RenatoSilvaany suggestion about the merge question? Should I create another branch or just update the one merged and propose it again?00:01
lifelessRenatoSilva: going back to the 'why keypair' question00:02
wgrantAha, somebody who knows!00:02
lifelesshttps gives a halfduplex connection00:02
lifelessssh gives a full duplex connection which can be more powerful00:02
lifelesshistorically we started with just sftp00:02
lifelessand no write-over-http support at all00:03
wgrantLP has no write-over-http even now.00:03
LaibschHi, not sure this is the best channel, but packages.ubuntu.com is down00:03
lifelesswgrant: it doesn't, but the bzr client does now00:03
wgrantLaibsch: Try #canonical-sysadmin00:03
wgrantlifeless: Right.00:03
lifelessnow, we could have done password auth over sftp00:03
lifelessbut that meant letting one server in the dc get the password out of the db; prior to the time we were designing *no* servers ever get the password once its set00:04
RenatoSilvalifeless: you mean ssh is more performatic than https, right?00:04
lifelessRenatoSilva: very much so00:04
lifelessthis isn't set in stone; I'm sure that it can be revisited. OTOH it works pretty well at the moment and is a well known protocol amongst open source developers.00:05
RenatoSilvalifeless: so that was my doubt, it's not because of key-pair-is-more-secure-than-website's-password, just because of performance, right?00:06
lifelesskey-pair isn't intrinsically more secure; key-pair is rather like OAuth in fact00:06
lifelessin that you setup credentials that are attached to your account for programs to use00:07
lifelessthere is one way in which key-pair is more secure, which is that it can't be brute forced as easily as password systems00:08
wgrantlifeless: It's a lot harder to brute-force a private key.00:08
RenatoSilvakey-pair is not more secure _in launchpad_ right? because they're protected by a single lp password. By more secure I mean it's almost impossible to guess your private key00:08
wgrantAnd I can easily revoke a single keypair without disrupting all of my things that log into Launchpad.00:08
lifelessbut given we use passphrase authentication on the website, its hard to argue that other parts of the system should be held to a higher standard00:08
wgrantRenatoSilva: Well, bruteforcing your Launchpad password over HTTPS is probably impractical too, if only because the web UI is *so damn slow to respond*.00:09
lifelesswgrant: Thats more to do with the separate set of credentials aspect00:09
ajmitchat least GPG keys require validation from launchpad for you to attach them to your account00:09
wgrantlifeless: That's what I meant.00:09
lifelessRenatoSilva: it *is* more secure in launchpad00:09
wgrantajmitch: Only to an address on the key, not one of your existing addresses, IIRC.00:09
ajmitchwgrant: ah well00:09
lifelessRenatoSilva: unless you mean 'if the password is compromised the list of keys can be altered'00:10
RenatoSilvawgrant: maybe you don't need a brute-force attack to find out website's password00:10
RenatoSilvawgrant: it's essentially fragile compared to the private key00:10
wgrantRenatoSilva: Right.00:10
wgrantI'm not quite sure how LP has got away with this, given the immense power that some Launchpad accounts wield.00:11
RenatoSilvalifeless: unless you mean 'if the password is compromised the list of keys can be altered' ---> yes that's what I mean00:12
lifelessso, yes thats a vulnerability00:12
lifelessits the key exchange vulnerability in fact00:12
wgrantThe most sane fix I can think of is to require all Launchpad authentication token changes (passwords, OpenPGP, SSH) to require OpenPGP-signed confirmation.00:14
RenatoSilvalifeless: people may think, "oh I'm using ssh key pair authentication, really nice, no one will guess my private key". However it's a false sense of security, because that super-powerful private key is protected by a simple common password.00:14
lifelessRenatoSilva: uhm00:14
lifelessRenatoSilva: lp doesn't hold the private key00:15
lifelessRenatoSilva: if the lp password is guessed, the private key is *still* secure00:15
RenatoSilvalifeless: I know00:15
wgrantlifeless: They don't have to. They can replace it.00:15
lifelesswgrant: yes, I know, see above.00:15
RenatoSilvalifeless: I mean the authentication00:15
lifelessRenatoSilva: I think its important that all credentials are protected appropriately00:16
lifelesssame goes for OAuth etc00:16
RenatoSilvalifeless: people may think "impersonating me in Launchpad is as hard as guessing my private key", but it's not. It's as easy as guessing website password.00:16
lifelessRenatoSilva: thats true, they may think that. Do you have evidence that they do?00:17
lifelessRenatoSilva: I doubt that they do, because they still use a password to login to the website00:18
RenatoSilvalifeless: I thought that that's why an ssh key pair is required, because it is more secure than single passwords. Then I thought a bit more and came here to ask you :)00:21
RenatoSilvalifeless: I wonder what launchpad's wiki stands about it though00:21
RenatoSilvawgrant: I don't think it would be a full solution, but Launchpad could send a confirmation email when altering the keys...00:23
sridlaunchpad is not loading at all on Opera. is this a known issue?00:23
wgrantRenatoSilva: An unauthenticated confirmation email is almost useless.00:24
RenatoSilvawgrant: so that someone would need to get not only lp password but the one from your email00:24
RenatoSilvawgrant:  An unauthenticated confirmation email is almost useless. --> ?00:25
wgrantRenatoSilva: Not cryptographically authenticated, that is.00:25
RenatoSilvawgrant: you mean to ensure that it was lp who sent the confirmation email?00:26
wgrantRenatoSilva: No - to ensure it was the user who received it.00:26
RenatoSilvawgrant: sorry I don't get what you mean00:27
wgrantRenatoSilva: The confirmation email needs to be sent encrypted, or it's easily interceptible in transit.00:27
RenatoSilvawgrant: you mean to avoid someone else reading the email?00:27
lifelesswgrant: I don't think it would matter if someone saw 'your keys have been changed'00:29
lifelesswgrant: an attacker that can prevent mail delivery would just block all encrypted mail from lp00:29
wgrantlifeless: Of course - that's why the email has a confirmation link.00:29
lifelessRenatoSilva: I think lp could increase its documentation about this on the person edit page perhaps00:30
