[12:50] <_ion> Already over 200 downloads of the default wallpaper debs with the warning about untrusted repositories.
[12:50] <Hobbsee> hehe, nice
[12:50] <_ion> http://johan.kiviniemi.name/tmp/wallpaper-dl-count
[12:50] <Hobbsee> i still think you should have changed their repos back at the same time
[12:51] <Hobbsee> or just installed some crack on their machines
[12:51] <Hobbsee> haha, nice pic
[12:51] <Hobbsee> _ion: s/may/will/g
[12:52] <Fujitsu> _ion: It replaces the Edgy wallpaper package?
[12:52] <Hobbsee> _ion: but what happens if they're not using the default?
[12:52] <_ion> I don't want to do any harm (or anything that could even remotely be considered as harmful) to their systems, just warn them.
[12:52] <_ion> hobbsee: Then they won't see it, unfortunately.
[12:52] <Hobbsee> _ion: can you force it that they will?
[12:53] <Fujitsu> It'd be nice to do that to GDM, but it's not too easy to make GDM themes.
[12:53] <_ion> Some horrible kluge that changes users' wallpaper gconf settings in postinst has passed my mind, but i don't know...
[12:53] <Hobbsee> _ion: i suppose you could always remove the file where it says what the default desktop is
[12:53] <Hobbsee> sounds sane to me
[12:53] <Fujitsu> A usplash!
[12:54] <Hobbsee> _ion: also, you probably want a link to why unofficial repos are bad, and how to fix them
[12:54] <Hobbsee> Fujitsu: it's too quick
[12:54] <Fujitsu> True.
[12:54] <Hobbsee> _ion: if it's a desktop background, they'll get the message - but you do want a link as to why they're bad
[12:54] <Hobbsee> seeing as these users don't seem to know any better
[12:56] <_ion> I'm quite tired currently, i don't feel like gimping, but if someone else makes a nice replacement picture, i'll package it.
[12:57] <Hobbsee> _ion: however, yours does look really cool :)
[12:57] <geser> _ion: have you checked if you can overwrite the users' wallpapers by setting a mandatory gconf key?
[12:58] <_ion> geser: Hm, nope. I'll look into that.
[12:58] <Hobbsee> geser: that's a question of morality
[12:58] <Hobbsee> _ion: something tells me that would scare a user enough to revert
[12:59] <_ion> There's the problem that just reverting their sources.list doesn't revert any harm that's done. The next distribution upgrade *will* break.
[01:00] <Hobbsee> _ion: that is a point.  how is mvo going to deal with that with the upgrader?
[01:00] <lifeless> force
[01:00] <lifeless> so the user has two options
[01:00] <Hobbsee> _ion: that being said, the less updates gotten thru there the better - ie, the less damage.  less crap to fix
[01:00] <lifeless> a) uninstall things until the upgrade can work
[01:00] <Hobbsee> hey BenC 
[01:01] <Hobbsee> lifeless: they can force that?
[01:01] <BenC> hey
[01:01] <Hobbsee> b) let the upgrader do it for them
[01:01] <lifeless> b) tell the upgrader to do its best.
[01:01] <Hobbsee> i wouldn't trust a user to actually get all of their crap uninstalled
[01:01] <Hobbsee> i would be of the opinion that the installer had to do it itself
[01:02] <geser> Hobbsee: of course it's a question of morality. but if you want to do it it's imho better to set a mandatory key instead of changing the users settings
[01:02] <Hobbsee> geser: whichever works
[01:02] <lifeless> users will hurt us if we lose their settings
[01:02] <jdub> "if you want to fix this, remove BLAH package"
[01:02] <lifeless> extremely bad idea to overwrite one of their settings.
[01:03] <jdub> ^ easy way to handle it if doing it via mandatory settings
[01:03] <jdub> whereas you have no recourse if you overwrite (even relatively unimportant) user settings
[01:04] <Hobbsee> true
[01:04] <_ion> lifeless: Not "we" as in Ubuntu, but a package somewhere in a kilometer-long list of unofficial repositories dumped to their sources.list because some random Italian guy said so in his blog.
