- DC-Users - DuckCorp Mailing-Lists

Subject: What happened while you were on the beach?
by DuckCorp Admin Team 04 Sep '17

04 Sep '17

Quack, === Backup Back Online === It took a while, but thanks to Pilou's hard work we have full backup coverage again. If you'd like some data to be excluded from backup, either because it's useless or because you prefer not, you just need to add an empty '.nobackup' file in the directory to ignore (recursively). It's the same behavior as before, so if you already setup things, nothing changed. === More Changes after Stretch Migration === Noone asked about the Webdesk, so we're going to remove it very soon. We have a new cute IRC on Web as previous one was unmaintained, and broken after migration, enjoy! Former stats using Awstats were utterly broken and noone noticed; Piwik has been working well since a while and was promoted instead. Please use webstats.dc.o (no more webstats-ng.dc.o). Ask if you need your website to be integrated into the new system. The photos website (using Gallery2) was utterly broken after migration; we have no replacement yet but we're looking into it, sorry. Blogs were never used and broken after migration; they were removed. === A few Security Changes === Users with shell access should review their SSH keys (both stored and authorized); DSS and low grade RSA will soon be removed (advice: use ed25519). Persons (not only users) managing a DNS zone should use DNS CAA RR to protect from domain hijacking (please read https://www.isc.org/blogs/certificate-authority-authorization-records/) This is far from a perfect solution but may still help. We can do that for you if the zone is hosted by DC, just ask us. We've activated HTTP2 support on all websites, and this comes with improved ciphers and web settings. Also we plan to ensure all websites, user ones included, are all redirected to HTTPS, no exceptions. === Mail Security when using the Webmail === There is now an option to PGP encrypt/decrypt mails using our webmail (Roundcube) using Mailvelope. It is a browser extension allowing to use your PGP key locally, so it stays stored on your computer and the encryption/decryption occurs on your computer too. Unfortunately it does not handle signatures but let's hope the support in Roundcube improves. You can have a look here: https://www.mailvelope.com/ === Quick NEWS === * 2017-07-29 around 09:00 CEST and for ~2h a DNSSEC problem broke all DNS resolution on duckcorp.org domain due to a bug in OpenDNSSEC; happily noone seem to have noticed \_o< -- Marc Dequènes (Duck)

1 0

What happened while you were on the beach?
by Marc Dequènes (duck) 04 Sep '17

04 Sep '17

Quack, === Backup Back Online === It took a while, but thanks to Pilou's hard work we have full backup coverage again. If you'd like some data to be excluded from backup, either because it's useless or because you prefer not, you just need to add an empty '.nobackup' file in the directory to ignore (recursively). It's the same behavior as before, so if you already setup things, nothing changed. === More Changes after Stretch Migration === Noone asked about the Webdesk, so we're going to remove it very soon. We have a new cute IRC on Web as previous one was unmaintained, and broken after migration, enjoy! Former stats using Awstats were utterly broken and noone noticed; Piwik has been working well since a while and was promoted instead. Please use webstats.dc.o (no more webstats-ng.dc.o). Ask if you need your website to be integrated into the new system. The photos website (using Gallery2) was utterly broken after migration; we have no replacement yet but we're looking into it, sorry. Blogs were never used and broken after migration; they were removed. === A few Security Changes === Users with shell access should review their SSH keys (both stored and authorized); DSS and low grade RSA will soon be removed (advice: use ed25519). Persons (not only users) managing a DNS zone should use DNS CAA RR to protect from domain hijacking (please read https://www.isc.org/blogs/certificate-authority-authorization-records/) This is far from a perfect solution but may still help. We can do that for you if the zone is hosted by DC, just ask us. We've activated HTTP2 support on all websites, and this comes with improved ciphers and web settings. Also we plan to ensure all websites, user ones included, are all redirected to HTTPS, no exceptions. === Mail Security when using the Webmail === There is now an option to PGP encrypt/decrypt mails using our webmail (Roundcube) using Mailvelope. It is a browser extension allowing to use your PGP key locally, so it stays stored on your computer and the encryption/decryption occurs on your computer too. Unfortunately it does not handle signatures but let's hope the support in Roundcube improves. You can have a look here: https://www.mailvelope.com/ === Quick NEWS === * 2017-07-29 around 09:00 CEST and for ~2h a DNSSEC problem broke all DNS resolution on duckcorp.org domain due to a bug in OpenDNSSEC; happily noone seem to have noticed \_o< -- Marc Dequènes

