/srv/irclogs.ubuntu.com/2010/06/01/#launchpad-dev.txt

wgrantIt should be on all pages relating to the project, really.00:00
wgrantBut yes, particularly a big warning on the code pages.00:00
sinzuiI could do as bugs has done (though correctly) to ensure apps do not work until someone enables them and state clearly who they represent00:00
wgrantBut branches are useful regardless.00:00
wgrantThey just need to be clearly unofficial.00:01
sinzuiSince we have competing communities, I feel pretty powerless to make everyone happy.00:01
sinzuiSo the code team could make the code pages clear00:01
wgrantLP is the only project hosting site that I know of that requires placeholder registration. It needs to go out of its way to do it right.00:01
sinzuiI know. I feel it is wrong that I am working on this00:02
sinzuiI need to go through 100s (and I really wish that number was an exaggeration) of bugs in all the apps to see what services users are trying to enable or configure, how every step fails. And these bugs are ancient00:03
wgrantLaunchpad already gives lots of projects enough reasons not to use it.00:03
wgrantLet's not get people angry with it before they even start using it.00:04
sinzuiplease help me then. where will people *see* this message?00:04
wgrantcode.launchpad.net/gedit, at least.00:05
sinzuiWhat is the message? what does it mean by not official?00:05
wgrantlaunchpad.net/gedit needs it to be obvious too.00:05
wgrantBut ideally it should be in the header.00:05
sinzuiThose are the code team's pages00:05
wgrantYes, and this is a Launchpad-wide problem.00:05
poolieit seems reasonable to me to show a header across all those pages saying "gedit's real home page is at http://blah (tell me more)"00:05
wgrantRight, something like that.00:06
wgrantAnd the name in the header could be something like "gedit in Launchpad"00:06
wgrantWith poolie's suggestion.00:06
wgrantTo indicate that this isn't really it.00:06
wgrantBut, well, this is probably why we have UI designers.00:07
sinzuiAI approved the reuse of the Involvement portlet so that code was always used. I could put text back on the overview page, but where? what message? The user is trying to take an action and I do not know where he is looking on to inform him this project officially uses lp hosting00:07
pooliesinzui, i think probably every page under that project00:08
wgrantOn every page, yes, but probably also an obvious warning in an extra portlet at the top of the project index.00:08
pooliealso the "tell me more" gives us a chance to explain00:08
pooliewhy we have this page here at all00:08
poolieand what you can do with it00:08
sinzuiActually, I think the issue is really about the reverse situation as you suggested. The page should state *where the code is officially hosted*. This is the same stupid problem with bugs, where I can tell Lp where bugs are tracked, but LP will never tell anyone else what I said00:08
wgrantThis sounds related to the "let me point the app tabs to other URLs" suggestion that pops up every so often.00:09
sinzuiThe home page is a poor argument. Lp does not want to host any project's home page. They are all hosted somewhere else.00:09
poolies/home page/official site00:11
sinzuiwgrant, I think it is. I think for example I can have two communities doing support, one using Lp Answers and the upstream community using a mailing list. For the good of all other users/communities, Lp should state the situation and then someone makes a choice00:11
poolieah00:11
wgrantsinzui: Who is someone?00:12
poolieit's a bit like the way facebook has pages about people who don't use facebook00:12
pooliefamous people at least00:12
pooliesome find it a bit creepy00:12
sinzuiI should be able to choose how I want support and the community I contact00:12
pooliethey may be doing better than launchpad at at least making it clear the actual person isn't there00:12
wgrantsinzui: The user shouldn't be able to; the project owner should.00:13
sinzuiI am not sure any owner has more authority than any other community.00:14
wgrantThe owner must be able to tell Launchpad what to do.00:14
sinzuipoolie, I do believe no service should be enabled until someone states they are using it.00:15
poolieit depends what you mean00:16
sinzuiSo I cannot use answers to support a project? Why can I not have Lp branches because a project uses gnome git?00:16
poolieah00:17
pooliei think we should just make the context clear00:17
wgrantsinzui: You can't use Answers to support a project if you are some random, no.00:17
sinzuiI do not think there is an on/off. There are several states (hence my suggestion of an enum) that allow Lp to help multiple communities share projects00:17
sinzuiWell I can be an answer contact for any project00:18
wgrantYou can't be.00:20
wgrantLP exists to serve the project.00:20
sinzuiNo it does not00:20
wgrantIf the project's owners do not want LP to do something, it should not do it.00:20
sinzuithat is a common misconception. Lp could never host all the projects that produce code that make up Ubuntu00:20
sinzuiLp exists to help communities share information, and to lower the barrier of contribution00:21
jelmerwgrant: Why is it an issue for Launchpad but not for e.g. sites like ohloh that also just track projects?00:22
wgrantjelmer: Does Ohloh provide services like this?00:22
