[12:23] <bac> thanks gmb.  fwiw i had tried using person_logged_in and got other issues.  i'll have a look at your branch.
[12:26] <bac> gmb: my problem was i tried using person_logged_in and then passing the principal to create_initialized_view -- you must do both
[12:37] <gary_poster> bac, feature_flag issue is dealt with?  danilos has OCR today, so if you are close to working on the client branch, we should maybe plan for a handoff on danilos' current task, at least if he is not finished by his EoD
[12:41] <danilos> gary_poster, hi, I hope I'll get this done before our meeting even with OCR
[12:41] <gary_poster> cool danilos, np then
[12:43] <bac> gary_poster: yes, i understand now how to get the tests working.  it is now a matter of replicating them across pillars
[12:43] <gary_poster> bac, awesome
[12:43] <bac> several hours work, at least
[12:43] <gary_poster> bac, is there anything that we can share?
[12:43] <bac> gary_poster: may be more trouble than worth
[12:44] <gary_poster> ok bac.  Please keep it in mind in case you discover something that might change your mind
[12:44] <bac> will do
[12:44] <gary_poster> cool
[12:59] <gmb> bac: Glad I could help.
[13:16] <gary_poster> benji, fwiw added another card to FW 2 that you can move to when done with your current bug
[13:16] <gary_poster> probably should be fixed before merging
[13:16] <benji> k
[13:16] <gary_poster> I might take it myself if I get to it
[13:28] <gary_poster> bac, benji, danilos, gmb, mumble/kanban in 2
[13:28] <bac> ok
[13:28] <gmb> ack
[13:29] <gary_poster> someone, what is the easy way to get a url to an object in a differnt pillar than the one you are in now?  There must be an easy way, and I may even have known it at some point...
[13:30] <gmb> gary_poster: You mean a different rootsite? (e.g. code, bugs, answers, etc.)
[13:31] <bac> gary_poster: e.g.  return urlappend(canonical_url(self.context, rootsite='feeds'),
[13:44] <gary_poster> thanks, gmb, btw
[13:44] <gary_poster> for answer :-)
[13:44] <gmb> np
[13:54] <danilos> "subscribe to bug mail" link on lp.dev/firefox has stopped working for me with latest accordionoverlay branch
[13:54] <danilos> is this known or not?
[13:56] <gary_poster> danilos: you need to turn on feature flag.  one sec, will get detail...
[13:56] <danilos> aah
[13:57] <gary_poster> benji, I think that bug is just adding "escape" into a magic point within "render_filter_name" yeah?
[13:57] <gary_poster> advanced-structural-subscriptions.enabled	default	10	on
[13:57] <gary_poster> danilos ^
[13:57] <gary_poster> https://launchpad.dev/+feature-rules
[13:57] <benji> gary_poster: yep; I bet http://developer.yahoo.com/yui/3/api/Escape.html will work
[13:58] <gary_poster> foo.bar@canonical.com has privs
[13:58] <danilos> gary_poster, cool, thanks
[13:58] <gary_poster> danilos, np
[13:58] <gary_poster> benji, cool. I wonder what the diff between that and javascript escape is
[13:58] <gary_poster> but anyway
[13:58] <gary_poster> run with the YUI version :-)
[13:59] <benji> actually, Gavin just noted on a related bug (740096) that using Y.Node instead of strings of HTML would fix/avoid this class of problem, so I'm going to try that
[14:00] <gary_poster> ah cool
[14:01] <gary_poster> bug 740096
[14:01] <gary_poster> oh mup, you're never there when I want you
[14:01] <benji> xss vulnerability in new bug subscription overlay; https://bugs.launchpad.net/launchpad/+bug/740640
[14:01] <benji> oops, wrong one
[14:01] <benji> when updating a code build recipe json returned isn't escaped; https://bugs.launchpad.net/launchpad/+bug/740096
[14:03] <gary_poster> yeah, thank you. https://launchpad.net/bugs/BUG_NUMBER is almost but not quite as fast as mup.
[14:06] <benji> I have a Firefox bookmarklet that lets me type "bug NUMBER" and it takes me to the bug.
[14:13] <gary_poster> ah, nicer
[14:14] <gary_poster> chrome really is noticeably faster for me though.  :-/ FF 4 is better but still there's an appreciable difference.
