[00:00] <wgrant> It should be on all pages relating to the project, really.
[00:00] <wgrant> But yes, particularly a big warning on the code pages.
[00:00] <sinzui> I could do as bugs has done (though correctly) to ensure apps do not work until someone enables them and state clearly who they represent
[00:00] <wgrant> But branches are useful regardless.
[00:01] <wgrant> They just need to be clearly unofficial.
[00:01] <sinzui> Since We have competing communities, I feel pretty powerless to make everyone happy.
[00:01] <sinzui> So the code team could make the code pages clear
[00:01] <wgrant> LP is the only project hosting site that I know of that requires placeholder registration. It needs to go out of its way to do it right.
[00:02] <sinzui> I know. I feel it is wrong that I am working on this
[00:03] <sinzui> I an need to go thought 100s (and I really wish that number was an exaggeration) of bugs in all the apps to see what services users are trying to enable or configure, how every step fails. And these bugs are ancient
[00:03] <wgrant> Launchpad already gives lots of projects enough reasons not to use it.
[00:04] <wgrant> Let's not get people angry with it before they even start using it.
[00:04] <sinzui> please help me then. where will people *see* this message?
[00:05] <wgrant> code.launchpad.net/gedit, at least.
[00:05] <sinzui> What is the message? what does it mean by not official?
[00:05] <wgrant> launchpad.net/gedit needs it to be obvious too.
[00:05] <wgrant> But ideally it should be in the header.
[00:05] <sinzui> Those are code teams pages
[00:05] <wgrant> Yes, and this is a Launchpad-wide problem.
[00:05] <poolie> it seems reasonable to me to show a header across all those pages saying "gedit's real home page is at http://blah (tell me more)"
[00:06] <wgrant> Right, something like that.
[00:06] <wgrant> And the name in the header could be something like "gedit in Launchpad"
[00:06] <wgrant> With poolie's suggestion.
[00:06] <wgrant> To indicate that this isn't really it.
[00:07] <wgrant> But, well, this is probably why we have UI designers.
[00:07] <sinzui> AI approved the reuse of the Involvement portlet so that code was always used. I could put text back on the overview page, but where? what message? The user is trying to take an action and I do not know where he is looking on to inform him this project officially uses lp hosting
[00:08] <poolie> sinzui, i think probably every page under that project
[00:08] <wgrant> On every page, yes, but probably also an obvious warning in an extra portlet at the top of the project index.
[00:08] <poolie> also the "tell me more" gives us a chance to explain
[00:08] <poolie> why we have this page here at all
[00:08] <poolie> and what you can do with it
[00:08] <sinzui> Actually, I think the issue is really about the reverse situation as you suggested. The page should state *where the code is officially hosted*. This is the same stupid problem with bugs, where I can tell Lp where bugs are tracked, but LP will never tell anyone else what I said
[00:09] <wgrant> This sound related to the "let me point the app tabs to other URLs" suggestion that pops up every so often.
[00:09] <sinzui> The home page is a poor argument. Lp does not want to host any project's home page. There are all hosted some where else.
[00:11] <poolie> s/home page/official site
[00:11] <sinzui> wgrant, I think it is. I think for example I can have two community doing support. With using Lp Answers, and the upstream community using a mailing list. For the good off all other users/communities, Lp should state the situation and the someone make a choice
[00:11] <poolie> ah
[00:12] <wgrant> sinzui: Who is someone?
[00:12] <poolie> it's a bit like the way facebook has pages about people who don't use facebook
[00:12] <poolie> famous people at least
[00:12] <poolie> some find it a bit creepy
[00:12] <sinzui> I should be able to choose how I want support and the community I contact
[00:12] <poolie> they may be doing better than launchpad at at least making it clear the actual person isn't there
[00:13] <wgrant> sinzui: The user shouldn't able to; the project owner should.
[00:14] <sinzui> I am not sure any owner has more authority than any other community.
[00:14] <wgrant> The owner must be able to tell Launchpad what to do.
[00:15] <sinzui> poolie, I do believe no service should be enabled until someone states they are using it.
[00:16] <poolie> it depends what you mean
[00:16] <sinzui> So I cannot use answers to support a project? Why can I not have Lp branches because a project uses gnome git?
[00:17] <poolie> ah
[00:17] <poolie> i think we should just make the context clear
[00:17] <wgrant> sinzui: You can't use Answers to support a project if you are some random, no.
[00:17] <sinzui> I do not think there is a on/off. There is several states (hence my suggestion of an enum) that allows Lp to help multiple communities share projects
[00:18] <sinzui> Well I can be an answer contact for any project
[00:20] <wgrant> You can't be.
[00:20] <wgrant> LP exists to serve the project.
[00:20] <sinzui> No it does not
[00:20] <wgrant> If the project's owners do not want LP to do something, it should not do it.
[00:20] <sinzui> that is a common mist conception. Lp could never host all the project that produce code that make up Ubuntu
[00:21] <sinzui> Lp exists to help communities share information, and to lower the barrier of controbution
[00:22] <jelmer> wgrant: Why is it an issue for Launchpad but not for e.g. sites like ohloh that also just track projects?
[00:22] <wgrant> jelmer: Does Ohloh provide services like this?
[00:23] <sinzui> GNOME should not need to require zeitgeist to abandon Lp merge proposals. GNOME should be happy to know that Lp can help them with their own project dependencies. Lp should provide GNOME with excellent data about bugs and fixes.
[00:23] <jelmer> wgrant: yes, it allows users to post reviews of projects as well as mirroring the downloads for projects, project description, vcs locations
[00:23] <wgrant> jelmer: It allows one to link to external download pages, and just displays the real VCS location. That sounds reasonable enough.