[01:04] <Hobbsee> however, _ion's stuff isn't official, so not really bound by the same constraints
[01:04] <lifeless> anyhow, it's quite straightforward for the upgrader to roll back everything they had installed extra, upgrade, and then try to install their things again
[01:04] <lifeless> _ion: I know that
[01:05] <Fujitsu> _ion: You can easily set a mandatory gconf key to dictate wallpaper.
[01:05] <_ion> fujitsu: Yeah, i already looked how it's done.
[01:05] <Fujitsu> _ion: Great!
[01:05] <_ion> Still unsure whether i should actually do that.
[01:05] <Hobbsee> you could always just replace upstart by something that won't boot.  or just take out gdm.  but that would be truly evil
[01:05] <Fujitsu> _ion: It's not going to damage anything... Have it reverted in the prerm or something.
[02:09] <_ion> hobbsee, fujitsu etc: Comments? http://johan.kiviniemi.name/tmp/untrusted_repositories
[02:09] <Hobbsee> _ion: stick a link as to why?
[02:10] <_ion> I added some additional text to the image.
[02:11] <Hobbsee> yes, i thought you had.  right now, i can't see what it is though
[02:11] <_ion> I guess the image you see comes from your browser's cache. Please reload.
[02:12] <Hobbsee> oh yeah :P
[02:12] <Hobbsee> very nice :)
[02:12] <Hobbsee> only thing possibly missing is a list of proper repos?
[02:12] <Hobbsee> well, a link to one?
[02:12] <Hobbsee> maybe
[02:13] <_ion> They'll probably need to ask a more tech-savvy friend of theirs to help anyway.
[02:14] <Hobbsee> true
[02:14] <Hobbsee> there's a point
[02:15] <Hobbsee> _ion: i wonder if there's a way to detect how many people have fixed their systems
[02:15] <Hobbsee> so you could see if it was working
[02:15] <_ion> I could calculate the number of hosts that "apt-get update" my repository per day.
[02:16] <_ion> It should be, well, near zero. The last time i checked it was about 700. :-)
[02:16] <Hobbsee> :)
[04:14] <niksoron> hi. i'm hacking /usr/share/hal/scripts/hal-system-power-suspend. is this the right way to do suspend to disk from the command line?
[04:25] <jdong> FORCE=true /etc/acpi/sleep.sh
[04:26] <mjg59> /etc/acpi/sleep.sh force
[04:26] <mjg59> Should work too
[04:29] <niksoron> mjg59, jdong, cool. thanks
[12:22] <pygi> sivang: ping?
[01:27] <shawarma> Where do I find the source for d-i?
[01:28] <Burgundavia> apt-get source
[01:29] <Burgundavia> shawarma: or upstream cvs
[01:29] <bhale> hi Burgundavia 
[01:29] <Burgundavia> hey bhale
[01:29] <shawarma> Burgundavia: Oh, there's a debian-installer package? Doh.. I didn't even check that.
[01:29] <shawarma> Burgundavia: thanks.
[01:30] <hyakuhei> hi all, where can I grab the docs for devel, Man 3 "The linux programmers manual" being most pressing?
[01:31] <bhale> hyakuhei: manpages-dev most likely
[01:32] <shawarma> Burgundavia: Actually, I'm looking for the particular script that sets up the initial user. Do you happen to know which script that would be?
[01:32] <hyakuhei> bhale: thanks muchly
[01:34] <Burgundavia> shawarma: look at the package user-setup
[01:34] <shawarma> Burgundavia: Yeah, I just stumbled upon that one as well. Thanks.
[03:11] <bddebian> Heya
[07:10] <_ion> Sigh. Any of the people who dumped that list of 50 random repositories to their sources.list don't seem to acknowledge the point of the warning message in the changed wallpaper, instead they're crying "zomg u hax my computar".
[07:11] <_ion> http://ubuntuforums.org/showthread.php?t=297814&page=4
[07:18] <minghua> _ion: people will always find things to complain
[07:18] <minghua> if you think you are doing the right thing, keep it going and ignore them
[07:19] <minghua> _ion: I for one strongly support your "raise-the-awareness-of-potential-harm-of-unofficial-repositories" campaign
[07:21] <_ion> Anyway, i didn't push anything to their computers, instead they decided to pull packages from my website, then declare they trust my PGP key, and install the packages. :-)
[07:21] <_ion> I never asked for that.
