Re: HSTS and expired cert: our site is down for now
On Tue, 2017-04-11 at 13:28 -0300, Fernando Mumbach wrote: > Thank you Florent for answering in such a well explained form. > > If the subdomain "downloads" is deprecated, how are we supposed to > get the seednodes for the first install? They are shipped with the various installers we provide; but that doesn't help the package managers... > As of now, the AUR package for freenet is totally broken because you > can't download that file, so I'm assuming it's going to move to S3? Or github. Whatever our release manager decides. > If the plan is moving to S3, why not make a > downloads.freenetproject.org a CNAME pointing to the S3 bucket, so we > can keep the paths and everything would JustWork? (AFAIK, never tested > using CNAMEs with S3) > Making something like that work could have been possible if it was planned... but would have been risky (most "clients" pin the certificate). Changing to a different FQDN and hierarchy makes a lot of sense since all the places that do reference the existing URLs will have to be touched anyway. That vhost does various kinds of redirect-based magic (/latest/ but also the .url and the .registry files) under the scene and that is non straightforward to emulate with S3. I have sent an email months ago saying that downloads.freenetproject.org was going away... no one has objected at the time. > So much confusion around this issue. I understand 100% of the work is > voluntary, but this became a mess in no time, and seems like no one > wants to take responsibility. > > > I'm still not sure about these: > - I should be able to update from freenet itself, but what about new > users? Where do they get the initial files? Currently from github. The project's officially supported installer do ship with a seednode file (don't ask me how it's updated; it's probably not :p) > - The update script for the new version should be working, but how am > I supposed to update using the script if the URLs change? I don't think it is. Fred can update the script in place on existing/working installs (again, that doesn't help packagers I guess). > - Has anyone started a petition for AWS non profits? I remember > reading that some open source projects get free credits on Amazon > AWS¹. These credits could help pay the hosting services. > > ¹: https://aws.amazon.com/government-education/nonprofits/?nc1=h_ls > That's on my TODO (after finishing the migration). Florent > On 11-04-2017 05:38, Florent Daigniere wrote: > > On Sun, 2017-04-09 at 19:57 -0300, Fernando Mumbach wrote: > > > Hello, > > > > > > > Hi Fernando, > > > > Since no one is replying to you, I will attempt to... > > > > > > > downloads.freenetproject.org is still using the old cert, > > > > It is a feature, not a bug :) > > > > The plan was to drop that FQDN... and then at the last minute, Arne > > has > > decided to release a build (1478) that has changed the plan. > > > > I have made it clear that it wouldn't work... but been ignored. > > > > > > > and the archlinux package fails to update because the cert is > > > invalid. Did you maybe forgot to also update the subdomain? > > > > The plan has always been to drop that vhost altogether. I haven't > > dropped it because of the last minute change to the plan, that's > > all. > > > > Its organization doesn't make sense (keeping alpha in the path, ...) > > and > > is unsuitable for everyone (packagers, build tools that expect > > metadata, > > ...), not to mention that it costs the project money to keep the VPS > > it > > sits on up. That's why I am keen on getting rid of it once and for > > all. > > > > The initial plan was to setup a new vhost (mvn.freenetproject.org) > > that > > would be AWS/S3 baked and would provide a maven-like repository > > structure we would push our builds to (and that packagers, > > installers, > > build tools, ... ) could use. > > > > Just like you, I have zero visibility on what is supposed to be > > happening... or what the current plan is; rest assured that it's not > > just the various packages that are broken (1478 doesn't magically > > bypass > > the certificate expiry check and has obviously not received any > > testing > > before being released). > > > > I have stopped to work on next since that isn't where the builds are > > being released from anymore... > > > > > > > The subdomain "wiki" works okay for me (it redirects correctly > > > to > > > github). I do not know of others subdomains, but we should test > > > all > > > the domains. > > > > > > > All the domains for which a plan did exist have been migrated > > (website, > > bugs, wiki). Those that haven't will see their DNS entry removed > > soon > > (doc-fr, testing, old-wiki, archives, downloads, emu). > > > > Florent > > > > > On 05-04-2017 20:35, Arne Babenhauserheide wrote: > > > > Hi, > > > > > > > > The certificate expired and we use HTTP Strict Transport > > > > Security > > > > (HSTS). That means: Our old site is down until the DNS