lifelesswgrant: once someone has your password and your email, they are you, unless we build the whole system out of gpg00:30
lifelesswgrant: which would make it extremely hard to use00:31
wgrantlifeless: Which was exactly why I suggested we build the whole system out of GPG...00:31
wgrantlifeless: Well, the current situation is completely unacceptable.00:31
lifelesswgrant: it is?00:31
wgrantlifeless: Given the privileges that several community accounts have acquired over the past 18 months, yes.00:32
wgrantAnd some other issues.00:32
lifelessI'm sorry, I'm completely failing to track the logic chain from 'allows password authentication' to 'it is unacceptable that people in the community can have lots of access'00:32
RenatoSilvawell, even your OpenPGP keys are protected by a single password right?00:33
lifelessNote that most (all?) of the largest web services around use password authentication00:33
wgrantlifeless: No other well-known web service allows one to push out software to millions of machines within hours, with the click of a button.00:34
wgrant(well, it requires a key too, but that's easy now)00:34
lifelesswgrant: oauth key?00:35
wgrantlifeless: OpenPGP key, to upload the package.00:35
RenatoSilvalifeless: I think the point is: your password is the only thing protecting your launchpad account. The SSH keys are just for convenience, for use in bzr+ssh because it is faster than https00:35
wgrantBut that requirement will go away soon.00:35
lifelessRenatoSilva: wgrant is talking about a whole other thing now00:36
wgrantlifeless: It's very much related - all of these credentials are protected solely by a password.00:36
wgrantBut yes, it has drifted.00:36
lifelesswgrant: to be precise, the selection of credentials are protected by a password.00:36
lifelesswgrant: I suggest precision, because pgp keys and ssh keys are *not at risk*.00:37
wgrantlifeless: Right.00:37
lifelessand if folk get confused and start to think they are, the conversation will be muddy00:37
lifelessso lets examine the basis of soyuz and gpg stuff00:37
lifelesswe don't require a web of trust; rather we require one working email account00:38
lifelessand a gpg key for that account00:38
lifelessever since soyuz was created this has been the case; and adding a mail account with gpg key has been easily doable if you compromise the password00:40
wgrantBut there were previously barriers which meant that just getting access to a Launchpad account or OpenPGP key were not fatal.00:41
lifelesswgrant: there were?00:41
lifelesswgrant: are you referring to needing shell access to a dc machine to do archive admin?00:41
wgrantlifeless: There were. Only the development series can be uploaded to directly. That mitigates a lot of the damage, although it's still pretty awful.00:41
wgrantAny other series has to go through the queue, which was previously administrable only with shell access.00:42
lifelessso now lets compare the access levels00:45
lifelessssh keys are protected by a passphrase, but you need physical access to attempt attack00:45
lifelesse.g. UDS00:45
lifelessditto gpg keys00:45
sridhmm, launchpad form POST is screwed up. some fields are not saved at all. (or, is it my browser fooling?)00:46
lifelessOTOH lp passphrases are on the web, but arguably we can do a better job of detecting attacks00:46
lifelesssrid: what page?00:46
wgrantlifeless: LP accounts are also accessible with one of several cookies.00:46
sridlifeless: bug page. I changed importance from 'Undecided' to 'Low' (along with other changes), but the importance field was not changed at all. (browser -- safari on macosx)00:46
lifeless(an offline dictionary attack on your gpg keys are not accessible)00:46
lifelesswgrant: currently, the cookies are end to end encrypted00:47
lifelesswgrant: but I'm guessing you're arguing that physical access may permit copying a cookie00:47
lifelesssrid: try refreshing it?00:47
wgrantlifeless: Physical access makes that easy, yes. But there are other ways.00:48
wgrantPractical ways.00:48
sridhmm. didn't. will try next time.00:48
sridbut this is not supposed to be cached. damn.00:48
sridbesides, why would one field have old values .. while others not. strange indeed.00:48
lifelesswgrant: I may be missing something, but https <-> https means you need either a xss attack (and we're very vigilant about those), or physical access to the source or target00:48
wgrantsrid: Some browsers do strange things with caching form values.00:48
lifelesssrid: we use AJAX00:49
lifelesssrid: for an increasing number of things00:49
wgrantlifeless: There are other ways. People do not protect their cookies well.00:50
wgrantIt is entirely the user's fault, but it still happens.00:50
Davieylifeless: MITM is still viable with https <-> https.00:51
RenatoSilvaI just don't see many sense of the ssh keys, it would be better if you could just type your password in bzr+ssh00:51
RenatoSilva*sense on00:52
lifelessRenatoSilva: ssh is much more convenient00:52
lifelessRenatoSilva: it allows cron jobs and other things without putting my password in plain text00:52
wgrantIt means I can keep my Launchpad password off all those remote machines entirely.00:53
RenatoSilvalifeless: I mean the authentication, ok use ssh for transport, but use your lp password to authenticate instead of a key pair. I don't know if the ssh protocol allows you to do this though.00:53
lifelessRenatoSilva: I know what you meant00:54
RenatoSilvalifeless: isn't your private key kept plain-text in memory anyway?00:54
lifelessRenatoSilva: no, its not.00:54
lifelessdepending on your config00:54
lifelessat worst its protected and locked to prevent paging to swapfile00:55
lifelessyou can also have multiple keys, one per machine00:55
RenatoSilvathe same could be done with lp password00:55
lifelessit could00:55
wgrantIt's also only there for a tiny period, and an SSH key is a lot less powerful than your Launchpad password.00:55
lifelesshowever passwords are bruteforceable00:56
lifelessand theres no need for that when the password prompt can be done locally on the users machine using keys00:56
micahglifeless: that depends on what safeguards are built in to whatever you're logging in to00:56
lifelessmicahg: whether it can be successfully bf'd - yes.00:57
lifelesswhether you allow the possibility - no00:57
lifelessand whether we need to deal with people trying - no00:57
lifelessand whether the owner of the credentials is inconvenienced when someone is trying - no00:57
