Transition Technology: Ticket Query

#849: (No subject)

paul — Tue, 28 Apr 2015 12:35:03 GMT

Hi Sam / Ade
Would you advise when outstanding invoices will be paid? We used to get our
invoices paid every month.
--
Best
Paul Booker
Drupal Developer & Linux Systems Administrator
Website: http://www.paulbooker.co.uk
Drupal.org: https://www.drupal.org/u/paulbooker
Twitter: @paulbooker <https://www.twitter.com/paulbooker>
Tel: +44 01922 861636

#865: synchronisation

annesley — Wed, 15 Jul 2015 13:26:48 GMT

ideas. please query them.

we are synchronising between different data structures: WordPress and Drupal and anything else the plugin is installed on. therefore standard *database level* distributed synchronisation management tools will not be appropriate. this is unfortunate because synchronisation is a big task. however, it is possible that there are some CRUD / REST based sync tools. so: we need an XML abstraction layer (partially done already) produced by the Drupal, Wordpress, etc. plugin that is standardised and can then be compared and synced via standard API calls.

Steps:

new Transition Town registration on server A notify server B that there is new data and send the GUID of this new data server B then requests only the new data from server A (incremental) using the GUID server B creates the new item in it's database with a new native ID using the abstraction layer in it's plugin / module

addtions to this universal data pool, e.g. a new Transition Town, will be propagated via a network sync request at point of addition. "listener servers" will then request the new data (incremental only) and, in turn push that out to all other listeners. each plugin will therefore extend and expose it's CRUD style synchronisation abstraction functions:

add-user add-local-group change-user etc.

many of these are already available as part of the framework-independent plugin / module

currently, i suggest that ALL plugins contain ALL the international user and Transition Town data. passwords and emails, contact info will be handled by a 3rd server, either Mozilla Persona or Open ID. user accounts will also be synchronised on to ALL plugins but without passwords as those are held on the 3rd server. thus far had already been agreed with Ed. but, ofc, can be changed :)

new plugin installations will receive a full complement of data at time of installation. check digits will be periodically shared to check that all data is in-line. all users will be able to register and edit their data on ANY website holding the plugin. TT and USER changes and registrations will then propagate via PUSH notifications across the entire network all native IDs will be different. i.e. TT Brixton will have a different ID on each server. thus, as always with synchronissation, all IDs will be transformed to GUIDs by the abstraction API and only GUIDs will be used to analyse the network of data and synchronisation. login to any website containing the plugin will be transparent (unlike the demo i set up) through the normal wordpress and drupal login screens. the plugin will intercept failed authentication and attempt to authenticate against the universal servers. new accounts created via universal registration on any server will have a framework specific configurable role and thus permissions on that server will be set by the administrator specific to that server.

#877: RE: outstanding invoices

paul — Thu, 15 Oct 2015 11:20:05 GMT

Hi Sam,
Hope you're well.
Any chance you could pay my 3 outstanding invoices today?
Best, Paul
--
Paul Booker
Drupal Support for Websites and Linux Servers
Website: http://www.paulbooker.co.uk
Tel: +44 01922 861636

#884: RE: http://news.transitionnetwork.org

paul — Thu, 03 Dec 2015 12:40:03 GMT

Hi Chris, All
Can you help me to reset my password for paulbooker for
news.transitionnetwork.org? I just tried to use the reset password form but
I never received an email and when I Iooked at the settings,php file for
the website (generated by Aegir) I couldn't see immediately where to find
the database.
I think I may have missed some recent updates to news.transitionnetwork.org
so urgently need to resolve this today.
Not sure how this has fallen of my radar, but, I just noticed that
news.transitionnetwork.org is no longer mentioned on the platform page on
Aegir so may have got into thinking that this site no longer exists.
http://news.transitionnetwork.org
https://tn.puffin.webarch.net/hosting/platforms
--
Paul Booker
Drupal Support for Websites and Linux Servers
Website: http://www.paulbooker.co.uk
Tel: +44 01922 861636

#887: Lot's of failed logins on conference15.transitionnetwork.org

sam — Fri, 04 Dec 2015 11:39:10 GMT

Hi all

Overnight I had 150 notifications of failed login attempts and subsequent IP address bans from the https://en-gb.wordpress.org/plugins/wordfence/ security plugin I installed.

It's coming from multiple IP addresses in multiple countries.

It seems like Wordfence is doing it's job and blocking IP's. I only mention it as I'm wondering if it could be related to the recent downtime.

Feel free to close this ticket, just thought it was worth sticking in here.

Thanks

Sam

#890: Site offline.

sam — Sat, 12 Dec 2015 10:54:36 GMT

It's serving a page, so may be Drupal level problem rather than server level?

https://www.transitionnetwork.org/

#899: Managing security after Feb 24th, 2016.

paul — Thu, 28 Jan 2016 15:22:28 GMT

Hello,

Just did some research to check how we will manage security after Feb 24th, 2016.

A small group of vendors (approved by the security team) will provide patches for core and some of the most commonly used contributed modules, that are used on their client websites. Security patches will be put in the Git repo for the D6LTS project on Drupal.org, and will be announced in the issue queue. We will just need to monitor this issue queue and apply any security patches.

However, these vendors will not be supporting ALL contributed modules. Each of the vendors will be maintaining lists, and providing them to the Drupal Security Team so they know which issues to include them on. With this in mind shall we send a copy of our list of contributed modules to each of the vendor companies and ask them to provide us with a list of our modules that they are currently not supporting? We can then decide how we should support the modules that are not supported by the vendors.

Best, Paul

#922: SSH to parrot please

sam — Thu, 28 Jul 2016 15:30:37 GMT

Hi Chris

Could I get SSH access to parrot please?

samrossiter@…

Thanks

Sam

#746: New comment notifications not being sent to content owners.

sam — Tue, 24 Jun 2014 09:27:11 GMT

Hi Paul, Annesley, Chris

Ed hasn't been getting notifications for new comments.

"Please check if new comment notifications are being sent to content owners. I don’t think I am receiving email alerts for my blog posts."

I'll email Rob to see if he's getting any.

Could you investigate?

Thanks

Sam

#764: Policy decisions re-assessment on BOA and Drupal security updates

annesley — Tue, 22 Jul 2014 14:10:38 GMT

on-line meeting 5 / August @ 14:00 GMT: we are phasing out the current D6 / BOA system. the new system may not use either. The TN.org website is not attractive to high level hackers or DOS attacks.

what are the risks with cancelling all further Unix, BOA and Drupal updates completely that do not allow direct un-mitigated access to the backend via bad PHP code / SQL?

#806: IIRS pre-beta usability issues

chris — Mon, 10 Nov 2014 21:30:27 GMT

Ticket to track usability issues etc.

#738: Change 'ben' account to have Ben Jarlett as owner

ed — Tue, 10 Jun 2014 09:14:06 GMT

Chris: change the ‘ben’ account’s password Chris; change the ‘ben’ account to have 'emailme@…’ as the p.o.c. Chris? Ben?: change the ‘benj’ account to have ‘web project@…’ as the p.o.c. and Ed to forward anything vital if/when it comes up ALL to use only ‘ben’

#794: Time estimate: change TN.org background image

ed — Fri, 10 Oct 2014 09:06:29 GMT

Rob is thinking about doing a 1970s editorial month, and would like a 1970s style 'naff' wallpaper.

