X.Org BoD meeting minutes 2016-02-04

Daniel Stone daniel at fooishbar.org
Sat Feb 6 13:58:42 CET 2016


Hi,

On Saturday, 6 February 2016, Luc Verhaegen <libv at skynet.be> wrote:

> On Sat, Feb 06, 2016 at 12:36:09PM +0000, Daniel Stone wrote:
> > Nothing exciting to report. expo.x.org is ageing badly, as previously
> > reported here, so I was asked to help move services off it.
> >
> > The web services have now been moved to gabe.freedesktop.org; there were
> > some MoinMoin issues which Rob fixed, and also it took a while to
> arrange a
> > replacement (non-expired) SSL cert for members.x.org; Peter was also
> > missing access to gabe to update the site for coming elections. Those
> last
> > three were what was mentioned.
> >
> > All these are now resolved, and the Mailman web interface is now on SSL
> for
> > good measure. It looks like Egbert managed to catch the transient DNS
> > failure for the five minutes or so it was broken, but this is now fixed.
> >
> > Having the last of the x.org services under the fd.o umbrella means
> it's on
> > a machine which is actively administered and updated. expo is still
> > required as a DNS server until we can get our glue records sorted though.
>
> So all of X.org is now running on fd.o? Even the elections?


Correct.


> Since you yourself were involved in a major security issue just over 5
> years ago (1), you can understand that i do not trust fd.o one bit.
> Especially when it comes to x.org member elections.


Last I saw you had repeatedly declined to stand for election, so presumably
that isn't a concern.

>From a practical point of view, using fd.o as a nameserver with a snakeoil
certificate for the longest time (or, until recently, an expired StartCom
cert) meant that it was pretty open to exploitation anyway.

If you have concerns about the trustworthiness of the election process,
perhaps a good place to start could be raising concrete suggestions for
change, e.g. allowing voters to validate their vote.

I think it's fairly apparent that x.org lacks the practical capacity to run
its own services, and has done for some time.


> (1) The hacking of the radeonhd repository, for which you claim you
> "only" gave your root key to ajax, and did nothing else.


Not what I said either at the time or subsequently, but I'm not going over
this yet again. We have very different views of the history (and yet again,
some of your claims are factually incorrect), and will evidently never
agree on it.

Where to place services is a matter for the board; if you want to discuss
it with them then please feel free, but I'm not going to debate things with
you again.

Cheers,
Daniel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://foundation.x.org/archives/members/attachments/20160206/33ff8eed/attachment-0001.html>


More information about the members mailing list