micahglifeless: the possibility depends on the safeguards00:57
lifelessmaybe I can put it this way:00:58
lifelesskeys: very small surface area. passwords: large surface area00:58
RenatoSilvalifeless: bzr could act as a browser, you log in to lp site, then every time bzr sends a request, lp site checks if the mentioned user is authenticated00:58
lifelesscan you put a lot of effort in and get maybe the same thing with passwords? yes. But why would you give yourself that headache.00:59
lifelessRenatoSilva: thats roughly what oauth is00:59
lifelessRenatoSilva: however, what compelling advantage does that have over ssh?00:59
lifelessRenatoSilva: oauth00:59
RenatoSilvalifeless: the advantage of not using a non-sense key pair01:00
RenatoSilvalifeless: non sense in the sense of security01:00
lifelesswgrant: I'd be delighted to talk about your concerns more, but this forum is going sideways too often01:00
lifelesswgrant: perhaps drop me a mail01:00
wgrantlifeless: It is. OK.01:00
RenatoSilvagoogle oauth01:00
lifelessRenatoSilva: we discussed the security aspects earlier; you're recapping the prior conversation or something. ssh keys are demonstrably more secure than passphrases.01:01
lifelesstheir lower bound is approximately the same as the upper bound you can reach with passphrases01:01
lifelessand yes, the vulnerability of passphrases does allow the key list to be changed01:01
lifelessthat isn't a reason to use a weaker auth for another component01:01
RenatoSilvacompromise website pwd is a disaster anyway, so let's stand this will never happen. Now add to this scenario the ssh key. If you somehow get the private key, you can push code to lp as if you were the owner of the key. Now imagine there's no ssh key, you need to type lp password (like bzr is a browser using https only for auth). As previously standed, the password is never compromised. Therefore it is more secure :)01:09
wgrantRenatoSilva: But the password *is* compromisable, and LP authentication will hopefully be stronger than just password auth eventually. There's no point reducing SSH security to the current awful state of web auth.01:11
micahgwhich is the appropriate project for filing a request regarding blueprints01:14
wgrantmicahg: blueprint01:14
RenatoSilvawgrant: compromise website pwd is a disaster _anyway_, so _let's stand_ this will never happen01:15
lifelessRenatoSilva: do you mean 'the website password database being exposed'?01:15
spmRenatoSilva: err what? that's *not* how you do risk analysis.01:16
wgrantRenatoSilva: But the website password can and will be compromised. It won't be so much of a disaster when there is additional protection in front of auth settings.01:16
lifelessRenatoSilva: or 'a single account being compromised'?01:16
RenatoSilvassh keys act as a "second" password with less privileges, but protected by the first password. Two passwords are two ways of impersonating you in some level. And that "second" credential _is protected by the first one_, which means that compromising the first password is the same as compromising the second. So losing the master password is a disaster _anyway_, with or without ssh keys. The difference is that with ssh keys you open a second door to y01:17
lifelessRenatoSilva: if what you really mean is 'I don't like having to fiddle with ssh keys', then I suggest you file a bug asking to make that easier to work with.01:17
RenatoSilvalifeless: I don't want anything. I'm just talking at a bazaar.01:20
lifelessyou seem to be arguing a particular case though. LP *wants* to support multiple credentials for people, because that meets some very important use cases, such as running programs without disclosing the users primary credentials.01:21
lifelessThe use case you are arguing for, of using passwords for things other than access to the website is *not desirable* in launchpad, because its less secure.01:21
lifelessIt's less secure because it leads to the users credentials being stored in plaintext across multiple machines01:22
RenatoSilvaplaintext even if bzr acts as browser?01:23
micahglifeless: are you assuming passwords are stored in plain text?01:23
RenatoSilvathat is bzr connects through https with lp, then sends the typed password and starts a session with the website01:24
wgrantRenatoSilva: As lifeless said, that's basically what OAuth does.01:24
lifelessmicahg: that is the proposition being argued01:24
lifelessRenatoSilva: that doesn't work from cron01:24
RenatoSilvathen when you run bzr <command> it first checks if you're authenticated in the website, if so then it performs the actual operation through bzr+ssh01:24
lifelessRenatoSilva: unless the password is stored01:25
micahghmm, maybe I shouldn't jump in in the middle, but that seems disastrous01:25
lifelessmicahg: I agree completely.01:25
micahgI don't store passwords in cleartext anywhere if I can avoid it01:25
micahgI think I'll stay out of this though01:25
lifelessthis is what alternate credentials are for01:25
lifelessoauth is a key based system01:25
lifelessas is ssh01:25
lifelessand gpg01:25
lifelessthe specifics are different in each case01:26
micahgsorry, I'll back out of this discussion01:26
RenatoSilvalifeless: ok cron is a problem in this case01:26
micahgtoo much to do01:26
RenatoSilvalifeless: if you're not using cron and other automated stuff, then IMHO I'd prefer typing my password (only one door)01:29
RenatoSilvalifeless: I'm just saying my opinion, I'm not telling that lp should do this or that01:29
lifelessRenatoSilva: you can have the same password on your ssh keys as you do for lp, or no password at all if you trust that noone else has physical access to your machine01:32
lifelessRenatoSilva: I think it would be ok to *allow* the use of passphrases for bzr+ssh://bazaar.l.n/01:33
lifelessin fact, I filed a bug about that some time back01:33
kub1is keyserver.ubuntu.com down??? Will you please check right now? Thx. I haven't been able to access it ever - meaning for the past 18 hours.  I'd greatly appreciate data if it is working, so i'd know if the problem is with it, or at my end. Thanks, & awaiting your confirmation...01:35
wgrantlifeless: ubuntu-dev-tools developers were recently forbidden from allowing users to enter their Launchpad passwords into anything other than their web browser.01:35
wgrantkub1: It's not.01:35
RenatoSilvalifeless: I don't know how secure is a password/phrase encryption algorithm. I mean, wouldn't it be easy (or not that hard) if you get local access to the private key file, to decrypt it using brute force attack?01:35