[14:14] <gary_poster> as an aside about FF :-)
[14:30] <benji> gary_poster: the XSS bug is a bit bigger than just description; it could come from any of the values (if we allow HTML-like values in those fields); should I just do description now and file another bug to determine the scope of the problem/fix the others?
[14:31] <gary_poster> benji, fix that bug, land a branch so I can adjust my code to deal with the change :-P , and add a new card for the other fields and start on that.
[14:31] <gary_poster> no need for a bug IMO
[14:31] <benji> cool
[14:31] <gary_poster> lemme know when it is landed please
[14:32] <benji> k
[14:38] <bac> gary_poster: got a sec?
[14:38] <gary_poster> sure bac
[14:39] <bac> gary_poster: mumbe
[14:39] <bac> l
[14:46] <benji> gary_poster: the XSS problem is even deeper than that, I believe this is really a bug in lazr.restful; investigating now.  I've tried to come up with a hacky solution but can't think of one.  On the other hand, the only change we should have to make to the branch is to use a newer lazr.restful once I fix this.
[14:49] <gary_poster> benji, sounds scary in terms of backwards compatibility
[14:49] <benji> gary_poster: I take it back; the bug is definately in LP; I think I can have a fix shortly.
[14:49] <gary_poster> cool
[14:49] <gary_poster> bac, this is interesting from LEP:
[14:49] <gary_poster> bdmurray: gary_poster: looking again I think bug supervisors can structurally subscribe to distro bugs if a bug supervisor is set
[14:49] <gary_poster> bdmurray: gary_poster: at least that is the way it was when I wrote it
[14:49] <gary_poster> gary_poster: bdmurray, oh? I'm afraid I'm not even sure how bug supervisors fit into it
[14:49] <gary_poster> bdmurray: gary_poster: its only for distributions with bug supervisors set that structural subscriptions are restricted for and they are restricted to the members of the bug supervisor team
[14:50] <gary_poster> bac, so it seems that distributions do not generically enable this functionality, but it is enabled selectively for certain users
[14:51] <gary_poster> if you need more details we will probably have to turn to a bugs team expert
[14:51] <bac> gary_poster: then we may be in good shape, sort of
[14:51] <gary_poster> ok cool
[14:51] <bac> that explains why i don't see it on the bug page
[14:51] <bac> it'll take some finagling to get it to show up properly on the overview page under those conditions
[14:51] <gary_poster> ok
[15:07]  * gary_poster has landed two small branches to ~yellow.  I'd like to make another small change, but that will wait for the XSS work.
[15:30] <gary_poster> bac, did you want me to help?
[15:30] <bac> gary_poster: i do.  sorry for the delay.
[15:30] <gary_poster> np
[15:34] <gary_poster> If you are doing a punchlist item that is supposed to go into the mongo branch and therefore not go through the usual review/landing process, please feel free to use the new "completed punchlist items" column
[15:34] <gary_poster> I should have added that sooner; I forget how mutable the kanban board is
[15:34] <benji> ok, I need a consult; I must be doing something wrong with 740640.  What's happening is that the JSON representation of the bug filters is inserted into a script tag at the bottom of the page.  If the description contains </script><script>DO BAD THINGS</script> then bad things are done...
[15:34] <gary_poster> We'll remove those as soon as we land the mongo branches
[15:35] <benji> ...I expected wrapping the JSON in a CDATA and/or HTML comment would fix that, but it doesn't.
[15:35] <gary_poster> ok, first thought
[15:35] <benji> An we can't just escape the whole string because that will lead to HTML-escaped data getting into the DB (not the right thing to do).