Ben please can you provide a time estimate for replacing the tasteful blue dotty background with some semi-transparent paisley thing for a month, and then reverting to the tasteful blue dots

#740: Add 'class button block' to Soundcloud block

sam — Thu, 12 Jun 2014 09:55:05 GMT

Hi Ben

Could you add 'class button block' to the block class settings for this block:

https://www.transitionnetwork.org/admin/build/block/configure/block/98?destination=blogs%2Frob-hopkins

Or shall I give myself 'developer' permissions so I can add these myself?

Thanks

Sam

#519: Fixing various URL in the Database

chris — Fri, 15 Mar 2013 13:47:21 GMT

This page:

http://transitionnetwork.org/support/what-transition-initiative

Contains this HTML:

<p><img alt="TransitionSantaCruz" src="http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png" align="right" height="69" width="150"></p>

The image is a 404:

http://transitionsc.org/sites/www.transitionnetwork.org/files/pixture_reloaded_logo.png

The correct location for the image is:

http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png

Looking at the Internet Archive this was correct back in October 2012,

http://web.archive.org/web/20121022030350/http://www.transitionnetwork.org/support/what-transition-initiative

Their munged HTML contains the correct URL:

<p><a href="/web/20121022030350/http://transitionsc.org/sites/default/files/pixture_reloaded_logo.png" class="colorbox initColorbox-processed cboxElement">

It appears to me that an edit must have been done on the database something like:

s;/sites/default/files/;/sites/www.transitionnetwork.org/files/;

There might well be other URLs to other Drupal sites that were changed when they shouldn't have been?

I have had a quick look at the database dump and couldn't find any examples of this problem, but there are 113 lines to check:

grep "sites/www.transitionnetwork.org/files" /var/backups/mysql/sqldump/transitionnetwor.sql | wc -l
113

I did notice that there are a lot of URLs in the database like this:

src=\"http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u5857/Map-TransitionNetworkOffice.jpg\"

And

src=\"https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/uploaded/u4/transition%20companion%20cover.jpg\"

Both the above links would be better starting with / or //www.transitionnetwork.org/ as this would avoid people getting HTTPS content when using HTTP and also getting HTTP content when using HTTPS.

I think it would be worth putting the site into maintenance mode, doing a dump of the database, checking these 113 lines for issues like those above, correcting them all and then reinserting the data, however this would need to be done at a suitable time.

I'd be happy to do this task. Ed, Jim, any thoughts about when would be a good time to do it?

#537: Parrot setup and documentation

chris — Tue, 30 Apr 2013 11:11:36 GMT

Things done setting up parrot.webarch.net -- a new virtual machine for running Wordpress sites, see wiki:ParrotServer

#540: HTTPS for WordPress sites

chris — Wed, 01 May 2013 20:20:32 GMT

Currently the wiki:WordPress sites have have the following SSL certificates:

https://www.intransitionmovie.com/ -- Gandi commercial certificate and dedicated IP address
https://www.reconomy.org/ -- CAcert non-commercial certificate and shared IP address (SNI)
https://www.earthinheritors.net/ -- CAcert non-commercial certificate and shared IP address (SNI)
https://parrot.transitionnetwork.org/ -- Gandi TN wild card cert and shared IP address (SNI)
https://parrot.webarch.net/ -- CAcert non-commercial certificate, this is the default site for clients without SNI support

None of the site are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com

I think we have several options going forward, the first 3 of this are the only viable ones though, IMHO:

SNI and Seperate Certs and Shared IP

Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each.

The clients that don't work with SNI are listed here: https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side

Multi-domain Cert and Shared IP

Get a Gandi SSL cert with all the domains in, this is a little more expensive than seperate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI).

Seperate Certs and Dedicated IPs

Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up a IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option.

Non-commercial CAcert Cert

This is the cheapest, it's fine if people are able to install the http://cacert.org/ root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option.

#541: Documentation of the WordPress sites

chris — Wed, 01 May 2013 20:25:57 GMT

These pages have been created for the documentation of the wiki:WordPress sites running on wiki:PenguinServer:

So far they only have a listing on the plugins for each site.

Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting.

Laura is this something you might be able to help with? I'm happy doing some work on it but you know your way around these sites far better than anyone else.

#587: Puffin MySQL Tuning

chris — Thu, 05 Sep 2013 12:54:47 GMT

This ticket is to track the tuning we do to MySQL on PuffinServer.

See also previous comments on this issue:

#598: Redirect reconomyproject.org to reconomy.org

chris — Fri, 20 Sep 2013 12:16:56 GMT

Request from Shane:

I've noticed that the domain www.reconomyproject.org is still live and running. i.e. can surf around it. I think you set it up so that it would auto redirect to reconomy.org - not 100% sure about the technical spec behind how you did this but is it still working? I noticed this because a lot of the referrals on to our fb page our coming from reconomyproject.org rather than reconomy.org

#619: Upgrade WordPress sites to 3.9.1

chris — Fri, 15 Nov 2013 14:38:05 GMT

News regarding the WordPress versions released since the sites were upgraded to 3.6.1 on ticket:594

We should consider how best to upgrade the wiki:WordPress sites running on wiki:ParrotServer and then ensure that they are upgraded.

#626: Add redirect from an old CMS to a new URL

ed — Wed, 20 Nov 2013 12:11:14 GMT

Can Ed add a redirect from:

https://www.transitionnetwork.org/cms/haddenham

to another URL easily? Or does he need to ask Chris to do it?

#644: AWstats Nginx config breaks aegir

jim — Mon, 09 Dec 2013 16:46:05 GMT

Since the last update we've had a silent ngnix error that means http://tn.puffin.webarch.net was not available.

I restarted nginx and got:

[  ok  ] Stopping Nginx Server...:
[ .... ] Starting Nginx Server...:nginx: [emerg] "log_format" directive is not allowed here in /etc/nginx/nginx.conf:28

Which equates to the AWstats entry which is now commented out per:

# log for awstats
#log_format apache '$remote_addr - $remote_user [$time_local] "$request" '
#                   '$status $body_bytes_sent "$http_referer" '
#                   '"$http_user_agent"';
#access_log         /var/log/nginx/awstats.log apache;

I/we need access to aegir more than AWStats, so I've commented out the lines above and restarted nginx. Aegir is back and working well.

This ticket is to find the correct log_format for modern nginx versions and reinstate AWstats -- assigning to Chris as a low priority thing.

#645: APC Tuning on Parrot and Penguin

chris — Tue, 10 Dec 2013 10:52:31 GMT

As part of the upgrade from Squeeze to Wheezy, see ticket:535, Munin graphs for APC were added:

There is also more APC info here:

The documentation for the variables which can be set in /etc/php5/mods-available/apc.ini can be found here:

http://php.net/manual/en/apc.configuration.php

This monitoring is generating quite a high volume of warnings about fragmentation and purges and this ticket has been created to try to sort this issue out.

#675: Piwik Geolocation

chris — Tue, 14 Jan 2014 12:16:36 GMT

We have this warning in the Piwik admin interface:

Geolocation works, but you are not using one of the recommended providers. If you have to import log files or do something else that requires setting IP addresses, use the PECL GeoIP implementation (recommended) or the PHP GeoIP implementation.

