[02:43:58] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3496011 (Johan) Sounds like a plan. Additionally, this should be mentioned in...
[02:45:05] Traffic, Operations, Patch-For-Review, User-notice: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) - https://phabricator.wikimedia.org/T147199#3496013 (Johan)
[04:01:43] Traffic, DBA, MediaWiki-extensions-WikibaseClient, Operations, and 5 others: Cache invalidations coming from the JobQueue are causing lag on several wikis - https://phabricator.wikimedia.org/T164173#3496077 (Krinkle)
[04:22:07] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3496111 (Johan) How do we do on the translation side for this, by the way? W...
[04:38:48] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3496127 (Johan) Regarding Firefox, Firefox 52 is the last version to work reli...
[04:40:48] Traffic, Operations, Patch-For-Review: Planning for phasing out non-Forward-Secret TLS ciphers - https://phabricator.wikimedia.org/T118181#1793501 (Mostafa2018k) ipad air 2
[04:41:20] Traffic, Operations, Patch-For-Review, User-notice: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) - https://phabricator.wikimedia.org/T147199#2684468 (Johan) Since this task was created in 2015, Firefox has stopped supporting Windows XP. They might need to install Firefox...
[07:32:31] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3496208 (MoritzMuehlenhoff) @Johan: Firefox is provided by Mozilla in two rele...
[07:53:38] FYI there's a couple of diffs that came up yesterday at ops/perf syncup that would need a set of eyes and possibly merge, https://gerrit.wikimedia.org/r/#/c/365589/ https://gerrit.wikimedia.org/r/#/c/355338/
[07:54:07] thanks godog
[07:57:33] np!
[09:39:12] bblack: upload upgrade in progress, I've prepped https://gerrit.wikimedia.org/r/#/c/369859/ to limit the workaround to text-only once upload is done
[09:43:44] ema: the call to the workaround should not be in the vcl_recv?
[09:44:06] or cluster_fe_recv_pre_purge is somewhat equivalent
[09:44:24] volans: hey :)
[09:44:30] it is called by vcl_recv
[09:44:37] (cluster_fe_recv_pre_purge)
[09:45:45] volans: so there's vcl_purge in modules/varnish/templates/vcl/wikimedia-frontend.vcl.erb
[09:45:52] s/purge/recv/
[09:45:58] yeah saw that
[09:46:05] but is a bit down the vcl_recv
[09:46:25] (saw that now)
[09:46:50] so I was wondering if it's equivalent or given we might return earlier in the vcl_recv
[09:46:53] it could still be an issue
[09:47:19] yeah
[09:47:36] assume zero varnish-internal knowledge on my side ;)
[09:47:39] more in general we might want to have a cluster_fe_recv_very_early kind of thing
[09:50:17] makes sense
[09:57:45] at any rate looking at the code it seems that the vulnerable part is called by V1F_Setup_Fetch, so it probably does not really matter where in vcl_recv you call the workaround, as soon as it's before anything that jumps from recv to hash
[09:57:49] http://book.varnish-software.com/4.0/_images/detailed_fsm.svg
[09:58:11] s/as soon/as long/ I can't speak today
[09:59:43] or from recv to pass
[10:01:05] which is of course trivial to verify by looking at our straightforward VCL!
[10:19:53] of the subroutines called before cluster_fe_recv_pre_purge, only https_recv_redirect returns something, and it returns synth, so I think we're fine
[10:21:23] 8/40 upload nodes upgraded so far
[12:39:19] How could it be anything but straightforward? There's none of the awful return statements or return values or pesky local variables that other languages use to confuse you, just linear code!
[12:42:07] well ok there are return statements, but they're special ones that return straight up through all VCL-level calls, all the way back to top scope (varnish itself)
[13:11:59] rotfl
[13:17:59] Traffic, Analytics-Kanban, Operations, Patch-For-Review, User-Elukey: Update Varnishkafka to support TLS encryption/authentication - https://phabricator.wikimedia.org/T165736#3496930 (elukey) Re-tested it in labs now and the current version of varnishkafka is able to use TLS without any modif...
[13:22:50] Traffic, Android-app-feature-Compilations, Operations, Reading-Infrastructure-Team-Backlog, Wikipedia-Android-App-Backlog: Determine how to upload Zim files to Swift infrastructure - https://phabricator.wikimedia.org/T172123#3496939 (fgiunchedi) >>! In T172123#3490510, @Mholloway wrote: > Hey...
[13:34:20] Traffic, Android-app-feature-Compilations, Operations, Wikipedia-Android-App-Backlog, Reading-Infrastructure-Team-Backlog (Kanban): Determine URL paths for Zim files - https://phabricator.wikimedia.org/T172148#3496966 (fgiunchedi) >>! In T172148#3490229, @Fjalapeno wrote: > @fgiunchedi We can...
[13:47:23] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3497006 (BBlack) >>! In T163251#3496111, @Johan wrote: > How do we do on the t...
[13:49:19] Traffic, Android-app-feature-Compilations, Operations, Reading-Infrastructure-Team-Backlog, Wikipedia-Android-App-Backlog: Determine how to upload Zim files to Swift infrastructure - https://phabricator.wikimedia.org/T172123#3497011 (Mholloway) >>! In T172123#3496939, @fgiunchedi wrote: >>>!...
[14:07:59] Traffic, Operations, Patch-For-Review, User-notice: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) - https://phabricator.wikimedia.org/T147199#3497100 (BBlack) Cross-ticket updates: There's a separate sub-ticket for the Communications side of this change at T163251, and a...
