To Software Software - To Software-Assessment - Software/Assessment - To previous meeting - To next meeting

Minutes of the MiniTOP on the 2011-04-19

Setting

The MiniTOP will be held via telco 22:00 CEST

Attendees: Dirk, Martin, Ted, Uli, Marcus

Topics

Action items from last meeting Meeting Action Items

new items in last meeting:

Arbitration case a20110312.1
- Ted: perl script trigger to critical team by ted
- dirk: /pages/account/.. 4.php, 17.php to combine ?
Ted: triage test on CATS (Update), probably upcoming week
Bug #637: Password suggestion always the same. Proposed solution.
- dirk: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
- marcus: start dispute, first test: sql-query, to be verified by 2nd SA: select count(*) from users where password='xxx';
Arbitration case a20110312.1
State Testserver Update
- Current Patches on Testserver:
  - "Thawte" patch Bug# 827
  - Prepare Easter Eggs Bug# 921 also for PR - blog post, find new testers
triage test on CATS (Update)
strategy plans ...
- strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- pragmatic solution proposed
Bug #637: Password suggestion always the same. Proposed solution.
CI new product
next meeting: Tuesday, April 26, 2011 22:00

Minutes

Magu: has new product under test, app.test, eclipse based
- has deployed a Hudson installation
Action Items
- Ted, triage test on CATS (Update), probably upcoming week
  - finished
  - transfer of TRIAGE results to webdb is currently commented out, not active, but CATS is still active
  - OA test is only avail on test1
- Marcus: Bug #637 Weak Password: start dispute, first test: sql-query, to be verified by 2nd SA -> a20110413.1
  - 1st step: Quick fix: reject default pwd
  - 2nd step: to fix current effected accounts, to be handled under arbitration
  - Michael: index old id=1 is join form, check pwd in /includes/general.php
  - Dirk: 1.php, 6.php, 14.php modified
    - send info to users, weak pwd, please replace pwd
    - 1 month deadline, running script to set randam pwd
    - addtl. query to crtical team:
      1. when last logged-in ?
      2. accounts assured ?
  - Michael: to add a new branch within git
    - git fetch (current state between server and local)
    - git checkout -b bug-637 origin/release
    - further documentation by Michael
  - Request Michael to Uli: to write request to Markus, Andreas to create new cacert1 image and set url for download
  - dirk Bug #637 Weak Password: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)
    - bug#637 files send by dirk, reviewed by Michael, pushed to branch, pushed to master, checked-out to testserver, part I + II
    - part I: removal of text
    - part II: to push users to replace their pwd
    - next steps: arbitrator to decide, how this case should be handled eg mailing, how to handle unused accounts and so on
    - arbitration: file dispute, who ? Michael, what ? see above step 2
- Arbitration case a20110312.1, bug#918
  - perl script started, runs long time, result sent by Wytze
  - scipt is ok, one run 9 hours !
  - if web code fixes on production then script can be run on production
  - mailing script is pushed to git
  - some tests has been made, Hanno also involved in testing but no report, only keys < 1024 blocked
  - review of patches:
    - perl script by ted, reviewed by michael
    - mailing script php by ted, reviewed by Michael
    - patches to block weak keys by michael, needs to be reviewed -> Ted
  - dirk: a20110312.1 /pages/account/.. 4.php, 17.php to combine ? no update
    - michael briefs dirk
    - call 17.php from 16.php, call 4.php from 3.php
    - add/replace code with include(/includes/keygen.php) within 4.php + 17.php under bug#918
- Dirk: 15.php, not updated
- Michael: add SA's to Admin in bugs for customizing, mail to Philipp, Andreas, Mario
  - email to write, within session, mail sent
Bug#921, Michael will review Wed and add to testserver
- Uli to prepare blog post
Bug#897 HowManyPoints
- patch by Uli, first review by Michael, needs 2nd review
dirk has new xen vm, trafic limit 1 or 5 TB, 4 ip's, and IPv6 for 10 EUR, alternate for hosting ?
- no concensus, probably for Non-Critical not interesting as each of the Non-Critical machines are VMs by itself
strategy plans ...
- strategy for: "Certificates Class3" problem and "New Roots & Escrow"
- pragmatic solution proposed
- Michael: class3 renew ?
- Dirk: board motion, no new class3 cert
- Michael: to wait for new roots & escrow is probably no option
- Dirk: current class1 + class3 on testserver, test class3 replacement on testserver, what are the changes to do ?
- Michael: changes to do:
  - /etc/ssl/openssl-ca.cnf algorythm to replace line 30 default md5 to sha1
- Dirk: revocation list, and renewal of keys ?
- Class3 replace test after Eastern
- Uli: tester to inform regarding class3 certs creation in mailing regarding bug#921
next meeting: Tuesday, April 26, 2011 22:00

Fixed Action Items since last Meeting

Ted	a20110312.1 perl script trigger to critical team	{+}
Ted	triage test on CATS (Update), probably upcoming week	{+}
dirk	Bug #637 Weak Password: will take care about text removal (general.php check pwd proc, text /pages/index/1.php)	{+}
Marcus	Bug #637 Weak Password: start dispute, first test: sql-query, to be verified by 2nd SA -> a20110413.1	{+}
Michael	update to Hanno	{+}
Michael	add SA's to Admin in bugs for customizing, mail to Philipp, Andreas, Mario	{+}
Dirk	strategy for: "Certificates Class3" problem and "New Roots & Escrow" contact root cert group new plan: signer class3 test on cacert1	{-}