[00:24] <wgrant> And presumably the owner can tell it not to link to an external download page.
[00:24] <sinzui> I would be happier if it were easier to see real VCS information. I have more than a 1000 projects that need love
[00:24] <wgrant> Whereas they can't tell Launchpad to not accept questions from people.
[00:26] <jelmer> wgrant: I think the main problem is the perception that Launchpad is a project-endorsed resource
[00:26] <wgrant> jelmer: Right.
[00:27] <wgrant> Ohloh exists solely as a secondary resource.
[00:27] <jelmer> right, and everybody regards it as that, wheras most people seem to think of Launchpad as a hosting site, not as a free software project tracker
[00:28] <wgrant> Well, most people think of Launchpad as the site that hosts Ubuntu.
[00:28] <jelmer> if we can make it clearer when a project is just tracked by lp and not hosted on lp I think this would be less of a problem.
[00:28] <wgrant> Exactly!
[00:29] <sinzui> It is bot binary though
[00:29] <sinzui> not
[00:29] <sinzui> a project can use git hub for hosting, but still use Lp MPs
[00:30] <wgrant> That's a very strange use case.
[00:30] <lifeless> or be on gnome.org and use mps :P
[00:30] <lifeless> wgrant: not at all
[00:30] <wgrant> lifeless' case sounds more reasonable.
[00:31] <lifeless> folk are doing it in fact
[00:31] <wgrant> But I guess they are similar.
[00:31] <maxb> thumper: hi
[00:31] <wgrant> If a little concerning.
[00:31] <thumper> maxb: hi
[00:31] <thumper> maxb: I've updated the vcs-imports celeb permissions
[00:32] <thumper> maxb: are you interested in helping qa?
[00:32] <thumper> maxb: I could add you to the team, and you could make sure you can't do non-import related bits
[00:32] <thumper> maxb: as long as you don't use production :)
[00:32] <maxb> heh
[00:33] <maxb> did you want to do it now? i can grab a computer
[00:34] <maxb> (i'm on an android phone at prrsent)
[00:34] <jelmer> sinzui: btw, the "Configure project branch" link is really nice
[00:34] <thumper> jelmer, sinzui: my frustration with that is that it isn't used consistently
[00:35] <thumper> maxb: I could add you to the team and you could look tomorrow if you like
[00:35] <jelmer> sinzui: it saves quite a few roundtrips when registering a new upstream project
[00:35] <thumper> although I tried to import a subversion branch as a bazaar branch by mistake
[00:36] <jelmer> thumper: there  being multiple forms for setting up a project branch you mean?
[00:36]  * thumper nods
[00:36] <thumper> I'd like to take the guts of that same page and have a single page for registering a new branch
[00:37] <maxb> thumper: i can have a quick look now and explore more exhaustively tomorrow
[00:37] <thumper> it also doesn't use the same permissions / widget checks as the official import page
[00:37] <maxb> laptop is booting
[00:39] <jelmer> thumper: we also have all the infrastructure to just detect what type of vcs is present at a remote URL, it'd be nice to simplify the UI
[00:39] <thumper> jelmer: that would be nice
[00:40] <thumper> maxb: you should be in the team now
[00:42] <maxb> IIRC the key things to look at were the new-project workflow, and the code import machines.
[00:42] <thumper> something like that
[00:43] <thumper> maxb: actually I should have just added you on staging :)
[00:43] <thumper> maxb: as you could at least try to tweak the machine settings there
[00:44] <thumper> maxb: you are now in the vcs-imports team on staging
[00:44]  * thumper checks that the right revno is on staging
[00:45] <thumper> maxb: staging should be good to play with
[00:45] <thumper> maxb: you can try anything there :)
[00:48] <maxb> or rather, on staging I can't try to tweak the machine settings, so I infer your branches have landed there already
[00:49] <maxb> It all looks as expected - the one thing I haven't done yet is verify that I don't have any boxes I shouldn't in the new project workflow
[00:55] <maxb> and I've now done that on staging
[00:57] <maxb> Modulo the essential trickyness of QA-ing a negative, I'd say it's all fine
[00:59] <maxb> Erm, pear's /home/importd/.bazaar/subversion.conf is apparently broken: http://launchpadlibrarian.net/49455906/maxb-guice-trunk.log
[01:00] <maxb> the same failure is apparent in other branches when imported on pear
[01:00] <wgrant> Yeah, it does that sometimes.
[01:00] <wgrant> Happens sometimes with concurrent bzr-svn imports.
[01:04] <maxb> Do we need act-of-losa to get it fixed?
[01:04] <mwhudson> yes
[01:09] <maxb> thumper: OK, I'd say QA complete - did you want to deactivate me from ~vcs-imports pending an official ratification of it being ready for community members, or shall I start reviewing imports from time to time?
[01:40] <lifeless> maxb: if you're on staging, then you're not activated on prod anyway
[01:43] <thumper> lifeless: I added him on prod too :)
[02:29] <poolie> hey
[02:29] <ScottK> Hello
[02:30] <poolie> first off, thanks for commenting
[02:30] <ScottK> BTW, it would be nice if non-developers could subscribe to LP wiki pages.
[02:30] <poolie> there had been a bit of silence aside from vague 'that sounds nice'
[02:30] <poolie> ah is this the 'action not allowed'?
[02:30] <poolie> that's a bug
[02:30] <thumper> lifeless: did you end up testing those merge proposal changes you did early in the cycle?
[02:30] <ScottK> poolie: Yes.  action not allowed.