We currently do Geolocation at a Nginx level, it is possible that it would now be better to switch to do it at a Piwik level, see the documentation here: http://piwik.org/docs/geo-locate/

#676: Alternative to Skype for TTech Meetings

chris — Tue, 14 Jan 2014 13:33:51 GMT

Jim has pointed out that:

Skype costs us 15-30 minutes of grinding pain every time we do this!

So what are the alternatives and what are our requirements?

#692: Debian Updates

chris — Tue, 25 Feb 2014 15:16:17 GMT

This is a ticket to track debian upgrades to the wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer the time they take.

See:

These updates are generally done using the wiki:AptitudeUpdateScript and this records all the changes in the /root/Changelog and then the contents of the Changelog are pasted into the ticket to document the upgrade.

This ticket took over from ticket:218 on 2014-02-25.

#716: Heartbleed

chris — Wed, 09 Apr 2014 08:53:58 GMT

Following on from ticket:692#comment:18 we should undertake the steps Drupal have taken: https://drupal.org/news/2014-04-08-security-update

#734: Create Trac & Wiki account for Annesley

ed — Tue, 03 Jun 2014 11:04:10 GMT

email: Annesley Newholm <annesley.newholm@…>

#735: Add Annesley to github

ed — Tue, 03 Jun 2014 11:05:40 GMT

Once Annesley is on TRAC, we can point him at this ticket, he can give us his github id and we can add it https://github.com/orgs/transitionnetwork/members

#750: Annual update of SSL cert fingerprint for incomming emails to Trac

chris — Thu, 26 Jun 2014 13:42:42 GMT

Laura said she had replied to Trac email today but they didn't get through.

The issues has come up before, see wiki:TransitionTrac#Fetchmail

#763: Server Backups

chris — Mon, 21 Jul 2014 17:09:21 GMT

Two weeks ago annesley asked:

what off-site data storage, file backup and quick setup do we have?

I answered:

The 3 virtual servers have their file system mounted off a BSD/NFS/ZFS file server and the whole file system is backed up and stored onto another BSD/ZFS server in the same data centre. We did have backups also being copied to a server in Manchester but this is currently off-line as the Manchester server needs a disk swapping and rebuilding as a BSD/ZFS server.

A problem with this is that it's only me and Alan that have access to these backups, so I'd like to suggest I set up a new account for backups on our backup server and sort out cron jobs to rsync data to this account and document how people can access these backups.

The result would be that everybody would have SFTP access to 60 days worth of snapshots of backups from all three servers whenever needed without any need for my or Alan's intervention.

I expect this would take abount an hour to set up and another hour to document and help people understand it.

There would be no additional cost to the TN because backup space is already paid for.

#768: Piwik Archive Cron Error

chris — Fri, 01 Aug 2014 17:14:59 GMT

Have been getting these emails from PiwikServer:

From: root@penguin.webarch.net (Cron Daemon)
Date: Fri,  1 Aug 2014 14:06:48 +0100 (BST)
To: root@localhost
Subject: Cron <www-data@penguin> /web/stats.transitionnetwork.org/piwik/console core:archive --url=http://stats.transitionnetwork.org/ > /var/log/piwik-archive.log
ERROR CoreConsole[2014-08-01 13:05:18] [3e5ac] Got invalid response from API request:
+http://stats.transitionnetwork.org/index.php?module=API&method=API.get&idSite=1&period=week&date=last2&format=php&token_auth=XXXXXXXXXXXX&trigger=archivephp. Response was ' <div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%;
+background-color:#FFFF96;'>         <strong>There is an error. Please report the message (Piwik 2.4.1)         and full backtrace in the <a
+href='?module=Proxy&action=redirect&url=http://forum.piwik.org' target='_blank'>Piwik forums</a> (please do a Search first as it might have
+been reported already!).<br /><br/>         Warning:</strong>
+<em>file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&php_version=5.4.4-14%2Bdeb7u12&url=https%3A%2F%2Fstats.
+transitionnetwork.org%2Fweb%2Fstats.transitionnetwork.org%2Fpiwik%2Fconsole&trigger=API&timezone=Europe%2FLondon): failed to open stream:
+HTTP requ
 est fail
 ed! </em> in <strong>/web/stats.transitionnetwork.org/piwik/core/Http.php</strong> on line <strong>406</strong> <br /><br />Backtrace
+--&gt;<div style="font-family:Courier;font-size:10pt"><br /> #0  Piwik\Error::errorHandler(...) called at [:]<br /> #1
+file_get_contents(...) called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:406]<br /> #2  Piwik\Http::sendHttpRequestBy(...)
+called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:94]<br /> #3  Piwik\Http::sendHttpRequest(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/UpdateCheck.php:72]<br /> #4  Piwik\UpdateCheck::check(...) called at
+[/web/stats.transitionnetwork.org/piwik/plugins/CoreUpdater/CoreUpdater.php:142]<br /> #5
+Piwik\Plugins\CoreUpdater\CoreUpdater->updateCheck(...) called at [:]<br /> #6  call_user_func_array(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/EventDispatcher.php:98]<br /> #7  Piwik\EventDispatcher->postEvent(...) called at
+[/web/stats.transitionnetwor
 k.org/pi
 wik/core/Piwik.php:766]<br /> #8  Piwik\Piwik::postEvent(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/FrontController.php:391]<br /> #9  Piwik\FrontController->init(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/dispatch.php:33]<br /> #10  require_once(...) called at
+[/web/stats.transitionnetwork.org/piwik/index.php:47]<br /> #11  require_once(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/CliMulti/RequestCommand.php:53]<br /> #12  Piwik\CliMulti\RequestCommand->execute(...) called
+at [/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Command/Command.php:252]<br /> #13
+Symfony\Component\Console\Command\Command->run(...) called at
+[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:887]<br /> #14
+Symfony\Component\Console\Application->doRunCommand(...) called at
+[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Co
 nsole/Ap
 plication.php:193]<br /> #15  Symfony\Component\Console\Application->doRun(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/Console.php:64]<br /> #16  Piwik\Console->doRun(...) called at
+[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:124]<br /> #17
+Symfony\Component\Console\Application->run(...) called at [/web/stats.transitionnetwork.org/piwik/console:31]<br /> </div><br />
+</pre></div><br />  <div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%; background-color:#FFFF96;'>
+<strong>There is an error. Please report the message (Piwik 2.4.1)         and full backtrace in the <a
+href='?module=Proxy&action=redirect&url=http://forum.piwik.org' target='_blank'>Piwik forums</a> (please do a Search first as it might have
+been reported already!).<br /><br/>         Warning:</strong>
+<em>file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&php_version
 =5.4.4-1

#787: Access to Parrot

annesley — Mon, 15 Sep 2014 07:21:51 GMT

is it ok for me to send through my normal, non-passphrase protected public key to you Chris for parrot?

the documentation wants a passphrase protected key. however this may be what is causing the access issues from my laptop. i certainly could find a way around it but would suggest that the passphrase is not a great improvement to security anyway in this instance so it would be ok to use my normal public key. note that i can access all my other servers with the normal key without problems.

