diff options
Diffstat (limited to 'tracker')
41 files changed, 0 insertions, 607 deletions
diff --git a/tracker/Allow_fripost_members_to_log_into_the_wiki_using_their_fripost_credentials.mdwn b/tracker/Allow_fripost_members_to_log_into_the_wiki_using_their_fripost_credentials.mdwn deleted file mode 100644 index 43481a8..0000000 --- a/tracker/Allow_fripost_members_to_log_into_the_wiki_using_their_fripost_credentials.mdwn +++ /dev/null @@ -1,3 +0,0 @@ -Right now, it supports using google, yahoo and other companies (is anyone still using AOL???) but not fripost. - -I don't know if ikiwiki supports ldap but it seems to support OpenID so a way to implement this could be to have an openid identity provider at fripost. diff --git a/tracker/CSP_too_strict.mdwn b/tracker/CSP_too_strict.mdwn deleted file mode 100644 index 308754d..0000000 --- a/tracker/CSP_too_strict.mdwn +++ /dev/null @@ -1,15 +0,0 @@ -On firefox 45, remote images are not shown in the webmail because of the CSP: - -``` -Content Security Policy: The page's settings blocked the loading of a resource at https://sendy.nitrokey.com/uploads/1431348652.png ("img-src https://mail.fripost.org"). -``` - -Oh wait, that's weird: it seems to block data-urls too: - -``` -Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw== ("img-src https://mail.fripost.org"). -``` - -I'm not too excited about allowing browsers to load images from arbitrary sources, but [did it anyway](https://git.fripost.org/fripost-ansible/commit/?id=c90ae1fe9d40a0271844d321a7a54ee219735ccf) with the hope that roundcube's anti-XSS filter is good enough. -I've also checked with the [Email Privacy Tester](https://emailprivacytester.com/) that other external resources blocked by the CSP are probably malicious. -[[closed]]. -- [[guilhem]] diff --git a/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment b/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment deleted file mode 100644 index ce90b13..0000000 --- a/tracker/CSP_too_strict/comment_1_4156da3309262dc53fff06dbbbcbb30c._comment +++ /dev/null @@ -1,10 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="Still a problem with http urls" - date="2016-04-08T09:50:11Z" - content=""" -Now some of the images work but not all. According to Firefox' console, http URLs are upgraded to https which may not work all the time. - -I don't know if it is possible but a better way to do this may be to use roundcube as a proxy for images and other inline content? -"""]] diff --git a/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment b/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment deleted file mode 100644 index c6df409..0000000 --- a/tracker/CSP_too_strict/comment_2_01c8f3bc631f9ddecb109455233d6f09._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="Further weakened the Content-Security-Policy" - date="2016-04-08T12:14:46Z" - content=""" -Alright, just [removed](https://git.fripost.org/fripost-ansible/commit/?id=e370313ad5895871479fffc922e3c72c0375dbf2) [`upgrade-insecure-requests`](https://www.w3.org/TR/upgrade-insecure-requests/#upgrade-insecure-requests) and [`block-all-mixed-content`](https://www.w3.org/TR/mixed-content/#block_all_mixed_content) from the CSP. Again, with the hope that Roundcube's built-in filter is tight enough by default… -"""]] diff --git a/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment b/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment deleted file mode 100644 index 3c53e3c..0000000 --- a/tracker/CSP_too_strict/comment_3_d0893142a031072c638d1e36b17aefe3._comment +++ /dev/null @@ -1,12 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="comment 3" - date="2016-04-08T13:30:16Z" - content=""" -I understand your frustration... - -I found that someone openned an related issue agains Roundcube about this almost exactly 2 years ago: [Image proxy #5099](https://github.com/roundcube/roundcubemail/issues/5099). It doesn't seem to be considered high prirority and I can understand as it's probably not an easy thing to get right. - -An other interesting way to fix this would be to have at tool that inlines all the images in an email (turn the remote images into data urls) which you would run on all incomming messages (maybe using sieve?). The only problem is that it might considerably blow-up the size of your mailboxes but given the benefits, it might be worth a try. -"""]] diff --git a/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment b/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment deleted file mode 100644 index 144ef97..0000000 --- a/tracker/CSP_too_strict/comment_4_b794220c7ed0f1b16daf3dd2970644d8._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="comment 4" - date="2016-04-08T13:39:39Z" - content=""" -Would be nice to have such proxy, indeed. Beside the mailbox overhead, another downside of the sieve hack is that