Talk:SAC Meeting 2018-02-01

Transcript
[15:02] time for meeting
[15:02] https://wiki.osgeo.org/wiki/SAC_Meeting_2018-02-01
[15:02] Title: SAC Meeting 2018-02-01 - OSGeo (at wiki.osgeo.org)
[15:03] jody here
[15:03] hi jody
[15:03] so looks like first on list is foss4g2018 have we done anything with that?
[15:04] do we have any one on foss4g2018 group here?
[15:04] strk are you awake?
[15:04] == markusN [2e5a99d5@gateway/web/freenode/ip.46.90.153.213] has quit [Ping timeout: 260 seconds]
[15:04] here almost not here
[15:04] If we do I would love to ask them how to sponsor foss4g 2018 (I have people asking me)
[15:06] howdy (was watching a movie)
[15:06] cvvergara: here or not ?
[15:06] here still
[15:06] * strk is going to miss cvvergara driving the meeting
[15:06] okay doesn't sound like we have anyone from foss4g2018 here -- maybe we can followup with them after.
[15:06] strk yes I will too :)
[15:06] roll call ?
[15:07] jive[m], cvvergar (half here about to scram), robe2 here
[15:07] and strk just woke up
[15:07] that's it ?
[15:07] no PSC chair ? no contracted sysadmin ?
[15:07] yah I was expecting wildintellect to be here
[15:07] he's been updating the agenda notes in past hour or so
[15:07] strk correct both missing
[15:08] can you chair this meeting ? let's make it short
[15:08] I thought I already agreed to chair :)
[15:08] I left a detective looking for SS nazis ...
[15:08] col
[15:09] IIRC foss4g2018 wanted to move website on OSGeo infra, but I don't think anyone did anything for that
[15:09] strk yah that's what I recall too
[15:09] we were busy with the new website
[15:09] == markusN [2e5a99d5@gateway/web/freenode/ip.46.90.153.213] has joined #osgeo-sac
[15:09] I can try to talk to timlinux as I recall, they said he's hosting the main site on his company infra
[15:09] hi
[15:10] \o/ meeting population growing
[15:10] hi markusN - have anything to add to current discussion about foss4g2018 site
[15:11] no, nothing to add
[15:11] * markusN re-reads logs of now
[15:11] == tomkralidis [~tomkralid@osgeo/member/tomkralidis] has quit [Quit: Textual IRC Client: www.textualapp.com]
[15:12] while markusN is reading we'll move on to new website
[15:12] +1
[15:13] so wildintellect wrote in the agenda status that he has the new OSUOSL cloud host debian 9 server up
[15:13] == TemptorSent [68ff7e4b@gateway/web/freenode/ip.104.255.126.75] has joined #osgeo-sac
[15:13] jive[m]: and me made some tests for the roles
[15:13] yep, I saw that mail. we have a new server (exciting!)
[15:13] posted comments on the trac issue about roles ...
[15:14] new only thing is to do the stuff on main site
[15:14] He'll give me the credentials -- I'll resetup staging.www.osgeo.org on it, with plans to shortly after move www.osgeo.org (note new server will be running PHP7 and MariaDb 10 - instead of that ancient PHP5 / MySQL 5something the cloudvps is running)
[15:14] need approval motion?
[15:14] It seems like not much broke on staging2 which is running that new stuff, so I expect transition to be smooth
[15:15] oh, so the new server is only for the website ?
[15:15] cvvergara yes approval motion for www.osgeo.org --
[15:15] excitement--
[15:15] but I'm going to move staging.www.osgeo.org without approval, cause it's off anyway
[15:15] I like that you got roles to work, we should be careful about introducing too much process. Goal should be to enable projects and committee to "do the website" without SAC intervention.
[15:15] right, that is the idea delegate tasks
[15:16] jive[m] speaking of roles -- can I remove all those people out of the PostGIS project who think they are involved, but they aren't involved enough for me to consider them involved :)
[15:16] quick check: are you a postgis psc? then yes ...