#790: Annesley locked out of puffin

chris — Tue, 23 Sep 2014 14:05:18 GMT

Email from lfd:

Time:     Tue Sep 23 13:47:01 2014 +0100
IP:       XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block
Log entries:
Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2

#808: WordPress email being rejected due to From field

chris — Mon, 17 Nov 2014 19:28:23 GMT

This issues is like ticket:737 but with WordPress rather than Drupal causing the problem.

Laura has forwarded one of the returned emails which contains:

host aspmx.l.google.com [173.194.67.26]: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC

#812: space.transitionnetwork.org hacked?

chris — Thu, 27 Nov 2014 11:09:32 GMT

BOA email from PuffinServer:

Hello,
Our system detected that the site space.transitionnetwork.org has been hacked!
Common signatures of an attack which triggered this alert:
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required
(Ignored)
Site tested positive for known Drupalgeddon exploit checks               [error]
Update module is disabled and Drupalgeddon cannot check for Drupal       [error]
Security Updates. Please check for a security update manually.
You are running Drupal 7.31
https://www.drupal.org/node/3060/release?api_version%5B%5D=103
The platform root directory for this site is:
  /data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1
The system hostname is:
  puffin.webarch.net
To learn more on what happened, how it was possible and
how to survive #Drupageddon, please read:
  https://omega8.cc/drupageddon-psa-2014-003-342
--
This e-mail has been sent by your Aegir system monitor.

#814: Higher that usual loads on PuffinServer since early September

chris — Wed, 03 Dec 2014 17:12:35 GMT

The following load graph from PuffinServer shows that the load increased substantially in early September 2014, does anyone know why?

When I found I went to Drupal 7.33 and all I got was a slow site I thought that perhaps a Drupal 7 site on the server could be the cause but 7.33 came out on 7th November 2014.

Anyone have any ideas?

#819: Trac anti-spam measures

chris — Fri, 19 Dec 2014 10:28:01 GMT

Today we had our first item of Trac spam, ticket:818, since the open email interface was enabled almost 2 years ago on ticket:494.

This ticket has been created to investigate and implement some anti-spam measures.

#824: Analysis of the 2014 maintenance ticket time

chris — Wed, 07 Jan 2015 15:48:14 GMT

Ed has ask that I spend up to 2 hours on an analysis of the 2014 maintenance ticket time for our meeting tomorrow in Bristol.

#847: Upgrade Servers to Debian Jessie

chris — Mon, 27 Apr 2015 09:30:11 GMT

The latest version of Debian, Jessie, 8.0, came out over the weekend, we should consider upgrading the three servers, PuffinServer, PenguinServer and ParrotServer and what issues would arrise when we do.

See the documentation on Upgrades from Debian 7 (wheezy) and Issues to be aware of for jessie, specifically:

#851: Bot attacks on Transition Culture

chris — Sun, 10 May 2015 11:12:12 GMT

Yesterday there was a load spike on ParrotServer caused by a bot doing thousands of POSTs to xmlrpc.php.

#853: Parrot access please

sam — Tue, 19 May 2015 17:07:13 GMT

Hi Chris

Ade & I were going to have a play around with making a proof of concept Wordpress microsite on Parrot.

Could you add me as a SSH user using the SSH keys associated with my sam@… account so I can follow the instructions here: https://trac.transitionnetwork.org/trac/wiki/ParrotServer#AddingaNewWordPressSite

Or if you'd rather not do that, just spin up a site titled 'conference15' with a user 'conference15' and my TN email as the admin email.

Thanks

Sam

#855: Piwik plugins

sam — Tue, 26 May 2015 12:10:13 GMT

Hi Chris

I spotted Piwik has some plugins to extend it's usefulness.

I'm quite interested in playing with some of them, particularly the clickheat one:

https://stats.transitionnetwork.org/index.php?module=CorePluginsAdmin&action=userBrowsePlugins&idSite=1&period=range&date=previous30&activated=#

Is it OK for me to install it to try? Or do you think the whole thing would grind to a halt?

Thanks

Sam

#856: Blocked IP?

sam — Tue, 02 Jun 2015 13:12:52 GMT

Hi Chris

I was trying to SSH into the site and got my password wrong a couple of times.

Shortly afterwards the site appeared to be unavailable from this location.

It seems fine in pingdom/proxy servers.

My guess is something like fail2ban or similar has added this IP to a blacklist?

I wouldn't be too bothered except it's Ade's address and I think he probably wants access..

Could you check the logs if there is a blacklist and remove 146.198.11.57

Thanks

Sam

#860: More details on Server provision

annesley — Fri, 19 Jun 2015 10:29:09 GMT

we would like the following details on all servers provided by WebArchitects? (Penguin, Puffin and Parrot):

CPU type, speed, and characteristics Disk Space RAID type Traffic limits and characteristics Bandwidth limits and characteristics

Thanks!

#868: Is conference15.tn.org backed up in a convenient manner?

sam — Tue, 28 Jul 2015 13:05:25 GMT

Hi Chris

I was just wondering if the conference site is backed up in such a way that it would be easy to restore?

I could set up a database backup onto some free file hosting if not?

Thanks

Sam

#870: MediaWiki 1.23.10

chris — Mon, 24 Aug 2015 12:18:48 GMT

The announcement contains:

Bug Fixes in 1.23.10

(bug 67644) Make AutoLoaderTest handle namespaces
(T91653) Minimal PSR-3 debug logger to support backports from 1.25+.
(T102562) Fix InstantCommons parameters to handle the new HTTPS-only policy of Wikimedia Commons.

#871: Brute Force Attacks Against WordPress Sites

chris — Mon, 21 Sep 2015 13:41:26 GMT

Today there have been 53,932 attempts to login to the TTT web site on ParrotServer all from the same IP address:

grep POST /home/ttt/logs/access.log | grep wp-login.php | grep 217.174.240.254 | wc -l
53932

I noticed this due the higher than usual load it was generating.

Would it be OK to spend an hour or two installing the WP fail2ban plugin on all the sites on the server?

Some more background on this issue:

https://docs.webarch.net/wiki/WordPress#Brute_Force_Attacks

#873: New Wordpress site please

sam — Tue, 22 Sep 2015 12:25:12 GMT

Hi Chris

I couldn't ssh into parrot for some reason, I think you said you created me a 'sam' user on there but I can't get in.

So could you set up a new Wordpress site on there.

wpdev.tn.org or similar, it's only going to be for testing some stuff so URL doesn't really matter.

Thanks

Sam

#875: Free HTTPS certificates from Let's Encrypt

chris — Mon, 05 Oct 2015 10:48:11 GMT

From mid November 2015 Let's Encrypt should be live, providing free SSL/TLS certificates. Currently the TN pays for a Gandi wild card cert, costing £130.50 a year, in addition most the WordPress sites on ParrotServer don't have certs due to the cost, see ticket:540.

The Let's Encrypt code is designed to be set up to run automatically -- certs are only valid for 90 days and the automatic renewal process runs when the cert is 60 days old.

We should consider if we want to use Let's Encrypt and what things would need to be put in place to use it, the wild card cert is due to expire on 22/01/16.

