Where to post infrastructure discussions?

Community Infrastructure
1

I have some updates and discussions about infrastructure that I want to post on Talk. Where does everyone think I should post those?

  • Development Category
  • Community Category
  • New ā€œInfrastructureā€ Category
  • Other - please reply with a text responseā€¦

0 voters

2

Create an ITSM category

3

Well, I hope this does not backfires.

Thereā€™s usually two problems with public infrastructure discussions:

  • bike shedding. Something around the fact that everything looks simple and small makes this topic particularly exciting for bike shedding.
  • reconnaissance for attackers. This is a dangerous one. If we make public how we handle backups, when, how often, who has access, which systems controls it, every other detail about our networkā€¦ well, we are making ourselves easier to be attacked. Like http://itsecurity.telelink.com/reconnaissance/ . Thereā€™s always this tug-of-war between security and convenience, which makes it harder.

Today ITSM has a somehow ā€˜privateā€™ wiki space, which Iā€™m adding every one which I believe could benefit from having access (@janflowers I can add you!) .

Iā€™m a little bit afraid of making all this information/discussions public (as in, to the whole internet), instead of a reasonably-sized groups of people who are actively involved somehow). Iā€™m all for sharing as much info as we can, but with caution.

The category itself, I donā€™t mind that much.

4

Thatā€™s a great point @cintiadr. Iā€™m trying to figure out how to provide transparency into our discussion regarding strategy and long term planning, volunteer scheduling, etc and balance that with the need for security around certain discussions. I wanted to post some things that I got back from UberOps regarding how to think about our long term strategy, but I wasnā€™t sure where to start that discussion - or where to post updates as we progress in our strategy. I like the default open motto unless absolutely necessary, so it might be important to have explicit rules around what we disclose only privately. This way we default to open unless itā€™s explicitly stated in those rules. The other option would be to create a category in a way that is moderated, so posts only occur after a security expert (such as yourself) reviews and allows the post to be published. That means more work for our infrastructure team though.

Just to note, this wouldnā€™t replace our current Telegram management chat which is important to keep internal for security, but would rather be a way to include the broader community in infrastructure discussions that donā€™t include security information. As well as, just a way to keep the community up to date on important infrastructure progress.

Thoughts?

5

@janflowers well so far we been discussing in the telegram chat since that is more private. Although its harder to grab info and note decisions. But, has somewhat worked for the moment. The next thing would be to use the wiki like @cintiadr said since its more private. I would start by posting what you got in uberops in the chatroom and we can go from there and put decisions or more structure decisions in the wiki.

6

Visibility for infra has being suboptimal, thatā€™s something Iā€™m very conscious and Iā€™ve been actively working on. So, this is a pretty dear subject to me :slight_smile:

Prepare for a wall of text.

For the wiki what Iā€™m actually trying to aim is for two wiki spaces: one public and one private. https://wiki.openmrs.org/display/ISM/Home is the public one, Iā€™ve spent quite a few time getting it clean and nice recently.

Iā€™m cleaning JIRA project too, to make sure we can improve visibility of the project tasks pending or being worked on. I know that helpdesk doesnā€™t help with visibility, but I think in the future they can coexist.

Telegram is very verbose and itā€™s harder for those not following it closely, itā€™s hard to tell which bits and pieces of info would actually be useful for you.

I like talk/email for structured talks, it works well. I think it makes all sense to me to have infra category for our longer discussions. Itā€™s a tool I believe it can play a pretty good role. Iā€™m voting +1 for talk infra.

Security is a pretty complicated topic. Thereā€™s no black and white here, and I can guarantee you that no single person will ever get it all right. Itā€™s a balance, about how much info you are handing vs the benefit of spreading it. For example, the benefit of making the outages registry public is so huge that I think itā€™s worth making public.

Iā€™d think we should have both a public category (the Community one is fine), and a new one private. By private I never mean infra team only, thatā€™s not enough. I think we need to grow the trust circle, I want to have infra team + leadership + maybe /dev/4-5? This ā€˜extendedā€™ infra should have access to all JIRA tickets, both wikis and both talk categories.

An absolute non-comprehensive list of dangerous things we should not say in public repos:

  • Versions of software we are running (including OS and other ā€˜patchableā€™ things)
  • Network topology, providers, SSH or authentication config, firewall config/version
  • Users (including bot accounts, access, and where to find credentials)
  • Password and secret management
  • Mentioning which groups of software are running on a single box ( bonus points for ldap and database locations)
  • Backups location, policy, how to retrieve it
  • How access is granted, to whom (targeting some specific users for access)

What we can do, Iā€™d think, is that every topic we create on the private repo, we can always question if it should be public and move it.

7

Well, I think thereā€™s no harm trying it out.

https://talk.openmrs.org/c/community/itsm is private:

Infrastructure - OpenMRS Talk is now public.

3 Likes
8

Not to mention who the teams are ā€“ granted itā€™s kinda public ā€“ I think we SHOULD open things up and be more transparent.