sinzuiGNOME should not need to require zeitgeist to abandon Lp merge proposals. GNOME should be happy to know that Lp can help them with their own project dependencies. Lp should provide GNOME with excellent data about bugs and fixes.00:23
jelmerwgrant: yes, it allows users to post reviews of projects as well as mirroring the downloads for projects, project description, vcs locations00:23
wgrantjelmer: It allows one to link to external download pages, and just displays the real VCS location. That sounds reasonable enough.00:23
wgrantAnd presumably the owner can tell it not to link to an external download page.00:24
sinzuiI would be happier if it were easier to see real VCS information. I have more than a 1000 projects that need love00:24
wgrantWhereas they can't tell Launchpad to not accept questions from people.00:24
jelmerwgrant: I think the main problem is the perception that Launchpad is a project-endorsed resource00:26
wgrantjelmer: Right.00:26
wgrantOhloh exists solely as a secondary resource.00:27
jelmerright, and everybody regards it as that, whereas most people seem to think of Launchpad as a hosting site, not as a free software project tracker00:27
wgrantWell, most people think of Launchpad as the site that hosts Ubuntu.00:28
jelmerif we can make it clearer when a project is just tracked by lp and not hosted on lp I think this would be less of a problem.00:28
wgrantExactly!00:28
sinzuiIt is bot binary though00:29
sinzuinot00:29
sinzuia project can use GitHub for hosting, but still use Lp MPs00:29
wgrantThat's a very strange use case.00:30
lifelessor be on gnome.org and use mps :P00:30
lifelesswgrant: not at all00:30
wgrantlifeless' case sounds more reasonable.00:30
lifelessfolk are doing it in fact00:31
wgrantBut I guess they are similar.00:31
maxbthumper: hi00:31
wgrantIf a little concerning.00:31
thumpermaxb: hi00:31
thumpermaxb: I've updated the vcs-imports celeb permissions00:31
thumpermaxb: are you interested in helping qa?00:32
thumpermaxb: I could add you to the team, and you could make sure you can't do non-import related bits00:32
thumpermaxb: as long as you don't use production :)00:32
maxbheh00:32
maxbdid you want to do it now? i can grab a computer00:33
maxb(i'm on an android phone at present)00:34
jelmersinzui: btw, the "Configure project branch" link is really nice00:34
thumperjelmer, sinzui: my frustration with that is that it isn't used consistently00:34
thumpermaxb: I could add you to the team and you could look tomorrow if you like00:35
jelmersinzui: it saves quite a few roundtrips when registering a new upstream project00:35
thumperalthough I tried to import a subversion branch as a bazaar branch by mistake00:35
jelmerthumper: there being multiple forms for setting up a project branch you mean?00:36
* thumper nods00:36
thumperI'd like to take the guts of that same page and have a single page for registering a new branch00:36
maxbthumper: i can have a quick look now and explore more exhaustively tomorrow00:37
thumperit also doesn't use the same permissions / widget checks as the official import page00:37
maxblaptop is booting00:37
jelmerthumper: we also have all the infrastructure to just detect what type of vcs is present at a remote URL, it'd be nice to simplify the UI00:39
thumperjelmer: that would be nice00:39
thumpermaxb: you should be in the team now00:40
maxbIIRC the key things to look at were the new-project workflow, and the code import machines.00:42
thumpersomething like that00:42
thumpermaxb: actually I should have just added you on staging :)00:43
thumpermaxb: as you could at least try to tweak the machine settings there00:43
thumpermaxb: you are now in the vcs-imports team on staging00:44
* thumper checks that the right revno is on staging00:44
thumpermaxb: staging should be good to play with00:45
thumpermaxb: you can try anything there :)00:45
maxbor rather, on staging I can't try to tweak the machine settings, so I infer your branches have landed there already00:48
=== matsubara-afk is now known as matsubara
maxbIt all looks as expected - the one thing I haven't done yet is verify that I don't have any boxes I shouldn't in the new project workflow00:49
maxband I've now done that on staging00:55
maxbModulo the essential trickiness of QA-ing a negative, I'd say it's all fine00:57
maxbErm, pear's /home/importd/.bazaar/subversion.conf is apparently broken: http://launchpadlibrarian.net/49455906/maxb-guice-trunk.log00:59
maxbthe same failure is apparent in other branches when imported on pear01:00
wgrantYeah, it does that sometimes.01:00
wgrantHappens sometimes with concurrent bzr-svn imports.01:00
maxbDo we need act-of-losa to get it fixed?01:04
mwhudsonyes01:04
maxbthumper: OK, I'd say QA complete - did you want to deactivate me from ~vcs-imports pending an official ratification of it being ready for community members, or shall I start reviewing imports from time to time?01:09
lifelessmaxb: if you're on staging, then you're not activated on prod anyway01:40
thumperlifeless: I added him on prod too :)01:43
pooliehey02:29
ScottKHello02:29
pooliefirst off, thanks for commenting02:30
ScottKBTW, it would be nice if non-developers could subscribe to LP wiki pages.02:30
pooliethere had been a bit of silence aside from vague 'that sounds nice'02:30
poolieah is this the 'action not allowed'?02:30
pooliethat's a bug02:30
thumperlifeless: did you end up testing those merge proposal changes you did early in the cycle?02:30
