Apache Infrastructure Team

Thursday September 25, 2014

Committer shell access to people.apache.org

Apache committers are granted shell access to a host know as either people.apache.org or minotaur. As you may know, there has been a two year grace period in which we have advertised the upcoming change away from password logins to SSH key only.

Due to a recent significant increase in security issues, the Infrastructure team has taken steps to complete the implementation of key-only logins to protect ASF computing resources. 

If you can't access the host anymore then it is very likely you do not have your key stored in LDAP.  Please check your LDAP data in https://id.apache.org - and add your key(s) if they are not present.  If neccessary, ensure your keys are loaded locally (for linux see http://linux.die.net/man/1/ssh-add  and http://linux.die.net/man/1/ssh-agent)

The host will pick up this change within 5 minutes of you making your change and you should be able to get in again.

As always if you have any issues please open a JIRA issue in the INFRA project and we will help you as soon as we can.  

Committers mail relay service

For a very long time now we have allowed committers to send email from their @apache.org email address from any host.  10 years ago this was less of an issue than it is today.  In the current world of mass spam and junk flying around, mail server providers are trying to find better ways to implement a sense of safety from this for their users.  One such method is SPF [1]. These methodologies check that incoming email actually originated via a valid mail server for the senders domain. 

For example if you send from myuserid@apache.org, but you just send that via your ISP at home, it could be construed as being junk as it never came via an apache.org mail server.  Some time ago we setup a service on people.apache.org to cater for this, but it was never enforced and it seems that the SMTP daemon running the service is not 100% RFC compliant and thus some people have been unable to use this service.

As of today, we have stood up a new service on host mail-relay.apache.org that will allow committers to send their apache.org emails via a daemon that is RFC compliant and uses your LDAP credentials. You can read here [2] what settings you will need to be able to use this service. 

On Friday October 10th, at 13:00 UTC the old service on people.apache.org will be terminated, and the updates to the DNS to enforce sending of all apache.org email to have originated via an ASF mail server will be enabled. This means that as of this time if you do not send your apache.org email via mail-relay it is very likely that the mail will not reach it's destination.  

When we say 'send your apache.org email'  - we mean that when you send *from* your userid@apache.org email.   Emails sent *to* any apache.org email address will not affected by this. 

[1] - http://en.wikipedia.org/wiki/Sender_Policy_Framework

[2] - https://reference.apache.org/committer/email#sendingemailfromyourapacheorgemailaddress

Calendar

Search

Hot Blogs (today's hits)

Tag Cloud

Categories

Feeds

Links

Navigation