this would invalidate all integrity checking such as DKIM or OpenPGP. -"""]] diff --git a/tracker/Error_on_search_in_roundcube.mdwn b/tracker/Error_on_search_in_roundcube.mdwn deleted file mode 100644 index 796ccec..0000000 --- a/tracker/Error_on_search_in_roundcube.mdwn +++ /dev/null @@ -1,6 +0,0 @@ -I got the following error message when trying a search in the whole message on all my mails (I'll admit that it's maybe a bit brutal) - -[[!img screenshot.png align="left" size="" alt=""]] - - -Nice, let's call this [[done]] then :-) For some reason SELECT commands are extremely slow on virtual commands. After poking a bit I noticed that dropping on disks indexes gave a significant speed up (from 30s to 4s here). I guess dovecot does many useless seek/read/write somehow. Anyway the time lost when reconstructing the indexes is shorter than the time spend on disk I/O. -- [[guilhem]] diff --git a/tracker/Error_on_search_in_roundcube/comment_1_ab3c858438a2bb81a607d8dce7a30709._comment b/tracker/Error_on_search_in_roundcube/comment_1_ab3c858438a2bb81a607d8dce7a30709._comment deleted file mode 100644 index 2466c47..0000000 --- a/tracker/Error_on_search_in_roundcube/comment_1_ab3c858438a2bb81a607d8dce7a30709._comment +++ /dev/null @@ -1,24 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="http://cdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="comment 1" - date="2015-06-05T15:37:37Z" - content=""" -Interesting. And no, it's not brutal at all, Dovecot should be able scale to millions of messages. Could you check if that happens again with Dovecot 2.2.13 (upgraded in early May)? If yes, could you type the following in a shell and see if that works for you? (The ‘S:’ prefixes denote server output; the ‘C:’ prefixes denote client input.) - - $ openssl s_client -connect imap.fripost.org:993 -CApath /etc/ssl/certs - S: […] - S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. - C: a LOGIN guilhem \"my top secret password\" - S: a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY] Logged in - C: b EXAMINE INBOX - S: […] - S: b OK [READ-ONLY] Examine completed (0.000 secs). - C: c UID SEARCH RETURN (ALL) UNDELETED TEXT blah - S: c OK Search completed (7.224 secs). - C: d LOGOUT - S: * BYE Logging out - S: d OK Logout completed. - - -"""]] diff --git a/tracker/Error_on_search_in_roundcube/comment_2_ac109ee66223f3878ac214f8158e1712._comment b/tracker/Error_on_search_in_roundcube/comment_2_ac109ee66223f3878ac214f8158e1712._comment deleted file mode 100644 index 7e00a26..0000000 --- a/tracker/Error_on_search_in_roundcube/comment_2_ac109ee66223f3878ac214f8158e1712._comment +++ /dev/null @@ -1,10 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="http://cdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="comment 2" - date="2015-09-28T19:24:40Z" - content=""" -If I try in roundcube, it serches for a while and then tells me it didn't find anything (but it should!). - -If I try with openssl (same query), it seems to work (note that the problem happens with virtual/all, not with INBOX). -"""]] diff --git a/tracker/Error_on_search_in_roundcube/comment_3_a81381fc8c1c4fc165e152b09c584c46._comment b/tracker/Error_on_search_in_roundcube/comment_3_a81381fc8c1c4fc165e152b09c584c46._comment deleted file mode 100644 index 0aa3b91..0000000 --- a/tracker/Error_on_search_in_roundcube/comment_3_a81381fc8c1c4fc165e152b09c584c46._comment +++ /dev/null @@ -1,9 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="http://cdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="comment 3" - date="2015-09-28T20:01:45Z" - content=""" -Roundcube might have killed the connection due to the IMAP timeout. (Since HTTP is stateless, each user event triggers a IMAP connection.) -How long did the the search take on the terminal (7.224 secs in my example)? We might have to raise the timeout. -"""]] diff --git a/tracker/Error_on_search_in_roundcube/comment_4_8642f30fd43365b55362691bb6835a88._comment b/tracker/Error_on_search_in_roundcube/comment_4_8642f30fd43365b55362691bb6835a88._comment deleted file mode 100644 index f820f34..0000000 --- a/tracker/Error_on_search_in_roundcube/comment_4_8642f30fd43365b55362691bb6835a88._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="http://cdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="comment 4" - date="2015-09-28T20:29:55Z" - content=""" -72.592 secs, so more than a minute... :-/ -"""]] diff --git a/tracker/Error_on_search_in_roundcube/comment_5_8d269a7cf3b5f938b70198b2f18af014._comment b/tracker/Error_on_search_in_roundcube/comment_5_8d269a7cf3b5f938b70198b2f18af014._comment deleted file mode 100644 index 09b9d8a..0000000 --- a/tracker/Error_on_search_in_roundcube/comment_5_8d269a7cf3b5f938b70198b2f18af014._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="http://cdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="comment 