ScottKpoolie: Yes.  action not allowed.02:30
thumperlifeless: I'd just like to sign off the qa02:30
* poolie looks02:30
pooliescottk, https://bugs.launchpad.net/bugs/586601 has a workaround too02:31
ScottKpoolie: In any case, what I read in the bug and the wiki page is very concerning.02:31
mupBug #586601: dev wiki toolbar has 'subscribe user' but not plain 'subscribe' <Launchpad Development Wiki Moin theme:New> <https://launchpad.net/bugs/586601>02:31
ScottKOK.  Thanks.02:31
poolieso02:32
ScottKSubscribed now.  Thanks.02:32
thumperpoolie: https://lp-oops.canonical.com/oops.py/?oopsid=1612BM102:32
thumperpoolie: that is (one of) the branch mail job that had memory issues02:33
ScottKAlso, I'm somewhat laggy at the moment, so if I don't reply, it's not because I'm ignoring you.02:33
thumperpoolie: it is the kernel02:33
thumperpoolie: lp:~vcs-imports/linux/trunk02:33
pooliescottk, let's try to unpack "to mean anything positive"02:33
pooliei don't assume it means the user specifically authenticated that message02:34
pooliein the sense that typing a gpg passphrase could mean "yes really"02:34
ScottKIf you allow the message to do anything that requires authentication, you have.02:34
pooliei do think it means we can be incrementally more sure that the message comes from who it claims to come from02:34
pooliewould you agree?02:34
ScottKNo.02:34
ScottKIt means you can be sure it came from the domain it purports to come from, but it tells you nothing about the user.02:35
lifelessthumper: sign off on it02:35
thumperlifeless: ok02:35
lifelessthumper: it doesn't matter if its right or wrong, until we do the other things you wanted, we're not using the queue stuff anyhow02:35
lifelessthumper: at your request :)02:35
* thumper nods02:35
thumper:)02:35
ScottKThe only way to believe it says anything about the user is to believe in implementation details of proprietary webmail services that you really have no insight into and even if they actually do what you think, could change without warning.02:36
poolieno, nothing about this is specific to proprietary webmail02:36
lifelessthumper: that said, I'm entirely confident of my changes anyway, as they a) have tests and b) weren't at the UI layer.02:36
thumperlifeless: ok02:37
poolieok, so are you talking about a case like this:02:37
ScottKpoolie: Implementation details of the sender.  The ones mentioned are proprietary (mostly) webmail providers.02:37
lifelessthumper: its not in the risk sector for me02:37
pooliethey're just examples02:37
ScottKOK.02:37
poolieanyhow, so a case like this: smtp.canonical.com lets employees connect over port 529, authenticate and send mail; but it doesn't check that the mail they send is from the user they authenticated as02:38
ScottKRight.  That's pretty typical.02:38
poolietherefore i can get a mail signed that claims to be from joe@canonical.com02:38
ScottKAll you really know is that it passed through smtp.canonical.com and they signed it.02:39
poolieok, interesting02:39
ScottKDKIM very explicitly makes no assurance that the From address is in any way valid or correct.02:39
ScottKJust that since the header is signed, it didn't get modified in transit.02:39
pooliehm02:40
pooliei understand that this is up to their local policy02:40
poolieit would be a bit weird for them to just sign all outgoing mail02:40
pooliebut perhaps that really is a typical deployment02:41
poolieespecially if it's just stuck in front of an existing server02:41
ScottKNow you may do a security analysis and determine that for some actions (maybe bug status), that is sufficient status.  The action is reversible and doesn't really hurt, but you have to recognize that you don't really know who sent the mail.02:41
ScottKYes.02:41
thumperScottK: I don't think we want to do that type of check02:41
thumperScottK: in fact we do allow that for unsigned email02:41
poolieso there are hints in the rfc02:41
thumperScottK: things like general comments02:41
poolieand i'll refrain from quoting it, but it does say that they would authenticate the submitter before signing it02:42
ScottKIn fact, if you get a dkim signed mail d=kitterman.com and From scott@kitterman.com, I really did send it or I have a bad bug, but I've gone beyond what is typical and there's no way to know I've done it.02:42
ScottKYes, but what does authenticate the sender mean?02:42
ScottKTypically it means that the sender is an authorized user of the MTA.02:42
pooliei assume that means username/password or similar authentication of the smtp submission02:42
lifelessthumper: we do ?!02:42
ScottKpoolie: Yes.02:42
thumperlifeless: yes02:42
lifelessthumper: I get mail rejected when I try to do status changes without signing it..02:43
thumpercommenting doesn't require signed email02:43
thumperlifeless: status changes do require signing02:43
thumpera plain comment doesn't02:43
poolieyes, as does filing a new bug02:43
lifelessthumper: so the thing you replied to was about bug status02:44
lifelessthumper: you can see my confusion02:44
thumperwhat I was referring to was: we already have a distinction02:44
pooliethumper, that oops would be good to file a bug about02:44
thumperbetween trusted and weakly authenticated02:44
thumperI don't think we want another in the middle02:45
poolieme either02:45
pooliethe question here is whether dkim-signed mail can be treated as 'adequately authenticated'02:45