[15:16] yes
[15:17] I'd actually like to remove ability of users to designate they are involved in a project, it's annoying to have people I don't know showing up on my project page
[15:17] so yes
[15:17] jive[m] yes both strk and I are postgis psc
[15:17] I think that is a design issue ... I thought the list was to mark your self as "users" but there is no distinction on "user of" and "involved in"
[15:17] (SAC wants to stay out of this kind of thing, only the project teams know who is involved)
[15:17] okay let me do that now. Been dying to delete people from postgis project page :)
[15:18] If you can figure out how to do so robe2 then please go ahead, I think you had the idea of a "PSC" role.
[15:18] yah I think you changed recently so I was able to resort people
[15:18] and looks like I can delete them too
[15:18] aside: Do you think any other project leads are "waiting for permission" before editing or deleting stuff on their project pages?
[15:19] after creating the role we can ask in projects mailing list
[15:19] there's a "website" trac component on trac.osgeo.org/osgeo
[15:19] easy to request access
[15:20] done
[15:20] feels good to have a clean list of real contributors :)
[15:21] jive[m] not sure, should we send a list to projects osgeo mailing list
[15:21] we should send to "projects", also ask if any projects are not yet on the website....
[15:22] cvvergara yah there is a distinction on the contributors, but contributors are companies
[15:22] although discuss@osgeo.org is fun, it is not the best venue for communicating to our project leads.
[15:22] but people contributing list
[15:22] so those just involved (e.g. training etc), don't show up on the project page unless they are specifically added to the project page
[15:22] for people we have "who's involved"
[15:23] jive[m] well we don't have that many -- maybe we just send a pseudo personal email to all the psc of projects and community projects
[15:23] yes, in both cases the PSC should be calling the shots on who (people) or what (organizations) are listed. Similar to https://www.qgis.org/en/site/forusers/commercial_support.html
[15:23] Title: Commercial support (at www.qgis.org)
[15:23] that is what the projects@osgeo.org email list consists of....
[15:24] (but I agree personal email is more effective)
[15:24] jive[m] so how hard would it be to make the people involved behave like the contributors involved piece? contributors involved has the right balance of allowing people to self align, vs. allowing project psc control over who shows up on their project page
[15:24] <jive[m]> so plan 1) roles 1st - with approval from SAC 2) contact projects email list 3) email project leads directly
[15:25] <jive[m]> I am not sure I understand robe2
[15:27] well on the project page -- on the Contributors section, I can put in any service provider.
[15:27] we email asking for the psc names to add them the psc role, and then they can decide things like what regina did, or modify their project page
[15:27] The service provider when editing their profile can say they are involved in say PostGIS, but they don't end up on the PostGIS page
[15:28] they show when I think you click the More Contributors link
[15:28] or that is the way I saw it work a week ago anyway
[15:28] <jive[m]> and on the "about" page you can put in any individual under "who's involved".
[15:28] yes, but the problem with that is they can edit that on their profile page, so I end up with all these half-assed postgis contributors on the postgis page
[15:29] sorry for using half-assed, I'm sure they think they are involved, but to me I can't tell them from joe user of postgis
[15:29] <jive[m]> Q: when they edit their profile page ... do they show up on the PostGIS page?
[15:29] yes they do
[15:30] <jive[m]> The service providers work the same way, they show up when filtering the list of service providers (with core contributors and contributors) sorted near the top.
[15:30] <jive[m]> Look I would be happy to collect out thoughts and make an enhancement contract with get interactive; we want this to work - and not all of this came to light during testing.
[15:30] <jive[m]> (ie I cannot answer "how hard", but I think we should get it done)
[15:30] which is what annoys me. So either we prevent them from editing that on their profile page, or we make it behave like service providers, where they are just self-proclaimed contributors, but not officially recognized by the proejct
[15:30] project
[15:31] <jive[m]> it is the 2nd approach we were trying for
[15:32] <jive[m]> (with the list of "postgis contributors" being sorted by the order the postgis PSC defines...)
