/srv/irclogs.ubuntu.com/2008/05/08/#ubuntu-devel.txt

blueyed	Can somebody please clear vbox-ose-modules from NEW/hardy-proposed?	00:32
LaserJock	can anybody think of a reason why a package would just disappear from Hardy?	00:45
jdong	LaserJock: usually that involves sabdflatory processes ;-)	00:47
jdong	or launchpad magic.	00:47
LaserJock	I think perhaps something went boom	00:47
LaserJock	I don't see a removal bug	00:47
LaserJock	but a decently important science app is just gone	00:48
LaserJock	looking at the publishing history all the Hardy uploads are "superseded" and none are "published"	00:48
blueyed	btw: "hardy-proposed" is missing from http://ddebs.ubuntu.com/dists/	00:51
TheMuso	LaserJock: Has it been removed from Debian.	00:59
LaserJock	TheMuso: I seriously doubt it, let me check	01:00
LaserJock	oh, actually it appears it has!	01:01
bd_	heh, why was it removed?	01:03
LaserJock	RoQA; (very) RC-buggy	01:04
LaserJock	well that's kinda crappy	01:05
LaserJock	somebody was clearly trying to fix it up and they go and remove it	01:05
LaserJock	I don't suppose there's a way for us to get it back?	01:07
cjwatson	LaserJock: err, it could come back in intrepid, maaaaaaaaybe in hardy-proposed given an SRU	01:09
cjwatson	BTW the RoQA stuff typically only happens after the maintainer has been delinquent for some time, and is a reaction to many previous occurrences when people promised to fix things up and then forgot	01:10
LaserJock	I guess	01:11
cjwatson	for some reason, removing things seems to kick people into action ...	01:11
LaserJock	but why not orphan it for a while first	01:11
LaserJock	I can see removing it from testing	01:11
LaserJock	as it had problems with gcc 4.3	01:11
LaserJock	so instead I have users wondering where their app is	01:12
LaserJock	and turning to PPAs	01:12
LaserJock	which I guess is alright	01:12
LaserJock	but perhaps we should just get the PPA packages into Ubuntu and let Debian do whatever they're gonna do	01:15
LaserJock	cjwatson: would you just blacklist a package like that from syncing?	01:15
LaserJock	I guess there wouldn't be anything to sync anymore	01:16
* LaserJock shuts up for the moment :-)		01:16
cjwatson	LaserJock: usually we don't blacklist packages that have been removed from Debian, on the basis that if they get put back into Debian then we probably want to follow suit	01:21
cjwatson	the blacklist is for packages that have been removed from Debian but not for Ubuntu	01:21
LaserJock	yeah, makes sense	01:22
LaserJock	I'm sure we'll bring them back for Intrepid	01:22
LaserJock	I don't feel like trying an SRU for Hardy, especially when there are PPAs available for it now	01:22
cjwatson	LaserJock: what's the package name?	01:22
LaserJock	qgis	01:22
LaserJock	it's a very common/popular GIS gui	01:23
LaserJock	I've seen people who use Ubuntu soley for it	01:23
LaserJock	I was just reading a forum thread about people wondering where it went, that's how I found out	01:24
cjwatson	well, it'll come back if it gets accepted back into Debian before import freeze	01:24
cjwatson	or if somebody reuploads it manually to Ubuntu	01:24
LaserJock	I'll have to talk to the people who are running the PPA, I think they are upstream developers	01:25
LaserJock	maybe I can convince them to maintain it in Debian and/or Ubuntu	01:26
ScottK	LaserJock: If it gets into Intrepid, it can be backported to Hardy.	02:11
LaserJock	ScottK: good point	02:12
TheMuso	StevenK: Any objections to me doing your libsdl1.2 merge? I'm preparing an SRU for it for hardy, and need to get the same fix into intrepid, so I may as well merge while I'm at it.	03:30
StevenK	TheMuso: None.	03:30
TheMuso	StevenK: Thanks.	03:30
WhiteNoise	if anyone is good with cryptsetup and initramfs, please check out this confirmed bug exposed when upgrading to Hardy and the new kernel: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/213279	04:38
ubottu	Launchpad bug 213279 in linux "cryptsetup: source device not found during boot" [Undecided,Confirmed]	04:38
doctormo	Hey is anyone here involved in the Remote-Support thread on the mailing list?	05:36
ScottK	I haven't noticed that any of the people significantly involved in it are regulars here (I commented once or twice).	05:40
doctormo	ScottK: Ah, i got this stomach turning dread when i noticed the thread; "Ah damn they're reinventing our project"	05:43
ajmitch	which project is that?	05:44
doctormo	https://launchpad.net/locoremotesupport/	05:46
* Hobbsee tends to get people who give her an ssh login, and hand over root access, and say "fix it"		05:46
fabbione	morning guys	05:51
Hobbsee	morning fabbione	05:52
ion_	"ciao a tutti".upcase.l337ize.mirc_colorize	05:53
* StevenK slaps ion_ with a large trout.		05:55
StevenK	If I can remember mIRC's default ...	05:55
ion_	:-)	05:55
* ScottK pan fries the trout in butter and has a late night snack.		05:56
ajmitch	late?	05:58
ion_	Yeah	05:58
doctormo	ScottK: I was curious as to what you would make of our project, you seemed interested	05:59
ScottK	doctormo: I'm mostly interested in we don't compromise security in order to 'help'.	06:05
doctormo	ScottK: yea, something that has brought about grave discussion in our irc channel. One of the reasons we decided to make it elective	06:06
Hobbsee	ScottK: oh, but why don't we give ppa access, and so put the correct versions of everything in there, and do an upgrade of critical packages, jus tto fix things?	06:06
Hobbsee	blah. my brain's not doing thoughts in a coherant order, today	06:07
LaserJock	nifty idea	06:07
LaserJock	"download this package and it will fix everything up for you .. ;-)"	06:08
Hobbsee	LaserJock: it's called automatix3, and won't let you turn on your computer again.	06:10
ScottK	"download this package and you'll never need to worry about your data again."	06:10
StevenK	It melts the machine down and encases it in rapid-set concrete?	06:10
doctormo	StevenK: and drops it in a 27 foot hole and covers it with rocks and bolders?/	06:12
StevenK	doctormo: Not enough.	06:12
doctormo	StevenK: It was a weird-al quote from his "Virus alert" song	06:13
StevenK	Haha	06:13
doctormo	"Then burn any of the clothes you wore when you were online"	06:16
doctormo	hehe	06:16
ion_	Sorry if i'm being ignorant (i didn't read the mailing list thread or study the locoremotesupport project), but i'd just like to point out that it would be nice if there were an easy way for a helpee to connect to me so that i'd gain access to her system for a single session. She wouldn't need to have something listening to a port, and i would be the one to set up an open port etc.	06:20
LaserJock	ion_: that does seem more sane	06:21
doctormo	ion_: yes, that is what we're working on, elective ssh support	06:21
doctormo	it uses reverse ssh tunnels	06:22
ion_	Nice	06:22
RAOF	Heh. That was my one contribution to the thread :)	06:22
doctormo	The idea is that it would work even if your on a weird PPoE or a McDonnelds Wifi, although weather you'd want to...	06:23
doctormo	RAOF: really? heh, you should have been in #ubuntu-us-ma about 2 months ago when we were talking about it	06:23
RAOF	Reverse ssh seems eminently sensible.	06:24
doctormo	RAOF: so far we have `ssh -o "StrictHostKeyChecking yes" -nNT -R %s:%s:%s %s@%s`	06:26
=== asac_ is now known as asac
dholbach	good morning	07:06
Hobbsee	morning dholbach	07:07
dholbach	hiya Hobbsee	07:07
=== paran_ is now known as paran
norsetto	heya dholbach	07:14
dholbach	heya norsetto	07:15
LaserJock	guten morgen dholbach	07:18
dholbach	heya LaserJock	07:18
nixternal	w00t, 1 more week of classes baby!	07:19
nixternal	now I just need to find a job and I will be good to go	07:19
* dholbach hugs nixternal		07:20
LaserJock	nixternal: job? what's that?	07:20
doctormo	programming?	07:20
nixternal	I have no clue...only job I have held the last 3 years is right here with all of you :)	07:20
nixternal	though I have taken the slacker route obviously	07:21
nixternal	I quit Microsoft to work with you LaserJock!	07:21
LaserJock	haha	07:21
nixternal	for real!	07:21
nixternal	people think I quit to go back to school...in all honestly it was you!	07:22
LaserJock	yes, my magnetic charisma stole you away from Ballmer ;-)	07:22
nixternal	that and he didn't pay worth a crap	07:23
nixternal	they hated us so much they gave us crappy office space and all...wouldn't even let us come near redmond	07:23
ajmitch	free copies of vista weren't enough for you?	07:24
nixternal	oh, you test ms products and linux.....no redmond for you!	07:24
ion_	And free chairs	07:24
nixternal	ajmitch: you still using that free copy aren't you :p	07:24
LaserJock	I've been to the Redmond campus, it's very beautiful	07:24
ajmitch	of course	07:24
nixternal	LaserJock: I have seen the redmond campus	07:24
nixternal	in 2 presentations and on google maps	07:24
ion_	laserjock: Any chairs flying around?	07:24
LaserJock	ion_: I was just outside waking through, never dared go inside the buildings	07:25
nixternal	they would have killed you..they have people dressed up like the imperial forces just waiting to get rid of your hippy ways	07:25
LaserJock	I was afraid they'd catch me and make me one of their code monkeys	07:25
LaserJock	I didn't have the lasers I have now for just such an occasion ;-)	07:25
nixternal	haha	07:25
nixternal	my 2 current job offers would require me to leave the community behind...and I can't deal with that honestly...I am to addicted	07:26
nixternal	plus mario lemonsquare owes me a drink	07:27
ajmitch	require?	07:28
nixternal	ya, as in I wouldn't be allowed to work on Ubuntu	07:28
superm1	lemonsquare?	07:28
ajmitch	harsh	07:28
nixternal	ya you superm1 :p	07:29
superm1	was that explicitly told to you?	07:29
superm1	that you'd have to leave them behind?	07:29
Yasumoto	nixternal: that's brutal.. :(	07:29
nixternal	superm1: ya	07:29
superm1	nixternal, yuck. w/ what groups/companies are these offers?	07:30
nixternal	and the one, was the Red Hat job down there by you	07:30
nixternal	but that was business services type stuff...marketing..they would only allow me to use what I was to support/market/manage/whatever	07:30
nixternal	the other is my old MS job :p	07:30
Hobbsee	!visternal	07:30
ubottu	Oh no! The pointy-clicky Vista lover has arrived! He's rumoured to be giving out free money, too!	07:30
Hobbsee	evil man.	07:30
nixternal	hehe	07:30
nixternal	only in your eyes!	07:30
nixternal	well, maybe a few others as well	07:31
superm1	nixternal, can they really dictate what you do on free time?	07:31
lucent	my evil sense is tingling	07:31
nixternal	I am hoping on a job opening with a local free software company that won't hamper anything but time	07:31
nixternal	superm1: not really, but it is easy for them to use it against you when you are sucking	07:32
Hobbsee	nixternal: then surely the solution is not to suck?	07:32
nixternal	most definitely, but everyone hits those times when they aren't 100%	07:32
nixternal	especially in business management	07:32
=== hunger_t is now known as hunger
nixternal	I so wish I would just go ahead and complete my damn CS stuff and forget this business crap	07:33
* Hobbsee thought there was more to the range, rather than just '100%' or 'sucky'		07:33
nixternal	anything less than 90% is sucky in my books :)	07:33
nixternal	unless of course you are talking about the humidity in Chicago, then anything above 60% is sucky	07:34
pitti	Good morning	07:34
Hobbsee	right.	07:34
Hobbsee	morning pitti!	07:34
* Hobbsee hugs pitti		07:34
nixternal	mornin' pitti	07:34
* pitti hugs Hobbsee and nixternal		07:34
superm1	nixternal, yeah well down here if you are talking about any part of the year between the end of may and end of august, it's always sucky	07:34
Hobbsee	:)	07:34
superm1	temperature wise at least	07:34
jsgotangco	evil nixternal making this channel noisy again!	07:34
nixternal	oh no!	07:34
* jsgotangco goes back to work		07:34
superm1	haha	07:34
\sh	nixternal, you need a new job? overseas? come to germany ;)	07:34
ajmitch	hi pitti	07:34
nixternal	whatever jerome! you know you want to come back to Chicago	07:35
\sh	nixternal, you can work on ubuntu full time ;)	07:35
nixternal	\sh: I am on my way!	07:35
nixternal	I will FedEx myself in the morning	07:35
jsgotangco	nope i am getting an island soon :)	07:35
\sh	nixternal, hehe...	07:35
nixternal	Blue Island?	07:35
nixternal	Stoney Island?	07:35
jsgotangco	i was supposed to be in ubuntu live but i have a sched that week elsewhere sunddenly came out i had to decline the slot	07:35
\sh	nixternal, na really, I need an add here for the sysadmin stuff, deploying ubuntu on servers, fixing packages, pushing new crack in	07:36
StevenK	\sh: Your servers run Automatix?	07:36
lucent	jsgotangco: a goose island?	07:36
nixternal	\sh: Hobbsee will attest...I am the best crack pusher this community has ever witnessed!	07:36
* Hobbsee beats StevenK		07:36
\sh	nixternal, you are allowed to even fix flash ,)	07:36
Hobbsee	nixternal: no, jdong is.	07:36
nixternal	ooh, good one lucent, I forgot about the all important Goose Island	07:36
\sh	StevenK, what is automatix?	07:36
nixternal	damn, I need to start producing more crack then	07:36
StevenK	\sh: Something you should continue to ignore.	07:37
nixternal	which they are closing at the end of the year except for their one cruddy spot near wrigleyville	07:37
lucent	nixternal: I was going to say "312" but it doesn't make itself immediately obvious to outsiders	07:37
\sh	StevenK, i thought the dev of autocracknix told the world that automatix died	07:37