pooliefor things like changing bug statuses etc02:45
thumperwell...02:46
poolieif there are a non-negligible number of domains that will sign any mail sent through them02:46
pooliethen it may not work02:46
thumperI can set up any number of identities with fastmail02:47
thumperwill it sign all of them?02:47
ScottKSo you can see the concern I expressed in the bug?02:47
pooliethe question is will fastmail let me send mail that pretends to be tim?02:47
pooliethat would be pretty damn weird if it did02:47
poolieScottK, is that the only concern?02:47
ScottKThat's the most important one.02:47
thumperthat is the sort of answer we should get before enabling it02:48
poolieso we could have a whitelist02:48
ScottKI think an implementation that depends on polling commercial email services and asking the internals of their implementation details is not a really great idea.02:48
poolieor we could get this from adsp, though i haven't looked into that much02:49
pooliewhy do you say 'internals'?02:49
poolieit doesn't really matter how it's implemented02:49
ScottKYou need to know if they allow cross user forgery.02:49
poolieright02:49
ScottKThat restriction is an internal implementation issue for them.02:49
ScottKThere's no protocol basis for discovering it.02:49
ScottKI can tell you from experience with SPF and DKIM deployments that senders routinely deploy this stuff and barely understand it.02:50
poolieif somebody decided to turn on dkim signing in ubuntu, would it be likely to allow cross-user forgery?02:50
ScottKCurrently Ubuntu developers have the ability to send mail through fiordland at least to Launchpad.  I don't know what checks they have in place.02:51
ScottKAt least you've got the data in Launchpad accounts to know what users should use what email addresses, but how you link that up to an SMTP time user authentication, I'm not sure.02:52
pooliei think you have a really good point that this will probably be deployed badly02:52
pooliebut ... if cross-02:52
pooliecross-user forgery is common, it seems to substantially defeat the point of dkim02:52
ScottKIt depends.02:52
pooliefor example they talk a lot about showing a signed From address to the user as authentic02:52
poolieor trustworthy02:52
spivIn the case of webmail providers, you arguably need to know if they have CSRF flaws etc.  Or more simply you need to know the user hasn't leaked their password accidentally... you can't require absolute trust, because nothing is absolutely trustworthy.02:52
ScottKThe more common use is to use the d= domain as an input token to a reputation system.02:53
ScottKSo over time you can measure which domains tend to send good mail and which ones tend to send bad mail so you can treat them differently.02:53
wgrantspiv: But if you can't trust the webmail providers, they can already reset your Launchpad password.02:53
ScottKIn that case, you don't really care about cross-user forgery.02:54
ScottKYou only really care if you try to believe the from address is somehow validated.02:54
ScottKIt may be, it may not, but it's no part of DKIM to say.02:54
poolieah02:54
ScottKAll DKIM can tell you about the from address is it wasn't altered in transit.02:55
ScottKIt was, in fact, contentious in the working group whether or not to require from be signed.02:57
ScottKFor this exact reason, people would read too much into it.02:57
pooliei see it is required02:57
ScottKIn the end, it's required to be signed only because it's a required part of the message body.02:57
ScottKThe fact that it's signed, is helpful for the policy component, ADSP, that was developed after the base DKIM signing spec.02:58
poolieproposition: a signature by kitterman.com on "From: scott@kitterman.com" indicates kitterman.com asserts this message is from scott@kitterman.com02:58
poolieyou don't think that's true?02:58
ScottKNo.02:58
ScottKIt asserts it's signed by kitterman.com and kitterman.com takes responsibility for it.02:58
ScottKIf it verifies, you can also trust the signed parts of the message were not modified in transit.02:59
=== matsubara is now known as matsubara-afk
pooliebut "takes responsibility for it" only in the sense of "takes responsibility for it not being spam" not "takes responsibility for it not being forged"?03:02
ScottKTakes responsibility so that you can blame it (in a reputation sense) if it's "bad".03:05
poolieok, so i see your point03:06
pooliebut the rfc really does seem to allude to a larger scope than that03:06
ScottKIt is of two minds about it.03:06
pooliemm, i understand it may be contentious03:06
ScottKIn the end, that's all it really does, but there are lots of entities that want to use the DKIM domain as an input to secret sauce reputation systems.03:07
pooliethere are specific examples saying that a from field signed by the relevant domain may be trusted03:07
poolieit may be the deployment is so bad this doesn't work03:07
pooliewhich would be kind of sad considering how long this has been in coming and how new it now is03:07
ScottKI think for applications where domain level information is sufficient, it has a lot of potential.03:13
poolieok03:13
ScottKUnfortunately, in the LP case, you need more granularity than it can provide.03:13
lifelesscan't they sign the From: field?03:13
