On Thu, Feb 21, 2019 at 11:01 AM, Lars Vogdt <Lars.Vogdt(a)suse.com>
Sorry for the long Email below, but the topic is triggering something
in me that I can not hold any longer. Before you proceed reading,
please note that I am speaking here as openSUSE member, not more, not
less. I also don't want to attack anyone personally, just want to make
clear where I see problems from my personal point of view.
On Thu, 21 Feb 2019 09:39:11 +0100 Richard Brown wrote:
On Thu, 21 Feb 2019 at 09:35, Maurizio Galli
AFAIK Connect was declared soon to be dead some time ago.
Perhaps the way to deal with the spam is to pull the plug ASAP?
Pull the plug without a replacement for the Membership and the
Membership application process and we'll be on course for not
a new Board and having a constitutional crisis in the future
describes the current process and the requirements for such a
Getting a replacement should not be that hard. I could imagine
from a Next-/Owncloud instance (with nice, additional features) over
something designed especially for membership management tasks like
But I see another, real problem: the amount of people willing to
administrate and maintain all the infrastructure behind openSUSE is
meanwhile down to less than a handful of people - and those need to be
real super heroes as meanwhile they do not only need to administrate
"backend stuff" (means: operating systems, storage & network stuff)
ALSO all the running applications. I don't know how they manage all
this in their spare time, but they have my deepest respect and I wish
there would be more volunteers.
If you want to get an idea about the current status, just take the
systems listed at https://status.opensuse.org/
(and keep in mind that
there are many more systems in the backend that are not listed there):
* download.o.o -> maintained by one person, if I'm right
* planet.o.o -> more or less unmaintained - old, outdated software
There is an issue of upstream, it seems that there is no good upstream
planet software, I have been working between the breaks on something
that would work for us, but gave up after being tired of how annoyingly
unsupported planet software seems to be.
Also it's realistically a static website + CRON, and all reports of spam
before on it were handled well by the admins.
* etherpad.o.o -> running outdated version,
I might reuse the instance with matrix, considering riot has etherpad
(heroes, take me, I can fix this :x)
* icc.o.o -> down since weeks now, and nobody
* lizards.o.o -> 4.7.5 vs. 5.0.3 including security problems (please
correct me here, if I'm wrong)
Also dead, the only posters are YaST team, which should move to their
, when I get to creating a jekyll theme for posts
and stuff needed to migrate. I will create a ticket to provo to export
database later today.
* news.o.o -> at least the current version, but updates are happening
only on special request
Funny you should mention that, I requested database export from provo,
no response this far (please provo, it's not this hard)
* features.o.o -> luckily to be shut down soon
* progress.o.o -> old, outdated
And actively used ;)
* connect.o.o -> old, outdated - topic of this
To me it looks like more or less everything which is currently not in
scope for SUSE employees is unmaintained.
Please note: this should not be an attack to anyone - especially not
the openSUSE heroes, who do their best to keep the systems up and
running - but the openSUSE community should IMHO decide sooner than
later IF and HOW these systems should be handled in the future.
Most of the web-applications listed above started because of
enthusiastic community members who invested a lot of their spare time
into this. They learned a lot and others found their work useful -
everybody had a lot of fun during these days. But life goes on, and
people start having other interests and went away. Others still find
the systems useful and want to use them - they became legacy.
From my point of view, openSUSE as community is very bad in managing
those legacy systems. While for some of them (like crashdb.o.o) the
right approach was taken and the systems were shut down, others are
still there and need someone who takes care.
Because it is not clear who is responsible for them, this is one
criticism I would commit towards heroes here :P
We have an infrastructure policy that says:
"All running servers
will be evaluated every 6 month to determined continued need for the
services provided. If a service is deemed outdated or the server hosts
content that may no longer be needed the maintainer on record will be
contacted to provide additional details. If no response is received
within a 2 week period the server will be shut down."
So either we - as community - decide to delete this sentence
completely (as we do not want to follow the policy), or we allow our
openSUSE heroes to follow the policy and shut down the services listed
above. Sounds simple and consequent, right?
If there is a need, requested from whomever (and from
history I know the board resp. the membership committee is asking
and again to keep connect.o.o alive), this person/group either has to
invest the time and resources to keep the service in question up to
date, secure and alive or has to agree that they need to search for
something else and find someone who takes over the administration.
I personally left the openSUSE heroes for many reasons. But one reason
clearly was that I did not want to take over the responsibility for
services that I did not set up/developed or have any interest in. Many
users seem to anticipate that "keeping a service up and running" is
very easy. I say: no, it isn't. Keeping a service not only available
but secure and adjusted to changes (like PHP5 -> PHP7 or Ruby 2.3 ->
2.5 as example) needs time and knowledge. Of course, you could
re-install it or re-deploy your Docker image every time it has been
hacked, but my personal demands are way higher than that.
So: saying that we need to keep old, outdated, already spammed
up and running "because our users - or better, a small group of users
want or need them" -- fully inheriting the risk of security and data
breaches (how many people have their personal data stored in connect?)
is not the way I can support. Not the way I can accept. Not the way I
want to see openSUSE running and handling the personal data of the own
And I agree, some of those services should __not__ be handled by dynamic
websites, all we really need for news, planet is jekyll frontend
locally, which cannot be breached or contain personal details.
I really want provo to respond with news and lizards, so we can have
way nicer looking and working website for news, and send people
articles they wrote on lizards in the past, so they can put them up
somewhere they desire. BUT that requires provo to be responsive :/
I already took the consequences and stepped back from
heroes. Looks like I need to step back as openSUSE member as well, as
this is really nothing I want to be involved with.
openSUSE membership can be managed via paper. Setting up Email aliases
and IRC cloaks can be stopped until there is a new tool established.
Lost trust and data because of security breaches is way harder to
restore and will result in much more work for everyone.
And it basically is managed via paper, or more precisely via
spreadsheet from what I heard.
From my POV, this is the perfect time to take action, considering that
SUSE has to move away from majority of infra anyway, due to buyout,
openSUSE could implement stuff like FAS and noggin for login, pagure
for code etc. If you are passionate about managing web services,
heroes have their arms more open than any other "team" in openSUSE
from my experience (take note everybody >:D).
There are also two services that weren't updated in a long time,
paste and lists, those need some serious work too, but I believe
there was a plan to move to GNU Mailman anyway, so hopefully
hyperkitty will be a thing for openSUSE in the future.
Paste though? Well, well, uhh...