| Time | Nick | Message |
|---|---|---|
| 16:02 | hhardy | #topic Agenda |
| 16:02 | _dogi | hi all |
| 16:02 | hhardy | <- glares at bot |
| 16:02 | edmcnierney | hello, _dogi |
| 16:02 | hhardy | lol |
| 16:02 | Purpose of the VIG -- discussion of "make the sysadmin's life easier" | |
| 16:02 | Improving documentation process and availability wiki git | |
| 16:02 | Adric rt report | |
| 16:02 | Future of VIG and OLPC community | |
| 16:02 | New Business | |
| 16:02 | oops before new business | |
| 16:03 | multiple-wiki-discussion | |
| 16:03 | who is here beside edmcnierney and dogi and ffm? | |
| 16:03 | nada ok | |
| 16:04 | _dogi | hmm |
| 16:04 | cjl | hides in corner |
| 16:04 | hhardy | first question is to discuss the previously agreed "purpose of the VIG" per the VIG page |
| 16:04 | ah hi cjl | |
| 16:05 | cjl | hi |
| 16:05 | hhardy | * Make the sysadmin's job easier |
| 16:05 | * Improve the infrastructure systems through "many hands/many minds" | |
| 16:05 | * Strengthen ties with the community | |
| 16:05 | Dogi and I had agreed some better wording but couldn't remember it the next day | |
| 16:06 | the important point is that we hope that by using the community we can reduce the need for paid sysadmin staff support and free up those people to do other things for the project | |
| 16:06 | _dogi | but only for make the sysadmins job easier ... |
| 16:06 | hhardy | it isn't about "I don't feel like working let the volunteers do it" |
| 16:07 | edmcnierney | To some folks, that's what "Make the sysadmin's job easier" sounds like. |
| 16:07 | lfaraone | hhardy: and give people the warm and fuzzies for helping maintain OLPC's infra. (and the resume-stuffers) |
| 16:07 | edmcnierney | (although I think the best way to make the sysadmin's job easier is for HP to ship a working printer ;) ) |
| 16:07 | _dogi | lol |
| 16:08 | hhardy | so if someone can come up with some suggested wording we can improve that |
| 16:08 | lol | |
| 16:08 | cjl | hhardy: I see two slightly different ways in which this happens. 1) take things off plate of staff ro complement time coverage on monitoring systems 2) do things that are good, but wouldn't get staffed. |
| 16:08 | hhardy | #topic Purpose of the VIG -- discussion of "make the sysadmin's life easier" |
| 16:09 | I want to concentrate more on 1 than 2 but yes | |
| 16:09 | cjl | hhardy: 2 is the carrot that gets dangled :-) |
| 16:10 | hhardy | if I wanted my job to be sysadmin + mai tais ont he beach I should move back to Santa Cruz... |
| 16:10 | thats not a horrible idea actually :) | |
| 16:10 | cjl | hhardy: another critical element is sharing knowledge and skills |
| 16:10 | hhardy | thats good |
| 16:10 | adric | squeaks, "Sorry, running a few minutes late, as the print queue was holding my check :) I'll be home in a few and back then." |
| 16:10 | cjl | An advisory resource |
| 16:11 | actually gets paid to advise software company on beaches, most recently in Roatan Honduras :-) | |
| 16:11 | _dogi | empower the community to help the sysadmins ... |
| 16:11 | hhardy | just as long as it isn't Croatan, VA :) |
| 16:12 | dogi: yes were agreeing on something like that | |
| 16:12 | so this could go into the mailing list or discussion of the VIG wiki page | |
| 16:12 | edmcnierney | cjl: If I were in Roatan I wouldn't be wasting time on the beach - I'd be underwater! |
| 16:13 | cjl | edmcnierney: Wife and I got our PADI Open Water cards :-) |
| 16:13 | edmcnierney | cjl: Whale sharks - yum. |
| 16:13 | hhardy | ahem moving right along :) |
| 16:13 | edmcnierney | hhardy: Are we off-topic? |