PuffinServer -- are we still going to be running PuffinServer in January 2016? Is there any chance that we might be able to consider the suggestions in ticket:754#comment:61? I'm not sure if I want to spend time trying to get Let's Encrypt working with a old version of BOA, up to date versions of BOA might support it out of the box.
PenguinServer -- this site hosts a lot of sites, see the listing, automating Let's Encrypt would probably be a hour or two of work, it might makes sense to upgrade it to Debian Jessie at the same time.
ParrotServer -- I suggest we rebuild this server from scratch, this would enable it to have the latest version of the Webarch Secure Hosting scripts and this include support for fail2ban for WordPress and phpMyAdmin, thus solving ticket:871 and includes automatic provisioning of Let's Encrypt certs for sites.

What do people think?

#879: MediaWiki 1.23.11

chris — Fri, 16 Oct 2015 08:42:45 GMT

Email on the announcements list:

Tomorrow we will be issuing a security release to all supported
branches of MediaWiki.
The new releases will be:
1.25.3
1.24.4
1.23.11
Fixes will be available in these respective release branches, the
unreleased 1.26.x branch, and master. Tarballs will be available
for the above mentioned point releases as well.
This security release will encompass core only, no bundled extensions
are affected.

#881: Site on ParrotServer with a memory leak?

chris — Fri, 23 Oct 2015 11:19:04 GMT

It appears a site, or application, on ParrotServer might have a memory leak.

#882: Login to PiWik stats

annesley — Tue, 03 Nov 2015 10:52:30 GMT

hi Chris! could i have a login to PiWik? stats please?

#892: MediWiki Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12

chris — Fri, 18 Dec 2015 10:46:18 GMT

Email to the announcements list:

I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5,
and
1.23.12.
These releases fix five security issues in core, in addition to other bug
fixes. Download links are given at the end of this email
== Security fixes ==
(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A
value such as "$1" or "wiki/$1" is not and will now throw an error
(T119309) SECURITY: Use hash_compare() for edit token comparison
(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with
'@' as file uploads
(T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer
be shorter than $wgMinimalPasswordLength
(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and
related pages no longer use HTTP redirects and are now redirected by
MediaWiki
== Note about EOL of 1.24.x ==
Please note that 1.24.5 marks the end of support for the 1.24.x series of
releases. Technically this ended a few weeks ago with the release of 1.26.0
but
we dropped one final release of 1.24.x here to give it a nicer send off for
those who have not yet upgraded.
== Release notes ==
Full release notes for 1.26.1:
<https://www.mediawiki.org/wiki/Release_notes/1.26>
Full release notes for 1.25.4:
<https://www.mediawiki.org/wiki/Release_notes/1.25>
Full release notes for 1.24.5:
<https://www.mediawiki.org/wiki/Release_notes/1.24>
Full release notes for 1.23.12:
<https://www.mediawiki.org/wiki/Release_notes/1.23>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

#893: BOA Cron Jobs

chris — Thu, 24 Dec 2015 11:39:51 GMT

All the BOA cron jobs were stopped on ticket:846#comment:88. This ticket is for looking at them all and deciding which, if any, are needed.

#894: Brute Force Attacks Against WordPress XMLRPC

chris — Thu, 07 Jan 2016 11:23:51 GMT

For a few months I have see a lot of requests going to WordPress /xmlrpc.php and wasn't sure why, now it is clear:

Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.

https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

I'd like to install Stop XML-RPC Attack on all the WordPress site we host, unless anyone has a good reason not to. This plugin simply whitelists the JetPack/Automattic's subnets and blocks all other access to /xmlrpc.php.

I started tracking the abuse a while ago and you can see it and manually address it on ParrotServer like this:

sudo -i
wp-xmlrpc-abuse
IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log:
      2 46.148.XX.XX
    733 195.62.53.243
    177 195.62.53.243
      2 66.76.XX.XX
dig -x 195.62.53.243 +short
  53-243.static.spheral.ru.
ipdrop 195.62.53.243

But we need to be more pro-active in blocking access or we are going to probably see some compromised sites.

#897: Hosting information/requirements for 2016

chris — Tue, 19 Jan 2016 10:14:57 GMT

This is a ticket to track the time spent on an email thread with Ade.

#898: Fwd: Access to Drupal

ade — Tue, 26 Jan 2016 17:35:05 GMT

Hi Chris,
The web team at the development agency are requesting access to the
webserver so that they can look at the sites make up.
(Please see below)
Would you please set up an account so that they can get root read access?
I guess this would be done via FTP, but your thoughts greatly appreciated.
best regards
Ade
---------- Forwarded message ----------
From: Ainslie Beattie <ainsliebeattie@transitionnetwork.org>
Date: 26 January 2016 at 17:25
Subject: Fwd: Access to Drupal
To: Sam Rossiter <samrossiter@transitionnetwork.org>, Ade Stuart <
adestuart@transitionnetwork.org>, Yvonne Struthers <yvonne@thisisyoke.com>
Hey both, can you please action this urgently so that Yoke can have access.
Cheers
---------- Forwarded message ----------
From: "Yvonne Struthers" <yvonne@thisisyoke.com>
Date: 26 Jan 2016 10:58
Subject: Access to Drupal
To: <ainsliebeattie@transitionnetwork.org>
Cc:
Hi Ainslie,
Just a quick email as I'm out seeing a client today,but just to say,it
looks like you have only given us access to the database. What we need
please is admin access to the Drupal site and to the code base so that we
can get a sense of how it's all set up.
Thanks in advance!
Yvonne
Sent from my iPhone
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

#901: Enable SSH access to PuffinServer for Ade

chris — Wed, 03 Feb 2016 13:25:27 GMT

This is a ticket to track the time spent sorting out SSH access for Ade to PuffinServer.

#903: Large load spike on PuffinServer

chris — Mon, 08 Feb 2016 08:46:37 GMT

There was a large load spike this morning on PuffinServer, which appears to have been caused by 12k requests for pages (Nginx doesn't log requests for anything other than PHP generated pages) from one IP address, this IP address has been blocked and I'll post some details below.

#904: Issues to consider in the migration from Drupal to WordPress

chris — Fri, 19 Feb 2016 10:41:04 GMT

A few weeks ago Ade said he though it would be worth me opening a ticket to use to flag up some issues to be considered in the migration of the Transition Network site from Drupal 6 to WordPress.

#905: TN site down due to redis not running

chris — Thu, 25 Feb 2016 10:28:40 GMT

I'm working on this...

#907: TN Drupal database size

chris — Wed, 02 Mar 2016 10:20:10 GMT

6 weeks ago the datadase dump was 447M, see trac:ticket/896#comment:3 but now it is 1.8G:

ls -lah /var/backups/mysql/sqldump/transitionnetw_0.sql
-rw------- 1 root root 1.8G Mar  2 01:23 /var/backups/mysql/sqldump/transitionnetw_0.sql

Anyone have any idea what happened to cause this? Are we keeping too many log entries?

#909: What's involved in enabling longer Piwik reports?

sam — Thu, 10 Mar 2016 15:47:27 GMT

Hi Chris

I seem to remember you were able to make Piwik run reports longer than a couple of months by adding some RAM? Is this a virtual thing you can do remotely? Or do you have to physically visit the box to make this happen?

