Re: a SIP or XMPP service for debian.org

[Daniel Pocock <daniel@pocock.com.au>]

Stephen Gran <sgran@debian.org> wrote:

>This one time, at band camp, Daniel Pocock said:
>> On 22/12/13 10:52, Martin Zobel-Helas wrote:
>> > On Sun Dec 22, 2013 at 10:44:08 +0100, Daniel Pocock wrote:
>> >>
>> >> I've started a wiki on this topic, it provides a detailed plan
>from
>> >> start to finish:
>> >>
>> >> https://wiki.debian.org/UnifiedCommunications/DebianDevelopers
>> >>
>> >> As one of the leading free software projects and given Debian's
>> >> particularly outspoken attitude that we do not rely on third party
>> >> "free" services there are compelling reasons to try and finally
>> >> implement this entirely using our own packages and infrastructure.
>> >>
>> >> * do people generally agree with it?
>> >>
>> >> * would the DSA team be willing to provide and support the
>underlying
>> >> infrastructure for this or have it on any existing servers?
>> > 
>> > zobel@kvasir ~ % ldapsearch -LLL -x -H ldap://db.debian.org -b
>ou=hosts,dc=debian,dc=org '(host=cilea)' purpose
>> > dn: host=cilea,ou=hosts,dc=debian,dc=org
>> > purpose: voip.debian.{net,org}
>> > zobel@kvasir ~ % 
>> > 
>> > For more details, please contact Phil Hands.
>> 
>> I've had some ongoing discussions with Phil but ultimately, like SMTP
>> for debian.org, these things would need to be formally accepted by
>DSA
>> at some point.
>
>Sure.  I think maybe this is turning into some sort of comic loop.  The
>understanding on the DSA side, as far as I'm aware, is that the VOIP
>setup on cilea is still a bit fragile and not ready for wider
>deployment.  If that's not the case, letting us know that it's ready
>for
>widespread adoption would be a good start.  If it is the case, I think
>we're expecting the people interested in VOIP for debian to make it
>ready for prime time before anything else happens.  If you/fil/whoever
>else is involved have a different deployment strategy, I think we'd
>like
>to hear about it.
>

I believe the solution on the wiki now is stable because it is duplicating my other deployments, e.g. lumicall (using SIP domain sip5060.net)

Another requirement for stability is TLS - will DSA be happy to deploy a debian.org certificate on that box or do you have dedicated boxes where you run things that have sensitive key material?

>> Amongst other things, Phil commented on the password situation but it
>is
>> ultimately up to the LDAP administrator to decide whether H(A1)
>hashed
>> passwords are supported and whether they can be accessed by these
>processes.
>
>I don't think we want to use regular LDAP bind, if we can help it.
>For some other things, we've introduced <service>Password (we have a
>sudo
>password field and so on).  Is it possible to do a similar thing for
>VOIP?

Probably - our processes will either need a copy of the hashed passwords or access to a RADIUS server with the SIP digest module enabled.  Please just tell me how you would like it done or point me to the relevant documentation link and I'll build the necessary config files for the processes.