July 5th, 2021

Channel

  • Jitsi
  • The dial code is 820405

Agenda

  • News from IPFire 3.x ecosystem (Pakfire, installer)
  • Status quo of Core Update 158 and beyond
  • Assorted firewall.cgi bugs, especially #12265
  • Users reporting ports reachable on RED
    • May 2020 incident: Caused by user configuration error in firewall.local
    • December 2020 incident: Unknown, some overcredulous SNAT rule in firewall.local suspected, but the user did not report back
    • June 26th incident: Unknown, seems to be gone after a reboot (?!), user is still investigating
    • June 28th incident: Port in question was apparently opened on a router before IPFires' RED interface, user refused to provide logs/command outputs

Attendees

  • Arne
  • Jonatan
  • Michael
  • Peter

Log

Core Update 158

  • IPsec with Apple iOS & Mac OS still needs documentation
  • sshctrl call still needs to be fixed
  • Updates are quite big, and require a lot of disk space and RAM (while decrypting and verifying them)
  • Not clear if the UDP fragmentation problem is solved or not
  • No other major quirks known at the moment
  • Some bugs introduced in Core Update 157, still awaiting fixes
  • Root cause of broken Grub configs unknown, we need more feedback
  • Rest is still awaiting patches, will be handed in eventually

Core Update 159

  • We have a new Linux kernel - yay!!!
  • armv5tel will be dropped: There are no compatible boards around anymore according to Fireinfo, we will require armv6l in future
  • No other changes planned, the update is big enough already

firewall.cgi bugs

  • Alex disappeared and/or does not respond anymore, we need to take care of this ourselves :-/
  • Stefan volounteered to fix them peu a peu (many thanks)
  • Will take time and require feedback
  • By the way: The port redirect add-on seems to be an overkill, Stefan replaced this by a ~ 20-line patch...

Users reporting ports reachable on RED

  • Except for one case are all incidents cleared
  • Known penetration tests of IPFire never revealed a similar behaviour
  • We do not believe to have a bug related to this...

"Das ist alles nur gecloud (eh-oh, eh-oh), / das ist alles nicht mehr deine..."

  • Swiss government decided to toss their stuff to Alibaba m(
  • Google Cloud suffers from an - um - interesting security vulnerability
  • You cannot buy VMs at Hetzner and Exoscale without a public interface m(
  • You cannot trust any cloud provider, hence we will never move our critical infrastructure to infrastructure located beyond our control
  • However, we currently offer IPFire images on AWS, Hetzner, Exoscale, et al., it makes sense to extend this range to Alibaba and Tencent for APAC users

Pakfire & IPFire 3.x

  • Mitigating ccache poisoning
    • Expensive, but necessary
    • Throwaway cloud VMs might be a solution for non-release builds
    • We need to use them efficiently to save money
  • IPFire 3.x
    • Michael made major process
      • Pakfire has been re-implemented in C, almost feature complete
      • Signatures are still missing and TBD
      • Python module is merely a wrapper now
      • CLI needs to be cleaned up and some comfort features added
      • Debian Bullseye required (Linux kernel >= 5.4, libsolv > 4.7)
    • Next step: Move PBS to Python 3.x and integrate new Pakfire, Michaels' project for July
    • New installer: Bricklayer
      • Written in pure Python
      • We will support Btrfs only, primarily because of snapshot support (which still requires physical access or a KVM console)
      • Relatively feature-complete
      • Collateral usage: Installing IPFire out of other operating systems running, on loopback devices, etc.
      • Concrete implementation of network to be defined
    • Having PBS running will be a major milestone
    • Test Driven Development is tricky in build environments without networking
    • Michael is working on Pakfire and the IPFire 3.x ecosphere almost full-time in his spare time

Miscellaneous

  • GitHub Copilot
    • Ignores Open Source licenses, including ours (we are quite pissed about this)
    • Smells like supply chain attacks incoming
Edit Page ‐ Yes, you can edit!

Older Revisions • July 5 at 8:08 pm • Peter Müller