Tag Archives: Software-Assessment

CAcert software development reaches milestone for CCA rollout

[Dutch, French, German, Italian, Spanish versions below]
The CAcert Software Development Team completed work on the important milestone for the rollout of the CAcert Community Agreement (CCA) [1]. The agreement of the CCA is recorded throughtout the software ([2], [3].

Therefore each member needs to agree to the CCA within the software on the following occasions:
– creating a new member account
– assuring another member, getting assured
– creating a new client certificate, a new server certificate or a new gpg certificate

Sometime in the future the software will prompt each user, who did not accept the CCA until up to that date while logging into the system. After that date you only will be able to log into the software after accepting the CCA.

[Dutch version]
Het CAcert Software Development Team heeft een belangrijke mijlpaal
bereikt voor het uitrollen van de CAcert Community Agreement (CCA) [1].
Aanvaarding van de CCA wordt nu door middel van de software systematisch
vastgelegd ([2], [3]).

Daarom moet elk CAcert lid nu de CCA aanvaarden in de software op de
volgende momenten:
– bij het maken van een nieuwe account;
– bij het invoeren van een assurance;
– bij het aanmaken van een nieuw client certificaat, een nieuw
server certificaat of een nieuw gpg certificaat.

Binnenkort zal de software aan elke gebruiker die tot dat moment de CCA
nog niet aanvaard heeft, bij het inloggen verzoeken om in te stemmem met
de CCA. Vanaf dat moment kan er alleen nog ingelogd worden door leden
die expliciet de CCA aanvaarden.

[French version]
L’equipe de développement de logiciels CAcert a franchit une nouvelle étape pour le déploiement de l’Accord de la Communauté CAcert.

L’équipe de développement de logiciel CAcert a achevé ses travaux sur l’étape importante pour le déploiement de l’accord de la Communauté CAcert (CCA) [1]. L’acetptance du CCA est maintenant enregistré par le logiciel. [2], [3]

Par conséquent, chaque membre doit accepter le CCA dans le logiciel sur un des cas suivants:
– lors de la création d’un nouveau compte de membre
– après l’accréditation d’un autre membre, en l’inscrivant dans le système
– lors de la création d’un nouveau certificat de client, un nouveau certificat de serveur ou d’un
nouveau certificat GPG

Dans les jours à venir, le logiciel invitera chaque utilisateur, qui n’a pas encore accepté le CCA lors d’une connection au système, de confirmer qu’il accèpte le CCA. Après cette date, se peut connecter au logiciel que celui qui a accepté le CCA.

[German version]
Das CAcert Software Development Team hat den wichtigen Meilenstein für das CAcert Community Agreement (CCA) [1] Rollout erreicht. [2, 3]

Daher müssen alle Community Member nun an folgenden Stellen innerhalb der Software zustimmen:
– beim Anlegen eines neuen Accounts
– bei der Eintragen der Assurance
– beim Erstellen eines neuen Client Zertifikat, eines neuen Server Zertifikats oder eines neuen GPG Zertifikats

In der näheren Zukunft wird die Software beim Login jeden User, der bis dahin nicht der CCA zugestimmt hat, auffordern der CCA zustimmen. Ab diesem Zeitpunkt wird man sich in der Software nur anmelden können, wenn man der CCA zugestimmt hat.

[Italian version]
Il Team di Sviluppo Software di CAcert ha completato il lavoro su un aspetto
cruciale per il lancio dell’Accordo della Comunità CAcert (CCA) [1].
L’accettazione del CCA è registrata ovunque all’interno del software ([2],[3]).

D’ora in poi ogni membro deve accettare la CCA all’interno del software nelle
seguenti occasioni:
* creazione dell’account di un nuovo membro
* accertamento di un altro membro, accertamento da parte di un altro membro
* creazione di un nuovo certificato client, nuovo certificato server o nuovo
certificato gpg

In futuro il software chiederà ad ogni utente, che non lo avesse ancora fatto,
di accettare la CCA all’accesso nel sistema.
Da quel momento in poi sarà possibile accedere nel software solo dopo aver
accettato la CCA.