wgrantkub1: As I suggested earlier, you're very probably behind a restrictive firewall.01:36
wgrantkub1: I believe TCP port 11371 is the one in question.01:36
wgrantRenatoSilva: It's of course possible to brute-force the passphrase on a key if you have the key.01:37
lifelesswgrant: ah yes; its a social defense.01:37
lifelesswgrant: so that we can tell people 'never put your password in except on the website'01:37
wgrantlifeless: Yep.01:37
wgrantNot unreasonable.01:38
lifelessRenatoSilva: the way passphrases work is that they are transformed into a symmetric key and used to decrypt the stored ssh keys01:38
lifelessRenatoSilva: they are reasonably secure as long as they aren't machine guessable01:39
RenatoSilvawgrant: possible but easy, hard? if is possible and very easy, then why put a passphrase on the private key? I imagine it is not that easy, I just don't know _how much_ secure. I couldn't find docs in the web about it01:39
RenatoSilvalifeless: I need to read more to learn how this kind of encryption works and how much secure it is exactly...01:41
wgrantRenatoSilva: It's just boring old brute force. Difficulty revolves entirely around the complexity of your passphrase.01:42
lifelessand local physical access :P01:43
wgrantThat too.01:43
spma gun to the head is a very effective 'brute force' password cracker01:44
lifelessit also breaks gpg etc ;P01:45
RenatoSilvaI have branch X merged with branch Y. I have branch Y locally, then I add a new revision and push to branch _X_, I thought this would lead to a branch conflict, but it didn't. It was like branch X was totally overwritten by branch Y...01:45
RenatoSilvawgrant: so that a good passphrase is as secure as e.g. RSA itself? I mean, not even all computers in the world could decrypt the private key by brute-force attack, just like it can't be done with RSA-encrypted messages.01:48
wgrantRenatoSilva: It all depends on the complexity of the passphrase.01:49
spmRenatoSilva: I think you're missing the point. if decryption is $$$, then I (the attacker) will find a more cost effective way to access your data. Hopefully commensurate with the value of your data. eg Hold a gun to your head. think *outside* the square.01:49
lifelesswhere is that xkcd when you need it01:50
wgrantlifeless: I was looking for that one :(01:50
RenatoSilvaspm: I'm not referring to other ways of getting access. Putting a shotgun in your head is _obviously_ a good way01:51
spmheh. was a common problem in my defence security days - crypto folk get so caught up in their magic, they forget that to someone who has root access on the servers on either end of the secured pipe, that said pipe is irrelevant.01:52
spmRenatoSilva: that you aren't referring to other ways is the problem. they're *ALL* related. you can't simply ignore those bits you don't care about.01:52
RenatoSilvaspm: I can't?01:53
RenatoSilvaspm: so if I want to specifically study brute-force attack01:53
RenatoSilvaspm: forget it01:53
spmRenatoSilva: bit hard to forget it - been doing it security gumpf for waaaay too long ;-)01:54
RenatoSilvaspm: I asked a technical specific question01:54
RenatoSilvaspm: wgrant: so that a good passphrase is as secure as e.g. RSA itself? I mean, not even all computers in the world could decrypt the private key by brute-force attack, just like it can't be done with RSA-encrypted messages01:54
spmRenatoSilva: sure. and that's the problem. you're focusing on one specific part. you can't do that. ever. it's just one issue in thousands.01:55
RenatoSilvaspm: it's a technical question, I'm not talking about security in general01:55
wgrantRenatoSilva: Your definition of 'good' is probably wrong.01:55
RenatoSilvaspm: problem???01:55
RenatoSilvaspm: ??????????01:55
RenatoSilvawgrant: I didn't even define 'good'01:55
wgrantRenatoSilva: I know.01:55
spmRenatoSilva: you're trying to argue if XYZ is secure or not. irrelevant. I'd attack a weaker point.01:55
wgrantBut any definition you could come up with is wrong.01:55
RenatoSilvaspm: argue?01:56
RenatoSilvaspm: it's just a question01:56
spmdiscuss/ whatever :-)01:56
kub1I am unable to access keyserver.ubuntu.com through my isp, & someone just checked & told me it is working cause they can access it.  My isp blocks most ports except for http.  Is there any way i can get the key through https?, and manually add it to the appropriate apt control file?01:56
kub1How do i access it via a proxy site?  which proxy site?01:56
RenatoSilvaspm: I'm interested in how password-based encryption works. that's it01:57
RenatoSilvawgrant: ok, I'm just curious about _how much_ secure they are ^01:58
lifelessRenatoSilva: generally the passphrase is hashed, often with a salt, and the hash is the actual key01:58
RenatoSilvawgrant: understand how it works etc01:58
wgrantRenatoSilva: As secure or insecure as you want.01:58
RenatoSilvawgrant: by secure I mean technically01:58
wgrantFor your average passphrase, incredibly insecure.01:58
wgrantRenatoSilva: So do I.01:58
lifelessdepending on what you're encrypting that then becomes the source for a pseudo OTP01:58
spmRenatoSilva: "how much secure" is the wrong question :-) secure for what purpose. eg a MS-DOS PC can be secure enough to hold TopSecret information. see?01:58
RenatoSilvalifeless: oh hashes....02:00
RenatoSilvaspm: I just mean understand all the theory behind it. Of course you can use very bad RSA key pair, and you can use a shotgun, social engineering etc. but that's not what I meant02:04
nivekc1hello, i have a problem with launchpad and would appreciate some assistance.. I created an account some time ago and i know the email address i used but do not know the password i used.. the email is no longer active so i cant log into it to reset my launchpad password.. the reason i want to login is to remove or edit my account since when i google my screen name my last name shows up in the first hit and i don't like that at all. If there is some way i c04:19
mwhudsonnivekc1: you got cut off there04:23
mwhudsonnivekc1: but i suggest you email feedback@launchpad.net with the details04:24
nivekc1mwhudson what do you mean by cutoff04:24