[15:36] <gary_poster> we should disallow funky characters in the names
[15:36] <gary_poster> we do that elsewhere AFAIK
[15:36] <gary_poster> and should do it here for simplicity
[15:36] <gary_poster> that seems to solve the problem quickly and reasonably
[15:38] <benji> gary_poster: yeah, it's reasonable for the short term, but I feel bad leaving it this way in general; we're going to keep getting outselves into this situation and there seems to be a central place to fix it
[15:38] <gary_poster> I wonder if the policy is the right way to fix it thoug
[15:38] <gary_poster> h
[15:38] <gary_poster> you bring up good concerns about escaping
[15:39] <gary_poster> I suppose you could say lazr.restful escapes on the way out and unescapes coming back in
[15:39] <gary_poster> but that's going to be pretty hairy to incorporate is my guess
[15:39] <gary_poster> because nothing expexts the unescaping ATM
[15:39] <gary_poster> expects
[15:39] <gary_poster> even if this were isolated to just the JS bits
[15:40] <benji> right; I have a strong gut feeling that there is a right way to do this that won't affect existing code, but I don't know what it is right now
[15:41] <gary_poster> I don't see it either.  Other problematic variations:
[15:42] <benji> regarding disallowing funky characters: it seems to me that we need to do that at PATCH time, not in the JS (otherwise people can use the web service directly to inject their XSS attack)
[15:42] <gary_poster> lazr.restful (or whatever machinery does this thing for the response cache) pukes if it gets a string that is not safe to put in the browser, unless there is some gesture to escape it.
[15:42] <gary_poster> disallowing funky characters: this needs to be in the server
[15:43] <gary_poster> and then needs validation on the clientside of a similar sort to the thing that we need for tags
[15:44] <gary_poster> so I agree, the only thing in the JS is code to make the error friendly
[15:44] <gary_poster> disallowing funky characters happens in the DB for tags, I've heard
[15:45] <gary_poster> Going that deep is appropriate here too if there is precedence, in fact
[15:45] <gary_poster> Also note that we only render to the page what the server gives us.  When we do a patch, the server gives us back the new representation, and that's what we render
[15:46] <benji> How much time pressure are we under for this fix?  I don't think adding a "be sure strings are browser-safe" to lazr.restful is the right thing to do, but don't know how long it will take to figure out the right thing.
[15:46] <benji> yeah, doing tag-like, DB-level string safety checks might be the best short term thing we can do
[15:47] <gary_poster> benji, yes.  This is what I'd like:
[15:47] <gary_poster> 1) DB-level string safety checks
[15:47] <gary_poster> 2)  JS-level friendliness about it all
[15:48] <bac> gary_poster: email sent
[15:48] <bac> with tasks.  let me know if it doesn't make sense
[15:48] <gary_poster> 3) A bug about the larger problem, if you like.  As I said, my current feeling is that the answer is to typically not allow XSS-type charecters in fields.  I suppose lazr.restful could try to enforce that, but I don't love it
[15:48] <gary_poster> benji, done.
[15:48] <gary_poster> bac, thanks, will read.
[15:49] <benji> gary_poster: sounds good; I'll work on 1 and 2 now (well, and after lunch)
[15:49] <gary_poster> benji, cool
[15:58] <danilos> bac, gary_poster: error handling being pushed right now
[15:59] <danilos> bac, gary_poster: and now done, it should be in ~yellow/launchpad/accordionoverlay
[16:02] <bac> danilos: great
[16:02] <gary_poster> awesome danilos, thanks
[16:11] <bac> gary_poster: ping me before you tackle any of those items
[16:11] <gary_poster> bac, will do.  Branch is built now, and I'm wrapping something else up.  I might have questions for you in just a sec (though if you are going to lunch np)
[16:11] <bac> eating in
[16:12] <gary_poster> k
[16:15] <gary_poster> (pushed another small branch)
[16:16] <danilos> gary_poster, I am looking into lowercase tags stuff, should I switch to something else to help out instead?
[16:17] <gary_poster> danilos, you have about 1:45 left, yeah?
[16:17] <gary_poster> or just :45?
[16:17] <danilos> gary_poster, something like 1h, yeah, but all of tomorrow morning as well :)
[16:18] <gary_poster> danilos, heh, sure.  weellll...benji, you around, by chance?
[16:18] <danilos> gary_poster, there are also small bits like "Unsubscribe" not showing any progress UI and things like that
[16:19] <gary_poster> danilos, please add cards for stuff you see like that
[16:19] <danilos> gary_poster, right, I'll do that
[16:19] <benji> gary_poster: kinda ;)
[16:19] <gary_poster> benji :-) is there anything danilos can do for your task, or should he and I find something else?