5" - date="2015-09-28T23:03:31Z" - content=""" -The IMAP connection used the default socket timeout (60s). I know some servers send back continuation responses (“+”) to keep the connection alive and avoid triggering the timeout, but I don't kown Dovecot 2.2.13 behaves regarding that. I changed the default socket timeout to 180s, could you try again? If that solves your problem, I think the proper solution would be to change to the socket options to use keepalive probes either at the TCP level or higher at the IMAP layer. -"""]] diff --git a/tracker/Error_on_search_in_roundcube/comment_6_7f23c4c51e524470c1e776bc9fbc5de8._comment b/tracker/Error_on_search_in_roundcube/comment_6_7f23c4c51e524470c1e776bc9fbc5de8._comment deleted file mode 100644 index 9a296ed..0000000 --- a/tracker/Error_on_search_in_roundcube/comment_6_7f23c4c51e524470c1e776bc9fbc5de8._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="http://cdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="comment 6" - date="2015-09-29T20:26:48Z" - content=""" -It works! Thanks! -"""]] diff --git a/tracker/Error_on_search_in_roundcube/screenshot.png b/tracker/Error_on_search_in_roundcube/screenshot.png Binary files differdeleted file mode 100644 index 46d2ce0..0000000 --- a/tracker/Error_on_search_in_roundcube/screenshot.png +++ /dev/null diff --git a/tracker/GDPR_och_organisationer.mdwn b/tracker/GDPR_och_organisationer.mdwn deleted file mode 100644 index c1b780b..0000000 --- a/tracker/GDPR_och_organisationer.mdwn +++ /dev/null @@ -1,8 +0,0 @@ -Beskriv på wikin vad organisationer ska tänka kring GDPR när de -använder Friposts funktioner som föreningsmedlemmar. Det enligt frågor -till styrelsen per e-post i 16--25 mars 2019. - -[[!tag wiki]] -[[!tag assignee:gustav]] - - diff --git a/tracker/Install_keyboard_shortcuts_on_roundcube.mdwn b/tracker/Install_keyboard_shortcuts_on_roundcube.mdwn deleted file mode 100644 index 0838f9b..0000000 --- a/tracker/Install_keyboard_shortcuts_on_roundcube.mdwn +++ /dev/null @@ -1,6 +0,0 @@ -There is a plugin that enable some features to be accessed with the keyboard. -http://plugins.roundcube.net/packages/cor/keyboard_shortcuts - -I'd like that :-) - -It might also be good for accessibility diff --git a/tracker/Install_keyboard_shortcuts_on_roundcube/comment_1_ae7383a784c52817db9238cd08d1847e._comment b/tracker/Install_keyboard_shortcuts_on_roundcube/comment_1_ae7383a784c52817db9238cd08d1847e._comment deleted file mode 100644 index 26adcd6..0000000 --- a/tracker/Install_keyboard_shortcuts_on_roundcube/comment_1_ae7383a784c52817db9238cd08d1847e._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="Ping" - date="2016-12-16T12:03:52Z" - content=""" -😉 -"""]] diff --git a/tracker/Merge_wiki_website_and_website.mdwn b/tracker/Merge_wiki_website_and_website.mdwn deleted file mode 100644 index 17e16d1..0000000 --- a/tracker/Merge_wiki_website_and_website.mdwn +++ /dev/null @@ -1,106 +0,0 @@ -[[!tag wiki]] [[!tag website]] - -Redesign the Fripost's wiki to function as a outsider facing website -and merge the content of the org-mode based into the wiki. - -[[gustav]] is working on the branch *fripost-wiki#ge-move-website*. - -Requirements -============ - -Regarding redesign, the following are requirements: - -* Visitors of [https://fripost.org] should be brought to the "Hem" page -* Visitors of [https://wiki.fripost.org] should be bought to the wiki index page. -* The pages "Hem", "Om", "Gå med", "Kontakt", "Certifikat", and - "English" should be locked from external edits, and edit buttons and - navigation should be hidden. -* The "FAQ" page should shared between the website and the wiki: It - should be editable but still displayed as if it was part of the - website. - -Checklist -========= - -Regarding merging, the following is the checklist: - -* In *from_wiki*, the following pages should be attended and possibly - added to the wiki. - * *budget.txt* -- Dropped - * *faq.txt* -- Content already in *faq.org* - * *fscons.txt* -- Added as *ideology/fscons-2010.mdwn* - * *index.txt* -- Dropped - * *ordlista.txt* -- Added as *dictionary.mdwn* - * *princip.txt* -- Added as *ideology/princip.mdwn* - * *protokoll.txt* -- Avaliable among minutes already - * *sidospår.txt* -- Incorporated in *hjalpa_till.mdwn* - * *stadgar.txt* -- Dropped. Statues exists in the *meetings* git repository - * *teknik.txt* -- Dropped - * *årsmöte.txt* -- Dropped -* In *sites* the following pages should be attended and possibly be - added to the wiki - * *certs* -- Added as a page, *certs.mdwn*, which is accessed from the main navigation bar - * *certs.asc* -- Added as a file, accessed from *certs.mdwn* - * *default.css* -- Dropped - * *faq.org* -- Merged with *faq.mdwn* - * *gnutiken.org* -- Dropped - * *index.en.org* -- Information added as *english.mdwn* - * *index.org* -- Text available as *hem.mdwn* - * *kontakt.en.org* -- Information added as *english.mdwn* - * *kontakt.org* -- Added as *kontakt.mdwn* - * *medlemskap.en.org* -- Information added as *english.mdwn* - * *medlemskap.org* -- Added as *medlemskap.mdwn* - * *organisation.org* -- Available as *om.mdwn* - * *progressbar-example.html* -- Droped - * *robots.txt* -- Dropped - * *sitemap.org* -- Dropped -* Describe the press presence according to the following files - * *images/press/spionen2011_liten.jpg* - * *images/press/fripost_fria_tidningen_2011_1.jpg* - * *images/press/fripost_fria_tidningen_2011_2.jpg* -* Check whether the content in *material* is available from the - *propaganda* git repository. If it isn't, do something about it -* Check where *logo2011.eps* is available elsewhere. - -Doubts -====== - -There are still some doubts about how to proceed: - -**1.** How shall the becoming *fripost.org* be prepared for -publications from other sources, like the *fripost-meetings* Git -repository? Currently publication happens through - - rsync -ruvp --chmod=Dugo+rx,Fugo+r $(send-files) fripost@fripost.org:fripost.org/minutes/ - -and access through - - https://fripost.org/minutes/<whatever-asked-for> - -**2.** I assume press images and similar can be published according to -the same structure: - - https://fripost.org/images/<whatever-asked-for> - -**3.** Regarding how to enforce the soft separation between the wiki -and the website content, I don't know how to achieve that. - -I tried the following idea that did not work. The wiki content is left -untouched. All website content (apart from *hem.mdwn*) is moved into a -directory, *website*, and *hem.mdwn* is named *website.mdwn*. Then the -website is reached through *https://fripost.org* simply by making the -web server point those request to -*<path-to-fripost-wiki>/website*. The *website.mdwn* will be -*<path-to-fripost-wiki>/website/index.html* and default target. - -The problem was that links to shared static content (style sheets and -similar) with relative paths did not work. - -Other ideas to track -==================== - -Consider to get back to how the certificate pages are accessed. It -would be more natural to access a certificate page from a side note on -the "Hem" page, the way it was done in the org-mode based website. - -[[closed]] diff --git a/tracker/Need_a_way_to_close_issues.mdwn b/tracker/Need_a_way_to_close_issues.mdwn deleted file mode 100644 index 79b6ddb..0000000 --- a/tracker/Need_a_way_to_close_issues.mdwn +++ /dev/null @@ -1,3 +0,0 @@ -Tags: [[wiki]] [[closed]] - -We probably should have a way to close resolved issues... diff --git a/tracker/New_template_for_the_wiki.mdwn b/tracker/New_template_for_the_wiki.mdwn deleted file mode 100644 index 41b0167..0000000 --- a/tracker/New_template_for_the_wiki.mdwn +++ /dev/null @@ -1,9 +0,0 @@ -Tags: [[wiki]] [[design]] - -[[!img screen.jpg align="right" size="500x" alt=""]] - -Not finished yet... -[[0001-Bootstrap-template.patch]] - - -[[closed]] diff --git a/tracker/New_template_for_the_wiki/0001-Bootstrap-template.patch b/tracker/New_template_for_the_wiki/0001-Bootstrap-template.patch deleted file mode 100644 index 96daf15..0000000 --- a/tracker/New_template_for_the_wiki/0001-Bootstrap-template.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 200490842426b70eb2d5fbcc9e8211e9b0845b1f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Gr=C3=A9goire=20D=C3=A9trez?= <gregoire.detrez@gu.se> -Date: Tue, 7 Jan 2014 18:20:07 +0100 -Subject: [PATCH] Bootstrap template - ---- - templates/page.tmpl | 106 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 106 insertions(+) - create mode 100644 templates/page.tmpl - -diff --git a/templates/page.tmpl b/templates/page.tmpl -new file mode 100644 -index 0000000..023121c ---- /dev/null -+++ b/templates/page.tmpl -@@ -0,0 +1,106 @@ -+<!DOCTYPE html> -+<html> -+ <head> -+ <title>Fripost | democratisk e-post</title> -+ <meta name="viewport" content="width=device-width, initial-scale=1.0"> -+ <!-- Bootstrap --> -+ <link rel="stylesheet" href="https://netdna.bootstrapcdn.com/bootstrap/3.0.3/css/bootstrap.min.css"> -+ <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries --> -+ <!-- WARNING: Respond.js doesn't work if you view the page via file:// --> -+ <!--[if lt IE 9]> -+ <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script> -+ <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script> -+ <![endif]--> -+ </head> -+ <style> -+ .navbar-fripost { -+ background-color: inherit; -+ border-bottom: black thin solid; -+ border-radius: 0; -+ margin-top: 1em -+ } -+ .navbar-fripost a { -+ color: black; -+ } -+ </style> -+ <body> -+ <div class="container"> -+ <nav class="navbar navbar-fripost" role="navigation"> -+ <!