[Spanish Verison]
El equipo de desarollo de software terminó el trabajo para alcanzar el importante hito del despliegue del CAcert Community Agreement (CCA) , Acuerdo de la Comunidad CAcert. [1] El acuerdo CCA se registra mediante el software. [2], [3]

Por ello, cada miembro necesita confirmar que acepta el CCA mediante el software en las siguientes ocasiones:
* En la creación de una nueva cuenta de miembro
* Cuando se asegura/certifica a otro miembro, cuando se es asegurado/certificado
* Creando un nuevo certificado de cliente, de servidor o GPG

En un futuro, el software preguntará a cada usuario que no lo haya aceptado hasta ese momento, cuando entre en el sistema. Después de dicho momento, solo se le permitirá el acceso después de aceptar el CCA.

[1] http://www.cacert.org/policy/CAcertCommunityAgreement.php
[2] http://svn.cacert.org/CAcert/Events/Public/pics/Big-Masterplan-To-Become-Audit-Ready-20130806.jpg
[3] http://wiki.cacert.org/Software/Assessment

Software Testers Reward Challenge – Your last chance …

The Software-Testers Reward Challenge 2011 is now running the last two days. So its your last chance to climb into the hall of fame.

The Software-Testers Reward Challenge will end Thursday, June 30th at midnight.

The software tester with the highest count of reports written related to the listed bugs under the Tester Portal receives a reward of 30 Euro. The 2nd one a reward of 15 Euro.

Each report under the listed bug numbers counts 🙂

Since Tuesday we have at least two new bugs added to the testserver that you can start testing:

  • Bug #942
    0000942: CATS import interface is not fit to handle non-Assurer Challenge tests
  • Bug #948
    0000948: Email address verification violates SMTP protocol
  • For Bug #827
    there is addtl. info available under wiki bug827 infos

Happy testing

Easter Egg Challenge 2011

Easter Egg
We’ve just started our this years Easter Egg Challenge … We’ve put a couple of patches on to our testserver CACERT1 for you, our fellow and our new Software testers. We’ve put light to heavy patches to the package so everybody is able to walk thru the testserver web pages and search our Easter Egg’s.
Continue reading

Software-Assessment-Project reached next milestone

Todays systemlog message marks the quantum leap in our about 10 months project work, to become the Software-Assessment area auditable.

As many Software-Updates are in the queue from the software developers, that needs testing and reviews by Software Assessors, the team started by end of last year with this project,

  • to build up a new ”controlled” testserver with authority by Software-Assessors
  • built up by the critical team as a Disaster Recovery testcase
  • a new central repository for all the upcoming software projects (including the New Software project BirdShack)
  • building a new test team running the software tests
  • and finalyze the process by a review of the patches by 2 Software-Assessors
  • document the patches, the testing, the review and the check by two Software-Assessors
  • to bundle the new Software-revision for transfer to the Critical team

The systemlog message signals, that the first tested and reviewed patches has received by the critical system webdb and is incorporated into production. A new tarball has been generated to build the next basis for applying the next patches.

So here my thanks goes to all the involved teams,

  • Software-Assessment-Project team
  • the new Software Testteam
  • the Critical Sysadmins team
  • and last but not least to the Software-Assessors from the Software-Assessment team

With all these people assistance, this project hadn’t be pushed to this milestone. Thank you Andreas, to build the project plan and the technical background, and also hosting the current testserver, Thank you Wytze for all your work to build the new testserver from scratch as identical as possible to the production server, to Michael, who assist us in deploying the new git repository and also assistance in deploying the Testserver-Mgmt-System, so everybody can start testing w/o the need of console access, Thank you Markus, for all your time and effort to deploy the repository and testserver environment and also your work together with Philipp as Software-Assessor, to finalyze the Software-Update-Cycle. Thank you Dirk for all your suggestions to move on with this project.

Some more work is todo:

  • adding a test-signer, so also cert related patches can be tested in the future (Andreas and Markus are working on this)
  • deploying a C(ontinous)I(ntegration) system for automated testing (Andreas is working on this).

Now the teams have to walk thru the list of open bugs, that needs to be pushed thru … First of all is the “Thawte” bug … to signal all users who’ve got their Thawte points transfered by the old Tverify program if they are effected by the points removal or if they are safe. The CCA-Rollout with a couple of patches, a list of new Policies and Subpolicies related patches (eg. PoJAM, TTP program), a list of Arbitration pushed patches, and so on …

So guys, lets have a party tonight, we’ve wiped out one of the biggest audit blockers!