nivekc1my post was as follows: hello, i have a problem with launchpad and would appreciate some assistance.. I created an account some time ago and i know the email address i used but do not know the password i used.. the email is no longer active so i cant log into it to reset my launchpad password.. the reason i want to login is to remove or edit my account since when i google my screen name my last name shows up in the first hit and i don't like that at all. 04:25
mwhudsonnivekc1: irc limits the length of messages04:26
=== Edwin is now known as Guest46485
pooliespm, are you back?04:57
spmpoolie: yup04:57
pooliespm, bug 253788 is bugging me04:58
ubottuLaunchpad bug 253788 in malone "Bug mail should use my verbose_bugnotifications, not the team's" [Undecided,Triaged] https://launchpad.net/bugs/253788 04:58
spmpun intended?04:58
poolieit sounds like there's an option in the db for which there's no ui to turn it off04:58
poolieare you able to see this in the db? could you in principle turn it off for ~bzr and ~bzr-core?05:00
spmpoolie: could be, it's not like we have any shortage of those. /bitter_and_twisted. ping gmb directly perhaps? he may be able to let us know what to zot. ??05:00
spmpoolie: no idea. would barely even hesitate to guess.05:00
pooliek, i'll open a question05:01
spmin principle tho. if such does exist, and we get a more or less ok that it's safe and sane from gmb, I have no problem toggling accordingly - so long as we get the sql to do so. I'm reluctant to just tweak stuff in the DB with zero idea of the consequences of doing so.05:03
lifelessspm: live life!05:03
spmheh. something like that. :-)05:03
wgrantYou could safely enough check that ~bzr-core's verbose_bugnotifications is true, though...05:04
poolieyeah, that would help05:04
pooliegood idea05:04
pooliei filed https://answers.edge.launchpad.net/malone/+question/76825 05:05
pooliei agree with waiting for guidance from the malone team but just having a peek as wgrant says would be nice05:05
wgrantCertainly, flicking the switch without confirmation from a Bugs person is probably not a good idea.05:06
wgrantWe've not even had a Bugs person confirm that my suspicion was right, although it makes sense.05:07
spmpoolie: select verbose_bugnotifications from person where name='bzr-core'; ==> 't'. no idea what that means tho.05:10
pooliek thanks05:10
pooliethat seems to confirm william's theory05:10
pooliet meaning true05:11
spmfwiw, your setting is 'f' - so yeah true false sounds good05:11
wgrantAha, so some part of Launchpad does make sense.05:11
lifelessyou have no idea ;P05:11
spmwgrant: NO! it's lies!!!!05:11
wgrantspm: What's wrong with edge? It hasn't updated in like three days.05:44
wgrantWhich is annoying lots of people, as a core Soyuz API is broken.05:44
spmwgrant: the updates have been stopped05:44
wgrantIs this for the same reason that staging's build broke around the same time, or something else?05:45
spmnot sure. I was away all last week, so only have sketchy details at this stage05:46
spmaiui, we're waiting on a CP'd fix from last week to land in stable - then edge can be updated again05:47
spm... which far as I can see, hasn't landed yet.05:49
=== thumper_laptop is now known as thumper
=== ircd is now known as Guest18724
micahgwgrant: it seems that attachments can exist for longer than 24 hours after being deleted07:27
wgrantmicahg: Disappointing. You might have to ask a Bugs person later.07:28
noodles775wgrant: were you able to view the screenshots linked from bug 386355 as well (I know it requires LP auth, but not sure what the restrictions there are... I was hoping it allows any LP user)08:43
ubottuLaunchpad bug 386355 in soyuz "Archive 'subscription' terminology is confusing" [Medium,In progress] https://launchpad.net/bugs/386355 08:43
wgrantnoodles775: Waiting for it to load, but I'm guessing it's devpad? That requires one to be a Canonicalite.08:45
wgrantAh, chinstrap. No access to that.08:46
noodles775wgrant: I specifically put it on chinstrap...08:46
noodles775thinking that would allow access... uploading 5 images to the bug generates lots of spam.08:46
mwhudsonnoodles775: you can upload to rookery which is the same machine as people.ubuntu.com08:53
noodles775mwhudson: Ah, great thanks!08:54
=== ripps_ is now known as ripps
wgrant"Optional notes about this access" seems wrong.09:02
wgrantAnd Person:+archivesubscriptions seems like it should have the PPA name linked, rather than an additional "(i) View" link.09:04
noodles775wgrant: do you mean the link from the email should go directly to the subscription?09:10
noodles775If so, it "would be difficult"... (the initial 'view' link is actually a submit button that posts a form, as it's creating the pwd....09:11
wgrantAh, yes, I remember that now.09:11
noodles775but I agree, that would be better for the user (once we can collect stats some other way)09:12
wgrantIn the new access email, is the registrant referring to the subscription creator, or the archive owner?09:13
noodles775wgrant: the subscription creator (ie. an individual)09:16
noodles775(I think... quickly checking)09:16
wgrantWhy would I want to find out more about them?09:17
wgrantIt might be nice to tell me who they are, but I need to know the owner of the archive more.09:17
noodles775wgrant: in case you don't know who they are... click on their profile...09:18
wgrantA large majority of P3As will be owned by teams, I suspect. Your emails seem to be tailored to the case that the owner is an individual.09:19
noodles775wgrant: I don't think so... it's just trying to tell you *who* was responsible for creating your subscription...09:19
wgrantnoodles775: Why do I care about that?09:20
wgrantThey're probably not the engineer behind the software.09:20
noodles775wgrant: because you may not be able to view the owning team (could be private) or the ppa page itself.09:20
noodles775(and yes, we do want to reconcile these ;) ).09:21
noodles775So the person who added you is someone that you can contact if you've got questions about it.09:21
wgrantDo you have to confirm the subscription before you can see the PPA page?09:21
noodles775wgrant: even then you won't be able to see the PPA page unless you are a member of the owning team (currently)09:22
* wgrant cries.09:22
* noodles775 put his arm around wgrant in support.09:22
wgrantNow I see why it is how it is.09:22
wgrantBut... ew.09:22
noodles775As I said, we do want to reconcile these, but it's not trivial.09:22
wgrantSo private teams (not PMTs!) can have PPAs?09:24
noodles775wgrant: I don't know, all I know is that archive subscriptions currently have nothing to do with access to the PPA page.09:26
bigjoolsPMs can have PPAs09:26
