Tag Archives: Update

CAcert’s infrastructure ready for the future

On Saturday, 13th of July 2019, in a joint operation, the CAcert Infrastructure Team and the CAcert Critical Team successfully updated the operating system of CAcert’s infrastructure in the Netherlands. The system is now running the Debian Buster OS release, which the Debian project released last weekend.

Timing

The teams started this morning at around 9:30 CEST and finished the upgrades at 16:30 CEST; some of our applications returned to service afterwards. The system is running smoothly now.

What is new?

The new OS release provides some features that are important for our infrastructure and will allow better operation of our applications in the future:

  • LXC has been upgraded from the somewhat primitive 0.8.0 pre-release to LXC 3.0.3, which has a proper API and better security and will help application administrators.
  • Firewalling/forwarding/NAT should now be faster than the old iptables setup. We still use ferm as a wrapper, but the CAcert Infrastructure Team is already considering switching to native nftables rules that will provide a similar but faster rule set.
  • Further details about this major update can be read on our mailing list.

CAcert Infrastructure Team Lead JanDD is happy that we could finish this big upgrade and implement all these changes for you. In a statement made early on Saturday evening, he again thanked Wytze from the CAcert Critical Team for his great support during the day.

The volunteers from these two teams worked for seven and a half hours today, Saturday, to keep our systems up to date. Join us in thanking them and donate now at your own discretion. Your donation will only be used to pay for the infrastructure (hosting, electricity in the data center). «I say thank you to Jan and Wytze and their team with a donation!»

If you find any issues that might be caused by the upgrade, feel free to file bugs on https://bugs.cacert.org/ (at project Infrastructure > Infrastructure hosts).

If you want to join one of our teams, please join the development mailing list or write to the secretary.

Stability of e-mail verification strongly improved

The e-mail verification on the CAcert web server has recently led to repeated support requests. An analysis of the log files in our data center showed that the corresponding error occurred more frequently. So we have to conclude that many CAcert users have been negatively affected. In order to avoid further negative effects, an emergency patch was deemed necessary by the Critical System Administrator Team.

The standardised review and testing of the emergency patch implemented yesterday is carried out afterwards by the regular teams, which can result in a formal blessing for this patch or a request for additional code or configuration changes. We would like to thank the Critical System Administrator Team for their quick and decisive action. All teams consist of volunteers. If you want to support the work done by the Critical System Administration Team and the review by the Software Team, please donate so that we can continue to run this service. Thank you.

Software-Assessment-Project reached next milestone

Today’s systemlog message marks the quantum leap in our roughly 10 months of project work to make the Software-Assessment area auditable.

As many software updates from the software developers are in the queue and need testing and review by Software Assessors, the team started this project at the end of last year:

  • to build up a new “controlled” testserver under the authority of Software-Assessors
  • built up by the critical team as a Disaster Recovery testcase
  • a new central repository for all the upcoming software projects (including the New Software project BirdShack)
  • building a new test team running the software tests
  • and finalize the process with a review of the patches by 2 Software-Assessors
  • document the patches, the testing, the review and the check by two Software-Assessors
  • to bundle the new Software-revision for transfer to the Critical team

The systemlog message signals that the first tested and reviewed patches have been received by the critical system webdb and incorporated into production. A new tarball has been generated to form the basis for applying the next patches.

So my thanks go to all the involved teams:

  • Software-Assessment-Project team
  • the new Software Testteam
  • the Critical Sysadmins team
  • and last but not least to the Software-Assessors from the Software-Assessment team

Without the assistance of all these people, this project could not have been pushed to this milestone. Thank you, Andreas, for building the project plan and the technical background, and also for hosting the current testserver. Thank you, Wytze, for all your work to build the new testserver from scratch, as identical as possible to the production server. Thank you to Michael, who assisted us in deploying the new git repository and in deploying the Testserver-Mgmt-System, so everybody can start testing without the need for console access. Thank you, Markus, for all your time and effort in deploying the repository and testserver environment, and for your work together with Philipp as Software-Assessor to finalize the Software-Update-Cycle. Thank you, Dirk, for all your suggestions to move this project forward.

Some more work remains to be done:

  • adding a test-signer, so that cert-related patches can also be tested in the future (Andreas and Markus are working on this)
  • deploying a C(ontinuous) I(ntegration) system for automated testing (Andreas is working on this).

Now the teams have to walk through the list of open bugs that need to be pushed through … First of all is the “Thawte” bug … to signal to all users who got their Thawte points transferred by the old Tverify program whether they are affected by the points removal or whether they are safe. The CCA-Rollout with a couple of patches, a list of patches related to new Policies and Subpolicies (e.g. PoJAM, TTP program), a list of patches pushed by Arbitration, and so on …

So guys, let’s have a party tonight, we’ve wiped out one of the biggest audit blockers!