nixternal	lucent: where the heck are you at?	07:38
nixternal	the name definitely rings a bell living right down the street from lucent	07:38
nixternal	hehe	07:38
lucent	I'm Eric Shattow	07:39
nixternal	have we met?	07:39
hunger	So what is the recommended upgrade path hardy/intrepid? Should I just remove the gcc-4.2 stuff? What about perl?	07:39
lucent	I live north of Chicago, IL	07:39
lucent	I don't know	07:39
nixternal	groovy...I am out by Schaumburg	07:39
\sh	hunger, there is no upgrade path...there is only pain...real pain...it will hurt...yay...pain is good ,->	07:39
RAOF	hunger: The currently recommended upgrade path is "don't".	07:39
nixternal	Schaumburg, a nice German town with more Greek restaraunts than you could shake a stick at	07:40
Yasumoto	\sh: haha. so reassuring.. :P	07:40
RAOF	Incidentally, it's also the currently recommended debootstrap path :(	07:40
* \sh doesn't even no Schaumburg...and the story about more greek restaurants...		07:40
hunger	\sh, RAOF: I know unstable ubuntu distris. Have been using them since before breezy:-)	07:40
Hobbsee	nixternal: do my assignment for me, kthxbye.	07:40
Hobbsee	this thing looks woefully stupid.	07:40
nixternal	haha, Hobbsee I spent all day doing a bogus Business Needs Analysis	07:41
\sh	hunger, it's too early to upgrade...believe us	07:41
Hobbsee	nixternal: this assignment refers to the internet consistently as the "InterNet"	07:41
nixternal	I faked an interview from about 3 of you in this channel actually :p	07:41
Yasumoto	hunger: it's still too early to upgrade yet though. the toolchain isn't even up yet (right?)	07:41
\sh	hunger, just try latest debootsrtap from intrepid and try to create a chroot...	07:41
hunger	Yasumoto: gcc 4.3 is uploaded and a lot of packages are already build.	07:41
RAOF	Yasumoto: The toolchain is, and stuff's building. The autosync hasn't finished yet IIRC, and it's not debootstrappable at the moment.	07:41
lucent	nixternal: I'm unemployed at the moment, work would be interesting	07:42
nixternal	hehe, you and I both :)	07:42
hunger	Yasumoto: gcc-4.3 transition does not seem done yet and perl is updated but not the perl addon libs.	07:42
lucent	I was doing some work as an installer for Allen Visual Systems in Buffalo Grove, IL	07:42
RAOF	Hobbsee: I suggest in your response you consistently capItalise rAndom chAracters.	07:43
\sh	yay..another re-installation of hardy in only 3 mins...ubuntu-minimal rocks	07:43
RAOF	hunger: If you know this, why are you asking how to upgrade? Either it works or it doesn't, and if it doesn't we don't much care yet :)	07:43
lucent	\sh: are we talking about a "netinst" version of Hardy?	07:44
hunger	RAOF: I have just checked what aptitude would do. And was wondering whether there are workarounds for these problems.	07:44
lucent	my friend asked me today if there exists a netinst version of Ubuntu Server, I told him "no" thinking that there was none	07:44
Yasumoto	hunger & RAOFL: gotcha, thanks	07:44
\sh	lucent, nope..I'm taking about a nice tool of this Hetzner company...they have actually a nice little util named installimage...and it takes finally 5 mins to install ubuntu...including changing the installation template	07:45
Hobbsee	RAOF: heh	07:45
\sh	lucent, for simple installations over network you can use the netboot image...	07:45
\sh	lucent, for real life mass deployment I advise looking at FAI	07:45
lucent	good info, thank you	07:46
pitti	yay, intrepid is sane again, perl works	07:46
RAOF	hunger: I'm not sure if anyone in here has actually upgraded anything but a build-chroot to Intrepid yet.	07:46
\sh	that reminds me, my new two servers arrived...2x DL365, 16GB+16GB, 2x Quad Core Opterons...yay	07:46
hunger	pitti: It is? Aptitude still wants to keep back perl since all the libs are not upgradeable at this time.	07:46
\sh	8 Cores for ESX...I'm a lucky guy	07:46
lucent	har... I saw a blog entry about "Completely Fucking Slow" (CFS) scheduler	07:47
hunger	RAOF: Where is the fun in waiting till everything works?	07:47
RAOF	pitti: Oh, does that make it debootstrappable?	07:47
pitti	hunger: hm, WFM now, I could dist-upgrade, and now build-essential (which includes perl) installed	07:47
\sh	pitti, you are my jesus with this message ;)	07:47
pitti	RAOF: should	07:47
RAOF	Yay!	07:47
pitti	intltool still seems to be broken, though	07:47
pitti	libxml-parser-perl	07:47
hunger	pitti: Well, I have a somewhat non-standard system, so maybe it is just additional stuff.	07:47
RAOF	hunger: Yeah, but where's the fun in installing before _anything_ works?	07:47
\sh	if only our a.u.c. servers were letting me sync intrepid..	07:48
hunger	pitti: Well, still 33 perl packages waiting to get build... lets see how things are once they are there.	07:48
lucent	intrepid? what's so hot about that	07:48
RAOF	lucent: Goats are hot.	07:48
lucent	I've run debian unstable before, mostly because it was more or less stable	07:48
RAOF	The internet knows that!	07:49
pitti	hunger: ah	07:49
lucent	compared to say, any other OS I've used for the desktop	07:49
pitti	hunger: libxml-parser-perl is current, though	07:49
pitti	ah, it was built against the old perl	07:50
* pitti does another rebuild		07:50
stgraber	morning	07:52
\sh	waaaaaa	07:54
\sh	passwd -l root	07:54
\sh	apt-get install mysql-server	07:54
\sh	failed	07:54
\sh	Unpacking mysql-server-5.0 (from .../mysql-server-5.0_5.0.51a-3ubuntu5_amd64.deb) ...	07:54
\sh	Your account has expired; please contact your system administrator	07:54
\sh	chfn: PAM authentication failed	07:54
\sh	wth?	07:54
\sh	well, sudo su - <-- tells me the same, sudo -i doesn't	07:55
ion_	sh: Well, please contact your system administrator. ;-)	07:55
\sh	ion_, hehe	07:55
\sh	we do agree here, this shouldn't happen	07:55
* \sh looks at mysql this evening...		07:56
ion_	Do the passwd/shadow lines for root look ok?	07:56
\sh	ion_, root is enabled during installation from the rootserver provider...	07:57
\sh	ion_, passwd -l root locks root account and make it unusable...it should be the same as the default non-root install now	07:57
\sh	i am logged in via useraccount , sudo -i to become root, and install the package...	07:58
\sh	mysql-server does something during postinst..and runs into a pitfall, because passwd -l root is not the same as telling the passwd package somehow to not enable root	07:58
ion_	Yeah, i'd assume that, but have you actually looked at passwd/shadow? I mean, is passwd/shadow broken by passwd -l root or is e.g. PAM broken?	07:59
\sh	ion_, na passwd/shadow are looking sane	07:59
\sh	ion_, and no...pam is not broken ;) because in the end everything works.	08:00
pitti	yay, with that libxml-parser-perl upload, intltool becomes installable	08:00
pitti	and cdbs	08:00
TheMuso	The joys of the first weeks of a new release cycle.	08:01
pitti	so everyone who would like to see their intrepid upload build, please compile a list of source packages (NO commas in between) and toss it to me, I can give them back	08:01
pitti	(their uploads which FTBFSes because of intltool, that is)	08:01
Hobbsee	pitti: can't you just get someone to do a mass giveback for anything that didn't build in intrepid?	08:02
* \sh checks this afternoon after rollout of companies new product release		08:02
TheMuso	pitti: jack-audio-connection-kit	08:02
pitti	Hobbsee: yes, infinity can	08:02
pitti	(and will)	08:02
Hobbsee	pitti: right	08:02
pitti	TheMuso: noted, will do	08:03
TheMuso	pitti: oh and at-spi	08:03
TheMuso	pitti: Thanks.	08:03
=== tkamppeter_ is now known as tkamppeter
norsetto	pitti: re. the intltool ftbfs, I only have gnome-radio to be given back	08:39
pitti	norsetto: noted down, will do	08:39
norsetto	pitti: danke	08:39
pochu	pitti: could you also put gstreamer0.10 and libbeagle on that list to give back? re: intltool uninstallable	09:31
pitti	pochu: done	09:32
pitti	I'm still waiting for the new libxml-parser-perl to become really published	09:32
pochu	sure, no hurry. thank you	09:32
Ng	pitti: is apport supposed to get disabled at release? or am I on crack? ;)	09:33
pitti	Ng: it is supposed to, and it's actually disabled for SIGSEGV-like crashes	09:33
pitti	Ng: it's not yet for Python crashes, that's bug 222260	09:33
ubottu	Launchpad bug 222260 in apport "apport_python_hook.py doesn't check to see if apport is enabled" [Medium,In progress] https://launchpad.net/bugs/222260	09:33
Ng	pitti: ahh, that would explain why we're seeing python crash reports here, thanks :)	09:34
cylex	hello.. I am wondering if anyone's home	09:35
emgent	morning	09:36
cylex	I had a question... if I want to develop something for Xwindows.. like a small app	09:36
cylex	morning emgent	09:36
cylex	What language do I use?	09:36
cylex	C ok?	09:37
cylex	or better question.. what languages most packages are written in.. for Xwindows?	09:38
pitti	cylex: depends on which language you know and prefer; personally I find Python and pygtk rocking, and it's so easy and fast to develop small GUI apps	09:41
pitti	cylex: C works fine, of course	09:41
pitti	cylex: BTW, this is off topic here (not related to Ubuntu development, not even to Ubuntu in particular)	09:42
cylex	Are there mailing lists or any development places I can go for help	09:43
cylex	with this stuff	09:43
pitti	cylex: maybe try http://library.gnome.org/devel/gtk-tutorial/stable/ if you want GTK?	09:44
cylex	and is it difficult to code with C for GUI?	09:44
tseliot	cylex: try asking in the "Programming Talk" section of ubuntuforums:	09:44
tseliot	http://ubuntuforums.org/forumdisplay.php?f=39	09:44
pitti	cylex: in C it is not more difficult, but much less comfortable than in scripting languages like Python or Perl	09:44
lucent	cylex: Gnome lovers will strike me, but the Qt toolkit provides a solid multi-platform base of code in C++ language to work with for professional application development	09:45
pitti	cylex: (you need much more code, since C is a low-level language)	09:45
lucent	cylex: the other popular choice is Python language with Gtk+ bindings	09:46
cylex	ok thanks, you guys been great help :)	09:47
cylex	Is there chan on this network for programming talk?	09:51
Le-Chuck_ITA	Hi there, I would like to prepare a patch to dexconf, but I don't understand: in /etc/X11/xorg.conf it says that the file is regenerated whenever xorg is upgraded	09:51
Le-Chuck_ITA	on my system this does not happen even though I reconfigured X manually to get back the original file without my modifications	09:52
pochu	cylex: generally or for a specific language?	09:52
chmj	:'(	09:53
cylex	pochu: C/gtk for ubuntu	09:53
cylex	pochu: language specific	09:53
lucent	what the heck is ctrl+Y in irssi hmm	09:54
cylex	I think I got it.. I'll just join #c	09:56
broonie	Has the process for doing SRUs for main changed in the past 6 months or so?	09:57
pochu	cylex: and #gtk+	09:57
Le-Chuck_ITA	nobody can tell me how to force xorg.conf to be updated in a patched package for xorg or x11-common?	09:57
pitti	broonie: the procedure became a bit more streamlined, and we added a few acceptable cases	09:58
pitti	Le-Chuck_ITA: no, because packages must not touch xorg.conf	09:58
broonie	Hrm, right. Might be worth trying then.	09:58
broonie	Thanks.	09:58
pitti	broonie: see the current policy document	09:58
pitti	it has been rearranged quite a bit for readability	09:59
broonie	The last policy didn't look too bad either...	09:59
broonie	But yes, I'll have a look.	09:59
=== Great_Briton_ is now known as Great_Briton
Le-Chuck_IT1	pitti: sorry for disappearing so suddenly, my laptop is breaking and sometimes it dies	10:03
Le-Chuck_IT1	You said packages shouldn't touch xorg.conf but when is dexconf triggered? Never?	10:03
pitti	Le-Chuck_IT1: oh, I just read your previous lines, when I replied I just saw the last one	10:04
xivulon	seb128, had a quick look at changing the bookmarks yesterday night	10:04
pitti	Le-Chuck_IT1: no, dexconf does not change xorg.conf automatically either	10:04
xivulon	but it seems that the default bookmarks are hardcoded :(	10:04
pitti	Le-Chuck_IT1: just if you manually do dpkg-reconfigure xserver-xorg	10:04
Le-Chuck_IT1	pitti so why in xorg.conf it says that the file is not regenerated when manually modified? Is it just an old comment and should be removed?	10:05
xivulon	seb128 would it be possible to change xdg-user-dirs-gtk so that it sources the default bookmarks from a config file?	10:05
xivulon	unless you have a better idea on how to do this, that is	10:05
pitti	Le-Chuck_ITA: ah, I think it might still be true	10:06
seb128	xivulon: I guess everything is possible, it just require somebody doing the changes	10:06
Le-Chuck_IT1	er... pitti: now it was pidgin that died	10:06
pitti	Le-Chuck_IT1: bryce and tjaalton would know better	10:06
xivulon	seb128 I guess by "possible" in this case I mean "appropriate for point release" :)	10:07
Le-Chuck_IT1	thank you pitti	10:07
pitti	Le-Chuck_IT1: ugh, what's wrong on your machine, that everythign crashes? bad rAM?	10:07
seb128	xivulon: well, depends what you suggest to do	10:07
Le-Chuck_IT1	pitti: this is a different laptop than the other one really :) This time I think it was a crash in pidgin since I pressed ctrl+w to close a tab	10:08
xivulon	seb128, as you know, I would need to change the default bookmarks generated on first login	10:08
Le-Chuck_IT1	pitti: the other laptop is dying for something related to temperature	10:08
xivulon	I guess my idea would be to have some file in /etc/xdg or such that contains a list of default boomkark types	10:08
