Server Deployments: Week 23
“We had a rather ‘exciting’ week in server updates,” Maestro Linden announced, kicking off the Server Beta meeting on Thursday June 5th. “Or rather, exciting day, yesterday.”
Things started well enough, following the planned deployment schedule, namely:
- There was no main channel deployment on Tuesday June 3rd
- On Wednesday June 4th:
  - BlueSteel remained on the AIS v3 inventory update project
  - Magnum initially received updates to the Experience Tools project
  - LeTigre initially received simulator updates for the Group Bans project.
GnuTLS Issue and Update
Following the deployments to the RC channels on Wednesday June 4th, it was discovered that the version of a library used by the simulators had a potential security issue. This issue lay in GnuTLS, a secure communications library implementing the SSL, TLS and DTLS protocols and the technologies around them. Maestro explained the situation thus:
The concern was that a 3rd party site could trigger the issue, which could be triggered by a LSL script doing llHTTPRequest() to an HTTPS URL. To keep things slightly more sane, we took the current version of the server code on the main channel, and rebuilt it with the newer version of GnuTLS.
After testing the new build on Aditi, it was deployed to all channels on the main grid, starting at 17:00 SLT on Wednesday June 4th and running through until 01:30 SLT on Thursday June 5th. As this build was functionally identical to the Main channel build, but with the GnuTLS update, the Experience Tools and Group Ban updates deployed to Magnum and LeTigre were overwritten.
As Aditi also had vulnerable server versions, log-ins to the beta grid were suspended for part of the time, as updates were deployed there as well.
While the issue has been resolved, it will have an impact on server updates, inasmuch as it is now anticipated that the scheduled deployments this week will be re-deployed in week 24 (week commencing Monday June 9th).
This problem was not connected to the unscheduled maintenance which also took place on Thursday June 5th.
LSL Functions for Materials
Maestro also reported that it is believed that the LSL support for materials is now functionally complete. There is still currently no throttle in place against the risk of the capabilities being abused, and thought is still being given as to what any such throttle might be. “I just barely got to finding out what bad stuff happens without one,” Maestro said in answer to a question on this very point. Simon Linden then added:
I think that if we do a throttle, it will only be to handle quite extreme cases. We haven’t figured out the best way to throttle it … because we haven’t really seen a problem yet, but I think most of them fail silently now. So we’re likely to do something similar.
One thing the Lab will do with regard to any throttle imposed is to set it so that it cannot be avoided by adding more scripts to the offending objects, which then generate changes to the maps being displayed without individually breaking any imposed limits.
Aditi Log-in Issue / Inventory Update Issue
As reported in week 15, the script which should synchronise people’s passwords and inventories between Agni (the main grid) and Aditi (the beta grid) has not been functioning correctly (see BUG-5563), with the result that password updates and inventory syncing between the Agni and Aditi grids have not been occurring properly.
During the Server Beta meeting on Thursday May 29th, Maestro indicated that it had been thought Coyot Linden had identified and fixed the root cause of the problem, so that any password update would synch during the overnight run of the script (around 02:00 SLT). However, following that meeting it was found that inventory syncing was still not occurring following a password change.
A further investigation by Coyot revealed a further problem (unrelated to the first) preventing inventories between the two grids being synched, although passwords were. This additional issue has also now been fixed.