I'd like to run longer reports to do a bit of analysis, but not if it's going to cost loads to make it happen.

Thanks

Sam

#912: Stats for TTT

chris — Tue, 21 Jun 2016 10:29:02 GMT

Nicola at TTT has asked:

Could you let me know the size of the TTT and Transition Streets sites please? I have Google Analytics for TTT but not for Transition Streets, and I wonder if you could also tell me how many visitors it gets annually?

#916: SSH to parrot please

sam — Wed, 13 Jul 2016 11:01:58 GMT

Hi Chris could you set up a SSH account on parrot please

Kevin support@…

Public SSH key attached.

Thanks

Sam

#917: Any misc files in Transition Culture web root?

sam — Thu, 14 Jul 2016 11:54:50 GMT

Hi Chris

Simon from Lumpy lemon has migrated Transition Culture.

We only have WP admin access & he was wondering:

"Just one small question: can you check in the webroot folder on your server and let me know if there are any non-WordPress files in there? e.g. Google verification files, that sort of thing. I don't think there should be, but best to check. If there are, can you send them over."

Thanks

Sam

#918: redirects?

sam — Thu, 14 Jul 2016 12:33:42 GMT

Hi Chris

All going well I think we're going to move the TN.org site to Hetzner later today.

I was just having a look through the zone file on Gandi. There's an entry:

'redirects A 81.95.52.111'

Do you know what that one does?

Thanks

Sam

#919: Site offline

chris — Thu, 14 Jul 2016 18:17:26 GMT

The https://www.transitionnetwork.org/ site has been "off-line" since about 7pm, I see that Paul is logged on via ssh -- is this something that we should worry about or is this intentional?

#924: Sheffield Server Shutdown Timetable?

chris — Mon, 05 Sep 2016 08:46:27 GMT

Since www.transitionnetwork.org is now running on dedi2835.your-server.de there seems little point in the Transition Network continuing to pay for the PuffinServer and my time doing sysadmin updates on it?

If the Transition Network would like Webarchitects to shutdown and delete this server and all it's backups could you please let me know when you would like it doing?

I guess the same goes for PenguinServer and ParrotServer, though these servers still have live sites on them, including this Trac site that I use to keep track of time worked -- when PenguinServer is shutdown I will no longer have a public place to document the time I work for the Transition Network and all the server and site documentation from the last six years will be lost.

#925: Piwik 2.16.3

chris — Mon, 03 Oct 2016 10:25:36 GMT

The Changelog contains:

Security release

This release is rated critical.

The Piwik security engineering team has internally identified a critical security issue and has fixed it in Piwik 2.16.3. We recommend all users to upgrade to this latest version.

Database upgrade

Note: This release contains major database upgrades and upgrading your database will take a long time if you have a lot of data in your database.

Please make sure you read the Update Piwik guide for high traffic instances.

#127: Link checker module

ed — Fri, 23 Jul 2010 09:12:15 GMT

It would be very very handy to have a link checker of some form to check for internal and external links. Site editors are adding pages, navigation is changing etc. If possible, the link module would update links as they move internally, but that's a nice to have. Please install one and Ed can manage it.

Putting to critical to get it on, shouldn't take long...

#457: Projects form - Enhance form entry

laura — Thu, 08 Nov 2012 18:15:44 GMT

1 - Entry Form:

Set up new fields and permissions and groupings
Enhance ‘helper’ texts and any links to other parts of TN listed on form to enhance usability and context.
CSS and potential of custom templating/panels if needed for style and layouts

#461: Spam account war

ed — Wed, 21 Nov 2012 16:19:10 GMT

Aim:

tell drupal (and server level stuff?) to sniff out and destroy spam accounts without them knowing we did it, and ban them from doing it again

Wiki page:

https://wiki.transitionnetwork.org/Spam_accounts

#469: PSE project submission submitter cannot then edit their own project

ed — Tue, 04 Dec 2012 19:33:46 GMT

The user who has added a pse submission which has been approved cannot then edit the project profile when it has been approved. The webmaster who approved it can edit it.

This is not right - the user who added the pse submission which then got turned into a project needs to be the project owner.

The new project is set to the correct author. But that author doesn't have edit rights.

Project (unpublished): https://www.transitionnetwork.org/projects/test-user-3-test-project

#504: Images missing from widget and site in general

ed — Fri, 01 Mar 2013 16:00:39 GMT

Submit button missing from widget (see bottom right here: http://www.edmitchell.co.uk/blog/).

Quite a few images are missing from the site - profile pictures of people who don't have pictures as well.

Please have a look.

#513: Please clarify what is a widget user

ed — Mon, 11 Mar 2013 08:17:47 GMT

What is a widget user? What role is this? Please clarify?

#514: Spam issues - users not being able to comment

ed — Tue, 12 Mar 2013 17:25:29 GMT

Ed is receiving a selection of users not being allowed to post since the spam changes. We are seeing a pattern now. Setting this ticket up - will add user details tomorrow.

#516: Search: not showing events or initiatives

ed — Thu, 14 Mar 2013 10:16:41 GMT

Search for Woking from homepage. I know that there are two events and two initaitives with Woking in them. Neither are shown: https://www.transitionnetwork.org/search/node/woking

Advanced search does not bring them up either (ticking the initiatives box).

If I am in the initiatives section it returns the TIs though.

General search used to show TIs and events. Now it's only showing results of word searches.

General search needs to show TIs and events, and other nodes.

Please look into this.

#517: News widgets not working

ed — Thu, 14 Mar 2013 12:39:57 GMT

News widgets not working - noticed here: http://transitionfinsburypark.org.uk/

and here: http://wwww.edmitchell.co.uk

Checked by putting code from http://www.transitionnetwork.org/syndication-and-social-media into new widget - showing a blank.

News feed working here: http://www.transitionnetwork.org/news/feed

So must be widget code.

Adding to Jim, but is it Laura?

#533: Five star ratings: remove from resources CT

ed — Mon, 22 Apr 2013 10:56:34 GMT

We aren't using the fivestar ratings from the resources CT. There were some problems with it ages ago. Remove them from the resources CT and interface (public and edit)

#606: Site upgrade tasks -- pre-migration cleanup

jim — Fri, 11 Oct 2013 12:00:13 GMT

This ticket is to track the issues left over from #590 that need to be considered and tackled prior to migrating the site from D6 to D7 (or 8).

Please feel free to add as needed, but sticky to the

C) Cleanup: List of features we don't really need

Ed to add his items to following list... Need rational and alternative approaches for each.

C.1) Remove 'Geographic region' and related taxonomy and Hierarchical Select modules 1 hour, low reward, low risk -- never really been used and is effectively a duplicate of the location field. let's kill it!
C.2) Kill Microsites and the Forums -- The handful of people using the CMS feature should be migrated to Open Atrium if they need such features.
C.3) Remove forums -- We could migrate the forum to a simpler setup (not using forum module) that leverages normal commenting, or even Disqus or other services to offload comments and moderation. Also encourage user-submitted ocontent and promote that if it's good or gets interesting debate.

