/srv/irclogs.ubuntu.com/2011/03/09/#ubuntu-motu.txt

[01:21] <psusi> can you connect a glib signal directly to a dbus signal, or do you have to set up a proxy object and a callback function to raise the signal in the gobject when the dbus object signals?
[03:58] <c2tarun> bug 216301 shows that fix is released in debian, but rmadison is not detecting elog into debian.
[03:58] <ubottu> Launchpad bug 216301 in elog (Ubuntu Hardy) "[CVE-2008-0444, CVE-2008-0445] XSS and DoS" [High,Confirmed] https://launchpad.net/bugs/216301
[03:58] <c2tarun> why so?
=== Amaranth_ is now known as Amaranth
[04:19] <micahg> c2tarun: it was removed from debian almost 3 years ago
[04:19] <Mase_wk> heh
[04:20] <c2tarun> micahg: can you tell me some security bugs on which I can work on?
[04:21] <micahg> c2tarun: anything here: http://people.canonical.com/~ubuntu-security/cve/universe
[04:42] <c2tarun> micahg: I need a bit help on this, are you free for a moment?
[04:42] <micahg> c2tarun: in a bit, working on something ATM
[04:43] <c2tarun> micahg: sure :) can you please ping me when you are free I am waiting
[05:05] <micahg> c2tarun: go ahead
[05:06] <c2tarun> micahg: I want to work on some security bugs, but don't know how to start, I read the manual pages and found that there are some CVE issues which raise the security threat in bugs, My question is how can I start working on a security bug?
[05:07] <micahg> c2tarun: pick a package, pick a release, try to find the patches for the CVEs and create a debdiff
[05:08] <c2tarun> micahg: suppose I pick this package http://people.canonical.com/~ubuntu-security/cve/pkg/sql-ledger.html , how can I look for the patch?
[05:10] <micahg> c2tarun: each CVE should list an upstream bug and/or an upstream commit, find the upstream commit and/or a patch with the fix in Debian and prepare a debdiff with the fixes for Ubuntu with a changelog like here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation
[05:11] <micahg> c2tarun: I can't walk through a lot of stuff tonight, maybe another night, you can also ask in #ubuntu-hardened for security stuff
[05:12] <c2tarun> micahg: thanks :)
[05:42] <c2tarun> micahg: I failed to find any patch or upstream commit for the package I selected, maybe I don't know where to, can you please help.
[05:43] <micahg> c2tarun: try another package would be my suggestion ATM
[05:45] <c2tarun> micahg: I tried this one also http://people.canonical.com/~ubuntu-security/cve/pkg/flatnuke.html but failed to find
[05:45] * micahg never heard of these packages
[05:46] <micahg> c2tarun: you want to try phpmyadmin lucid?
[05:47] <micahg> it's kinda crazy for a first time though
[05:47] <c2tarun> micahg: oh... there is a patch :)
[05:47] <micahg> c2tarun: there are lots of patches :)
[05:48] * micahg has about 20 sitting on his machine waiting to make a debdiff...
[05:48] <c2tarun> micahg: all 20 are from that same Canonical CVE bug tracker?
[05:49] <micahg> c2tarun: no, those 20 are from 1 upstream advisory
[05:49] <micahg> c2tarun: yes, they're all listed on the CVE tracker
[05:49] <micahg> there are about 8 advisories w/patches, some of the patches are in the maverick package
[05:50] <c2tarun> micahg: in that phpmyadmin whenever I am opening any patch I am getting XML parsing error
[05:50] <micahg> c2tarun: someone else will have to help here, I can't do this tonight
[05:51] <c2tarun> ok, so should I ask in ubuntu-hardened?
[05:52] <micahg> c2tarun: sure
[05:52] <c2tarun> micahg: thanks for help :)
[08:17] <geser> c2tarun: you pinged me yesterday, is the question resolved?
[08:22] <c2tarun> geser: yup :) thanks for replying
[08:33] <dholbach> good morning
[08:49] <geser> good morning dholbach
[08:50] <dholbach> hi geser
[09:31] <iulian> Morning dholbach, geser.
[09:32] <dholbach> hey iulian
[09:33] <iulian> How's it going?
=== Guest79780 is now known as Kmos
[09:54] <dholbach> iulian, good good - how are you?
[09:59] <iulian> dholbach: Not bad, I'm trying to wake myself up. I've just had a couple of hours of sleep last night.