bigjoolsPMTs cannot09:26
bigjoolsP3As I mean09:26
bigjoolsacronym overload09:27
wgrantI would have thought the opposite would make more sense.09:27
wgrantSo I can have a subscription to an archive in a person that doesn't exist?09:27
bigjoolsurgh I haven't woken up yet09:28
bigjoolslet me start again09:28
bigjoolsPrivate Teams can have Private PPAs09:28
bigjoolsPrivate Membership Teams cannot09:29
=== bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: bigjools | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing
wgrantRight. Very odd, that is.09:30
wgrantIt really doesn't seem like a good idea to send out those emails with no information about the actual archive.09:30
james_whi all09:31
bigjoolshi there james_w09:31
noodles775wgrant: the name of the archive is included (always was in the subject, but now also in the body as per your recommendation)09:31
james_wI'm still getting the OOPS from getPublishedSources, has edge been updated since we spoke on Friday?09:31
wgrantedge updates have been disabled, apparently :(09:31
noodles775james_w: nope :/09:32
bigjoolsno :(09:32
bigjoolsit's a pain09:32
wgrantnoodles775: Right, but that doesn't give me much information.09:32
bigjoolsI am going to get my fix cherrypicked09:32
wgrantnoodles775: How do I verify who the owner is?09:32
wgrantI can't see that team.09:32
noodles775wgrant: no, but as much information as you can have about a private PPA right?09:32
noodles775(well, there are other public tid-bits I think, but nothing more relevant than the name)09:33
wgrantBut I have a subscription. Why can't I see the archive?09:33
noodles775wgrant: you have a subscription (or access) to download software from that archive...09:33
noodles775not necessarily to see the builds etc. for that archive.09:34
wgrantBut that is insane.09:34
noodles775Again, we do want to reconcile the two, but it's not straight-forward to do so (I've got a bug somewhere... one tick, then you can comment there :) ).09:35
bigjoolswgrant: why is it insane?09:38
noodles775wgrant: bug 33677909:38
ubottuLaunchpad bug 336779 in soyuz "ArchiveView permissions should use subscriptions" [Low,Triaged] https://launchpad.net/bugs/33677909:38
wgrantbigjools: What privileged information is there in a build log? As long as you're not leaking P3A buildd keys again...09:39
bigjoolswhy, as someone who wants to download software from your repo, would I want to look at your PPA index page?09:40
bigjoolsit's a developer page09:40
bigjoolsnot a user page09:40
wgrantSo I can see who is giving me this software.09:40
wgrantAnd what is available.09:40
bigjoolsyou get to download what you're told you can download09:41
wgrantAnd I'm expected to add this invisible archive to my sources.list?09:41
bigjoolsdepends how much you trust them09:41
wgrantTrust who?09:42
wgrantAll I know is whoever created my subscription.09:42
bigjoolsit's an interesting point09:43
wgrantWhat happens if I am evil, buy a P3A, and give it a display name the same as some other very popular one.09:45
wgrantI then fill it with malware of the purest variety.09:45
wgrantI then invite lots of people.09:45
wgrantHow do the users of the other one distinguish it from mine?09:46
bigjoolsI don't necessarily think the right answer is to let you see his ppa index page09:47
wgrantRight, it's possibly to see the team.09:47
wgrantBut that seems even less possible.09:47
bigjoolsit might help you, as someone who is technical enough to understand it09:47
wgrantWhere do I actually find my password? I have no access to a P3A, so I'm sort of guessing how things work.09:49
bigjoolsthe subscription page shows you when you get access09:50
* wgrant remembers and finds the screenshots.09:50
bigjoolsI will give you access to soyuz team if you want09:50
wgrantThat would be even better.09:50
bigjoolsthe email is heading your way09:52
wgrantnoodles775: Um, the cancellation of access email links me to the PPA owner. Isn't that impossible?09:58
noodles775wgrant: not impossible, but might not be possible...10:01
wgrantnoodles775: Well, yes.10:01
noodles775bigjools: ^^^ perhaps we should use cancelled_by there.10:02
* noodles775 wonders if we should move this kind of conversation to lp-dev so lp stays a bit more friendly :)10:03
bigjoolsnoodles775: yes probably10:03
noodles775k. I'll include it in this change.10:03
bigjoolsI was thinking of -dev as well10:03
wgrantnoodles775: Oops, yes, we can do that now.10:03
qballhi I am getting this error when trying to import from git: http://launchpadlibrarian.net/28956734/gmpc-main-log.txt11:10
* bigjools looks11:10
bigjoolsqball: I think you need to file a bug about that11:11
mwhudsonah, i know that one11:11
bigjoolsaha code people are still awake11:11
mwhudsonqball: i need to kill the import and restart it11:12
qballmwhudson: I clicked restart when I did this..11:12
bigjoolsmwhudson: is it a bug or something else CHR people need to be aware of?11:12
huatsdoes anyone can help me to understand why something builds fine on my ppa and not on my local pbuilder ?11:13
mwhudsonqball: a more comprehensive restart than that :)11:13
qballhow do I do that11:13
mwhudsonqball: you don't; i do11:14
qballowh ok11:14
bigjoolshuats: not really a question for this channel, but paste me your output and I will take a look11:14
* qball busy :(11:14
mwhudsonbigjools: we should fix all branches that have this problem11:14
mwhudsonqball: np, it's our bug!11:14
* qball should not do multiple things11:14
huatsbigjools: hum the output from my pbuilder ?11:14
mwhudsonqball: i've restarted the import now11:14
bigjoolshuats: yes please11:14
qballmwhudson: thanks!11:14
mwhudsonqball: should be ready in a few minutes11:14
bigjoolsmwhudson: is there a bug open?11:14
mwhudsonqball: https://code.edge.launchpad.net/~vcs-imports/gmpc/main, you might want to subscribe11:15
mwhudsonbigjools: no11:15
huatsbigjools: in fact I'd like to figure out if it is related to sbuild vs pbuilder...11:15
huatsbigjools: I am pasting the outputs11:15
mwhudsonbigjools: i should spend a while with spm fixing this tomorrow11:15
bigjoolsmwhudson: ok.11:16
* mwhudson writes this down on a piece of paper11:16
bigjoolsor better, file a bug ;)11:16
mwhudsonnot sure that's better, but it probably is11:16
qballanother question, is it possible to (if code is in launchpad bzr natively) to "auto commit" translations?11:21
qballhttps://edge.launchpad.net/gpx-viewer I would like to do that for this project11:21
