[00:01] any suggestion about the merge question? Should I create anotehr branch or just update the one merged and propose it again? [00:02] RenatoSilva: going back to the 'why keypair' question [00:02] Aha, somebody who knows! [00:02] https gives a halfduplex connection [00:02] ssh gives a full duplex connection which can be more powerufl [00:02] also [00:02] historically we started with just sftp [00:03] and no write-over-http support at all [00:03] LP has no write-over-http even now. [00:03] Hi, not sure this is the best channel, but packages.ubuntu.com is down [00:03] wgrant: it doesn't, but the bzr client does now [00:03] Laibsch: Try #canonical-sysadmin [00:03] lifeless: Right. [00:03] now, we could have done password auth over sftp [00:04] but that meant letting one server in the dc get the password out of the db; prior to the time we were designing *no* servers ever get the password once its set [00:04] lifeless: you mean ssh is more performatic than https, right? [00:04] RenatoSilva: very much so [00:05] this isn't set in stone; I'm sure that it can be revisited. OTOH hand it works pretty well at the moment and is a well known protocol amongst open source developers. [00:06] lifeless: so that was my doubt, it's not because of key-pair-is-more-secure-than-website's-password, just because of performance, right? [00:06] key-pair isn't intrinsically more secure; key-pair is rather like OAuth in fact [00:07] in that you setup credentials that are attached to your account for programs to use [00:08] there is one way in which key-pair is more secure, which is that it can't be brute forced as easily as password systems [00:08] lifeless: It's a lot harder to brute-force a private key. [00:08] Right. [00:08] key-pair is not more secure _in launchpad_ right? because they's protected by a single lp password. By more secure I mean it's almost impossible to guess your private key [00:08] And I can easily revoke a single keypair without disrupting all of my things that log into Launchpad. [00:08] but given we use passphrase authentication on the website, its hard to argue that other parts of the system should be held to a higher standard [00:09] RenatoSilva: Well, bruteforcing your Launchpad password over HTTPS is probably impractical too, if only because the web UI is *so damn slow to respond*. [00:09] wgrant: Thats more to do with the separate set of credentials aspect [00:09] at least GPG keys require validation from launchpad for you to attach them to your account [00:09] lifeless: That's what I meant. [00:09] RenatoSilva: it *is* more secure in launchpad [00:09] ajmitch: Only to an address on the key, not one of your existing addresses, IIRC> [00:09] wgrant: ah well [00:10] RenatoSilva: unless you mean 'if the password is compromised the list of keys can be altered' [00:10] wgrant: maybe you don't need a brute-force attack to find out website's password [00:10] wgrant: it's essentially fragile compared to the private pey [00:10] key [00:10] RenatoSilva: Right. [00:11] I'm not quite sure how LP has got away with this, given the immense power that some Launchpad accounts wield. [00:12] lifeless: unless you mean 'if the password is compromised the list of keys can be altered' ---> yes that's what I mean [00:12] so, yes thats a vulnerability [00:12] its the key exchange vulnerability in fact [00:14] The most sane fix I can think of is to require all Launchpad authentication token changes (passwords, OpenPGP, SSH) to require OpenPGP-signed confirmation. [00:14] lifeless: people may think, "oh I'm using ssh key pair authentication, really nice, no one will guess my private key". However it's a false sense of security, because that super-powerfull private key is protected by a simple common password. [00:14] RenatoSilva: uhm [00:15] RenatoSilva: lp doesn't hold the private key [00:15] RenatoSilva: if the lp password is guessed, the private key is *still* secure [00:15] lifeless: I know [00:15] lifeless: They don't have to. They can replace it. [00:15] wgrant: yes, I know, see above. [00:15] lifeless: I mean the authentication [00:16] RenatoSilva: I think its important that all credentials are protected appropriately [00:16] same goes for OAuth etc [00:16] lifeless: people may think "impersonating me in Launchpad is as hard as guessing my private key", but it's not. It's as easy as guessing website password. [00:17] RenatoSilva: thats true, they may think that. Do you have evidence that they do? [00:18] RenatoSilva: I doubt that they do, because they still use a password to login to the website [00:21] lifeless: I thought that that's why an ssh key pair is required, because is more secure than single passwords. Then I thought a bit more and came here to ask you :) [00:21] lifeless: I wonder what launchpad's wiki stands about it tough [00:23] wgrant: I don't think it would be a full solution, but Launchpad could send a confirmation email when altering the keys... [00:23] launchpad is not loading at all on Opera. is this a known issue? [00:24] RenatoSilva: An unauthenticated confirmation email is almost useless. [00:24] wgrant: so that someone would need to get not only lp password but the one from your email [00:25] wgrant: An unauthenticated confirmation email is almost useless. --> ? [00:25] RenatoSilva: Not cryptographically authenticated, that is. [00:26] wgrant: you mean to ensure that it was lp who sent the confirmation email? [00:26] RenatoSilva: No - to ensure it was the user who received it. [00:27] wgrant: sorry I don't get what you mean [00:27] RenatoSilva: The confirmation email needs to be sent encrypted, or it's easily interceptible in transit. [00:27] wgrant: you mean to avoid someone else reading the email? [00:27] Yes [00:27] k [00:28] ok [00:29] wgrant: I don't think it would matter if someone saw 'your keys have been changed' [00:29] wgrant: an attacker that can prevent mail delivery would just block all encrypted mail from lp [00:29] lifeless: Of course - that's why the email has a confirmation link. [00:30] RenatoSilva: I think lp could increase its documentation about this on the person edit page perhaps [00:30] wgrant: once someone has your password and your email, they are you, unless we build the whole