[09:59] <dholbach> good luck with that :)
[09:59] <iulian> Heh. :)
[10:05] <jfi> Hello, if someone has the time to sponsor it, bug 731832 is trivial and I have attached a debdiff for the fix. Anyway, that's a low importance one.
[10:05] <ubottu> Launchpad bug 731832 in dee (Ubuntu) "Comma at end of enumerator list" [Low,New] https://launchpad.net/bugs/731832
[10:56] <geser> jfi: I see that the Ubuntu task is "Fix committed". Where was it committed?
[10:58] <jfi> geser, yes, it appears that somebody has committed a fix, but I don't have enough knowledge of launchpad to know where exactly it has been committed. Anyway it seems that the project is using bzr for the code.
[10:59] <geser> jfi: please also add "(LP: #731832)" to your debian/changelog entry to auto-close the bug upon upload (the brackets are optional)
[11:00] <jfi> geser: you mean for the debdiff that I have attached to the bug report?
[11:01] <geser> jfi: yes (generally speaking)
[11:02] <jfi> geser: ok, I am going to upload a new debdiff, thanks for the information.
[11:02] <geser> I'll ask seb128 (who set the bug to Fix Committed) about the current status
[11:06] <geser> jfi: your patch will get uploaded as part of the weekly dx updates tomorrow, so nothing has to be done on your part anymore (just wait :) )
[11:07] <jfi> geser, nice! thanks!
[11:10] <geser> jfi: for your next fix: if you want attention from sponsors subscribe "ubuntu-sponsors" to the bug you want sponsored (see https://wiki.ubuntu.com/SponsorshipProcess)
[11:13] <jfi> geser, ok
=== ogra is now known as Guest90542
=== Guest90542 is now known as ogra_
=== ogra_ is now known as ogra
=== andreas__ is now known as ahasenack
[16:07] <micahg> \sh: did you see the security advisory for zf
[16:24] <c2tarun> I am trying to link bug 732064 with debian bug 617529 but getting error. Can anyone please help?
[16:24] <ubottu> Launchpad bug 732064 in ckermit (Ubuntu) "Package ckermit_211-15 failed to build from source with "ld --as-needed" option" [Undecided,Confirmed] https://launchpad.net/bugs/732064
[16:24] <ubottu> Debian bug 617529 in ckermit "Package ckermit_211-15 failed to build from source with "ld --as-needed" option" [Normal,Open] http://bugs.debian.org/617529
[16:27] <Ampelbein> c2tarun: what error do you get?
[16:27] <c2tarun> Ampelbein: There is no project in Launchpad named "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617529". Please search for it as it may be registered with a different name.
[16:28] <Ampelbein> c2tarun: you have to click on 'Also affects Distribution' then select debian from the drop-down list.
[16:31] <\sh> micahg: yes
[16:31] <micahg> \sh: are you preparing updates?
[16:33] <\sh> micahg: you mean security updates? when I find the time, sure, but regarding my actual work I think I have to find someone who is doing the security updates
[16:34] <micahg> \sh: I was referring to debdiffs for any previous releases that might need them :)
[16:39] <\sh> micahg: yeah, that means security updates :) I don't know when I have the time for it to extract the patch and provide debdiffs (via security pocket)
[16:40] <micahg> \sh: ok, idk when I'll have time either
[17:48] <kklimonda> debfx: is the current Gtk+ view in Qt the best we can get?
[17:49] <geser> does somebody know if a sync request with a binary package rename needs a FFe?
[17:49] <kklimonda> debfx: "current Gtk+ look & feel" event
[17:49] <kklimonda> even*
[18:03] <bdrung> tumbleweed: do you got the debian-devel mail about "new scripts and patches for devscripts". would you volunteer to maintain the python scripts if they moved from u-d-t to devscripts?
[18:04] <c2tarun> can anyone help me with this error http://paste.kde.org/6936/ I was trying to pull a source code.
[18:05] <geser> c2tarun: can you please paste the ownership and permissions of /home/tarun/.launchpadlib?