Re: HSTS and expired cert: our site is down for now
Thank you Florent for answering in such a well explained form. If the subdomain "downloads" is deprecated, how are we supposed to get the seednodes for the first install? As of now, the AUR package for freenet is totally broken because you can't download that file, so I'm assuming it's going to move to S3? If the plan is moving to S3, why not make a downloads.freenetproject.org a CNAME pointing to the S3 bucket, so we can keep the paths and everything would JustWork? (AFAIK, never tested using CNAMEs with S3) So much confusion around this issue. I understand 100% of the work is voluntary, but this became a mess in no time, and seems like no one wants to take responsibility. I'm still not sure about these: - I should be able to update from freenet itself, but what about new users? Where do they get the initial files? - The update script for the new version should be working, but how am I supposed to update using the script if the URLs change? - Has anyone started a petition for AWS non profits? I remember reading that some open source projects get free credits on Amazon AWS¹. These credits could help pay the hosting services. ¹: https://aws.amazon.com/government-education/nonprofits/?nc1=h_ls On 11-04-2017 05:38, Florent Daigniere wrote: On Sun, 2017-04-09 at 19:57 -0300, Fernando Mumbach wrote: Hello, Hi Fernando, Since no one is replying to you, I will attempt to... downloads.freenetproject.org is still using the old cert, It is a feature, not a bug :) The plan was to drop that FQDN... and then at the last minute, Arne has decided to release a build (1478) that has changed the plan. I have made it clear that it wouldn't work... but been ignored. and the archlinux package fails to update because the cert is invalid. Did you maybe forgot to also update the subdomain? The plan has always been to drop that vhost altogether. I haven't dropped it because of the last minute change to the plan, that's all. Its organization doesn't make sense (keeping alpha in the path, ...) and is unsuitable for everyone (packagers, build tools that expect metadata, ...), not to mention that it costs the project money to keep the VPS it sits on up. That's why I am keen on getting rid of it once and for all. The initial plan was to setup a new vhost (mvn.freenetproject.org) that would be AWS/S3 baked and would provide a maven-like repository structure we would push our builds to (and that packagers, installers, build tools, ... ) could use. Just like you, I have zero visibility on what is supposed to be happening... or what the current plan is; rest assured that it's not just the various packages that are broken (1478 doesn't magically bypass the certificate expiry check and has obviously not received any testing before being released). I have stopped to work on next since that isn't where the builds are being released from anymore... The subdomain "wiki" works okay for me (it redirects correctly to github). I do not know of others subdomains, but we should test all the domains. All the domains for which a plan did exist have been migrated (website, bugs, wiki). Those that haven't will see their DNS entry removed soon (doc-fr, testing, old-wiki, archives, downloads, emu). Florent On 05-04-2017 20:35, Arne Babenhauserheide wrote: Hi, The certificate expired and we use HTTP Strict Transport Security (HSTS). That means: Our old site is down until the DNS can be switched over to the AWS site. Let’s treat this as a test of what would happen if an attacker were to take down our clearnet infrastructure. Best wishes, Arne -- Unpolitisch sein heißt politisch sein ohne es zu merken
Re: HSTS and expired cert: our site is down for now
On Sun, 2017-04-09 at 19:57 -0300, Fernando Mumbach wrote: > Hello, > Hi Fernando, Since no one is replying to you, I will attempt to... > downloads.freenetproject.org is still using the old cert, It is a feature, not a bug :) The plan was to drop that FQDN... and then at the last minute, Arne has decided to release a build (1478) that has changed the plan. I have made it clear that it wouldn't work... but been ignored. > and the archlinux package fails to update because the cert is > invalid. Did you maybe forgot to also update the subdomain? The plan has always been to drop that vhost altogether. I haven't dropped it because of the last minute change to the plan, that's all. Its organization doesn't make sense (keeping alpha