1 0

Happy Duck Time
by DuckCorp Admin Team 18 Jun '17

18 Jun '17

Quack, Debian has been released! Omedetou!!! === Global Thermonucl^WUpgrade === Joshua will shortly upgrade all hosts and schedule reboot to use the new kernel. We will announce disruptions on IRC. We have already decided to deprecate a few services (see below) and more may come. Maintaining unused softwares is painful and if noone cares then we'd better redirect our efforts elsewhere. If we announce a deprecation and you're still an active user or the replacement does not suit your need, then please contact us. === Webmail === Squirrelmail is unmaintained, has security issues, and will be removed during the previously announced upgrades. Someone even told me it fell broken recently, so I guess it's a sign retirement has been postponed long enough. Horde works, and should continue to, but does not add much now that RounCube made quite some progress (and more after upgrade) and the extra apps are not very useful compared to what StuffCloud offers; it will be reevaluated, so tell us if you wish it to stay. === StuffCloud recent upgrade === Well, not so recent now. For a few hours the file view was utterly broken after an upgrade due to a bug, sorry for that. A new 'Circles' application allowing private/shared groups has been added. In the past we add an application for personal groups but it was not well maintained and this one makes this feature available again and more (and should be better maintained as it is a core-app). === Quick NEWS === * [2017-04-30] updated TLS certificates => services restart (very short disruption) * VCS: ** It has never been properly advertized but rcs*.duckcorp.org are deprecated and will be removed in September; please use vcs* addresses instead ** Git protocol enabled for Bip project, thanks to Trou for pointing this was missing * IRC on Web: The qwebirc instance available on https://irconweb.milkypond.org has been updated to use TLS while connecting to the IRC server * NTSX: Noone is using it and now tethering, plans, and local free WIFI (when you travel for eg) improved quote a bit so it is useless now and is gonna be removed soon Don't forget your umbrella. \_o< -- Marc Dequènes (Duck)

1 0

Grumpy Bear time
by DuckCorp Admin Team 02 Mar '17

02 Mar '17

Quack, Long time no quack, busy being ill… === Mail Rejection === As announced we had to change Orfeo's IPv4 recently. The new one was unused, so no previous spammer owned it, but the big corps have wittingly decided to consider it having a bad reputation by default. Also we discovered a user recently had his account compromised and it was used to relay SPAM. So we're stripping naked and leaking their asses to get our mails accepted, but it's taking time and maybe we'll need to give more of ourselves to get it. So please bear with us and report your problems with as much details as possible so we can debug and act accordingly (even if much of it is out of our control). === StuffCloud Ultimate Upgrade === This is an upgrade we've been postponing for too long. At some point having no fixes and no security support is really bad (even if it's not that great anyway). Also the next Debian release is coming and this software would not work anymore. So we've decided to switch from OwnCloud to NextCloud, and upgraded step by step. This was not easy to get something working in the end but here we are. Please tell us if you experience any difficulties. The list of apps is quite similar, so no data loss. The interface gained a bit of slowlessness too, charming. But there's fixes and a few new features you may like. Please note there is a NextCloud Android app on F-Droid, so while the old OwnCloud one still works, you should probably replace it. Also, to ease communication with the rest of the world, we decided to use letsencrypt to provide the HTTPS certificate for this service. This means it is now easier to give URLs to external people for sharing (no certificate to add to the browser manually). We may use letsencrypt for other websites in the future, but no decision made yet. === Out of Backup === Our previous backup system (Bacula) had some shortcomings and we ended-up having all backup expired and purged while we were busy elsewhere. We believe the current behavior is flawed and this software has proved to be slightly complicated to maneuver, so it is time to have some fresh air. We're working on deploying a new system, but in the meanwhile we're naked and if you have critical data I would advise you to do your own backup for the time being. We're really sorry of the situation and hope to have it solved really soon. Grrr Grrr Grrr \_o<