-- Brand and toggle get grouped for better mobile display --> -+ <div class="navbar-header"> -+ <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1"> -+ <span class="sr-only">Toggle navigation</span> -+ <span class="icon-bar"></span> -+ <span class="icon-bar"></span> -+ <span class="icon-bar"></span> -+ </button> -+ <a class="navbar-brand" href="#"><b>fripost</b> | democratisk e-post</a> -+ </div> -+ -+ <!-- Collect the nav links, forms, and other content for toggling --> -+ <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1"> -+ <ul class="nav navbar-nav"> -+ <li class="active"><a href="#">Hem</a></li> -+ <li><a href="<TMPL_VAR BASEURL>om/">Om</a></li> -+ <li><a href="<TMPL_VAR BASEURL>faq">FAQ</a></li> -+ <li><a href="<TMPL_VAR BASEURL>ga-med">Gå med</a></li> -+ <li><a href="<TMPL_VAR BASEURL>kontakt">Kontakt</a></li> -+ </ul> -+ <ul class="nav navbar-nav navbar-right"> -+ <li> -+ <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-user"></span> Members <b class="caret"></b></a> -+ <ul class="dropdown-menu"> -+ <li><a href="https://mail.fripost.org/"><span class="glyphicon glyphicon-envelope"></span> Webmail</a></li> -+ <li><a href="https://antilop.fripost.org/mailman/listinfo"><span class="glyphicon glyphicon-list"></span> Mailing lists</a></li> -+ <li class="divider"></li> -+ <li><a href="#"><span class="glyphicon glyphicon-wrench"></span> Admin panel</a></li> -+ </ul> -+ </li> -+ </ul> -+ </div><!-- /.navbar-collapse --> -+ </nav> -+ -+ <div id="content" style="padding:0 1em 0"> -+ <TMPL_VAR CONTENT> -+ -+ <div class="row"><div class="col-md-6"> -+ <ol class="breadcrumb"> -+ <TMPL_LOOP NAME="PARENTLINKS"> -+ <li><a href="<TMPL_VAR NAME=URL>"><TMPL_VAR NAME=PAGE></a></li> -+ </TMPL_LOOP> -+ <li class="active"><TMPL_VAR TITLE> -+ </ol> -+ </div> -+ -+ <div class="btn-toolbar col-md-6" role="toolbar"> -+ <TMPL_IF HAVE_ACTIONS> -+ <div class="btn-group"> -+ <TMPL_IF EDITURL> -+ <a class="btn btn-default" href="<TMPL_VAR EDITURL>" rel="nofollow">Edit</a> -+ </TMPL_IF> -+ <TMPL_IF RECENTCHANGESURL> -+ <a class"btn btn-default" href="<TMPL_VAR RECENTCHANGESURL>">RecentChanges</a></li> -+ </TMPL_IF> -+ <TMPL_IF HISTORYURL> -+ <a class"btn btn-default" href="<TMPL_VAR HISTORYURL>">History</a></li> -+ </TMPL_IF> -+ <TMPL_IF GETSOURCEURL> -+ <a class"btn btn-default" href="<TMPL_VAR GETSOURCEURL>">Source</a></li> -+ </TMPL_IF> -+ <TMPL_IF PREFSURL> -+ <a class"btn btn-default" href="<TMPL_VAR PREFSURL>">Preferences</a></li> -+ </TMPL_IF> -+ </ul> -+ </div> -+ </TMPL_IF> -+ </div> -+ </div> -+ </div> -+ </div> -+ -+<!-- jQuery (necessary for Bootstrap's JavaScript plugins) --> -+<script src="https://code.jquery.com/jquery.js"></script> -+<!-- Include all compiled plugins (below), or include individual files as needed --> -+<script src="https://netdna.bootstrapcdn.com/bootstrap/3.0.3/js/bootstrap.min.js"></script> -+</body> -+</html> --- -1.8.3.2 - diff --git a/tracker/New_template_for_the_wiki/screen.jpg b/tracker/New_template_for_the_wiki/screen.jpg Binary files differdeleted file mode 100644 index 4e64bb2..0000000 --- a/tracker/New_template_for_the_wiki/screen.jpg +++ /dev/null diff --git a/tracker/Poor_score_on_starttls.info.mdwn b/tracker/Poor_score_on_starttls.info.mdwn deleted file mode 100644 index 29e298e..0000000 --- a/tracker/Poor_score_on_starttls.info.mdwn +++ /dev/null @@ -1,8 +0,0 @@ -[[!img screenshot.png align="center" size="" alt=""]] -See [https://starttls.info/check/fripost.org](https://starttls.info/check/fripost.org) -(ok, only one server has a D score, but still ;-)) - -I'm not sure what the metric is worth exactly but the tool was [advertised by the EFF](https://www.eff.org/deeplinks/2014/12/email-encryption-surged-2014-still-needs-work-2014-review) - -Fun facts: Fripost is still doing better than [chalmers.se](https://starttls.info/check/chalmers.se), [gu.se](https://starttls.info/check/gu.se) and [goteborg.se](https://starttls.info/check/goteborg.se) but [riseup.net](https://starttls.info/check/riseup.net) does better than [gmail.com](https://starttls.info/check/gmail.com)! - diff --git a/tracker/Poor_score_on_starttls.info/comment_1_96728869b78cedfd11594828615e5079._comment b/tracker/Poor_score_on_starttls.info/comment_1_96728869b78cedfd11594828615e5079._comment deleted file mode 100644 index c665ac7..0000000 --- a/tracker/Poor_score_on_starttls.info/comment_1_96728869b78cedfd11594828615e5079._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="http://cdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="comment 1" - date="2015-06-05T15:52:00Z" - content=""" -I'm all for ubiquitous encryption, but note that without TLSA records and DNSSEC, any MX is trivially vulnerable to downgrade attacks: an adversary sitting in the middle can easily strip the STARTTLS EHLO/HELO response, and force the communication to happen in the clear :-P -"""]] diff --git a/tracker/Poor_score_on_starttls.info/comment_2_6af51a73a33ae813cbe5104943437eb2._comment