@gsingers We have three major types of NDA/MOU under which people get access to PII-sensitive data on our servers:
- Everyone who's WMF staff has signed an NDA as part of their work contract
- Researchers get access to some data after signing an MOU (with a person on the WMF side being a point of contact and time-limited until the research is completed)
- Some people from the community have signed an NDA (called the Volunteer NDA in contrast to the NDA which applies to staff) which allows them to e.g. debug problems in production, deploy code changes, review Logstash/Turnilo etc.
Debian unstable was updated to 5.5.22:
dbgsym files are supported in reprepro for quite a while now and as of today, we can also install dbgsym packages from the Debian archive. Closing.
Fri, Oct 23
I've built an updated mod_cas package with SameSite cookie support for buster-wikimedia (not imported yet to apt.wikimedia.org), will run some tests next week.
/etc/apt/sources.list has been managed by Puppet for a few weeks in production, closing the task (for Cloud VPS, also enabling it is being considered in a separate task).
Thu, Oct 22
All new buster replicas are now pooled and the stretch ones have been depooled. I'll keep them around for another week just in case, then they are going to be removed.
@MoritzMuehlenhoff: Is it acceptable to download the pre-built .debs, and upload them into our apt repo?
Wed, Oct 21
This is complete
Mon, Oct 19
I've removed Chase from SRE-Access-Requests
We can close this task given that the OpenLDAP mirror is going away in favour of JumpCloud
This is complete: The package mirror can now be set via profile::base::mirror_server (and still defaults to mirrors.wikimedia.org)
For the followup work with the old home there's T264994, so we can close this.
Fri, Oct 16
I've uploaded an NMU (2.42-4.2) for ploticus which correctly enables the toolchain hardening (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=967239), we can import that version to buster-wikimedia for the mw migration of the app servers.
The servers with a public IP already have lots of noise from random bots/portscans (e.g. on bast3004 40k-ish log entries per day), so this doesn't make too much of a difference.
The Gerrit servers have been switched to profile::java (which allowed for quite a few cleanups)
FWIW, the dependencies on a Buster system look fine to me and are fulfilled in stretch as well (Stretch has libgcc1 6.3.0 and libc6 2.24):
Wed, Oct 14
Tue, Oct 13
From what I can tell the procedure described in https://wikitech.wikimedia.org/wiki/Volunteer_NDA is outdated and no longer accurate. All current NDA access requires an NDA signed with the Legal department (it's still a digital signature, but different from clicking https://phabricator.wikimedia.org/L2).
Mon, Oct 12
Fri, Oct 9
I have taken care of removing SSH access, LDAP, Networking, Icinga, pwstore and some of the mail aliases configured in SRE (root@ etc.) earlier today.
After a lot of fist shaking and head scratching I think I've found a workable solution to the problem that the PHP build depends on ICU 63 (for intl) and indirectly on ICU 57 via libxml: I tried a few hacks with double-building (exploiting the fact that ICU 63 uses pkgconfig, while ICU 57 still uses the old-school "icu-config"), but it didn't work out, too complex and too many corner cases. Rebuilding all the libxml2 reverse deps with ICU 63 is also a fragile/error-prone undertaking since there are multiple levels of dependencies in the reverse deps.
The "leila" account also needs to be removed from the wmf LDAP group.
Thu, Oct 8
I've created a standalone backport of icu63 in the component/icu63. Rebuilding PHP 7.2 with it is a little tricky, since PHP build-depends on libxml2 (for php7.2-xml), which in itself uses ICU. Also rebuilding libxml2 with ICU would require testing/adapting/rebuilding a long list of reverse dependencies (and possibly second-order dependencies). Ideally this can be avoided; I'm testing a few options today and tomorrow.
Wed, Oct 7
Agreed, the service enumeration/information disclosure angle is moot for us, so let's give this a shot. If we make it configurable via Hiera we can also test it beforehand on a few hosts.
Tue, Oct 6
Mon, Oct 5
Is this really worth fixing? jessie is totally end-of-life by Debian, not even Debian LTS covers it, so let's rather retire the repo for jessie for good.
The patch to support the setting is not yet in the released or packaged versions of libapache2-mod-auth-cas, but if it works for us, I can reach out to the maintainer to cherry-pick the patch.
cergen is now using profile::java.
VMs have been created
Fri, Oct 2
So, I've created three VMs and this happened in one out of three cases only.
This got added in T263692, also assigning to Keith.
Thu, Oct 1
For a Buster system, the puppetised sources.list looks like this:
Ack, closing this task.
Wed, Sep 30
Reopening, this needs an update in data.yaml as well (in the ldap users table).
Tue, Sep 29
I think the exceptional case of a double LTS release is rare enough; can you update the wikitech page with the steps above and then we can call this resolved from my PoV?