1 0

Strap yourselves in, boys. Planned maintenance during the night of 2/3 February
by DuckCorp Admin Team 31 Jan '17

31 Jan '17

Happy new year ! === Planned maintenance === In order to apply updates, all servers will be restarted during the night of Thursday 2 and Friday 3 February. Restarts will be performed one by one in the following order: Orfeo, Thorfinn, Jinta, Toushirou. All services will be affected, hopefully services with some redundancy will remain available: - mail (redundancy: mx1.duckcorp.org, mx4.duckcorp.org) - websites - DNS (redundancy) - IRC (redundancy: irc1.duckcorp.org, irc2.duckcorp.org) - Bip - IRC2IM gateway - Jabber - PostgreSQL - MySQL - LDAP (redundancy) - NTP sorry for the inconvenience. === Orfeo: accommodation === Thanks to Hivane, Orfeo has now a more durable location. Again, big thank to Hivane for the hosting, you may want to consider making a donation to them [1]. === Orfeo: new IPv4 address === Soon, the main IPv4 address of Orfeo will be changed from 193.17.192.211 to 193.200.43.105. The new IPv4 is already added, we still need to update the DNS configuration. [1] http://www.hivane.net/donate.html -- Pilou

1 0

This is not an idle threat! Planned outage: Orfeo 2016-02-26
by DuckCorp Admin Team 26 Feb '16

26 Feb '16

Youhou, === Planned outage === Our most important machine, Orfeo, is gonna be kicked out of its cosy sponsored place: Orfeo will be moved on 2016-02-26 in the afternoon to a new short term hosting. Big thanks to Hivane for the short term hosting. A few services will be unavailable: - mail (mx1.duckcorp.org) - websites (webmail, lists, webdesk, web IRC) - DNS (but Toushirou should handle) - IRC (but Jinta should handle), - Jabber (but Thorfinn should handle), - PostgreSQL - IRC2IM gateway - LDAP (but other nodes should handle in read-only mode), - NTP, sorry for the inconvenience. Orfeo === Still Looking for Sponsoring === The new accommodation is temporarily, Orfeo will be moved again before this summer. If you have any knowledge about generous people who may be willing to host this small (1U) machine, please tell us. バイバイ。 -- Pilou

1 1

This is not an idle threat! Planned outage: Orfeo 2016-02-26
by DuckCorp Admin Team 25 Feb '16

25 Feb '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Youhou, === Planned outage === Our most important machine, Orfeo, is gonna be kicked out of its cosy sponsored place: Orfeo will be moved on 2016-02-26 in the afternoon to a new short term hosting. Big thanks to Hivane for the short term hosting. A few services will be unavailable: - - mail (mx1.duckcorp.org) - - websites (webmail, lists, webdesk, web IRC) - - DNS (but Toushirou should handle) - - IRC (but Jinta should handle), - - Jabber (but Thorfinn should handle), - - PostgreSQL - - IRC2IM gateway - - LDAP (but other nodes should handle in read-only mode), - - NTP, sorry for the inconvenience. Orfeo === Still Looking for Sponsoring === The new accommodation is temporarily, Orfeo will be moved again before this summer. If you have any knowledge about generous people who may be willing to host this small (1U) machine, please tell us. バイバイ。 - -- Pilou -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJWzmJfAAoJEFmb43K6MKeM/pAL/jxfjYyAWc4F6Y34EAESEV2I GzXSgTo6qjFzzFVh0jLVClY1EtwVzAt9U70wtNXIR8250/nuTHEq3PnkYp5BCzN5 P7ROCmscNYjNgtvy8HZfYDUdsYHu3SwB8153cP6zTEqAP/qj5pCDASPs26fyMuhT kXOd0uH3cioYkaTzkh8rnhzu7y5N6ffXAj2X77F36FN/RWk8+5i9YgSQ0Zs3bs11 mtR7l9wM9O/I+AUYstES2af0VISnIfIYoRU6PkC9xXWr4qUKVTkP8jpA/n3yz7RF 83f3xFhBV9EPOiUs6kN8le9uzfEujKnupkIR5w0lWBZtCGqEDnYfCLbGcTcHyMaq RnrLL8aesIXvRF935/yjYU6SaIOPptjYRonkOjp0s8A3m818TyJUzKfv9odjmPjD NuC/8kIu5e2Brf7Q4FIVG1P3KpuotOOFpHYmbEYyaat5bO0IlNFaxhGLjBB+ulpb pqBe8mnSUF5dD8fN+6zZ6M/uUGZZNwaXukzMR6TnJw== =u5wI -----END PGP SIGNATURE-----