b/tracker/Poor_score_on_starttls.info/comment_2_6af51a73a33ae813cbe5104943437eb2._comment deleted file mode 100644 index 819277d..0000000 --- a/tracker/Poor_score_on_starttls.info/comment_2_6af51a73a33ae813cbe5104943437eb2._comment +++ /dev/null @@ -1,8 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="http://cdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="comment 2" - date="2015-10-01T18:00:18Z" - content=""" -But I guess in this case either side could decide to stop the communication. Either because you have some [add-hoc list](https://support.google.com/a/answer/2520500?hl=en) or a heuristic like *connection to @foobar.com was encrypted last time so I expect it to be encrypted forever* -"""]] diff --git a/tracker/Poor_score_on_starttls.info/comment_3_e7e46a099bbcbef7bdacd4249e1d26aa._comment b/tracker/Poor_score_on_starttls.info/comment_3_e7e46a099bbcbef7bdacd4249e1d26aa._comment deleted file mode 100644 index bcea26e..0000000 --- a/tracker/Poor_score_on_starttls.info/comment_3_e7e46a099bbcbef7bdacd4249e1d26aa._comment +++ /dev/null @@ -1,13 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="http://cdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="comment 3" - date="2015-10-06T12:21:01Z" - content=""" -Doing so would violate the SMTP protocol, so it's unlikely to be implemented on non-private MTAs. (And end users typically don't talk directly to a MX.) - -Furthermore, while ad-hoc lists are very useful on a local MTA (list the fingerprints of all known SMTPSA servers to defeat MITM attacks) or to specify an encryption policy within a given Email Service Provider (which is [what we're doing](https://git.fripost.org/fripost-ansible/tree/roles/common/templates/etc/postfix/tls_policy.j2) by the way), they don't really scale. Like the heuristic you described, they also fail to properly address key rotation and/or expiration. (If the certificate has changed, how to determine if it was done by the MTA operator or if the connection is being MITM'ed? By relying on the CA model? -Should the client decide to bounce the message or to send it in the clear?) Also, what if the service operator suddenly decide to remove TLS support? As far as SMTP is concerned this is perfectly fine since STARTLS is optional. - -On the other hand, by publishing some (signed) TLSA records a site operator can broadcast their certificate fingerprint or signing CAs. Clients no longer have to guess a heuristic since they can rely on the information provided by site operators themselves. This is what we get when not-security-focused 30 years-old protocols are being patched up to meet today's standards: fixes come with yet another RFC extension. And care must be taken to defeat downgrade attacks. -"""]] diff --git a/tracker/Poor_score_on_starttls.info/screenshot.png b/tracker/Poor_score_on_starttls.info/screenshot.png Binary files differdeleted file mode 100644 index 06ca3af..0000000 --- a/tracker/Poor_score_on_starttls.info/screenshot.png +++ /dev/null diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox.mdwn b/tracker/Public-Key-Pins_not_accepted_by_firefox.mdwn deleted file mode 100644 index d7245cc..0000000 --- a/tracker/Public-Key-Pins_not_accepted_by_firefox.mdwn +++ /dev/null @@ -1,9 +0,0 @@ -Still in firefox 45, I found this in the console on roundcube: - -``` -Public-Key-Pins: The certificate used by the site was not issued by a certificate in the default root certificate store. To prevent accidental breakage, the specified header was ignored. -``` - -I'm not sure why as Firefox does accept Let's Encrypt certificates otherwise... - -[[closed]] diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment deleted file mode 100644 index 6a15cd2..0000000 --- a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_1_b4a4c48337c46bc9f2435fe6df8b382e._comment +++ /dev/null @@ -1,33 +0,0 @@ -[[!comment format=mdwn - username="guilhem" - avatar="https://seccdn.libravatar.org/avatar/86d6cb4bde1ef88730b14ccad0414c28" - subject="Unreproducible here (Firefox ESR 45.0.1)" - date="2016-04-07T16:32:37Z" - content=""" -Keys are properly pinned here - - 1. Close the browser - 2. Remove all mentions of `fripost.org` in `~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt`: - - ~$ sed -i -r '/^(\S+\.)?fripost\.org:/d' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt - - 3. Start the browser (without HSTS or HPKP knowledge for `fripost.org` or any of its subdomains) - 4. Open `https://mail.fripost.org/` in a new tab - 5. (After waiting a few seconds to let firefox flush the data.) The - HSTS policy and the two pins appear in the file: - - ~$ grep -E '^(\S+\.)