Participants
============

1. guilhem
2. Cloph
3. Brett

Agenda
======

 * guilhem: anything pending for libocon videos sharing?
   + cloph: all good already
   + guilhem to save the pre-recorded videos and cancel the jibri box

 * gerrit sshd
   + https://lists.freedesktop.org/archives/libreoffice/2021-October/087900.html
   + mina sshd <2.7.0 are affected
   + gerrit 3.4 upgrades to mina sshd 2.6 only, so affected as well
   + cloph: Hossein upgraded logerrit to use EC keys already, so the
     problem only affects returning users, who are more likely to be
     technical or ask on #-dev
   → nothing concrete to do here

 * bullseye: 11.1 was released some weeks ago
   + guilhem: upgraded the baseline, no major issues; heads up
     - python2 was removed (affects mailman2 and planetplanet, possibly
       also some of our custom scripts in dev-tools)
       → proper fix is to port scripts to python3, not to keep
         unsupported python2 forever :-)
     - bullseye has PHP7.4 not 8.0 (somewhat better now but might bite us
       later in the recycle cycle)
     - guilhem: upgraded the [matrix] (newer synapse is better for
       federation with matrix.org) and jitsi boxes
     - guilhem: dunno how pg_basebackup works with multiple PG versions
       (buster has 11, bullseye 13)
       . Brett: Should be fine since it is largely shell getting the wal
         files
     - guilhem: plan to upgrade other non-mission critical systems during
       what's left of 2021, then later proceed with hypervisors and
       mission critical guests

 * Useless X3 intermediate supplied by Let's Encrypt:
   + client-side validation issue (they should be happy with the one path
     that's valid) but older libssl chokes on this
   + affects tinderboxes, temporary fix is to remove X3 from the chain on
     the server, or its issuer on the client (Brett, cloph: did that)
   + unclear why Let's Encrypt still adds X3 though as it can't be used in
     validation paths anymore
   → nothing concrete to do for now

 * pg backups:
   + Brett: removed barman from all boxes
   + Brett: haven't configured the copying logic: push vs. pull
     - let's go with push then, it's more common
   + sftp -l postgres should land in a chroot so it doesn't access other
     host's DB
     - internal-sftp subsystem, cf. for instance this sshd_config snippet

         Match User backup-*
             AllowUsers backup-*
             AllowGroups *
             DisableForwarding yes
             PermitTTY no
             PermitUserRC no
             # Note: The chroot and all its parent directories must be root:root with mode 0755.
             ChrootDirectory %h
             ForceCommand internal-sftp

   + can be integrated with other backup solutions if we want to move away
     from rsnapshot
     - cloph, guilhem: not specially attached to rsnapshot
     - that's an intrusive change though, and can be done independently

 * 90 min downtime on Friday in CH
   + 11:30 CEST til 13:00 CEST (UTC+2)
   + tb84 (mac mini) might be down until next day (housing's PW-button is
     not working)
   + but of course can also change the power-plan to power-on in the
     afternoon

 * Next call on Nov 16 at 17:30 UTC (DST change!)

-- 
Guilhem.
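
Added example, not part of the original minutes or of TDF's own tooling: one way to verify the rule stated in the sshd_config snippet's note (the chroot and every parent directory root:root with mode 0755) before pointing ChrootDirectory at a home directory. The function name, the /srv/backup layout and the backup-db1 account are assumptions made for the illustration.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace


def chroot_chain_problems(chroot, lstat=os.lstat):
    """List (path, reason) for each component breaking the root:root 0755 rule."""
    path = PurePosixPath(chroot)
    if not path.is_absolute():
        return [(str(path), "not an absolute path")]
    problems = []
    # Walk from "/" down to the chroot itself: every parent counts too.
    for component in [*reversed(path.parents), path]:
        name = str(component)
        try:
            st = lstat(name)  # lstat: a symlink in the chain is reported, not followed
        except OSError as exc:
            problems.append((name, f"cannot stat: {exc.strerror}"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((name, "not a directory"))
            continue
        if (st.st_uid, st.st_gid) != (0, 0):
            problems.append((name, f"owner {st.st_uid}:{st.st_gid}, expected 0:0"))
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o755:
            problems.append((name, f"mode {mode:04o}, expected 0755"))
    return problems


def _entry(mode, uid=0, gid=0):
    return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=uid, st_gid=gid)


# Constructed sample: a group-writable parent, and a home directory still
# owned by the (hypothetical) backup-db1 account with uid/gid 1001.
SAMPLE_TREE = {
    "/": _entry(0o755),
    "/srv": _entry(0o755),
    "/srv/backup": _entry(0o775),
    "/srv/backup/backup-db1": _entry(0o700, uid=1001, gid=1001),
}


def sample_lstat(path):
    if path not in SAMPLE_TREE:
        raise FileNotFoundError(2, "No such file or directory", path)
    return SAMPLE_TREE[path]


if __name__ == "__main__":
    for where, why in chroot_chain_problems("/srv/backup/backup-db1", sample_lstat):
        print(f"{where}: {why}")
```

Called with a single argument the function reads the real filesystem through os.lstat; sample_lstat only exists so the example runs without root.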