seb128	xivulon: /etc/xdg/user-dirs.defaults for example?	10:09
xivulon	yep, that contains the dirtype <-> dir	10:09
xivulon	we need another similar file to give me a list of default dirtypes	10:09
\sh	pitti, we need something to ensure, that if some build-deps are name-changing all packages source-build-depending on them are recompiled automatically	10:09
xivulon	such as "VIDEOS PICTURES MUSIC... HOST"	10:10
pitti	\sh: how do you want to do that? you need actual uploads for that	10:10
seb128	xivulon: ok, so you suggest changing the way it's working	10:10
xivulon	yep update.c	10:10
pitti	\sh: and if the build deps actually change names, you need to modify the source	10:10
seb128	xivulon: I'm too busy to look at doing that but if you come with a reasonable patch why not	10:10
\sh	pitti: e.g. php5 -> php5-imagick , needs libWand.so.9 now (in hardy) but we have libmagick10 in our archives, and libmagick9-dev still available...	10:11
xivulon	seb128: I am not on my machine now (and not too familiar with gnome code) but I will think of something	10:11
\sh	pitti, php5 compiled against the old version, so the imagick extension does not work and failes to load	10:11
seb128	xivulon: ok, cool	10:12
xivulon	seb128 is there any xdg standard for bookmarks?	10:12
\sh	pitti, looks like that libmagick9-dev still available, but there is no libmagick10-dev ... I wonder what happend actually	10:12
* xivulon reading http://www.freedesktop.org/wiki/Specifications/desktop-bookmark-spec		10:14
pitti	\sh: yeah, that's very inconsistent and a broken name	10:14
\sh	s/php5/php-magick/ ;)	10:15
seb128	xivulon: not that I know about	10:17
\sh	pitti, src imagemagick still builds libmagick9-dev ... but somehow we really need to ensure a rebuild of all rdependant packages after such an upload...	10:18
xivulon	seb128: I suggest /etc/xdg/user-boomarks as a flat list of dirtypes	10:18
xivulon	seb128: I /etc/xdg/user-boomarks.defaults	10:18
\sh	pitti, and kick the maintainer if imagemagick to not take care in the first place ;)	10:19
\sh	s/if/of/	10:19
\sh	now for an SRU for php-magick, to be just an rebuild ;)	10:21
=== cprov is now known as cprov-afk
Le-Chuck_ITA	Is there a channel for talking about xorg bugs in ubuntu?	10:48
dholbach	Le-Chuck_ITA: try #ubuntu-x or #ubuntu-bugs	10:49
Le-Chuck_ITA	thanks dholbach	10:51
=== thekorn_ is now known as thekorn
=== cprov-afk is now known as cprov
\sh	hooray...I can create intrepid chroots ;) thx	11:10
\sh	pitti, can you give-back ddccontrol? (libxml-parser-perl ftbfs)	11:12
emgent	W: Failure trying to run: chroot /home/emgent/.chroots/intrepid dpkg --force-depends --install var/cache/apt/archives/libc6_2.7-10ubuntu3_i386.deb	11:23
emgent	argh..	11:23
emgent	italian mirror dont work fine	11:24
\sh	emgent, it's not updated...	11:25
\sh	emgent, this problem is resolved since yesterday/today	11:25
emgent	i will try to use international mirror :)	11:26
\sh	emgent, be careful of leningradskaya ;)	11:28
emgent	:)	11:28
calc	cjwatson: bug 186049 appears to be it was mentioned in the arstechnica review	11:51
ubottu	Launchpad bug 186049 in galago-sharp "System.DllNotFoundException: libgalago" [Undecided,Confirmed] https://launchpad.net/bugs/186049	11:51
cjwatson	calc: yeah, that was why I stuck an 8.04.1 milestone on it	11:56
cjwatson	I got to it from arstechnica	11:56
calc	ah ok	11:57
cjwatson	looks easy to fix and worth fixing	11:57
\sh	grmpf...a lot of stuff ftbfs because of this intltool/perl problem earlier on...more difficult that it hit on most of auto-synced packages	12:04
cjwatson	that's what mass give-backs are for ...	12:11
\sh	cjwatson, for sure...but it's hard to tell now, if packages are already NEWed + building or NEWed + FTBFS ... the webfrontend is not as nice as it could be ;)	12:14
cjwatson	that much is pretty clear from the builds page for the relevant package version	12:18
asac	siretart: wpasupplicant 0.6.x - is it safe to just use the debian version or are there any changes you would like to add/keep?	12:22
\sh	cjwatson, yes..when you click on the version in <release> first...clicking through the buildlogs to find out why etc...quite long ways for a simple info ;) anyways..	12:22
siretart	asac: I was about to ask you, no, AFAIK we can and should just sync the debian package	12:34
siretart	asac: if you need to do some changes to the package, let's please do them to the debian package directly, okay?	12:35
cody-somerville	Is the UDS "business" or can I say I'm a "tourist"?	12:35
asac	siretart: sure. if i add you to ~network-manager team would you upload updates there for the next few weeks (until i have sorted some grave issues for NM 0.7)	12:37
asac	to PPA i mean	12:37
asac	siretart: i have a question though. how is wpasupplicant started? for me it first didn't start, but then (i don't remember exactly what i fixed) it started automagically	12:37
siretart	asac: it depends. from the wpasupplicant maintainers POV, the recommended way is via ifupdown	12:38
siretart	see /usr/share/doc/wpasupplicant/README.modes for details	12:38
siretart	NM however is starting it on its own behalf	12:38
siretart	and AFAIUI, NM 0.7 is supposed to use this dbus activation service thingy, which I haven't seen in action yet	12:39
siretart	does this answer your question?	12:39
asac	yes its dbus	12:39
asac	no, but i'll look closer and ask later i guess ;)	12:40
siretart	may I ask why you suggest uploading to the ~network-manager PPA first instead of directly into intrepid?	12:40
siretart	or do you want to develop in hardy first?	12:40
siretart	asac: if you want we can also phone about that	12:40
asac	i am on hardy still yes.	12:40
siretart	same here	12:40
siretart	I have uploaded a wpasupplicant package in my personal PPA. you should be able to just copy it from there	12:41
asac	siretart: cool, would you be available tomorrow? i still need to actually know for sure what i am talking about :)	12:42
asac	(phone call)	12:42
siretart	I should be. ping me on irc first to be sure	12:42
asac	awesome	12:42
pitti	\sh: noted; let's see whether it finally got published	12:56
pitti	\sh: ah, seems to	12:56
\sh	pitti, thx...	12:58
\sh	is zope3 working now with py2.5 or is it still only usable with 2.4?	13:00
pitti	\sh: I gave back one arch:all test package for now, building now; cross your fingers!	13:03
\sh	pitti, I'll pray to the mighty sbuild ... somehow right now everything is blocking my merges/syncs mostly because of missing new package releases ... and in the meantime fighting with stupid commercial software a la adobe flash media server is not even better	13:07
pitti	Status: Successfully built	13:07
* pitti does the intrepid dance		13:07
* pitti flushes his give-back list		13:07
TheMuso	pitti: I've just discovered that ardour, a package that got autosynced, was hit by the libxmlparser-perl issue discussed earlier. That can be given back too while you're at it.	13:10
seb128	is launchpad down?	13:11
elmo	seb128: works for me?	13:11
* ogra points pitti to dia and italc while he is at it		13:11
TheMuso	seb128: No problem here.	13:12
seb128	elmo, TheMuso: thanks, looks like an url copy error, works now	13:13
pitti	TheMuso, ogra: done	13:20
ogra	gracias :)	13:21
* ogra wnders if we could/should drop hwdb-client from the archive in intrepid ... there are still bugs rolling in for it		13:22
TheMuso	pitti: thanks.	13:22
* ion_ hopes X in intrepid will gain input hotplug and MPX. I’m going to buy a remote mouse-keyboard combination for sofa usage and keep the current keyboard and mouse on the desk.		13:24
ogra	ion_, works for me since gutsy with a wirelesss usb media keyboard	13:25
ogra	and didnt break in hardy	13:25
ion_	ogra: I mean, i’d really love to have separate focus for both keyboard/mice pairs.	13:26
ogra	ah	13:26
jcwinnie	Hardy Heron is a marvelous OS and aptly named because it can stand there and do nothing for evah!	13:35
* cody-somerville blinks.		13:35
siretart	hm. since the upgrade to intrepid, my laptop heats up way more. did anyone notice that as well on his laptop?	13:36
ion_	This insight was provided by: having accidentally dropped the baby ten years ago.	13:36
cjwatson	ion_: I think that's needlessly harsh	13:36
ion_	cjwatson: Sorry, didn’t mean to be malicious.	13:37
pitti	seb128: btw, intltool buildd issue in intrepid is solved, happy uploading	13:56
Hobbsee	\o/	13:57
pitti	infinity: I think now is a good time for a mass-give back in main	13:57
infinity	pitti: Kay. Doing so.	14:02
pitti	infinity: cheers	14:02
infinity	pitti: When you say "solved", you mean "completely published on drescher", right?	14:03
pitti	infinity: yes, I just gave-back some of the failed packages, and they worked	14:03
pitti	infinity: well, the Perl issue anyway	14:03
infinity	pitti: Alright. The queues on /+builds just got a lot longer again.	14:04
pitti	:)	14:05
ogra	sigh	14:05
* ogra watches dia explode again on other missing packages now		14:06
ogra	i guess i'll wait a week asking for the next give back	14:06
* ogra sighs about tuxtype merge ....		14:24
Hobbsee	what about it?	14:25
ogra	* use dh_desktop to add maintainer script fragments to call	14:25
ogra	update-desktop-database	14:25
ogra	from the latest debian changelog	14:25
ogra	but there is no .desktop file in the whole package	14:25
ogra	(it never had one)	14:25
ogra	i'D love to drop our patch tat creates one if i knew debian added on	14:26
ogra	e	14:26
Hobbsee	interesting.	14:26
ogra	oh, debian uses ours in the same place	14:27
ogra	thats why it didnt show up in the patch	14:27
Riddell	"W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/intrepid/universe/binary-i386/Packages.bz2 Hash Sum mismatch" humph	14:51
=== Shely_ is now known as Shely
cjwatson	testing germinate-update-metapackage changes is no fun with a loaded archive.u.c	15:17
* ogra wonders when mom runs again, all stuff i uploaded yesterday still shows up		15:31
andrew___	Hi, I'm Andrew Sayers. Martin Owens wanted to talk to me - are any of you him?	15:32
=== thekorn_ is now known as thekorn
cjwatson	andrew___: doctormo	15:32
cjwatson	ogra: stuck on archive.ubuntu.com coming up to date, which is having serious load trouble	15:33
ogra	ah, still ?	15:33
cjwatson	IS are aware, but we have those pesky users	15:33
ogra	i thought that was solved	15:33
andrew___	cjwatson, thanks. I'll nudge him.	15:33
ogra	well, i using a localhos apt-proxy here in pbuilder and for the chroots so i dont really notice slowness anymore	15:34
ogra	s/i/i started/	15:34
doctormo	hey andrew___	15:40
doctormo	andrew___: thanks for popping by, email can be fustrating at times.	15:42
doctormo	So our plan is to have vnc-x11 running over the reverse ssh tunnel. my guess is that this is a similar plan as yours	15:43
doctormo	the ssh part is set up by creating a support user, creating a random password (putting it in .bashrc as an echo) using the helpers public ssh keys to get access over the tunnel. keys are transmitted over jabber (ssl)	15:45
andrew___	Yeah, our plans have gone a little further since then :)	15:46
andrew___	I've not really talked to Justin about this, but I'm personally most interested in the case of nearly-broken systems.	15:47
doctormo	As you may have noticed, I've been working on the support tool side of things.	15:47
andrew___	Busted video card, dist-upgrade cancelled halfway, etc.	15:47
andrew___	Where you really can't make many assumptions at all about the system.	15:47
andrew___	(e.g. Python working)	15:47
doctormo	andrew___: broken video card means a trip to the nearest techy, not a support call	15:47
andrew___	Yeah, once you've confirmed that's what it is.	15:48
doctormo	Anything that would undermine the system, we would ask users to load a live cd	15:48
andrew___	That's another thing - we're looking at the "technical friend" case...	15:49
doctormo	andrew___: meet leftyfb, a technical friend who is my case.	15:49
andrew___	As in, you get a phone call from a friend of yours saying "hey, you know something about Linux, right? Well, my computer doesn't work. Please fix it"	15:49
andrew___	Hey leftyfb.	15:49
leftyfb	hi	15:50
leftyfb	i've already done all this a few times using scripts ... works well	15:50
doctormo	andrew___: I'm sure we're all used to taking those calls, but leftyfb has a whole load of people doing that to him.	15:50
andrew___	leftyfb, are they available online somewhere?	15:51
leftyfb	nope, i write them up as needed .... all it does is ssh back to me and create a reverse tunnel	15:51
andrew___	Ah right.	15:51
doctormo	So, we were talking about the very broken case leftyfb, where the computer has a hardware fault or isn't software sane.	15:52
leftyfb	doctormo's project will simplify this with a nice gui, but also provide the ability to troubleshoot some things without needing full ssh access. It also audits the whole process with a ticketing system	15:52
leftyfb	oh	15:52
leftyfb	uh	15:52
leftyfb	nothing you can do there	15:53
andrew___	My original impetus for this was a friend that had a power cut (or similar) halfway through an upgrade to 8.04.	15:53
* Hobbsee wonders what happens if ssh is dead.		15:53
leftyfb	unless the tool is included on the live cd	15:53
leftyfb	or we put one out	15:53
doctormo	Hobbsee: we can still help via chat	15:53
Hobbsee	doctormo: i guess you can't do anything if nm decides to fall over.	15:53
andrew___	Hobbsee, use socat, or cryptcat, or netcat, or try to resurrect ssh with custom config files...	15:53
doctormo	Hobbsee: yep	15:53