wgrantThe difficulty is that most implementations do not verify that the authenticated sender is authorized to send using a particular address.03:14
pooliewell, citation needed for 'most'03:14
pooliebut it's certainly possible some don't03:15
wgrantThe common documented Ubuntu setups don't.03:15
lifelesswgrant: do they claim that they do though?03:15
ScottKlifeless: Signing From just means it wasn't modified in transit.03:15
wgrantlifeless: How do we tell?03:15
lifelesswgrant: is From signed, no ?03:16
wgrantlifeless: Heh, no.03:16
ScottKActually you can't actually tell if they claim it's valid.03:16
lifelesslets assume we could tell, what header would we use in launchpad to associate the mail with the account03:16
lifeless?03:19
ScottKIf you're talking DKIM, you're talking body From.03:19
ScottKDKIM is silent on envelope identities.03:19
lifelessand do servers routinely sign body From without sender verification ?03:20
ScottKThere's no requirement in the RFC for it.03:20
ScottKOr to put it slightly differently ....03:20
ScottKThe senders are verified, but generally they are verified to be authorized users of the MTA, not generally that they are specifically authorized to use the From they are using.03:21
lifelessare they able to sign the mail as being from their domain *without* signing body From ?03:21
ScottKNo.  Signing from is required because it's a mandatory part of the message.03:21
lifelessok03:21
lifelessso we're screwed03:21
pooliewell03:22
ScottKI think DKIM verification is not suitable for applications where you need to have some assurance that you have mail from a specific user.03:22
lifelessanyone doing DKIM as a 'this isn't spam' effort is indistinguishable from someone doing DKIM with user granularity03:22
wgrantWell, someone could define another standard for a signed header that verifies From. But surely such a thing already exists.03:22
ScottKThe D in DKIM stands for Domain for a reason.03:22
lifelessScottK: some domains may be good enough to use03:22
ScottKwgrant: Yes, for this application you use GPG or S/MIME.03:22
pooliei thought this was part of the point of DKIM beyond SPF03:22
pooliewell03:22
ScottKlifeless: How would you know?03:22
pooliegiven there is an exposure03:22
lifelessScottK: we could ask them03:23
pooliedoes this actually matter03:23
lifelessScottK: they could tell us03:23
pooliehow many important users send mail from servers that allow spoofing03:23
ScottKlifeless: My experience is a lot of providers wouldn't give you an answer you can rely on.03:23
poolieand how bad is it if their mail is spoofed03:23
poolieone could already cause a lot of trouble by forging unsigned mail03:23
wgrantStatus changes are reasonably trusted at the moment.03:24
wgrantAnd used for workflow things in Ubuntu.03:24
ScottKpoolie: I don't think DKIM 'goes beyond' SPF, it tells you a similar thing about a different identity.03:24
ScottKIf you have a message where Mail From and From are the same (this is the 80% case) then an SPF pass and a valid DKIM signature tell you about the same thing.03:25
ScottKThe difference between what they tell you is for most purposes not important.03:25
lifelesswgrant: so, if we turned on DKIM for providers that say 'we do per-user authentication on our submission port'03:27
lifelesswgrant: would that really decrease the workflow trust?03:28
ScottKlifeless: You need to be very careful and specific about how you ask that question.03:28
lifelessScottK: agreed03:28
ScottKAlso I'm reasonably certain a significant fraction of the Yes answers you get would be wrong somehow.03:28
lifelessScottK: 'the body from header in mail from our servers is restricted to addresses the sender can receive at by submission-time authentication'03:28
ScottKI'm continually stunned at how shallow people's understanding of these technologies they are deploying is.03:29
lifelessScottK: where they are wrong, we disable DKIM for that domain again.03:29
ScottKlifeless: To the extent you know.03:29
lifelessScottK: that is also a limitation on gpg03:29
ScottKLess so.03:29
lifelessScottK: I don't see that it is knowable in either case.03:29
lifelessand in both cases, when we have reason to doubt, we can disable it.03:30
ScottKSo let's say you go down this path ....03:30
ScottKI'm kitterman.com and I want you to trust my DKIM signature.  How do I sign up?03:30
ScottKAre you going to allow anyone to play that makes the correct assertions or is this just for the big boys?03:31
lifelessfirst cut, let's say there is a DKIM page on dev.launchpad.net, it could say 'file a ticket in answers'03:31
lifelessScottK: Myself, I'd let anyone that comes along, makes [minor] personal contact and asserts that they do the right thing.03:31
ScottKSo there is an admin cost here.03:32
lifelessand have a CHR accessible list to enable/disable folk03:32
lifelessScottK: as a start03:32
lifelessScottK: if it works well, make signup straight forward, with admins to disable and re-enable disabled domains.03:32
ScottKThen there's the case of a provider (like say yahoo.com) that doesn't really care about LP and DKIM, but may have a small fraction of their users that do.03:32
lifelessbut that's more up front dev when we don't know if it will be a) popular b) work well c) not be a screaming mess03:32
pooliemm03:33
lifelessScottK: so, if we believe they dtrt (e.g. by testing ourselves), we could turn it on.03:33
ScottKYou won't get a Yahoo dev filing tickets on launchpad.03:33
