Re: [arch-dev-public] [aur-general] AUR migration

2020-07-27 Thread Gaetan Bisson via arch-dev-public
[2020-07-27 21:10:23 -0300] Giancarlo Razzolini:
> On July 27, 2020 21:03, Gaetan Bisson wrote:
> > 
> > It's quite unsettling that we seem to be rushing to write a news post
> > while this very reasonable suggestion remains completely ignored.
> > 
> 
> It wasn't ignored. The keys were deliberately changed in the process.

Why? Baptiste rightly points out "it's the same service as before and
(presumably) the host private keys were not compromised, so there is no
reason to change keys." Yet his message remains unanswered...

> I think the issue you refer to happened on the orion -> gemini migration and

You are correct.

> I personally think that everything that runs as a service on Arch servers
> should be properly tracked on ansible, even if it's a user service.

That is certainly a worthy goal but it does not imply that we must kill
everything that is not tracked by ansible at every migration. Copying
home directories over to the new host used to be standard practice for
any administrator of a system which serves multiple users...

Cheers.

-- 
Gaetan




Re: [arch-dev-public] [aur-general] AUR migration

2020-07-27 Thread Eli Schwartz via arch-dev-public
On 7/24/20 6:18 PM, Baptiste Jonglez wrote:
> Can't you just copy the SSH host keys from the old machines?
> 
> It's the same service as before and (presumably) the host private keys
> were not compromised, so there is no reason to change keys.

In theory one could, but this was not simply migrating one box to
another physical device. The old AUR box is still available, running
other services (e.g. git.archlinux.org), and is still using those keys.

Per default, I don't see a good reason for two active boxes to have the
same private keys, but if you know better, then let's have *that*
discussion.

-- 
Eli Schwartz
Bug Wrangler and Trusted User





Re: [arch-dev-public] [aur-general] AUR migration

2020-07-27 Thread Eli Schwartz via arch-dev-public
On 7/27/20 8:03 PM, Gaetan Bisson via arch-dev-public wrote:
> [2020-07-25 00:18:55 +0200] Baptiste Jonglez:
>> On 24-07-20, Giancarlo Razzolini via arch-dev-public wrote:
>>> The migration is almost done. Since we are moving to a new machine, it will
>>> have new host keys. They are:
>>>
>>>    Ed25519: SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
>>>    ECDSA: SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
>>>    RSA: SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
>>
>> Can't you just copy the SSH host keys from the old machines?
>>
>> It's the same service as before and (presumably) the host private keys
>> were not compromised, so there is no reason to change keys.
> 
> It's quite unsettling that we seem to be rushing to write a news post
> while this very reasonable suggestion remains completely ignored.

Nothing "unsettling" about it; the suggestion is not as reasonable as
it seems on the surface (because the old box is still in use), but even
without that knowledge, given devops clearly didn't do that, I don't
understand the rationale for refusing a news post after the fact. If you
think the old box is out of use and deleted, then the keys would be gone
and it would be too late to transfer them.

> For future migrations I would greatly appreciate if not all on-disk data
> were thrown away. On top of SSH keys, there are home directories which
> contain not only user data but also in some cases things useful for the
> distro as a whole (such as the service I use to version iana-etc files).

Is there reason to believe that this data was thrown away? We were given
warning when soyuz got decommissioned, to back up data before the
decommissioning date. And orion is not decommissioned, it is still used
for mail at least, so your data there is untouched and still accessible.

-- 
Eli Schwartz
Bug Wrangler and Trusted User





Re: [arch-dev-public] [aur-general] AUR migration

2020-07-27 Thread Gaetan Bisson via arch-dev-public
[2020-07-25 00:18:55 +0200] Baptiste Jonglez:
> On 24-07-20, Giancarlo Razzolini via arch-dev-public wrote:
> > The migration is almost done. Since we are moving to a new machine, it will
> > have new host keys. They are:
> > 
> >    Ed25519: SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
> >    ECDSA: SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
> >    RSA: SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
> 
> Can't you just copy the SSH host keys from the old machines?
> 
> It's the same service as before and (presumably) the host private keys
> were not compromised, so there is no reason to change keys.

It's quite unsettling that we seem to be rushing to write a news post
while this very reasonable suggestion remains completely ignored.

For future migrations I would greatly appreciate if not all on-disk data
were thrown away. On top of SSH keys, there are home directories which
contain not only user data but also in some cases things useful for the
distro as a whole (such as the service I use to version iana-etc files).

Cheers.

-- 
Gaetan




[arch-dev-public] Orphaning signing-party and dependencies

2020-07-27 Thread Archange via arch-dev-public
Hi there,

I’ve never gone far into using signing-party, and do not have time to
maintain it anymore. Thus, I’m going to orphan it as well as its
dependencies (nothing else requires them), and move them to the AUR
unless someone steps in to maintain them within ~two weeks.

The full packages list:

libmd
perl-data-perl
perl-gnupg-interface
perl-moox-handlesvia
perl-moox-late
perl-strictures
perl-type-tiny
qprint
signing-party

Regards,
Bruno/Archange


Re: [arch-dev-public] News draft: AUR migration

2020-07-27 Thread David Runge
Hey Giancarlo,

only some minor spell fixes.

On 2020-07-27 10:46:35 (-0300), Giancarlo Razzolini via arch-dev-public wrote:
> AUR migration: New SSH Host keys
> 
> Due to the fact the AUR was migrated to a new server, the SSH HostKeys used to

Due to the fact *that* the AUR *has been migrated* [..]

> pushed packages were changed in the process. These are the new keys
> fingerprints:

*connect to the host* have changed in the process. [..]

>    Ed25519: SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
>    ECDSA: SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
>    RSA: SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
> 
> They can also be found on the AUR home page when not logged in.

*The above fingerprints* can also be found [..]

> Given this is somewhat urgent and the migration was done on Friday,
> I'll not wait the full 24 hours before posting this, but I'll probably
> post this by the end of the day, today, instead. Let me know if anyone
> has any objections.

ACK

Thanks! :)

Best,
David

-- 
https://sleepmap.de




[arch-dev-public] News draft: AUR migration

2020-07-27 Thread Giancarlo Razzolini via arch-dev-public

Hi guys,

Given that the SSH host keys were changed during the AUR migration, and,
due to the fact that not everyone will see this on the home page for the AUR
or on aur-general, I propose the following news draft:

>
AUR migration: New SSH Host keys

Due to the fact the AUR was migrated to a new server, the SSH HostKeys used to
pushed packages were changed in the process. These are the new keys 
fingerprints:

   Ed25519: SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
   ECDSA: SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
   RSA: SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8

They can also be found on the AUR home page when not logged in.
<

Given this is somewhat urgent and the migration was done on Friday, I'll not
wait the full 24 hours before posting this, but I'll probably post this by the
end of the day, today, instead. Let me know if anyone has any objections.

Regards,
Giancarlo Razzolini





Re: [arch-dev-public] [aur-general] AUR migration

2020-07-27 Thread Giancarlo Razzolini via arch-dev-public

On July 27, 2020 9:35, Henry-Joseph Audéoud wrote:
> On 24/07/2020 21:24, Giancarlo Razzolini via aur-general wrote:
> > The migration is almost done. Since we are moving to a new machine, it will
> > have new host keys. They are:
> >
> >     Ed25519: SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
> >     ECDSA: SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8
> >     RSA: SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
>
> You swapped the fingerprints of keys ECDSA and RSA.  From my computer, I
> get these fingerprints (and Ricardo Band has the same for ECDSA):
>
>    ED25519:  SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4
>    ECDSA:    SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI
>    RSA:      SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8

Yes, this is correct. The configuration is with the keys swapped. I'm going to
fix it and also create a news post about this.

Regards,
Giancarlo Razzolini
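
The client-side check reported above, written out as an added example (not part of any message in this thread): it derives the SHA256 fingerprint and key type from a `ssh-keyscan`-style line and separates a relabelled fingerprint from a key that was never announced. The function names, the `ecdsa-sha2-nistp256` mapping and the sample key are assumptions; the fingerprint values are the ones quoted in the thread.

```python
import base64
import hashlib
import struct

# Announcement label per SSH algorithm name (nistp256 for ECDSA is an assumption).
LABELS = {"ssh-ed25519": "Ed25519", "ecdsa-sha2-nistp256": "ECDSA", "ssh-rsa": "RSA"}

def fingerprint(keyscan_line):
    """Return (label, 'SHA256:...') for one 'host keytype base64blob' line."""
    _host, keytype, b64 = keyscan_line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed algorithm name; check it against the text field.
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != keytype:
        raise ValueError(f"declared {keytype} but blob says {embedded}")
    digest = hashlib.sha256(blob).digest()
    return LABELS[embedded], "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def compare(announced, observed):
    """Classify each observed fingerprint against the announced label -> fingerprint map."""
    by_fp = {fp: label for label, fp in announced.items()}
    result = {}
    for label, fp in observed.items():
        if announced.get(label) == fp:
            result[label] = "match"
        else:  # announced under another label = labelling error; otherwise reject
            result[label] = f"announced as {by_fp[fp]}" if fp in by_fp else "unknown key"
    return result

def sample_line():
    """Constructed line (not a real host key): ssh-ed25519 blob with 32 dummy bytes."""
    name, key = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "host.example ssh-ed25519 " + base64.b64encode(blob).decode()

# Fingerprints as first announced on 24 July (values from the thread).
ANNOUNCED = {
    "Ed25519": "SHA256:RFzBCUItH9LZS0cKB5UE6ceAYhBD5C8GeOBip8Z11+4",
    "ECDSA": "SHA256:5s5cIyReIfNNVGRFdDbe3hdYiI5OelHGpw2rOUud3Q8",
    "RSA": "SHA256:uTa/0PndEgPZTf76e1DFqXKJEXKsn7m9ivhLQtzGOCI",
}
# Fingerprints reported from a client in the thread: ECDSA and RSA trade places.
OBSERVED = dict(ANNOUNCED, ECDSA=ANNOUNCED["RSA"], RSA=ANNOUNCED["ECDSA"])

if __name__ == "__main__":
    print(fingerprint(sample_line()))
    for label, verdict in compare(ANNOUNCED, OBSERVED).items():
        print(label, verdict)
```
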
