[13:09:33] so the LVS traffic-class-blending seems to work
[13:11:56] nice
[13:21:25] I'm gonna spare-out lvs101[12] now I think, and then reinstall them all (1007-12) and see how it goes
[13:23:27] bblack: should we re-enable puppet on maps? On Monday perhaps for safety's sake?
[13:23:55] I think maps puppetization is actually broken at this stage
[13:24:00] until the next commit drops in
[13:24:34] because the role::cache::maps references the LVS IP stanzas for maps that vanished
[13:25:25] https://gerrit.wikimedia.org/r/#/c/352834/ "fixes" it :)
[13:32:24] oh I didn't refactor the service IP lists in role::lvs::balancer yet heh
[13:43:30] bblack, paravoid, about transport from Singapore to the US, there is also Hurricane Electric that is present at all the Singapore IX and can do L2 transport to pretty much anywhere
[13:43:54] they suck :P
[13:44:41] ah! okay. maybe as backup though if they are cheap?
[13:45:04] I never used them other than for v6 tunnels
[14:06:09] https://www.cryptologie.net/article/400/maybe-dont-skip-sha-3/
[14:06:26] ^ I think this person has a decent point, as much as I'm an Adam Langley fan
[14:06:40] historically, we've made different TLS tradeoffs than Google and likely will continue to do so
[14:08:37] (TL;DR - we prefer stronger-but-slightly-slower crypto more strongly than they do in cipher ordering. we dumped RC4 and other weak ciphers long before they did, and likely will for e.g. 3DES and so-on. We've kept a well-managed DHE cipher in play to give forward secrecy to e.g. Android 2.x while they gave up and made things faster and non-forward-secret for those clients by dumping all DHE, etc)
[14:09:19] there's no right answers in any of this, everyone's situation and judgement will be a little different. But they do err in these edge cases towards speed and extreme compatibility over security, and we don't as much.
[17:43:36] thanks for the tl;dr