[15:32] yah 2nd approach is fine. I don't want to take away power of people to say they are involved, I just don't want them showing up on the flash page :)
[15:32] <jive[m]> so do you have a bug? or an enhancement? lets "trac" accordingly and get it fixed.
[15:33] well I think it's doing more than sorting - it's leaving self-proclaimeds off the front-page
[15:33] jive[m] okay I'll add to osgeo github tickets
[15:33] The title of the input field is "Projects", change it to "Project contributor"
[15:34] <jive[m]> I guess I am just confused that self-proclaimed showed up on the postgis page; that was not the idea.
[15:34] so maybe it's a bug then
[15:34] <jive[m]> yeah looking at that now, I expect people just take this as "what projects do I use"
[15:34] Also says only "Chapter" change it to Belongs to chapter
[15:34] <jive[m]> (which would be fine, we just don't want that being used to cross list onto the project pages)
[15:35] So by making the titles more meaningful people will not over use
[15:35] okay 30 minutes is over we should rush thru the rest of items
[15:35] <jive[m]> final wish is for the "committee" pages to cross link so we do not have to edit them all the time.
[15:35] and with time make another column on the database for "Projects I use"
[15:35] <jive[m]> agreed
[15:35] I think contract, moving off old hardware needs wildintellect, so skipping that
[15:36] GeoForAll jmckenna, cvvergara doing anything about that?
[15:36] wildintellect put you two as in charge of that
[15:36] as I mentioned I can follow up with Jason now that strk has bestowed me with Pair Network powers :)
[15:37] if this is about DNS about a month ago or more i filed several tickets, to begin that
[15:37] i tried :)
[15:37] powers!
[15:37] I assume all involved will be for me to have Jason initiate the Registrar transfer on his end, I except on Pair end, repoint the dns entries at what they were before
[15:38] we should discuss how to organize credentials access too, right now there's a single file, it takes "sudo" access to read, on the "secure" machine
[15:38] it's under git too
[15:38] jmckenna so what was the stumbling block -- seemed like the registrar transfer would have to happen first.
[15:38] IIRC (but I could be wrong)
[15:38] or was Jason not responsive?
[15:39] accept on Pair
[15:39] strk want to put the organized credentials for discussion at next meeting?
[15:39] yes the ticket was exactly about all this, on secure
[15:40] goto go
[15:40] i even pointed to the file
[15:40] jmckenna oh I thought you already had the pair credentials no?
[15:40] when i got no response i figured it was a hierarchy thing
[15:40] i do not
[15:40] ah okay
[15:40] sorry, i have requested it
[15:41] strk you want to give jmckenna the pair credentials? or I could just take it from here
[15:41] formally in ticket
[15:41] == wildintellect [~wildintel@169.237.167.196] has joined #osgeo-sac
[15:42] hi wildintellect -- we were talking about GeoForAll and how Jeff is powerless cause he doesn't have the Pair credentials
[15:42] maybe wildintellect wants to handle all that, which is fine too
[15:42] I can help with that, it wasn't clear from the ticket if anyone had made contact to start the process
[15:42] but i did request formally
[15:42] and strk mentioned the need for defining how we will organize credentials -- e.g keep in secure, put in private git repo etc
[15:43] <jive[m]> aside: GRASS team asked about getting a signing certificate, there should be a trac ticket for SAC somewhere ...
[15:43] wildintellect for the OSUOSL if I give you my ssh key will that be sufficient for you to give me access?
[15:44] yes
[15:44] okay will send off list
[15:44] jive[m], Signing certificate for software?
[15:45] OSGeo has one, contact is Larry from QGIS (who's on SAC for this reason)
[15:45] <jive[m]> yes, same as was for QGIS and GeoServer last year.
[15:45] <jive[m]> Think we just find the ticket and give them permission to contact Michael Smith?
[15:45] robe2: pass them on and close the ticket ?
[15:46] <jive[m]> Okay, give them permission to contact Larry, let's assign him that ticket, when it is made ...
