Session Date/Time: 11 Oct 2022 18:00
TOOLS
Summary
The TOOLS working group held a session to discuss various infrastructure and operational updates. Key discussions included the plan for the November call (skipping a dedicated call in favor of a Code Sprint discussion), progress on the infrastructure strategy document, and plans for a workshop on document publication. Several security-related incidents and their resolutions were reported. Updates were also provided on IMAP authentication, FTP service retirement, ID-diff adoption, Mailman infrastructure changes, NomCom eligibility calculations, Wiki.js deployments, and DNSSEC migration. A specific technical question regarding XML name parsing was raised and will be followed up on.
Key Discussion Points
- Meeting Format: The meeting adopted a new format, focusing on detailed discussion for "Hot Topics" and taking other agenda items "as read" with opportunities for real-time scanning and questions. The format received positive feedback for focusing on discussions, though some noted limited additional information beyond reading notes.
- November TOOLS Call: The scheduled November call conflicted with IETF 115. A sense of those present leaned towards skipping a separate November call.
- Code Sprint Discussion: It was suggested to reserve half an hour during the IETF 115 Code Sprint for a general TOOLS discussion, allowing for remote participation.
- Infrastructure Strategy: The infrastructure strategy document, outlining how TOOLS services will be run and evolved, received limited feedback. Comments received have been incorporated. The framework for moving forward appears acceptable.
- Document Publication Workshop: A workshop is planned for the first two weeks of December to gather input on how documents (RFCs, Internet Drafts, meeting materials, photos) are published on the internet. Topics will range from centralized storage with short URLs to content vs. metadata pages. Policy-related discussions will serve as input for the rswg.
- Security Incidents:
  - Open Redirect: An open redirect vulnerability, present for approximately a decade, was discovered and patched. It originated from Django middleware intended to support legacy Perl URLs, which bypassed Django's redirect protection. The middleware was removed.
  - Role-Based Access Control (RBAC) Bypass: An edge case in the RBAC mechanism allowed an unauthenticated user to deface the group used for individual submission drafts. The issue was fixed by correctly handling situations with no target roles.
  - IESG Notification: A discussion arose regarding notifying the IESG chair when security incidents (especially those affecting data integrity or availability) are discovered, even if no outage occurs.
- NomCom Historical Data: Mary Barnes reported broken links to old NomCom information. Investigation revealed this data was previously hosted on Henrik's tool servers as handcrafted pages, was not fully archived by the Internet Archive, and was removed by Henrik many years ago after NomCom information moved to the data tracker. Recovery of this lost data is unlikely.
- IMAP Authentication (Auth-PD): An attempt to add user identity mapping to the IMAP server exposed that `auth-pd` was still dependent on an old Python 2.7 data tracker instance. The Python 2.7 instance was temporarily reinstated.
  - Migration Plan: The plan is to migrate `auth-pd` to the modern Python 3.9 data tracker and separate their lifecycles by having `auth-pd` use a dedicated API instead of directly accessing data tracker models.
- General Updates (Taken as Read):
  - Cloudflare Streaming: Work is in progress to add Cloudflare streaming services alongside YouTube for broader global reach.
  - FTP Service: The FTP service has been configured to serve only a tombstone file; usage has dropped to zero.
  - Mailman Integration: Email list bridging in Zulip has been removed, and Zulip archives have been cleared.
  - ID-diff: Work continues to finalize ID-diff adoption for data tracker and author tools, replacing `rfc-diff`. The `pyhd` scripts on www.ietf.org will be taken offline once this is complete.
  - Post-confirm: Google's stricter enforcement of RFC 5388 headers (comma-separated vs. multiple headers) required a patch. This highlighted that `post-confirm` in production is a hand-installed Python 2.7 script, not a packaged release, and will require rewriting for Mailman 3. The extent of DMARC rewriting functionality for Mailman 3 is still under consideration.
  - NomCom Eligibility: Improvements have been made to NomCom eligibility calculations, with ongoing discussions about handling users registered in multiple ways.
  - Wiki.ietf.org: Wiki.ietf.org has been moved behind Cloudflare. The process for auto-generated certificates will be improved for future migrations (e.g., Chairs and Authors wiki instances). The IETF-specific Wiki.js plugin has been merged into a new repository, streamlining deployments.
  - Other Tools: Brief mentions (taken as read) of ongoing work on Data Tracker, bibxml, author tools, the IETF website, NXML-RFC, mail archive, and YANG catalog.
- NXML `forename` Parsing: Ross asked about the deployment status of a fix for a `forename` parsing issue in NXML-RFC, which is causing problems with XML includes.
- DNSSEC: The current DNSSEC records for ietf.org use deprecated crypto algorithms. A proposal is in progress to move all DNS services to Cloudflare and update algorithms after IETF 115.
Decisions and Action Items
- November TOOLS Call: No dedicated TOOLS call will be held in November. Instead, a specific half-hour general TOOLS discussion will be scheduled during the IETF 115 Code Sprint to accommodate remote participants. The chair will determine the best time and advertise it.
- Infrastructure Strategy: The current infrastructure strategy document is considered "done" as a framework. Jay will work with the IETF LLC Executive Director on one or more RFPs for delivery around this strategy.
- Document Publication Workshop: Target the first two weeks of December for the workshop on document publication. Alexis and the chair will develop driving questions.
- Security Incident Reporting: Secretariat and the tools team are to note that in the future, if a security issue is discovered, a note should be dropped to the IESG chair of the time, especially if it affects data integrity, availability, or functionality.
- IMAP `auth-pd` Migration: The plan is to migrate `auth-pd` to the modern Python 3.9 data tracker, using a separate API to decouple their life cycles.
- Post-confirm Packaging: Infrastructure needs to be built to make `post-confirm` installable as a package, addressing the current manual deployment issue.
- NXML `forename` Issue: Jay will follow up with Ross on the status of the `forename` parsing fix in NXML.
- DNSSEC Migration: Steps will be taken to move DNS services to Cloudflare and update crypto algorithms after IETF 115 (between IETF 115 and 116).
Next Steps
- Jay will work on RFPs for the infrastructure strategy.
- The document publication workshop will be organized for early December.
- Migration of `auth-pd` to Python 3 with API separation.
- Work on packaging `post-confirm` and planning its rewrite for Mailman 3.
- The chair will determine and advertise the time for the TOOLS discussion during the IETF 115 Code Sprint.
- Proceed with DNSSEC migration and algorithm updates after IETF 115.
- IETF 115 attendance in London.