system out of gpg [00:31] wgrant: which would make it extremely hard to use [00:31] lifeless: Which was exactly why I suggested we build the whole system out of GPG... [00:31] lifeless: Well, the current situation is completely unacceptable. [00:31] wgrant: it is? [00:32] lifeless: Given the privileges that several community accounts have acquired over the past 18 months, yes. [00:32] And some other issues. [00:32] I'm sorry, I'm completely failing to track the logic chain from 'allows password authentication' to 'it is unacceptable that people in the community can have lots of access' [00:33] well, even your OpenPGP keys are protected by a single password right? [00:33] Note that most (all?) of the largest web services around use password authentication [00:34] lifeless: No other well-known web service allows one to push out software to millions of machines within hours, with the click of a button. [00:34] (well, it requires a key too, but that's easy now) [00:35] wgrant: oauth key? [00:35] lifeless: OpenPGP key, to upload the package. [00:35] lifeless: I think the point is: your password is the only thing protecting your lauchpad account. The SSH keys are just for convenience, for use in bzr+ssh because it is faster than https [00:35] But that requirement will go away soon. [00:36] RenatoSilva: wgrant is talking about a whole other things now [00:36] lifeless: It's very much related - all of these credentials are protected solely by a password. [00:36] But yes, it has drifted. [00:36] wgrant: to be precise, the selection of credentials are protected by a password. [00:37] wgrant: I suggest precision, because pgp keys and ssh keys are *not at risk*. [00:37] lifeless: Right. [00:37] and if folk get confused and start to think they are, the conversation will be muddy [00:37] so lets examine the basis of soyuz and gpg stuff [00:38] we don't require a web of trust; rather we require one working email account [00:38] and a gpg key for that account [00:40] ever since soyuz was created this has been the case; and adding a mail account with gpg key has been easily doable if you compromise the password [00:40] Right. [00:41] But there were previously barriers which meant that just getting access to a Launchpad account or OpenPGP key were not fatal. [00:41] wgrant: there were? [00:41] wgrant: are you referring to needing shell access to a dc machine to do archive admin? [00:41] lifeless: There were. Only the development series can be uploaded to directly. That mitigates a lot of the damage, although it's still pretty awful. [00:42] Any other series has to go through the queue, which was previously administrable only with shell access. [00:45] so now lets compare the access levels [00:45] ssh keys are protected by a passphrase, but you need physical access to attempt attack [00:45] e.g. UDS [00:45] ditto gpg keys [00:46] hmm, launchpad form POST is screwed up. some fields are not saved at all. (or, is it my browser fooling?) [00:46] OTOH lp passphrases are on the web, but arguably we can do a better job of detecting attacks [00:46] srid: what page? [00:46] lifeless: LP accounts are also accessible with one of several cookies. [00:46] lifeless: bug page. I changed importance from 'Undecided' to 'Low' (along with other changes), but the importance field was not changed at all. (browser -- safari on macosx) [00:46] (an offline dictionary attack on your gpg keys are not accessible) [00:47] wgrant: currently, the cookies are end to end encrypted [00:47] wgrant: but I'm guessing you're arguing that physical access may permit copying a cookie [00:47] srid: try refereshing it? [00:48] lifeless: Physical access makes that easy, yes. But there are others ways. [00:48] Practical ways. [00:48] hmm. didn't. will try next time. [00:48] but this is not supposed to be cached. damn. [00:48] besides, why would one field have old values .. while others not. strange indeed. [00:48] wgrant: I may be missing something, but https <-> https means you need either a xss attack (and we're very vigilant about those), or physical access to the source or target [00:48] srid: Some browsers do strange things with caching form values. [00:49] srid: we use AJAX [00:49] srid: for an increasing number of things [00:50] lifeless: There are other ways. People do not protect their cookies well. [00:50] It is entirely the user's fault, but it still happens. [00:51] lifeless: MITM is still viable with https <-> https. [00:51] I just don't see many sense of the ssh keys, it would be better if you could just type your password in bzr+ssh [00:52] *sense on [00:52] *much [00:52] RenatoSilva: ssh is much more convenient [00:52] RenatoSilva: it allows cron jobs and other things without putting my password in plain text [00:53] It means I can keep my Launchpad password off all those remote machines entirely. [00:53] lifeless: I mean the authentication, ok use ssh for transport, but use your lp password to authenticate instead of a key pair. I don't know if the ssh protocol allows you to do this tough. [00:54] RenatoSilva: I know wha you meant [00:54] lifeless: isn't your private key kept plain-text in memory anyway? [00:54] RenatoSilva: no, its not. [00:54] depending on your config [00:55] at worst its protected and locked to prevent paging to swapfile [00:55] you can also have multiple keys, one per machine [00:55] the same could be done with lp password [00:55] it could [00:55] It's also only there for a tiny period, and an SSH key is a lot less powerful than your Launchpad password. [00:56] however passwords are bruteforcale [00:56] and theres no need for that when the password prompt can be done locally on the users machine using keys [00:56] lifeless: that depends on what safeguards are built in to whatever you're logging in to [00:57] micahg: whether it can be successfully bf'd - yes. [00:57] whether you allow the possibility - no [00:57] and whether we need to deal with people trying - no [00:57] and whether the owner of the credentials is inconvenienced when someone is trying - no [00:57] lifeless: the possibility depends on the safeguards [00:58] maybe I can put it this way: [00:58] keys: very small surface area. passwords: large surface area [00:58] lifeless: bzr