[15:46] strk close what ticket?
[15:46] <jive[m]> that works, did not look for the ticket yet.
[15:46] jive[m], do they need a new cert? can't they just work out with Larry how to use the current cert?
[15:47] permission to buy a new cert would require some formal application/vote
[15:47] <jive[m]> GRASS asked the board how to request signing certificate, answer is to talk to SAC.
[15:47] robe2: sorry, the DNS credentials to Jeff
[15:47] <jive[m]> I expect they can use the current certificate.
[15:47] let's not let bureaucracy block the flow
[15:47] okay will do
[15:47] (but we should really define that process better)
[15:47] yes if they can use the new cert then they just need to talk to Larry on how to use it
[15:47] strk: i like your idea of storing in gitea etc
[15:48] but I was wrong, it's not under git
[15:48] i thought it wasn't
[15:48] i looked too ha
[15:49] only I created a subdirectory with per-service file in
[15:49] it's not, if we moved credential storage, I would prefer it be moved to a password manager type system
[15:49] jmckenna I sent you an email
[15:49] so to eventually be able to grant access to a portion of credentials (more granularly)
[15:49] did you get it?
[15:49] wildintellect: I think there's a password store that is more or less that way (a file for each "record")
[15:49] forgot the name
[15:50] I don't use it myself
[15:50] robe2: thank you received :)
[15:50] <markusN> @jive: what is that "GRASS team asked about getting a signing certificate, there should be a trac ticket for SAC somewhere" ?
[15:50] strk folder is access
[15:50] I think only the ones I put in are there
[15:51] <markusN> it is about signing the GRASS GIS Mac OSX package
[15:51] <markusN> it is about signing the GRASS GIS Mac OSX package, so Apple stuff
[15:51] markusN just occurred to me doesn't QGIS have the same issue
[15:51] would both groups be able to share the same signing cert?
[15:52] <markusN> would be good but I have no idea about this
[15:52] robe2, yes, that is what I proposed above
[15:52] especially since GRASS and QGIS seemed to be used together frequently
[15:52] QGIS does already sign some of their installers
[15:52] ah okay
[15:52] sorry missed that Larry was QGIS
[15:53] <jive[m]> sorry was busy. We purchased an OSGeo signing certificate so OSGeo could sign QGIS, GeoServer, ... and now GRASS downloads.
[15:54] <jive[m]> Windows and MacOS are starting to lock down applications that are not signed by a developer (or organization).
[15:54] robe2: yes, "access" group
[15:55] <jive[m]> So they can share a cert. We actually bought a pack of three. For OpSec we may wish to provide each developer group a different cert.
[15:55] there's just me and you in that group
[15:55] <markusN> I'll try to make Michael Barton to Larry directly
[15:55] jmckenna: do you have ssh on the machine ? guess we can add you to that group
[15:55] strk: yes i have ssh to machine
[15:55] i was in access folder and filed ticket, i remember ha
[15:55] i am not on machine at second, but i remember seeing contents and could not view files
[15:56] jmckenna so guess you can add the pair file to access folder once you are in access group
[15:56] robe2: ok
[15:56] jmckenna: added you to group
[15:56] strk: k thanks
[15:57] robe2: staging2.osgeo.org file was world-readable
[15:57] I just changed it
[15:57] please beware
[15:57] strk okay sorry about that
[15:57] does "access" group need write access to files too ?
[15:57] next topic moving off old hardware
[15:58] wildintellect any further thoughts on that -- guess first issue is how trac is really slow (though moving off old hardware might not be necessary to fix that)
[15:58] pair would need to be moved from access.txt to specific file under access/
[15:58] yeah, we'd want to figure that out
[15:58] I think finishing the migration off osgeo4 should be a task for Martin
[15:58] not only tracsvn, also mailing lists are slow
[15:58] robe2, I have thought about the trac issue
[15:59] strk yes access group should have write rights
[15:59] I'm surprised that the decrease in load of the website being moved didn't help
[15:59] like if we go to a site and are forced to change the password, we would have to put in the new one
[15:59] yah seems like something else is amiss there. Did munin give any clues
[15:59] the only other thing with high load is download, but that hasn't increased at all
[16:00] right munin doesn't seem to show any particular issues
[16:00] could postgres db need maintenance?
