Minutes of the SIPB Meeting of 2025-10-20

The meeting was called to order at 19:30 by $psvenk.

In attendance were
Student keyholders: psvenk, dtemkin, turino14, innaavo, anhad, skylarh
Associate keyholders: almonds, scj643, rgabriel
Members: kawcco, bzelnick, smith141, kshitij.ark, ryanruiz, guoj1112
Guests: hursh.ark

Administrivia:
[talk about how windows sucks]
psvenk: I would like to nominate bzelnick for keyholdership.
turino14: Seconded.
bzelnick: I accept.
psvenk: Any other administrivia?
scj643: I would like to allocate $900 for Yubikeys and YubiHSM.
psvenk: I'll second that.
innaavo: Is the Vault project getting off the ground? Are there weekly meetings planned?
scj643: I sent an email for interest, and updated the email today. I want to get this allocation through before the end of the month.
psvenk: Has anyone responded to the email?
scj643: Two people responded, one was a keyholder, I'm not sure about the other, but Vault should be restricted to keyholders.
psvenk: You can access the list of keyholders ("members") and other members ("prospectives") in AFS, in the file /afs/sipb/admin/members/members_and_prospectives
anhad: Do you mind explaining what SIPB Vault is?
scj643: This is a project that was proposed a while ago that never took off; now I have more time for it. It is autorotating credentials, [plus more].
turino14: Do you already have the specific HSM?
scj643: It's the YubiHSM, it's the cheapest while still being usable.
scj643: So we get $100 off if we spend $1000, we're getting two free Yubikeys out of this basically.
innaavo: We should prioritize figuring out the use case before we spend the money.
scj643: Well, the HSM is required for this, otherwise there will be a lot of downtime. You will only need to keep track of recovery keys.
innaavo: Is an update going to be required soon?
scj643: An update is when OpenBao requires an update; if we do not have an HSM we will have to manually update unseal instead of auto update.
psvenk: On a day to day, what is the use case?
scj643: Database credentials; if you need to share API keys it will manage it.
psvenk: It will do this integrated with Athena?
scj643: You can sign in with Kerberos and OIDC. With Vault you have it rotate the database credentials for you.
psvenk: When you say ACL we don't mean AFS, we mean one tied to Vault?
scj643: We could potentially have it tied to AFS ACLs as well.
psvenk: And that would be additional code we would write to support. So it is mainly for database credentials and authentication.
psvenk: What would the level of friction be? Everyone would need to use the Yubikey?
scj643: No, they use a Kerberos login and they can get their credentials from there.
psvenk: And this works through command line?
scj643: Web interface and command line. Yubikeys are needed only for recovery.
psvenk: I'm trying to see how this fits into different projects.
scj643: And there are integrations with existing software that can use HashiCorp Vault credentials to sign into Vault. I use this at home.
scj643: The HSM itself costs $650.
psvenk: I'm worried about the cost-benefit here.
scj643: Well, if we run it without the HSM, if there is any update or power outage, we will have to gather people and that means downtime.
psvenk: Compared to the status quo, how is the experience of an average SIPB member going to be improved?
scj643: The average user just needs to grab credentials and use them. I can do a demonstration right now.
bzelnick: Would the HSM be attached to the server always?
scj643: Yes, and Yubikeys are used to unlock the HSM.
bzelnick: But the Yubikeys are not needed unless disaster recovery?
scj643: Yes.
dtemkin: How close is the project to deployment?
scj643: Right now, I need to set up the HSM in a test environment, likely boss-baby, and then get a server for the Vault project.
[demo ensues]
psvenk: This is very interesting, but the main thing is the motivating use case. If you could prepare a writeup, it does not have to be too long, e.g. these projects are doing these things and would be improved in these ways. It's not just about the allocation, it's about getting more people involved. I don't mean this in the way of throwing stones from a glass house; many projects have low bus factors. I think it is good to have these things written down.
innaavo: What's the bus factor mean?
almonds: So like how AWS's us-east-1 went down, which made like a third of the internet go down, so the internet was a low bus number.
psvenk: The bus factor of a project/system is the number of people that have to be hit by a bus for it to stop working. For example: Hydrant has a bus factor of two; if dtemkin and I get hit by a bus then we are cooked, but if one of us gets hit by a bus, we are okay.
dtemkin: The examples on the Wikipedia page are hilarious.
psvenk: If you do not bring it up, there may not be a succession plan, bad things could happen.
scj643: Vault would have well documented processes.
psvenk: One week from now it will still be October; we would just like more specifics on how it would work.
asahteck: I'm an alum and it's nice to see membership is back up since the COVID lockdown! Sorry the Minecraft server is defunct <3
scj643: How would people feel if we allocate for just the HSM and have IS&T allocate for the HSM?
dtemkin: Could you make a general budget for the semester, how much we should allocate vs events and things?
innaavo: I had a presentation, I could pull up what we did. I want to say it was 60% on hardware. I think aiming for a little over 50% on hardware is reasonable.
almonds: Do we need to set up tax exemption with the company for a week from now?
innaavo: scj643, is it just a form?
scj643: Yes.
scj643: For now we could just use the HSM for a dev environment before we roll it out, and we could use any server for this.
scj643: We also don't have a production-ready server for this project. We need a system that needs dual power supply.
dtemkin: We need a proposal with everything.
psvenk: I think a good action plan is coordinating tax exemption, and a week from today we have the use cases of Vault, how it will integrate with existing projects, and an itemized list. Ideally all projects should do this, but I think it's especially critical for a project with this much scope.
psvenk: Any other administrivia?