[16:20] <benji> gary_poster: well, now that we've identified a course of action, he could persue it; I haven't yet done much discovery on how the tag spellings are enforced
[16:22] <gary_poster> ack benji.  I'll give danilos some options and I'll include that as one of 'em.  I'll let you know on the kanban board and here and stuff.  Thanks
[16:22] <benji> k
[16:22]  * benji returns to making patty melts.
[16:22] <gary_poster> :-)
[16:23] <gary_poster> So, danilos, here are good cards
[16:23] <gary_poster> 740640, FW 2.  Task is to enforce no-scary-XSS-characters in the DB, and figure out a pretty way to display that
[16:23] <gary_poster> That fits in nicely with the tags one
[16:23] <gary_poster> because they are pretty similar
[16:24] <gary_poster> So you could take those two
[16:24] <gary_poster> Or...
[16:24] <gary_poster> You could take 739141 in Quick Jobs
[16:24] <gary_poster> Or...
[16:25] <gary_poster> you could take one of the two bottom cards in FW 1:
[16:25] <gary_poster> Team subscriptions should support a personal opt-out feature, exposed on edit page and unsub-in-anger page
[16:25] <gary_poster> or
[16:25] <gmb> gary_poster: r=me with a couple of tweaks.
[16:25] <gmb> \0\
[16:25] <gmb> Hah.
[16:25] <gmb> It was so hard to review I broke my arm.
[16:25] <gary_poster> I thought it was [gmb covers his ears in pain]
[16:25] <gary_poster> :-)
[16:25] <gmb> :)
[16:25] <gary_poster> great thanks gmb!
[16:25] <gmb> np
[16:25] <gary_poster> danilos: last one: Structural subscription edit/delete page should also allow adds
[16:26] <gmb> I'm going to go and get a very large cup of tea now.
[16:26] <danilos> re 740640, "enforce no-scary-XSS-chars in the DB" means basically entire 740640?
[16:26]  * gmb knows this was just a warm up for the client-side work.
[16:26] <gary_poster> gmb, :-)
[16:27] <gary_poster> danilos, I don't understand question.  740640 means minimally the DB stuff, and I'd like to include JS-prettification too (of a similar sort to the tag approach, whatever that will be).
[16:29] <danilos> gary_poster, right, so my question is: should I consider it a single task, or two separate tasks?
[16:30] <gary_poster> danilos, ok.  up to you.  I won't consider it done (i.e., something we can forget about) until both aspects are done, but we can arrange that a variety of ways.
[16:31] <danilos> gary_poster, right, sounds good
[16:31] <danilos> benji, so it's ok to take the card away from you? :)
[16:31] <gary_poster> cool, danilos.  benji is mking patty melts, don't bother him, it's a dangerous operation. ;-)  He volunteered the idea, so I think it's alright
[16:32] <danilos> heh, ok
[16:32]  * benji runs away from the melted cheese explosion.
[16:33] <gary_poster> :-)
[16:45] <danilos> gary_poster, oh, on the topic of JS prettification, I don't really see what needs doing if we just want to escape stuff so it works
[16:45] <danilos> (works == avoids XSS)
[16:47] <gary_poster> danilos, here's the story.  it's just like with tags.  Let's say I want to make a name that has some unacceptable characters in it (e.g., "importance >= high")
[16:47] <gary_poster> should we communicate that nicely?
[16:48] <gary_poster> or will your new error handling be nice enough that everything will just work?  I suspect that the error communication might need work, but maybe not
[16:48] <danilos> gary_poster, so do we have a rule that some characters are unacceptable? in cases like this (XSS attack protection), that's best done with a white list, but white listing means we also stop people from using all alphabets of the world
[16:50] <gary_poster> danilos, if I were doing it, I probably would have done it with a blacklist, excluding characters that are escaped for HTML.  I agree that a whitelist would be safer.  What do you think?
[16:52] <danilos> gary_poster, well, I wouldn't "exclude" anything, I'd just escape it where appropriate so it never gets executed; I agree that's the least safe of the options (iow, it's easiest to break it), but it does have the benefit of allowing people to have subscriptions named "<important>" if they want to, which would make it much easier to filter on than say just "important"
[16:52] <danilos> gary_poster, or, your example
[16:54] <gary_poster> danilos, the problem is that the values are dumped into the page by lazr.restful with automation.  Changing that behavior is not something that I want to commission right now.