could act as a browser, you log in to lp site, then every time bzr sends a request, lp site checks if the mentioned user is authenticated [00:59] can you put a lot of effort in and get maybe the same thing with passwords? yes. But why would you give yourself that headache. [00:59] RenatoSilva: thats roughly what oauth is [00:59] RenatoSilva: however, what compelling advantage does that have over ssh? [00:59] oauth? [00:59] RenatoSilva: oauth [01:00] lifeless: the advantage of not using a non-sense key pair [01:00] lifeless: non sense in the sense of security [01:00] wgrant: I'd be delighted to talk about your concerns more, but this forum is going sideways too often [01:00] wgrant: perhaps drop me a mail [01:00] lifeless: It is. OK. [01:00] google oauth [01:01] RenatoSilva: we discussed the security aspects earlier; you're recapping the prior conversation or something. ssh keys are demonstrably more secure than passphrases. [01:01] their lower bound is approximately the same as the upper bound you can reach with passphrases [01:01] and yes, the vulnerability of passphrases does allow the key list to be changed [01:01] that isn't a reason to use a weaker auth for another component [01:03] . [01:09] compromise website pwd is a disaster anyway, so let's stand this will never happen. Now add to this scenario the ssh key. If you somehow get the private key, you can push code to lp as if you were the owner of the key. Now imagine there's no ssh key, you need to type lp password (like bzr is a browser using https only for auth). As previously standed, the password is never compromised. Therefore it is more secure :) [01:11] RenatoSilva: But the password *is* compromisable, and LP authentication will hopefully be stronger than just password auth eventually. There's no point reducing SSH security to the current awful state of web auth. [01:14] which is the appropriate project for filing a request regarding blueprints [01:14] micahg: blueprint [01:15] :) [01:15] wgrant: compromise website pwd is a disaster _anyway_, so _let's stand_ this will never happen [01:15] RenatoSilva: do you mean 'the website password database being exposed'? [01:16] RenatoSilva: err what? that's *not* how you do risk analysis. [01:16] RenatoSilva: But the website password can and will be compromised. It won't be so much of a disaster when there is additional protection in front of auth settings. [01:16] RenatoSilva: or 'a single account being compromised'? [01:17] ssh keys act as a "second" password with less privileges, but protected by the first password. Two passwords are two ways of impersonating you in some level. And that "second" credential _is protected by the first one_, which means that compromising the first password is the same as compromising the second. So losting the master password is a disaster _anyway_, with or without shh keys. The difference is that with ssh keys you open a second door to y [01:17] RenatoSilva: if what you really mean is 'I don't like having to fiddle with ssh keys', then I suggest you file a bug asking to make that easier to work with. [01:20] lifeless: I don't want anything. I'm just talking at a bazaar. [01:21] you seem to be arguing a particular case though. LP *wants* to support multiple credentials for people, because that meets some very important use cases, such as running programs without disclosing the users primary credentials. [01:21] The use case you are arguing for, of using passwords for things other than access to the website is *not desirable* in launchpad, because its less secure. [01:22] It's less secure because it leads to the users credentials being stored in plaintext across multiple machines [01:23] plaintext even if bzr acts as browser? [01:23] lifeless: are you assuming passwords are stored in plain text? [01:24] that is bzr connects through https with lp, then sends the typed password and starts a session with the website [01:24] RenatoSilva: As lifeless said, that's basically what OAuth does. [01:24] micahg: that is the proposition being argued [01:24] RenatoSilva: that doesn't work from cron [01:24] then when you run bzr it first checks if you're authenticated in the website, if so then it performs the actual operation through bzr+ssh [01:25] RenatoSilva: unless the password is stored [01:25] hmm, maybe I shouldn't jump in in the middle, but that seems disasterous [01:25] micahg: I agree completely. [01:25] I don't store passwords in cleartext anywhere if I can avoid it [01:25] exactly. [01:25] I think I'll stay out of this though [01:25] this is what alternate credentials are for [01:25] oauth is a key based system [01:25] as is ssh [01:25] and gpg [01:26] the specifics are different in each case [01:26] sorry, I'll back out of this discussion [01:26] lifeless: ok cron is a problem is this case [01:26] too much to do [01:29] lifeless: if you're not using cron and other automated stuff, then IMHO I'd preffer typing my password (only one door) [01:29] lifeless: I'm just saying my opinion, I'm not telling that lp should do this or that [01:32] RenatoSilva: you can have the same password on your ssh keys as you do for lp, or no password at all if you trust that noone else has physical access to your machine [01:33] RenatoSilva: I think it would be ok to *allow* the use of passphrases for bzr+ssh://bazaar.l.n/ [01:33] in fact, I filed a but about that some time back [01:35] is keyserver.ubuntu.com down??? Will you please check right now? Thx. I haven´t been able to access it ever - meaning for the past 18 hours. I´d greatly appreciate data if it is working, so i´d know if the problem is with it, or at my end. Thanks, & awaiting your confirmation... [01:35] lifeless: ubuntu-dev-tools developers were recently forbidden from allowing users to enter their Launchpad passwords into anything other than their web browser. [01:35] kub1: It's not. [01:35] lifeless: I don't know how secure is a password/phrase encryption algorithm. I mean, wouldn't it be easy (or not that hard) if you get local access to the private key file, to decrypt it using brute force attack? [01:36] kub1: As I suggested earlier, you're very probably behind a restrictive firewall. [01:36] kub1: I believe TCP port 11371 is the one in