[libreoffice-website] Minutes from the Tue Oct 19 infra call

Participants
============
 1. guilhem
 2. Cloph
 3. Brett

Agenda
======
 * guilhem: anything pending for libocon videos sharing?
   + cloph: all good already
   + guilhem to save the pre-recorded videos and cancel the jibri box
 * gerrit sshd
   + https://lists.freedesktop.org/archives/libreoffice/2021-October/087900.html
   + mina sshd <2.7.0 are affected
   + gerrit 3.4 upgrades to mina sshd 2.6 only, so affected as well
   + cloph: Hossein upgraded logerrit to use EC keys already, so the problem only
     affects returning users — who are more likely to be technical or ask on #-dev
   → nothing concrete to do here
 * bullseye: 11.1 was released some weeks ago
   + guilhem: upgraded the baseline, no major issues; heads up
     - python2 was removed (affects mailman2 and planetplanet, possibly also some of
       our custom scripts in dev-tools) → proper fix is to port scripts to python3,
       not to keep unsupported python2 forever :-)
     - bullseye has PHP7.4 not 8.0 (somewhat better now but might bite us later in
       the recycle cycle)
     - guilhem: upgraded the [matrix] (newer synapse is better for federation with
       matrix.org) and jitsi boxes
     - guilhem: dunno how pg_basebackup work with multiple PG version (buster has 11,
       bullseye 13)
       . Brett: Should be fine since it is largely shell getting the wal files
     - guilhem: plan to upgrade other non-mission critical systems during what's left
       of 2021, then later proceed with hypervisors and mission critical guests
 * Useless X3 intermediate supplied by let's encrypt:
   + client-side validation issue (they should be happy with the one path that's
     valid) but older libssl choke on this
   + affects tinderboxes, temporary fix is to remove X3 from the chain on the server,
     or its issuer on the client (Brett, cloph: did that)
   + unclear why let's encrypt still adds X3 though as it can't be used in validation
     paths anymore
   → nothing concrete to do for now
 * pg backups:
   + Brett: removed barman from all boxes
   + Brett: haven't configured the copying logic — push vs. pull
     - let's go with push then, it's is more common
   + sftp -l postgres should land in a chroot so it doesn't access other host's DB
     - internal-sftp subsystem, cf. for instance this sshd_config snippet
       Match User backup-*
         AllowUsers backup-*
         AllowGroups *
         DisableForwarding yes
         PermitTTY no
         PermitUserRC no
         # Note: The chroot and all its parent directories must be root:root with mode 0755.
         ChrootDirectory %h
         ForceCommand internal-sftp
   + can be integrated with other backup solutions if we want to move away from
     rsnapshot
     - cloph, guilhem: not specially attached to rsnapshot
     - that's an intrusive change though, and can be done independently
 * 90 min downtime on friday in CH
   + 11:30 CEST til 13:00 CEST (UTC+2)
   + tb84 (mac mini) might be down until next day (housing's PW-button is not working)
   + but of course can also change the power-plan to power-on in the afternoon
 * Next call on Nov 16 at 17:30 UTC (DST change!)

-- 
Guilhem.

-- 
To unsubscribe e-mail to: website+unsubscribe@global.libreoffice.org
Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette
List archive: https://listarchives.libreoffice.org/global/website/
Privacy Policy: https://www.documentfoundation.org/privacy