mwhudsoni believe that's very much in progress11:23
mwhudson(but could be wrong)11:23
qballowh last question, I made tags (in gpx-viewer) for releases..  but they don't show up under code?11:23
qballwhat is the best (visible) way to mark release then?11:24
huatsbigjools: http://paste.ubuntu.com/216813/11:24
wgranthuats: Run away.11:24
wgrantVery, very fast.11:25
wgrantThis is maxima!11:25
bigjoolsheh :)11:25
huatsso ?11:25
wgrantWe've tried to get that to build with gcl for a year now.11:25
huatswgrant: ok I was not aware of that :)11:25
huatsyou should comment the bugs ;)11:25
wgrantI thought I had.11:25
huatsmay be I haven't seen your comment :)11:25
wgrantBut you say you managed to get it to build locally?11:26
bigjoolsmake[2]: *** [gcl-depends.mk] Segmentation fault11:26
huatswgrant: actually not11:26
wgrantbigjools: Eeeehyes. It doesn't do it in Debian, and we can't work out what's wrong.11:26
huatswgrant: it builds fine on LP but not on my pbuilder11:26
bigjoolswgrant: but he said it built in a ppa ...11:26
bigjoolshuats: which series, karmic?11:26
wgrantIt didn't build for me in sbuild a month or two ago.11:26
huatshave a look at https://edge.launchpad.net/~christophe.sauthier/+archive/ppa11:27
qballmwhudson: imported correctly, thanks11:27
mwhudsonqball: woo11:27
bigjoolshuats: what series are you building on with pbuilder?11:27
huatsbigjools: I have tried both karmic and jaunty for the same result11:27
mwhudsonqball: now, will a subsequent import work?11:28
mwhudsonthat was the problem before11:28
qballlet me try11:28
mwhudsonqball: yes, hooray11:28
qballneat, thanks11:29
mwhudsonbigjools: i filed https://bugs.edge.launchpad.net/launchpad-code/+bug/398722, thanks for the prod11:30
ubottuUbuntu bug 398722 in launchpad-code "fix branches damaged by non-preservation of git.db files" [High,Triaged]11:30
bigjoolsmwhudson: don't mention it, thanks :)11:31
flixrhi, can I drop a VCS import somehow and reset it with a new one?11:32
huatswgrant: actually it says seg fault11:32
huatsbut when I run it step by step11:33
huatsI get : http://paste.ubuntu.com/216816/11:33
huatsdon't know if it helps...11:33
bigjoolsflixr: you would need to file a question and someone can do that for you (the question verifies your identity)11:34
flixrbigjools, I already did that: https://answers.edge.launchpad.net/launchpad-code/+question/7449111:35
flixrbut then it was suggested that I can do that by myself11:35
bigjoolslet me check11:36
bigjoolsmwhudson: is that possible? --^11:36
wgrantA user can request a new one, but not delete an old one.11:37
flixrright, that's what I thought11:38
bigjoolsmwhudson: it's assigned to you, I'll just leave you with it then11:39
mwhudsonflixr: i requested a new import: https://code.edge.launchpad.net/~vcs-imports/paparazzi/trunk11:39
flixrgreat, thanks a lot!11:39
mwhudsonsorry this took so long to sort out11:40
flixrno worries11:41
Nafallothat has to be an application to control remote cameras!11:41
Nafallolike the small spy cameras...11:41
=== bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: bigjools (at lunch) | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing
fta2while discussing with some upstream, we were wondering how accurate the popcon stats are. some say there's a factor 10, i really doubt it. could we use launchpad data to check that? i mean, using a well known PPA, if popcon says 5000, and lp stats 50000, that would confirm the factor 10.13:01
=== rmcbride_ is now known as rmcbride
VK7HSEis there a known time delay from when a source file is uploaded ? as when I run uscan the current source that I have just uploaded isn't picked up ?13:55
=== bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: bigjools | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing
bigjoolsVK7HSE: yes, the scanner runs about every 5 minutes13:56
VK7HSEAhh cool thanks...13:57
* VK7HSE needs to be more patient !!!13:57
=== flacoste_lunch is now known as flacoste
huatswgrant: i just did the merge for maxima (and build it on my ppa) : works great.... So I'll upload it like this in universe....14:14
=== Kangarooo1 is now known as Kangarooo
geserbigjools: do you know if updating edge will be enabled soon again?15:58
bigjoolsgeser: we're working on it right now15:58
bigjoolsthere was a problem15:58
=== fjlacoste is now known as flacoste
=== deryck is now known as deryck[lunch]
=== salgado is now known as salgado-lunch
=== matsubara is now known as matsubara-lunch
=== kiko is now known as kiko-fud
=== maxb_ is now known as maxb
=== bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: - | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing
micahgping sinzui17:22
sinzuihi micahg17:22
micahghi sinzui17:22
micahgI was looking at bug 7389017:22
ubottuLaunchpad bug 73890 in blueprint "Show diff of whiteboard changes in e-mail notifications" [Undecided,Won't fix] https://launchpad.net/bugs/7389017:22
micahgis it still the intention to remove the whiteboards17:23
micahgwill it be replaced with something more trackable?17:23
=== deryck[lunch] is now known as deryck
sinzuiblueprints should have comments like bugs17:23
micahgwith a master description as well?17:23
micahgok, is there a master bug I can subscribe to?17:25
* sinzui looks17:25
sinzuimicahg: bug 4969817:28
ubottuLaunchpad bug 49698 in blueprint "specifications should allow comments" [Low,Triaged] https://launchpad.net/bugs/4969817:28
micahgI have a comment about comments17:29
micahgThere should be a way to lock a spec so only approved people can comment17:30
micahgotherwise it might get out of hand17:30
micahgwould that be a new bug17:30
micahgor a comment on this one?17:30
sinzuimicahg: I don't think we would implement that or accept someone's submission for that. We allow everyone to comment on bugs and questions17:31
micahgor and edit on the whiteboard17:31
sinzuimicahg: There is a feature I want to implement that makes comments for trusted project members very visible17:31
sinzuis/for trusted/from trusted/17:31
micahgI guess as long as there's a changelog or we're e-mailed a changelog of changes to the master description, it would be ok17:33
micahgI just don't like the idea of a spec being hijacked17:33
sinzuimicahg: right. We need better activity reporting in launchpad17:33
=== dpm is now known as dpm-afk
sinzuimicahg: That has yet to be seen as an issue. Ubuntu  is massive, and they have not reported a problem with this17:34