1 0

Silent but still around
by DuckCorp Admin Team 12 Jul '15

12 Jul '15

Coin, Long time no quack, but even if there was some work and maintenance done, not much was really visible and needed advertisement. === Still Looking for Sponsoring === Our most important machine, Orfeo, is gonna be kicked out of its cosy sponsored place. Currently the costly but possible plan is probably a few months far but we have no certainty about the exact date of availability and we may be forced to remove the machine very soon. So if you have any knowledge about generous people who may be willing to host this small (1U) machine, please tell us. === Upcoming Maintenance === The PostgreSQL database is gonna be upgraded, which means a few things will be on hold until it finishes (mostly incoming mail and webmails). This would probably take a few hours, so please be patient. We'll been upgrading servers under the hood, but it is now time to remove obsolete feature: the old Apache ACLs will be deactivated in a matter of hours/days. Moreover, to finish these upgrades, we need to reboot Orfeo and Toushirou, which is gonna take place on the next we (2015-07-18/19). === Security Updates === With all the bad bugs and protocol problems discovered, the insecure SSH DSA keys were removed. On all services the accepted ciphers and algorithms were, again, tightened, so you should upgrade your systems too if you don't want to be out one day. === Security Certificated === As we are using a self-signed CA, this is a recurring topic when people try to access our services. The way to solve this problem in a secure fashion has been summarized here: http://ca.duckcorp.org/ We also had time to implement a security alternative: DANE/TLSA[1]. If you are using secure DNS[2] (DNSSEC validation) on your systems, then you may have another way to access our services securely. Currently the software support is not very widespread and requires additional software. Plugins for major browsers have been implemented here and seems to be working well: https://www.dnssec-validator.cz/ On Chromium nevertheless the plugin is a bit ugly to install. The browser may still complain about the certificate, but if you proceed to the page the DNSSEC+TLSA indicators should help recognize you're connected to the right site. [1] https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities [2] https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions === Quick News === * [2015-07-08] Throfinn was rebooted due to an hypervisor problem in the Hivane architecture * [2015-07-11] Jinta was rebooted * [???] stuff.duckcorp.org improvements: new SMS (not MMS!) app, experimenting a new Notes app (old notes are in your Files), raised quota from 1GB to 5GB \o/ Have a pleasant summer! -- Marc Dequènes (Duck)

1 0

Maintenance: Thorfinn rebooted Saturday
by DuckCorp Admin Team 12 Feb '15

12 Feb '15

1 0

DuckCorp CA rollover -- update your config *NOW*
by DuckCorp Admin Team 06 Nov '14

06 Nov '14

Coin, All our encrypted services are based on our self-signed CA which in turn generates SSL/TLS certificates for all secure services. Our current CA is now 10 years old and using older encryption algorithms, so it's time to rollover. Thus, you need to add the new 'duckcorp.crt' file on your systems _before_ 2014-10-04. The switch may occur a tad later but i plan to swiftly get this over with. If you don't know to install the file, you should have a look in the wiki: https://users.duckcorp.org/index.php/Services/Security#TLS.2FSSL-based_Serv… Beware you need to leave the previous file around until the switch is done (simply rename it). As for the new file itself, 'duckcorp.crt', it is attached in this mail (and updated in the wiki too). Nevertheless, if you have keysigned (GPG) with one of the admin, you should verify and extract it using the following command: gpg --output duckcorp.crt <pilou_duckcorp.crt.asc (replace 'pilou' by 'arnau' or 'duck' accordingly to your web of trust) Have a Lot of FUN ! -- Marc Dequènes (Duck)

1 1