[07:33] <pygi> hey ogra 
[07:33] <ogra> yo
[07:33] <pygi> how are you ?
[07:37] <ogra> so so ...
[07:38] <pygi> uh, that doesn't sound too good :-/
[09:17] <_ion> "whoever operates that repository should be blacklisted by the Ubuntu community" :-D
[09:17] <_ion> Wtf is blacklisting by the Ubuntu community? :-)
[09:18] <minghua> draft an "enemy of the community" list and put your name on it :-P
[09:18] <cjwatson> I commented on that thread trying to correct a false analogy
[09:19] <_ion> Yep, thanks for commenting.
[09:26] <minghua> which proves a point by its own
[09:26] <pygi> minghua, url,lol? 
[09:27] <minghua> http://ubuntuforums.org/showthread.php?t=297814
[09:32] <_ion> One point is that my repository is behind my home ADSL. It had like five users or so, until suddenly hundreds of computers started using it. :-)
[09:32] <_MMA_> " And yes, it's coming from trevino's list for sure." http://ubuntuforums.org/showpost.php?p=1746779&postcount=15
[09:33] <minghua> _ion: did you change it to lock down the "change desktop background" gconf entry as well?
[09:33] <_ion> minghua: Yep. It removes it in postrm, so after cleaning sources.list they just need to apt-get install edgy-wallpapers/edgy and it's gone without a trace.
[09:33] <_ion> prerm even
[09:34] <pygi> minghua, dude is formatting drive!!!
[09:34] <minghua> _ion: very cool.  I may ask you for this package one day, so that I can put it in my experimental repo :-)
[09:34] <minghua> pygi: yeah, I've just read that too
[09:35] <minghua> I wonder if he is going to add that sources.list again after the reinstall
[09:35] <pygi> and what exactly is that repo advertising that it contains?
[09:37] <_MMA_> As a community should we be doing this? Is this the way to act? I think the wall is funny but to let the guy format his drive instead of telling him how to fix it is wrong.
[09:38] <_ion> Actually the text in the warning tells what he should do. That's the whole point.
[09:40] <_MMA_> "Review your sources.list"? Is that what you're referencing?
[09:40] <minghua> he said himself that his /etc/sudoers and /etc/fstab are changed after he upgraded with that sources.list
[09:41] <minghua> I honestly think a reinstall does him more good than bad
[09:41] <_ion> minghua: Yes, other repositories in the trevio list are screwing his system.
[09:41] <cjwatson> _MMA_: as a community, we should not be DOSing an innocent developer's home ADSL line because somebody thought it might be a good idea and couldn't be bothered to check
[09:41] <_ion> *Actually* screwing instead of just changing the wallpaper.
[09:41] <cjwatson> I mean, seriously, common civility ...
[09:41] <_ion> He also said "my edgy is used by me as a tinker toy [...]  I have Dapper as my standard fall back for ubuntu when things go south"
[09:43] <_MMA_> cjwatson: I agree. I just think it's a little much. It's not the "community" message I got at UDS/MV.
[09:43] <cjwatson> there also may not be a particularly straightforward fix that doesn't involve installation. Our package management system has never smoothly supported downgrades, particularly not from unofficial package
[09:43] <cjwatson> s/installation/reinstallation/
[09:44] <cjwatson> and if something else is pissing around with /etc/sudoers, then _ion's wallpaper may well be a timely warning
[09:44] <cjwatson> a downgrade would certainly not undo that; somebody would need to figure out exactly what was done to the system and work out how to revert it all by hand
[09:45] <cjwatson> if somebody wants to work that out, that would be good, but it's a fairly big task
[09:46] <cjwatson> really, we need to make it easier to install just certain packages from given repositories
[09:46] <cjwatson> you can do it with /etc/apt/preferences, but few actually do
[09:47] <pygi> cjwatson, because few know about it
[09:47] <cjwatson> I wonder if something like 'deb http://foo.example/bar unstable main [beryl compiz] ' would be more likely to cause people to use it
[09:47] <cjwatson> pygi: it's also a hideously complicated syntax
[09:47] <pygi> cjwatson, indeed
[09:47] <_ion> I would appreciate it if that thought about sudoers was mentioned in the forum thread by someone with the "Ubuntu Developer" title for authority. :-)
[09:48] <wasabi> Largely I think this is a matter of training on the part of third party repos.