| 16:13 | cjl | little advising went on underwater though, that was at beach bar |
| 16:13 | hhardy | #topic Improving documentation process and availability |
| 16:14 | cjl | hhardy: Much of that is you reviewing internal wiki things? |
| 16:14 | hhardy | right now most of the interesting/useful documentation for sysamdin is on internal wiki |
| 16:14 | volunteers don't have access, and its fairly useless when wiki itself or network is down | |
| 16:15 | cjl | Just as an FYI, I am creating an RT training resource on teamwiki (mostly of use to SG) http://laptop.org/teamwiki/index.php/RT |
| 16:15 | lfaraone | hhardy: can it be moved to teamwiki? (under a sysadmin: namespace, maybe?) |
| 16:15 | hhardy | suggestion is: move to a more accessible wiki, either a section on teamwiki or a new wiki on a new virtual machine |
| 16:15 | _dogi | bingo |
| 16:15 | cjl | teamwiki (if possible) |
| 16:16 | hhardy | 2) use wget to make a static copy daily, and commit it to git |
| 16:16 | so we can have checked out copies locally when everything is down | |
| 16:16 | discuss | |
| 16:16 | 2) is more of a priority for me than 1 | |
| 16:16 | m_stone | how well does it meet the requirements set out at http://wiki.laptop.org/go/User[…]/Infrastructure_1 ? |
| 16:17 | lfaraone | hhardy: we need a private git tree then... |
| 16:17 | hhardy | mstone: do you feel that git insures data integrity? |
| 16:17 | a wiki certainly doesnt | |
| 16:17 | in that many people can write to it | |
| 16:18 | m_stone | hhardy: I think it does okay, if you put the right data into it and use signed tags when appropriate. |
| 16:18 | hhardy | we dont have a written threat model as far as I know, there is only the rough diagram mstone and I made on the whiteboard about 6 months ago |
| 16:19 | _dogi | :) |
| 16:19 | hhardy | mstone would you be happier if "official" docs were gpg-signed? |
| 16:19 | m_stone | (I don't want to take over this discussion, by the way. it's your discussion. I just want to point out that, when deciding on a system, you ought to judge it according to the criteria you helped me write up!) |
| 16:19 | hhardy | mstone: agree and thanks for reminder |
| 16:20 | lfaraone | hhardy: wikis _do_ provide integrity,. |
| 16:20 | hhardy: we have verification on who wrote what, and it's all private(ish) | |
| 16:21 | hhardy: (imho, we should REQUIRE https for team and internalwiki, but w/e) | |
| 16:21 | hhardy | #IDEA require https for critical/secure docs |
| 16:22 | m_stone | lfaraone: just for humour: are you familiar with geeki-geeki? |
| 16:22 | cjl | teamwiki (as a closed wiki) is reasonably good at ease, integrity, (timely addressed with git push) credential, publish, trail |
| 16:22 | lfaraone | m_stone: quite. |
| 16:22 | m_stone | lfaraone: the best of both worlds! :) |
| 16:22 | lfaraone | m_stone: I've browsed bernie's site. |
| 16:22 | http://www.codewiz.org/wiki/GeekiGeeki | |
| 16:23 | hhardy | ok rough count on teamwiki vrs new wiki isntance |
| 16:23 | teamwiki: | |
| 16:23 | +1 | |
| 16:23 | _dogi | ... ikiWiki ??? |
| 16:23 | cjl | teanwiki |
| 16:23 | _dogi | mom hardy |
| 16:23 | lfaraone | hhardy: +1 |
| 16:23 | _dogi | -1 |
| 16:23 | thx for have me made my points | |
| 16:23 | hhardy | and for new wiki instance: |
| 16:24 | edmcnierney | abstains |
| 16:24 | hhardy | I think teamwiki is more of a consensus |
| 16:24 | _dogi | i like more the idea that we set up a new wikiinstance maintained by the VIG |
| 16:24 | m_stone | hhardy: w/ 2/5 approving? |
| 16:24 | hhardy | however I dont object if we have a "backup wiki" |