D) Key development tasks

D.1) All inline PHP must be moved to modules and features -- This has great benefit for management, maintenance and developers. Eval()uated code is much slower than PHP in files, especially since it can't be accelerated by APC or Zend Opcode cache... We have a few blocks and many views that are loaded from the database and evaluated. Ideally the blocks would be moved to the 'Transition Extras' module, and the views would be pushed into features. This work is good to do for maintainability and D7 upgrades, too. See: http://2bits.com/api/abuse-drupal-best-practices-your-own-peril-poor-performance.html and http://2bits.com/articles/free-your-content-php-moving-php-code-out-blocks-views-and-nodes.html

D.2) Build in ESI (Edge Side Includes) support from the outset, ensure Drupal renders only what it needs to -- BOA packages the ESI (Edge Side Includes integration) module, which makes NginX cache the whole page (as it does now), but also for user-logged in pages (which it does for 5 seconds since the page data changes). This means Drupal renders the ESI component (blocks, panels panes) that are have user-specific data in. Potential boost quickly, but will need time to tweak settings to get best from this across whole site. See comments in 4 & 5 below for discussion~~, should be done after proposal F, above~~.

E) Key editorial tasks

E.1) More Taxonomy cleanup -- try to merge terms with the same names, clear out spammy terms, general spit-and-polish. Ed plus team of busy interns to do this when the time is right.

Z) old stuff for reference; tasks from #590 rendered pointless by move

Z.1) Find Variable table writes and kill them -- seeing plenty of SELECT * FROM variable calls, which imply a cache clear due to a variable being set. In normal use variables shouldn't be set (admin screens tend to do this), so I'd like to try to see what module it causing this and patch/remove it. Will need to run grep -R "variable_set() * > ~/static/variable_set-calls.txt" in the {{{sites/all directory to generate a list, then trawl though it to find candidates/bad modules practice.

#638: Question about notifications option for content creators

ed — Thu, 28 Nov 2013 12:32:57 GMT

Content creators (news, Rob's blog, social reporters) struggle with the notifications. the problem is that they forget to click the option to 'do not send notifications for this update' and then notifications are sent out. It is easy for us to think this is easy for them, but when you are bashing stuff out in a hurry, it's easy to forget this fiddly bit.

CAN WE set drupal to NOT send notifications out as standard for some of the content types?

And change it so that the content creators (news, Rob's blog, social reporters) choose to SEND notifications out instead (of NOT sending them) ?

#671: Replace core Search module with Apache Solr

jim — Sat, 11 Jan 2014 21:11:14 GMT

Issue & background During work on #610, it was discovered that of a 1/4GB database dump for TN.org, ~80% (180Mb) of it was related to the Drupal 6 core Search module.

It's worth noting this was raised when we migrated the site to the Puffin server in March 2013, but it's generally the case that the core Search module does not scale easily beyond a few thousand nodes.

www.transitionnetwork.org has 23,803 nodes at time of writing -- this is probably approaching the sensible limit of the core module's capability.

Note also, any future D7 or D8 version of the site would also hugely benefit from using Solr, so the server config part is time well spent.

Proposed solution

Add the Apache Solr option to BOA, re-run the installer to get it installed and configured automatically.
Add the ApacheSolr module and any related required modules to the TN D6 makefile -- it's not clear if the 6.x-3.x branch or 6.x-1.x branch is the right choice at present.
Build a new platform containing these modules, migrate a clone of STG to it.
Enable the modules, configure them, disable core Search.
Create a feature that wraps up config for Solr and required modules. Add to Git, add reference to feature to makefile
Test, tweak, repeat 3 & 4 & 5 as needed.
Migrate PROD to the new plaform, enabled feature, index site.

This could be parked until D7/8 migration, or not... Ed's call.

#690: Paul learning the ways of the force.

paul — Thu, 20 Feb 2014 15:00:41 GMT

I'm not a jedi yet

#### Transition Network

Week ending 16 February Monday (0,45) Phone call | Emails (not issues) | Creating a test site on Aeigr Tuesday (0.45) Reading Wiki pages | Setting up local server (Generated notes for WIki) Wednesday (0.45) Reading wiki pages: setting up a platform / cloning a stage site. Friday (3.00) Reading wiki pages , listening to Jim's talks, Emails (not issues). (Generated notes for WIki for setting up a local server)

Finished reading wiki. I'll re-read these as required on my own time going forward.

Week ending 23 February Monday (0,15) Emails (not issues) (Mailing list) Thursday (0,30) Phone call / Emails (not issues)

Total 6, 00 hours

#719: Transition Culture HTML Problems

chris — Mon, 14 Apr 2014 20:07:09 GMT

If you look at old Transition Culture articles they had hyperlinks and blockquotes, for example:

https://web.archive.org/web/20070228081440/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

If you look at the version we now have this formatting has been lost and the first paragraph is a mess:

http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

The formatting wasn't lost when the new TC design was first deployed:

https://web.archive.org/web/20080429205320/http://transitionculture.org/2006/01/24/local-energy-local-currency-local-power/

It has happened since then.

We should consider investigating what caused the problems and how they can be fixed?

This might be a task that Simon would be best placed to undertake?

#731: Meetings in maintenance

chris — Fri, 23 May 2014 10:47:39 GMT

Ticket to record time spent on Skype call on 22nd May 2014.

#747: Accessibility / archiving of podcasts

chris — Tue, 24 Jun 2014 10:39:14 GMT

Would it be possible to consider making podcasts available as MP3's via RSS feeds? This would enable applications such as AntennaPod to play the podcasts.

Currently podcasts such as this one:

https://www.transitionnetwork.org/blogs/rob-hopkins/2014-06/alan-simpson-transition-has-enormous-strength-moment

Appear to only be available via the Soundcloud web interface?

https://soundcloud.com/transition-culture/alan-simpson-on-growth-renewables-and-transition

There might be Soundcloud settings to enable MP3 downloads and / or RSS feeds?

In addition having a copies available / archived on a non-corporate site, eg a *.transitionnetwork.org site and / or archive.org would be a good addition?

Sorry if this isn't the right place to raise this, I did consider posting it as a comment on Robs blog but thought that would be even less appropriate.

#757: Research and Design for TNv3

ed — Fri, 11 Jul 2014 13:36:54 GMT

R&D for TNv3

#759: [Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass

paul — Wed, 16 Jul 2014 21:59:46 GMT

View online: https://www.drupal.org/node/2304561

Advisory ID: DRUPAL-SA-CONTRIB-2014-071
Project: FileField? [1] (third-party module)
Version: 6.x
Date: 2014-July-16
Security risk: Critical [2]
Exploitable from: Remote
Vulnerability: Access bypass

The FileField? module enables you to define and use fields that contain files.

The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

/A CVE identifier [3] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

FileField? 6.x-3.x versions prior to 6.x-3.13.

Drupal core is not affected. If you do not use the contributed FileField? [4] module, there is nothing you need to do.

If you use the FileField? module for Drupal 6.x, upgrade to Filefield

6.x-3.13 [5], and also update to Drupal core 6.32 [6] (see SA-CORE-2014-003 [7]).

Ivan Ch [8]

Nate Haug [9]
Ivan Ch [10]
David Snopek [11] of the Drupal Security Team.