[09:48] <wasabi> They shouldn't distribute software that is already in the main repository. That would be silly.
[09:49] <wasabi> A lot of these third party repos are people's personal thingies where they drop whatever they want for themselves.
[09:49] <wasabi> They probably shouldn't advertise those as stable sources for third party products.
[09:49] <_ion> wasabi: Many of the users of that sources.list seem to be using exactly for newer versions of packages already in Ubuntu: "All I'm saying is that if you want to attract people that know how to get around in Windows (what you might call the power users) and get them to try Linux, one thing you absolute cannot expect them to do is sit on their hands and watch new version of software be released, only to be told they can't install them because ...
[09:50] <_ion> ... they aren't yet in the official repositories blessed by whatever royal priesthood controls the repositories for that distribution. Maybe people in some nations might put up with that (the folks used to living under totalitarian governments) but I can guarantee you that folks from the USA and other freedom-loving countries are going to tell your royal priesthood to go screw themselves."
[09:50] <wasabi> Agreed. I fully agree.
[09:50] <_ion> (That quote is so wrong on so many levels :-).)
[09:50] <wasabi> But still, it is a matter of those third party repositories to not break shit.
[09:50] <Treenaks> they could just run the development version ;)
[09:51] <_ion> treenaks: Agreed.
[09:51] <pygi> Treenaks, nod:)
[09:51] <wasabi> If they want to distribute later versions of software, they should do so properly... provide a later version of the software, hopefully backported to run on earlier libraries when possible.
[09:51] <wasabi> Perhaps, if they are targeting a specific ubuntu release, package a separate install of the library.
[09:52] <cjwatson> wasabi: right, but a much easier way for people who distribute this sort of "big list of sources.list entries" to say "take these particular packages from these sources" would make breakage much less likely
[09:52] <wasabi> Yeah. Well, that is apt preferences. And it should work.  By the way, check this out:
[09:52] <wasabi> wiki.ubuntu.com/ThirdPartyApt
[09:52] <cjwatson> wasabi: and make the effects of malice less serious
[09:52] <wasabi> It can semi address this
[09:52] <wasabi> http://wiki.ubuntu.com/ThirdPartyApt
[09:52] <cjwatson> wasabi: I know about /etc/apt/preferences, but it's too complicated to actually get recommended in practice
[09:53] <imbrandon> cjwatson, ...... deb http://foo.example/bar unstable main [beryl compiz]  ......... that would help a ton imho
[09:53] <pygi> cjwatson, what about doing a frontend to it?
[09:53] <wasabi> A frontend should update apt preferences properly.
[09:53] <wasabi> No new syntax in sources.list needs to be introduced.
[09:53] <minghua> imbrandon: there is still the problem of dependencies
[09:54] <wasabi> It's a matter of priority. Only the package you want should be high, the rest should be very very low.
[09:54] <wasabi> Then deps will come from Ubuntu proper, unless they don't exist.
[09:54] <ttoine> hey men
[09:54] <cjwatson> wasabi: that is strictly true but in practice people continue to edit /etc/apt/sources.list directly despite the existence of frontends, and I think that will continue
[09:54] <wasabi> Of course. Those same people can edit /etc/apt/preferences. ;)
[09:54] <minghua> one thing I see that can be improved is to make it easier to create different-software-in-different-directories repo instead of flat one that most third-party repo is using now
[09:54] <imbrandon> and howtos will still tell them to also
[09:54] <cjwatson> but they don't, and I don't see that changing.
[09:55] <minghua> and teach third-party repo maintainers to use that layout
[09:55] <cjwatson> I do not see a reason to resist simplifying overcomplicated syntax
[09:55] <wasabi> Silly argument. We are assuming users are doing something unsupported (if we've provided a proper interface.) 
[09:55] <wasabi> At which point it becomes a "don't do that, silly" argument.
[09:56] <wasabi> We of course need to build awareness of the proper method.
[09:56] <imbrandon> brb
[09:56] <_ion> Oh well, i took down the wallpaper packages. The only people who "get it" already know better than to use trevio's list. The users of that list seem just to get aggressive. They'll probably continue using it anyway.