[16:00] possibly
[16:01] DNS credentials moved from access.txt to access/pairdomains.com
[16:01] it's not cpu, maybe it's ram - but it's not swapping, however maybe something wants more room to cache
[16:02] so postgres, and maybe reduce the kernel swappiness seem like 2 easy steps
[16:02] I'll take a look at that postgres logs and see if anything shows and what kind of performance we are getting on the queries
[16:02] could it be just bandwidth ?
[16:03] unlikely but possible, maybe check to see if net io on download has spiked
[16:03] strk it doesn't use much bandwidth though does it, seems to get stuck TLS handshaking
[16:03] strk: thanks i see it there
[16:04] and can read it/access it
[16:04] robe2, ah TLS could be part of the issue - that whole need update to the SSL stack
[16:04] read&write (be careful!)
[16:05] yes but SSL issue isn't new
[16:05] unless clients changed to take longer to accept the old ssl ...
[16:05] strk: understood
[16:05] strk you want to add a cron job to set the chmod on those files to remove public read, and various write options regularly
[16:05] strk it's possible clients take longer now
[16:05] strk, it's possible the web browsers are changing quite a bit
[16:06] but also email is slow, is that on the same machine ?
[16:06] which emails?
[16:06] as old ssl is being slowly phased out. Like I said I had to explicitly add old ssl to my caddy config to allow trac to reach it
[16:06] mailing lists
[16:06] trac notifications
[16:06] mantra requests...
[16:06] no mailing lists are on osgeo6
[16:06] we often answer multiple times because mail arrives slow
[16:06] though trac notifications come from tracsvn
[16:07] true
[16:08] also commit notifications come from tracsvn :/
[16:08] should we file a ticket for martin, blocker, to try at understanding the issue ?
[16:08] well so the mail service is a 2nd possibly unrelated issue
[16:08] I haven't tried committing anything lately I recall last I did svn was slow to authenticate too
[16:08] yes, martin knows the mail config well
[16:08] hmm i haven't noticed mail service problems recently
[16:09] (i'm usually good to yell ha)
[16:09] tracsvn, I think we should push ahead on osgeo7 purchase and move it
[16:09] well rebuild it
[16:09] yah the only mail issue I ran into was that bounce back from netherlands when doing reply to mantra@...
[16:09] <markusN> yes, pls let's put trac stuff at high priority, it is too annoying
[16:09] that could just be a group member in mantra list though (mail box is full)
[16:09] osgeo7 is the machine that will host the website ?
[16:09] osgeo7
[16:09] i have also started to fix some issues from automated wiki bounces, to cut down those emails
[16:09] osgeo7 is the new hardware for whatever we need it for
[16:10] (wiki notifications)
[16:10] no I thought we got a cloud server for website
[16:10] not necessarily the new website
[16:10] osgeo7 will be the new physical server we setup once we have new hardware
[16:10] hardware is available now isn't it ?
