TPA team issues
https://gitlab.torproject.org/tpo/tpa/team/-/issues
Updated: 2024-03-07T14:22:30Z

Issue 41507: ExoneraTor suffering from possible denial of service
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41507
Updated: 2024-03-07T14:22:30Z
Author: Jérôme Charaoui <lavamind@torproject.org>

Since approximately the new year, it seems like ExoneraTor (hosted on `materculae`) is suffering from an unusually high load:

![Capture_d_écran_du_2024-01-30_18-26-01](/uploads/6d9c76f835b53626b2d6cb0b13628ee0/Capture_d_écran_du_2024-01-30_18-26-01.png)

Many requests appear to be timing out with a 502 error.

Assignee: Hiro

Issue 40873: Sending gitlab comments by emails is not working
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40873
Updated: 2022-12-05T15:19:19Z
Author: boklm

I wrote some comment for tpo/applications/tor-browser-build!509 by answering an email a few days ago (on 2022-08-22), and today answered a comment on #40872 by email, but they did not get posted. So it looks like sending comments by email is not working anymore.

Assignee: anarcat

Issue 41483: metricsdb-01 out of swap
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41483
Updated: 2024-02-17T00:06:09Z
Author: Kez

Nagios has an alert for metricsdb-01: SWAP CRITICAL - 4% free (65MB out of 2047MB). It's almost exclusively because of a victoria-metric process: `victoria-metric 1800892 kB`.

@hiro I'm assigning this to you because you'll probably know what to do with it better than me.

Assignee: Hiro

Issue 41464: nextcloud is returning 502 bad gateway
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41464
Updated: 2024-03-14T00:48:16Z
Author: Jim Newsome

I'm getting 502 bad gateway for https://nc.torproject.net/. Verified by thorin as well.

Assignee: micah <micah@torproject.org>

Issue 33588: migrate to puppetserver and Puppet agent 7 before EOL
https://gitlab.torproject.org/tpo/tpa/team/-/issues/33588
Updated: 2023-02-27T21:00:32Z
Author: anarcat

Our current "puppetmaster" configuration ("apache + passenger") is deprecated and will be removed in Puppet 6. We need to switch to the alternative, which is "puppetserver", a daemon written in Clojure especially for that purpose.
the tool is [not yet in Debian](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830904), <del>so this can wait until then</del>. otherwise we could also use the upstream puppet debian repositories.
our "old" passenger configuration led to at least one security issue (#33587) which was due to how complex that configuration is.
puppet 5, as a whole, is EOL in november 2020, so we should consider an upgrade path to Puppet 6 by then. the packaging work is happening in [bts #950182](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950182).
update: it might be desirable to jump directly to Puppet 7 if we're going to make such a switch, since Puppet 6 itself is going to be EOL by February 2023 ([source](https://puppet.com/docs/puppet/6/platform_lifecycle.html)).
update: we most definitely will want to jump to puppet 7 for both the server and agent components, as the 6.x series is missing support for Ruby 3.0 which is what bookworm ships currently.
note: a [puppet cluster upgrade](https://puppet.com/docs/puppet/6/upgrade_minor.html) normally goes through those two stages:
* upgrade puppetdb, because its consumers are typically more tolerant of API changes
* upgrade the server
* upgrade the agents
In other words, the server is backwards compatible with older clients, but not the reverse. and the server and puppet db need to be upgraded together. How far back the server is compatible with the clients is unclear. [this document](https://puppet.com/docs/puppet/7/server/compatibility_with_puppet_agent.html) seems to state, surprisingly, that Puppetserver 7 is backwards compatible with Puppet 4 agents. But this *other* [document](https://puppet.com/docs/pe/2021.5/component_versions_in_recent_pe_releases.html#primary-agent-compatibility) states the opposite, that even Puppet agent 5.x is not supported by 7.x. So that's still unclear.
update: bastelfreak stated that Puppet agent 5.5 should work with Server 7. one concern they had was with the "intermediate cert" created by Puppet server 7, but as long as we keep the existing cert, we should be fine.
This is the state of the Puppet packages in Debian and upstream:
| Package | buster | bullseye | testing | unstable | experimental | upstream |
|---------------|------------------|-----------|-------------|-------------|--------------|----------------|
| Puppet agent | 5.5.10-4 | 5.5.22-2 | 5.5.22-4 | 5.5.22-4 | 7.16.0-2 | 6.27.0/7.17.0 |
| Puppet master | 5.5.10-4 | 5.5.22-2 | 5.5.22-4 | 5.5.22-4 | N/A | N/A |
| Puppetserver | N/A | N/A | N/A | N/A | 6.16.0-1 | 6.19.0/7.8.0 |
| PuppetDB | 6.2.0-3 | N/A | N/A | 6.2.0-5 | N/A | 6.21.0/7.10.1 |
| Facter | 3.11.0-2+deb10u2 | 3.14.12-1 | 3.14.12-1.1 | 3.14.12-1.1 | N/A | 3.14.23/4.2.10 |
These are the different EOL dates:
* Puppet 5: November 2020 (source?)
* Puppet 6: February 2023 ([source](https://puppet.com/docs/puppet/6/platform_lifecycle.html))
* Puppet 7: unannounced?
this implies that we *could* do this:
1. upgrade pauli to bullseye, keeping the old puppetmaster 5 configuration (or rebuild with bullseye)
2. upgrade to puppet server 6 (probably using upstream packages, because the [ITP is still not resolved](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830904), [details in this post too](https://veronneau.org/puppetserver-6-a-debian-packaging-post-mortem.html))
3. eventually, upgrade all agents to puppet agent 6 (see [this bug report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950182), fixed in experimental?), possibly part of the bookworm upgrade?
4. upgrade to puppet server 7, possibly with the Bookworm upgrade (see %"Debian 12 bookworm upgrade") with Debian packages if jruby gets their thing together
it should be noted that puppetdb is also in bad shape. it's at version 6.2.0 (while upstream is 6.20), with at least three RC bugs which kept it from shipping in bullseye and keep it from bookworm right now as well. see #40707 for that package specifically.
so that's another thing that should be fixed. according to @pollo, that is simpler to fix than the puppetserver SNAFU, fortunately. it seems it could be upgraded separately from the other as well.
there's a coding sprint coming in the clojure team to address some of the underlying issues in clojure Debian packaging that directly affect Puppet packaging, see https://wiki.debian.org/Sprints/2022/ClojureTeam. I think we should participate in this sprint to help with this effort.
finally, there's also facter to worry about. Puppet 7 seems to mention Facter 4 in its [upgrade notes](https://puppet.com/docs/puppet/7/upgrading-from-puppet6-to-puppet7.html#upgrading_from_puppet6_to_puppet7) and specifically trouble with upgrades from 6 to 7 that need to go through 6.22+ on the server side. Ugh. Update: on that front, we seem safe enough: people are apparently running Puppet 7 with Facter 3 without problems.
update: there's been some progress recently in packaging puppet agent 7 (almost ready) and puppetdb (some deps still missing). as for puppetserver it's still blocking on jruby, so the outlook is uncertain currently. this ongoing work is being tracked in more detail on this [Debian wiki page](https://wiki.debian.org/Teams/Puppet/Work).

Milestone: Puppet CI
Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue 41553: write a blog post about the static mirror system
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41553
Updated: 2024-03-11T17:06:03Z
Author: anarcat

I found [this post](https://alexcabal.com/posts/standard-ebooks-and-classic-web-tech) to be pretty interesting. I wish I could write about some fancy new high-tech system we've built in TPA that's the cutting edge of technology, but the reality is that we're a hodgepodge collection of legacy systems we're keeping alive by a wise combination of "if it ain't broken don't fix it" and "okay, this is too horrible, let's fix that tiny piece", migrating one system at a time toward modernity.
The static mirror system is an excellent example of this. When I arrived, it was mostly built from shell servers and... Jenkins, which was hard to use and generally disliked. We migrated to GitLab and built a shim to avoid having to replace the entire system. That handful of servers is pumping out gigabits per second, it's easy to deploy and scale out (although *that* could be made easier).
This is mostly summarizing and glorifying the docs I've already written in the [service docs](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/static-component/).
This would be, therefore, an interesting blog post on its own, but I think it could also serve as great advertisement for the job posting (tpo/tpa/team#41542).

Assignee: anarcat

Issue 41548: issue when downloading from https://bridges.torproject.org/bridgestrap-collector
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41548
Updated: 2024-03-04T15:00:14Z
Author: Hiro

I have noticed an issue when collector-02 is downloading from: https://bridges.torproject.org/bridgestrap-collector

This is the error I see in Java:

```
2024-03-01 09:45:13,880 WARN o.t.m.c.b.BridgestrapStatsDownloader:70 Failed downloading https://bridges.torproject.org/bridgestrap-collector.
java.io.IOException: Premature EOF
at java.base/sun.net.www.http.ChunkedInputStream.readAheadBlocking(ChunkedInputStream.java:567)
at java.base/sun.net.www.http.ChunkedInputStream.readAhead(ChunkedInputStream.java:611)
at java.base/sun.net.www.http.ChunkedInputStream.read(ChunkedInputStream.java:705)
at java.base/java.io.FilterInputStream.read(FilterInputStream.java:132)
at java.base/sun.net.www.protocol.http.HttpURLConnection$HttpInputStream.read(HttpURLConnection.java:3698)
at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
at org.torproject.metrics.collector.downloader.Downloader.downloadFromHttpServer(Downloader.java:55)
at org.torproject.metrics.collector.downloader.Downloader.downloadFromHttpServer(Downloader.java:26)
at org.torproject.metrics.collector.bridgestrap.BridgestrapStatsDownloader.startProcessing(BridgestrapStatsDownloader.java:68)
at org.torproject.metrics.collector.cron.CollecTorMain.run(CollecTorMain.java:55)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
```
I made some little measurements from bash and got this:
```
time_namelookup: 0.050899s
time_connect: 0.097606s
time_appconnect: 0.159109s
time_pretransfer: 0.159138s
time_redirect: 0.000000s
time_starttransfer: 0.209088s
----------
time_total: 5.969495s
```
Seems nothing is really amiss. Any idea what is happening? Is this a web server issue or should I talk to anti-censorship instead?

Assignee: meskio <meskio@torproject.org>

Issue 41545: 120 Stripe / PayPal transactions missing from CiviCRM, 30 January - 5 February 2024
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41545
Updated: 2024-02-27T21:54:30Z
Author: mattlav

Between 30 January and 5 February, I was able to identify (by comparing transaction records) 120 transactions totaling $2,085 that remained un-recorded in CiviCRM. The money came to Tor, but the records of the transactions did not.
In time I was able to find all the transactions and import dummy versions of them to CiviCRM, so our books will balance. But we still should figure out what happened, and whether we should take steps to prevent it.
I kept pretty detailed records of how I proceeded, along with all the data dumped from Stripe and PayPal, in a [NextCloud folder](https://nc.torproject.net/index.php/f/535242) - but I don't imagine this will be very easy to interpret if you're not me. So the way forward is probably for me to do a little show and tell with TPA, in order to enable you to figure out what went haywire for the week in question.

Assignee: anarcat

Issue 41541: Vaultwarden experiment
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
Updated: 2024-03-26T20:46:38Z
Author: micah <micah@torproject.org>

I have been working in the engineering side of the organization to organize accounts we have with different online services. That work has identified that we have accounts that have been setup by different individuals over time (some who are no longer with us, many who should not even have access any longer), with different personal or outdated organization information configured, and their associated passwords being shared in numerous ways of various levels of security or insecurity (signal, matrix, email, etc.). Accounts such as google play store, apple developer console, dockerhub, domain fronting CDN providers, browser extension stores, AWS, GKE, etc. are strewn about in a fairly haphazard way. The goal of this effort is to bring sanity to these accounts and reduce the overhead involved in regaining access, performing necessary billing work, adjusting organizational details, updating legal agreements, etc. Having a single password vault for accounts that can be organized in ways that different people can have appropriate access would go a long ways towards making things less chaotic.
As we continue to [evaluate password management options](https://gitlab.torproject.org/tpo/tpa/team/-/issues/29677), and because there is a need in engineering to solve our messy password situation, I'd like to propose that we try an experiment with a [vaultwarden](https://github.com/dani-garcia/vaultwarden) server (the free software, rust rewrite of Bitwarden). I have been managing a vaultwarden server for personal use, and it appears to work well, and functions well in organizations who have different access and client needs. My proposal is that TPA would setup and manage a VM, with the vaultwarden-server container setup, and I would manage the service. I would attempt to use this system to organize these efforts, and this can be simultaneously an opportunity to evaluate the relative merits of this system for potential wider use. We can check in on the effectiveness of this as we go along and change course without difficulty.
Vaultwarden was designed to run on a raspberry pi, and it [appears](https://github.com/dani-garcia/vaultwarden/issues/277#issuecomment-445526374) that hosting up to 100 users works just fine on [such a setup](https://github.com/dani-garcia/vaultwarden/issues/645). Thus the [required specifications](https://github.com/dani-garcia/vaultwarden/wiki/Deployment-examples) for a server are quite minimal. Considering this is an experiment, I would suggest we start off with a minimal configuration and monitor it and adjust on the way.
**Specs requested:**
- Memory: 512MB
- CPU: 1 core
- Storage: 5GB (in addition to what your typical Debian installation with podman would require)
- DNS: vault.torproject.org
- Software:
podman configured to auto-update the docker image `vaultwarden/server:latest` -- this [tracks the latest released tagged version number](https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use) with an appropriate rw volume/directory mounted on `/data` and port 80 exposed (`-p 80:80`), passing the following environment variables:
```
SIGNUPS_ALLOWED: false
ORG_CREATION_USERS: none
INVITATIONS_ALLOWED: false
INVITATION_ORG_NAME: Tor
DOMAIN: 'https://vault.torproject.org'
ADMIN_TOKEN: <provided out of band>
SMTP_HOST: <tpa provided>
SMTP_FROM: <tpa provided>
SMTP_USERNAME: <tpa provided>
SMTP_PASSWORD: <tpa provided>
SMTP_SECURITY: <tpa provided: starttls for 587, force_tls for 465>
SMTP_AUTH_MECHANISM: <tpa provided: Plain, Login, Xoauth2>
HELO_NAME: vault.torproject.org
```
```
TPA's choice:
USE_SYSLOG: true (depends on TPA logging policy)
LOG_FILE: /path/to/log (if not using syslog, depending on TPA log poligy)
```
- Reverse Proxy: with TLS certificate, please see [these examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples), presumably the normal `nginx` one there is what you would use, but if that isn't the typical tpa webserver, other options are there.
- Backups: please backup the volume that is passed, it contains a sqlite database that is critical.
- Firewall:
ALL IN/OUT: port 443 for reverse proxy
OUT: either port 587 or 465, depending on `SMTP_SECURITY`

Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue 41516: metricsdb-01 root filesystem is full
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41516
Updated: 2024-02-05T20:09:05Z
Author: Jérôme Charaoui <lavamind@torproject.org>

For over a week, the root filesystem on `metricsdb-01` has been filled to 100%.

The cause seems to be related to log lines such as this being added tens (even hundreds) of thousands of times every day:

```
Feb 05 04:05:37 metricsdb-01 run[3664186]: 2024-02-05 04:05:37,453 WARN o.t.m.d.p.WebStatsParser:114 ERROR: duplicate key value violates unique constraint "log_line_pkey"
Feb 05 04:05:37 metricsdb-01 run[3664186]: Detail: Key (digest)=(g4tX2M7Beig0hqfn2OaUHKGTpXTjel+p8wrfWoTzK+8) already exists.
```

Assignee: Hiro

Issue 41492: grafana2.tpo datasource PostgreSQL metricsdb-01.tpo returns error
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41492
Updated: 2024-02-13T03:27:25Z
Author: juga

When I try to use metricsdb-01.tpo as datasource in grafana2.tpo, I get this error:

```
db query error: pq: no pg_hba.conf entry for host "2a01:4f8:c2c:1ff7::1", user "metricsro", database "parser", SSL encryption
```

However I can use this datasource in a local grafana server configuring `/var/lib/grafana/autoca.crt` as `TLS/SSL Root Certificate`. I've added this to grafana2.tpo datasource, but it still gives the error `Plugin health check failed` when I click `Save & test`.

Assignee: Hiro

Issue 41489: Consider disabling HTML filter for XSS on LimeSurvey
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41489
Updated: 2024-01-30T13:42:45Z
Author: sajolida

As part of tpo/ux/research#130, I tried to embed a data handling policy in the questionnaire using a [Bootstrap](https://getbootstrap.com/) collapsible section, to avoid overwhelming participants with text that they might not read.
The following code works when entered in the description of a group of questions on my other instance of LimeSurvey without HTML filtering:
```
<p><button aria-controls="data-handling-policy" aria-expanded="false" class="btn btn-secondary" data-bs-target="#data-handling-policy" data-bs-toggle="collapse" type="button">Show Data Handling Policy</button></p>
<div class="collapse" id="data-handling-policy">
<div class="card card-body">Data Handling Policy</div>
</div>
```
LimeSurvey already uses Bootstrap for theming so all these goodies are readily available.
When I try this on survey.torproject.org, the code gets filtered and actually saves:
```
<p>Show Data Handling Policy</p>
<div class="collapse" id="data-handling-policy">
<div class="card card-body">Data Handling Policy</div>
</div>
```
As a result the collapsible section doesn't work.
This relates to the following setting in Configuration → Settings → Global:
![image](/uploads/58eb873590f89c2d0f67c6d8f053d74a/image.png)
It's set to "On" by default, which is probably the case on survey.torproject.org. If I turn it on on my other instance of LimeSurvey, I get the same filtering.
Together with @donuts, we were wondering whether this filtering was activated on purpose or if it could be deactivated to allow the use of more Bootstrap goodies in surveys.
And don't worry if you want to keep the filtering activated for security reasons, I can try to implement a [pure CSS collapsible](https://www.digitalocean.com/community/tutorials/css-collapsible).

Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue 41484: deploy fabric-tasks on install and keep up to date in puppet
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41484
Updated: 2024-03-27T14:40:01Z
Author: anarcat

all hosts should have a copy of fabric-tasks. there's many useful things in that repo, and we should keep expanding it to have more useful things.
it would skip a step in the install procedure, but it would also allow us to dump ad-hoc scripts that we currently leave lying around in /root or elsewhere.
this is part of the automated install task (#31239).

Milestone: (next) cluster scaling
Assignee: anarcat

Issue 41478: puppet-run.service failing on rude
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41478
Updated: 2024-01-18T20:16:07Z
Author: Kez

Nagios is warning about degraded system services on rude. Checking `systemctl --failed`, the only failing service is puppet-run. I tried starting it by hand in case it was a transient issue, but it fails with the same error message.

```
Jan 18 13:51:33 rude systemd[1]: Started puppet-run.service - Run the Puppet agent on this machine.
Jan 18 13:51:50 rude puppet-agent[1571786]: (/Postgresql_psql[ALTER ROLE rtuser ENCRYPTED PASSWORD ****]) Unable to mark 'unless' as sensitive: unless is a parameter and not a property, and cannot be automatically redacted.
Jan 18 13:51:51 rude crontab[1571944]: (root) LIST (root)
Jan 18 13:51:51 rude crontab[1571945]: (root) LIST (rtmailarchive)
Jan 18 13:51:51 rude crontab[1571946]: (root) LIST (colin)
Jan 18 13:52:05 rude puppet-agent[1571786]: (/Stage[main]/Profile::Rt/File[/etc/spamassassin/kam.sa-channels.mcgrail.com.key]) Could not evaluate: Could not retrieve information from environment production source(s) https://mcgrail.com/downloads/kam.sa-channels.mcgrail.com.key
Jan 18 13:52:05 rude puppet-agent[1571786]: (/Stage[main]/Profile::Rt/Exec[import KAM channel key]) Dependency File[/etc/spamassassin/kam.sa-channels.mcgrail.com.key] has failures: true
Jan 18 13:52:05 rude puppet-agent[1571786]: (/Stage[main]/Profile::Rt/Exec[import KAM channel key]) Skipping because of failed dependencies
Jan 18 13:52:05 rude puppet-agent[1571786]: (/Stage[main]/Profile::Rt/Cron[update KAM ruleset]) Skipping because of failed dependencies
Jan 18 13:52:09 rude puppet-agent[1571786]: Applied catalog in 18.97 seconds
Jan 18 13:52:10 rude systemd[1]: puppet-run.service: Main process exited, code=exited, status=4/NOPERMISSION
Jan 18 13:52:10 rude systemd[1]: puppet-run.service: Failed with result 'exit-code'.
Jan 18 13:52:10 rude systemd[1]: puppet-run.service: Consumed 12.406s CPU time.
```
the specific problem here seems to be that puppet can't fetch a key file from `mcgrail.com`.

Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue 41471: irc bouncer account for bella
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41471
Updated: 2024-01-23T13:09:28Z
Author: Gaba <gaba@torproject.org>

@bella will be connecting to irc soon. Can we set up an account in the irc bouncer for her?

Assignee: pastly

Issue 41460: oo.nc.torproject.net CAA record prevents issuance
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41460
Updated: 2024-01-10T13:13:41Z
Author: micah <micah@torproject.org>

The CAA record that exists for torproject.org makes it not possible for `oo.nc.torproject.net` certificates to be generated on riseup's side.

The certificate is set to expire on Wed, 24 Jan 2024 05:54:25 GMT.

Due date: 2024-01-19
Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue 41458: SMTP smuggling attack
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41458
Updated: 2024-01-25T14:10:34Z
Author: anarcat

not sure if we're affected by this or how much.

https://www.postfix.org/smtp-smuggling.html
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
https://security-tracker.debian.org/tracker/1059230

here's a patch to tor-puppet.git that might mitigate part of the problem:
```diff
modified modules/postfix/templates/main.cf.erb
@@ -140,6 +140,12 @@ smtpd_recipient_restrictions =
reject
<% end -%>
+# workaround for SMTP smuggling, see:
+# https://security-tracker.debian.org/tracker/1059230
+# https://www.postfix.org/smtp-smuggling.html
+# https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
+smtpd_data_restrictions = reject_unauth_pipelining
+
# cf. https://isc.sans.edu/diary/Hardening+Postfix+Against+FTP+Relay+Attacks/22086
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
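Review bot: `smtpd_data_restrictions = reject_unauth_pipelining`, added at the top of this hunk, is the workaround the linked postfix.org page gives for Postfix versions that do not yet carry the fix, and that page is explicit that it only stops the variants of the attack that pipeline the smuggled commands behind the DATA payload, so the "mitigate part of the problem" wording in the issue is accurate and the commented links are enough documentation for the line. On a Postfix build that includes the patched code (the Debian tracker entry quoted in the comment), the setting that addresses the bare-newline handling itself is `smtpd_forbid_bare_newline = yes`; consider emitting it from the same template, gated on the Postfix version the host runs, rather than relying on this line alone. Also check that `smtpd_data_restrictions` is not already assigned elsewhere in `main.cf.erb`: Postfix takes the last value it sees for a parameter, so an earlier assignment lower in the file would silently cancel this one.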
```
this might be mitigated by the fact that we don't have hard DMARC/DKIM policies anyways, so we're already vulnerable to quite a bit of masquerading attacks.

Assignee: Jérôme Charaoui <lavamind@torproject.org>

Issue 41371: audit znc user database on chives
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41371
Updated: 2023-10-31T22:05:08Z
Author: Roger Dingledine

We have some people using our znc bouncer on chives whose ldap entries were disabled long ago and who have long ago moved on from Tor. Yet they are making connections to irc that represent them as Tor people. This is not a good situation long-term.
We should (a) go through and audit the current user set, to do something about the ones that we would have removed if we had realized this was a separate user list than ldap, and then (b) we should come up with some way to remember to do this when we retire ldap accounts too.
Cc @pastly since I think he may be related to the znc bouncer still? I hope?

Assignee: pastly

Issue 41345: Add @jag to groups/tpo/web
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41345
Updated: 2023-10-02T20:05:40Z
Author: donuts

@jag needs added to the tpo/web group please.

Assignee: anarcat

Issue 41340: Move TorBrowser launcher to Tor's Gitlab server
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41340
Updated: 2023-09-27T17:00:36Z
Author: Gaba <gaba@torproject.org>

Micahflee reached out to us about the Tor Browser Launcher's project. He wants to move it to TPO and eventually deprecate it if we find a better option for Tor Browser in Linux distros.
The project right now: https://github.com/micahflee/torbrowser-launcher
Next steps will be:
1. Move the project to gitlab.torproject.org/tpo/applications and mirror it in micahflee's github project (https://github.com/micahflee/torbrowser-launcher)
2. Somebody in the @tpo/applications team can be responsible for maintaining it with micah's help.
3. Deprecate it for TB 14.0 when we can package TB for Linux distros directly.

Assignee: Gaba <gaba@torproject.org>