[14:09:35] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3191313 (BBlack) And for those wanting to follow the changes in 3DES percentag...
[16:48:59] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3497835 (Johan) Meta will probably do. I'll take care of it.
[17:00:36] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3497892 (Whatamidoing-WMF) >>! In T163251#3497006, @BBlack wrote: > For the te...
[17:20:29] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3497942 (BBlack) The current message text (which needs massaging and updating...
[17:26:08] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3497948 (Johan) If possible, I'd like to have "Wikipedia won't work in Interne...
[17:26:59] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3497949 (Johan) (I'll take care of gathering translations, in that case.)
[17:29:07] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Communicate dropping IE8-on-XP support (a security change) to affected editors and other community members - https://phabricator.wikimedia.org/T163251#3497950 (BBlack) Works for me. If you can paste back the text form of whateve...
[17:40:02] Domains, Traffic, Wikimedia Resource Center: Create resources.wikimedia.org as a redirect - https://phabricator.wikimedia.org/T172417#3497968 (Harej)
[17:47:04] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Get translations for "IE8 on XP won't work" for page - https://phabricator.wikimedia.org/T172418#3497985 (Johan)
[18:00:03] Traffic, Operations, Patch-For-Review, User-notice: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) - https://phabricator.wikimedia.org/T147199#2684468 (Bawolff) perhaps in the error page, the "use Firefox!" should be directly linked to the firefox 52 esr download page. The...
[18:01:09] Domains, Traffic, Operations, Wikimedia Resource Center, Patch-For-Review: Create resources.wikimedia.org as a redirect - https://phabricator.wikimedia.org/T172417#3498059 (Harej) Note that this is pending final c-level approval.
[18:05:27] Traffic, Operations, Community-Liaisons (Jul-Sep 2017), User-Johan: Get translations for "IE8 on XP won't work" for page - https://phabricator.wikimedia.org/T172418#3498116 (Whatamidoing-WMF)
[20:23:29] Traffic, Operations, Patch-For-Review, User-notice: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) - https://phabricator.wikimedia.org/T147199#2684468 (Quiddity) >>! In T147199#3498052, @Bawolff wrote: > perhaps in the error page, the "use Firefox!" should be directly link...
[21:12:40] Traffic, Operations: Non zero rated LVS IPs - https://phabricator.wikimedia.org/T170518#3498973 (ayounsi)
[22:14:51] what happens if, in cache::misc, there is a director defined with "eqiad: 'foo.codfw.wmnet'" vs. "codfw: 'foo.codfw.wmnet"
[22:15:22] saw some where there is only 1 backend.. but it's called "eqiad" followed by a codfw hostname
[22:15:48] does it break anything vs. "codfw: foo.codfw.wmnet" if it also just has one 1 backend but it's matching
[22:18:07] I guess you mean graphite2001? I don't know why it's that way tbh, but it doesn't technically break anything
[22:18:21] it does create x-dc un-encrypted traffic, though
[22:19:38] yes, i guess that was the one
[22:19:52] i wanted to add a director with just one backend. that is codfw-only
[22:20:07] it should be codfw: foo.codfw.wmnet in the normal case
[22:20:13] then i saw that example and thought "i hope i don't have to call the "first" one eqiad or something for technical reasons"
[22:20:20] ok, ack :)
[22:20:21] thanks
[22:20:37] I'm guessing the graphite2001 thing is some kind of mistake
[22:20:59] uploads a patch to fix it then
[22:21:04] it's not used as a backend to any service anyways
[22:21:12] oh
[22:21:20] but it should probably be solved a different way
[22:22:03] the relevant bits now are:
[22:22:04] graphite1001:
[22:22:04] backends:
[22:22:04] eqiad: 'graphite1001.eqiad.wmnet'
[22:22:04] graphite2001:
[22:22:04] backends:
[22:22:06] eqiad: 'graphite2001.codfw.wmnet'
[22:22:16] graphite.wikimedia.org:
[22:22:16] director: 'graphite1001'
[22:22:24] performance.wikimedia.org:
[22:22:24] director: 'graphite1001'
[22:22:37] ugh.. the director should be called just "graphite" and not contain numbers
[22:22:41] fixed similar thing for phab
[22:22:47] I think that's just a mis-translation from before the new schema there
[22:23:08] yeah should be just one director called "graphite" with both entries listed separately under their own DCs
[22:23:32] but if graphite's not active-active (it probably isn't), should probably have the codfw one commented-out to keep it active/passive until needed
[22:24:04] yes, will make a change
[22:24:09] thanks!
[22:33:26] https://gerrit.wikimedia.org/r/#/c/370107/
[23:01:27] Traffic, Operations, Patch-For-Review, User-notice: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) - https://phabricator.wikimedia.org/T147199#3499252 (Bawolff) >>! In T147199#3498842, @Quiddity wrote: >>>! In T147199#3498052, @Bawolff wrote: >> perhaps in the error page,...
[23:04:52] Traffic, netops, Operations: eqiad row D switch upgrade - https://phabricator.wikimedia.org/T172459#3499267 (ayounsi)
[23:20:38] Traffic, Operations, Patch-For-Review, User-notice: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support) - https://phabricator.wikimedia.org/T147199#3499332 (BBlack) Even while FF 52 is still supported by Mozilla, it's unlikely that Mozilla's security efforts can actually preven...