[16:54] <gary_poster> Moreover, we have multiple examples of precedence in LP for this exclusion pattern
[16:55] <danilos> gary_poster, oh, that does sound sucky...
[16:56] <danilos> gary_poster, and did you mean a precedent?
[16:56] <gary_poster> yeah danilos.  ...I actually don't know for sure if I can use precedence in that way :-P
[16:57] <gary_poster> I could have said "multiple precidents" I guess :-)
[16:57] <danilos> heh, yeah
[16:57] <gary_poster> precedents
[16:57] <gary_poster> presidents!
[16:57] <danilos> oh, we've got Putin in Belgrade today, it was a mess getting around the city, half of the streets closed
[16:57] <gary_poster> oh, I bet
[16:58] <danilos> just like it was 6 months ago when we had Hilary Clinton
[16:58] <danilos> it's especially nice since my office is right across the street from the national parliament
[16:58] <danilos> anywaaay
[16:58] <gary_poster> I guess it makes sense that she would get similar treatment
[16:59] <gary_poster> secretary of state is pretty high up
[16:59] <gary_poster> but not as much as pres, of course
[16:59] <danilos> Putin is a prime minister now, I think
[17:00] <danilos> though, not really sure what to do with the XSS stuff; so, basically, your suggestion is to *disallow* all HTML code and alert user of the fact?
[17:00] <gary_poster> yeah
[17:00] <gary_poster> just like with tags
[17:03] <bac> gary_poster: https://bugs.launchpad.net/launchpad/+bug/412178
[17:03] <_mup_> Bug #412178: Link to subscribe to a project group's bugmail should be on the bugs facet <confusing-ui> <lp-bugs> <ui> <Launchpad itself:Triaged> < https://launchpad.net/bugs/412178 >
[17:04] <gary_poster> bac, so yay?
[17:05] <bac> gary_poster: there is discussion in the bug about where to put the link
[17:05] <gary_poster> ah, k
[17:05] <bac> it is confusing b/c someone put it there anyway:  https://bugs.launchpad.net/bazaar
[17:05] <bac> it is in an odd place
[17:05] <bac> if i can make it work, i'll just keep it in the same odd place for now
[17:06]  * benji looks at the board for another task.
[17:07] <benji> Oh, I was supposed to talk to Leonard again, I'll do that first.
[17:07] <gary_poster> benji, ok, then see the list of things I offered to danilos
[17:07] <benji> k
[17:08] <gary_poster> Team subscriptions should support a personal opt-out feature, exposed on edit page and unsub-in-anger page is a good one, and...
[17:08] <gary_poster> Structural subscription edit/delete page should also allow adds
[17:09] <gary_poster> bac, putting it in a non-weird place is harder?  I.e., like the main page?
[17:09] <gary_poster> Or just needs more thinking?
[17:09] <bac> gary_poster: more thinking.  probably should just create an actions portlet like other pages
[17:10] <bac> but, that's the kind of thing that would possibly give curtis fits -- hard to tell
[17:10] <gary_poster> bac, actions portlet seemed like a reasonable/"obvious" solution to me.  Maybe give Curtis the option, then?
[17:10] <gary_poster> we are on team lead call right now
[17:11] <gary_poster> and he is leader
[17:11] <bac> ok
[17:11] <bac> gary_poster: if i can make it work in the current place i'd like to defer any redesign until all other pillars work
[17:11] <gary_poster> bac, ok, will defer to you.
[17:14] <gary_poster> bac, I tried to look at the tests; I didn't quite understand how to do them yet, but I only stared at them briefly.  I've had a lot of interruptions, and now I want to get the small changes to the server branch done and sent to ec2 (where I suspect there will be problems) after the team lead call before I restart trying to share the task with you.
[17:35] <benji> gary_poster: unless you have another preference, I'll pick 739141 back up
[17:35] <gary_poster> benji, cool
[18:03] <gary_poster> gmb, I don't understand your last comment, actually.  You want a newline somewhere around
[18:03] <gary_poster> 601	+            required=False))
[18:03] <gary_poster> 602	+    @call_with(subscribed_by=REQUEST_USER)
[18:03] <gary_poster> but that kind of export annotation is all over the file without newlines
[18:03] <gary_poster> and they all are pertinent to the method that eventually shows up
[18:04] <gary_poster> so I'm not even quite sure which newline is pertinent.