[02:30] <thumper> lifeless: I'd just like to sign off the qa
[02:30]  * poolie looks
[02:31] <poolie> scottk, https://bugs.launchpad.net/bugs/586601 has a workaround too
[02:31] <ScottK> poolie: In any case, what I read in the bug and the wiki page is very concerning.
[02:31] <mup> Bug #586601: dev wiki toolbar has 'subscribe user' but not plain 'subscribe' <Launchpad Development Wiki Moin theme:New> <https://launchpad.net/bugs/586601>
[02:31] <ScottK> OK.  Thanks.
[02:32] <poolie> so
[02:32] <ScottK> Subscribed now.  Thanks.
[02:32] <thumper> poolie: https://lp-oops.canonical.com/oops.py/?oopsid=1612BM1
[02:33] <thumper> poolie: that is (one of) the branch mail job that had memory issues
[02:33] <ScottK> Also, I'm somewhat laggy at the moment, so if I don't reply, it's not because I'm ignoring you.
[02:33] <thumper> poolie: it is the kernel
[02:33] <thumper> poolie: lp:~vcs-imports/linux/trunk
[02:33] <poolie> scottk, let's try to unpack "to mean anything positive"
[02:34] <poolie> i don't assume it means the user specifically authenticated that message
[02:34] <poolie> in the sense that typing a gpg passphrase could mean "yes really"
[02:34] <ScottK> If you allow the message to do anything that requires authentication, you have.
[02:34] <poolie> i do think it means we can be incrementally more sure that the message comes from who it claims to come from
[02:34] <poolie> would you agree?
[02:34] <ScottK> No.
[02:35] <ScottK> It means you can be sure it came from the domain it purports to come from, but it tells you nothing about the user.
[02:35] <lifeless> thumper: sign off on it
[02:35] <thumper> lifeless: ok
[02:35] <lifeless> thumper: it doesn't matter if its right or wrong, until we do the other things you wanted, we're not using the queue stuff anyhow
[02:35] <lifeless> thumper: at your request :)
[02:35]  * thumper nods
[02:35] <thumper> :)
[02:36] <ScottK> The only way to believe it says anything about the user is to believe in implementation details of proprietary webmail services that you really have no insight into and even if they actually do what you think, could change without warning.
[02:36] <poolie> no, nothing about this is specific to proprietary webmail
[02:36] <lifeless> thumper: that said, I'm entirely confident of my changes anyway, as they a) have tests and b) weren't at the UI layer.
[02:37] <thumper> lifeless: ok
[02:37] <poolie> ok, so are you talking about a case like this:
[02:37] <ScottK> poolie: Implementation details of the sender.  The ones mentioned are proprietary (mostly) webmail providers.
[02:37] <lifeless> thumper: its not in the risk sector for me
[02:37] <poolie> they're just examples
[02:37] <ScottK> OK.
[02:38] <poolie> anyhow, so a case like this: smtp.canonical.com lets employees connect over port 529 authenticate and send mail; but it doesn't check that the mail they send is from the user they authenticated as
[02:38] <ScottK> Right.  That's pretty typical.
[02:38] <poolie> therefore i can get a mail signed that claims to be from joe@canonical.com
[02:39] <ScottK> All you really know is that it passed through smtp.canonical.com and they signed it.
[02:39] <poolie> ok, interesting
[02:39] <ScottK> DKIM very explicitly makes no assurance that the From address is in any way valid or correct.
[02:39] <ScottK> Just that since the header is signed, it didn't get modified in transit.
[02:40] <poolie> hm
[02:40] <poolie> i understand that this is up to their local policy
[02:40] <poolie> it would be a bit weird for them to just sign all outgoing mail
[02:41] <poolie> but perhaps that really is a typical deployment
[02:41] <poolie> especially if it's just stuck in front of an existing server
[02:41] <ScottK> Now you may do a security analysis and determine that for some actions (maybe bug status), that is sufficient status.  The action is reversable and doesn't really hurt, but you have to recognize that you don't really know who sent the mail.
[02:41] <ScottK> Yes.
[02:41] <thumper> ScottK: I don't think we want to do that type of check
[02:41] <thumper> ScottK: in fact we do allow that for unsigned email
[02:41] <poolie> so there are hints in the rfc
[02:41] <thumper> ScottK: things like general comments
[02:42] <poolie> and i'll refrain from quoting it, but it does say that they would authenticate the submitter before signing it
[02:42] <ScottK> In fact, if you get a dkim signed mail d=kitterman.com and From scott@kitterman.com, I really did send it or I have a bad bug, but I've gone beyond what is typical and there's no way to know I've done it.
[02:42] <ScottK> Yes, but what does authenticate the sender mean?
[02:42] <ScottK> Typically it means that the sender is an authorized user of the MTA.
[02:42] <poolie> i assume that means username/password or similar authentication of the smtp submission
[02:42] <lifeless> thumper: we do ?!
[02:42] <ScottK> poolie: Yes.
[02:42] <thumper> lifeless: yes
[02:43] <lifeless> thumper: I get mail rejected when I try to do status changes without signing it..
[02:43] <thumper> commenting doesn't require signed email
[02:43] <thumper> lifeless: status changes do require signing
[02:43] <thumper> a plain comment doesn't
[02:43] <poolie> yes, as does filing a new bug
[02:44] <lifeless> thumper: so the thing you replied two was about bug status
[02:44] <lifeless> thumper: you can see my confusion
[02:44] <thumper> what I was referring to was: we already have a distinction
[02:44] <poolie> thumper, that oops would be good to file a bug about
[02:44] <thumper> between trusted and weakly authenticated
[02:45] <thumper> I don't think we want another in the middle
[02:45] <poolie> me either
[02:45] <poolie> the question here is whether dkim-signed mail can be treated as 'adequately authenticated'
[02:45] <poolie> for things like changing bug statuses etc
[02:46] <thumper> well...