[09:56] <wasabi> Some nice chaps should volunteer to finish implementing ThirdPartyApt
[09:57] <cjwatson> wasabi: no, I don't think it's silly. Editing /etc/apt/sources.list is *not* an unsupported method.
[09:57] <wasabi> It is when you're adding third party repositories.
[09:57] <Treenaks> cjwatson: that depends on what you add
[09:58] <bhale> wasabi: when editing a config file with vi becomes unsupported i'll give up
[09:58] <wasabi> bhale: Unsupported to the extent that you have to edit it right.
[09:58] <cjwatson> the present syntax for adding third-party repositories in a safe manner is overcomplicated and should be simplified REGARDLESS of the existence of frontends, proposals such as ThirdPartyApt, etc.
[09:58] <Treenaks> cjwatson: I've had to "rescue" installs that broke.. because they had 2 versions of Ubuntu, 1 Debian and dozens(!) of third-party repositories in their sources.list
[09:58] <wasabi> And if you edit it wrong, we'll laugh at you.
[09:59] <cjwatson> Treenaks: and if it weren't so excessively complicated to limit third-party repositories to just a few packages then I'm prepared to bet that howtos would actually bother to recommend doing so
[09:59] <wasabi> Anyways, I fully think the problem goes away if somebody finished ThirdPartyApt.
[09:59] <cjwatson> wasabi: I doubt it
[09:59] <imbrandon> i don't agree wasabi
[09:59] <cjwatson> ThirdPartyApt is potentially neat but people will still recommend the lower-level interfaces
[09:59] <imbrandon> but anyhow i have to run, cjwatson exactly
[09:59] <ttoine> so everybody is at home ?
[09:59] <wasabi> Uh huh. And those low level interfaces are well defined.
[09:59] <cjwatson> and the existence of higher-level tools is never a valid argument for failing to fix the lower-level interfaces
[09:59] <wasabi> sources.list and apt_preferences
[10:00] <wasabi> Unless they're not broken. ;)
[10:00] <Treenaks> apt_preferences is a HORROR
[10:00] <cjwatson> they're well-defined but overengineered for most purposes
[10:00] <cjwatson> that overengineering is a bug
[10:00] <wasabi> I guess.
[10:00] <Treenaks> try figuring out pinning from the manpage.. it's impossible
[10:01] <wasabi> I agree. I'd like a UI.
[10:01] <cjwatson> and it's fundamentally hard to document because the interface sucks
[10:02] <cjwatson> it was written for complete generality by somebody who thoroughly understood apt internals, without a lot of thought directed at the most common cases
[10:02] <wasabi> K. Well. Whatever. ;)
[10:04] <cjwatson> wasabi: ThirdPartyApt seems to me to solve a slightly different problem, namely how to publish the necessary information about a repository as a single bundle
[10:05] <wasabi> Yup. One click, it would pin the proper things.
[10:05] <wasabi> Problem gone.
[10:05] <cjwatson> seems kind of orthogonal; in this case, the victim users were entirely happy to edit the files
[10:06] <cjwatson> and also in this case, remember that that would have been fifty clicks, not one ...
[10:06] <cjwatson> or a giant .apt file, I guess
[10:06] <Amaranth> is it even possible to pin things so the supported repos are always used unless you specifically add a pin for a certain package to come from somewhere else?
[10:06] <Amaranth> if so that first part should be a part of the shipped file
[10:07] <wasabi> Amaranth: You can make the priority for the official origin be higher than default, and make specific packages be one higher than that.
[10:07] <Amaranth> yeah
[10:07] <_ion> I wonder whether they'd have preferred me doing *nothing* when i noticed hundreds of computers were using my repository. They'd have a broken linux-restricted-modules package currently. I removed everything from the 'all' section immediately back then.
[10:07] <wasabi> Again though, it is ultimately still up to the provider of the repository to make sure the right stuff gets pinned.
[10:07] <Amaranth> synaptic could show package in "New in Repository" but not upgrade them automatically
[10:07] <cjwatson> wasabi: oh, hey, I have a concrete technical argument ...
[10:07] <wasabi> And not to upload bad shit into his repos.