?fripost\.org:' ~/.mozilla/firefox/<profile>/SiteSecurityServiceState.txt - mail.fripost.org:HSTS 0 16898 1475812232563,1,1 - mail.fripost.org:HPKP 0 16898 1460047832565,1,0,SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk=/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w= - - There is no warning in the log, either. - -The root CA (*DST Root CA X3*) appear in Firefox's CA store as a \"Builtin Object Token\", while the intermediate CA (*Let's Encrypt Authority X3*) is supplied by the server and automatically stored by Firefox as a \"Software Security Device\". - -Do you have default settings for the `security.cert_pinning.*` [tunables](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning)? - - security.cert_pinning.enforcement_level = 1 - security.cert_pinning.process_headers_from_non_builtin_roots = false - -Please also verify that you have no weird non-default tunables for `security.*`. -"""]] diff --git a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment b/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment deleted file mode 100644 index 85e2da6..0000000 --- a/tracker/Public-Key-Pins_not_accepted_by_firefox/comment_2_1f3c32a22218d2a016f0bf97cc3f04b8._comment +++ /dev/null @@ -1,10 +0,0 @@ -[[!comment format=mdwn - username="Grégoire" - avatar="https://seccdn.libravatar.org/avatar/5ed039572e7af206cbc97a7c59dcb0ad" - subject="Whoops, not your fault ;-)" - date="2016-04-08T13:00:11Z" - content=""" -I looked into it a bit more and it seems that it's a bug in Firefox in fedora (something to do with the nss library being different). - -Sorry about the noise. -"""]] diff --git a/tracker/Publish_all_certificates_reachable_from_outside_to_the_monkeysphere.mdwn b/tracker/Publish_all_certificates_reachable_from_outside_to_the_monkeysphere.mdwn deleted file mode 100644 index cbdfb3d..0000000 --- a/tracker/Publish_all_certificates_reachable_from_outside_to_the_monkeysphere.mdwn +++ /dev/null @@ -1,4 +0,0 @@ -The admins should also sign the generated OpenPGP key, so that -non-admins members can rely on the Web of Trust instead of the usual CA -model. (Both are compatible, by the way.) See -[[http://web.monkeysphere.info/]]. diff --git a/tracker/Publish_an_SPF_policy_to_the_DNS_zone.mdwn b/tracker/Publish_an_SPF_policy_to_the_DNS_zone.mdwn deleted file mode 100644 index bdbec77..0000000 --- a/tracker/Publish_an_SPF_policy_to_the_DNS_zone.mdwn +++ /dev/null @@ -1,57 +0,0 @@ -We need to create a new subdomain `outgoing.fripost.org` which A and -AAAA records point to machines currently serving as outgoing SMTP -servers. Then we would add the following records to the DNS zone -([RFC 4408 section 3.1.1](https://tools.ietf.org/html/rfc4408#section-3.1.1) -recommends both SPF and TXT records, with identical content.): - - outgoing.fripost.org IN SPF "v=spf1 a ~all" - outgoing.fripost.org IN TXT "v=spf1 a ~all" - fripost.org IN SPF "v=spf1 redirect=outgoing.fripost.org" - fripost.org IN TXT "v=spf1 redirect=outgoing.fripost.org" - -That essentially means whenever someone receives a message from a -`@fripost.org` address, we can say the address hasn't been spoofed (or -been spoofed by another fripost member) if the message was originating -from `outgoing.fripost.org` (i.e., was sent from the webmail, the Mail -Submission Agent, or was the target of an alias or subscribed on a -list). Otherwise, things are like there wasn't an SPF policy. With that -information at hand, the recipient may decide to classify the message as -SPAM or HAM for instance. - -If we were to disallow (we probably aren't) messages from `@fripost.org` -addresses to be sent from anything else than what `outgoing.fripost.org` -points to, we could replace the trailing `~all` (softfail) by `-all` -(fail). - -Having an SPF policy for Fripost is also useful for domains using -fripost.org as MX:es. For instance, to allow `@example.org` messages to -be sent from either `fripost.org`'s outgoing machines (without knowing -what they are a priori, therefore the SPF policy is copied) or -`example.org`'s A/AAAA records, but nothing else: - - example.org IN SPF "v=spf1 ?include:fripost.org a -all" - example.org IN TXT "v=spf1 ?include:fripost.org a -all" - -Hopefully one day we'll have DNSSEC, defeating DNS-spoofing. The the -[qualifier](https://tools.ietf.org/html/rfc4408#section-5.2) could be -changed to something tighter: - - example.org IN SPF "v=spf1 include:fripost.org a -all" - example.org IN TXT "v=spf1 include:fripost.org a -all" - -Here too the default action `-all` (fail) could be replaced by `~all` -(softfail) to allow mails from `@example.org` addresses to be sent from -other locations, but without asserting they aren't spoofed in that case. - -If `example.org`'s has no A/AAAA records, or if the machine they point -to are not supposed to relay mails to the outside, one may prefer to -merely copy our policy: - - example.org IN SPF "v=spf1 redirect=outgoing.fripost.org" - example.org IN TXT "v=spf1 redirect=outgoing.fripost.org" - -References: RFCs [4408](https://tools.ietf.org/html/rfc4408) and -[6652](https://tools.ietf.org/html/rfc6652); See also the -[Wikipedia page](https://en.wikipedia.org/wiki/Sender_Policy_Framework). - -[[closed]] diff --git a/tracker/Publish_the_DKIM_public_key_to_the_DNS_zone.mdwn b/tracker/Publish_the_DKIM_public_key_to_the_DNS_zone.mdwn deleted file mode 100644 index 00f6062..0000000 --- a/tracker/Publish_the_DKIM_public_key_to_the_DNS_zone.mdwn +++ /dev/null @@ -1,19 +0,0 @@ -So anyone receiving an e-mail from `fripost.org`'s outgoing SMTP server -(possibly indirectly) can decide whether it's legit or tampered with. - -The DKIM public key should be added to `fripost.org`'s DNS zone as a TXT -record, as follows: - - 20140112._domainkey.fripost.org. 86400 IN TXT "v=DKIM1\; k=rsa\; p=…" - -Having one sub-domain (here `20140112`, the date where the key was -generated) is what Google does; that's a clever way to allow multiple -keys, which is useful for a smooth transition to a stronger key for -instance. - -See RFCs [6376](https://tools.ietf.org/html/rfc6376) and -[7001](https://tools.ietf.org/html/rfc7001) for references. The -[Wikipedia page](https://en.wikipedia.org/wiki/Dkim) might be another -good read. - -[[closed]] diff --git a/tracker/Two-Factor_Authentication.mdwn b/tracker/Two-Factor_Authentication.mdwn deleted file mode 100644 index dc5cdc7..0000000 --- a/tracker/Two-Factor_Authentication.mdwn +++ /dev/null @@ -1,8 +0,0 @@ -Is it possible two use some kind of Two-factor authentication? - -Such as TOTP? -https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm -To use from Keepassxc, Andotp, Freeotp or similar. - -At least in Nextcloud it should be simple to set up but I would prefer to use it on both e-mail and Nextcloud. Especially on mail because it will be used as mean to reset passwords to some services. - diff --git a/tracker/Update_Data_policy_2018.mdwn b/tracker/Update_Data_policy_2018.mdwn deleted file mode 100644 index 7a71d52..0000000 --- a/tracker/Update_Data_policy_2018.mdwn +++ /dev/null @@ -1,4 +0,0 @@ -Update the data policy page according to board decision May 28, 2018: - -[[board]] -[[!tag assignee:ljo]] diff --git a/tracker/Upgrade_Pandoc_plugin.mdwn b/tracker/Upgrade_Pandoc_plugin.mdwn deleted file mode 100644 index 1428353..0000000 --- a/tracker/Upgrade_Pandoc_plugin.mdwn +++ /dev/null @@ -1,14 +0,0 @@ -Reminder when upgrade happens of Pandoc > 1.8 make sure to upgrade -also -the [ikiwiki-pandoc](https://github.com/sciunto-org/ikiwiki-pandoc/) -plugin. - -Story is that [user/gustav] tried compilation of Fripost wiki with -Pandoc 2.7.2. Some flags, e.g. `--normalize` and `--smart` are removed -compared to the Pandoc verison 1.17.2 of Debian Jessie (installed on -*civett*) - -Checklist: - - * Latest *ikiwiki-pandoc* version of *pandoc.pm* in ansible - * Remove config for `--smart` in *fripost-wiki.setup* diff --git a/tracker/Wiki_describe_mutt_config.mdwn b/tracker/Wiki_describe_mutt_config.mdwn deleted file mode 100644 index 414c8eb..0000000 --- a/tracker/Wiki_describe_mutt_config.mdwn +++ /dev/null @@ -1,8 +0,0 @@ -Describe Gustav's configuration of *mutt*, *msmtp*, *GNU Emacs* and -its client, *DavMail*, etc - -Bring up the pitfalls from Guilhem's and Gustav's email conversation -August 2015. - -[[!tag wiki]] -[[!tag assignee:gustav]] diff --git a/tracker/closed.mdwn b/tracker/closed.mdwn deleted file mode 100644 index 59cf65c..0000000 --- a/tracker/closed.mdwn +++ /dev/null @@ -1 +0,0 @@ -[[!inline pages="tracker/* and !*/Discussion and !*.* and (link(closed) or link(done))" show="10" rootpage="tracker" postformtext="Open a new issue" archive="yes"]] diff --git a/tracker/done.mdwn b/tracker/done.mdwn deleted file mode 100644 index 59cf65c..0000000 --- a/tracker/done.mdwn +++ /dev/null @@ -1 +0,0 @@ -[[!inline pages="tracker/* and !*/Discussion and !*.* and (link(closed) or link(done))" show="10" rootpage="tracker" postformtext="Open a new issue" archive="yes"]] diff --git a/tracker/nowikilogout.mdwn b/tracker/nowikilogout.mdwn deleted file mode 100644 index e857243..0000000 --- a/tracker/nowikilogout.mdwn +++ /dev/null @@ -1,5 +0,0 @@ -I can't find a 'logout' button on the wiki. - -> Oh, there's actually one on the "Preferences" page --[[Grégoire]] - -[[closed]] diff --git a/tracker/use_proper_certificates_for_lists.f.o__044___wiki.f.o__044___and_git.f.o.mdwn b/tracker/use_proper_certificates_for_lists.f.o__044___wiki.f.o__044___and_git.f.o.mdwn deleted file mode 100644 index 03a6f3d..0000000 --- a/tracker/use_proper_certificates_for_lists.f.o__044___wiki.f.o__044___and_git.f.o.mdwn +++ /dev/null @@ -1,3 +0,0 @@ -Maybe a certificate signed by [CAcert](https://wiki.cacert.org/) would be enough (unless the wiki is gonna be used to power the site...) - -[[Done]]. The certificates of [our public services](https://fripost.org/certs/) are now all issued by [Let's Encrypt](https://letsencrypt.org). |
