Team Reports 2022/2023
Team Leaders are encouraged to present a report for their team. (alphabetic order)
19 = Text from 2019 or 2020, please replace!
AffiliateProgramme
booking.com
booking.com – hotel booking portal
spreadshirt.de
This webshop with T-shirts, caps, mugs and more is run by secureU, a partner association of CAcert in Germany. The benefit is sent to us or used to pay bills for us. (Ru)
Amazon
Since April 2018, CAcert has Amazon Affiliates links. Unfortunately, there are different links for each different language/shop:
On the wiki, we have Google Ads in the top corner. To help CAcert, please allow your adblocker to show these ads. They are small, discreet and do not disturb you while writing or reading on the wiki.
Arbitration
Assurance
ATE
Audit Team
Critical System Administrator Team
On-site work
Outages of critical hard/software
Day to day operation
New processes/software
We implemented a new Go-based OCSP responder on ARM hardware. (jd)
We implemented a Git-based process for DNS zone changes (for cacert.com, cacert.net, cacert.org and the public reverse DNS zones). (jd)
Jan started work on a new signer implementation in Go with Smartcard/HSM support and a more robust serial protocol. The code is available at https://code.cacert.org/jandd/cacert-gosigner but needs more work before considering testing/production usage. We will need people who can review Go code. (jd)
Current status
Future outlook
Access Team
Education
EventsTeam
Infrastructure
We set up a new Git hosting platform for CAcert software that gives more transparency, better ways for contributions and keeps us independent of big corporations. The new system is available at https://code.cacert.org/. This system is used for the new Git-based DNS change process, the new OCSP responder code and the new OpenID Connect implementation. In the mid term we plan to decommission the old git.cacert.org and probably svn.cacert.org.
The new code.cacert.org system uses a Let's Encrypt server certificate. We have ongoing discussions to move more services to Let's Encrypt certificates. This will allow us to have whole services provided via HTTPS for all people, including those who are not part of our community yet or do not trust the CAcert CA certificates for other reasons.
We implemented a new mutual backup system between our infrastructure systems using a combination of LVM snapshots and Restic.
We upgraded most of our infrastructure systems to a recent and supported Debian release. Some systems that have no real admins (lists, irc) have been updated too.
We have two systems (wiki and translations) that still rely on Python 2 and are therefore kept at Debian 10. The Wiki software (moinmoin) is used by other projects (e.g. Debian itself) too and we will see whether there will be a Python 3 variant that will allow an upgrade of the wiki system. Translations uses the Pootle software, which has no active upstream. The infrastructure team suggests switching to Weblate. We suggest using the Hosted Weblate SaaS offering, as we have no active administrator for the translations system.
The board voting system at https://motion.cacert.org/ got a user management functionality. The secretary can now manage users and voting permissions via a Web user interface.
A big task of the infrastructure team was the implementation and setup of a new OpenID Connect implementation that exchanges CAcert client certificates for OAuth2 access tokens and OpenID Connect identity tokens. We use the Open Source Ory Hydra OAuth2/OpenID Connect API server and have a custom implementation of an identity provider as well as a demo application. The components are hosted at https://auth.cacert.org/ (Ory Hydra), https://idp.cacert.org/ (identity provider) and https://oidcdemo.cacert.org/ (the OpenID Connect demo application).
In August we started to set up a new externally hosted monitoring system. We started to set up a distributed Icinga2 monitoring setup with satellites on both infra02 and infra03. This work is not complete yet. We plan to share the Icinga master system with the critical infrastructure team. Critical systems will have their own satellites to ensure a clean separation of critical and non-critical systems.
We detected symptoms of aging hardware on both our systems, infra02 and infra03. A hard disk on infra02 died and one of the disks on infra03 shows SMART warnings. Dirk borrowed two SSDs for infra02 to allow continued operation. We strongly suggest replacing both servers with a single new, more capable system, but need enough budget to buy the system. Moving all containers from infra02 and infra03 to a new system will require some work too. (jd)
New Root & Escrow Project (NRE)
Organisation Assurance Team
Policy Group
During 2022/2023 (from 07-2022 until 06-2023 and even until 09-2023) there was no discussion in the policy group. (ru)
PublicRelations
Software Development Team
Support Team
Triage
- ca. 13-18 new messages daily
- one hack attempt to overflow Support/OTRS with thousands of spam messages
- several series of spam messages, about 10-20 messages each
Delete accounts
- still unable to delete accounts which issued any certificates
- now more than 50 such accounts are locked
- average delete requests: ca. 1 per 3 days
Advice
- average ca. 3 a week
- some advice is unsuccessful, as some users give up, e.g. when trying their password recovery
- recently many users want to know the deadline for renewing CAcert operation, info needed
Translation / Localisation
There was one activity by Ragon this year in German for the main page.
- completely translated: Spanish, Dutch, Czech, Italian, French, German
- translated 33-82%: Brazilian Portuguese, Swedish, Hungarian, Finnish, Japanese and Catalan.
Some activity at CATS translation in Dutch by Hamaryns, now at 49%.
- completely translated: French, German, English
- other languages welcome (ru)
Finance Team
secure-u e.V.
Secure-U is no longer active.