Coin,
Long time no quack, but even if there was some work and maintenance
done, not much was really visible and needed advertisement.
=== Still Looking for Sponsoring ===
Our most important machine, Orfeo, is gonna be kicked out of its cosy
sponsored place. Currently the costly but possible plan is probably a
few months far but we have no certainty about the exact date of
availability and we may be forced to remove the machine very soon. So
if you have any knowledge about generous people who may be willing to
host this small (1U) machine, please tell us.
=== Upcoming Maintenance ===
The PostgreSQL database is gonna be upgraded, which means a few things
will be on hold until it finishes (mostly incoming mail and webmails).
This would probably take a few hours, so please be patient.
We'll been upgrading servers under the hood, but it is now time to
remove obsolete feature: the old Apache ACLs will be deactivated in a
matter of hours/days.
Moreover, to finish these upgrades, we need to reboot Orfeo and
Toushirou, which is gonna take place on the next we (2015-07-18/19).
=== Security Updates ===
With all the bad bugs and protocol problems discovered, the insecure
SSH DSA keys were removed.
On all services the accepted ciphers and algorithms were, again,
tightened, so you should upgrade your systems too if you don't want to
be out one day.
=== Security Certificated ===
As we are using a self-signed CA, this is a recurring topic when
people try to access our services. The way to solve this problem in a
secure fashion has been summarized here:
http://ca.duckcorp.org/
We also had time to implement a security alternative: DANE/TLSA[1]. If
you are using secure DNS[2] (DNSSEC validation) on your systems, then
you may have another way to access our services securely.
Currently the software support is not very widespread and requires
additional software. Plugins for major browsers have been implemented
here and seems to be working well:
https://www.dnssec-validator.cz/
On Chromium nevertheless the plugin is a bit ugly to install. The
browser may still complain about the certificate, but if you proceed
to the page the DNSSEC+TLSA indicators should help recognize you're
connected to the right site.
[1] https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
[2] https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
=== Quick News ===
* [2015-07-08] Throfinn was rebooted due to an hypervisor problem in
the Hivane architecture
* [2015-07-11] Jinta was rebooted
* [???] stuff.duckcorp.org improvements: new SMS (not MMS!) app,
experimenting a new Notes app (old notes are in your Files), raised
quota from 1GB to 5GB \o/
Have a pleasant summer!
--
Marc Dequènes (Duck)
