associated with a GitLab user ID."""
    headers = {'Private-Token': GITLAB_PRIVATE_TOKEN}
    try:
        response = requests.get(f"{GITLAB_API_URL}/users/{user_id}/gpg_keys", headers=headers)
        response.raise_for_status()
        return response.json()
    except requests.exceptions.HTTPError as e:
        print(f"HTTPError: {e.response.status_code} {e.response.reason}")
    except requests.exceptions.RequestException as e:
        print(f"RequestException: {e}")
    return []


def main():
    parser = argparse.ArgumentParser(description='Fetch a GitLab user\'s GPG key by email address.')
    parser.add_argument('email', type=str, help='The email address of the user to search for.')
    args = parser.parse_args()
    user_id = get_user_id(args.email)
    if not user_id:
        sys.exit("Exiting: No user found or error occurred.")
    gpg_keys = get_user_gpg_keys(user_id)
    if not gpg_keys:
        print(f"No GPG keys found for user with ID {user_id}")
        return
    for key in gpg_keys:
        print(key['key'])


if __name__ == "__main__":
    main()
```
Considering that this is how you would pull the key from the API endpoint, you could imagine modifying the existing deployed script to incorporate it. Here is some *untested*, somewhat pseudo-code modification of the currently deployed script. Because I can't test this, there are some obvious things that are wrong, but the basic idea is there:
```python
#!/usr/bin/python3 -X utf8
import argparse
from email.parser import Parser
import email.policy
import logging
import quopri
from typing import TextIO
import subprocess
import sys
import requests
import gnupg

gpg = gnupg.GPG(gnupghome='/path/to/.gnupg')
gitlab_api_url = 'https://gitlab.torproject.org/api/v4'
gitlab_private_token = 'private access token'


def get_user_gpg_key(email):
    """Fetch the user's GPG key from the GitLab API, or None if there is none."""
    headers = {'Private-Token': gitlab_private_token}
    # params= lets requests URL-encode the address (e.g. a "+" in the local part)
    users = requests.get(f"{gitlab_api_url}/users", params={'search': email}, headers=headers).json()
    if not users:
        return None
    user_id = users[0]['id']
    keys = requests.get(f"{gitlab_api_url}/users/{user_id}/gpg_keys", headers=headers).json()
    if not keys:
        return None
    return keys[0]['key']


def encrypt_message(message, gpg_key):
    """Encrypt the message to the provided (ASCII-armored) GPG key."""
    imported_key = gpg.import_keys(gpg_key)
    encrypted_data = gpg.encrypt(message, imported_key.fingerprints[0], always_trust=True)
    if not encrypted_data.ok:
        raise RuntimeError(f"GPG encryption failed: {encrypted_data.status}")
    return str(encrypted_data)


def main():
    logging.basicConfig(level="INFO", format="%(levelname)s: %(message)s")
    parser = argparse.ArgumentParser()
    parser.add_argument("--stdout", action="store_true", help="send the email to stdout instead of sendmail(1)")
    parser.add_argument("--from", "-f", dest="sender", help="sender address")
    parser.add_argument("recipients", nargs="+", help="recipient address(es)")
    args = parser.parse_args()
    email_content = transform_email(sys.stdin, args.recipients[0])  # Assuming one recipient for simplicity
    if args.stdout:
        print(email_content)
    else:
        cmd = ["/usr/sbin/sendmail", "-G", "-i", "-f", args.sender, "--"] + args.recipients
        try:
            subprocess.Popen(cmd, stdin=subprocess.PIPE, encoding="utf-8").communicate(email_content)
        except Exception as e:
            import traceback
            print("4.3.0 %s: %s" % (e, traceback.format_exc()))
            sys.exit(75)  # TEMPFAIL