question. [01:36] s/phrase/phase-based [01:37] phrase [01:37] RenatoSilva: It's of course possible to brute-force the passphrase on a key if you have the key. [01:37] wgrant: ah yes; its a social defense. [01:37] wgrant: so that we can tell people 'never put your password in except on the website' [01:37] lifeless: Yep. [01:38] Not unreasonable. [01:38] RenatoSilva: the way passphrases work is that they are transformed into a symmetric key and used to decrypt the stored ssh keys [01:39] RenatoSilva: they are reasonably secure as long as they aren't machine guessable [01:39] wgrant: possible but easy, hard? if is possible and very easy, then why put a passphrase on the private key? I imagine it is not that easy, I just don't know _how much_ secure. I couldn't find docs in the web about it [01:41] lifeless: I need to read more to learn how this kind of encryption works and how much secure it is exactly... [01:42] RenatoSilva: It's just boring old brute force. Difficulty revolves entirely around the complexity of your passphrase. [01:43] and local physical access :P [01:43] That too. [01:44] a gun to the head is a very effective 'brute force' password cracker [01:44] indeed [01:45] it also breaks gpg etc ;P [01:45] :-) [01:45] I have branch X merged with branch Y. I have branch Y locally, then I add a new revision and push to branch _X_, I thought this would lead to a branch conflict, but it didn't. It was like branch X was totally overwritten by branch Y... [01:48] wgrant: so that a good passphrase is as secure as e.g. RSA itself? I mean, not even all computers in the world could decrypt the private key by brute-force attack, just like it can't be done with RSA-encrypted messages. [01:49] RenatoSilva: It all depends on the complexity of the passphrase. [01:49] RenatoSilva: I think you're missing the point. if decryption is $$$, then I (the attacker) will find a more cost effective way to access your data. Hopefully comiserate with the value of your data. eg Hold a gun to your head. think *outside* the square. [01:50] where is that xkcd when you need it [01:50] lifeless: I was looking for that one :( [01:51] http://xkcd.com/538 [01:51] spm: I'm not reffering to other ways of getting access. Putting a shotgun in your head is _obviously_ a good way [01:52] heh. was a common problem in my defence security days - crypto folk get so caught up in their magic, they forget that to someone who has root access on the servers on either end of the secured pipe, that said pipe is irrelevant. [01:52] RenatoSilva: that you aren't referring to other ways is the problem. they're *ALL* related. you can't simply ignore those bits you don't care about. [01:53] spm: I can't? [01:53] spm: so if I want to specifically study brute-force attack [01:53] spm: forget it [01:54] RenatoSilva: bit hard to forget it - been doing it security gumpf for waaaay too long ;-) [01:54] spm: I asked a technical specific question [01:54] spm: wgrant: so that a good passphrase is as secure as e.g. RSA itself? I mean, not even all computers in the world could decrypt the private key by brute-force attack, just like it can't be done with RSA-encrypted messages [01:55] RenatoSilva: sure. and that's the problem. you're focusing on one specific part. you can't do that. ever. it's just one issue in thousands. [01:55] spm: it's a technical question, I'm not talking about security in general [01:55] RenatoSilva: Your definition of 'good' is probably wrong. [01:55] spm: problem??? [01:55] spm: ?????????? [01:55] wgrant: I didn't even defined 'good' [01:55] define [01:55] RenatoSilva: I know. [01:55] RenatoSilva: you're trying to argue if XYZ is secure or not. irrelevant. I'd attack a weaker point. [01:55] But any definition you could come up with is wrong. [01:56] spm: argue? [01:56] spm: it's just a question [01:56] discuss/ whatever :-) [01:56] I am unable to access keyserver.ubuntu.com through my isp, & someone just checked & told me it is working cause they can access it. My isp blocks most ports except for http. Is there any way i can get the key through https?, and manually add it to the appropriate apt control file? [01:56] How do i access it via a proxy site? which proxy site? [01:57] spm: I'm interested in how password-based encryption works. that's it [01:58] wgrant: ok, I'm just curious about _how much_ secure they are ^ [01:58] RenatoSilva: generally the passphrase is hashed, often with a salt, and the hash is the actual key [01:58] wgrant: understand how it works etc [01:58] RenatoSilva: As secure or insecure as you want. [01:58] wgrant: by secure I mean technically [01:58] For your average passphrase, incredibly insecure. [01:58] RenatoSilva: So do I. [01:58] depending on what you're encrypting that then becomes the source for a psuedo OTP [01:58] RenatoSilva: "how much secure" is the wrong question :-) secure for what purpose. eg a MS-DOS PC can be secure enough to hold TopSecret information. see? [02:00] lifeless: oh hashes.... [02:04] spm: I just mean understand all the theory behind it. Of course you can use very bad RSA key pair, and you can use a shortgun, social engineering etc. but that's not what I meant [04:19] hello, i have a problem with launchpad and would appreciate some assistance.. I created an account some time ago and i know the email address i used but do no know the password i used.. the email is no longer active so i cant log into it to reset my launchpad password.. the reason i want to login is to remove or edit my account since when i google my screen name my last name shows up in the first hit and i don't like that at all. If there is some way i c [04:23] nivekc1: you got cut off there [04:24] nivekc1: but i suggest you email feedback@launchpad.net with the details [04:24] mwhudson what do you mean by cutoff [04:25] my post was as follows: hello, i have a problem with launchpad and would appreciate some assistance.. I created an account some time ago and i know the email address i used but do no know the password i used.. the email is no longer active so i cant log into it to reset my launchpad password.. the reason i want to login is to remove or edit my account since when i google my screen name my last name shows up in the first