in the path, ...) and is unsuitable for everyone (packagers, build tools that expect metadata, ...), not to mention that it costs the project money to keep the VPS it sits on up. That's why I am keen on getting rid of it once and for all. The initial plan was to setup a new vhost (mvn.freenetproject.org) that would be AWS/S3 baked and would provide a maven-like repository structure we would push our builds to (and that packagers, installers, build tools, ... ) could use. Just like you, I have zero visibility on what is supposed to be happening... or what the current plan is; rest assured that it's not just the various packages that are broken (1478 doesn't magically bypass the certificate expiry check and has obviously not received any testing before being released). I have stopped to work on next since that isn't where the builds are being released from anymore... > The subdomain "wiki" works okay for me (it redirects correctly to > github). I do not know of others subdomains, but we should test all > the domains. > All the domains for which a plan did exist have been migrated (website, bugs, wiki). Those that haven't will see their DNS entry removed soon (doc-fr, testing, old-wiki, archives, downloads, emu). Florent > > On 05-04-2017 20:35, Arne Babenhauserheide wrote: > > Hi, > > > > The certificate expired and we use HTTP Strict Transport Security > > (HSTS). That means: Our old site is down until the DNS can be > > switched > > over to the AWS site. > > > > Let’s treat this as a test of what would happen if an attacker were > > to > > take down our clearnet infrastructure. > > > > Best wishes, > > Arne > > -- > > Unpolitisch sein > > heißt politisch sein > > ohne es zu merken signature.asc Description: This is a digitally signed message part
Re: HSTS and expired cert: our site is down for now
Hello, downloads.freenetproject.org is still using the old cert, and the archlinux package fails to update because the cert is invalid. Did you maybe forgot to also update the subdomain? The subdomain "wiki" works okay for me (it redirects correctly to github). I do not know of others subdomains, but we should test all the domains. On 05-04-2017 20:35, Arne Babenhauserheide wrote: Hi, The certificate expired and we use HTTP Strict Transport Security (HSTS). That means: Our old site is down until the DNS can be switched over to the AWS site. Let’s treat this as a test of what would happen if an attacker were to take down our clearnet infrastructure. Best wishes, Arne -- Unpolitisch sein heißt politisch sein ohne es zu merken
Re: HSTS and expired cert: our site is down for now
On Thu, 2017-04-06 at 17:19 +, Ian Clarke wrote: > On Thu, Apr 6, 2017 11:19 AM, Florent Daigniere nextgens@freenetproje > ct.org wrote: > > On Thu, 2017-04-06 at 15:08 +, Ian wrote: > > > Well, it's an improvement over what we have now even if it is > > > incomplete :) > > > Just for clarity, what is the procedure for deploying > > improvements? > > > > Pushing them to the existing repository on a different branch. > > Travis > > will auto-build/deploy from there if the build succeeds. > > > > The list of authorized people/process hasn't changed; anyone not on > > the > > list has to send a pull request. > > > > Where is the list? https://github.com/freenet/website/settings/collaboration > Any chance you can provide a top-down overview of the setup, or if > this is documented anywhere can you point me to it? Maybe I've just > been out-of-the-loop but I definitely don't have a good top-down > understanding of the setup. At least 2 people should have a good > enough understanding of this to admin it. > It's as simple as it can get: 1) Code lands on https://github.com/freenet/website/tree/2016-redesign 2) Travis runs https://travis-ci.org/freenet/website using https://github.com/freenet/website/blob/2016-redesign/.travis.yml that builds and deploy the website to an AWS s3 bucket Anyone with push access can change the travis config file and influence the build process. > > Now that it's live hopefully multiple people can fork it and start > > pushing improvements which we can review and merge. > > We should have an approval process for it - it would be ideal if we > > had staging where changes could be reviewed live before being pushed > > to production. > > That's the plan. When I get some time I will set it up (two branches, > deploying to two different buckets/FQDNs, like we used to have). > > I'm puzzled, when you said: > > I won't have time to do anything more for the foreseeable future. > > I assumed it meant that we couldn't expect you to do any more work on > this, did I misunderstand? > I have poorly expressed myself, what I meant is that I have little time and visibility