def transform_email(stream: TextIO, recipient_email):
    msg = Parser(policy=email.policy.compat32).parse(stream)
    if msg.get('X-GitLab-ConfidentialIssue', 'false') != 'true':
        return str(msg)
    gpg_key = get_user_gpg_key(recipient_email)
    if gpg_key:
        # Encrypt the whole original message (headers included) if a GPG key is
        # found, then ship the ciphertext as a plain-text body while keeping the
        # outer headers, so sendmail(1) and the recipient still see From/To/Subject.
        encrypted_msg = encrypt_message(str(msg), gpg_key)
        del msg['X-GitLab-ConfidentialIssue']
        msg['X-GitLab-ConfidentialIssue'] = 'encrypted'
        # ASCII armor is 7-bit; a stale quoted-printable header would mangle its "=" signs
        del msg['Content-Transfer-Encoding']
        msg.set_type("text/plain")
        msg.del_param("boundary", header="Content-Type")
        msg.set_payload(encrypted_msg)
        return str(msg)
    # Redact if no GPG key is found, keeping only the signature of the last text/plain part
    signature = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() != 'text/plain':
            continue
        plain_text = part.as_string()
        signature = quopri.decodestring(plain_text.split("-- ").pop()).decode("ascii")
    redaction_msg = """This issue is confidential and the contents of the message have been redacted.
--
""" + signature
    del msg['X-GitLab-ConfidentialIssue']
    msg['X-GitLab-ConfidentialIssue'] = 'redacted'
    msg.set_type("text/plain")
    msg.del_param("boundary", header="Content-Type")
    msg.set_payload(redaction_msg)
    return str(msg)