[18:05] <gary_poster> (i.e., before the @call_with line or after)
[18:05] <gary_poster> I'm guessing before
[18:09] <gary_poster> I'm taking a late lunch.  Back in a abit
[18:31] <bac> gary_poster: here are the changes required to support project groups: http://pastebin.ubuntu.com/584427/
[18:31] <bac> i've pushed them to  lp:~bac/launchpad/yellow-accordionoverlay
[18:44] <gmb> gary_poster: Ah, I've made the mistake of thinking that the @call_with is the start of a new decorator stack for a new method. So ignore that.
[19:00] <gary_poster> cool gmb thanks
[19:02] <gary_poster> how much of that is boilerplate, bac?
[19:03] <bac> gary_poster: 68%
[19:03] <gary_poster> :-)
[19:03] <gary_poster> ok
[19:03] <bac> project group is oh so special
[19:03] <bac> just like everything else
[19:03] <gary_poster> heh
[19:03] <bac> gary_poster: we have a problem with some of the "hand constructed" links
[19:04] <bac> they are wrapped as a <tr>.  i had to mark the <tr> as the menu link so that both the text and icon are clickable
[19:04] <gary_poster> Ah I think I understand.
[19:04] <bac> but in doing so, the js-action class is not being properly displayed as green
[19:04] <gary_poster> :-/
[19:04] <gary_poster> can we change in CSS safely, or not so much?
[19:05] <bac> i haven't looked yet.
[19:05] <gary_poster> k
[19:06] <bac> gary_poster: i am going to work on productseries
[19:08] <gary_poster> ok
[19:32] <gary_poster> benji, I'd like to delegate to you :-P .  On the team lead call, in the context of anoter XSS problem, I mentioned the issues you unearthed about lazr.restful and XSS.  Francis asked me to write an email about the issues to start a conversation about the lazr.restful aspects of this.  (Other people may be bringing up XSS but with a different focus.)
[19:32] <gary_poster> I think you'd be a better person to write that email, to be sent to launchpad-dev.  Ideally it would be done before next Wednesday.  You up for that?  If so, I'll add a "quick job" card.
[19:33] <benji> gary_poster: yep, sounds good
[19:33] <gary_poster> cool thank you
[19:33] <benji> with any luck my pending_notifications will have figured it out by then
[19:37] <benji> heh; pending_notifications was supposed to be my subconscious; maybe that means something
[19:49] <gary_poster> lol
[19:50] <gary_poster> bac, I am going to try distributionsourcepackage for lack of any better ideas
[19:51] <bac> ok
[20:18] <gary_poster> bac, is there a reason why you did """def xsubscribe(self):" instead of deleting the subscribe method?
[20:18] <gary_poster> Or, when should I do that?
[20:18] <bac> gary_poster: debug issue. merge again
[20:18] <gary_poster> bac, ack thanks
[20:22] <bac> gary_poster: i've hit a snag testing product series
[20:23] <bac> it was done very similarly to the others.  but in the page template the feature flag is never set.  vexing.
[20:23] <gary_poster> :-/
[20:27] <gary_poster> bac, I'd help if I could.  If I get to the end of mine and you are still stuck I'll stare at it with you.
[20:28] <bac> deal
[20:40] <gary_poster> bac, I have three menus that I changed in the code to conditionally show the new add form, but I can only find two of them throught the UI.  Do you have any strategies to know what is being added where?
[20:40] <bac> gary_poster: three?  what are they?
[20:40] <bac> usually there is just an overview menu and a bugs menu
[20:41] <gary_poster> DistributionSourcePackageOverviewMenu
[20:41] <gary_poster> DistributionSourcePackageBugsMenu
[20:41] <gary_poster> DistributionSourcePackageActionMenu
[20:41] <gary_poster> all three of them had "subscribe"
[20:41] <gary_poster> I guess I grep for the associated interfaces...
[20:42] <gary_poster> ok maybe not
[20:43] <bac> gary_poster: congratulations.  it looks like you found a non-standard one too!