leftyfb	Hobbsee: I think we talked about that ... doing some basic testing of an inet connection and either fixing it if it's absent or forcing one for the session	15:54
andrew___	The actual code we're looking to write is looking like it'll be a general mechanism for creating a session on one computer, accessible from another, using whatever tools are available/working.	15:54
leftyfb	what about adding in your own ssh daemon and making x11vnc a dependency of the tool?	15:55
andrew___	Again I haven't talked to Justin about this, but I'd like to have a tool with no explicit dependencies, then metapackages called something like technical-friend/nontechnical-friend that depend on a useful collection of tools.	15:57
doctormo	andrew___: I didn't want to get too far into the broken use cases, there is only so much you can mitigate before you end up http://xkcd.com/416/	15:58
andrew___	True. I'm not planning to go nuts about that sort of thing until there's some evidence for what actual problems people have in real life.	15:59
doctormo	andrew___: there is no reason why a cli version of our support tool couldn't be made. your scripts could download deps if broken.	16:00
doctormo	but I'd want to mop up these things after the first release	16:00
andrew___	True, although it's overkill for a friend that you're already talking to on the phone.	16:00
andrew___	Would you agree with this general assessment:	16:01
andrew___	You want to create a Jabber-based support tool that makes it easy for a sitting group of experts to debug the computer of someone they don't know, and in order to do that, you need a tool to start SSH or VNC sessions, although that's not really where your technical interest lies.	16:03
doctormo	andrew___: not quite, leftyfb knows all the people he helps but would still use this tool	16:03
leftyfb	this tool is for people I already know, at home, who need help from me and need to give me access to logs/etc or full ssh/vnc access to help troubleshoot their problem. You don't create scripts for helping people over the phone.	16:04
doctormo	andrew___: and, past tense. Have created a jabber-based...	16:04
* Robot101 would like to point out that Telepathy and Empathy provide excellent infrastructure for such a tool...		16:04
leftyfb	jabber is more established	16:05
doctormo	leftyfb: er, they're just a set of gtk widgets and libs for chat	16:05
Robot101	yes, telepathy uses it, amongst other protocols	16:05
doctormo	leftyfb: imagen libpurple but for gnome ;-)	16:06
Robot101	we've actually got branches to Empathy which let you click a buddy and share your desktop with him	16:06
Robot101	telepathy deals with nat traversal etc for you, you just ask it for a "stream tube"	16:06
leftyfb	so this would be instead of using python to create the client which doctormo has already done?	16:07
* ogra just read steam tube above :)		16:07
Robot101	mm, well there are benefits to integrating with an existing mechanism of communicating with people	16:07
leftyfb	i'll let doctormo handle that part of it :)	16:08
* Robot101 thinks this is very much a use case we'd be interested in addressing		16:08
leftyfb	my only concern is the security and functionality of the tool, now how it's made :)	16:08
cody-somerville	crap	16:08
doctormo	Robot101: It's an interesting idea, I'd need convincing since I've spent time getting pyxmpp working with all the business logic we have.	16:08
Robot101	so you can be IM or VOIP chatting with someone and then they can say, oh yeah this pops ups, what do I do	16:08
Hobbsee	ogra: you can have steam if you want.	16:08
Hobbsee	ogra: but it's probably not useful.	16:09
Robot101	then you can just click share desktop, and the other guy gets a libnotify, clicks OK, and is then in the VNC viewer...	16:09
ogra	Hobbsee, telepathic steam :)	16:09
cody-somerville	If I cancel a dput upload in progress, what are the implications?	16:09
doctormo	ogra: sounds like a doctor who	16:09
ogra	haha	16:09
Robot101	also it works over link-local contacts using the bonjour backend	16:09
Robot101	that being somewhat the purpose of the abstraction :)	16:10
doctormo	Robot101: We're doing fancy stuff with ticket handeling, auditing and various other things. Useful for one to one help, though community help use case is not there.	16:11
Mithrandir	cody-somerville: it gets thrown away.	16:12
cody-somerville	Mithrandir, \o/ cheers.	16:13
doctormo	But it sounds interesting, maybe future versions could use it, though I'd not want to risk changing direction now that we're so close to finishing the first version	16:13
Robot101	doctormo: reading scrollback a bit, it sounds like you're solving a slightly different set of problems	16:14
leftyfb	remote support that's easy for the user to install and use to give us access to help them	16:14
Robot101	doctormo: but I just thought I should let you know there are some options for the p2p/interactive support case where you're already using IM/VOIP to talk to someone	16:14
Robot101	seems to me like adding new users to the system and requiring sshd to be installed is kinda overengineering isn't it?	16:15
leftyfb	nope	16:15
leftyfb	ssh = ability to fix anything	16:16
hunger	Robot101: Incoming connections are blocked in most home setups.	16:16
leftyfb	lots of other programs add users/groups .... vmware for one	16:16
Robot101	hunger: exactly why you should leave this to the NAT traversal experts :D	16:16
leftyfb	hunger: this works off reverse ssh connections	16:16
leftyfb	no inbound ports needed	16:16
hunger	leftyfb: Oh, great:-) Then why do you need a sshd?	16:17
leftyfb	uh	16:17
Robot101	oh, maybe I misunderstood	16:17
doctormo	hunger: how would it do it otherwise?	16:17
leftyfb	you want me to answer that?	16:17
leftyfb	:)	16:17
Robot101	does the user's system need sshd installed?	16:17
leftyfb	yes	16:17
leftyfb	how else are you going to connect to them?	16:17
Robot101	so the helper ssh's to the user's system?	16:18
andrew___	leftyfb, ssh client != ssh daemon	16:18
hunger	Does the outgoing SSH do port forwarding so that somebody can via that?	16:18
* leftyfb sigh		16:18
Robot101	or the user ssh's somewhere, with a port forward, so the helper can ssh back?	16:18
doctormo	andrew___: can you create a reverse tunnel without sshd?	16:18
andrew___	What are you referring to as a "reverse tunnel" here?	16:18
Robot101	doctormo: (yes, use a stream tube from telepathy :D)	16:18
doctormo	hunger: no port forwarding	16:19
doctormo	Robot101: no steam tubes ;-)	16:19
Robot101	can you explain in terms of a sequence of connections (who connects to who) how it'd work?	16:19
leftyfb	customer ssh's to our remote/secure server using generated ssh keys using an account that doesn't have shell access. This creates a reverse tunnel back to their local sshd service. We, as support, login to the server and ssh to the localhost port created by the reverse ssh tunnel giving us access to the customers account. All automated. Customer see's a pretty chat windows with a "remote access button". We click connect and up comes gnome	16:20
leftyfb	-terminal with the connection open.	16:20
doctormo	Robot101: user -> server, helper -> server -> user	16:20
Robot101	this seems alarmingly overengineered. cool. :)	16:20
leftyfb	overly secure is the word you are looking for	16:21
Robot101	encrypting things more times isn't more secure, and nor is granting remote shell access to people without being able to supervise (or even understand) what it is they're doing	16:21
doctormo	Robot101: I'm larry wall lazy	16:21
andrew___	If you're assuming the user has a GUI fired up, why not use VNC?	16:21
Robot101	andrew___++	16:21
doctormo	I'll let leftyfb handle these questions	16:22
leftyfb	I use this method all the time just fine	16:22
leftyfb	we don't always need VNC access	16:22
leftyfb	in fact, VNC is just going to slow most troubleshooting down	16:22
leftyfb	most things can be fixed via ssh	16:22
Robot101	VNC has the benefit that the user can /see/ what the helper is doing	16:22
doctormo	We want to use vnc access to show the user how to do things, not to do things ourselves	16:22
leftyfb	if the user request that, then that's what we use	16:23
andrew___	Also, they can type in their passwords without telling you them.	16:23
leftyfb	but it's not the default method of troubleshooting	16:23
leftyfb	a lot of users don't care	16:23
leftyfb	we will have a local account with sudo access	16:23
leftyfb	we don't need their passwords	16:23
leftyfb	again, this isn't the first program to create local accounts/groups to get things done	16:24
andrew___	That's fair enough for people that know you, but training users to hand out root access to people online they've never met seems like a bad plan.	16:24
doctormo	Robot101: We use auditing, although users don't generally mistrust their geeky friends	16:24
Robot101	it's the first program I've heard of which automatically grants local root access to 3rd parties :P	16:24
Robot101	and also installing a sshd service behind the user's back, unless you bind it localhost only or something, seems extremely undesirable	16:24
doctormo	Robot101: who said anything about automatically?	16:25
Mithrandir	uh, is this a package which is going to go into the normal repositories?	16:25
leftyfb	andrew___: people give M$ compete access to their computer when doing remote support. This support tool is meant to be used by groups/companies providing support to a large customer base	16:25
Hobbsee	Mithrandir: supposedly.	16:25
leftyfb	it will be bound to localhost	16:25
Hobbsee	Mithrandir: i'm sure it will show up as forums crack for a while	16:25
leftyfb	the sshd	16:25
Robot101	doctormo: automatically as in "Do you want foo to fix your system? [ Yes ]" is sufficiently automatic	16:25
Hobbsee	fix == sudo rm -rf /	16:25
leftyfb	it'll be a custom sshd access only accessible via pregenerated keys and via localhost only	16:25
Robot101	oh well. I prefer the idea that you can hook these things into a conversation with someone, and not let them do things you can't see.	16:26
* Hobbsee grins maliciously		16:26
Robot101	which could be sharing a pty and exporting it over a socket, or VNC	16:26
doctormo	Robot101: that's because you know what your doing	16:26
Hobbsee	"i'm a core dev, of course i'll fix your getdeb'enated or automatixenated machine!"	16:27
Robot101	doctormo: yes, not letting 3rd parties cheese around with my system :P	16:27
andrew___	Robot101, speaking of PTYs, can Telepathy do that on its own?	16:27
doctormo	Robot101: Some people don't mind	16:27
* Mithrandir makes a mental note to get that package blacklisted from all his hosts. Seriously, shipping a package that includes a) pregenerated ssh keys and b) new user with full sudo access? Are you guys completely out of your mind? What happens when you lose the private SSH key to a disgruntled employee or a cracker?		16:27
leftyfb	ssh access is preferable and MUCH quicker for someone that just wants to finish their report and doesn't care how the person is fixing their computer	16:27
Robot101	Mithrandir: yeah seriously	16:27
doctormo	Mithrandir: thanks for joinging the discussion constructivly	16:27
Robot101	andrew___: no, it'd be something the "support app" would hook up and provide to telepathy	16:27
Hobbsee	doctormo: the guy is an archive admin, FYI. and also a core dev.	16:28
Mithrandir	to quote somebody much smarter than me, the interesting bit about security system is not how they work, it's how they fail.	16:28
Hobbsee	doctormo: you may not want to blow him off like that. he might end up reviewing your package, fi it goes into ubuntu.	16:28
Hobbsee	it's called karma.	16:28
Robot101	andrew___: telepathy itself is plumbing, it abstracts different protocols and types of communication. one of them is "tubes" for plugging arbitrary apps together.	16:28
doctormo	Hobbsee: I'm not partial to being treated baddly even by karma gods	16:28
andrew___	Robot101, Yeah, I'm starting to understand. You can rip on my idea later ;)	16:29
Hobbsee	Mithrandir: i'm assuming they generate the ssh keys on the fly, though.	16:29
Hobbsee	Mithrandir: they'd have to...	16:29
* cody-somerville is scarred to ask what is being discussed.		16:30
Hobbsee	cody-somerville: see ubuntu-devel-discuss ML	16:30
Robot101	cody-somerville: remote support tools	16:30
Mithrandir	Hobbsee: oh, how would you do that? You'd need to do secure key exchange somehow, then.	16:30
Hobbsee	cody-somerville: system recovery by ssh, basically, for non-secure users.	16:30
Robot101	andrew___: in this case, telepathy would use XMPP to say you'd started a local VNC/whatever service (which could be "Share my desktop" or "Share a terminal" or such)	16:30
Hobbsee	Mithrandir: dunno - send by email / other IM is all i'm really coming up with. But that's still better than pregenerated.	16:30
doctormo	Hobbsee: not seeing what you guys are talking about, maybe not required?	16:31
Mithrandir	Hobbsee: yes, it's better than pregenerated, but it didn't sound like what leftyfb/doctormo was talking about.	16:31
cody-somerville	I've never found it very difficult to tell someone how to install openssh-server and how to add a new account for me.	16:31
cjwatson	doctormo: if you guys are trying to solve the key exchange problem, I suggest reading the several decades' worth of cryptographic literature on the subject ... it's not a trivial problem	16:31
cody-somerville	Or how to get them to enable the remote desktop	16:31
doctormo	cjwatson: nope	16:31