| 16:25 | _dogi | i dont want to every user of the as sysadmin |
| 16:25 | m_stone | ah, 3. |
| 16:25 | missed cjl. | |
| 16:25 | _dogi | +VIG |
| 16:25 | cjl | dogi, why when there is already a wiki that has needed features? |
| 16:25 | _dogi | no |
| 16:25 | no wiki maintained by VIG | |
| 16:25 | lfaraone | _dogi: we have per-namespace access control. |
| 16:26 | _dogi: only ppl we approve can see our stuff. | |
| 16:26 | _dogi | but only admins can add users ... |
| 16:26 | cjl | I have teamwiki access only to Team space, beleive me I've checked :-) |
| 16:26 | adric | If the public wiki (main one) is down, where will we be looking for our documentation? |
| 16:26 | m_stone | lfaraone: (for the record, with the integrity question -- I was really asking how you'd detect disk failure, or DB-hacking) |
| 16:26 | hhardy | thats 2) above, look at your local static copy checked out of git |
| 16:26 | lfaraone | adric: teamwiki isn't our main wiki |
| 16:27 | _dogi: hhardy is an admin. | |
| 16:27 | m_stone | lfaraone: (not data entry by normal means by unauthorized persons) |
| 16:27 | lfaraone | m_stone: oh. well then... no, we wouldn't know. |
| 16:27 | adric | lfaraone: S'not? Okay.. I admit to spending very little time on Teamwiki |
| 16:28 | cjl | adric: Here is Team manin page http://laptop.org/teamwiki/ind[…]hp/Team:Main_Page |
| 16:28 | _dogi | i dont like to start the vote bevor all person had spoke ... but .... this is hhardy style not mine ... |
| 16:28 | hhardy | ok dogi who had not spoken? |
| 16:28 | cjl | dogi, Can you explai nwhat advantage a new wiki has over existing Teamwiki? |
| 16:29 | adric | cjl: hmm, login still work, once i remember that I'm adric there, not adricnet |
| 16:29 | hhardy | people are carrying out a discussion, its not a vote per se |
| 16:29 | cjl | trying to cut infrastructure tasks with Occam's Razor |
| 16:29 | hhardy | what cjl said! |
| 16:30 | cjl | adric: pro forma evidence tha security on teamwiki is adequate :-) |
| 16:30 | hhardy | the lockout extension is not foolproof |
| 16:30 | lfaraone | hhardy: lockdown* |
| 16:31 | hhardy | lockdown |
| 16:31 | "If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job." | |
| 16:31 | lfaraone | hhardy: which is why I think that http://www.mediawiki.org/wiki/[…]gGroupPermissions is more secure |
| 16:31 | adric | What sorts of secrets are we trying to protect .. oh, it's integrity, not confidentialty so much... hmm |
| 16:31 | hhardy | http://www.mediawiki.org/wiki/Extension:Lockdown |
| 16:31 | lfaraone | hhardy: (the latter is a mediawiki-builtin function) |
| 16:32 | hhardy | adric: yes |
| 16:33 | #topic Adric rt report | |
| 16:33 | anything new besides the nice RT docs going up? | |
| 16:33 | adric | I don't have any news. There is one point I'd like to ask about. |
| 16:34 | docs? | |
| 16:34 | cjl | adric: on teamwiki :-) |
| 16:34 | I'm doing an intro to SG RT tasks | |
| 16:34 | hhardy | whats that link again? |
| 16:35 | adric | The SSH bug that I hi on rt (production) that stopped me cold last time I had time to work on rt-sandbox has not been fixed. |
| 16:35 | hhardy | I'm getting better at setting up custom autoresponders and scripts in RT |
| 16:35 | cjl | http://laptop.org/teamwiki/index.php/RT |
| 16:35 | adric | cjl, hhardy Yay |
| 16:35 | hhardy | WB dogi |
| 16:36 | adric | cjl: Wow, that is cool! Was there mail on that I missed? |
| 16:36 | dogi | back |
| 16:37 | cjl | adric: It has been going up over past three days, with help from Culseg, will announce wider soon. |