Project Reports:
scj643: Vault continues.
dtemkin: Hydrant continues. We met with PE&W and they're willing to give PE schedules to Hydrant (but they're still working out the logistics and getting it approved by the right people). Expect PE schedules on Hydrant eventually.
psvenk: Shoutout to Michele McCauley from PE&W!
turino14: HWOps continues.
almonds: LLMs continues. The LLMs keep going on the CPU instead of GPU, I don't know why.
bzelnick: Discord continues. Discord does do database access and deals with a number of secrets since it is interacting with the Discord API, MongoDB (SIPBGo), etc. Perhaps Vault would be helpful for that? Another thing is that occasionally the MongoDB/SIPBGo TLS certificate will expire; I don't know if Vault would perhaps be able to help with certificate management for MongoDB, but I think that's a question for suufi.
scj643: It wouldn't help, I think, unless we are using self-signed certificates. Vault does not have a plugin for MongoDB credential management.
almonds: Talk to suufi.
nmorgan: ARK continues. We have a working memory module; we're working on hosting the memory files in a centralized database and passing in user_ids to improve scalability. Development for MCP integration began this week. YC IAP Grant responded, we did not get the 5K but we did get 1:1 office hours and credits. Figuring out what that means, but we're pretty happy.
nmorgan: ARK has about 3 members outside of MIT. I found it hard to PM things individually, but we requested a Slack account from IS&T to have a Slack under MIT.
almonds: Who are the 3 individuals?
nmorgan: Jack from Georgia Tech, ilya, kshitij.ark

Other:
kshitij.ark: I noticed the chicken noodle ramen expired in September.
psvenk: If you want to eat expired noodles you may; SIPB is not responsible for any injury or death in completion of this activity.
guoj1112: AWS was down.
psvenk: Canvas was down.
guoj1112: Canvas is back up.
bzelnick: How much do we rely on external cloud services?
almonds: For MIT generally, unfortunately, a lot.
bzelnick: For SIPB?
psvenk: For SIPB, not a lot; we try to do most things self-hosted or IS&T hosted, like Confluence.
almonds: IS&T hosted an IT Partners coffee chat last week. Was fun! Cool seeing how different organizations and people all work in IT at MIT in different ways.
psvenk: dtemkin and I were also there, but we couldn't say hi to you because you were deep in conversation.
[talking about Sloanies because they had a conversation with one]

Other Other:
kawcco: So AWS has a white-label video conferencing service called Chime. So MIT Health uses Chime; guess what happened when I tried to attend my therapy session today. We were having so many issues.
rgabriel [chat]: MIT Health uses Chime???? bruh
rgabriel [chat]: Chime is being replaced with Zoom at Amazon so this is definitely accelerating the transition. And I think it's also being phased out in general, so MIT Health will have to find a replacement.
rgabriel [chat]: We could tell them about our Jitsi.
[talk about how we wou]
dtemkin: We could configure HIPAA to be Jitsi compliant.
psvenk: Also, who uses Chime? Even AWS is phasing it out to use Zoom instead.
kawcco: She had to call me over the phone. Studying for the 18.701 midterm today was a bit stressful.
bzelnick: I think we should have a moment of silence for all the AWS engineers who had to wake up at 01:00 to work on this.
almonds: And for all the AI bots that replaced some of them?
dtemkin: So what actually happened, someone in Tyson [] up?
[discussion on Northern Virginia]
innaavo: It was a DNS problem.
scj643: Apparently Minecraft can cause a kernel lock-up, if you use Spark as a profiler.
bzelnick: I think that Spark is built into a lot of Minecraft servers, which isn't good.
almonds: 7 million people did Things on Saturday. It would be cool if 7 million people did Things every day, then maybe Something would Happen. But just spread kindness at the local level, and it should bubble up.
psvenk: When I was in high school I was still in my closeted (or more accurately, egg) Linux user era. I was telling myself I like Windows but only older versions of Windows. I bought Windows 7 for $40. I cared about these things, I wanted it legally. I got the boxed copy. And it didn't recognize my keyboard or mouse as the chipset was too new. So then I downloaded Windows 10 using the Windows 7 product key.

The meeting was adjourned at 20:17.

Minutes taken and submitted by $nmorgan.