[16:11] wildintellect so are we any nearer to a decision about getting new hardware in
[16:11] I think we'll have to take a straw poll on if we want to do virtualization or not
[16:11] based on that the decision is somewhat easier
[16:11] at this point I'd accept any virtualization solution just to get new hardware and new OS in place (Debian 9 as our new standard)
[16:12] sure but we have to have people in place who can run the choice we make
[16:13] well I do like the idea of virtualization -- just because I like the idea of being able to run a new OS without having to tear the whole machine apart
[16:13] and the possibility of running different kinds of OS if needed
[16:13] maybe we just limit the number of virtual machines, to make keeping them patched less work
[16:14] wildintellect yes
[16:14] I personally find ubuntu's unattended-upgrades very helpful, not sure if Debian has the same
[16:14] anyway I think if we can limit VMs to 3 or so we'll be good
[16:15] currently osgeo3 has: web, wiki, tracsvn, webextra, download
[16:16] so our options are still ganeti, libvirt, open stack, docker (with docker I feel is so common, we can have in addition to the others, can just go on osgeo6 or something)
[16:16] osgeo4 I guess still has: projects (should go to osgeo6), QGIS, going away, and adhoc (no idea what to do with it)
[16:16] I think we agreed docker on osgeo6, soon as someone configures it
[16:17] so that could be one of martin's tasks. I thought he said he had already started or planned to
[16:17] ganeti or libvirt for osgeo7, ganeti is not really useful with only 1 node
[16:17] so libvirt
[16:17] it's possible to migrate them to ganeti later
[16:17] without even moving the files
[16:17] wildintellect okay so libvirt then
[16:18] we can always get same configuration of hardware next share and then maybe migrate back to ganeti
[16:18] ok, I'll get fresh quotes on the hardware, we can then vote on it and order
[16:18] next year
[16:18] wildintellect great
[16:19] as I was saying to strk, we should probably make it a policy we get new hardware once a year or every 2 years
[16:19] wildintellect: debian does have unattended-upgrade
[16:19] hardware prices especially disk are constantly dropping.
[16:19] +1 for unattended-upgrades on most VMs then
[16:19] it's almost silly to waste breath thinking about it given the amount of time we spend troubleshooting old crappy hardware
[16:19] agreed
[16:19] agreed
[16:20] oh, right, I'm going to email list, about approving donation of $2000 to OSUOSL as budgeted for this year
[16:21] yes great
[16:21] though I suppose if it's the budget do we need to vote on it?
[16:21] <TemptorSent> Hello all. Regarding postgres performance, mentioned earlier, is VACUUM being run on a regular basis?
[16:21] (OSGeo board bumped up the donation to 2k)
[16:22] wildintellect I don't personally think we need to vote on it if it's already in budget
[16:22] we discussed in board meeting and approved
[16:22] ok then I'll contact Treasurer to make the donation
[16:22] TemptorSent - not sure it should be if it wasn't explicitly turned off
[16:22] I have the info on how now
[16:22] but I can check the configs on the postgres instance when I look at it
[16:22] wildintellect: great
[16:22] I think we can officially close the meeting.... and continue discussions as needed
[16:23] <TemptorSent> Regarding virtualization - What sort of storage will be backing the VMs?
[16:23] agreed
[16:23] TemptorSent, lvm
[16:23] on same hardware
[16:23] raid 5 disk array under (software raid)
[16:24] <TemptorSent> And a request to enable SSH keys for gitea to avoid the insanely insecure practice of logging in with username and password each time :)
[16:24] TemptorSent I recall that was something strk wanted to do but I forget the issue with LDAP etc. why we can't do that yet
[16:25] <TemptorSent> wildintellect - okay, that works for snapshotting. Has ZFS been given any consideration perchance?
[16:25] <markusN> ZFS on BSD...
[16:25] TemptorSent: I'm happy to see someone new interested in SAC, but who are you ? :)
[16:25] it's possible in this context, but that requires quite a bit of ram, and several people who know ZFS
[16:26] <TemptorSent> robe2 - Okay, it's probably something to consider prioritizing.
[16:26] Gitea supports fetching ssh public key from LDAP (synchronizing it) - would be great to allow adding SSH key to LDAP ?
[16:26] but we're still not asking GivenName in that form, so there are small things that can be done
[16:26] TemptorSent I think it was along the lines of moving gitea to new hardware where we can use good grade ssl too
[16:26] <TemptorSent> Hi strk - I've been around for a while actually, but haven't been terribly active until recently.
[16:27] which server is ldap running on?
[16:27] I don't remember your nick, do you use another on mailing lists or IRC ?
[16:27] robe2: secure
[16:28] <TemptorSent> I'm working on some OSGeoLive related testing with dbb, as well as various geo libraries.