[02:46] <poolie> if there are a non-negligible number of domains that will sign any mail sent through them
[02:46] <poolie> then it may not wokr
[02:47] <thumper> I can set up any number of identites with fastmail
[02:47] <thumper> will it sign all of them?
[02:47] <ScottK> So you can see the concern I expressed in the bug?
[02:47] <poolie> the question is will fastmail let me send mail that pretends to be tim?
[02:47] <poolie> that would be pretty damn weird if it did
[02:47] <poolie> ScottK, is that the only concern?
[02:47] <ScottK> That's the most important one.
[02:48] <thumper> that is the sort of answer we should get before enabling it
[02:48] <poolie> so we could have a whitelist
[02:48] <ScottK> I think an implementation that depends on polling commercial email services and asking the internals of their implementation details is not a really great idea.
[02:49] <poolie> or we could get this from adsp, though i haven't looked into that much
[02:49] <poolie> why do you say 'internals'?
[02:49] <poolie> it doesn't really matter how it's implemented
[02:49] <ScottK> You need to know if they allow cross user forgery.
[02:49] <poolie> right
[02:49] <ScottK> That restriction is an internal implementation issue for them.
[02:49] <ScottK> There's no protocol basis for discovering it.
[02:50] <ScottK> I can tell you from experience with SPF and DKIM deployments that senders routinely deploy this stuff and barely understand it.
[02:50] <poolie> if somebody decided to turn on dkim signing in ubuntu, would it be likely to allow cross-user forgery?
[02:51] <ScottK> Currently Ubuntu developers have the ability to send mail through fiordland at least to Launchpad.  I don't know what checks they have in place.
[02:52] <ScottK> At least you've got the data in Launchpad accounts to know what users should use what email addresses, but how you link that up to an SMTP time user authentication, I'm not sure.
[02:52] <poolie> i think you have a really good point that this will probably be deployed badly
[02:52] <poolie> but ... if cross-
[02:52] <poolie> cross-user forgery is common, it seems to substantially defeat the point of dkim
[02:52] <ScottK> It depends.
[02:52] <poolie> for example they talk a lot about showing a signed From address to the user as authentic
[02:52] <poolie> or trustwotrhy
[02:52] <spiv> In the case of webmail providers, you arguably need to know if they have if they have CSRF flaws etc.  Or more simply you need to know the user hasn't leaked their password accidentally... you can't require absolute trust, because nothing is absolutely trustworthy.
[02:53] <ScottK> The more common use is to use the d= domain as an input token to a reputation system.
[02:53] <ScottK> So over time you can measure which domains tend to send good mail and which one tend to send bad mail so you can treat them differently.
[02:53] <wgrant> spiv: But if you can't trust the webmail providers, they can already reset your Launchpad password.
[02:54] <ScottK> In that case, you don't really care about cross-user forgery.
[02:54] <ScottK> You only really care if you try to believe the from address is somehow validated.
[02:54] <ScottK> It may be, it may not, but it's no part of DKIM to say.
[02:54] <poolie> ah
[02:55] <ScottK> All DKIM can tell you about the from address is it wasn't altered in transit.
[02:57] <ScottK> It was, in fact, contentious in the working group whether or not to require from be signed.
[02:57] <ScottK> For this exact reason, people would read too much into it.
[02:57] <poolie> i see it is required
[02:57] <ScottK> In the end, it's required to be signed only because it's a required part of the message body.
[02:58] <ScottK> The fact that it's signed, is helpful for the policy component, ADSP, that was developed after the base DKIM signing spec.
[02:58] <poolie> proposition: a signature by kitterman.com on "From: scott@kitterman.com" indicates kittermain.com asserts this message is from scott@kitterman.com
[02:58] <poolie> you don't think that's true?
[02:58] <ScottK> No.
[02:58] <ScottK> It asserts it's signed by kitterman.com and kitterman.com takes responsibility for it.
[02:59] <ScottK> If it verifies, you can also trust the signed parts of the message were not modified in transit.
[03:02] <poolie> but "takes responsibility for it" only in the sense of "takes responsibility for it not being spam" not "takes responsibility for it not being forged"?
[03:05] <ScottK> Takes responsibility so that you can blame it (in a reputation sense) if it's "bad".
[03:06] <poolie> ok, so i see your point
[03:06] <poolie> but the rfc really does seem to allude to a larger scope than that
[03:06] <ScottK> It is of two minds about it.
[03:06] <poolie> mm, i understand it may be contentious
[03:07] <ScottK> In the end, that's all it really does, but there are lots of entities that want to use the DKIM domain as an input to secret sauce reputation systems.
[03:07] <poolie> there are specific examples saying that a from field signed by the relevant domain may be trusted
[03:07] <poolie> it may be the deployment is so bad this doesn't work
[03:07] <poolie> which would be kind of sad considering how long this has been in coming and how new it now is
[03:13] <ScottK> I think for applications where domain level information is sufficient, it has a lot of potential.
[03:13] <poolie> ok
[03:13] <ScottK> Unfortunately, in the LP case, you need more granularity than it can provide.
[03:13] <lifeless> can't they sign the From: field?
[03:14] <wgrant> The difficulty is that most implementations do not verify that the authenticated sender is authorized to send using a particular address.
[03:14] <poolie> well, citation needed for 'most'
[03:15] <poolie> but it's certainly possible some don't
[03:15] <wgrant> The common documented Ubuntu setups don't.
[03:15] <lifeless> wgrant: do they claim that they do though?
