Enable DKIM for WordCamp GSuite?

While looking at DKIM for 3rd-party tools, I noticed we don’t have it setup for GSuite emails.

Do we need to setup DKIM for those domains? Or is the default gsuite dkim setup enough?

Direct link: https://admin.google.com/ac/apps/gmail/authenticateemail
You can login using the ?secret_id=7194 secret.

Outgoing emails from GSuite currently show this in gmail receivers:

SPF:  PASS with IP 209.85.220.41
DKIM:   'PASS' with domain wordcamp-org.20230601.gappssmtp.com
DMARC:  'PASS' 

While emails sent from WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more. production show:

DKIM: 'PASS' with domain wordcamp.org
DMARC:  'PASS'

#prio2 #email #wordcamp

Enable DKIM for 3rd-party WordCamp emails

Since February 1, 2024, Gmail and Yahoo have implemented new requirements for email senders to protect users’ inboxes from spam more effectively while ensuring legitimate emails are received.

As y’all know, Google and Yahoo have changed how they handle non-authenticated emails. While emails we send are likely to have proper authentication in place, emails sent from 3rd-parties don’t.

Some 3rd-party tools can use the Gsuite account for emails (Freescout & HelpScout for example). Other tools, such as Mailchimp, Active Campaign, Brevo, and a long list of others don’t support it.

Mailchimp is currently enabled for DKIM, as it’s used for the main Central account – and as I’ve just found out, as long as you can receive email for a email address, any WordCampWordCamp WordCamps are casual, locally-organized conferences covering everything related to WordPress. They're one of the places where the WordPress community comes together to teach one another what they’ve learned throughout the year and share the joy. Learn more. can use that verification; so any WordCamp using Mailchimp is fine.

Active Campaign is used (at least) by WordCamp Asia, this requires adding additional DKIM keys and a CNAME to verify the domain ownership.

acdkim1._domainkey.wordcamp.org CNAME dkim.acdkim1.acems1.com
acdkim2._domainkey.wordcamp.org CNAME dkim.acdkim2.acems1.com

em-3501330.wordcamp.org CNAME cmd.emsend1.com

Brevo is currently used by (at least) WordCamp Europe. Similar to above, it requires the DKIM records and an ownership verification record.

Unfortunately these do not use CNAME’s and require TXT records be added:

wordcamp.org TXT brevo-code:[pixelated-text]
mail._domainkey.wordcamp.org TXT k=rsa;[pixelated-text]

(@casiepa can you let me know the actual values for these? I can only find pixelated images)

I don’t know how to handle this going forward; especially in the case of the above which require may require ownership verification from future WordCamps, I’m almost certain the above authentication steps won’t work for future camps.

If systems have any objections to enabling DKIM and ownership verifications of the domain for WordCamps, let us know and we’ll discuss if there’s an alternative; At present it doesn’t appear there’s many other options; aside from requiring WordCamps to use a limited selection of tools, or to use a 3rd-party domains (such as team@wc{city}.org).

Regional WordCamps (Asia, Europe, and US) get special treatment however in this regard; so I assume enabling DKIM is going to be possible.

#wordcamp #email #prio1 #dns

Enable SSL for additional *.wp.org domains

End-users often shorten links to WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ with the wp.org domain. This isn’t an official domain that’s used, but we do have a redirect in place for it.

Currently the list of SSLSSL Secure Socket Layer - Encryption from the server to the browser and back. Prevents prying eyes from seeing what you are sending between your browser and the server.-enabled subdomains is rather small compared to the *.wordpress.org domains.

Can we expand the list of subdomains SSL is supported on, at least to the non-locale-site domains used by contributors?

wp.org www.wp.org developer.wp.org events.wp.org make.wp.org learn.wp.org login.wp.org profiles.wp.org sv.wp.org translate.wp.org schemas.wp.org

I do note that sv.wp.org is included in the current SSL cert, I’m unsure why that domain was specifically included, I don’t personally think it’s worth listing all rosetta subdomains, as we’d have to constantly update the list, so I haven’t included those above. Similarly, I don’t think it’s worth enabling wildcard support for this domain at this time due to the LE integration limitations at present.

ref: https://meta.trac.wordpress.org/ticket/7526

cc @flexseth

#prio3 #ssl

Update Git author script

During the svn => git sync process we rewrite the author using a bash script that fetches the user details. This is get-author.sh in the git home directory on svn servers.

Due to character sets, it appears that non-latin names are being corrupted.
For example:

$ git clone git://develop.git.wordpress.org/
$ cd develop.git.wordpress.org
$ git show f047b94d71e780cbd7595047f28a644955d35fff | head -n3
commit f047b94d71e780cbd7595047f28a644955d35fff
Author: Greg Ziółkowski <gziolo@git.wordpress.org>
Date:   Fri Apr 21 10:41:58 2023 +0000

Greg Ziółkowski should be Greg Ziółkowski as shown on his profile.

The SQL used for this is CONCAT(display_name, '|', user_nicename). I can’t test it as I don’t have mysqlMySQL MySQL is a relational database management system. A database is a structured collection of data where content, configuration and other options are stored. https://www.mysql.com/. tools on my sandbox, but I suspect either

  • Character sets need to be specified on the mysql command, I suspect either --default-character-set=latin1 or --default-character-set=utf8mb4 would work.
  • The above concat should do some character-set conversions; I think CONCAT( CONVERT( CAST( CONVERT( display_name USING latin1) AS BINARY) USING utf8), ‘|', user_nicename) would work.