Action items: Meeting Action Items

Action Items New

Uli: to write request to Markus, Andreas to create new cacert1 image and set url for download
Ted: bug#918 patches to block weak keys by michael, needs to be reviewed
Michael: Bug #637 Weak Password, file dispute regarding 2nd step: to fix current effected accounts, to be handled under arbitration
Uli: added patch bug#637 onto testserver, update testers portal, notify tester group
Michael: Bug#921 review on Wed and add to testserver
Uli: add patch bug#921 onto testserver, update testers portal, notify tester group, publish blog post "Easter Eggs"
Ted, Markus, Dirk: Bug#897 2nd review
Uli: tester to inform regarding class3 certs creation in mailing regarding bug#921

Software/Assessment/ActionItems

all	proposed Apache config SSLCipherSuite settings for CAcert SSL enabled infrastructure systems see also BEAST migration https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls Proposal from Sysadm list 2013-09-06	{0}
SA	documentation server cert design concept to SystemAdministration/Systems/Development/Prepare	{0}
all	review Software patches Update Cycle	{0}
BenBE, Marcus	documentation: developer git repos under github bug #1131 history @ github CAcertOrg @ github started under Software/Assessment/Documentation/UpdateCycle/step1	{0}
NEO	BenBe: request: htttps header on bugtracker bug #1116	{0}
all	read x509 guide	{0}
all	bug#1068 blog problem (also relates to community) debian lenny - edge - squeeze upgrades needed alternate: new server with squeeze, install wordpress, transfer domain workaround: configure your FF FAQ/BrowserClients	{g}
uli	Experience points for ATE attendance check board motions and/or trigger if not yet passed	{0}
uli	Infrastructure separation, to contact secure-u (Frank, Mario, Ted, Sebastian) for discussion, prepare a plan, started 2011-12-18 current state: see Funding Landing Page May 2013: tk-server sponsoring, tk-server rcvd, deployment: WIP, project not yet finished	{0}
All	1. next: strategy for "New Roots & Escrow" - using indirect crl's ? indirect CRL: RFC 5280 http://tools.ietf.org/html/rfc5280 (chapter 5) - test deployment	{0}
dirk, Michael	3. next: strategy for "New Roots & Escrow" - how does debian work? to contact, deferred to next events (?) next round: picked up by Benedikt new proposal 2013-06-02	{0}
Uli, Michael	Documentation Bugs.cacert.org Review, documentation I (bugs handbook) svg files to convert to jpg or png	{0}

Development, Deployment, Discussion

OAO, Ted	bug #943 change OA admin/assurer text	needs 2nd test -> Fabian, Marc, Alex? {g} / needs 2nd review -> Ted, rejected	{-}
uli, Ted	bug #824 Org User cert fix Case study	Organisation User Certificates: Need UI improvement for proper production usage	{0}
uli, ted	bug #823 email address removal fix	No warning when removing e-mail address from account that certificates will be revoked checked by 4, needs 2nd review, deploy rejected	{-}
inopiae	bug #920 Join - single name only (eg Indonesian)	details under bug number	{0}
uli	bug #859 admin console interface	feature request: show activity on an account in the admin interface rejected, certs login doesn't modify "modified" field	{r}
Michael	bug #540	p20111113 CPS #7.1.2 "Certificate Extensions" adjustments - testing uli, marcus: needs full cert create tests duplicate report to bug#978 tested by 3, 2nd review done, transfered Ken reported: still has problems, bug kept open	{0}
gagern, NEO	bug #440 Problem with subjectAltName (CSR, renew certs)	There seems to be a problem with the subjectAltName. Dupes, missing entries, and more, rejected, needs further development	{r}
neo	bug #1025 Domain Dispute issue	disputes rc and rc2 var prob needs work	{r}
dirk	bug #1054 0001054: Review the code regarding the new point calculation	Thawte patch part II needs further work	{r}

Software Assessors: Review 1 / add to cacert-devel, add to testserver

Software-Assessors task

Testing

Testers task

neo	bug #1004 Stats page improvement	tested by 2, needs 2nd review	{0}
neo	Bugs #1159 it might be possible to execute commands on the signing server		{0}
inopiae	bug #1065 Wrong wording when sending mails during the assurance process		{0}
inopiae	bug #1162 calcutate (the passwords) hash in php instead of in mysql	create test scenarios for the software testers $/!\$ Full testing $/!\$	{0}
inopiae	bug #0028 Wrong language for you've been assured & [CAcert.org] Client Certificate emails		{0}
inopiae	bug #988 TTP cap form deployment		{0}

Software Assessors: 2nd Review, Bundle Package to Critical Team

Software-Assessors task

Ted	bug #500 Get contact mail adress after resolving test	tested by 3, requires review	{0}
Ted	bug #1140 Show if a test is passed in learnprogress	tested by 3, requires review	{0}
magu	bug #1131 Rename _all_ Policies from .php to .html and fix all links	global policy directory maintenance and update	{0}
inopiae	bug #1010 Reorder the view on organisation certificates	tested by 3	{0}

Software Assessors: Bundle Package to Critical Team

Software-Assessors task

inopiae

bug #1139 Add new fields to the database

tests through #500 and #1140, 2nd review done, requires transfer

{0}

Awaiting Response from Critical Team

inopiae

bug #411 Wrong text is made into link

{g}

CategorySoftwareAssessment

CategorySoftwareAssessment

Software/Assessment/20110419-S-A-MiniTOP (last edited 2011-09-23 00:09:59 by UlrichSchroeter)