TPA team issues (https://gitlab.torproject.org/tpo/tpa/team/-/issues), feed updated 2024-02-21T19:49:00Z

[TPA-RFC-62: migrate tor-passwords to password-store](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41522)
Date: 2024-02-21T19:49:00Z, author: anarcat

In #29677, we have reviewed a bunch of password managers. Bitwarden seems to be emerging as a possible candidate for an organisation-wide password management service, but in the short term however, we do not want to make any major changes to our workflow. There's also an argument to be made that TPA should *not* be using a global password manager and is best protecting those secrets with a different mechanism.
In any case, during a recent offboarding process (tpo/tpa/team#41519), it became very clear that our *current* password manager (pwstore) has major flaws:
1. key management: in this case, @hiro's key was expired and had to be manually removed from the user's list. This would be similar in pass, except that the keyid file is easier to manage, as its signature is managed automatically by `pass init`, provided that the `PASSWORD_STORE_SIGNING_KEY` variable is set
2. password rotation: because multiple passwords are stored in the same file, it's hard or impossible to actually see the last rotation on a single password
3. conflicts: because multiple passwords are stored in the same file, we frequently get conflicts when making changes, which is particularly painful if we need to distribute the "rotation" work
4. abandonware: a [pull request to fix Debian bookworm / Ruby 3.1 support](https://github.com/weaselp/pwstore/pull/8) has been ignored for more than a year at this point
5. counter-intuitive interface: there's no command to extract a password, you're presumably supposed to use `gpg -d` to read the password files, yet you can't use other tools to directly manipulate the password files because the target encryption keys are specified in a meta file (that latter issue is shared with pass, to be fair)
6. not packaged: pwstore is not in Debian, flatpak, or anything else
The main downside to pass is the .gpg-id system is less secure than pwstore: its signature is not enforced unless the environment variable is set, which is a bit brittle. It's also relying on the global GPG key store although in theory it should be possible to rely on another keyring by passing different options to GnuPG.
Finally, by splitting secrets into different files, we disclose **which** accounts we have access to, but I consider this a reasonable tradeoff for the benefits it brings.
Update: the above was put in an actual proposal, see https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-62-tpa-password-manager

Assignee: anarcat

[document donate-review deployment process and project in general](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41523)
Date: 2024-02-14T21:09:13Z, author: anarcat

In tpo/tpa/team#41519, we have identified that donate-review lacks documentation. #41518 is a task for @lavamind to review that project, but this is for @kez to document it as much as they can.

Assignee: Jérôme Charaoui (lavamind@torproject.org)

[Provide git commit notifications for dirauth-conf changes to #tor-internal](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41433)
Date: 2024-01-19T20:40:07Z, author: Georg Koppen

As our dirauth-conf repo is moving away from git.torproject.org to GitLab, we'd like to retain the option to send notifications for git commits pushed to our #tor-internal channel.

[Deploy community policies mkdocs build](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41384)
Date: 2023-11-08T23:50:58Z, author: Gus

Hi,
We're generating the Tor Community policies (https://tpo.pages.torproject.net/community/policies) pages using GitLab-CI + GitLab pages.

Please create the `policies.torproject.org` subdomain and redirect to https://tpo.pages.torproject.net/community/policies

Assignee: Jérôme Charaoui (lavamind@torproject.org)

[followup on TPA-RFC-27: Python 2 removal in bookworm](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40999)
Date: 2023-07-05T14:42:44Z, author: anarcat

In #33949, we decided to EOL Python 2 inside TPA. The actual [proposal](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-27-python2-eol) [timeline](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-27-python2-eol#timeline) said:
> Debian 12 bookworm upgrades are currently scheduled to begin some time in 2023 and should be completed before July 2024. An actual schedule will be proposed in a future announcement. When this change will be deployed, Python 2 will be gone from TPA servers.
This ticket is to follow up on that step, when we upgrade all servers to bookworm and Python 2 is definitely removed from our servers. It's possible (though unlikely) that some Python 2 programs remain on the upgraded bullseye servers, so this ticket will make sure we make proper announcements and porting if we encounter those.