| 16:37 | adric | So, should i just upgrade the packages to patch the bug, on the prod system? Or work around the flaw and keep working on the sandbox? |
| 16:37 | hhardy | cheers for cjl and culseg |
| 16:37 | cjl | adric: ticket number in RT of SSH issue? |
| 16:37 | hhardy | adric: ticket on the bug? |
| 16:37 | adric | cheers! |
| 16:37 | http://rt.laptop.org/Ticket/Display.html?id=26233 | |
| 16:38 | hhardy | we should update openssh on the rt virtual machine |
| 16:38 | adric | two week old ticket on a 8+ month old bug |
| 16:38 | cjl | Well if that is blocking any forward motion on RT, that is a problem. |
| 16:38 | hhardy | I will up priority |
| 16:38 | adric | I tripped over it. There's a workaround... |
| 16:39 | It is really the greater issue that concerns me. | |
| 16:39 | cjl | hhardy: I know SJ and holt are anxious to see RT upgrade |
| 16:39 | hhardy | oh I already made it 30... |
| 16:39 | adric | cjl: Then obviously they need to hire some more help. |
| 16:39 | hhardy | adric: thats a non starter for now |
| 16:39 | adric | hhardy: Okay, sure, then so is most of what we are trying to do here. *shrug* |
| 16:39 | hhardy | we are in the "do more with less" mode |
| 16:39 | cjl | adric: Well, that is what VIG is heere to try to alleviate (somewhat). |
| 16:40 | adric | And that is why this rant is on-topic. |
| 16:40 | hhardy | lol |
| 16:40 | adric | There is no other mode, in this crappy business, that I've witnessed *fume*. People want the their computers to do miracles , for free. |
| 16:41 | cjl | Ther will always be a need for OLPC sysadmin actions as blockers for big things, the goal would be to take other things off the plate to allow them to handle those blockers on a timely basis. |
| 16:41 | hhardy | I will be on vacation next week, adric if you want to ping me we can see what we can do about openssh on rt |
| 16:41 | that is you can ping me this week on it or wait till Jan | |
| 16:41 | adric | shrugs. |
| 16:41 | I have had to stop caring. | |
| 16:41 | hhardy | *hug* adric |
| 16:41 | adric | I can patch the machine if you want, but I won't be able to fix it if it breaks something critical. |
| 16:41 | cjl | blows pixie dust in adric's direction. |
| 16:41 | hhardy | you dont have to stop caring just dont carry your hurt around and use it like a shield |
| 16:42 | adric | Thanks. I am only letting myself type this crap in the hope some one has an idea here. |
| 16:42 | hhardy | open hearts open minds :) |
| 16:42 | adric | Busy people, other projects. |
| 16:42 | cjl | adric what do you assess the risk of patching to be? What is time cost of "real" soultion? |
| 16:42 | hhardy | adric do you have a copy of "The Devil's Dictionary?" |
| 16:43 | adric | Anyway, that's enough time wasted. Apologies. |
| 16:43 | hhardy | seems like you could use one :) |
| 16:43 | adric | Bierce is usally available online? |
| 16:43 | hhardy | yes |
| 16:43 | one of my favorite authors | |
| 16:43 | adric | cjl: It's a crypto weakness. All communications to, and some from, the server are in danger of compromise. |
| 16:43 | cjl | adric: thjat is risk of NOT patching. |
| 16:44 | What is risk that patching will break something (that anyone will notice) | |
| 16:44 | adric | the patch will upgrade the opensll libraries and openssh binaries and blacklist (block!) connections from unpatched machines |
| 16:44 | If there are other OLPC machines unpacthed they will no longer be able to SSH and possibly SSL to this server (the rt instance on solar) | |
| 16:44 | hhardy | it is pretty straightforward just we will first back up everything in case of some odd occurance |
