00:06 <pinchartl> Consolatis: I find it hard to disagree

00:06 <pinchartl> would it be worth warning people, when they register an account, to not reuse an existing password ?

00:08 <pinchartl> even then, does this mean that in theory fastly could impersonate any user ?

00:26 <psykose> reminds me of the funny 'tls added and removed here :-)' graphic

00:42 <pinchartl> psykose: this one https://www.netresec.com/?page=Blog&month=2020-12&post=Capturing-Decrypted-TLS-Traffic-with-Arkime ?

00:42 <psykose> the first image on https://blog.encrypt.me/2013/11/05/ssl-added-and-removed-here-nsa-smiley/

00:53 <Consolatis> > even then, does this mean that in theory fastly could impersonate any user ?

00:53 <Consolatis> i don't see why it shouldn't be able to

00:54 <Consolatis> session cookie is available + fdo trusts the stated remote ip header of fastly

00:54 <Consolatis> so it wouldn't even leave a login log entry anywhere

00:57 <pinchartl> git should give us some protection against some malicious actions, but other features offered by gitlab can be more problematic

00:58 <Consolatis> in my opinion, use of CDNs to speed up dynamic pages can mostly be better implemented with own caches in front, close to the actual target app server. the question also is if it *actually* speeds up dynamic pages, from memory most of the gitlab pages do a dozen of XHR requests anyway for everything "dynamic"

01:01 <pinchartl> one of the reasons for using fastly is protection against AI bots

01:02 <pinchartl> it's not just speeding up delivery of content

09:13 <colinmarc> honestly, that's like saying "we shouldn't user hetzner because they will have root access to our servers". that logic could also be used to rule out hosted databases, managed certs (letsencrypt), and a host of other technologies that make it possible to run a website and also get some sleep sometimes. I'm a big fan of running owned hardware, but it's not practical for everyone

09:14 <colinmarc> I don't know gitlab's query/web patterns, but rails/activerecord are extremely slow and usually expect you to do caching on top

09:19 <dwfreed> every non-trivial webapp is slow as balls and needs a caching layer over it

09:19 <dwfreed> "every" may be a little harsh, "most" might be better

09:20 <colinmarc> every ruby on rails webapp is slow as balls :)

09:20 <dwfreed> you're not wrong

09:21 <colinmarc> lack of any real concurrency strategy outside "run a bunch of processes" is the real killer (my information might be out of date - I worked on a huge ruby deployment ten years ago)

09:22 <dwfreed> what keeps fastly from stealing your login information: they'd like to continue to make money for shareholders

09:22 <dwfreed> if anybody had any serious inkling that fastly was abusing their CDN to steal login information, fastly would be bankrupt by the end of the month

09:44 <emersion> btw, we have a legal contract with fastly, it's not just yolo

09:45 <emersion> stealing info would be a breach of contract

09:45 <emersion> also pretty much all websites use fastly or similar

09:45 <emersion> (not that I like this)

09:49 <dwfreed> "sued into the ground" is not a state any public company wants to be in

14:26 <pinchartl> another question on the same topic: does "handle TLS termination" mean traffic will be unencrypted between fastly and hetzner ?

15:13 <Consolatis> based on !2076 its client->TLS->fastly->TLS->hetzner

15:13 <Consolatis> > each of those services needs to have a let's encrypt certificate so we can have TLS between fastly and the service

18:52 <daniels> yeah

18:53 <daniels> the contract + reputation is why I’m personally very relaxed about fastly - as well as one of our long-term admins having previously worked there for years and having good things to say for it - even if you don’t trust their motives, pragmatically, spying on fd.o would be an utterly idiotic move in terms of risk:reward

19:25 <mupuf> daniels, bentiss: How about: Gitlab.freedesktop.org will be unavailable for up to a week starting March 16th, due to our ongoing infrastructure move. You can follow our planning tracker at https://gitlab.freedesktop.org/freedesktop/freedesktop/-/issues/2076#prepare-the-connection-from-faslty-cdn

19:34 <pinchartl> do you plan to report on the status of the migration somewhere ? I'm sure lots of people will be curious

19:46 <mupuf> irc, mastodon

20:20 <bentiss> pinchartl: I'll also try to set up a static HTML page with the status

20:20 <bentiss> I did that in the last migration and it seemed appreciated

20:22 <pinchartl> yes, kudos for that

20:22 <pinchartl> it looked nice too :-)

21:22 <sergi> Hi Mesa developers,

21:22 <sergi> I forgot to mention by the end the week (the working days I mean). Tomorrow Monday, we have scheduled a Collabora farm maintenance. See https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/33595