Community 2010 March Update

  • 2010-03-30 New Roots task force offers SHA2 based roots/end user certificates for testing
  • 2010-03-30 Software-Assessment Project telco 2010-03-30
    • GIT as the future Software Assessment repository passed testing successfully
    • Testserver needs a Testserver Management System; action plans triggered to start a deployment
  • 2010-03-27 Walter Güldenberg appointed as Events Team Leader
  • 2010-03-26 Sysadmin team works out way forward for SNI, client certificate authentication and SSL renegotiation changes in browsers
  • 2010-03-26 Security Policy – Board vetoes Security Policy Draft regarding point 9.1.4.2. Coverage – Board citing conflicts with CAcert incorporated rules
  • 2010-03-25 Ongoing update of CAcert Officers list
  • 2010-03-24 First ATE in 2010 season: ATE-Sydney with 6 co-Audited Assurances and addtl. 14 interested Attendees
    • Discussions through email and irc about how to seed CAcert deserts. Plans for contacting Usergroups (existing IT related social networks)
    • mostly, area has many old SuperAssurers that will have faded away
  • 2010-03-21 Board Meeting 2010-03-21 “Determine Root escrow and recovery mechanism” review ends with no consensus
  • 2010-03-18 Rasika Dayarathna, our Privacy Officer, resigned due to lack of time. Looking forward to rejoining us later.
  • 2010-03-14 Boards Projects Overview Page started deployment
    • with this page, Board and also Community can get a better overview over the running and upcoming projects regarding Audit
    • currently active areas/projects:
  • 2010-03-13 Board Members allowed to serve on arbitration team again
  • 2010-03-06 Daniel Black gets appointed as Infrastructure Team Leader
  • 2010-03-06 Efficiency gain – Policy Officer empowered to perform minor adjustments to policy
  • 2010-03-06 CeBIT 2010 Big Assurance Event successfully completed after 5 days with a team of about 8 to 12 and more Assurers. CAcert was one of the 15 projects on the booth at the Open Source Project Lounge sponsored by Linux New Media.
  • 2010-03-03 Co-Audited Assurances Program finalized and starts at CeBIT 2010

Contributions to this Community Update by: Ian, Daniel, Uli

Community 2010 February Update

  • 20100221 Markus Warg appointed to Software Assessment.
    * He is now the 2nd team member in a new team that will be formed under the “Repository Project” by Andreas Bäß
    * Also involved in this project is the Critical sysadmins team, for building up the servers and software that will become the testing and staging servers.
    * Also to practise system recovery from scratch
    * Also to prepare a proposed system upgrade
    * These are the first results from the Software MiniTOP Essen Dec 16th 2009
  • 20100221 UlrichSchroeter appointed as Assurance Officer
    * Board accepts Sebastian’s resignation as Assurance team leader, and thanks him for steering the ship over the last year. Sebastian remains on the Assurance team! Board appoints Ulrich as team leader, formally Assurance Officer within the meaning of the Assurance Policy.
  • 20100221 Michael Tänzer appointed as Support Officer
    * Board appointed Michael as support team leader and accepts Ian Grigg’s resignation as support team leader.
    * (Formally, as Support Officer within Security Policy.)
  • 20100213 Software MiniTOP Offenbach Feb 13th 2010
    * Current State of “Repository Project”
  • 20100206 Assurance MiniTOP Brussels Feb 6th 2010 – on the Agenda were several topics
    * Assurance – Tasks for coming weeks.
      • Plan for Events.
      • Submit review to board.
      • new AO and EO to board.
      • prepare CeBIT.
      • finish Co-auditing Programme for 2010, in time for CeBIT.
    * CeBIT
    * Roles
    * Support
    * ABC interviews
    * Recruitment
    * Co-Audit
    * Defining the Co-Auditor
    * co-Audit Team
    * co-Audit preparation

  • 20100201 p20100119 PoJAM to DRAFT resolved.
    * https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html
    * Now the Subpolicy is binding on Assurers for assuring minors and also for minors to be Assurers.
    * This is the first policy in a series of subpolicies under AP that comes back after all special assurance programs became frozen.

You will find further Community Update news in the Wiki Community Update

December 2009 Community Update

  • 20091221 Nick Bebout: Resignation as Dispute Resolution Officer (DRO)
  • [Poll for AGM day] (Fr,Sa,Su?) Inc Members, please vote! (finished)
  • 20091220 Board Meeting
    • “process of software review” ends with the motion: m20091220.2, propose 4 people, and to request ABCs
    • Support is proceeding to bring in Triage people. 3 ABCs have been completed. Michael Taenzer, Martin Schultze, Wolfgang Kasulke are now complete, so t/l-support will probably propose them for Support Engineer.
    • Arbitration: “That, given m20090811.1, and today’s informal information that some arbitrators are non-working, board requests an immediate update of the state and health of the Arbitration system from DRO, with a view to changing the roles and re-invigorating the process.”. Motion m20091220.3 carried
    • Update on Finance: No Annual General Meeting schedule yet (Update: Board meeting Jan 3rd: AGM is on Jan 30th)
    • Minutes 20091216 Essen Software MiniTOP
      • Software, repository: Repository is up and going. Haven’t got the test system, just the developer system. We expect to have everything together by end of January.
      • Birdshack doco
      • Root ceremony: In order to re-do this process, we have to do: planning, collection of the people, budget, hardware, and also to come up with a new concept for protection of the root. This latter is important, and the whole thing will need to be serious and documented for presentation to a new auditor.
    • Hamburg Assurance mini-TOP 20091215 results with three new Special Assurance programs proposals
  • 20091215 Confirmation received for a booth at the CEBIT 2010. CAcert gets this sponsored booth from Linux New Media (Cebit Open Source) (CEBIT Event Organisation)
  • 20091211 Support Team declares reaching a milestone in clearing out the support Inbox. All that’s left is the future!
  • 20091205 Confirmation received for a booth at the FOSDEM 2010 6-7 Feb 2010, Brussels Belgium. (FOSDEM Event Organisation)

Original Wiki Post 2009 December Update

2009 November Community Update

Original Wiki Post 2009 November Update