if __name__ == "__main__":
    main()
```

Issue: fail2ban monitoring
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41544
Author: anarcat, updated 2024-02-27T20:30:58Z
we should monitor fail2ban everywhere. in tpo/web/donate#17, we are setting up monitoring specifically for donate, but this should apply more generally to every jail, everywhere.
in particular, we should alert when it's not setup properly.
there are two exporters i know of:
| Project | Language | Description | Debian package |
|-----------------------------------------------|----------|--------------------------------|-----------------|
| [vdcloudcraft/fail2ban-geo-exporter][] | Python | per IP/location counters | no |
| [hectorjsmith/fail2ban-prometheus-exporter][] | Golang | per jail bans, matches, errors | [RFP 1064925][] |
[hectorjsmith/fail2ban-prometheus-exporter]: https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter
[vdcloudcraft/fail2ban-geo-exporter]: https://github.com/vdcloudcraft/fail2ban-geo-exporter
[RFP 1064925]: https://bugs.debian.org/1064925
right now I built a mtail-based parser specifically for donate, in tpo/web/donate#17, we'll see how it behaves. it's not enough to warn about errors, for example.

Issue: Create new email address for use with CiviCRM relationship management
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41538
Author: al smith, updated 2024-03-25T16:59:30Z
Hi TPA,
Fundraising + Mathieu need a new email address created for a function we're introducing in CiviCRM. (It will allow us to BCC an email address to automatically add a record of that email to an individual's records in CiviCRM. You can see the overarching ticket here: https://gitlab.torproject.org/tpo/web/civicrm/-/issues/112.)
I'm requesting `crm@torproject.org`.
Please let me know if there's anything I need to do to facilitate this. :) Thanks!
Assignee: Jérôme Charaoui <lavamind@torproject.org>
Due date: 2024-03-31

Issue: Sending mail to travel@torproject.org does not forward to gmail
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41524
Author: Sebastian Hahn, updated 2024-02-19T15:10:38Z
I wrote an email to travel@torproject.org, which worked a few days ago, but now eugeni informed me it couldn't deliver to gmail:
> This is the mail system at host eugeni.torproject.org.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The mail system
>
> <<handle>@gmail.com>: host
> gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1a] said: 550-5.7.26 This
> mail has been blocked because the sender is unauthenticated. 550-5.7.26
> Gmail requires all senders to authenticate with either SPF or DKIM.
> 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not
> pass 550-5.7.26 SPF [<domain>] with ip:
> [<ip> 550-5.7.26 8] = did not pass 550-5.7.26
> 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26
> https://support.google.com/mail/answer/81126#authentication
> g7-20020a05600c4c8700b004107664bbe8si4522016wmp.61 - gsmtp (in reply to end
> of DATA command)
> ...
At the same time, there was a CC directly to gmail from my own mailserver, which gmail accepted:
> postfix/smtp[3961572]: F067B38802FE: to=<<handle>@gmail.com>, relay=gmail-smtp-in.l.google.com[<ip>]:25, delay=0.97, delays=0.13/0.01/0.41/0.43, dsn=2.0.0, status=sent (250 2.0.0 OK 1707803587 c8-20020adffb48000000b0033add90c729si3955987wrs.862 - gsmtp)
Milestone: improve mail services

Issue: User landing page doesn't show Gitlab Account requests
URL: https://gitlab.torproject.org/tpo/tpa/anon_ticket/-/issues/64
Author: juga, updated 2024-02-13T09:47:03Z
But the text shown when creating a new one says "you will not be able to check it from your landing page", so we should show the Account requests or, if we prefer more privacy, remove that text.

Issue: Intermittent GitLab CI runner failures: "network already exists"
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41520
Author: Jérôme Charaoui <lavamind@torproject.org>, updated 2024-03-25T21:30:51Z
Since enabling the `FF_NETWORK_PER_BUILD` on our Podman CI runners, there have been a number of intermittent errors like [this one](https://gitlab.torproject.org/tpo/tpa/ci-test/-/jobs/473518):
```
Running with gitlab-runner 16.8.0 (c72a09b6)
on ci-runner-x86-02-main __hc2zXq, system ID: s_39a8ec4bc83a
feature flags: FF_NETWORK_PER_BUILD:true
Preparing the "docker" executor 00:11
Using Docker executor with image debian:latest ...
ERROR: Preparation failed: Error response from daemon: container d4bbbaa38009ad974fa78664c59a1e28536096505fbf5c9dcbf99675343d50c3 does not exist in database: no such container (manager.go:81:1s)
Will be retried in 3s ...
Using Docker executor with image debian:latest ...
ERROR: Preparation failed: Error response from daemon: network name runner-hc2zxq-project-1144-concurrent-0-job-473518-network already used: network already exists (manager.go:67:0s)
Will be retried in 3s ...
Using Docker executor with image debian:latest ...
ERROR: Preparation failed: Error response from daemon: network name runner-hc2zxq-project-1144-concurrent-0-job-473518-network already used: network already exists (manager.go:67:0s)
Will be retried in 3s ...
ERROR: Job failed (system failure): Error response from daemon: network name runner-hc2zxq-project-1144-concurrent-0-job-473518-network already used: network already exists (manager.go:67:0s)
```
The issue has been documented in this GitLab ticket: [Podman. preparation failed, sometimes](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/28971). The gist is that it's been identified as an issue in Podman 4.4 (which we run), and the fix is to upgrade the runners to Podman 4.5, which isn't straightforward because that's not available in Debian stable currently.
Assignee: Jérôme Charaoui <lavamind@torproject.org>
Due date: 2024-04-06

Issue: metricsdb-01 is out of disk space on /
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41514
Author: Kez, updated 2024-02-14T15:38:44Z
Roger reported metrics.tpo as being down (website returning 503). I checked nagios, and it looks like metricsdb-01 is out of disk space on the root partition. No other metrics-related issues are being reported in nagios, so I assume this is what's causing the metrics.tpo outage.
Assignee: Hiro

Issue: Simplify onionoo architecture