hit and i don't like that at all. [04:26] nivekc1: irc limits the length of messages === Edwin is now known as Guest46485 [04:57] spm, are you back? [04:57] poolie: yup [04:58] spm, bug 253788 is bugging me [04:58] Launchpad bug 253788 in malone "Bug mail should use my verbose_bugnotifications, not the team's" [Undecided,Triaged] https://launchpad.net/bugs/253788 [04:58] pun intended? [04:58] it sounds like there's an option in the db for which there's no ui to turn it off [04:58] mm [05:00] are you able to see this in the db? could you in principle turn it off for ~bzr and ~bzr-core? [05:00] poolie: could be, it's not like we have any shortage of those. /bitter_and_twisted. ping gmb directly perhaps? he may be able to let us know what to zot. ?? [05:00] poolie: no idea. would barely even hesitate to guess. [05:01] k, i'll open a question [05:03] in principle tho. if such does exist, and we get a more or less ok that it's safe and sane from gmb, I have no problem toggling accordingly - so long as we get the sql to do so. I'm reluctant to just tweak stuff in the DB with zero idea of the consequences of doing so. [05:03] spm: live life! [05:03] :) [05:03] heh. something like that. :-) [05:04] You could safely enough check that ~bzr-core's verbose_bugnotifications is true, though... [05:04] yeah, that would help [05:04] good idea [05:05] i filed https://answers.edge.launchpad.net/malone/+question/76825 [05:05] i agree with waiting for guidance from the malone team but just having a peak as wgrant says would be nice [05:06] Certainly, flicking the switch without confirmation from a Bugs person is probably not a good idea. [05:07] We've not even had a Bugs person confirm that my suspicion was right, although it makes sense. [05:10] poolie: select verbose_bugnotifications from person where name='bzr-core'; ==> 't'. no idea what that means tho. [05:10] k thanks [05:10] that seems to confirm william's theory [05:11] t meaning true [05:11] fwiw, your settings is 'f' - so yeah true false sounds good [05:11] Aha, so some part of Launchpad does make sense. [05:11] you have no idea ;P [05:11] wgrant: NO! it's lies!!!! [05:44] spm: What's wrong with edge? It hasn't updated in like three days. [05:44] Which is annoying lots of people, as a core Soyuz API is broken. [05:44] wgrant: the updates have been stopped [05:45] Is this for the same reason that staging's build broke around the same time, or something else? [05:46] not sure. I was away all last week, so only have sketchy details at this stage [05:46] Ah. [05:47] aiui, we're waiting on a CP'd fix from last week to land in stable - then edge can be updated again [05:49] ... which far as I can see, hasn't landed yet. [05:58] :( === thumper_laptop is now known as thumper === ircd is now known as Guest18724 [07:27] wgrant: it seems that attachments can exists for longer than 24 hours after being deleted [07:28] micahg: Disappointing. You might have to ask a Bugs person later. [08:43] wgrant: were you able to view the screenshots linked from bug 386355 as well (I know it requires LP auth, but not sure what the restrictions there are... I was hoping it allows any LP user) [08:43] Launchpad bug 386355 in soyuz "Archive 'subscription' terminology is confusing" [Medium,In progress] https://launchpad.net/bugs/386355 [08:45] noodles775: Waiting for it to load, but I'm guessing it's devpad? That requires one to be a Canonicalite. [08:46] Ah, chinstrap. No access to that. [08:46] wgrant: I specifically put it on chinstrap... [08:46] thinking that would allow access... uploading 5 images to the bug generates lots of spam. [08:46] Hmph. [08:53] noodles775: you can upload to rookery which is the same machine as people.ubuntu.com [08:54] mwhudson: Ah, great thanks! === ripps_ is now known as ripps [09:02] "Optional notes about this access" seems wrong. [09:04] And Person:+archivesubscriptions seems like it should have the PPA name linked, rather than an additional "(i) View" link. [09:10] wgrant: do you mean the link from the email should go directly to the subscription? [09:11] If so, it "would be difficult"... (the initial 'view' link is actually a submit button that posts a form, as it's creating the pwd.... [09:11] Ah, yes, I remember that now. [09:12] but I agree, that would be better for the user (once we can collect stats some other way) [09:13] In the new access email, is the registrant referring to the subscription creator, or the archive owner? [09:16] wgrant: the subscription creator (ie. an individual) [09:16] (I think... quickly checking) [09:16] yes. [09:17] Why would I want to find out more about them? [09:17] It might be nice to tell me who they are, but I need to know the owner of the archive more. [09:18] wgrant: in case you don't know who they are... click on their profile... [09:18] hmmm. [09:19] A large majority of P3As will be owned by teams, I suspect. Your emails seem to be tailored to the case that the owner is an individual. [09:19] wgrant: I don't think so... it's just trying to tell you *who* was responsible for creating your subscription... [09:20] noodles775: Why do I care about that? [09:20] They're probably not the engineer behind the software. [09:20] wgrant: because you may not be able to view the owning team (could be private) or the ppa page itself. [09:21] Argh. [09:21] (and yes, we do want to reconcile these ;) ). [09:21] So the person who added you is someone that you can contact if you've got questions about it. [09:21] Do you have to confirm the subscription before you can see the PPA page? [09:22] wgrant: even then you won't be able to see the PPA page unless you are a member of the owning team (currently) [09:22] * wgrant cries. [09:22] * noodles775 put his arm around wgrant in support. [09:22] Now I see why it is how it is. [09:22] But... ew. [09:22] As I said, we do want to reconcile these, but it's not trivial. [09:24] So private teams (not PMTs!) can have PPAs? [09:26] wgrant: I don't know, all I know is that archive subscriptions currently have nothing to do with access to the PPA page. [09:26] PMs can have PPAs [09:26] PMTs cannot [09:26] P3As I mean [09:27] acronym overload [09:27] I would have thought the opposite would make more sense. [09:27] So