Mithrandir	doctormo: prove me wrong by showing me a page with a thorough design and analysis of the security architecture, then.	16:31
Robot101	andrew___: and then when the remote user accepts, it'll signal over XMPP and do some negotiation (TCP, NAT traversal, tunnel via the server) to open the connection	16:31
doctormo	not trying to solve that	16:31
cjwatson	doctormo: it sounds like a necessary element	16:32
hunger	KDE has a system where a user generates invitations (valid for 60min) that can get submitted to "support guys" via mail or whatnot.	16:32
cjwatson	doctormo: if you aren't trying to solve it, the system seems fatally flawed ...	16:32
Mithrandir	cjwatson: either that or ship pregenerated keys with all the fun that entails.	16:32
Hobbsee	Mithrandir: true	16:32
hunger	Whoever has that invitation can get a VNC session.	16:32
Hobbsee	doctormo: you have to have some way of generating the key, and getting it to the clued user.	16:32
doctormo	Mithrandir: remind me what the keys are for again?	16:32
Hobbsee	doctormo: root access on the system.	16:32
ogra	doctormo, safety :)	16:32
Mithrandir	doctormo: you need to log into the localhost-only ssh?	16:32
Mithrandir	doctormo: technically, you could use a preset password, but that would be even worse.	16:33
doctormo	public key of the helper copied over to client on elective basis? must be missing something since you guys seem very concerned	16:33
ogra	well, without that you can as well use telnetd	16:34
Hobbsee	doctormo: because listing the private key in a publically available source is akin to suicide.	16:34
Hobbsee	doctormo: which appears to be what you're thinking about doing.	16:34
doctormo	Hobbsee: I didn't mention private key	16:34
Hobbsee	doctormo: so, how does the private, and public key, get generated?	16:34
doctormo	Hobbsee: what public private key?	16:34
cjwatson	doctormo: I think what we're missing is how the server gains access to the user's machine	16:35
Hobbsee	2 keys.	16:35
Mithrandir	doctormo: yes, the public key. How do you get it onto the system and copied into this brokensystem:~helper/.ssh/authorized_keys?	16:35
Mithrandir	s/this/the/	16:35
doctormo	Mithrandir: xmpp	16:35
Mithrandir	doctormo: so you're vulnerable to mitm attacks then.	16:35
doctormo	Mithrandir: jabber using ssl? odd	16:35
Mithrandir	to a host where you ship the ca certs used for the host in the package itself and do proper certificate validation, then? In that case, who are running the CA?	16:37
leftyfb	the jabber connection is SSL and the ssh is encrypted. What mitm?	16:37
Mithrandir	SSL isn't magic powder you can sprinkle on a TCP connection to make it secure, it takes a little bit more than that.	16:37
hunger	Mithrandir: The community of course;-)	16:37
Mithrandir	but I have to go now. Drop me a link to a design document about this and I might go poke at it and see if I can find weak spots.	16:38
doctormo	Mithrandir: your skill may be required	16:38
cjwatson	the CA here is a great big target for compromise	16:38
hunger	Who will do the support by the way?	16:38
Hobbsee	require all you like.	16:38
Hobbsee	hunger: them, methinks.	16:38
cjwatson	Hobbsee: easy ...	16:38
Mithrandir	(tfheen@ubuntu.com or just highlight me here.)	16:38
hunger	Hobbsee: Them, who?	16:38
Hobbsee	hunger: it's not an #ubuntu issue unless it gets in the archive, afaik.	16:38
leftyfb	the client generates their own private keys on installation, then sends the public key via xmpp to the server via our "bot" which places it in the proper ~/.ssh/authorized_keys for the session and removes it when the session is over	16:38
Hobbsee	hunger: those who are writing the system	16:38
Hobbsee	leftyfb: bot?	16:39
leftyfb	jabber client	16:39
doctormo	Now that we've struck fear into the hearts of ubuntu developers.	16:39
Hobbsee	leftyfb: how does that scale?	16:39
leftyfb	scale?	16:39
leftyfb	speak english please	16:39
hunger	doctormo: Assuming that the system is safe: Who will do the support?	16:39
cjwatson	leftyfb: "scale" is perfectly normal English in system design	16:40
Hobbsee	leftyfb: as in, how will it work with 1000000000 users, for eg?	16:40
doctormo	hunger: business is the main candidate	16:40
hunger	doctormo: Which business? Is there a company doing the support?	16:40
doctormo	hunger: That is probably the problem right there.	16:40
hunger	doctormo: Are you developing this for a company?	16:40
leftyfb	Hobbsee: what would the difference be with supporting 10 users as opposed to 1000? If it gets beyond 1000, of course you need to think about multiple servers and load balancing	16:40
cjwatson	doctormo: is the server capable of sending essentially arbitrary commands to the client (upon request by the helper)?	16:41
doctormo	hunger: no	16:41
doctormo	cjwatson: no	16:41
Hobbsee	leftyfb: right, so this would be a service you were charging to your users, running on your HW, i take it.	16:41
cjwatson	doctormo: is it capable of sending any commands to the client?	16:41
doctormo	cjwatson: no	16:41
hunger	How do you select the helpers if this is a community effort?	16:42
leftyfb	Hobbsee: for right now, i'll be using this to support my own customers who I do consulting for. We as a LoCo team will also use it as a group to support people we come in contact with.	16:42
leftyfb	hunger: carefully	16:42
cjwatson	doctormo: I think I'm missing how it's useful, then; I thought the point of this was to be able to remotely extract information from the client system	16:42
Hobbsee	cjwatson: it's to remotely fix it - adn to set up an ssh tunnel so they can.	16:42
leftyfb	signed pgp keys and CoC signing is required	16:42
doctormo	cjwatson: It's able to send information upon request, the supporter tool is able to send requests for information and requests for access.	16:42
cjwatson	doctormo: so it must be capable of sending some kind of command to the client, then? (Note I don't necessarily mean shell command here.)	16:43
doctormo	cjwatson: there is a difference between the server and the supporter client.	16:43
doctormo	which do you mean	16:43
cjwatson	err, I don't know your precise terminology. I mean the client as in the end user's system (as a whole) and the server as in the thing that both the client and the helper connect to.	16:44
doctormo	cjwatson: ok, the server is not able to send commands, it can send information to both the supporter (helper) and the suportee (client) upon request	16:44
doctormo	It's actually a bot program	16:45
* Hobbsee is greatful that e l m o has not been highlighted about this.		16:45
cjwatson	I'm not bothered about the implementation; I want a data and command flow diagram really	16:45
cjwatson	doctormo: how is information extracted from the client system?	16:45
doctormo	cjwatson: I see, supporter tool sends request to client tool, client tool asks user if it's ok. information is sent back.	16:46
cjwatson	what format do the requests take? They must have to be pretty general	16:46
doctormo	cjwatson: not that general, for instance to request logs: "@request logs xorg" would ask for xorg logs (various) which are pre-defined.	16:47
* Hobbsee assumes that's after the authentication.		16:48
cjwatson	I think what is confusing us is that you and leftyfb seem to be talking about radically different things	16:48
cjwatson	leftyfb is saying things like:	16:48
cjwatson	16:23 <leftyfb> we will have a local account with sudo access	16:48
cjwatson	16:23 <leftyfb> we don't need their passwords	16:48
cjwatson	16:25 <leftyfb> andrew___: people give M$ compete access to their computer when doing remote support. This support tool is meant to be used by groups/companies providing support to a large customer base	16:48
cjwatson	16:25 <leftyfb> it will be bound to localhost	16:48
cjwatson	16:25 <leftyfb> the sshd	16:48
cjwatson	16:25 <leftyfb> it'll be a custom sshd access only accessible via pregenerated keys and via localhost only	16:48
doctormo	cjwatson: I'm a programmer, leftyfb is a sysadmin we talk on different levels.	16:49
andrew___	doctormo, what does "@request logs ../../etc/shadow" do?	16:49
cjwatson	that isn't "different levels", that's a completely and utterly different designm	16:49
doctormo	andrew___: sends an error	16:49
leftyfb	i'm talking about ssh access	16:49
andrew___	doctormo, Good :)	16:49
cjwatson	leftyfb: so I think we should be interrogating you about your plans, rather than doctormo about his :-)	16:49
leftyfb	doctormo: is talking about the programs ability to send logs/etc to the helper without giving ssh access	16:49
cody-somerville	leftyfb, If you want ssh access to someones computer, get them to install the openssh server and create you an account. It is very very easy already. What use case are you trying to fullfill here?	16:49
cjwatson	leftyfb: how do you plan to arrange for safe authentication?	16:50
Hobbsee	cody-somerville: the 'user is clueless, can't do that'	16:50
leftyfb	I don't have much part in the design/implementation of the requesting logs part, only the giving ssh access part	16:50
Hobbsee	cody-somerville: the idea of one-click-authentication, etc.	16:50
Hobbsee	(i assume)	16:50
cody-somerville	Hobbsee, No matter how clueless the user is, they can type in what you tell them to pretty easily.	16:50
Hobbsee	s/authentication/implementation/	16:50
cjwatson	I'm much happier with what doctormo outlined above than anything that involves "type in what you tell them"	16:50
leftyfb	cody-somerville: my grandmother doesn't want to install ssh, generate keys, set it up for localhost access only, and ssh to me, creating a reverse ssh tunnel	16:51
doctormo	cody-somerville: I've done remote support a lot, it's not that easy behind a router.	16:51
Hobbsee	cody-somerville: actually, they can't. i've seen all sorts of users doing strange things, when you tell them to type in some commands.	16:51
andrew___	cody-somerville, it's not so much a matter of clueless, as good at describing things.	16:51
* _MMA_ hates the idea that"users are clueless" and the dumbing-down that goes on because of it. But that's a topic for a different time.		16:51
Hobbsee	leftyfb: how does the localhost access only?	16:51
Hobbsee	er, stuff work?	16:51
cjwatson	type in what you tell them might involve "sudo apt-get install symlinks; sudo symlinks -d /" for example, which looks just as innocuous as many other commands one might request that a user issue, but will subtly screw up the user's system	16:51
Hobbsee	by definition, isn't the idea that it's remote, ssh'ing in?	16:51
cody-somerville	leftyfb, and all of that is required why	16:51
cody-somerville	?	16:51
leftyfb	Hobbsee: you can configure sshd to only listen on localhost	16:52
cody-somerville	doctormo, true.	16:52
Hobbsee	leftyfb: yes, i know, but then, if you can't physically get to the box, you can do nothing.	16:52
andrew___	cody-somerville, For example, I was helping out a fairly technical friend lately, and we went round in circles for about 15 minutes because he hadn't understood that lines beginning with a '#' are comments	16:52
leftyfb	cody-somerville: security, simplicity as far as the user is concerned ... no firewalls to mess with	16:52
cjwatson	security is not achieved simply by adding ssh to the equation	16:52
Hobbsee	leftyfb: if you're going to do that, then why not just get the user to login, sudo -s, put in their password, then tell them to go make coffee for a while?	16:52
andrew___	(Or indeed that '#' is a character that needs spelling out)	16:52
cjwatson	which is why I asked the question above "how do you plan to arrange for safe authentication?"	16:52
leftyfb	cjwatson: security is achieved by ONLY allowing ssh to the customers machine via keys and a reverse ssh tunnel	16:53
cjwatson	leftyfb: how are those keys distributed?	16:53
doctormo	cjwatson: I'll get you a diagram, I think I have one	16:53
hunger	leftyfb: Where do the keys come from?	16:53
cjwatson	leftyfb: I'm interested in cases where there is no customer<->consultant relationship as well	16:53
Hobbsee	cjwatson: by the xmpp, which is vulnerable to mitm attacks, as Mithrandir said.	16:53
Hobbsee	hunger: presumably they get generated on first launch.	16:54
cjwatson	Hobbsee: please let them answer the questions I've posed, rather than answering for them	16:54
leftyfb	I already said that ... the ssh keys are generated at install time .. the public key is then sent via XMPP to the server where the "bot" on the server puts the keys into the proper place for the session and removes the keys after the session is closed	16:54
hunger	Hobbsee: Can't work... the consultant will need to have the private key so that he can authenticate.	16:54
Hobbsee	cjwatson: apologies, i was effectively regiving answers discussed above.	16:54
leftyfb	Hobbsee: the public key is sent to the server, not the private key	16:54
Hobbsee	leftyfb: i think that was directed at hunger	16:55
hunger	leftyfb: How does that allow the consultant to gain ssh access to the requestors computer?	16:55
doctormo	There are two instances were public keys are transmitted	16:55
cjwatson	leftyfb: the supporter needs to have a private key that grants authentication to the client system. How does the server ensure that the public key matches a trusted user?	16:55
cjwatson	s/user/supporter/	16:55
leftyfb	our public keys are either prepackaged or uploaded to the client at install and/or via xmpp for the session ... same drill	16:55
doctormo	leftyfb: not quite	16:55
leftyfb	sorry, not at install	16:56