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41512
Author: Hiro, updated 2024-03-26T15:45:11Z
Currently onionoo is a service comprised of 4 VMs: two backends with the onionoo java apps serving and updating the data, and two frontends.
At the time the service was launched this architecture made a lot of sense, but I think now we could simplify its maintenance by reducing it to a backend with a web server (like nginx) with some aggressive caching.
I was hoping that we would get sooner to the point where onionoo would be retired, but given the current pace of development of the metrics pipeline, I personally think it makes sense to reduce this service now so that it is easier to maintain for metrics and tpa.
What do you think?
Assignee: Hiro

Issue: upgrade crm-ext-01 to php 8 or retire
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41511
Author: anarcat, updated 2024-02-20T20:04:45Z
in https://gitlab.torproject.org/tpo/tpa/team/-/issues/41252#note_2990644, @kez tested crm-ext-01 after I upgraded it and found the donate site completely broken by the PHP 8.2 upgrade. apparently, `implode` completely changed signature in PHP and the old signature was dropped in PHP 8, which breaks a *lot* of things.
exactly how much is unclear, @kez estimated just the work to estimate that work to be a few hours of work.
for now i rolled back to the php 7.4 package from bullseye, and added it to the sources.list file (although puppet might have killed the .list file already). we need to figure out a plan to go forward, either port the code, or retire the box, which is the ultimate goal once donate-neo goes to production.
Milestone: Redesign donate.torproject.org

Issue: Handle GitLab access token mandatory expiration
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41510
Author: Jérôme Charaoui <lavamind@torproject.org>, updated 2024-03-27T14:35:56Z
GitLab recently introduced a maximum lifetime for *all* access tokens. The change is discussed in a [blog post](https://about.gitlab.com/blog/2023/10/25/access-token-lifetime-limits/) from last October. Most importantly:
> As of the 16.0 milestone (May 2023), we applied an expiration date of May 14, 2024, to any personal, group, or project access token that previously didn't have one.
We should provide a convenient way of dealing with token renewal for the many tokens used across this instance which are now set to expire soon.
Unfortunately, it seems like we're more or less left to our own devices to figure out which tokens/projects are affected by this change.
Assignee: anarcat
Due date: 2024-04-30

Issue: upgrade libapache2-mod-qos to the debian trixie version on check-01
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41509
Author: Kez, updated 2024-03-12T00:05:22Z
after upgrading check-01 (#41252), apache broke because of a bug in bookworm's libapache2-mod-qos. the version from trixie is fixed, and according to the debian mailing list it can be used on bookworm https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000072
i'll be upgrading mod-qos to the trixie version and making sure apache starts on check.
Milestone: Debian 13 trixie upgrade
Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue: This anonticket service gives Server error 500 when I click on my previous Issue #40324
URL: https://gitlab.torproject.org/tpo/tpa/anon_ticket/-/issues/63
Author: cypherpunks, updated 2024-03-21T15:12:16Z
This anonticket service gives Server error 500 when I click on my previous Issue #40324
I want to edit or add more info to that thread but every time I try (on different days) I get that "server error 500"

Issue: Make it harder to forget to deploy tpo/web changes
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41506
Author: Kez, updated 2024-01-30T15:03:48Z
In tpo/web/tpo#403, I made a change, checked the review app, merged the change, checked the staging site, and *forgot* to deploy it to production. I only noticed because I was checking the pipelines for an unrelated issue and noticed the deploy job didn't run. Bekeela also pointed out to me that the change wasn't deployed, but without the two of us checking, I never would've noticed and the change wouldn't have been deployed until the next time a change was needed on tpo.
I think it would really benefit us and our stakeholders to make it harder to forget to deploy to production. Maybe we could make a simple bot that checks if a change has been deployed to staging, but not production.
Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue: retire individual grants in RT
URL: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41501
Author: anarcat, updated 2024-01-25T03:44:00Z
in https://gitlab.torproject.org/tpo/tpa/team/-/issues/41496#note_2988546, @lavamind suggested we have a policy to only grant "groups" access and grant users access to those groups, to facilitate permissions management and auditing.
let's do that.
@lavamind do you want this? or maybe @kez?

Issue: Wrong domain of GitLab's mail server certificate
URL: https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/148
Author: Mynacol, updated 2024-02-08T16:05:24Z
I wanted to reply to a GitLab issue by mail, but my mail server refused to send it, as the TLS certificate could not be verified. My mail server is configured to strictly verify the respective certificates.
The mail was headed to `[...]@gitlab.torproject.org`. My mail server queried the MX record of gitlab.torproject.org, but only got a CNAME response, which leads to gitlab-02.torproject.org that points to the right IP addresses. Now my mail server expected a TLS certificate for gitlab.torproject.org, but your postfix provided a certificate for gitlab-02.torproject.org, which my mail server regarded as invalid.
The easiest way to fix this is to add an MX record to gitlab.torproject.org pointing at gitlab-02.torproject.org. That could even help with mail deliverability.
Alternatively, you can provide a certificate for gitlab.torproject.org from your mail server just like on the website.
Maybe the test page on [internet.nl](https://internet.nl/mail/gitlab.torproject.org/1127446/) helps you too.
Milestone: improve mail services
Assignee: Jérôme Charaoui <lavamind@torproject.org>