Milestone: Debian 12 bookworm upgrade
Assignee: anarcat

[Migrate new machine docs to new swap file policy](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41188)
Date: 2023-05-25T15:05:34Z, author: Jérôme Charaoui (lavamind@torproject.org)

Following adoption of [TPA-RFC-55: Swap file policy](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-55-swap-file-policy), we should implement the changes to our new-machines documentation and templates.
- [x] new ganeti instance docs
- [x] new physical machine docs
- [x] fabric installer disk templates

Assignee: Jérôme Charaoui (lavamind@torproject.org)

[Document swap file resizing](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41187)
Date: 2023-05-24T21:55:16Z, author: Jérôme Charaoui (lavamind@torproject.org)

Following adoption of [TPA-RFC-55: Swap file policy](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-55-swap-file-policy), we should document how to resize the ganeti installer-created swap file for instances that require more swap space.

Assignee: Jérôme Charaoui (lavamind@torproject.org)

[prepare (and give) training for 2FA with security keys in CR](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41125)
Date: 2023-04-27T23:20:17Z, author: anarcat

In #41083 we agreed to distribute security keys (specifically Yubikeys) in Costa Rica.
This ticket is to ensure we have a training prepared beforehand and that we give it to people and that people are happy.
We should also, incidentally, keep track of the keys to make sure they do end up in CR.
/cc @linus @shelikhoo

Assignee: anarcat

[document our fastly/CDN setup](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40979)
Date: 2022-11-30T19:55:45Z, author: anarcat

So we have a CDN we use here, and it's not really documented. We have fairly good docs on the ~"static-component" system, but nothing on ~Fastly. We didn't even have a tag for it until #40978 was filed (and I made it).
So we should document:
* [ ] what we use fastly for
* [ ] how it's configured (e.g. `cdn-config-fastly.git`, `./tor-puppet/modules/roles/files/puppetmaster/update-fastly-ips`, static-component yaml file, probably more)
* [ ] what talks to it and why not everything is on there
* [ ] what our limits are
* [ ] contact information
* [ ] password management
Basically, make a full service audit.

Assignee: anarcat

[CI for wiki-replica is broken](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40937)
Date: 2022-10-24T20:11:50Z, author: Jérôme Charaoui (lavamind@torproject.org)

Since the markdownlint project on GitHub has [updated](https://github.com/markdownlint/markdownlint/commit/865ab4408132de980baddb9448047f411f4e3325) their docker image a week ago, the [wiki-replica CI](https://gitlab.torproject.org/tpo/tpa/wiki-replica/-/jobs) is unable to run any tests because the container bootstrap is failing with:
> ERROR: Job failed (system failure): Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "/bin/bash": stat /bin/bash: no such file or directory: unknown (exec.go:78:0s)

Assignee: anarcat

[document the static mirror network and onionbalance system better](https://gitlab.torproject.org/tpo/tpa/team/-/issues/34436)
Date: 2020-12-01T15:31:36Z, author: anarcat

We have some documentation on the static mirroring system here:
https://help.torproject.org/tsa/howto/static-component/
It's mostly procedural and minimal: add a component, remove a component and that's it. It doesn't explain at all how the system works, how to create or remove a new node in the network, how onion services interact with it, and how it actually works in puppet.
All this should be better documented. For example, I should be able to resolve legacy/trac#34396 without asking weasel. :)

Assignee: anarcat

[Make (and update) a services table, with pointers to survival guides for each service](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40045)
Date: 2020-09-23T15:15:25Z, author: Roger Dingledine

We should make a table of what our services are, and which teams / people are running them.
Here's the original table:
https://trac.torproject.org/projects/tor/wiki/org/operations/services
ahf imported this table into gitlab, but it doesn't seem to display:
https://gitlab.torproject.org/legacy/trac/-/wikis/org/operations/Infrastructure
I'll start with: phw just made a survival guide for check, and it is at:
https://gitlab.torproject.org/tpo/metrics/team/-/wikis/Survival-Guides/Check

Assignee: anarcat