[03:15] <ScottK> lifeless: Signing From just means it wasn't modified in transit.
[03:15] <wgrant> lifeless: How do we tell?
[03:16] <lifeless> wgrant: is From signed, no ?
[03:16] <wgrant> lifeless: Heh, no.
[03:16] <ScottK> Actually you can't actually tell if they claim it's valid.
[03:16] <lifeless> lets assume we could tell, what header would we use in launchpad to associate the mail with the account
[03:19] <lifeless> ?
[03:19] <ScottK> If you're talking DKIM, you're talking body From.
[03:19] <ScottK> DKIM is silent on envelope identities.
[03:20] <lifeless> and do servers routinely sign body From without sender verification ?
[03:20] <ScottK> There's no requirement in the RFC for it.
[03:20] <ScottK> Or to put it slightly differently ....
[03:21] <ScottK> The senders are verified, but generally they are verified to be authorized users of the MTA, not generally that they are specificaly authorized to use the From they are using.
[03:21] <lifeless> are they able to sign the mail as being from their domain *without* signing body From ?
[03:21] <ScottK> No.  Signing from is required because it's a mandatory part of the message.
[03:21] <lifeless> ok
[03:21] <lifeless> so we're screwed
[03:22] <poolie> well
[03:22] <ScottK> I think DKIM verification is not suitable for applications where you need to have some assurance that you have mail from a specific user.
[03:22] <lifeless> anyone doing DKIM as a 'this isn't spam' effort is indistinguishable from someone doing DKIM with user granularity
[03:22] <wgrant> Well, someone could define another standard for a signed header that verifies From. But surely such a thing already exists.
[03:22] <ScottK> The D in DKIM stands for Domain for a reason.
[03:22] <lifeless> ScottK: some domains may be good enough to use
[03:22] <ScottK> wgrant: Yes, for this application you use GPG or S/MIME.
[03:22] <poolie> i thought this was part of the point of DKIM beyond SPF
[03:22] <poolie> well
[03:22] <ScottK> lifeless: How would you know?
[03:22] <poolie> given there is an exposure
[03:23] <lifeless> ScottK: we could ask them
[03:23] <poolie> does this actually matter
[03:23] <lifeless> ScottK: they could tell us
[03:23] <poolie> how many important users send mail from servers that allow spoofing
[03:23] <ScottK> lifeless: My experience is a lot of providers wouldn't give you an answer you can rely on.
[03:23] <poolie> and how bad is it if their mail is spoofed
[03:23] <poolie> one could already cause a lot of trouble by forging unsigned mail
[03:24] <wgrant> Status changes are reasonably trusted at the moment.
[03:24] <wgrant> And used for workflow things in Ubuntu.
[03:24] <ScottK> poolie: I don't think DKIM 'goes beyond' SPF, it tells you a similar thing about a different identity.
[03:25] <ScottK> If you have a message where Mail From and From are the same (this is the 80% case) then an SPF pass and a valid DKIM signature tell you about the same thing.
[03:25] <ScottK> The difference between what they tell you is for most purposes not important.
[03:27] <lifeless> wgrant: so, if we turned on DKIM for providers that say 'we do per-user authentication on our submission port'
[03:28] <lifeless> wgrant: would that really decrease the workflow trust?
[03:28] <ScottK> lifeless: You need to be very careful and specific about how you ask that question.
[03:28] <lifeless> ScottK: agreed
[03:28] <ScottK> Also I'm reasonably certain a significant fraction of the Yes answers you get would be wrong somehow.
[03:28] <lifeless> ScottK: 'the body from header in mail from our servers is restricted to addresses the sender can receive at by submission-time authentication'
[03:29] <ScottK> I'm continually stunned at how shallow people's understanding of these technologies they are deploying is.
[03:29] <lifeless> ScottK: where they are wrong, we disable DKIM for that domain again.
[03:29] <ScottK> lifeless: To the extent you know.
[03:29] <lifeless> ScottK: that is also a limitation on gpg
[03:29] <ScottK> Less so.
[03:29] <lifeless> ScottK: I don't see that it is knowable in either case.
[03:30] <lifeless> and in both cases, when we have reason to doubt, we can disable it.
[03:30] <ScottK> So let's say you go down this path ....
[03:30] <ScottK> I'm kitterman.com and I want you to trust my DKIM signature.  How do I sign up?
[03:31] <ScottK> Are you going to allow anyone to play that makes the correct assertions or is this just for the big boys?
[03:31] <lifeless> first cut, lets say there is a DKIM page on dev.launchpad.net, it could say 'file a ticket in answers'
[03:31] <lifeless> ScottK: Myself, I'd let anyone that comes along, makes [minor] personal contact and asserts that they do the right thing.
[03:32] <ScottK> So there is an admin cost here.
[03:32] <lifeless> and have a CHR accessible list to enable.disable folk
[03:32] <lifeless> ScottK: as a start
[03:32] <lifeless> ScottK: if it works well, make signup straight forward, with admins to disable and re-enable disabled domains.
[03:32] <ScottK> Then there's the case of a provider (like say yahoo.com) that doesn't really care about LP and DKIM, but may have a small fraction of their users that do.
[03:32] <lifeless> but thats more up front dev when we don't know if it will be a) popular b) work well c) not be a screaming mess
[03:33] <poolie> mm
[03:33] <lifeless> ScottK: so, if we believe they dtrt (e.g. by testing ourselves), we could turn it on.
[03:33] <ScottK> You won't get a Yahoo dev filing tickets on launchpad.
[03:33] <lifeless> ScottK: or we could say 'really please tell us' - and I'm positive we can track the right person at yahoo down.