[18:06] <c2tarun> geser: there is no such file
[18:07] <tumbleweed> bdrung: just read it
[18:09] <tumbleweed> bdrung: yeah I'd help maintain them
[18:09] <c2tarun> geser: very sorry I thought it was a file and not a folder, drwx------  3 root  root   4096 Mar  9 09:10 .launchpadlib here is the permissions
[18:10] <bdrung> tumbleweed: thx, i'll respond to the mailing list later today offering us two to maintain the python scripts
[18:11] <geser> c2tarun: looks like a script created it which got run as root, chown the directory to your user to fix it (sudo chown tarun:tarun ~/.launchpadlib)
[18:11] <tumbleweed> bdrung: cool
[18:12] <c2tarun> geser: fixed :) thanks
=== vish is now known as evilvish
[18:40] <debfx> kklimonda: yes, assuming it correctly uses qgtkstyle
[18:53] <kklimonda> debfx: hmm.. even the simplest button looks different. I was under the impression that Qt uses Gtk+ widgets completely (i.e. for the button it displays GtkButton with the set text, and mnemonics) and it doesn't seem to be the case.
[18:53] <directhex> toolkits pretending to be other toolkits always feel alien
[18:53] <directhex> hell, firefox and openoffice on ubuntu feel alien
[18:55] <kklimonda> directhex: sure, but I've hoped that the difference comes mostly from the fact that you create one gui for three platforms, and that if you work with Linux in mind you could create something closely following the look and feel of Gtk+.
[18:56] <kklimonda> and it's close.. just not close enough - it leaves this nagging feeling in the back of my head, that something isn't completely right.
[18:56] <directhex> kklimonda, even if you emulate gtk's widgets 100%, the HIG for apps differs
[18:56] <kklimonda> directhex: yes, but I've hard idea to follow GNOME HIG in Qt
[18:57] <debfx> afaik qgtkstyle uses native gtk widgets
[18:58] <kklimonda> debfx: it seems to be using gtk widgets' style
[18:59] <kklimonda> they do link with gtk+ and create gtk widgets - but they don't look and feel like gtk widgets. So I assume that they just take style from buttons and still paint their own widgets using this style.
=== sebner_ is now known as sebner
[20:32] <ari-tczew> Daviey: please don't write about updated maintainer field in d/changelog.
[20:33] <soren> It really doesn't matter.
[20:33] <Daviey> ari-tczew, uh?
[20:34] <ari-tczew> Daviey: https://launchpad.net/ubuntu/+source/tomcat6/6.0.28-10ubuntu1
[20:34] <ari-tczew> soren: it's wrong with policy.
[20:34] <soren> Which policy forbids it?
[20:35] <Daviey> ari-tczew, url please
[20:42] <ari-tczew> Daviey: I don't have anything which could tell it 100%, http://people.canonical.com/~cjwatson/ubuntu-policy/policy.html/ch-source.html#s-dpkgchangelog
[20:43] <Daviey> ari-tczew, that seems to make no reference to it :/
[20:43] <ari-tczew> Daviey: In general, we keep the information in d/changelog only which mean remaining changes which are blocking sync.
[20:43] <Daviey> ari-tczew, Where did you hear/read it was against policy, because that is /totally/ new to me
[20:43] <ari-tczew> Daviey: a lot of times
[20:44] <ari-tczew> herer
[20:44] <ari-tczew> here *
[20:44] <Daviey> ari-tczew, Well i can see your point, but i disagree..
[20:44] <ari-tczew> Daviey: why?
[20:44] <ari-tczew> is it really urgent information to keep in d/changelog?
[20:44] <Daviey> ari-tczew, it's something which has changed....
[20:44] <soren> Is it really so bad to put it there that you think it's necessary to complain when people do?
[20:44] <ari-tczew> Daviey: but it doesn't block sync
[20:45] <Daviey> ari-tczew, In a package lifecycle from diverging from Debian it should only be there ONCE... it's not like it's excess noise.
[20:45] <ari-tczew> soren: I don't say it's bad. Just telling it's not necessary and I discourage to using it next time.
[20:45] <Daviey> ari-tczew, Please find something documented.
[20:45] <ari-tczew> Daviey: I have to ask cjwatson, he has got policy.
[20:46] <soren> I agree it's rather useless information. Making that change is required by policy, but if people want to write in in the changelog, I don't care.
[20:47] <soren> Certainly not enough to be confrontational about it.
[20:47] <Daviey> ari-tczew, so if it's things purely blocking sync, if i cherry pick a patch from a debian package... but don't want the whole thing (think post feature freeze), what do you suggest the changelog entry is?