lifelessScottK: or we could say 'really please tell us' - and I'm positive we can track the right person at yahoo down.03:33
poolieso this doesn't seem that different in principle from a mail domain that allows any user to read any other user's mailbox03:33
ScottKpoolie: Except it's a lot more common.03:34
poolieexactly03:34
ScottKHistorically "is an authorized user" was enough of a check.03:34
pooliewell03:34
poolieprobably signing messages at all is still uncommon03:34
lifelesscommercial domain providers have a vested interest in avoiding forgery sent through their servers03:34
pooliei don't know what fraction of deployed instances are broken03:34
pooliebut i should probably believe you if you say it's high03:35
ScottKNow you also want people to check is an authorized user of the MTA and that they are using an identity they are authorized to use.03:35
lifelesshome and small business less so, because its not representing multiple entities03:35
lifelessISP's may be a very grey area.03:35
poolieone would think that isps probably block outgoing forgeries03:35
pooliebut probably not all do03:35
ScottKPart of the problem was that before email authentication, there was very little value in doing cross-user forgery, so it doesn't happen much.03:36
ScottKAs soon as DKIM or SPF pass starts to mean something, then it's an attack that has value.03:36
poolieso how about deploying this and not trusting the results, just logging them03:36
poolieright03:36
pooliebut it's an attack that can potentially be fixed reasonably easily03:36
mwhudsoni thought the main thrust of this work was aimed at a particular domain that starts with 'g'03:36
ScottKIf you're in a position to know about it.03:37
poolieyeah, and that's the other thing03:37
pooliewhitelisting about 5 domains will help a lot of people03:37
lifelessmwhudson: its a particular provider that we know does DKIM, and supplies some vast fraction of LP user account email addresses03:37
mwhudsonlifeless: right03:37
pooliethen we can consider kitterman.com etc case by case03:37
lifelessmwhudson: but its not the only very popular one ;)03:37
ScottKpoolie: I'd also consider SPF pass for a domain the same as a DKIM signature.03:38
poolieand the largest senders are probably reasonably likely to get it right03:38
ScottKEventually.03:38
mwhudsonlifeless: it's by far the most popular though03:38
poolieSPF is an interesting thought experiment03:38
mwhudsoni guess there's the apps-for-domains issue too, that kind of messes things up03:38
pooliemwhudson, do you mean mwhudson.com being hosted by google?03:39
ScottKpoolie: Fundamentally a DKIM signature just tells you that the message passed through an MTA authorized by the domain owner and that it hasn't been modified in transit.03:39
mwhudsonpoolie: right03:39
pooliethis can be accommodated by dkim, but it's not done at the moment03:39
ScottKSPF tells you the first part, but not the second.03:39
ScottKIn transit modification is not a major risk on direct point to point transmissions.03:40
pooliethere's another difference which is that dkim seems just easier to implement later in the pipeline03:40
pooliewhen we're examining a queued mail03:40
lifelessmwhudson: yes, I want apps-for-domains too03:40
poolieperhaps not substantially, but parsing the headers to work out when it went into our trusted network seems a bit messy03:40
ScottKYou'd want to implement SPF checking in the border MTA and then consume with the SPF Received or Authentication-Results header later.03:40
poolieright03:40
ScottKSpamassassin does this quite well.03:41
poolieso in principle, if i sent mail direct from my ip to launchpad i think it would be ok to trust it for, say, voting on merge proposals03:41
ScottKIt's far more reliable than trying to grovel the connecting IP address out of the Received headers later.03:41
poolieby analogy i would be pretty happy to do that over http and it's just a bug that's not supported at the moment03:41
poolienow eventually you could say there are some operations which should require really strong authentication03:42
pooliebut i think that's a different issue03:42
wgrantMerging code is not something that requires strong authentication?03:42
lifelesswgrant: voting != setting merge proposal status03:43
pooliewell, to be pedantic, i said voting03:43
wgrantTrue.03:43
wgrantBut that's meant to change.03:43
lifelesswgrant: voting is an input into someone setting the proposal status, and I'd want strong auth for making something mergeable, but not for rejecting/needs-fixing etc03:43
pooliebut, what level of trust is needed to merge code?03:43
wgrantAlthough it was apparently vetoed for reasons that are not completely obvious to me.03:43
poolienot to put words in his mouth, but elmo commented on this that the current authentication is not unimpeachably high03:44
wgrantNo, the current authentication is crap.03:44
wgrantDoesn't mean we need to pull it down further.03:44
pooliein that people have long-lived sessions or stored passwords on their laptop, etc03:44
lifelessso, how much? enough that *something* the user knows must be used.03:44
lifelessor *has*03:44
pooliewgrant, if i have a strongly authenticated connection to gmail03:45
pooliei think i'd be happy to proxy that trust through to launchpad03:45
pooliethere is a chain there03:46