To duplicate it, you should be able to run this on the svn host:
get-author.sh gziolo

Note: You can likely remove the 2015-era logging/debugging from the file at the same time, I don’t recall the outcomes of that, but I suspect it was long fixed.. Review the logs I guess!

Let me know if you’d like me to test or debug anything.

cc @dmsnell @gziolo (Apologies for the months long delay!)
#prio3 #git #svn

Redirect gutenberg.run

Currently gutenberg.run is hosted by a DigitalOcean instance that we’d like to shut down.

Can we please have that domain setup as a redirect to https://playground.wordpress.net/gutenberg.html?

Thanks in advance!

cc @adamziel
#gutenberg-run #playground #redirect #prio3

Delete 6.6 git branches

Today r57779-core accidentally created branches/6.6 when the intention was to create branches/6.5, this has been cleaned up in develop.svn and core.svn, but that doesn’t sync through to develop.git & core.git.

Thankfully it appears that the git sync has continued to operate without issues.

Could the following branch please be deleted from the git mirrors?

$ git remote -v
origin  git://develop.git.wordpress.org/ (fetch)
$ git branch -r | grep 6.6
  origin/6.6

$ git remote -v
origin  git://core.git.wordpress.org/ (fetch)
$ git branch -r | grep 6.6
  origin/6.6

The branch on Github should automatically be removed when it’s removed from the source repo.

FYI @davidbaumwald

#git #core #prio2

IPv6 Support

WordPress is deployedDeploy Launching code from a local development environment to the production web server, so that it's available to visitors. in a large number of environments; and increasingly this is leading to WordPress being used within IPv6-only deployments, where there exists no form of IPv4/dual-stack/IPv64 gateway.

It’s no secret that hosts should realistically provide a 6to4 gateway, or NAT64 / DNS64 service when supplying IPv6-only hosts, but due to the extra burden that supporting both IPv6 and IPv4 places upon them, they’re often (especially in low-cost/low-end VPS markets) choosing against this, and placing the burden upon other hosting infrastructure (WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/) instead.

This is leading to an increase in the number of end-user requests along the lines of “Why doesn’t WordPress just work” and “Get with the times”, which while unhelpful, are a valid segment of the WordPress users.

WordPress is not alone in the list of applications installed in hosting environments which doesn’t natively support IPv6, but we’re also not important enough to many of the use-cases for those services (Who often explicitly state, that it’s not viable to be used as a production hosting environment) to cause them to implement basic network functionality to support us.

Current state of IPv6 on WordPress.org:

  • ✅ WordPress.org CDN supports IPv6 (s.w.org)
  • ❌ WordPress APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. & Downloads are available over IPv6
  • ❌ WordPress.org website is available over IPv6

Meta ticket for reference: https://meta.trac.wordpress.org/ticket/3090

This isn’t a ticket requesting IPv6 support; but rather, a discussion point over when IPv6 support may be able to be offered, and any limitations in the WordPress.org infrastructure that currently limits us in providing that.

#prio3 #ipv6

Update plugins.trac templates.

Similar to https://make.wordpress.org/systems/2023/02/06/update-plugins-trac-templates/ can we please have svnup-meta-checkouts.sh run on svn2?

Could we also consider adding it to a cron task that runs daily on svn2? (svn1 does not need this)

On svn1 it runs whenever a change to the paths it checks out is modified.

#trac #svn #prio3

ImageMagick for Photo Directory?

https://meta.trac.wordpress.org/ticket/7460 has asked:

Would it be possible to use ImageMagick for the Photo Directory to better preserve the original colors in the submitted photos?

Is it possible to enable ImageMagick on WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/? Any systems reasons why it shouldn’t be?

#prio3 #photos #imagemagick

CORS requests for api.wordpress.org

Most of the WordPress.orgWordPress.org The community site where WordPress code is created and shared by the users. This is where you can download the source code for WordPress core, plugins and themes as well as the central location for community conversations and organization. https://wordpress.org/ APIAPI An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. endpoints accept CORS requests, but nginxNGINX NGINX is open source software for web serving, reverse proxying, caching, load balancing, media streaming, and more. It started out as a web server designed for maximum performance and stability. In addition to its HTTP server capabilities, NGINX can also function as a proxy server for email (IMAP, POP3, and SMTP) and a reverse proxy and load balancer for HTTP, TCP, and UDP servers. https://www.nginx.com/. isn’t forwarding OPTIONS requests to these endpoints, when nginx considers it a “static” resource (ie. / and not /index.php)

$ curl -IsX OPTIONS https://api.wordpress.org/core/version-check/1.7/ | grep -Ei '^(HTTP|Access)'
HTTP/1.1 405 Not Allowed

$ curl -IsX OPTIONS https://api.wordpress.org/core/version-check/1.7/index.php | grep -Ei '^(HTTP|Access)'
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *

This is causing problems for playground when making requests that include custom headers, as a preflight request needs to be made.

Would it be possible to redirect OPTIONS on “static” URIs to PHPPHP PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. http://php.net/manual/en/intro-whatis.php.? Looks like error_page 405 =200 $uri; would do it.

Thanks!

#prio3 #playground #cors