tiber down, revu back up
Stefan Potyra
sistpoty at ubuntu.com
Sun Aug 19 16:14:41 BST 2007
Hi folks,
as you may have read at [1], several community servers have been compromised
and were thus taken offline. Tiber, the server running REVU, was among these.
However, I don't know if tiber was compromised as well, but I wouldn't say
that it was too unlikely, since it also was still running breezy.
During this weekend, I've set up a revu-instance on sparky (from the
ubuntu-wire network). The setup is not yet complete, the following things are
known to not yet work:
- revu-tools: running revu-report is currently not yet supported, and probably
won't be on sparky.
- nuking uploads: need to look over the scripts involved with nuking first
- auto-updating gpg keys from LP: currently, only manual updating of the
keyring is supported (and it's a little bit fragile, I must have missed
something to adjust there somewhere)
Since we cannot assume that tiber was in fact not compromised, all the
previously uploaded packages were not imported into the new instance. Also,
the database started completely empty.
I've just finished refilling the database using some heuristics to create the
necessary reviewer accounts. For this, I've taken the very last Changed-By:
Email from gutsy changes for everyone in the ubuntu-dev group. I've set all
passwords using pwgen, so you'll want to recover your passwords.
If anything else is broken on the new revu instance as well, or you've got any
questions, please contact me directly (via mail or irc in case I'm online).
Since sparky is not the world's most powerful box, please don't expect super
performance of revu. Also, being part of ubuntu-wire means that there are
quite a number of accounts on the box, which is suboptimal. Hence, it's
planned to migrate revu to a different (faster) box which is also located at
the University of Erlangen in about two to three weeks.
Of course, tiber was not only used to host revu. If you had some data in your
home directories which you definitely need to recover, I'd suggest asking
in #canonical-sysadmin for retrieval.
To keep revu more secure, we'll also need to tighten the security policy for
the new box. I'm thus sorry to say that we'll not be handing out accounts in the
same open manner we did for tiber, and may not be able to host any additional
services apart from revu on it.
I'm sorry for the inconvenience.
Cheers,
Stefan.
--
[1]: https://lists.ubuntu.com/archives/loco-contacts/2007-August/001510.html