| 16:44 | adric | Thats the forseen consequences. |
| 16:44 | cjl | ah, that sounds like a potential risk that can be quantified and mitigated. |
| 16:45 | adric | the unforseen is something tha linked to a specific version of a library could break. |
| 16:45 | hhardy | most/all of the production machines have the ssl bug fixed |
| 16:45 | adric | And yeah, you guys know this stuff better than I do, |
| 16:45 | cjl | RT is running on a VM? |
| 16:45 | hhardy | yes a vserver on solar |
| 16:45 | adric | vserver instance .. a directory |
| 16:46 | cjl: Thats' in the public RT page :) *tease* | |
| 16:46 | hhardy | lfaraone: what was your topic again? sorry it scrolled up and I'm too lazy to parse the log to find it |
| 16:46 | cjl | Just spitballing here, but other than mail-service pointers, there shouldn't be a lot of interaction with other systems should there? |
| 16:47 | adric | Instance solution probable. process changes? ... |
| 16:47 | hhardy | cjl: yes |
| 16:47 | adric | I can't think of any, other that what we're doing |
| 16:47 | hhardy | the server key will change, everyone with strict checking anabled will be locked out till they update the key |
| 16:48 | afk 2 min | |
| 16:48 | adric | correct. |
| 16:48 | lfaraone | hhardy: multiple wikis off a single codebase. |
| 16:48 | cjl | Downside risk of not patching. Long known vulnerability to security issue with well-known fix. Blocked on m,oving RT upgrade forward |
| 16:49 | edmcnierney | Can we accurately enumerate "other OLPC machines" that need to connect? |
| 16:49 | adric | Anywho. I ahve to deal with this kind of nonsense and worse at $paying_job, so I'm unhappy to see it here too. If IT isn't given resources, users should stop asking for features. |
| 16:49 | cjl | Downside of patching. Low likelyhood of RT system (probably no other system) disruption until restoration to status quo ante is possible. |
| 16:50 | adric | yeah, we could break production RT somehow for .. a few minutes while we roll it back |
| 16:50 | lfaraone | that's not that bad. |
| 16:50 | the mail will be queued. | |
| 16:50 | adric | (this is not specifically a VIG problem. ask me about handbills) |
| 16:50 | lfaraone | And our replys can wait. |
| 16:50 | adric | mail coming in will be queued, webui would be unavailable, yeah |
| 16:51 | hhardy | edmcnierney: those machines from which adric and I might ssh |
| 16:51 | I want to get to lfaraone's point if thats ok | |
| 16:51 | edmcnierney | hhardy: Yes, I understand the description of the machines - I asked if we could enumerate them (make a list). |
| 16:52 | hhardy | yes I can as far as I know they are allready all updated and I understand how to delete old key from known_hosts |
| 16:52 | primarily in my case, thinker.laptop.org | |
| 16:52 | dogi | edmcnierney: i have a picture on my machine |
| 16:52 | hhardy | a gdk is here quick let's hide! |
| 16:52 | edmcnierney | dogi: Thanks |
| 16:52 | gregdek | lol |
| 16:53 | cjl | Then making a list and testing immediately post RT SSH patch should vcover testing to see if rollback (or other work around) might be needed |
| 16:53 | dogi | and hhardy: http://wiki.laptop.org/go/User:Dogi/VIGwiki |
| 16:53 | edmcnierney | cjl: +1 |
| 16:54 | hhardy | dogi: https works fine on teamwiki for me |
| 16:55 | dogi | ups |
| 16:55 | hhardy | #topic http://wiki.laptop.org/go/User:Dogi/VIGwiki |
| 16:55 | opps | |
| 16:55 | lol | |
| 16:55 | #topic multiple wikis off a single codebase. | |
| 16:55 | lfaraone you have the floor | |
| 16:56 | lfaraone: yo | |
| 16:57 | we will come back to this | |
| 16:57 | #topic Future of VIG and OLPC community | |