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16]

_ Security-news mailing list Security-news@… Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

#767: robots.txt on dev site

sam — Thu, 31 Jul 2014 11:07:39 GMT

Hi Paul

Could you fix the robots.txt here:

https://booker-stage-20140501.transitionnetwork.org/robots.txt

Sam

#783: IIRS design and development

ed — Mon, 08 Sep 2014 14:20:58 GMT

Ticket to track ongoing work on IIRS

#789: SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

paul — Mon, 22 Sep 2014 13:09:48 GMT

View online: https://www.drupal.org/node/2340029

Advisory ID: DRUPAL-SA-CONTRIB-2014-088
Project: Mollom [1] (third-party module)
Version: 6.x, 7.x
Date: 2014-September-17
Security risk: 11/25 ( Moderately Critical)

AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]

Vulnerability: Cross Site Scripting

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites.

Mollom offers a feature to report submitted content as inappropriate which allows end users to indicate that a piece of site content is objectionable or out of place. When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting (XSS) attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the content type must be enabled for "Flag as Inappropriate" within the Mollom advanced configuration settings (which is not the default setting).

/A CVE identifier [3] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Mollom 6.x-2.x versions from 6.x-2.7 to 6.x-2.10
Mollom 7.x-2.x versions from 7.x-2.9 to 7.x-2.10

Drupal core is not affected. If you do not use the contributed Mollom [4] module, there is nothing you need to do.

Install the latest version:

If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.11

[5]

If you use the Mollom module for Drupal 7.x, upgrade to Mollom 7.x-2.11

[6]

Also see the Mollom [7] project page.

Matt Vance [8]

Lisa Backer [9] the module maintainer
Matt Vance [10]

Greg Knaddison [11] of the Drupal Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].

#792: [Security-news] SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

paul — Mon, 29 Sep 2014 09:28:08 GMT

View online: https://www.drupal.org/node/2344369

Advisory ID: DRUPAL-SA-CONTRIB-2014-094
Project: Webform Patched [1] (third-party module)
Version: 6.x, 7.x
Date: 2014-September-24
Security risk: 13/25 ( Moderately Critical)

AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]

Vulnerability: Cross Site Scripting

The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site.

The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content".

/A CVE identifier [3] will be requested, and added upon issuance, in

accordance with Drupal Security Team processes./

Webform Patched 6.x-3.x versions prior to 6.x-3.20.
Webform Patched 7.x-3.x versions prior to 7.x-3.20.

Drupal core is not affected. If you do not use the contributed Webform Patched [4] module, there is nothing you need to do.

Install the latest version:

If you use the webform module for Drupal 6.x, upgrade to webform_patched

6.x-3.20 [5]

If you use the webform module for Drupal 7.x-3.x, upgrade to

webform_patched 7.x-3.20 [6]

Also see the Webform Patched [7] project page.

Maurits Lawende [8]
Matt Vance [9]

Nate Haug [10] the module maintainer

Greg Knaddison [11], Dan Smith [12] and Lee Rowlands [13] of the Drupal

Security Team

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [14].

Learn more about the Drupal Security team and their policies [15], writing secure code for Drupal [16], and securing your site [17].

#804: Investigating the site security following SA-CORE-2014-005 (Drupal 7.32)

paul — Mon, 03 Nov 2014 15:20:25 GMT

It was discovered that TN could have have been compromised from the recent security vulnerability (even though we are running Drupal 6) as the site is using the DBTNG module. However the site doesn't appear to have been compromised. I'll post my findings shortly.

#818: For watch lovers. superwatches

gatomur@… — Fri, 19 Dec 2014 07:55:04 GMT

 all kind of watches    - htt&#112;://&#103;oo.&#103;l/3&#75;&#85;ebe
htt&#112;://&#103;oo.&#103;l/j&#99;kF3&#87; &#104;t&#116;p:/&#47;&#103;oo&#46;gl/&#117;&#116;&#71;eX0 qxs dzge l urqgp
kqv v jzqky wtmu tnoag y
ptp ldv ody oif ap cbbds
nuhk updsz bhpz zktlx nz jzcu
h rv qwvz bz h nbm
tiu g ljll lyomu yyf nboz
vi xz voxls ioiu cen tfq
pjs lrvbs veb sh ynnoq yh
l jd mppk yyc ughd upxg
uwyx ru gb wbmt w q
qcn aerpv m tpxg u nga
rc kjci t zgdqq f apb
vgrse gxyu gmiij rrfh gxvpm hv
a vn iwt dzisl eczkx rl
p nq nocyu motht sjan yyjnk
oajv ibz atjno w zp vrg
g bo wdy b blwg slzze
hqmol uo ajgit snd qc ytyi
b yr tivb dyw ax kg
fpl nufto sxqoe nag cnk ucur
mqpq swpvf pib mx fxb mf
shg ac lkt jiir xm wkskg
de v bde z p rrx
yykms tln zqq nzdmd g fhnc
mgc wfr mntuv arc j tjzdk
t b wx jao xmf adwji
z k hg urgsz qqz enuxt
wk j cgvr kvl gn zkqo
czhs hrll lot j kkpu fam
ehm fnr ajvea cut axv anjt
i zrbab lximl x tmwi v
gngrg w q s hg yaue
btrs kf zki zoe nd yyafq
s oaipz st toevj yd a
pzw l gmu hvgc vqxx jh
a gi wyyyg yhch chlcc tznsw
cohr zxvid jsw wunh hq nmcr
oowj wpdn yq br we y
kyqwe gd t uzp svvy do
slyt mof qngf b o crd
t gd dd ioa hxai m
f fhqsm ayrs xxk ehl ho
vxupt iyhu p frkt moarl e
j zxq odnq y t lv
jc lkk wcnzg k pldvj mf
crvx xb ifsmk yylz fj dg
k ywt iapns zw hyvsv jdc
tmp mfin jaw c is s
v w h hoc qguhh cv
vlz zntcm fohau evv b p
ujsbw aobr omp o dptn b
qorl iyfjh ttd uln k lakhk
mihmo tmru ofde imic q bqbj
vyl yz f ea e f

#123: City name in personal profiles

ed — Tue, 20 Jul 2010 10:38:47 GMT

Please either:

add city name into the personal profiles as it is in initiative profiles

OR:

if it's a straightforward replicate from the initiative profile, tell ed this and he will do it

#262: US users adding Ini profiles through the US site

ed — Fri, 17 Jun 2011 12:10:40 GMT

This is *the* big job for phase 4. The US is a pilot for other countries, and other content types. The aim is for TN to be able to publish project directory on TI sites, and enable anyone to add a project via the TI sites in the long term.

US user can add an ini profile to the US site which is also added to the TN directory
US site has a special map and directory view of US inis only (both muller and official)
US user can edit the ini profile via the US site (possibly not on TN site)
US user account: with TN or TUS? tbd
Creation of a 'slimline' user acct showing only 'critical data'?
Creation of a 'slimline' ini profile showing only'critical data'?
This is a pilot for other countries in the future
This process will be used in some way to enable anyone to add project information from and through TI sites
Fiddle with slimline user accounts and/or use third party process a la facebook/google/yahoo accts?
US has a US-only map view of users who are speakers

#304: Make the five star ratings filter-able in the resources directory view

ed — Thu, 18 Aug 2011 16:55:00 GMT