On Thu, Feb 21, 2019 at 11:01 AM, Lars Vogdt wrote:
Hi
Sorry for the long Email below, but the topic is triggering something in me that I can not hold any longer. Before you proceed reading, please note that I am speaking here as openSUSE member, not more, not less. I also don't want to attack anyone personally, just want to make clear where I see problems from my personal point of view.
On Thu, 21 Feb 2019 09:39:11 +0100 Richard Brown wrote:
On Thu, 21 Feb 2019 at 09:35, Maurizio Galli (MauG) wrote:
AFAIK Connect was declared soon to be dead some time ago.
Perhaps the way to deal with the spam is to pull the plug ASAP?
Pull the plug without a replacement for the Membership and the Membership application process and we'll be on course for not electing a new Board and having a constitutional crisis in the future
https://en.opensuse.org/openSUSE:Membership_officials#Process describes the current process and the requirements for such a replacement.
Getting a replacement should not be that hard. I could imagine anything from a Next-/Owncloud instance (with nice, additional features) over to something designed especially for membership management tasks like https://www.admidio.org/ for example.
But I see another, real problem: the amount of people willing to administrate and maintain all the infrastructure behind openSUSE is meanwhile down to less than a handful of people - and those need to be real super heroes as meanwhile they do not only need to administrate the "backend stuff" (means: operating systems, storage & network stuff) but ALSO all the running applications. I don't know how they manage all this in their spare time, but they have my deepest respect and I wish there would be more volunteers.
If you want to get an idea about the current status, just take the systems listed at https://status.opensuse.org/ (and keep in mind that there are many more systems in the backend that are not listed there):
* download.o.o -> maintained by one person, if I'm right
* planet.o.o -> more or less unmaintained - old, outdated software
There is an issue of upstream, it seems that there is no good upstream planet software, I have been working between the breaks on something that would work for us, but gave up after being tired of how annoyingly unsupported planet software seems to be. Also it's realistically a static website + CRON, and all reports of spam before on it were handled well by the admins.
* etherpad.o.o -> running outdated version, unmaintained
I might reuse the instance with matrix, considering riot has etherpad integration :thinking: (heroes, take me, I can fix this :x)
* icc.o.o -> down since weeks now, and nobody cares
* lizards.o.o -> 4.7.5 vs. 5.0.3 including security problems (please correct me here, if I'm wrong)
Also dead, the only posters are YaST team, which should move to their own yast.opensuse.org, when I get to creating a jekyll theme for posts and stuff needed to migrate. I will create a ticket to provo to export database later today.
* news.o.o -> at least the current version, but updates are happening only on special request
Funny you should mention that, I requested database export from provo, no response this far (please provo, it's not this hard)
* features.o.o -> luckily to be shut down soon
* progress.o.o -> old, outdated
And actively used ;)
* connect.o.o -> old, outdated - topic of this thread ...
To me it looks like more or less everything which is currently not in scope for SUSE employees is unmaintained.
Please note: this should not be an attack to anyone - especially not to the openSUSE heroes, who do their best to keep the systems up and running - but the openSUSE community should IMHO decide sooner than later IF and HOW these systems should be handled in the future.
Most of the web-applications listed above started because of enthusiastic community members who invested a lot of their spare time into this. They learned a lot and others found their work useful - everybody had a lot of fun during these days. But life goes on, and people started having other interests and went away. Others still find the systems useful and want to use them - they became legacy.
From my point of view, openSUSE as community is very bad in managing those legacy systems. While for some of them (like crashdb.o.o) the right approach was taken and the systems were shut down, others are still there and need someone who takes care.
Because it is not clear who is responsible for them, this is one criticism I would commit towards heroes here :P
We have an infrastructure policy [1] that says: "All running servers will be evaluated every 6 month to determined continued need for the services provided. If a service is deemed outdated or the server hosts content that may no longer be needed the maintainer on record will be contacted to provide additional details. If no response is received within a 2 week period the server will be shut down."
So either we - as community - decide to delete this sentence completely (as we do not want to follow the policy), or we allow our openSUSE heroes to follow the policy and shut down the services listed above. Sounds simple and consequent, right?
Agreed
If there is a need, requested from whomever (and from my personal history I know the board resp. the membership committee is asking again and again to keep connect.o.o alive), this person/group either has to invest the time and resources to keep the service in question up-to date, secure and alive or had to agree that they need to search for something else and find someone who takes over the administration.
I personally left the openSUSE heroes for many reasons. But one reason clearly was that I did not want to take over the responsibility for services that I did not set up/developed or have any interest in. Many users seem to anticipate that "keeping a service up and running" is very easy. I say: no, it isn't. Keeping a service not only available but secure and adjusted to changes (like PHP5 -> PHP7 or Ruby 2.3 -> 2.5 as example) needs time and knowledge. Of course, you could re-install it or re-deploy your docker image every time it has been hacked, but my personal demands are way higher than that.
So: saying that we need to keep old, outdated, already spammed services up and running "because our users - or better, a small group of users - want or need them" -- fully inheriting the risk of security and data breaches (how many people have their personal data stored in connect?) is not the way I can support. Not the way I can accept. Not the way I want to see openSUSE running and handling the personal data of the own community.
And I agree, some of those services should __not__ be handled by dynamic websites, all we really need for news, planet is jekyll frontend generated locally, which cannot be breached or contain personal details. I really want provo to respond with news and lizards, so we can have way nicer looking and working website for news, and send people articles they wrote on lizards in the past, so they can put them up somewhere they desire. BUT that requires provo to be responsive :/
I already took the consequences and stepped back from the openSUSE heroes. Looks like I need to step back as openSUSE member as well, as this is really nothing I want to be involved with.
openSUSE membership can be managed via paper. Setting up Email aliases and IRC cloaks can be stopped until there is a new tool established. Lost trust and data because of security breaches is way harder to restore and will result in much more work for everyone.
And it basically is managed via paper, or more precisely via spreadsheet from what I heard. From my POV, this is the perfect time to take action, considering that SUSE has to move away from majority of infra anyway, due to buyout, openSUSE could implement stuff like FAS and noggin for login, pagure for code etc. If you are passionate about managing web services, heroes have their arms more open than any other "team" in openSUSE from my experience (take note everybody >:D). There are also two services that weren't updated in a long time, paste and lists, those need some serious work too, but I believe there was a plan to move to gnu mailman anyway, so hopefully hyperkitty will be a thing for openSUSE in the future. Paste though? Well, well, uhh...
LCP [Stasiek]
https://lcp.world