ScottKpoolie: You would also do well to support opportunistic TLS on your MX as well.  That can be useful too.03:48
poolieon launchpad's incoming mx?03:48
ScottKThat helps reduce in transit visibility.03:48
ScottKYes.03:48
pooliethat would be nice03:48
ScottKi.e. mx.canonical.com.03:49
ScottKI just checked and you don't.03:49
lifelessis it trivial ?03:49
ScottKYes.03:49
ScottKAt least in postfix.03:49
ScottKIf you start trying to do certificate verification, it gets hard.03:49
ScottKBut that's overkill.03:50
ScottK(most MTA TLS certs are self-signed anyway)03:50
ScottKThat would be a relatively easy win for increasing the reliability of the trust path.03:50
ScottKhttps://docs.google.com/viewer?url=http://www.bits.org/downloads/Publications%2520Page/BITSSecureEmailFINALAPRIL1507.pdf is germane.03:51
ScottK(that's the US financial industry best practices document for this area)03:52
poolieok, so, thanks very much for the background on this03:52
pooliei was reading wg mail threads03:52
poolieand people do seem to be of at least two minds03:53
poolieso03:53
pooliei would like to continue to push this patch for inclusion03:54
pooliewith the addition of a whitelist of domains where it's acceptable03:54
poolieso we fix the big N03:54
poolieand we can at least log and see how many pass or fail and why03:54
pooliei should do some real work now :)03:55
ScottKpoolie: OK.  I'd also encourage you to consider using SPF similarly.  It's more widely deployed and should be pretty reliable for your use case.03:56
poolieok03:56
pooliethanks very much for the feedback03:56
pooliealthough it violates my cherished preconceptions i appreciate it :)03:57
ScottKIt's also well supported in Ubuntu.  I made sure.03:57
ScottKCertainly.03:57
pooliei might file a bug about opportunistic incoming tls03:57
ScottKSPF is clearly a gross hack, but it's a useful one.03:57
ScottKpoolie: One other thing, the bug you filed on python-dkim, would you please include message samples that demonstrate the problem.03:58
poolieok03:59
pooliemy launchpad mp demonstrates the problem in its tests03:59
pooliethere are no real tests in dkim.py03:59
pooliei will separate an example out03:59
ScottKThanks.04:00
poolieok, https://bugs.edge.launchpad.net/launchpad/+bug/588105 additional comments welcome04:01
mupBug #588105: launchpad incoming mx.canonical.com should support opportunistic TLS <Launchpad itself:New> <https://launchpad.net/bugs/588105>04:01
pooliein a way it's good it's non-canonical staff doing the security review of it04:02
poolies/it/this04:02
=== almaisan-away is now known as al-maisan
adeuringgood morning08:18
deryckMorning, all.11:01
=== matsubara-afk is now known as matsubara
=== Ursinha_ is now known as Ursinha
=== NCommand1r is now known as mcasadevall
deryckgmb, concerning bug 570222.... if you cannot reproduce and gary_poster says a 2.6 builder is coming, perhaps we should wait and see when the builder gets going?14:06
mupBug #570222: checkwatches blows up when using XML-RPC on Python 2.6 <story-reliable-bug-syncing> <Launchpad Bugs:In Progress by gmb> <https://launchpad.net/bugs/570222>14:06
gmbderyck, Yeah, I think that's a good plan. Also, this is another one in the 'record-which-bugtrackers-have-plugins/api' column; knowing which bug trackers to test against (other than gnome-bugs) would have made this a lot easier to work on.14:08
deryckgmb, yeah, good point.  We don't have an open bug about that yet do we?14:09
gary_posterderyck, gmb, it is RT 39005 FWIW14:09
gmbderyck, Don't know; I'll check14:09
gmbgary_poster, Thanks14:09
gary_posternp14:10
gmbderyck, Filed as 58828714:15
gmbbug 588287, that is...14:15
mupBug #588287: Launchpad should record which bugtrackers have plugins / api <bugwatch> <Launchpad Bugs:Triaged> <https://launchpad.net/bugs/588287>14:15
deryckgmb, great.  Thanks, man!14:16
maxbthumper: (repeat question from yesterday) Hi, now that QA's done, do you want to remove my ~vcs-imports membership pending a ratification of it being ready for community members, or am I clear to actually review imports?14:27
=== henninge_ is now known as henninge
=== mcasadevall is now known as NCommander
gmbderyck, What's dhrb?14:46
deryckgmb, deryck-hodge-real-bug :-)14:47
gmbderyck, Nice.14:47
deryckgmb, just a shorthand for a quick-hit bugs list.  Something better than the gobby doc.14:47
marsjml, ping, have some time for a question or two about subunit in the test infrastructure, and bug 587886?15:14
mupBug #587886: ec2 test mail reports SUCCESS when the suite fails <build-infrastructure> <Launchpad Foundations:Triaged by mars> <https://launchpad.net/bugs/587886>15:14
jmlmars, sure, I have just a little time15:15
marsjml, mumble?15:15
jmlmars, I'm not set up for that right now, sorry15:15
jmlmars, IRC though.15:15
marsjml, ok15:15
=== deryck is now known as deryck[lunch]
=== Ursinha is now known as Ursinha-lunch
=== gary_poster is now known as gary-lunch
=== deryck[lunch] is now known as deryck
marsrockstar or abentley, ping17:15
rockstarmars, hi17:15
=== salgado is now known as salgado-lunch
marshi rockstar17:16
marsrockstar, I have a hung ec2 windmill test here, and there is a coincidental intermittent failure in test_branchcollection, and also a hang in the branch-related windmill tests17:17
marsrockstar, here, I'll post the log17:17
marsrockstar, check the end of this log: http://pastebin.ubuntu.com/442864/17:17