[03:33] <poolie> so this doesn't seem that different in principle from a mail domain that allows any user to read any other user's mailbox
[03:34] <ScottK> poolie: Except it's a lot more common.
[03:34] <poolie> exactly
[03:34] <ScottK> Historically "is an authorized user" was enough of a check.
[03:34] <poolie> well
[03:34] <poolie> probably signing messages at all is still uncommon
[03:34] <lifeless> commercial domain providers have a vested interest in avoiding forgery sent through their servers
[03:34] <poolie> i don't know what fraction of deployed instances are borken
[03:35] <poolie> but i should probably believe you if you say it's high
[03:35] <ScottK> Now you also want people to check is an authorized user of the MTA and that they are using an identity they are authorized to use.
[03:35] <lifeless> home and small business less so, because its not representing multiple entities
[03:35] <lifeless> ISP's may be a very grey area.
[03:35] <poolie> one would think that isps probably block outgoing forgeries
[03:35] <poolie> but probably not all do
[03:36] <ScottK> Part of the problem was that before email authentication, there was very little value in doing cross-user forger, so it doesn't happen much.
[03:36] <ScottK> As soon as DKIM or SPF pass starts to mean something, then it's an attack that has value.
[03:36] <poolie> so how about deploying this and not trusting the results, just logging them
[03:36] <poolie> right
[03:36] <poolie> but it's an attack that can potentially be fixed reasonably easily
[03:36] <mwhudson> i thought the main thrust of this work was aimed at a particular domain that starts with 'g'
[03:37] <ScottK> If you're in a position to know about it.
[03:37] <poolie> yeah, and that's the other thing
[03:37] <poolie> whitelisting about 5 domains will help a lot of people
[03:37] <lifeless> mwhudson: its a particular provider that we know does DKIM, and supplies some vast fraction of LP user accoun email addresses
[03:37] <mwhudson> lifeless: right
[03:37] <poolie> then we can consider kitterman.com etc case by case
[03:37] <lifeless> mwhudson: but its not the only very popular one ;)
[03:38] <ScottK> poolie: I'd also consider SPF pass for a domain the same as a DKIM signature.
[03:38] <poolie> and the largest senders are probably reasonably likely to get it right
[03:38] <ScottK> Eventually.
[03:38] <mwhudson> lifeless: it's by far the most popular though
[03:38] <poolie> SPF is an interesting thought experiment
[03:38] <mwhudson> i guess there's the apps-for-domains issue too, that kinds of messes things
[03:39] <poolie> mwhudson, do you mean mwhudson.com being hosted by google?
[03:39] <ScottK> poolie: Fundamentally a DKIM signature just tells you that the message passed through an MTA authorized by the domain owner and that it hasn't been modified in transit.
[03:39] <mwhudson> poolie: right
[03:39] <poolie> this can be accommodated by dkim, but it's not done at the moment
[03:39] <ScottK> SPF tells you the first part, but not the second.
[03:40] <ScottK> In transit modification is not a major risk on direct point to point transmissions.
[03:40] <poolie> there's another difference which is that dkim seems just easier to implement later in the pipeline
[03:40] <poolie> when we're examining a queued mail
[03:40] <lifeless> mwhudson: yes, I want apps-for-domains too
[03:40] <poolie> perhaps not substantially, but parsing the headers to work out when it went into our trusted network seems a bit messy
[03:40] <ScottK> You'd want to implement SPF checking in the border MTA and then consume with the SPF recieved or Authentication Results header later.
[03:40] <poolie> right
[03:41] <ScottK> Spamassassin does this quite well.
[03:41] <poolie> so in principle, if i sent mail direct from my ip to launchpad i think it would be ok to trust it for, say, voting on merge proposals
[03:41] <ScottK> It's far more reliable than trying to grovel the connecting IP address out of the recieved headers later.
[03:41] <poolie> by analogy i would be pretty happy to do that over http and it's just a bug that's not supported at the moment
[03:42] <poolie> now eventually you could say there are some operations which should require really strong authentication
[03:42] <poolie> but i think that's a different issue
[03:42] <wgrant> Merging code is not something that requires strong authentication?
[03:43] <lifeless> wgrant: voting != setting merge proposal status
[03:43] <poolie> well, to be pedantic, i said voting
[03:43] <wgrant> True.
[03:43] <wgrant> But that's meant to change.
[03:43] <lifeless> wgrant: voting is an input into someone setting the proposal status, and I'd want strong auth for making something mergable, but not for rejecting/needs-fixing etc
[03:43] <poolie> but, what level of trust is needed to merge code?
[03:43] <wgrant> Although it was apparently vetoed for reasons that are not completely obvious to me.
[03:44] <poolie> not to put words in his mouth, but elmo commented on this that the current authentication is not unimpeachably high
[03:44] <wgrant> No, the current authentication is crap.
[03:44] <wgrant> Doesn't mean we need to pull it down further.
[03:44] <poolie> in that people have long-lived sessions or stored passwords on their laptop, etc
[03:44] <lifeless> so, how much? enough that *something* the user knows must be used.
[03:44] <lifeless> or *has*
[03:45] <poolie> wgrant, if i have a strongly authenticated connection to gmail
[03:45] <poolie> i think i'd be happy to proxy that trust through to launchpad
[03:46] <poolie> there is a chain there
[03:48] <ScottK> poolie: You would also do well to support opportunistic TLS on your MX as well.  That can be useful too.
[03:48] <poolie> on launchpad's incoming mx?
[03:48] <ScottK> That helps reduce in transit visibility.
[03:48] <ScottK> Yes.