[20:43] <gary_poster> :-)
[20:45] <bac> gary_poster: a quick glance makes me think  DistributionSourcePackageActionMenu and Bugs are the two you want
[20:46] <bac> the OverviewMenu one is a NavigationMenu not an ApplicationMenu
[20:46] <gary_poster> bac, I have no clue about this stuff, but OverviewMenu had "subscribe" in it too...
[20:46] <bac> not that it means anything
[20:47] <bac> gary_poster: yeah, i see it
[20:47] <gary_poster> I don't know what the practical diff is between Nav menu and App menu
[20:47] <bac> gary_poster: but looking at https://launchpad.net/ubuntu/+source/live-boot i don't see anything to do with that menu
[20:47] <gary_poster> This may be my first exposure to the menu system, in fact
[20:47] <gary_poster> other than believing that I've heard Curtis did it
[20:50] <bac> gary_poster: the one you aren't using is used for the links following "This package has"
[20:50] <bac> it should not have a subscribe link in it, i'll bet
[20:51] <bac> gary_poster: does tal:condition="python:" do shortcutting?
[20:51] <bac> can i do tal:condition="python: False and something_that_doesnot_exist"
[20:51] <gary_poster> yes, I am pretty sure so, bac
[20:51] <bac> hmm
[20:51] <bac> i would've thought so too
[20:51] <gary_poster> course you should also be able to do
[20:52] <gary_poster> tal:condition="something_that_doesnot_exist|nothing"
[20:52] <bac> sure
[20:52] <gary_poster> shortcutting is not working?
[20:52] <bac> i actually have another condition that i replaced with False for the example
[20:52] <gary_poster> gotcha
[20:53] <gary_poster> bac, you said, "the one you aren't using is used for the links following "This package has"".  Teaching me to fish, how did you determine that?
[20:53] <bac> by looking at the links it defined and then scouring the page template
[20:54] <gary_poster> heh
[20:54] <gary_poster> the template or the rendered version?
[20:54] <bac> it is the one called view/overview.  the other's use is hidden behind the @@/global-actions
[20:54] <bac> it is WAY more confusing than is sane
[20:55] <bac> menuing is so complicate that i can't ferret out the essential bits from the stuff there only to drive you crazy
[20:56] <bac> i looked at the actual page template
[20:56] <gary_poster> gotcha
[21:03] <gary_poster> so I should try removing subscribe entirely and see what happens, maybe from DistributionSourcePackageActionMenu?  No, that's the one that's used on the right of the main page.  Ah, no it isn't, I see, it is registered against the view, and that's the view/menu you were talking about in the template!
[21:03] <gary_poster> ok...trying to understand where the overview is used now...
[21:03] <gary_poster> (So, yes, I think I should remove it from the ActionMenu, as you suggested initially)
[21:04] <gary_poster> argh!
[21:04] <gary_poster> except that doesn't make any sense!
[21:05] <gary_poster> the template is using open_questions and new_bugs for view:menu
[21:05] <gary_poster> oh, which are available off of DistributionSourcePackageLinksMixin, which is in fact mixed in...
[21:06] <gary_poster> so maybe the entire links collection on DistributionSourcePackageActionMenu is a red herring?
[21:06] <gary_poster> :-(
[21:08] <gary_poster> maybe used by ../templates/distributionsourcepackage-portlet-pub-details.pt ?
[21:08] <gary_poster> trying
[21:09] <gary_poster> no
[21:09] <gary_poster> I'm starting to think that all of the code on that menu class is a red herring
[21:10] <gary_poster> and the only thing it needs is the mixin and the interface declarations.  Going to try it
[21:12] <gary_poster> nope, that removes it from the right hand side :-/
[21:21] <bac> gary_poster: :(
[21:21] <bac> sorry, i wasn't following along at home.  looks entertaining, though
[21:21] <bac> so in my tests, if i get a view and render it to html and then print the html, i always see:
[21:22] <bac>  Features: {'malone.advanced-structural-subscriptions.enabled': None}
[21:22] <bac> regardless of the state of the feature flag i've set.