cjwatson	leftyfb: what happens the first time the server is compromised and starts allowing evil public keys?	16:56
leftyfb	during the session	16:56
Hobbsee	hunger: er, the consultant generates the keypair, then sends it to the broken system, not the other way around.	16:56
doctormo	cjwatson: the public key for the supporter is transmitted over xmpp to the client.	16:56
hunger	Hobbsee: Yeap. But I do not get how it gets there.	16:56
Hobbsee	hunger: that's the discussion now	16:56
cjwatson	doctormo: that simply pushes the authentication problem one step back	16:56
doctormo	cjwatson: probably	16:56
hunger	Hobbsee: Yeap... that was what I was trying to ask, too:-)	16:57
cjwatson	you still have to trust that the supporter is Alice Aidgiver, not Evil Eye	16:57
cjwatson	s/Eye/Eve/	16:57
leftyfb	cjwatson: what happens when the support/client/server/canonical is compromised? We work on not letting that happen.	16:57
cjwatson	so you have to authenticate that somehow	16:57
cjwatson	leftyfb: Canonical has a key rollover procedure for compromise of the central archive key	16:57
doctormo	cjwatson: The supporter doesn't send the public key, the server does. the server has a list of good guys	16:57
cjwatson	leftyfb: I expect the same of any similarly-critical system	16:57
cjwatson	doctormo: how is that list maintained?	16:58
Hobbsee	cjwatson: out of curiosity, is that documented publically anywhere? i'd be interested in seeing what that is.	16:58
doctormo	cjwatson: at the moment, by hand	16:58
cjwatson	Hobbsee: no, though it probably should be (with the list of people you need to mug excised)	16:58
Hobbsee	cjwatson: heh, yes.	16:58
cjwatson	so I think this probably can be made secure, but it does need a competent security review, and for its proponents to be willing to make changes as a result of that review as necessary	16:59
doctormo	cjwatson: I agree	16:59
Hobbsee	oh, ffs.	17:00
doctormo	I'm not a security expert and I would a fool to sugest otherwise.	17:00
* Hobbsee goes off to rant elsewhere.		17:00
cjwatson	and you will encounter problems. At some point you have to assume that a supporter will go bad.	17:00
leftyfb	cjwatson: public keys will be flushed from the customer's system and the server each time a session is created and repopulated with the public key from the supporter uploaded via xmpp on the fly (yes doctormo ,this is new but doable)	17:00
doctormo	cjwatson: yes, I've thought about that.	17:00
doctormo	not enough to solve it though	17:01
leftyfb	that sound better?	17:01
cjwatson	leftyfb: the key rollover problem I refer to is that, when the server is compromised, you need to have a trusted way to re-secure all clients	17:01
cjwatson	because you will have to regenerate the keys used to authenticate the server to the client	17:01
leftyfb	if the server is compromised, they get nothing. No ssh private or public keys, no access to ssh to anywhere using passwords	17:01
cjwatson	err	17:02
doctormo	leftyfb: no, your suggestion won't work	17:02
leftyfb	?	17:02
cjwatson	that can't be true, given what you've said	17:02
cjwatson	the client is given supporter keys by the server	17:02
cjwatson	ergo, the server has a means to authenticate its identity to the client	17:02
cjwatson	this further implies that a compromised server can feed evil supporter keys to the client	17:02
cjwatson	(only once a client connects of course, but that's just a matter of time0	17:03
cjwatson	)	17:03
doctormo	cjwatson: those keys are use once, if the server is recovered the effects are null	17:03
cjwatson	doctormo: we're talking about different keys	17:03
doctormo	I think so	17:03
cjwatson	I don't mean the session keys for an individual client<->supporter session	17:03
cjwatson	I mean the keys that protect the exchange that delivers new session keys	17:03
cjwatson	there must be such keys	17:04
doctormo	Over ssh or xmpp? just to be sure I understand	17:04
cjwatson	transport is unimportant	17:04
cjwatson	at the level of protocol design, details of transport are a distraction and best ignored	17:04
doctormo	cjwatson: no I mean not in tech terms. in our context where we are using ssh or where we are using xmpp.	17:05
cjwatson	I honestly haven't followed in enough detail to know and it doesn't matter to my question	17:05
xivulon	out of curiosity, is this a different problem from a (trusted) repo providing packages as opposed to keys?	17:05
cjwatson	xivulon: it's related	17:05
doctormo	cjwatson: true, it just matters for my understanding	17:05
xivulon	then couldn't similar techniques be applied in both cases?	17:06
cjwatson	xivulon: that's part of where I'm headed	17:06
cjwatson	but it's dangerous to make too many assumptions up front ...	17:06
doctormo	OK (this is implimetation detail), the client does have the configration for the server in a nice xml file, it has the servers public key which is used to confirm that the server is who it says it is.	17:07
doctormo	This I think is what you mean	17:08
cjwatson	doctormo: from what I recall I think you described this as being by xmpp but I am honestly not sure	17:08
* ogra finds the words "nice" and "xml file" in one sentence disputable :)		17:08
* cjwatson waves the "distraction" flag again		17:09
doctormo	cjwatson: So if the server becomes evil, the public key in the config is invalid and potentially evil?	17:09
cjwatson	doctormo: correct	17:09
doctormo	right	17:09
doctormo	So far we're only using that key for the ssh connection, we're not using it for xmpp which just connects using dns only. not very secure as it doesn't certify the server (afaik)	17:10
cjwatson	yes, that's horrible	17:10
cjwatson	no secure protocol may rely only on DNS	17:11
doctormo	As for public key updating... I'll have to think about the problem	17:11
doctormo	colin if you know of an existing solution, do tell	17:12
cjwatson	my suggestion would be that the server public key should reside in a package and only ever be updated out of band (i.e. by package updates, thus transferring the problem to that of archive signatures); furthermore, in order to ensure that clients are updated as quickly as possible after a compromise, there should be a way for the client to check whether newer versions of itself are available with newer keys, and refuse to run i	17:13
cjwatson	or something along those lines	17:13
cjwatson	if xmpp relies on DNS for authentication of remote identity, I think you should rethink your use of that problem	17:14
leftyfb	compromised server + customers broken package management = no support tool	17:14
cjwatson	err ... of that protocol	17:14
cjwatson	leftyfb: yes	17:14
leftyfb	and if this were to get into the main repositories, updating keys would be dependent on how quick canonical is with pushing the updates	17:14
cjwatson	yes	17:15
cjwatson	though not just Canonical	17:15
doctormo	cjwatson: I agree with your idea, I believe xmpp can be made to check validity of the server more rigerously	17:16
hunger	leftyfb: You do not want to have your own package repos for this? Is everybody supposed to get the same config (== end up on the same server)?	17:16
doctormo	hunger: indeed, very good question +1	17:16
hunger	Or will you modify the config for the users your company wants to support?	17:16
cjwatson	I think it is probably a good idea for commercial support offerings to run a separate server, or deliver separate configuration in some other way	17:17
doctormo	There is the possibility of having a number of servers available, both LoCo, canonical offical support maybe even system76 available from ubuntu repos and the tool could let the user decide	17:17
hunger	I really do not see the need for such a package in a distribution... Maybe in some enterprisy thingy with support contracts, etc.	17:18
hunger	"Community support" with access to the system in question does smell too much like inviting random idiots from the net to break install troyans to me.	17:19
hunger	Maybe that is just me... but I doubt it.	17:20
leftyfb	what about having a list of of server to join for remote support. The servers would be the different LoCo's willing to provide support, possibly Canonical, system76, Dell, etc	17:20
doctormo	hunger: that is a concern i have, I imagen the good name of a LoCo being the basis for community support. Those who lead such groups would have to be trusted to only allow trusted people in, as above PGP signed keys and CoC would be a good start	17:20
hunger	doctormo: LoCo? CoC? Sorry, my english sucks:-(	17:21
ogra	hunger, local communities	17:21
ogra	hunger, coc = code of conduct ... dude you hang around in this channel since how many years ?	17:22
leftyfb	LoCo - Local Community CoC = Code of Conduct which all official ubuntu members need to agree to and sign	17:22
hunger	Well, in a support forum you can not post responses that will do bad-stuff since everybody can see it and will tell you.	17:22
hunger	With some single guy messing with your system via SSH: Who is ever to know?	17:23
doctormo	hunger: yes, there is an audit, but ultimatly root access is root access. If someone intentionally or mistakenly hurts a machine then it's the group that must make amends.	17:23
hunger	doctormo: Audit?	17:24
doctormo	hunger: nothing fancy, the ~/bash_history is sent to the server after disconnect. it could be removed if someone was malicious though.	17:24
leftyfb	again, who's to say a Microsoft support employee isn't going wipe your "My Documents" folder when he's doing remote support?	17:24
leftyfb	This is the nature of remote support	17:25
leftyfb	you assume the helper is to be trusted	17:25
leftyfb	there's no way to ensure it	17:25
doctormo	hunger: the only real barriers we can put in place are organisational, not technical	17:25
cjwatson	with a Microsoft support employee, you have a contractual relationship and can at the very least prove which legal entity was responsible for the breach	17:25
hunger	leftyfb: Sure, but with a MS support guy there is a company that gives its (good?) name and says "that guy will not mess up your system". And you can sue them if they misbehave;-)	17:25
cjwatson	this environment is different because it's quite possible you won't even know whom to prosecute under the Computer Misuse Act	17:26
cjwatson	which lays the server operator open to subpoenas for logs, etc.	17:26
doctormo	cjwatson: not a problem, subpoenas aren't always a bad thing	17:26
cjwatson	right, but I think it's important to bear in mind that "make amends" may be a little more than "we're sorry, we won't do it again"	17:27
cjwatson	the system has to be designed up-front to avoid problems	17:27
doctormo	cjwatson: i agree, it may be "get sued into bancrupsey"	17:27
hunger	doctormo: They do cause work that somebody has to do:-)	17:27
cjwatson	I liked the sound of a system that could only offer certain predefined classes of information on request	17:27
cjwatson	that's a lot better than "some guy gets a root shell by ssh"	17:27
hunger	doctormo: And that work will end up on the server admin's desk...	17:27
cjwatson	~/.bash_history> unset HISTFILE; do malicious things	17:28
doctormo	cjwatson: It isn't some guy though, it's a person the server knows, who has a signed PGP key and who the server operators personally know.	17:28
cjwatson	I'd suggest keeping a connection trace instead	17:28
doctormo	cjwatson: I never found out how to do that, that was my first thought	17:28
cjwatson	personally know> that wasn't clear to me from the above. You mean somebody whom the server operators have met?	17:28
doctormo	cjwatson: yes	17:29
doctormo	But again, that is organisational	17:29
cjwatson	that doesn't sound like it will scale as people want	17:29
cjwatson	which means there'll be pressure to breach that	17:29
hunger	cjwatson: That is not a good idea either! Think what kind of info might end up in such a trace. Having that stored on the server does not sound too good an idea.	17:29
doctormo	cjwatson: I know, but it's important to organise the organisational scalling too	17:29
hunger	cjwatson: Plus the SSH connection is encrypted and not visible to the server anyway.	17:30
doctormo	hunger: the ssh is a double hop through the server	17:30
doctormo	couldn't the server trace from there?	17:30
hunger	doctormo: So I can put arbitrary info into any currently running ssh session streams if I gain access to the server?	17:31
cjwatson	hunger: logging just the supporter->client side of the exchange (and not client->supporter) wouldn't reveal anything private	17:31
cjwatson	or at least is unlikely to	17:31
doctormo	hunger: not sure, maybe	17:32
hunger	doctormo: No, from what I understand the supporter logs directly into SSH on the users box (going through port forwarded to the server).	17:32
cjwatson	hunger: port-forwarding on the server => server can snoop	17:32
cjwatson	actually, no, I suppose that isn't true	17:32
hunger	cjwatson: It can snoop an SSH stream...	17:32
cjwatson	yeah, end-to-end encrypted	17:32
hunger	cjwatson: Not very informative;-)	17:33
cjwatson	hunger: however, the client software could report a trace of what the supporter asked it to do	17:33
cjwatson	(obviously you can't trust a malicious supporter to do so)	17:33
hunger	So logging needs to be done either by the supporters system or by the users system. Both are under the control of the supporter...	17:33
cjwatson	that could still be nobbled by the supporter, but it would raise the bar, particularly if it were done immediately rather than at the end of the session	17:34