[03:48] <poolie> that would be nice
[03:49] <ScottK> i.e. mx.canonical.com.
[03:49] <ScottK> I just checked and you don't.
[03:49] <lifeless> is it trivial ?
[03:49] <ScottK> Yes.
[03:49] <ScottK> At least in postfix.
[03:49] <ScottK> If you start trying to do certificate verification, it gets hard.
[03:50] <ScottK> But that's overkill.
[03:50] <ScottK> (most MTA TLS certs are self-signed anyway)
[03:50] <ScottK> That would be a relatively easy win for increasing the reliablity of the trust path.
[03:51] <ScottK> https://docs.google.com/viewer?url=http://www.bits.org/downloads/Publications%2520Page/BITSSecureEmailFINALAPRIL1507.pdf is germane.
[03:52] <ScottK> (that's the US financial industry best practices document for this area)
[03:52] <poolie> ok, so, thanks very much for the background on this
[03:52] <poolie> i was reading wg mail threads
[03:53] <poolie> and people do seem to be of at least two minds
[03:53] <poolie> so
[03:54] <poolie> i would like to continue to push this patch for inclusion
[03:54] <poolie> with the addition of a whitelist of domains where it's acceptable
[03:54] <poolie> so we fix the big N
[03:54] <poolie> and we can at least log and see how many pass or fail and why
[03:55] <poolie> i should do some real work now :)
[03:56] <ScottK> poolie: OK.  I'd also encourage you to consider using SPF similarly.  It's more widely deployed and should be pretty reliable for your use case.
[03:56] <poolie> ok
[03:56] <poolie> thanks very much for the feedback
[03:57] <poolie> although it violates my cherished preconceptions i appreciate it :)
[03:57] <ScottK> It's also well supported in Ubuntu.  I made sure.
[03:57] <ScottK> Certainly.
[03:57] <poolie> i might file a bug about opportunistic incoming tls
[03:57] <ScottK> SPF is clearly a gross hack, but it's a useful one.
[03:58] <ScottK> poolie: One other thing, the bug you filed on python-dkim, would you please include message samples that demonstrate the problem.
[03:59] <poolie> ok
[03:59] <poolie> my launchpad mp demonstrates the problem in its tests
[03:59] <poolie> there are no real tests in dkim.py
[03:59] <poolie> i will separate an example out
[04:00] <ScottK> Thanks.
[04:01] <poolie> ok, https://bugs.edge.launchpad.net/launchpad/+bug/588105 additional comments welcome
[04:01] <mup> Bug #588105: launchpad incoming mx.canonical.com should support opportunistic TLS <Launchpad itself:New> <https://launchpad.net/bugs/588105>
[04:02] <poolie> in a way it's good it's non-canonical staff doing the security review of it
[04:02] <poolie> s/it/this
[08:18] <adeuring> good morning
[11:01] <deryck> Morning, all.
[14:06] <deryck> gmb, concerning bug 570222.... if you cannot reproduce and gary_poster says a 2.6 builder is coming, perhaps we should wait and see when the builder gets going?
[14:06] <mup> Bug #570222: checkwatches blows up when using XML-RPC on Python 2.6 <story-reliable-bug-syncing> <Launchpad Bugs:In Progress by gmb> <https://launchpad.net/bugs/570222>
[14:08] <gmb> deryck, Yeah, I think that's a good plan. Also, this is another one in the 'record-which-bugtrackers-have-plugins/api' column; known which bug trackers to test against (other than gnome-bugs) would have made this a lot easier to work on.
[14:09] <deryck> gmb, yeah, good point.  We don't have an open bug about that yet do we?
[14:09] <gary_poster> deryck, gmb, it is RT 39005 FWIW
[14:09] <gmb> deryck, Don't know; I'll check
[14:09] <gmb> gary_poster, Thanks
[14:10] <gary_poster> np
[14:15] <gmb> deryck, Filed as 588287
[14:15] <gmb> bug 588287, that is...
[14:15] <mup> Bug #588287: Launchpad should record which bugtrackers have plugins / api <bugwatch> <Launchpad Bugs:Triaged> <https://launchpad.net/bugs/588287>
[14:16] <deryck> gmb, great.  Thanks, man!
[14:27] <maxb> thumper: (repeat question from yesterday) Hi, now that QA's done, do you want to remove my ~vcs-imports membership pending a ratification of it being ready for community members, or am I clear to actually review imports?
[14:46] <gmb> deryck, What's dhrb?
[14:47] <deryck> gmb, deryck-hodge-real-bug :-)
[14:47] <gmb> deryck, Nice.
[14:47] <deryck> gmb, just a shorthand for a quick-hit bugs list.  Something better than the gobby doc.
[15:14] <mars> jml, ping, have some time for a question or two about subunit in the test infrastructure, and bug 587886?
[15:14] <mup> Bug #587886: ec2 test mail reports SUCCESS when the suite fails <build-infrastructure> <Launchpad Foundations:Triaged by mars> <https://launchpad.net/bugs/587886>
[15:15] <jml> mars, sure, I have just a little time
[15:15] <mars> jml, mumble?
[15:15] <jml> mars, I'm not set up for that right now, sorry
[15:15] <jml> mars, IRC though.
[15:15] <mars> jml, ok
[17:15] <mars> rockstar or abentley, ping
[17:15] <rockstar> mars, hi
[17:16] <mars> hi rockstar
[17:17] <mars> rockstar, I have a hung ec2 windmill test here, and there is a coincidental intermittent failure in test_branchcollection, and also a hang in the branch-related windmill tests
[17:17] <mars> rockstar, here, I'll post the log
[17:17] <mars> rockstar, check the end of this log: http://pastebin.ubuntu.com/442864/
[17:17] <rockstar> mars, I think I've seen the branchcollection failure before, but I thought that got fixed.