The Big Masterplan to become Audit Ready

Back in January 2010 the former Board decided by Board motion m20100117.3 “No new subroots on current root, plan for new root”. In the discussion a date was scheduled by end of Dec 31, 2010. On my 2nd thought, probably nobody did recognize, what that means, CAcert's Big Masterplan To become Audit Ready (01/2010) to finish all the projects from the bottom left corner at beginning of 2010 to the top right corner by end of the year with the “New Roots and Escrow” (New Roots and Escrow) process running. So this article should bring Audits mistery to light.

Policy Group worked on the last few essential Policies (Policies on Policy Group), that are essential for the Audit. One essential requirement for Audit is to Rollout the CAcert Community Agreement to all the members, so they can decide to continue or to leave the Community. To become “CCA Rollout Ready” (CCA rollout), the running Software needs to be updated. This opens the next problem: by starting 2010, there was no Software Update Process defined, nor documented. But we’re on the lucky side, the Software-Assessment-Project started November last year to fulfill this requirement (Software-Assessment-Project). The task was: To get a repository system controlled by Software-Assessment team, a controlled testserver environment and a documentation system. Currently the team tests the transfer of a test patch to the production system. Involved parties: Software-Assessment Project team, Software-Assessment team and the Critical Sysadmins team.

CAcert's Big Masterplan To become Audit Ready (10/2010)
CAcert’s Big Masterplan To become Audit Ready (10/2010)

In the meantime, another issue pop’d up: the “Thawte points removal” with a deadline of Nov 16th, 2010. We’ve allready posted several blog posts on this topic. So also this is related onto the Software-Assessment-Project progress (Software-Assessment-Project).

The next topic is running Assurer Training Events (ATE) (Assurer Training Events). ATE’s are an essential concept in the Audit over Assurance (RA) business area. To scale a worldwide community, the community has to assist Auditors work in doing Co-Audits over Assurers. The question: How to contact groups of Assurers was answered back in 2009 with the ATE concept. The purpose of ATE is twofolded: first to communicate to the Assurers all the new informations and second to do Co-Audits. As Assurers follows the invitations to the ATEs we can expect, that they are more active in the community. So also from 2009 ATE experiences, we’ve got new resources from the community by contacts on ATEs (Get new resources). So this was the plan for 2010 ATE season, to find more people, who can help on the several tasks and projects that needs to be finished, before the new Roots and Escrow project and also the Audit can be (re-)started. E.g.

Helping CAcert

  • we are searching Infrastructure Admins for the Non-Critical Infrastructure systems, all running on Unix. Familiar with system migrations for the big Infrastructure project to separate Non-Critical from the Critical systems (The big Infrastructure Task). This project is running about 2 years, but currently without progress.
  • we are searching for Software Developers (C++, Python, Java) for the New Software project BirdShack (New Software Project BirdShack), that was started last year, after Auditors review of the Software that concludes: „Serious difficulties in maintaining, improving and securing.” and „Cannot form conclusion over software.”, so if the plan to start with the Audit over the old Software fails, we’re close to the 2nd path: BirdShack.
  • we are searching for Audit consultants who can assists in the Audit next step CrowdIt disclosure system (read AGM – Audit Report 2010 – CrowdIt. CrowdIt, as a sort of wordplay on Crowd-Audit). CrowdIt is an emerging disclosure tool (based on the old DRC browser).
  • we are searching people, who can assist us in the funding project (Funding project), that becomes the ground base for the New Roots and Escrow project (New Roots and Escrow) that should be keep tracked by an Auditor, and the re-start of the Audit (Audit over Assurance (RA) 1) and (Audit over Systems (CA) 2).

The New Roots and Escrow Project Relation to Audit

As said before, the New Roots and Escrow Project should be keep tracked by an Auditor. From the experiences back in 2008 on creating New Roots but fail on Roots Escrow, we’re warned to separate the Audit steps of the New Roots and Escrow Project (New Roots and Escrow) and the Audit over Systems (Audit over Systems (CA) 2). Both tasks should be close together.

On the other side, we have to do an Audit over Assurance (Registration Authority, RA) (Audit over Assurance (RA) 1). There is no requirement on bundling the RA Audit and CA Audit as both business areas have their own Policy sets and can be checked separately. This can make our work presumably easier. Easier to get Audit funding for Audit over RA. As Assurance area is closer to be Audit Ready, we can also signal to the Community Audit is back on track. This will probably push the other tasks. With a small budget we probably can double the result by getting new resources, “Hey, there is progress on the overall Audit task” – CAcert is back!