Cache corruption issue

Something is causing the Credits API results cache to be corrupted – I’m assuming a job somewhere is triggering it, but I have no way to track it down.

Are you able to find out what is writing to the props-4.9 key in the core-credits-api cache group?

#prio2

Incorrect Return-Path on mail from wordcamp.org

The Return-Path is currently set to bounce@wp.com, which may be contributing to emails getting marked as spam for some recipients. Relevant headers from one such email:

Received-SPF: Neutral (zoho.com: xx.xxx.xx.xxx is neither permitted nor denied by domain of bounce@wp.com ) client-ip: xx.xxx.xx.xxx
Authentication-Results: mx.zohomail.com;
    spf=neutral (zoho.com: xx.xxx.xx.xxx is neither permitted nor denied by domain of wp.com) smtp.mailfrom=bounce@wp.com
Return-Path: <bounce@wp.com>
...
Date: Fri, 20 Oct 2017 12:20:46 +0000
From: WordPress <wordpress@wordcamp.org>
Reply-To: support@wordcamp.org

This same issue has come up before (1, 2), and it appears that the Return-Path was changed at that time, so perhaps it was somehow reverted at a later date?

cc @stankea

#prio2
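The check a mail administrator could run over the headers quoted in the post above, as an added example that is not part of the original post or of any WordPress.org tooling: it reads the receiver's SPF verdict from Authentication-Results and compares the envelope sender domain with the From domain. The names `check_envelope`, `org_domain` and `SAMPLE` are hypothetical, and the two-label domain cut is a stated simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post (the elided "..." line
# dropped), plus a placeholder Subject and body so it parses as a message.
SAMPLE = """\
Received-SPF: Neutral (zoho.com: xx.xxx.xx.xxx is neither permitted nor denied by domain of bounce@wp.com ) client-ip: xx.xxx.xx.xxx
Authentication-Results: mx.zohomail.com;
    spf=neutral (zoho.com: xx.xxx.xx.xxx is neither permitted nor denied by domain of wp.com) smtp.mailfrom=bounce@wp.com
Return-Path: <bounce@wp.com>
Date: Fri, 20 Oct 2017 12:20:46 +0000
From: WordPress <wordpress@wordcamp.org>
Reply-To: support@wordcamp.org
Subject: placeholder

placeholder body
"""


def org_domain(addr):
    """Domain part of an address, cut to its last two labels.
    Assumption: good enough here; a real check uses the Public Suffix List."""
    domain = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])


def check_envelope(raw):
    """Report the receiver's SPF verdict and envelope/From domain agreement."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth, re.I)
    mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", auth, re.I)
    # Prefer the sender the receiver evaluated; fall back to Return-Path.
    envelope = mailfrom.group(1) if mailfrom else msg.get("Return-Path", "")
    env_dom, from_dom = org_domain(envelope), org_domain(msg.get("From", ""))
    findings = []
    verdict = spf.group(1).lower() if spf else "none"
    if verdict != "pass":
        findings.append(f"SPF verdict is {verdict!r}, not 'pass'")
    if env_dom != from_dom:
        findings.append(f"envelope domain {env_dom} differs from From domain {from_dom}")
    return {"spf": verdict, "envelope_domain": env_dom,
            "from_domain": from_dom, "findings": findings}


if __name__ == "__main__":
    for line in check_envelope(SAMPLE)["findings"]:
        print("finding:", line)
```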

Hi, can you please set up…

Hi, can you please set up proxy access for @casiepa? As a polyglots mentor he’ll be helping out with managing rosetta sites and will need access to the global.WordPress.org network.

His public key is:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCvMct8ARk0CEftQLiMZETj2Ndsk6Ns7sFaq6iLGybf2hFXNRY9rHSeZIACzlBoFm7UwKp9FCBbYW/ead4xVV3XaX20UeF2JB5TtlJ7mdQK9Rdd0NQq60EL5pNmPHKbOf2gHuULovuU/CzzUw/MGUxk8HIpRa+x9WdXsDjmsMF7Y5x/a4w4nypvojKh1YTT7VfH8s9c7buy5S0G8VZr+e/wqPKwl5BoSTuxGPxk5vsFYzJ7gSVkUGNMU62h/MP6c5QeP4KqzdhdsVOe04HWGrC37IkFRblUnHieYWoK9EIKUCkQwqXMOOlrID0Ll8JcbuN0E3LsUGLjb8+5fhBXECshl7nIfhbSL+1zhrEoibDH1Nvcxe96Xaj4OqObh4AZIS4aQNumtMZV56D5bpFzs47QXa3dzml8Nv6eEChUcZMzm0duxV1wteNeteSTgNkrFRoaqBUsb/n35iwgQZ0l7ulzjB79ZCz1ufp9HUQn1F0JGDjasyPupJzBBurhROcb1PNc5+nBB1UGQsSdWkUSTavLpgyZBPN4O8s05FxOduYcBxcZrl78eQECHVDE3vHlOMxCZO26L8FsAfVRCopCEDAyHlnqSvtYbjmZvq7ynE9dy+ABfFYQxhp1zJMo8dXPEuzsckzaViTOyaTr13paWEP3QRJJPlpjL0emsB/oVZ0i4Q== pascal.casier@gmail.com

Thanks!

#prio2

Hi, can you please set up…

Hi, can you please set up proxy access for @coachbirgit? As a polyglots mentor she’ll be helping out with managing rosetta sites and will need access to the global.WordPress.org network.

Her public key is:


Thanks!

#prio2

Update Apache on lists.wordpress.org

A report came in via HackerOne informing us that lists.wordpress.org is running a version of the Apache web server which contains several known vulnerabilities. It should be updated to the latest in either the 2.2.x or 2.4.x branch.

#prio3

CAA for wordpress.org

A report came in via HackerOne recommending that Certificate Authority Authorization be implemented for wordpress.org (and other W domains).

CAA allows a domain owner to restrict which CAs are allowed to issue certificates for the domain. It’s been useless until quite recently: the CAB Forum recently voted to enforce CAA checks for all new certificates starting next month, so it’s definitely a useful measure to implement.

More info: https://scotthelme.co.uk/certificate-authority-authorization/

#prio3

Could you please make a…

Could you please make a w.org sandbox for @sergeybiryukov? Here’s his public key:


#prio2

Could you please make a…

Could you please make a w.org sandbox for @danielbachhuber? Here’s his public key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDclohmuQz4fP5vdGvHQIZosAOy/CuQctD9GEGXsHVXFTN0ROpcQLRW8P789xtvDBX3u/SlxP1KpodkccY45PvcvKRzttH9lt9TcDjQd38pNYMRFeguU5k8tP54mUG4rkqoEo4KkH43qCr77qcSiLxcjpTSwsrRNhPlhEHRxy5a5qSnv0LzluDWS2gaacBskRArf0vGFyDPPSUSFgsDM9+FgYLHwI7/fSaHYuxvqpHYBz17m2h3Zi2hcc3IdVEFQi84mNIECs6k40+UihmKR43eCnOc9qkZOo0Rs5dbAi+g9v9e20ODHyfMIg4lvv0zwW//LpZvrv0m4ZCD/fgfhtS9 d@danielbachhuber.com

https://meta.trac.wordpress.org/ticket/3045

Update Trac to 1.0.16

There are a bunch of useful bits in more recent Trac 1.0 releases that we could use.

Also, the TracXMLRPC plugin had some compatibility issues with Trac 1.0; they were fixed in version 1.1.3, but there were also a handful of bug fixes in later versions, so upgrading that to 1.1.6 would be nice.


HSTS on wordpress.tv

Per a hackerone.com report, we need to get HSTS set up on wordpress.tv. The alternative is setting the secure-only flag for the auth cookies.

#prio2