| 16:57 | lfaraone | is back. |
| 16:57 | heh. | |
| 16:57 | hhardy | ah ok |
| 16:58 | #topic multiple wikis off a single codebase. | |
| 16:58 | lfaraone: you have the floor | |
| 16:59 | lfaraone | Ok, if/as OLPC/SL decides to host additional wikis (for say.. spesific languages or groups) it can quickly become unwieldy to maintain all of those codebases. |
| 16:59 | This was per a SL thread on hosting wikis for local labs. | |
| 16:59 | I just wanted to throw http://www.mediawiki.org/wiki/Manual:Wiki_family out there. | |
| 17:00 | hhardy | #link http://www.mediawiki.org/wiki/Manual:Wiki_family |
| 17:00 | lfaraone | (I'm not sure wheter 1cc wants to use separate wikis for different languages etc) |
| 17:00 | hhardy | I would like to see unified wiki with language localization, I think SJ favors a wiki for each language ala wikipedia |
| 17:01 | lfaraone | Fortunately we've also implemented openID, so that allows people to link their wiki accounts with another. |
| 17:01 | hhardy | I dont know what the building thinks... |
| 17:02 | lfaraone | (http://www.mediawiki.org/wiki/[…]nsion:CentralAuth is what WMF uses, but that's SSO, not OpenID, and it's limitted to the 1CC network) |
| 17:02 | hhardy | this dovetails with my last item which I will pose as a thought-problem |
| 17:02 | #topic Future of VIG and OLPC community | |
| 17:03 | I the manga "Ghost in the Shell: Stand Alone Complex (;»_Պ) there is a concept of a "vanishing mediator" | |
| 17:03 | someone/thing which sets in motion a social movement then vanishes from the stage | |
| 17:04 | Can OLPC be such a vanishing mediator, can we eventually push out everything to the community/movement? | |
| 17:04 | if so how | |
| 17:05 | adric | Well, Prof N got Sugar out the door already, what's next? |
| 17:05 | hhardy | yes what next |
| 17:06 | cjl | hhardy: Having watched the series on CartoonNetwork, I am frightened by the possibilities you may be envisioning. |
| 17:06 | hhardy | nothing so apocalyptic I hope |
| 17:07 | adric | They didn't get the nukes out until the sequel, right? |
| 17:07 | hhardy | Dogi and I are off next week |
| 17:07 | adric lol | |
| 17:08 | adric | I think we have too much to do to get things running soothly in house to work on this now. It should remain a guiding principle. |
| 17:08 | hhardy | someone want to volunteer to facilitate the next meeting? |
| 17:08 | I will try to check in but not sure if I will have internet access | |
| 17:08 | cjl | hhardy: Let's call it a by-week |
| 17:09 | hhardy | ok so we will say no formal meeting next week but please feel free to congregate on here and hash things out |
| 17:09 | edmcnierney | hhardy: I could volunteer, but I think cjl's got a good suggestion - attendance will be thin. |
| 17:09 | hhardy | agree |
| 17:09 | lfaraone | hhardy: oh, and who's currently using teach.l.o? |
| 17:09 | hhardy | bunch of people, mstone admins it |
| 17:09 | lfaraone | hhardy: it's currently in a state of disrepair, and prolly needs rebuilding. |
| 17:09 | hhardy | send ticket |
| 17:09 | pls | |
| 17:10 | be specific on whats broken | |
| 17:10 | lfaraone | hhardy: when I run yum update: |
| 17:10 | Error: Missing Dependency: libdvdread.so.3 is needed by package mencoder | |
| 17:10 | hhardy | Thank you all for your help and support it means a lot to me |
| 17:10 | lfaraone | hhardy: among a host of other dep-hell problems. |
| 17:10 | hhardy | and OLPC is important it brings hope to the whole world |
| 17:10 | cjl | lf file ticket |
| 17:11 | hhardy | so *hug* to all |
| 17:12 | #endmeeting |