[20:47] <ari-tczew> soren: I like when everything is done perfect. <3
[20:47] <Daviey> because that situation does not block a sync.
[20:48] <ari-tczew> Daviey: I don't understand your question. don't you know how describe it in d/changelog?
[20:48] <Daviey> ari-tczew, Let me try again...
[20:49] <Daviey> Debian unstable has a new upload, fixing super-awesome-thing.patch....
[20:49] <ari-tczew> * debian/patches/XXXX.patch: fix blah blah blah (LP: #xxxx, Closes: #XXX)
[20:49] <Daviey> But also lots of new features
[20:49] <Daviey> Now, this patch is cherry picked, unedited from debian.
[20:49] <Daviey> I ONLY want that one patch, not the rest of the changes.
[20:49] <ari-tczew> yes
[20:49] <ari-tczew> so do it
[20:49] <Daviey> Therefore, it's not a sync blocker next cycle
[20:50] <ari-tczew> with *ubuntu1 upload
[20:50] <Daviey> Therefore, by your definition - it doesn't need a changelog entry.
[20:50] <ari-tczew> Daviey: you don't understand me
[20:50] <ari-tczew> it blocks sync
[20:50] <Daviey> ari-tczew, no - i think you misunderstand me.
[20:50] <soren> It doesn't block sync. The change he made is in the Debian version, so a sync would include it.
[20:50] <Daviey> d/changelog is /purely/ sync blockers, when people are decided in the next cycle to sync or merge, right?
[20:51] <Daviey> ^^ That is how i understood your definition.
[20:51] <ari-tczew> Daviey: look, QA changes like update maintainer or Vcs fields can be dropped for sync.
[20:51] <Daviey> agreed.
[20:51] <ari-tczew> patch of course, but it needs to be described
[20:51] <ari-tczew> in d/changelog
[20:51] <Daviey> So can my cherry picked patch, super-awesome.patch
[20:51] <ari-tczew> update-maintainer doesn't
[20:53] <Daviey> ari-tczew, as i said, this issue is pretty much resolved if you can find /any/ documentation that states we have policy describing this.
[20:54] <geser> Daviey: see the last sentence of http://people.canonical.com/~cjwatson/ubuntu-policy/policy.html/ch-binary.html#s3.3
[20:55] <geser> about the documentation of Maintainer changes
[20:55] <ari-tczew> thanks geser
[20:57] <Daviey> geser, Okay, that does confirm it. I don't agree with it, considering it should only happen once in a lifecycle - but if that is what is stated, ok.
[20:57] <Daviey> I'd like to know when that was approved, as it's *very* common for people to note that change.
[20:58] <ari-tczew> Daviey: I think a lot of developers know this one, looking on their uploads. ;-)
[20:58] <ScottK> Daviey: It's been a couple of years.
[20:58] <geser> Daviey: it was mentioned on the ubuntu-devel mailing list or even ubuntu-devel-announce, let me try to find it
[20:58] <soren> update-maintainer was updated to stop mentioning it in 2008.
[20:58] <Daviey> That is interesting... /me is tempted to do some grep to look at stats.
[20:59] <ari-tczew> This is an example when I'm afraid of giving core-dev for non experienced Canonical staff.
[20:59] <Daviey> ari-tczew, dude... back off.
[20:59] <soren> *sigh*
[21:01] <ScottK> ari-tczew: That's really out of line. An extra changelog entry is not ideal, but it has exactly zero effect on anything the user sees or does.
[21:01] <ari-tczew> ScottK: I wrote example.
[21:02] <ari-tczew> small example, right
[21:02] <ari-tczew> and nothing terrible
[21:02] <ScottK> ari-tczew: It's not an example of the kind at all.
[21:02] <soren> I've been core-dev for years and was MOTU for years before that and was developing on Ubuntu for years before that. I still make mistakes.
[21:02] <soren> We're not robots.
[21:02] <soren> Doesn't make any of us any less suited to be core-dev.
[21:02] <geser> Daviey: a reference to the change I could find is https://lists.ubuntu.com/archives/ubuntu-devel/2008-October/026623.html
[21:03] * ari-tczew no? looking sometimes on people character here, I think so
[21:03] <highvoltage> soren++ (any human will make mistakes)
[21:03] <soren> If being core-dev meant you had to be infallible, there'd be exactly 0 core-devs and we'd get nothing at all done.