doctormo	hunger: at the moment it's set up so the supporter logs onto the server, then logs into a localhost port to log into the tunnel to the client	17:34
cjwatson	if it were done immediately, then the last thing in the trace would be <supporter nobbles reporting software> which would be a big alarm bell in itself	17:34
cjwatson	provided that you report all commands before execution	17:34
* ogra wonders if the landscape team couldnt give some hints on secure connecting remotely		17:35
hunger	cjwatson: SSH can force commands to execute... you could have that forward the commands back to the server before handing it to a shell.	17:35
hunger	s/SSH/sshd/	17:35
cjwatson	hunger: there's no obvious reason to do this by ssh alone. It should be something richer on the client side that can receive a command format, report them, and execute them as appropriate.	17:36
cjwatson	hunger: (p.s. I maintain our openssh packages)	17:36
doctormo	cjwatson: that would be interesting	17:36
hunger	cjwatson: Something we have not considered is that the supporter could set up SSH tunnels, bypassing your firewall configuration.	17:36
cjwatson	hunger: which is yet another reason allowing the supporter to execute arbitrary commands is an unwise design	17:37
cjwatson	DDTT	17:37
doctormo	cjwatson: although more alarm bells	17:37
hunger	So he can even attack the system or others...	17:37
Hobbsee	cjwatson: DDTT?	17:37
cjwatson	don't do that, then	17:37
leftyfb	If we aren't trusting the supporter, then this tool is useless	17:38
cjwatson	leftyfb: that's not true at all	17:38
doctormo	leftyfb: you just have to be able to catch supporters that go bad, auditing is good for that.	17:38
cjwatson	the supporter can be given the ability to ask for certain information and get it automatically, and then recommend certain courses of action under the control of the user	17:38
cjwatson	it's not an all-or-nothing thing, and presenting it as such is harmful	17:39
leftyfb	I need this tool for root ssh access to my customer box's when they have problems. Without this, I won't be using this tool. Simple as that.	17:39
cjwatson	leftyfb: so make the tool flexible enough that it can offer that to you where you have a contractual relationship with the customer, but don't turn that on for general user support over the Internet	17:39
doctormo	leftyfb: no reason it can't do both, if the server doesn't have ssh support, the client won't allow ssh	17:39
cjwatson	leftyfb: you don't have to make your requirements mandatory in the tool as a whole	17:40
hunger	leftyfb: I think it is a great tool for a company/customer relationship. I just do not think community support with root access is a good idea.	17:40
andrew___	It sounds like you guys are coming at this problem from different directions. doctormo and leftyfb are starting with tech support for friends and scaling up, cjwatson is looking at a way of automating/real-timing some of the work of the Ubuntu forums.	17:41
doctormo	andrew___: both doable using the existing tool	17:41
leftyfb	we need to start small to support customers we have now	17:42
doctormo	cjwatson: I've organised the support tool so that commands can be added on quite easily.	17:42
cjwatson	andrew___: that's not an accurate representation of my position, FWIW	17:42
andrew___	cjwatson, what would be more accurate?	17:42
hunger	andrew___: I don't need such a tool to support friends and get supported by them. krfb is great for that:-)	17:42
cjwatson	andrew___: I have nothing to do with the forums; my interest is in ensuring a secure design for any software that is offered to users of Ubuntu	17:42
andrew___	cjwatson: Fair enough.	17:43
cjwatson	(and, FWIW, I would rather have no software than insecure software in this case; although I accept that it is a significant requirement and I suspect it can be made acceptably secure with some effort)	17:43
doctormo	cjwatson: and I thank you for your help.	17:43
leftyfb	hunger: the biggest advantage of this tool I see is not needing to open up ports on their firewall/router	17:43
leftyfb	cjwatson: i'm of the opposite opinion	17:43
cjwatson	leftyfb: that's fair enough, but part of my job is ensuring high standards of software in Ubuntu	17:44
hunger	leftyfb: Sure. But I can do that when I set up a system:-)	17:44
cjwatson	leftyfb: you are (obviously) entitled to do whatever you like within your customer relationships	17:44
leftyfb	hunger: i prefer not to poke holes in the customers network	17:44
hunger	leftyfb: In a commercial setting you will have a hard time to sell a firewall-bypass-tool.	17:45
cjwatson	leftyfb: but, when it gets offered to all Ubuntu users, it comes within my purview	17:45
cjwatson	(among others)	17:45
leftyfb	hunger: gotomypc, logmein, teamviewer	17:45
hunger	leftyfb: I found it much easier to ask them to open a port which is then documented in their security documentation than to "sneak in" some piece of software.	17:46
doctormo	leftyfb: there is no reason why we can't have the more advanced features enabled by us personally or by some simple option. Normal internet wide servers wouldn't do ssh but our own would.	17:46
hunger	leftyfb: Maybe we are talking about different kinds of customers here:-)	17:46
doctormo	hunger: It's not sneaking in,	17:47
ogra	there are many corporate environments where you cant get more than http and mail protocols through the firewall by policy and getting another port open can take you months to get approval fro from all parties involved	17:47
hunger	doctormo: If it is not approved by the IT department and documented in the security guidelines, then it is sneaking in.	17:47
hunger	ogra: Sure. But it can get you kicked out of the company if you get caught going round the firewall, too.	17:48
ogra	judging from myself, thats actually the majority of companies i have worked for doing it in such a way	17:48
hunger	doctormo: Well, that tool is probably not targeted at companies with a IT department anyway.	17:48
* hunger has to run.		17:49
ogra	run hunger run	17:49
ogra	:)	17:49
doctormo	ogra: remind me, were you at UDS "Boston"?	17:50
ogra	doctormo, yep., i think we met outside several times	17:50
doctormo	I think so too	17:50
ogra	you're the one from the local loco, right ?	17:50
* ogra refines to typo the name of the state he cant pronounce either :)		17:51
doctormo	Yes, Ubuntu-US-MA this might explain the development	17:51
ogra	ah, right there is an abbreviation i forgot :)	17:52
Amaranth	Massachusetts	17:52
ogra	Amaranth, :P	17:52
* Amaranth used spell check		17:52
ogra	i still cant pronounce it without getting knots in my tongue :)	17:53
LaserJock	hah	17:53
LaserJock	ogra: I feel the same about many German city names ;-)	17:53
doctormo	You get used to the spelling after a while	17:54
ogra	Amaranth, oh, while you are here, i put willow on the uds agenda :)	17:54
* Amaranth runs		17:54
doctormo	ogra: we were talking at uds about dohickey and hardware tools	17:54
ogra	LaserJock, yeah, understandable ... my hometown is easy though	17:54
ogra	doctormo, ah, yeah, cr3 is doing all that now	17:54
andrew___	Since there's a lull in the other debate, cjwatson: how come sshd allows password authentication by default?	17:55
andrew___	(I asked this in launchpad, but since you're here...)	17:55
doctormo	ogra: I thought canonical had dropped hardware information projects? I assume this because I heard nothing from anyone.	17:56
ogra	doctormo, we have a new tool that hooks in with LP now	17:56
ogra	hwtest-gtk	17:57
ogra	(had to look that up)	17:57
sladen	it died because nobody would share the data from the project	17:57
ogra	sladen, its still ongoing	17:58
ogra	just not 100% finished afaik	17:58
sladen	s/died/has not achieved its full potential/	17:58
doctormo	ogra: forgive me if i'm not hurt by being left out.	17:58
cjwatson	andrew___: well, it's the upstream default as well. I tend to think that it's sufficiently useful in many environments to be left on by default, though I'm not surprised by people turning it off	18:01
andrew___	Isn't it a serious security issue though? It's alright for upstream, because OBSD users can be trusted not to use abc123 as a password ;)	18:03
cr3	doctormo: hiya, how's it been since last uds?	18:03
cr3	ogra: thanks for pimping my wares :)	18:04
ogra	:)	18:04
Hobbsee	andrew___: if they're that stupid and install an ssh server with such a p/w, don't they deserve to be rooted?	18:04
doctormo	cr3: Busy, very busy.	18:05
andrew___	Hobbsee: not if Ubuntu is supposed to be Linux for human beings, no.	18:05
cjwatson	andrew___: well, considering that we don't install an SSH server by default, it hasn't particularly worried me	18:05
mjg59	andrew___: There's no default username, and there's no default password	18:05
Hobbsee	andrew___: then remove all their input devices.	18:05
cjwatson	it was perhaps more of an issue when we did	18:06
doctormo	cr3: I was just talking to ogra about how I've not had any emails from you guys about hardware information and detection.	18:06
cjwatson	anyway, got to go ...	18:06
andrew___	Bye - thanks.	18:06
cr3	doctormo: the limiting factor here is mostly on the launchpad side where additional hardware detection would not supported by the relaxng schema.	18:08
cr3	doctormo: I would like to see the schema eventually evolve to support more clever hardware detection such as done by dohickey, but Launchpad should first provide an interface for the existing schema before evolving it.	18:09
doctormo	cr3: launchpad may be the wrong place to create a schema, although I'm sure you'd disagree at this point. it's too late.	18:11
doctormo	when I get back to dohickey, I'll come calling and see what you've learned that I could aply	18:12
cr3	doctormo: it is necessary for the schema to be defined server side in order to provide a form of validation before storing the information in a database	18:12
cr3	doctormo: consider any rpc system for example, it is the server which enforces somekind of api in the form of a schema, dtd, idl, etc.	18:14
pitti	seb128: hah! I now got one common fakechroot error case fixated in a test case, and I can perfectly reproduce it on my desktop, without mixing different chroots, etc.	18:14
pitti	seb128: I was afraid that the combination of dapper system + gutsy chroot + hardy fakechroot mixed shlibs in a way to break this	18:15
cr3	doctormo: I don't quite see how this could be debated so, perhaps I misunderstand what you mean by: launchpad may be the wrong place to create a schema	18:15
cr3	doctormo: did you mean another server should be used for displaying hardware results to the community such as the dohickey server or the smolt server even?	18:16
andrew___	doctormo: About LoCoRemote, it's worth having a poke about at http://popcon.ubuntu.com/ to see what package people tend to have on their systems. For example, it looks like only about 20% of people have an SSH server already installed.	18:21
pitti	seb128: ah, and the test still succeeds in feisty and gutsy; that explains the regression in hardy; apparently hardy's rm uses a new stat()-like call which isn't recognized by hardy's fakechroot	18:26
andrew___	Speaking of popcon, does anyone know how there can be 541,530 submissions to popcon, only 540,735 of which had popularity-contest installed?	18:28
pitti	andrew___: apparently you can submit your system data several times?	18:29
ogra	it is an optional thing	18:29
ogra	so not really something to base actual statistics on	18:29
andrew___	Sure, but how do you submit data if you don't have the program to submit it?	18:29
pitti	andrew___: I mean, those wo do have it installed might have submitted more than once	18:30
andrew___	Yeah, but then popularity-contest would show up more than once.	18:30
andrew___	Maybe the other handful were installing popularity-contest from source or something.	18:31
* ogra tries to imagine a hand with 800 fingers		18:36
ogra	:)	18:37
andrew___	If two parties share a secret of, say, 10 or 20 characters, is there a security algorithm that could give you reasonable security for a few kilobytes of text, implementable in sed (or Perl with no modules)?	18:49
doctormo	cr3: What I meant was that the schema for hw information is not static, launchpad doesn't ahve the tools to deal with dynamic hardware schemas yet.	18:50
doctormo	andrew___: I wonder if it's worth having a seperate ssh package which is pre-configured for localhost, unsure of the solution with regards to sshd	18:52
andrew___	I'm not sure I follow - what would that involve?	18:53
awalton__	andrew___, depends on your definition of "reasonable."	18:56
andrew___	awalton__: unlikely to be cracked within 20 minutes? At a guess.	18:57
awalton__	but then again, perl is turing complete, even without its modules, so I guess the answer is "yes"	18:57
andrew___	True. Do you have any particular pointers for where I might look?	18:57
awalton__	google, wikipedia are often where I start.	18:58
ogra	andrew___, if you use ssh, then you surely have ssh-keygen installed?	18:58
awalton__	you could probably do a small blowfish implementaiton...	18:58
andrew___	ogra: if I've got SSH, I don't need to worry about such hacks :)	18:58
* andrew___ makes note to look for Blowfish implementations in Perl		18:59
andrew___	Basically, I'm browsing popcon and thinking that sed, perl and netcat are amazingly popular and can probably be convinced to work with just a binary...	19:01
awalton__	or if you want a really, really small implementation, something like xtea or RC4, but they're both substantially weaker :-/	19:01