on my calendar for the next few weeks... and that I currently don't have access to all the credentials I hold on behalf of FPI (I am abroad). > > Florent, if you won't have time to do anything for the foreseeable > > future, is there someone else familiar enough with how things are > set > > up that they can work on it? > > Right now there is still massive amounts of work to be done on the > content; IMHO a two step review process would be overkill for now... > > Ok, I agree that we should minimize red tape while there is still a > lot to be done. > > > It would be well worth spending some of our funding to hire an AWS > > expert to ensure everything is set up nicely and minimize the risk > of > > something like this happening in future. I have a good guy in mind > > (used to work for Amazon so very familiar with AWS). > > Thoughts? > > I don't think it would be. This happened because we weren't using AWS > yet. Our new setup is rock-solid and fairly standard: it's an S3 > bucket where the content is served by cloudfront. > > I was mostly motivated by the fact that I thought you said you > wouldn't be able to do any more, and yet you seem to be the only > person who knows how everything fits together. Please correct me if > I'm wrong, > > I just want to make sure we don't end up in a situation again where > something breaks and the only person who can fix it is unavailable. > If we can pay someone competent to help us to get to this point I > think it would be well worth it - but happy to discuss if you think > differently. > I am not the only person who can fix it, the bus-factor is catered for; Steve has all the credentials... as for the lack of documentation, it's lacking for both the legacy and "new" infrastructure. Feel free to start a page about it on the new wiki ;) Florent signature.asc Description: This is a digitally signed message part
Re: HSTS and expired cert: our site is down for now
On Thu, Apr 6, 2017 11:19 AM, Florent Daigniere nextg...@freenetproject.org wrote: On Thu, 2017-04-06 at 15:08 +, Ian wrote: > Well, it's an improvement over what we have now even if it is > incomplete :) > Just for clarity, what is the procedure for deploying improvements? Pushing them to the existing repository on a different branch. Travis will auto-build/deploy from there if the build succeeds. The list of authorized people/process hasn't changed; anyone not on the list has to send a pull request. Where is the list? Any chance you can provide a top-down overview of the setup, or if this is documented anywhere can you point me to it? Maybe I've just been out-of-the-loop but I definitely don't have a good top-down understanding of the setup. At least 2 people should have a good enough understanding of this to admin it. > Now that it's live hopefully multiple people can fork it and start > pushing improvements which we can review and merge. > We should have an approval process for it - it would be ideal if we > had staging where changes could be reviewed live before being pushed > to production. That's the plan. When I get some time I will set it up (two branches, deploying to two different buckets/FQDNs, like we used to have). I'm puzzled, when you said: I won't have time to do anything more for the foreseeable future. I assumed it meant that we couldn't expect you to do any more work on this, did I misunderstand? > Florent, if you won't have time to do anything for the foreseeable > future, is there someone else familiar enough with how things are set > up that they can work on it? Right now there is still massive amounts of work to be done on the content; IMHO a two step review process would be overkill for now... Ok, I agree that we should minimize red tape while there is still a lot to be done. > It would be well worth spending some of our funding to hire an AWS > expert to ensure everything is set up nicely and minimize the risk of > something like this happening in future. I have a good guy in mind > (used to work for Amazon so very familiar with AWS). > Thoughts? I don't think it would be. This happened because we weren't using AWS yet. Our new setup is rock-solid and fairly standard: it's an S3 bucket where the content is served by cloudfront. I was mostly motivated by the fact that I thought you said you wouldn't be able to do any more, and yet you seem to be the only person who knows how everything fits together. Please correct me if I'm wrong, I just want to make sure we don't end up in a situation again where something breaks and the only person who can fix it is unavailable. If we can pay someone competent to help us to get to this point I think it would be well worth it - but happy to discuss if you think differently. Ian.
