Re: [gentoo-dev] Followup notes: {cvs,git,git.overlays}.gentoo.org migration; awol: some overlays commits, gitweb

2014-08-19 Thread Paweł Hajdan, Jr.
On 8/19/14 1:00 AM, Robin H. Johnson wrote:
 The new SSH keys, in case you still didn't have them:
 On Mon, Jun 30, 2014 at 10:26:52PM +, Robin H. Johnson wrote:
 1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA)
 256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA)
 256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba (ED25519)
 2048 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)

I noticed the ssh host key for cvs.gentoo.org changed just now.

IMHO such announcement would greatly benefit from a digital signature.

Just in case, this is what ssh printed out for me (the new key matches
the announcement):

$ cvs up
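@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@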
The RSA host key for cvs.gentoo.org has changed,
and the key for the corresponding IP address 148.251.78.52
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
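@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@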
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88.
Please contact your system administrator.
Add correct host key in /home/ph/.ssh/known_hosts to get rid of this
message.
Offending RSA key in /home/ph/.ssh/known_hosts:15
RSA host key for cvs.gentoo.org has changed and you have requested
strict checking.
Host key verification failed.
cvs [update aborted]: end of file from server (consult above messages if
any)

Paweł



signature.asc
Description: OpenPGP digital signature


Re: [gentoo-dev] Followup notes: {cvs,git,git.overlays}.gentoo.org migration; awol: some overlays commits, gitweb

2014-08-19 Thread Dirkjan Ochtman
On Tue, Aug 19, 2014 at 6:10 PM, Paweł Hajdan, Jr.
phajdan...@gentoo.org wrote:
 I noticed the ssh host key for cvs.gentoo.org changed just now.

 IMHO such announcement would greatly benefit from a digital signature.

Robin's July 1 announcement, which I easily found when I ran into the
same warning yesterday night, did have a signature.

Cheers,

Dirkjan



Re: [gentoo-dev] Followup notes: {cvs,git,git.overlays}.gentoo.org migration; awol: some overlays commits, gitweb

2014-08-19 Thread hasufell
Paweł Hajdan, Jr.:
 On 8/19/14 1:00 AM, Robin H. Johnson wrote:
 The new SSH keys, in case you still didn't have them:
 On Mon, Jun 30, 2014 at 10:26:52PM +, Robin H. Johnson wrote:
 1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA)
 256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA)
 256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba (ED25519)
 2048 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)
 
 I noticed the ssh host key for cvs.gentoo.org changed just now.
 
 IMHO such announcement would greatly benefit from a digital signature.
 

I'm not going to commit anything until this issue is resolved. Can we
get _confirmed_ fingerprints?



Re: [gentoo-dev] Followup notes: {cvs,git,git.overlays}.gentoo.org migration; awol: some overlays commits, gitweb

2014-08-19 Thread Kristian Fiskerstrand
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 08/19/2014 10:46 PM, hasufell wrote:
 Paweł Hajdan, Jr.:
 On 8/19/14 1:00 AM, Robin H. Johnson wrote:
 The new SSH keys, in case you still didn't have them: On Mon,
 Jun 30, 2014 at 10:26:52PM +, Robin H. Johnson wrote:
 1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA) 
 256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA) 
 256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba
 (ED25519) 2048
 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)
 
 I noticed the ssh host key for cvs.gentoo.org changed just now.
 
 IMHO such announcement would greatly benefit from a digital
 signature.
 
 
 I'm not going to commit anything until this issue is resolved. Can
 we get _confirmed_ fingerprints?
 

The following fingerprint information was presented in Robin's email
of 1 July titled [gentoo-dev] cvs.gentoo.org, git.gentoo.org,
*.overlays.gentoo.org migration timeline  ssh keys and properly
OpenPGP Signed:

1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA)
256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA)
256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba (ED25519)
2048 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)



- -- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
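
The check the thread is asking for, as an added example that is not part of any of the original messages: parse the announced fingerprint list, extract the fingerprint from the ssh warning quoted earlier, and accept the new host key only on an exact match. It assumes the announcement text has already had its OpenPGP signature verified separately; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Fingerprints as listed in the thread (legacy MD5 colon-hex format).
ANNOUNCED = """\
1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA)
256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA)
256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba (ED25519)
2048 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)
"""

# Relevant lines of the ssh warning quoted in the thread.
WARNING = """\
The fingerprint for the RSA key sent by the remote host is
24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88.
"""

FP = r"(?:[0-9a-f]{2}:){15}[0-9a-f]{2}"

def parse_announcement(text):
    """Map key type -> (bits, fingerprint) from '<bits> <fp> (<TYPE>)' lines."""
    rows = re.findall(rf"^\s*(\d+)\s+({FP})\s+\((\w+)\)\s*$", text, re.M)
    return {ktype: (int(bits), fp) for bits, fp, ktype in rows}

def parse_warning(text):
    """Extract (key type, fingerprint) from ssh's host-key-changed warning."""
    m = re.search(rf"fingerprint for the (\w+) key sent by the remote host is\s+({FP})", text)
    return (m.group(1), m.group(2)) if m else None

def md5_fingerprint(b64_blob):
    """Legacy fingerprint of a key line's base64 field: MD5 of the decoded blob."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def matches_announcement(ktype, fingerprint, announced):
    """True only if this key type was announced with exactly this fingerprint."""
    entry = announced.get(ktype.upper())
    return entry is not None and hmac.compare_digest(entry[1], fingerprint.lower())

def check_warning(warning_text, announcement_text):
    seen = parse_warning(warning_text)
    if seen is None:
        return False  # no fingerprint found: treat as unverified
    return matches_announcement(*seen, parse_announcement(announcement_text))

if __name__ == "__main__":
    print("presented key matches announcement:", check_warning(WARNING, ANNOUNCED))
```

`md5_fingerprint` takes the base64 field of a `known_hosts` or `ssh-keyscan` line, so a key fetched out of band can be compared with `matches_announcement` before it is trusted.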



Re: [gentoo-dev] Followup notes: {cvs,git,git.overlays}.gentoo.org migration; awol: some overlays commits, gitweb

2014-08-19 Thread hasufell
Kristian Fiskerstrand:
 On 08/19/2014 10:46 PM, hasufell wrote:
 Paweł Hajdan, Jr.:
 On 8/19/14 1:00 AM, Robin H. Johnson wrote:
 The new SSH keys, in case you still didn't have them: On Mon,
 Jun 30, 2014 at 10:26:52PM +, Robin H. Johnson wrote:
 1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA)
 256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA)
 256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba
 (ED25519) 2048
 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)

 I noticed the ssh host key for cvs.gentoo.org changed just now.

 IMHO such announcement would greatly benefit from a digital
 signature.

 
 I'm not going to commit anything until this issue is resolved. Can
 we get _confirmed_ fingerprints?
 
 
 The following fingerprint information was presented in Robin's email
 of 1 July titled [gentoo-dev] cvs.gentoo.org, git.gentoo.org,
 *.overlays.gentoo.org migration timeline  ssh keys and properly
 OpenPGP Signed:
 
 1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA)
 256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA)
 256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba (ED25519)
 2048 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)
 
 


Thanks, I found it now. Maybe it would still be better to repost this
close before it actually hits us to minimize confusion.



Re: [gentoo-dev] Followup notes: {cvs,git,git.overlays}.gentoo.org migration; awol: some overlays commits, gitweb

2014-08-19 Thread Brian Dolbec
On Tue, 19 Aug 2014 21:19:11 +
hasufell hasuf...@gentoo.org wrote:

 Thanks, I found it now. Maybe it would still be better to repost this
 close before it actually hits us to minimize confusion.
 

Quoting from Robin's email from Monday, Aug. 18, 2014:

Last evening, the old sponsor where cvs/git/git.overlays was hosted
turned off the old servers, earlier than I expected.


So, I'm sure there would have been an announcement again before the
final switch, had the actual date been known in advance.

-- 
Brian Dolbec dolsen




[gentoo-dev] Followup notes: {cvs,git,git.overlays}.gentoo.org migration; awol: some overlays commits, gitweb

2014-08-18 Thread Robin H. Johnson
Hi all,

Last evening, the old sponsor where cvs/git/git.overlays was hosted
turned off the old servers, earlier than I expected.

With two notable exceptions listed below, almost everything should be
how it should be, so you can continue as before.

The new SSH keys, in case you still didn't have them:
On Mon, Jun 30, 2014 at 10:26:52PM +, Robin H. Johnson wrote:
 1024 5f:c3:fe:9a:ac:a7:99:f4:d3:c1:93:4c:52:87:74:28 (DSA)
 256  aa:6a:e4:74:1d:73:d2:5a:9f:45:9f:18:55:81:c9:9a (ECDSA)
 256  1c:2e:99:7d:c7:f0:bc:3b:a9:fb:d0:3e:2c:2a:79:ba (ED25519)
 2048 24:3b:2d:3b:47:ca:7e:62:48:97:49:6a:f5:ad:66:88 (RSA)

1. Overlays missing commits since 2014/07/22 02:49 UTC
------------------------------------------------------
So last time overlays had an outage, infra promised to look into a git
mirroring setup, so when this forced migration was announced, I started
to implement a very rough version of mirroring for both the main cvs/git
repos, as well as the overlays repos.

It worked on the primary repos, but after some initial runs it failed on
all of the git.overlays repos at Jul 22 02:49 UTC. I've been busy with
real life, and I unfortunately didn't notice it until too late.

As a direct result, any commits pushed to git.overlays repos after
2014/07/22 02:49 UTC, are missing. If you have them locally, all you
need to do is 'git push' for all of your branches, and they'll be
restored.

2. gitweb/cgit offline, anongit rate-limited
--------------------------------------------
One of the plans was to merge the hosting of git.gentoo.org and
git.overlays.gentoo.org into a single large Gitolite deployment, in
preparation for the Git migration of gentoo-x86.

The gotcha is that while we want all of the write traffic to be
consolidated, we want to be able to scale the readonly capacity easily
(without the budget or sharding that GitHub has).

It isn't a 100% solved problem yet (one of the reasons that I hadn't
flipped stuff over yet). There is also a lot more read-only Git traffic
than I expected (enough to kill some systems); so I'm NOT enabling a web
server on the box that runs the readwrite traffic yet.

The leading solution I have, that allows the most flexibility, is simply
splitting at the hostname:
http://gitweb.gentoo.org/$REPO
git://readonly.git.gentoo.org/$REPO
git://ro.git.gentoo.org/$REPO
git+ssh://g...@readwrite.git.gentoo.org/$REPO
git+ssh://g...@rw.git.gentoo.org/$REPO

This also lets us trivially distribute readonly mirrors distributed
around the world, which would hugely improve performance when the Git
migration is done.

As a migration plan, git.gentoo.org would continue to host R+RW git for
a month.

Any concerns or alternative ideas should be proposed on the gentoo-dev
lists.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail : robb...@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85