andrew___	sed and netcat are even in /bin, so get around problems with /usr failing to mount.	19:01
andrew___	Not so much small as possible for me to verify (and write if absolutely necessary), given my lack of security training.	19:03
awalton__	is it even worth it though? does it matter?	19:04
andrew___	Depends how hard it is.	19:04
seb128	pitti: ah ok	19:05
pitti	seb128: currently digging in the fakechroot code to add an implementation for the missing newfstatat()	19:06
* seb128 hugs pitti, good work		19:06
andrew___	If I can put something together in an afternoon that's a guaranteed "download this and follow the instructions" solution for anything from a 90's NetBSD to a modern Leapord, I'd say yes :)	19:06
pitti	none of the new *at() functions are implemented :/ (http://lwn.net/Articles/164887/)	19:06
Riddell	doko: any idea what causes an error like this? http://paste.ubuntu.com/10990/	19:17
Riddell	doko: seems I have to add -ldl for some reason	19:23
lamont	mvo: is your util-linux change for #157763 something that should go in long-term upstream?	19:30
lamont	meh. no mvo	19:36
pitti	seb128: BANZAI!	19:37
jdong	is archive.u.c under stress? it's responding very slowly to me	19:59
pitti	yes, it is	20:00
pitti	both mirroring drescher (master archive) and downloading from it take ages	20:00
jdong	oh	20:00
cr3	doctormo: perhaps a schema allowing for dynamic data could be proposed for launchpad. any suggestions?	20:00
=== thegodfather is now known as fabbione
LaserJock	geeze, 2 times in 2 days I find a package I'm interested has been removed from Hardy :(	20:33
bimberi	hi LaserJock, which one? iirc qgis was the other.	20:36
Mithrandir	andrew___: look at http://www.cypherspace.org/adam/rsa/perl-dh.html to get a key exchange going, then you have a session key and can use that with regular crypto. I'd probably just use "openssl bf" or similar, though.	20:36
LaserJock	bimberi: ksynaptics	20:38
LaserJock	my touchpad has too many "features" on it that are very annoying so I was hoping to turn them off	20:39
LaserJock	I think I'll just do it in xorg.conf and see how that goes	20:40
* pitti uploads another fakechroot which now finally works again for hardy		21:20
pitti	\o/	21:20
pitti	bdmurray: ^ FYI, that means I can reactivate the retracers (will do tomorrow, too late now)	21:20
=== fta_ is now known as fta
bdmurray	pitti: sweet!	21:23
Caesar	pitti: so I've got various small bugfixes I'd like to get into hardy-proposed	21:34
Caesar	I presume I can't upload there because my key's not in the keyring, so I'll need sponsorship?	21:35
jdong	Caesar: main or universe? (make sure it meets SRU policy and follows the SRU process)	21:38
geser	Caesar: yes, you'll need sponsorship. Have you already an ACK from the (correct) SRU team?	21:39
jdong	even developers must get approval from the appropriate SRU approval team to ACK the request before uploading	21:39
doctormo	cr3: I thought you'd seen dohickey, next UDS in mountin view I'll have to show you how it works	21:42
Caesar	jdong, geser, where/how do I get SRU team blessing?	21:46
Caesar	Point me at docs, I'll go read	21:46
geser	Caesar: https://wiki.ubuntu.com/StableReleaseUpdates	21:47
Caesar	thnx	21:47
cr3	doctormo: you showed me dohickey in person and I took the time to look at the code on the client side. I have to admit I didn't look at the server side but, apparently, I'm missing out :) thanks for pointing this out	21:47
doctormo	cr3: It has a schema for dynamic data using data pathing	21:53
cjwatson	andrew___: I'd second Mithrandir's recommendation of something pre-cooked. Designing your own cryptosystem without security training is a really bad idea, and 20 characters => 160 bits => probably worthless for security purposes	22:36
andrew___	Yeah, that link is a good idea (thanks Mithrandir). Actually, I'm starting to think that it's better to use small, simple tools to make the whole "recovery from a nearly-broken system" idea redundant.	22:39
andrew___	Hence posting to ubuntu-devel-discuss about dealing with failed mounts.	22:40
* davidm is away: I'm busy		22:48
cjwatson	andrew___: to back up my "160-bit keys are worthless for security purposes" statement: I just tested msieve (http://www.boo.net/~jasonp/qs.html) on my laptop with a series of 160-bit numbers that were products of two random 80-bit primes. The mean time taken to factorise each was .67 seconds.	22:54
andrew___	Bearing in mind my lack of security training, does that mean that any amount of information that could usefully be transferred over the phone is only useful in the context of something like a password in an SSH session?	23:01
andrew___	(Where by "usefully transferred over the phone", I mean "dictated phonetically at one character per second for less than 30 seconds")	23:05
Mithrandir	andrew___: tbh, I'd recommend using SMS-es or a similar out-of-band medium for transferring a passkey, preferably with a very short time span (5 minutes)	23:16
Mithrandir	so you'd get an sms with "the server should tell you abcd1234 and you should tell it gargleblaster"	23:16
andrew___	That's still only 160 characters max. though?	23:17
Mithrandir	it's not foolproof, but it's probably one of the better key exchanges you can come up with today. It has a cost associated, but if you're in a business relationship, that should't be a problem.	23:17
Mithrandir	that doesn't really matter so much, since you'd need to make it short-lived and lock the password on three wrong tries	23:18
Mithrandir	of course, an attacker can continually request new passwords, but you might notice that your phone keeps getting new passcodes and then react on that.	23:18
Mithrandir	but then, I think this is a good idea, so find somebody smarter than me to poke holes in it and tell you on what points I'm wrong.	23:19
andrew___	Yeah, part of the reason I prefer an actual phone call is because you can at least verify that they sound like the right person.	23:20
Mithrandir	social engineering is typically quite easy, especially in a business situation.	23:20
andrew___	My personal interest is in tech support for friends. If I was looking at a business thing, the first thing I'd do would be to get them to pay for me to physically go there and set up a reasonably secure login.	23:21
Mithrandir	between friends, social engineering is harder, agreed.	23:22
Mithrandir	and between friends, well, I wouldn't want a bot to message me, since that probably meant the login was actually going through a third party I had no reason to trust.	23:23
Mithrandir	trust is bloody hard to manage and is not transitive, which makes this a problem.	23:23
andrew___	You're thinking of doctormo and leftyb, I'm looking at a completely different thing :)	23:23
Amaranth	hrm, i thought the bug squad had access to all ubuntu bugs	23:24
Mithrandir	Amaranth: not security ones, I'd have thunk.	23:25
Amaranth	security doesn't mean private though, apparently	23:25
Amaranth	although i guess if you set it private and security it might lock the bug squad out	23:25
Mithrandir	andrew___: true, but if you're serious about having some decent security in your system, sit down and make a design document explaining what and how and let people poke holes in it.	23:26
Mithrandir	after a few iterations, we might have something that none of us are clever enough to break, at least.	23:26
Mithrandir	and it's not the crypto that's going to be the hard part. It's the procedures, the social engineering and how your components fit together and managing trust between them.	23:27
andrew___	Sure - as soon as I can get to the end of a sentence without falling through eight of those holes.	23:27
mneptok	Amaranth: you won;t have access to private bugs of paid Canonical customers.	23:27
Mithrandir	mneptok!	23:27
mneptok	Mithrandir!	23:27
Mithrandir	mneptok: crazy man, how are things?	23:27
* mneptok spews ponmies and glitter		23:27
mneptok	*ponies	23:27
Amaranth	some guy is complaining about aptoncd but his bug report is private	23:28
mneptok	not too bad. the jbailey replacement has finally arrived. that's quite nice.	23:28
mneptok	Amaranth: bug#?	23:28
Amaranth	bug 221839	23:28
Mithrandir	mneptok: ah, sounds good, and about time	23:28
ubottu	Amaranth: Bug 221839 on http://launchpad.net/bugs/221839 is private	23:28
wgrant	Amaranth: Security issues are private by default.	23:29
mneptok	Amaranth: no access here, either. not private because of a paid relationship.	23:29
mneptok	Mithrandir: no kidding. it's been too long.	23:29
doctormo	andrew___: some completly different remote support tool using reverse ssh tunnels then	23:29
mneptok	Mithrandir: keeping busy? reporting to your parole officer as expected?	23:29
Mithrandir	mneptok: keeping busy, yes, lots of fun and learning, which is good.	23:30
Mithrandir	mneptok: billing customers is kinda weird, though. :-P Given that I didn't work in such a position at C	23:30
andrew___	doctormo: probably. as of right now, I'm still trying to work out what the actual missing pieces are in the puzzle.	23:30
Mithrandir	andrew___: do you have a document explaining what the problem you are trying to solve is?	23:31
doctormo	andrew___: the main parts? well I see people as a missing part, people that can be trusted. but this may not be the same as your problem.	23:31
Mithrandir	and some rough sketches of your approach to solving it?	23:31
Amaranth	wgrant: Yeah but some guy set a compiz bug as a security issue just because he wanted someone to look at it	23:31
Amaranth	That's when I noticed security didn't automatically mean private	23:32
andrew___	Mithrandir: short answer - nothing worth reading yet. As I say, I'm still getting my head around things.	23:34
Mithrandir	andrew___: ahkay. Once you have that, tell me and I'll be happy to see what holes I can poke in your solution. ;-)	23:34
andrew___	Thanks :)	23:34
andrew___	I suppose the basic problem I'm looking at is: someone you know has a system that doesn't work, and your phone number exists somewhere in the list of things ways they know how to fix computer problems. How do you get said friend's computer working?	23:36
Mithrandir	I would probably pull out my bike and bike over or ask them to bring the laptop to my place.	23:36
andrew___	Most of the people I know are not within biking distance :s	23:37
Mithrandir	hehe	23:37
andrew___	Plus, it's always been my opinion that Linux adoption is constrained mainly by the number of people in generation N that can be supported by the community from generations <N.	23:38
Mithrandir	conceivably, yes.	23:39
andrew___	Therefore, two key ways to increase the pace of Linux adoption are to reduce the support burden and increase the number of people that older generations can support.	23:39
lifeless	Mithrandir: in the deep of winter ? :)	23:39
Mithrandir	I think a solution using the telepathy framework and such might work well, but I'd start by having a good description of the problem and the requirements.	23:39
Mithrandir	lifeless: I live in Oslo, we don't get real winters any more. :-(	23:39
Mithrandir	lifeless: (yes, I bike the whole winter)	23:39
andrew___	I live in Britain. We don't get real winters, but we're starting to get real summers :s	23:40
lifeless	Mithrandir: I knew where you lived :), I didn't know the climate had changed so noticably for you.	23:40
Mithrandir	lifeless: well, it's more about being downtown, I think. I live basically at sea level about 1km from the ocean, so it doesn't get very cold for very long.	23:41
andrew___	What I'm thinking now is: there's lots that can be done with bullet-proofing the "mostly-broken" case. I've mentioned two of what I think are the biggest issues on the ML: half-installed packages and FSs that won't mount...	23:41
andrew___	There's plenty of work already done in the "mostly working" case, and I'm starting to think that we need existing solutions to be promoted, rather than the likes of me adding another voice to the cacophony.	23:43
andrew___	But what about the intermediate case? How common is it that someone will boot to a system that's not functional enough for Telepathy and friends, but too functional for automated special-case solutions?	23:44
Mithrandir	that's called "live CD", isn't it?	23:45
Mithrandir	and then have the support tools available from there and the "help from a friend" functionality available there	23:45
andrew___	Generally speaking, people with enough foresight to have a live CD lying about generally don't need my help :)	23:45
andrew___	Hmm.	23:46
andrew___	Should there be a recovery option to download and burn a live CD?	23:46
andrew___	From GRUB or similar?	23:47
Mithrandir	grub2 can give you netboot, and well, tftp can be routed, so theoretically you could boot over the internet	23:47
Mithrandir	it wouldn't be fast, though	23:47
Mithrandir	and would absolutely not be secure	23:48
andrew___	Yeah, and security becomes an issue again.	23:48
Nafallo	Mithrandir: wouldn't that depend on the speed of the connection? :-)	23:50
Mithrandir	Nafallo: no, it would probably more depend on the latency of the connection.	23:51
Nafallo	Mithrandir: point-to-point 10GbE wave? :-)	23:51
Mithrandir	Nafallo: most people don't have that at home though	23:51
Nafallo	Mithrandir: ...yet :-)	23:52
monic	can anyone tell me what is the graphics library people use for Ubuntu now; i gather it won't be SVGAlib	23:57

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!