I can have a subscription to an archive in a person that doesn't exist? [09:28] urgh I haven't woken up yet [09:28] let me start again [09:28] Private Teams can have Private PPAs [09:29] Private Membership Teams cannot === bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: bigjools | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing [09:30] Right. Very odd, that is. [09:30] why? [09:30] It really doesn't seem like a good idea to send out those emails with no information about the actual archive. [09:31] hi all [09:31] hi there james_w [09:31] wgrant: the name of the archive is included (always was in the subject, but now also in the body as per your recommendation) [09:31] I'm still getting the OOPS from getPublishedSources, has edge been updated since we spoke on Friday? [09:31] edge updates have been disabled, apparently :( [09:32] james_w: nope :/ [09:32] no :( [09:32] damn [09:32] it's a pain [09:32] noodles775: Right, but that doesn't give me much information. [09:32] I am going to get my fix cherrypicked [09:32] noodles775: How do I verify who the owner is? [09:32] I can't see that team. [09:32] wgrant: no, but as much information as you can have about a private PPA right? [09:33] (well, there are other public tid-bits I think, but nothing more relevant than the name) [09:33] But I have a subscription. Why can't I see the archive? [09:33] wgrant: you have a subscription (or access) to download software from that archive... [09:34] not necessarily to see the builds etc. for that archive. [09:34] But that is insane. [09:35] Again, we do want to reconcile the two, but it's not straight-forward to do so (I've got a bug somewhere... one tick, then you can comment there :) ). [09:38] wgrant: why is it insane? [09:38] wgrant: bug 336779 [09:38] Launchpad bug 336779 in soyuz "ArchiveView permissions should use subscriptions" [Low,Triaged] https://launchpad.net/bugs/336779 [09:39] bigjools: What privileged information is there in a build log? As long as you're not leaking P3A buildd keys again... [09:40] why, as someone who wants to download software from your repo, would I want to look at your PPA index page? [09:40] it's a developer page [09:40] not a user page [09:40] So I can see who is giving me this software. [09:40] And what is available. [09:40] no [09:41] you get to download what you're told you can download [09:41] And I'm expected to add this invisible archive to my sources.list? [09:41] depends how much you trust them [09:42] Trust who? [09:42] All I know is whoever created my subscription. [09:43] it's an interesting point [09:45] What happens if I am evil, buy a P3A, and give it a display name the same as some other very popular one. [09:45] I then fill it with malware of the purest variety. [09:45] I then invite lots of people. [09:46] How do the users of the other one distinguish it from mine? [09:47] I don't necessarily think the right answer is to let you see his ppa index page [09:47] Right, it's possibly to see the team. [09:47] But that seems even less possible. [09:47] it might help you, as someone who is technical enough to understand it [09:49] Where do I actually find my password? I have no access to a P3A, so I'm sort of guessing how things work. [09:50] the subscription page shows you when you get access [09:50] * wgrant remembers and find the screenshots. [09:50] I will give you access to soyuz team if you want [09:50] That would be even better. [09:52] the email is heading your way [09:56] Hmm. [09:58] noodles775: Um, the cancellation of access email links me to the PPA owner. Isn't that impossible? [10:01] wgrant: not impossible, but might not be possible... [10:01] noodles775: Well, yes. [10:02] bigjools: ^^^ perhaps we should use cancelled_by there. [10:03] * noodles775 wonders if we should move this kind of conversation to lp-dev so lp stays a bit more friendly :) [10:03] noodles775: yes probably [10:03] k. I'll include it in this change. [10:03] I was thinking of -dev as well [10:03] noodles775: Oops, yes, we can do that now. [11:10] hi I am getting this error when trying to import from git: http://launchpadlibrarian.net/28956734/gmpc-main-log.txt [11:10] * bigjools looks [11:11] qball: I think you need to file a bug about that [11:11] ah, i know that one [11:11] aha code people are still awake [11:12] barely [11:12] qball: i need to kill the import and restart it [11:12] mwhudson: I clicked restart when I did this.. [11:12] mwhudson: is it a bug or something else CHR people need to be aware of? [11:13] does anyone can help me to understand why something builds fine on my ppa and not on my local pbuilder ? [11:13] qball: a more comprehensive restart than that :) [11:13] how do I do that [11:14] qball: you don't; i do [11:14] owh ok [11:14] sorry [11:14] huats: not really a question for this channel, but paste me your output and I will take a look [11:14] * qball busy :( [11:14] bigjools: we should fix all branches that have this problem [11:14] qball: np, it's our bug! [11:14] * qball should not do multiple things [11:14] bigjools: hum the output from my pbuilder ? [11:14] qball: i've restarted the import now [11:14] huats: yes please [11:14] mwhudson: thanks! [11:14] qball: should be ready in a few minutes [11:14] mwhudson: is there a bug open? [11:15] qball: https://code.edge.launchpad.net/~vcs-imports/gmpc/main, you might want to subscribe [11:15] bigjools: no [11:15] bigjools: in fact I'd like to figure out if it is related to sbuild vs pbuilder... [11:15] bigjools: I am pasting the outputs [11:15] bigjools: i should spend a while with spm fixing this tomorrow [11:16] mwhudson: ok. [11:16] * mwhudson writes this down on a piece of paper [11:16] or better, file a bug ;) [11:16] not sure that's better, but it probably is [11:21] another question, is it possible to (if code is in launchpad bzr natively) to "auto commit" translations? [11:21] https://edge.launchpad.net/gpx-viewer I would like todo that for this project [11:23] i believe that's very much in progress [11:23] (but could be wrong) [11:23] owh last question, I made tags (in gpx-viewer) for releases.. but they don't show up under code? [11:24] what is the best (visible) way to mark release then? [11:24] bigjools: http://paste.ubuntu.com/216813/ [11:24] huats: Run away. [11:25] Very, very fast. [11:25] This is maxima! [11:25] heh :) [11:25] so ? [11:25] :) [11:25] We've tried to get that to build with gcl for a year now. [11:25] wgrant: ok I was not aware of that :) [11:25] you should comment the bugs ;) [11:25] I thought I had. [11:25] may be I haven't seen your comment :) [11:26] But you say you managed to get it to build locally? [11:26] make[2]: *** [gcl-depends.mk] Segmentation fault [11:26] nice! [11:26] wgrant: actually not [11:26] bigjools: Eeeehyes. It doesn't do it in Debian, and we can't work out what's wrong. [11:26] wgrant: it builds fine on LP butnot on my pbuilder [11:26] wgrant: but he said it built in a ppa ... [11:26] Huh. [11:26] huats: which series, karmic? [11:26] It didn't build for me in sbuild a month or two ago. [11:27] have a look at https://edge.launchpad.net/~christophe.sauthier/+archive/ppa [11:27] mwhudson: imported correctly, thanks [11:27] qball: woo [11:27] huats: what series are you building on with pbuilder? [11:27] bigjools: I have tried both karmic and jaunty for the same result [11:27] weird! [11:28] qball: now, will a subsequent import work? [11:28] that was the problem before [11:28] let me try [11:28] qball: yes, hooray [11:29] neat,t hanks [11:30] bigjools: i filed https://bugs.edge.launchpad.net/launchpad-code/+bug/398722, thanks for the prod [11:30] Ubuntu bug 398722 in launchpad-code "fix branches damaged by non-preservation of git.db files" [High,Triaged] [11:31] mwhudson: don't mention it, thanks :) [11:32] hi, can I drop a VCS import somehow and reset it with a new one? [11:32] wgrant: actually it says seg fault [11:33] but when I run it step by step [11:33] I get : http://paste.ubuntu.com/216816/ [11:33] don't know if it helps... [11:34] flixr: you would need to file a question and someone can do that for you (the question verifies your identity) [11:35] bigjools, I already did that: https://answers.edge.launchpad.net/launchpad-code/+question/74491 [11:35] but then it was suggested that I can do that by myself [11:36] let me check [11:36] mwhudson: is that possible? --^ [11:37] A user can request a new one, but not delete an old one. [11:37] right [11:38] right, that's what I though [11:39] mwhudson: it's assigned to you, I'll just leave you with it then [11:39] flixr: i requested a new import: https://code.edge.launchpad.net/~vcs-imports/paparazzi/trunk [11:39] great, thanks a lot! [11:40] sorry this took so long to sort out [11:41] no worries [11:41] that has to be an application to control remote cameras! [11:41] like the small spy cameras... === bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: bigjools (at lunch) | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing [13:01] while discussing with some upstream, we were wondering how accurate the popcon stats are. some say there's a factor 10, i really doubt it. could we use launchpad data to check that? i mean, using a well kwnow PPA, if popcon says 5000, and lp stats 50000, that would confirm the factor 10. === rmcbride_ is now known as rmcbride [13:55] is there a known time delay from when a source file is uploaded ? as when I run uscan the current source that I have just uploaded isn't picked up ? === bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: bigjools | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing [13:56] VK7HSE: yes, the scanner runs about every 5 minutes [13:57] Ahh cool thanks... [13:57] * VK7HSE needs to be more patient !!! === flacoste_lunch is now known as flacoste [14:14] wgrant: i just did the merge for maxima (and build it on my ppa) : works great.... So I'll upload it like this in universe.... === Kangarooo1 is now known as Kangarooo [15:58] bigjools: do you know if updating edge will be enabled soon again? [15:58] geser: we're working on it right now [15:58] there was a problem === fjlacoste is now known as flacoste === deryck is now known as deryck[lunch] === salgado is now known as salgado-lunch === matsubara is now known as matsubara-lunch === kiko is now known as kiko-fud === maxb_ is now known as maxb === bigjools changed the topic of #launchpad to: https://launchpad.net/ | Help contact: - | Join https://launchpad.net/~launchpad-users | Channel logs: http://irclogs.ubuntu.com | Open Sourcing: https://dev.launchpad.net/OpenSourcing [17:22] ping sinzui [17:22] hi micahg [17:22] hi sinzui [17:22] I was looking at bug 73890 [17:22] Launchpad bug 73890 in blueprint "Show diff of whiteboard changes in e-mail notifications" [Undecided,Won't fix] https://launchpad.net/bugs/73890 [17:23] is it still the intention to remove the whiteboards [17:23] yes [17:23] will it be replaced with something more trackable? === deryck[lunch] is now known as deryck [17:23] blueprints should have comments like bugs [17:23] with a master description as well? [17:24] probably [17:25] ok, is there a master bug I can subscribe to? [17:25] * sinzui looks [17:28] micahg: bug 49698 [17:28] Launchpad bug 49698 in blueprint "specifications should allow comments" [Low,Triaged] https://launchpad.net/bugs/49698 [17:29] I have a comment about comments [17:30] There should be a way to lock a spec so only approved people can comment [17:30] otherwise it might get out of hand [17:30] would that be a new bug [17:30] or a comment on this one? [17:31] micahg: I don't think we would implement that or accept someone's submission for that. We allow everyone to comment on bugs and questions [17:31] or and edit on the whiteboard [17:31] micahg: There is a feature I want o implement that makes comments for trusted project members very visible [17:31] s/for trusted/from trusted/ [17:33] I guesss as long as tehre's a changelog or we're e-mailed a changelog of changes to the master description, it would be ok [17:33] I just don' tlike the idea of a spec being hijacked [17:33] micahg: right. We need better activity reporting in launchpad === dpm is now known as dpm-afk [17:34] micahg: That has yet to be seen as an issue. Ubuntu is massive, and they have not reported a problem with this [17:35] yes, but I don't think the blueprints are as highly used as the bug tracker [17:36] Bug are and that is not a problem with bugs [17:36] right, but bugs are very targetted in scope [17:36] Nor is it a problem with answers. In general, we do design for features that may not ever be needed [17:37] occasionally we have people troll in bugs [17:37] but whatever, that's fine [17:37] you answered my original Q and I subscribed to the bug and blueprint [17:37] thanks sinzui === salgado-lunch is now known as salgado === kiko-fud is now known as kiko === Kangarooo1 is now known as Kangarooo === Kangarooo2 is now known as Kangarooo === yofel_ is now known as yofel === magcius_ is now known as magcius [18:55] Is anyone aware of an issue where I get getting duplicate email? === micahg1 is now known as micahg === arianit_ is now known as arianit === jon is now known as Guest40234 [20:52] Hello. Does anyone know if there are irc commit bots that can watch changes on LP bzr branches ? [20:58] anyone here? [21:01] racecar56: Just ask. If there's someone who's able to help, they'll answer, [21:01] maxb: kk [21:02] im going to make some modifications with kblocks (which is in kdegames), should i get the bzr version or the one you get with apt-get source? (i don't know if this is actually related to here...) [21:02] the one from bzr is from launchpad but the apt-get source one is from the ubuntu repos [21:03] #launchpad is for Launchpad the service - for questions about projects that simply *use* Launchpad, use a project specific IRC channel. [21:03] oh, then it's #ubuntu [21:03] ill be there === matsubara-lunch is now known as matsubara === Kangarooo1 is now known as Kangarooo [21:28] hi, i created a ppa some days ago, yesterday i uploaded my packages, dput is ok.. but i still have the message , no packages in this ppa... and no dir in ppa.launchpad.net, our project is launchpad.net/ubukey, how can i know what s wrong please ? [21:28] oups, hi first ^^ [21:34] smo_: You should have received email confirmation after uploading packages [21:35] usually within 5 minutes of uploading [21:36] If you receive no email at all the usual cause is either your uploaded .changes file was improperly signed, or you haven't bound the signing key to a launchpad account [21:37] either of those problems stops launchpad being able to tell who did the upload, so it has no way to tell you about the problem [21:38] I want to translate reddit, how can I do that using the launchpad facilities ? === salgado is now known as salgado-afk === ripps_ is now known as ripps === MT- is now known as MTecknology === EdwinGrubbs_ is now known as EdwinGrubbs === MTecknology is now known as MT- [22:39] I want to mirror git repository but I get this message "This branch may be out of date, as Launchpad was not able to access it 18 minutes ago. (Not a branch: "http://code.reddit.com/repo/reddit.git/".) Launchpad will try again in 5 hours. If you have fixed the problem, please ask Launchpad to try again. " [22:47] how do I change https://code.launchpad.net/~anmaster/cfunge/main to a hosted branch, my hosting went down forever. [22:47] I used mirrored before [22:47] same for all my other branches === Edwin is now known as Guest3052 [23:05] aboSamoor: did you request the import at https://code.edge.launchpad.net/+code-imports/+new [23:05] ? [23:06] mwhudson, no [23:08] aboSamoor: well you should have, i guess [23:08] AnMaster: ask a question please [23:08] mwhudson, in which project? [23:08] AnMaster: launchpad-code [23:08] thanks [23:08] mwhudson, I think it is working, how should found that, it think it is not clear ! [23:09] aboSamoor: it's not very clear no, [23:11] mwhudson, should I list the affected branches or? [23:12] that would be useful [23:12] right [23:12] mwhudson, anyway there should be a way for users to convert them. :) [23:12] yes [23:12] i think there's already a bug for this [23:13] mwhudson, https://answers.launchpad.net/launchpad-code/+question/76897 [23:14] * mwhudson on the phone now sorry [23:14] "no you hang up" [23:15] no rush === Edwin is now known as Guest72729 [23:39] hi [23:40] i need help with ppa repository on launchpad please [23:40] smo__: What is the problem that you're having? [23:40] first, do i must sign my packages or not ? [23:41] smo__: You must sign anything that you upload, yes. [23:41] so it s maybe my problem [23:41] in my dput.cfg [23:42] i have allow_unsigned_uploads = 1 [23:42] so if packages are not signed, is it normalthat i still have the message : This PPA does not contain any packages yet. Find more information about how to upload packages in the PPA help page [23:42] ? [23:44] smo__: If you uploaded something and didn't get an email saying it was accepted, I would indeed expect your PPA to say it didn't have any packages. [23:45] what s the validating process? [23:45] As maxb said earlier, you are not uploading to the right place, or you're not signing the package with a key that Launchpad knows about. [23:45] i created my key [23:45] it s on the lp servers [23:45] Have you attached it to your Launchpad account? [23:45] yes [23:46] And did you sign the package? [23:46] no ^^ [23:46] i m searching howto do that [23:46] There's your problem. [23:46] debsign blah_source.changes [23:46] the whole process is very complicated (for me) [23:47] so i sign the .changes .dsc .deb .... [23:47] You just debsign the .changes. It will do everything else for you. [23:47] nice [23:48] have a fast exemple? (or i ll search np..) [23:48] gpg --sign-key keyID [23:49] gpg --sign-key F378FBB4 [23:49] for me , right ? [23:49] I gave one above: 'debsign package_version_source.changes' [23:49] ok thx, i try [23:50] gpg: [stdin]: clearsign failed: la clé secrète n'est pas disponible [23:50] secret key not available [23:50] ... === Edwin is now known as Guest23169 [23:52] smo__: Your key obviously doesn't match the name in your package changelog. Give debsign your key id with '-kKEYID' [23:52] ok i try [23:53] Successfully signed dsc and changes files [23:53] ^^ [23:54] Now, try dputting! [23:54] it will overwrite ? [23:54] There's nothing there, so it doesn't have to. [23:55] Already uploaded to ppa on ppa.launchpad.net [23:55] Ah, that's a local thing. Give dput '-f'. [23:56] nice [23:56] thx a lot ^^ [23:56] np [23:56] works [23:57] We'll see in three minutes if it actually did work.