TPA-RFC-41: Consider replacing or fixing Schleuder
Hello,
The title is a bit of a joke, but the gist of the issue here is that Schleuder seems to make everybody sad and miserable.
Over the past few weeks we had to do:
- Transition the Community Council list to new members. That caused troubles where we needed help from TPA.
- @nickm wrote a very important email to the Network Team Security list which nobody received. @dgoulet got the log out which gave the error message, but @nickm has not been notified about this automatically from the system.
- Issues with handling key updates when the key isn't on the currently-functional-whatever-that-may-mean OpenPGP keyserver.
- It seems like we have /some/ overlap between tor-security@ and network-team-security@, but maybe we should just consolidate these two into a single end-point for such reports? Since I'm not on the former: does the browser team get as many security issues that way as the network team does?
We don't use Schleuder much in the organization right now. Only for "sensitive" topics such as the Community Council, and the different methods to report security issues to us.
Since https://gitlab.com/gitlab-org/gitlab/-/issues/222908 is still open, GitLab doesn't seem to be the sole solution to this issue unfortunately and wouldn't work in the CC case at all :-/
Can we try to come up with an alternative?
CC'ing @cohosh here too as CC contact. CC'ing @arma and @sysrqb as they are on tor-security@ too.
update: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-41-schleuder-retirement drafted
next steps:
- retire network-team-security@
- decide what to do with tor-security-encrypted@
- decide what to do with tor-security@
- make a ticket to set up a new VM for schleuder and set up the web interface (see also #40981 (closed))