micahgyes, but I don't think the blueprints are as highly used as the bug tracker17:35
sinzuiBugs are and that is not a problem with bugs17:36
micahgright, but bugs are very targeted in scope17:36
sinzuiNor is it a problem with answers. In general, we do design for features that may not ever be needed17:36
micahgoccasionally we have people troll in bugs17:37
micahgbut whatever, that's fine17:37
micahgyou answered my original Q and I subscribed to the bug and blueprint17:37
micahgthanks sinzui17:37
=== salgado-lunch is now known as salgado
=== kiko-fud is now known as kiko
=== Kangarooo1 is now known as Kangarooo
=== Kangarooo2 is now known as Kangarooo
=== yofel_ is now known as yofel
=== magcius_ is now known as magcius
MT-Is anyone aware of an issue where I get getting duplicate email?18:55
=== micahg1 is now known as micahg
=== arianit_ is now known as arianit
=== jon is now known as Guest40234
SiDiHello. Does anyone know if there are irc commit bots that can watch changes on LP bzr branches ?20:52
racecar56anyone here?20:58
maxbracecar56: Just ask. If there's someone who's able to help, they'll answer,21:01
racecar56maxb: kk21:01
racecar56im going to make some modifications with kblocks (which is in kdegames), should i get the bzr version or the one you get with apt-get source? (i don't know if this is actually related to here...)21:02
racecar56the one from bzr is from launchpad but the apt-get source one is from the ubuntu repos21:02
maxb#launchpad is for Launchpad the service - for questions about projects that simply *use* Launchpad, use a project specific IRC channel.21:03
racecar56oh, then it's #ubuntu21:03
racecar56ill be there21:03
=== matsubara-lunch is now known as matsubara
=== Kangarooo1 is now known as Kangarooo
smo_hi, i created a ppa some days ago, yesterday i uploaded my packages, dput is ok.. but i still have the message , no packages in this ppa... and no dir in ppa.launchpad.net, our project is launchpad.net/ubukey, how can i know what s wrong please ?21:28
smo_oups, hi first ^^21:28
maxbsmo_: You should have received email confirmation after uploading packages21:34
maxbusually within 5 minutes of uploading21:35
maxbIf you receive no email at all the usual cause is either your uploaded .changes file was improperly signed, or you haven't bound the signing key to a launchpad account21:36
maxbeither of those problems stops launchpad being able to tell who did the upload, so it has no way to tell you about the problem21:37
aboSamoorI want to translate reddit, how can I do that using the launchpad facilities ?21:38
=== salgado is now known as salgado-afk
=== ripps_ is now known as ripps
=== MT- is now known as MTecknology
=== EdwinGrubbs_ is now known as EdwinGrubbs
=== MTecknology is now known as MT-
aboSamoorI want to mirror git repository but I get this message "This branch may be out of date, as Launchpad was not able to access it 18 minutes ago. (Not a branch: "http://code.reddit.com/repo/reddit.git/".) Launchpad will try again in 5 hours. If you have fixed the problem, please ask Launchpad to try again. "22:39
AnMasterhow do I change https://code.launchpad.net/~anmaster/cfunge/main to a hosted branch, my hosting went down forever.22:47
AnMasterI used mirrored before22:47
AnMastersame for all my other branches22:47
=== Edwin is now known as Guest3052
mwhudsonaboSamoor: did you request the import at https://code.edge.launchpad.net/+code-imports/+new23:05
aboSamoormwhudson, no23:06
mwhudsonaboSamoor: well you should have, i guess23:08
mwhudsonAnMaster: ask a question please23:08
AnMastermwhudson, in which project?23:08
mwhudsonAnMaster: launchpad-code23:08
aboSamoormwhudson, I think it is working, how should found that, it think it is not clear !23:08
mwhudsonaboSamoor: it's not very clear no,23:09
AnMastermwhudson, should I list the affected branches or?23:11
mwhudsonthat would be useful23:12
AnMastermwhudson, anyway there should be a way for users to convert them. :)23:12
mwhudsoni think there's already a bug for this23:12
AnMastermwhudson, https://answers.launchpad.net/launchpad-code/+question/7689723:13
* mwhudson on the phone now sorry23:14
qball"no you hang up"23:14
AnMasterno rush23:15
=== Edwin is now known as Guest72729
smo__i need help with ppa repository on launchpad please23:40
wgrantsmo__: What is the problem that you're having?23:40
smo__first, do i must sign my packages or not ?23:40
wgrantsmo__: You must sign anything that you upload, yes.23:41
smo__so it s maybe my problem23:41
smo__in my dput.cfg23:41
smo__i have allow_unsigned_uploads = 123:42
smo__so if packages are not signed, is it normal that i still have the message : This PPA does not contain any packages yet. Find more information about how to upload packages in the PPA help page23:42
wgrantsmo__: If you uploaded something and didn't get an email saying it was accepted, I would indeed expect your PPA to say it didn't have any packages.23:44
smo__what s the validating process?23:45
wgrantAs maxb said earlier, you are not uploading to the right place, or you're not signing the package with a key that Launchpad knows about.23:45
smo__i created my key23:45
smo__it s on the lp servers23:45
wgrantHave you attached it to your Launchpad account?23:45
wgrantAnd did you sign the package?23:46
smo__no ^^23:46
smo__i m searching howto do that23:46
wgrantThere's your problem.23:46
wgrantdebsign blah_source.changes23:46
smo__the whole process is very complicated (for me)23:46
smo__so i sign the .changes .dsc .deb ....23:47
wgrantYou just debsign the .changes. It will do everything else for you.23:47
smo__have a fast exemple? (or i ll search np..)23:48
smo__gpg --sign-key keyID23:48
smo__gpg --sign-key F378FBB423:49
smo__for me , right ?23:49
wgrantI gave one above: 'debsign package_version_source.changes'23:49
smo__ok thx, i try23:49
smo__gpg: [stdin]: clearsign failed: la clé secrète n'est pas disponible23:50
smo__secret key not available23:50
=== Edwin is now known as Guest23169
wgrantsmo__: Your key obviously doesn't match the name in your package changelog. Give debsign your key id with '-kKEYID'23:52
smo__ok i try23:52
smo__Successfully signed dsc and changes files23:53
wgrantNow, try dputting!23:54
smo__it will overwrite ?23:54
wgrantThere's nothing there, so it doesn't have to.23:54
smo__Already uploaded to ppa on ppa.launchpad.net23:55
wgrantAh, that's a local thing. Give dput '-f'.23:55
smo__thx a lot ^^23:56
wgrantWe'll see in three minutes if it actually did work.23:57