rockstarmars, I think I've seen the branchcollection failure before, but I thought that got fixed.17:17
marsrockstar, ok, may be a stale branch doing it?17:18
rockstarmars, no idea.  I'm not sure what I'm supposed to discern from this though.17:18
marsrockstar, actually, hold on a minute or two, the other two instances have hung as well - need to see if it is the same test that died17:20
rockstarmars, truthfully, if I were looking into the ec2 hangs, I'd look at the differences between the buildbot instances (where we don't have the hang) and our ec2 test instances.17:21
marsrockstar, true, haven't thought of that.  I'm tackling it from this perspective since I have also been messing around with the test_on_merge.py code17:22
rockstarmars, okay.17:22
maxbhttps://bugs.edge.launchpad.net/launchpad-code/+bug/327126, linked from https://dev.launchpad.net/ReviewingCodeImports, is private. I wonder if someone could assess whether it needs to be private?17:27
marsrockstar, ok, looks like that intermittent test failure may not be the source.  The other branch hung for some other reason.17:28
rockstarmars, cool.17:28
marsrockstar, and the third branch passed everything just fine :/17:28
rockstarmars, yeah, ec2 is becoming less and less reliable.17:28
=== matsubara is now known as matsubara-lunch
marsHA!17:36
marsFile "/var/launchpad/tmp/eggs/zope.testing-3.9.4-py2.5.egg/zope/testing/testrunner/runner.py", line 587, in resume_tests17:37
mars    time.sleep(0.01) # Keep the loop from being too tight.17:37
marsTypeError: unbound method exit_with_atexit_handlers() must be called with TwistedLayer instance as first argument (got int instance instead)17:37
marsI have no idea what that error means yet17:37
marsbut I managed to capture it when killing off the hung ec2 testrunner.17:38
marsrockstar, this is frustrating because I can see what is failing: I am getting a partial traceback on the console.  But the rest of the traceback is being held by the subprocess and Python buffers, so killing the process wipes those buffers out.17:42
rockstarmars, so there's a twisted issue?  I'm not very good at debugging Twisted stuff, but I bet jml is.  :)17:44
rockstar(He knows a little bit about Twisted)17:44
marsrockstar, might be twisted.  Looking at the log, that may just be an error with the process shutdown, and unrelated to the original suite hang.17:45
rockstarmars, maybe, but maybe if you fix that, you'll get a better traceback.17:46
=== gary-lunch is now known as gary_poster
mthaddonmaxb: howdy - have a few moments to talk about lucid launchpad-dependencies?18:09
maxbsure18:09
mthaddonmaxb: so it seems the only package we're missing is spidermonkey-bin, which I've been told is in the xulrunner source package in the PPA?18:09
maxberm... define missing?18:10
mthaddon(missing from stock lucid, that is, if you ignore python2.5)18:10
maxboh, right18:10
maxbyes18:10
maxberm, and postgres-8.318:10
mthaddonmaxb: but there's a xulrunner package in stock lucid - so it doesn't include the spidermonkey-bin we need?18:10
maxbThat is correct18:10
mthaddonyeah, and if you change postgres 8.3 -> 8.418:10
mthaddonmaxb: ok, cool thx18:11
maxbThe ubuntu mozilla team chose to not package spidermonkey because of upstream's refusal to maintain a stable ABI18:11
mthaddonmaxb: I think that's all I need for now - I'll let you know if I need more info18:11
=== matsubara-lunch is now known as matsubara
=== salgado-lunch is now known as salgado
=== leonardr is now known as leonardr-afk
=== Ursinha-lunch is now known as Ursinha
=== sidnei_ is now known as sidnei
=== al-maisan is now known as almaisan-away
maxbwww.launchpad.net..... ewww :-)20:44
marsEdwinGrubbs or bac, quick question: how do I run the all-in-one JavaScript unit test suite?  Is there a wiki page with instructions?21:13
=== leonardr-afk is now known as leonardr
EdwinGrubbsmars:  ./bin/test -vv -t test_yuitests21:31
marsEdwinGrubbs, thanks21:32
EdwinGrubbsmars: look at lib/lp/registry/windmill/tests/test_yuitests.py    Each lib/lp/*/windmill directory needs one of these files to run tests found in lib/lp/*/javascript/tests21:34
=== matsubara is now known as matsubara-afk
thumpermaxb: still around?22:50
maxbhi22:53
maxb(thumper)22:56
thumpermaxb: I think you are fine to garden imports22:57
thumpermaxb: the permissions that are on edge will be on production within a day22:57
thumpermaxb: I see that you've already been doing some, so that's cool22:57
maxbI hit the retry button on all the ones that pear's glitch broke22:58
maxbA question that I had - when an import goes to Failed because the upstream server has gone away, should it then be set Invalid, to get it out of the Failed list?22:58
lifelessmaxb: disabled I should think23:03
maxbDo vcs imports have a disabled status?23:04
lifelessthey certainly used to :P23:04
lifelessflag, not status23:04
maxboh... 'suspend' ?23:07
=== salgado is now known as salgado-afk
maxbWould someone be able to review bug 327126 and see if it actually needs to be private?23:13
maxbIt is referenced on dev.lp.net/ReviewingCodeImports, but I can't access it23:13
mwhudsonmaxb: i'll subscribe you23:15
mwhudsonmaxb: done23:16
maxbthanks23:21
thumpermaxb: suspended seems reasonable I guess23:23
mwhudsonyes, i think suspended makes sense for the place to put imports we'll never want to look at again23:23

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!