Re: HSTS and expired cert: our site is down for now
On Thu, 2017-04-06 at 15:08 +, Ian wrote: > Well, it's an improvement over what we have now even if it is > incomplete :) > Just for clarity, what is the procedure for deploying improvements? Pushing them to the existing repository on a different branch. Travis will auto-build/deploy from there if the build succeeds. The list of authorized people/process hasn't changed; anyone not on the list has to send a pull request. > Now that it's live hopefully multiple people can fork it and start > pushing improvements which we can review and merge. > We should have an approval process for it - it would be ideal if we > had staging where changes could be reviewed live before being pushed > to production. That's the plan. When I get some time I will set it up (two branches, deploying to two different buckets/FQDNs, like we used to have). > Florent, if you won't have time to do anything for the foreseeable > future, is there someone else familiar enough with how things are set > up that they can work on it? Right now there is still massive amounts of work to be done on the content; IMHO a two step review process would be overkill for now... > It would be well worth spending some of our funding to hire an AWS > expert to ensure everything is set up nicely and minimize the risk of > something like this happening in future. I have a good guy in mind > (used to work for Amazon so very familiar with AWS). > Thoughts? I don't think it would be. This happened because we weren't using AWS yet. Our new setup is rock-solid and fairly standard: it's an S3 bucket where the content is served by cloudfront. Florent > Ian. > > > On Thu, Apr 6, 2017 2:49 AM, Florent Daigniere nextgens@freenetproject > .org wrote: > > I have made the DNS changes; these aren't the problem... > > > > The problem is that the content we serve from the new infrastructure > > isn't ready... almost a year in the making... so we have never > > finished > > the infrastructure switch. > > > > Whatever is pushed to > > https://github.com/freenet/website/tree/2016-redesign > > will go live; both of you have access; if you care, fix it :) > > > > I won't have time to do anything more for the foreseeable future. > > > > Florent > > > > On Thu, 2017-04-06 at 00:10 +, Ian wrote: > > > Crap, what are we waiting on to get it back up? > > > > > > > > > On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de > > > wrote: > > > > Hi, > > > > > > > > The certificate expired and we use HTTP Strict Transport > > Security > > > > (HSTS). That means: Our old site is down until the DNS can be > > > > switched > > > > over to the AWS site. > > > > > > > > Let’s treat this as a test of what would happen if an attacker > > were > > > > to > > > > take down our clearnet infrastructure. > > > > > > > > Best wishes, > > > > Arne > > > > -- > > > > Unpolitisch sein > > > > heißt politisch sein > > > > ohne es zu merken > > > > > > > > > > signature.asc Description: This is a digitally signed message part
Re: HSTS and expired cert: our site is down for now
The jnlp download for Linux requires review and almost certainly modification. I'm not familiar with jnlp itself but I will try to review it and the rest of the downloads in the next half hour on public transit. I don't know if I'll have enough time to complete that this morning however, it would be great for someone to review that too. Thanks, Dan On Apr 6, 2017 12:49 AM, "Florent Daigniere"wrote: > I have made the DNS changes; these aren't the problem... > > The problem is that the content we serve from the new infrastructure > isn't ready... almost a year in the making... so we have never finished > the infrastructure switch. > > Whatever is pushed to > https://github.com/freenet/website/tree/2016-redesign > will go live; both of you have access; if you care, fix it :) > > I won't have time to do anything more for the foreseeable future. > > Florent > > On Thu, 2017-04-06 at 00:10 +, Ian wrote: > > Crap, what are we waiting on to get it back up? > > > > > > On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de > > wrote: > > > Hi, > > > > > > The certificate expired and we use HTTP Strict Transport Security > > > (HSTS). That means: Our old site is down until the DNS can be > > > switched > > > over to the AWS site. > > > > > > Let’s treat this as a test of what would happen if an attacker were > > > to > > > take down our clearnet infrastructure. > > > > > > Best wishes, > > > Arne > > > -- > > > Unpolitisch sein > > > heißt politisch sein > > > ohne es zu merken > > > > > >