[21:22] <bac> i find this highly disconcerting
[21:23] <gary_poster> np.  experimentation has proved that (1) DistributionSourcePackageActionMenu's subscribe menu option is the one that is rendered for the overview page; (2) deleting DistributionSourcePackageOverviewMenu's subscribe menu option does not break anything I can see;
[21:23] <gary_poster> (3) deleting *all* links from DistributionSourcePackageOverviewMenu's  does break things; and (4) I don't know what's going on.
[21:23] <gary_poster> I'm going to try remove the other links that don't appear to be used in DistributionSourcePackageOverviewMenu.
[21:24] <gary_poster> well, on the bright side, for yours, you at least know that the feature flag is the problem, bac.  I'd suspect a rogue request replacing the one you think you are using...or Something Else.  Possibly alien in origin.
[21:24] <bac> EXCEPT, the tests behave as expected but for two
[21:25] <gary_poster> :-/
[21:25] <bac> so even though the state is printed as None in the summary, the value appears to be correct when evaluated
[21:25] <bac> figure that one out
[21:26]  * gary_poster whimpers
[21:26] <bac> i wonder if that message is using the db feature flag value and not the one from the fixture?
[21:26] <bac> how could that be?
[21:26] <bac> it can't
[21:26]  * bac tests anyway
[21:26] <gary_poster> k, 'caue I dunno
[21:26] <gary_poster> s
[21:31] <gary_poster> for my mystery, I am changing DistributionSourcePackageOverviewMenu's links = ['subscribe', 'publishinghistory', 'edit', 'new_bugs', 'open_questions']  to links = ['new_bugs', 'open_questions'].  That doesn't appear to change a darn thing.  Then I only change two menus, as I'd expect.
[21:32] <gary_poster> and now for the tests...
[21:33] <bac> gary, could you fix distributionsourcepackage-index.pt
[21:34] <bac> it has malone.advanced-structural-subscriptions.enabled
[21:34] <bac> no
[21:34] <gary_poster> ?
[21:34] <bac> it has           <div class="package-details"
[21:34] <bac>                tal:attributes="id string:pub${pubid}-container" />
[21:34] <bac> which is invalid html markup
[21:34] <bac> div cannot be self-closing
[21:34] <bac> safari just yelled at me
[21:35] <gary_poster> l
[21:35] <gary_poster> k
[21:35] <gary_poster> done
[21:46] <gary_poster> bac, if you have a second to glance over a diff, I will feel comfortable merging this.
[21:46] <gary_poster> http://pastebin.ubuntu.com/584506/
[21:46] <gary_poster> I disabled two of the tests
[21:46] <gary_poster> Because distribution source packages do not have owners AFAICT
[21:47] <bac> looks great gary
[21:47] <bac> er, gary_poster
[21:47] <gary_poster> cool thanks bac
[21:47] <gary_poster> I am pinged by gary too
[21:47] <bac> ok
[21:48] <gary_poster> thanks, will merge
[21:48] <bac> gary_poster: are you merging to the yellow branch?
[21:48] <gary_poster> oh, right
[21:48] <gary_poster> there's that
[21:48] <gary_poster> what do you want to do?
[21:48] <bac> gary_poster: why don't you push it and i'll merge into mine
[21:49] <gary_poster> ok
[21:49] <bac> or we could make a new branch on ~yellow
[21:49] <bac> just let me know
[21:49] <gary_poster> I suspect there will be a small conflict with your most recent changes; I'll merge that first
[21:49] <bac> ok
[21:49] <gary_poster> I'm happy either way
[21:50] <gary_poster> ah, no, I was up-to-date
[21:51] <bac> gary_poster: you should check this out from david siegel.  it's a pretty nice reminder to get up and walk around
[21:51] <bac> http://iamfutureproof.com/
[21:51] <bac> it shows i haven't taken a break in 2h29m
[21:51] <bac> so, time for a lap around the yard
[21:51] <gary_poster> cool, bac, thanks!  downloading
[21:53] <gary_poster> I pushed to lp:~yellow/launchpad/accordionoverlay-links bac
[21:54] <gary_poster> Then I did bzr pull --remember lp:~yellow/launchpad/accordionoverlay-links
[21:54] <gary_poster> so I'll pull from there from now on
[21:54] <gary_poster> bac, I'm sorry but I'm going to call it a day
[21:55] <gary_poster> I'll be ready to help out more tomorry morning
[21:55] <gary_poster> bye all