[17:18] <mars> rockstar, ok, may be a stale branch doing it?
[17:18] <rockstar> mars, no idea.  I'm not sure what I'm supposed to discern from this though.
[17:20] <mars> rockstar, actually, hold on a minute or two, the other two instances have hung as well - need to see if it is the same test that died
[17:21] <rockstar> mars, truthfully, if I were looking into the ec2 hangs, I'd look at the differences between the buildbot instances (where we don't have the hang) and our ec2 test instances.
[17:22] <mars> rockstar, true, haven't thought of that.  I'm tackling it from this perspective since I have also been messing around with the test_on_merge.py code
[17:22] <rockstar> mars, okay.
[17:27] <maxb> https://bugs.edge.launchpad.net/launchpad-code/+bug/327126, linked from https://dev.launchpad.net/ReviewingCodeImports, is private. I wonder if someone could assess whether it needs to be private?
[17:28] <mars> rockstar, ok, looks like that intermittent test failure may not be the source.  The other branch hung for some other reason.
[17:28] <rockstar> mars, cool.
[17:28] <mars> rockstar, and the third branch passed everything just fine :/
[17:28] <rockstar> mars, yeah, ec2 is becoming less and less reliable.
[17:36] <mars> HA!
[17:37] <mars> File "/var/launchpad/tmp/eggs/zope.testing-3.9.4-py2.5.egg/zope/testing/testrunner/runner.py", line 587, in resume_tests
[17:37] <mars>     time.sleep(0.01) # Keep the loop from being too tight.
[17:37] <mars> TypeError: unbound method exit_with_atexit_handlers() must be called with TwistedLayer instance as first argument (got int instance instead)
[17:37] <mars> I have no idea what that error means yet
[17:38] <mars> but I managed to capture it when killing off the hung ec2 testrunner.
[17:42] <mars> rockstar, this is frustrating because I can see what is failing: I am getting a partial traceback on the console.  But the rest of the traceback is being held by the subprocess and Python buffers, so killing the process wipes those buffers out.
[17:44] <rockstar> mars, so there's a twisted issue?  I'm not very good at debugging Twisted stuff, but I bet jml is.  :)
[17:44] <rockstar> (He knows a little bit about Twisted)
[17:45] <mars> rockstar, might be twisted.  Looking at the log, that may just be an error with the process shutdown, and unrelated to the original suite hang.
[17:46] <rockstar> mars, maybe, but maybe if you fix that, you'll get a better traceback.
[18:09] <mthaddon> maxb: howdy - have a few moments to talk about lucid launchpad-dependencies?
[18:09] <maxb> sure
[18:09] <mthaddon> maxb: so it seems the only package we're missing is spidermonkey-bin, which I've been told is in the xulrunner source package in the PPA?
[18:10] <maxb> erm... define missing?
[18:10] <mthaddon> (missing from stock lucid, that is, if you ignore python2.5)
[18:10] <maxb> oh, right
[18:10] <maxb> yes
[18:10] <maxb> erm, and postgres-8.3
[18:10] <mthaddon> maxb: but there's a xulrunner package in stock lucid - so it doesn't include the spidermonkey-bin we need?
[18:10] <maxb> That is correct
[18:10] <mthaddon> yeah, and if you change postgres 8.3 -> 8.4
[18:11] <mthaddon> maxb: ok, cool thx
[18:11] <maxb> The ubuntu mozilla team chose to not package spidermonkey because of upstream's refusal to maintain a stable ABI
[18:11] <mthaddon> maxb: I think that's all I need for now - I'll let you know if I need more info
[20:44] <maxb> www.launchpad.net..... ewww :-)
[21:13] <mars> EdwinGrubbs or bac, quick question: how do I run the all-in-one JavaScript unit test suite?  Is there a wiki page with instructions?
[21:31] <EdwinGrubbs> mars:  ./bin/test -vv -t test_yuitests
[21:32] <mars> EdwinGrubbs, thanks
[21:34] <EdwinGrubbs> mars: look at lib/lp/registry/windmill/tests/test_yuitests.py    Each lib/lp/*/windmill directory needs one of these files to run tests found in lib/lp/*/javascript/tests
[22:50] <thumper> maxb: still around?
[22:53] <maxb> hi
[22:56] <maxb> (thumper)
[22:57] <thumper> maxb: I think you are fine to garden imports
[22:57] <thumper> maxb: the permissions that are on edge will be on production within a day
[22:57] <thumper> maxb: I see that you've already been doing some, so that's cool
[22:58] <maxb> I hit the retry button on all the ones that pear's glitch broke
[22:58] <maxb> A question that I had - when an import goes to Failed because the upstream server has gone away, should it then be set Invalid, to get it out of the Failed list?
[23:03] <lifeless> maxb: disabled I should think
[23:04] <maxb> Do vcs imports have a disabled status?
[23:04] <lifeless> they certainly used to :P
[23:04] <lifeless> flag, not status
[23:07] <maxb> oh... 'suspend' ?
[23:13] <maxb> Would someone be able to review bug 327126 and see if it actually needs to be private?
[23:13] <maxb> It is referenced on dev.lp.net/ReviewingCodeImports, but I can't access it
[23:15] <mwhudson> maxb: i'll subscribe you
[23:16] <mwhudson> maxb: done
[23:21] <maxb> thanks
[23:23] <thumper> maxb: suspended seems reasonable I guess
[23:23] <mwhudson> yes, i think suspended makes sense for the place to put imports we'll never want to look at again