Re: HSTS and expired cert: our site is down for now
Well, it's an improvement over what we have now even if it is incomplete :) Just for clarity, what is the procedure for deploying improvements? Now that it's live hopefully multiple people can fork it and start pushing improvements which we can review and merge. We should have an approval process for it - it would be ideal if we had staging where changes could be reviewed live before being pushed to production. Florent, if you won't have time to do anything for the foreseeable future, is there someone else familiar enough with how things are set up that they can work on it? It would be well worth spending some of our funding to hire an AWS expert to ensure everything is set up nicely and minimize the risk of something like this happening in future. I have a good guy in mind (used to work for Amazon so very familiar with AWS). Thoughts? Ian. On Thu, Apr 6, 2017 2:49 AM, Florent Daigniere nextg...@freenetproject.org wrote: I have made the DNS changes; these aren't the problem... The problem is that the content we serve from the new infrastructure isn't ready... almost a year in the making... so we have never finished the infrastructure switch. Whatever is pushed to https://github.com/freenet/website/tree/2016-redesign will go live; both of you have access; if you care, fix it :) I won't have time to do anything more for the foreseeable future. Florent On Thu, 2017-04-06 at 00:10 +, Ian wrote: > Crap, what are we waiting on to get it back up? > > > On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de > wrote: > > Hi, > > > > The certificate expired and we use HTTP Strict Transport Security > > (HSTS). That means: Our old site is down until the DNS can be > > switched > > over to the AWS site. > > > > Let’s treat this as a test of what would happen if an attacker were > > to > > take down our clearnet infrastructure. > > > > Best wishes, > > Arne > > -- > > Unpolitisch sein > > heißt politisch sein > > ohne es zu merken > > > >
Re: HSTS and expired cert: our site is down for now
I have made the DNS changes; these aren't the problem... The problem is that the content we serve from the new infrastructure isn't ready... almost a year in the making... so we have never finished the infrastructure switch. Whatever is pushed to https://github.com/freenet/website/tree/2016-redesign will go live; both of you have access; if you care, fix it :) I won't have time to do anything more for the foreseeable future. Florent On Thu, 2017-04-06 at 00:10 +, Ian wrote: > Crap, what are we waiting on to get it back up? > > > On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de > wrote: > > Hi, > > > > The certificate expired and we use HTTP Strict Transport Security > > (HSTS). That means: Our old site is down until the DNS can be > > switched > > over to the AWS site. > > > > Let’s treat this as a test of what would happen if an attacker were > > to > > take down our clearnet infrastructure. > > > > Best wishes, > > Arne > > -- > > Unpolitisch sein > > heißt politisch sein > > ohne es zu merken > > > > signature.asc Description: This is a digitally signed message part
Re: HSTS and expired cert: our site is down for now
Crap, what are we waiting on to get it back up? On Wed, Apr 5, 2017 6:35 PM, Arne Babenhauserheide arne_...@web.de wrote: Hi, The certificate expired and we use HTTP Strict Transport Security (HSTS). That means: Our old site is down until the DNS can be switched over to the AWS site. Let’s treat this as a test of what would happen if an attacker were to take down our clearnet infrastructure. Best wishes, Arne -- Unpolitisch sein heißt politisch sein ohne es zu merken