[10:07] <Amaranth> choosing to install them from the "New in Repository" list would add the pin
[10:08] <cjwatson> wasabi: apt needs to know about the limitation on which packages are included because the added GPG keys should be restricted to only certain packages
[10:08] <cjwatson> which mitigates the hideously bad effects of GPG keys being added by something you click on in a web page
[10:08] <wasabi> cjwatson: Not effective as a security measure, and the practical is more easily implemented with pinning
[10:08] <cjwatson> and that needs to be a hard restriction, not merely a lowering of priority
[10:08] <cjwatson> so it's not actually quite the same as pinning
[10:09] <wasabi> Sure, but it doesn't protect you from anything.
[10:09] <wasabi> So, it's not worth doing.
[10:09] <mjg59> cjwatson: Go cycle :p
[10:09] <wasabi> Any package, even one, installed from a remote repository, of course, runs as root, and is more than welcome to do whatever it wants.
[10:09] <cjwatson> sure, but it can't e.g. overwrite your kernel unless you supply --force-overwrite
[10:10] <wasabi> Sure it can.
[10:10] <wasabi> It just needs to run a rm in postinst
[10:10] <Amaranth> it can rm it
[10:10] <Amaranth> yeah
[10:10] <cjwatson> I realise it only raises the bar a little bit, but I don't agree that that's not worth it
[10:10] <wasabi> It's a lot of work. ;)
[10:10] <wasabi> The pinning takes care of the actual problem.
[10:10] <cjwatson> wasabi: uh - dpkg tracks overwrites by means of its file lists, not what happens to be on the filesystem
[10:10] <wasabi> cjwatson: So?
[10:11] <cjwatson> so "it just needs to run a rm in postinst" is false
[10:11] <wasabi> I don't follow.
[10:11] <wasabi> What are you trying to prevent?
[10:11] <wasabi> A remote legitimate kernel package being installed when the user attempts to install it, or?
[10:11] <mjg59> cjwatson: It can mv a replacement kernel on top of the packaged one
[10:11] <wasabi> Or malicious remote software?
[10:12] <cjwatson> mjg59: true. whatever
[10:12] <cjwatson> everyone seems to think security is binary, so I'll slink off and go cycling
[10:12] <Amaranth> once the user starts installing the package all bets are off
[10:13] <wasabi> Yeah. All I want to do is provide tools to repository owners so they can release software in a supported fashion without breaking people's stuff on accident.
[10:13] <wasabi> They can still break it on purpose. ;)
[10:13] <Amaranth> wasabi: what sorts of tools? I missed that part
[10:13] <wasabi> https://wiki.ubuntu.com/ThirdPartyApt
[10:14] <wasabi> Please finish it up. I have a half-assed python implementation right now.
[10:14] <wasabi> Which does a ton of popen's to do its work.
[10:17] <Amaranth> sounds interesting
[10:17] <Amaranth> the spec i mean, not the code :P
[10:18] <Amaranth> i think modifying apt itself to do the pin stuff would be even better
[10:19] <Amaranth> a repo not in some list of defaults cannot be upgraded to, you have to explicitly choose to install things, then you get a pin that lets you upgrade that one package from that repo
[10:19] <wasabi> Well, that requires a list of defaults. ;)
[10:19] <wasabi> Which is separately maintained from the primary list.
[10:20] <wasabi> Does Pinning let you pin based on a GPG key?
[10:20] <wasabi> That's the ideal circumstance.
[10:20] <wasabi> Ubuntu pins itself at some known level, everything else gets lower.
[10:21] <wasabi> the .apt handler pins things at a level higher than Ubuntu, but only for the GPG key.
[10:21] <Amaranth> i would say only for the package you've chosen to install that has that GPG key
[10:21] <wasabi> Yup.
[10:21] <wasabi> The .apt file isn't just to add repos, btw.
[10:21] <wasabi> It specifies a set of packages to install from the new repos.
[10:21] <Amaranth> yeah, it installs things too
[10:22] <wasabi> I would say, unless that is specified, it should not allow the .apt file to be added.
[10:22] <wasabi> There's no point in clicking on a link on a web site that results in nothing happening.
[10:22] <Amaranth> brb
[10:22] <Amaranth> i agree
[10:23] <wasabi> brbtoo
[10:36] <Amaranth> wasabi: you said you had some code?
[10:37] <Amaranth> ah, found it