[21:04] <Daviey> geser, "There is no need" is not exactly the same as TB resolution on policy change.
[21:05] <ari-tczew> ScottK: I mean cases when people not very familiar with policies gain full upload access.
[21:05] <geser> Daviey: if you follow this thread to the third message, you will see the proposal for the change to the ubuntu-policy document
[21:06] <ScottK> ari-tczew: I don't think that's a conclusion you can reasonably draw from this incident.
[21:06] <Daviey> geser, ack
[21:06] <highvoltage> ari-tczew: I think the DMB would be quite offended at that statement, they take giving upload rights very seriously, and don't just hand out upload rights to Canonical staff if they didn't already deserve it
[21:07] <geser> Daviey: I only want to point out, that this "no need to document it" is nothing new (didn't remember myself that it was that old already (Oct 2008))
[21:07] <Daviey> At *no* point has my employer been part of my application. I'm not entirely happy about it being mentioned like this.
[21:07] <Daviey> I am a Ubuntu Developer, Not a Canonical Developer.
[21:08] <Daviey> geser, Yeah.. I was wrong about that.. Although i do feel a little hard done by here, I am tempted to grep changelogs to show that a significant amount of people do this.
[21:08] <soren> I think we'd be hard pressed to find a developer who remembered every tiny little bit of information in the policy anyway.
[21:08] * Daviey feels attacked, and that makes him sad.
[21:09] <ScottK> Daviey: It's not worth it. Spend your time on something productive.
[21:10] <highvoltage> Daviey: you wouldn't even need to, https://launchpad.net/~davewalker/+related-software speaks for itself!
[21:12] <ari-tczew> Daviey: Don't mess your feeling by me. Really.
[21:13] <ari-tczew> Daviey: Sorry for bad feeling. I wanted to make it as usual discussion.
[21:14] <Daviey> ari-tczew, you approached it very badly.
[21:14] <Daviey> Equally, I'm interested if you have been specifically following my work.
[21:14] <Daviey> I am interested why you added a comment, which mirrored exactly what i said on.
[21:14] <Daviey> https://code.launchpad.net/~brian-murray/ubuntu//ubuntu-geoip/fix-719324/+merge/52268
[21:15] <ari-tczew> Daviey: It doesn't exist.
[21:16] <ari-tczew> Daviey: IIRC it was on sponsors overview, so I left a comment. I think it's not prohibited.
[21:16] <Daviey> https://code.launchpad.net/~brian-murray/ubuntu/natty/ubuntu-geoip/fix-719324/+merge/52268
[21:16] <ari-tczew> Daviey: Do you think I'm spying you?
[21:16] <Daviey> ari-tczew, It did make me wonder.
[21:16] <cody-somerville> Let's assume everyone is working in good faith please.
[21:17] <ari-tczew> Daviey: In ubuntu-geoip's case as I wrote, it was on sponsors overview, I left a comment.
[21:18] <ari-tczew> Daviey: About today's case - I check every upload when I look on https://launchpad.net/ubuntu/natty
[21:18] <ari-tczew> every *last* upload
[21:18] <cody-somerville> Daviey, FWIW, I believe ari-tczew when he says that. I've seen him make this comment to numerous individuals.
[21:19] <ari-tczew> cody-somerville: thanks for trust :)
[21:26] <geser> Daviey: that was meant to be "used" against you, just informational (at least from me). I forget some specifics sometimes too and have to ask others.
[21:26] <geser> s/was/wasn't/
[21:27] <geser> my usual mistake: to think the "not" but not type it
[21:28] <cody-somerville> ari-tczew, On the same token, Daviey is core-dev and I trust him to make his changelogs useful. If he wants to include that bit of information, I'm fine with that. You're welcome to point out to people that they don't need to but I don't think it represents a serious lack of skill or experience. It's pedantic of you but that's your choice ;)
[21:30] <ari-tczew> cody-somerville: yea, it's nitpick
[21:33] <cody-somerville> And I don't think 'nitpicks' are worth making the accusation that someone is not fit for core-dev, don't you agree? ;)
[21:37] <ari-tczew> cody-somerville: Agree. I apologized.
[21:38] <cody-somerville> Daviey, Do you accept ari-tczew's apology? :)
[21:39] <Daviey> cody-somerville, Yes.
[21:40] * Daviey is gonna get away from the computer for a bit.
=== mok0_ is now known as mok0
