Issues with security and reliability of our infrastructure

[AlexDaniel]

See matrix-org/matrix.org#371.

Also maybe:

• [security] switch away from self-hosted packages matrix-org/matrix.org#370
• We should start recommending distro packages (when possible) user-experience#29

Basically, there's some perl 6 infrastructure that is used to host a bunch of stuff, including rakudo tarballs and msi's. I guess it's just a matter of time before things gets hacked? There's no hardening of any sort that I'm aware of, and definitely no policies to make things more secure. Also, last time I looked I saw a bunch of ssh keys of people who were no longer actively involved in the project, and at least one key of someone who is no longer alive.

I think a lot can be learned from matrix-org/matrix.org#371.

Also, I don't think that fixing a few things will cut it. IMO we need to be taking steps with much broader scope when it comes to security.

[AlexDaniel]

meta label because nothing else fits. If someone wants to start a new label, please let me know.

[lizmat]

For some reason I cannot see what labels are possible, nor can I add a label or assign it. If this is intentional, that's fine by me. If not, please give me access :-)

I would think a "infrastructure" label would be appropriate here. Using "meta" here just feels like "dunno" here.

[AlexDaniel]

@lizmat the list of labels is here and creating new ones is possible as long as somebody is ready to be assigned for that area of expertise. Who'd be that person for infrastructure?

[AlexDaniel]

Ah, as for not seeing all of the labels, this wasn't exactly intended… But it's also not wrong, as in people shouldn't be adding more labels without modifying the README.

[Altai-man]

With the recent outage of our main server, it is obvious we have to take measures to not only secure "all our bases", but to make them reliable and keep them reachable in case of a failure.

Unfortunately, I lack necessary admin skills for planning out things. Probably ping @kawaii?

Other than this, I can provide some funding for necessary additional servers / services. Not insane amounts of money, but hosting is relatively cheap right now, and not so much resources are actually needed: current DO droplet own by me is the smallest one, and its configuration is much more than enough for the load.

As for the ticket title... I would change it to something more general like "Review, analyze and improve-secure our infrastructure". And for it to not be "too broad" for people to think, maybe add a list of things that have to be considered, including security, reliability, keeping ways to handle possible failures and so on.

[rba]

@lizmat the list of labels is here and creating new ones is possible as long as somebody is ready to be assigned for that area of expertise. Who'd be that person for infrastructure?

I would volunteer to take care of infrastructure stuff. Would be great to have someone else on this topic as well yet.

[AlexDaniel]

@rba can you review what we have now and propose some initial changes? Also, are you on IRC?

[AlexDaniel]

Ping @moritz, @niner, @jnthn.

[kawaii]

I forgot that I'd been pinged here. I'd be happy to get involved looking at the infrastructure side of things and helping to maintain that too.

[niner]

If we need hosting/hardware, I can add some as well. As well as the server located in Germany that's hosting camelia and has all the infrastructure needed to run additional VMs, I could also offer hosting of VMs on Atikon's company infrastructure. We're running a failover cluster behind a DDOS protected proxy.

Is there some documentation of our current website and infrastructure setup? How does it all work? And where?

[AlexDaniel]

There's some info on https://github.com/perl6/infrastructure-doc/

[AlexDaniel]

Also, any thoughts on dockerizing all the things we have? Will it help?