=== wallyworld_ changed the topic of #launchpad-dev to: https://dev.launchpad.net/ | On call reviewer:wallyworld | Firefighting: - | Critical bugtasks: 4*10^2
wgrantMmmm, readable loggerhead00:10
wgrantA nice change.00:10
StevenKI did wonder if a NDT would update loggerhead00:11
wgrantStill needs to be degnomed a bit more00:11
wgrantBut much better00:11
poolieis it just me or does the 'add an attachment' link on bugs now lose the text you already entered?00:41
lifelesswallyworld_: yes00:44
wallyworld_lifeless: cool. cause i was thinking we would have a standard set of helpers to do the equivalent of out standard tal formatters for person etc00:45
lifelessyou'd probably use partials for that00:46
* wallyworld_ hasn't read the doco yet00:46
lifelesshelpers should be used when you need host language logic00:46
lifelesspartials should be used when you want to reuse a template elsewhere00:46
lifeless{{> person assignee}00:47
lifelessfor instance00:47
wallyworld_i am thinking about the +sharing view00:47
lifelessbah, }} at the end, but you get the idea00:47
wallyworld_for now, i might just hard code the formatting00:47
lifeless{{> <partialname> <contextpath>}}00:47
wallyworld_lifeless: is it on anyone's todo list to do the handlebars bundling?00:48
lifelessso, handlebars is in yui3.500:49
lifelessI imagine rick or deryck are likely to step up and do that00:49
StevenKBlocked on combo loader00:49
wallyworld_ah, cool. but i guess we need something to use till then, or we can wait00:49
lifelessyou can use mustache now (and pystache || pybars on the server)00:49
wallyworld_it's just prototyping atm so will do00:50
lifelesspystache has some wtf's apparently :) - pybars is in the download cache, if you wanted to play with it and tell me what you think00:51
wallyworld_lifeless: i was looking to do the rendering on the client00:51
lifelesswallyworld_: oh sure00:51
wallyworld_lifeless: still, server side vs client side rendering is something that needs some thought etc00:52
wallyworld_one argument is that all rendering should be done client side00:52
wallyworld_after getting json data from the server00:52
StevenKwgrant: Is qas's database back to FK goodness?00:52
wallyworld_s/from the server/using the api00:53
lifelesswallyworld_: you have been following the thread on that right ?00:54
wgrantStevenK: No00:55
lifelesswallyworld_: there is a proposed standard for us00:55
wgrantStevenK: Hopefully tonight.00:55
wallyworld_lifeless: i was about to re-read it, i think it was advocating getting as much stuff from the api as possible00:55
lifelessif you use innerHTML with something containing a script section, does that script section run ?01:07
wallyworld_lifeless: don't think so, not in a consistent and portable way01:11
wallyworld_lifeless: if you need it i would claim the design is broken01:12
lifelesswallyworld_: its the reverse, I'm assessing some security risks01:12
wallyworld_in our stuff?01:13
lifelessit would terrify me if it worked ever01:13
wallyworld_it can be made to work01:13
wallyworld_for not in a portable way afaik01:13
lifelessif it ever works, thats sufficiently terrifying01:13
wallyworld_lifeless: one example, possibly old, for ie, you can mark a script tag with DEFER and it will execute when set vua innerhtml01:14
wallyworld_not sure if that's still the case, ymmv etc01:15
wallyworld_what i'm saying is people have found ways to do it i think01:15
lifeless-> it means folk /wanting/ it to work can probably do so, but folk can't (and shouldn't rely on it just working01:17
wallyworld_and we should actively discourage/forbid it :-)01:17
wgrantlifeless: How is that terrifying?01:18
lifelessit also means that folk which want to us js to customise delivered html to another site, can't reliably do so (and those sites would be crazy to accept it)01:18
lifelesswgrant: its off-site js all over again01:18
wgrant...., yes that's why you don't use innerHTML01:18
wgrant<script> blocks not running is not a security feature.01:18
wgrantIt's just because of how things work01:18
wgrantYou can still use onclick/onhover etc to execute code01:18
wgrantinnerHTML is in no way safe to use with untrusted data.01:18
lifelessI know01:19
lifelessI wasn't thinking it was, I was seeking confirmation that it wasn't01:19
* wallyworld_ wishes we didn't use innerHTML so often in our code01:19
lifelessso onlick/onhover etc events *will* run ? With frame and frameset being gone in html5...01:19
wgrantIf you're using innerHTML in your code, you are doing it wrong.01:19
wgrantlifeless: Yes01:19
wallyworld_wgrant:  s/are/were01:19
wgrantwallyworld_: Hm?01:20
lifelesswallyworld_: tense mismatch there01:20
wallyworld_we don't do it anymore i don't think, what's there is mostly lazrjs stuff01:20
wgrantwallyworld_: That code is still doing it wrong.01:20
wallyworld_yes, not disagreeing01:20
wgrantlifeless: HTML5 still has iframe, doesn't it?01:20
wallyworld_just saying it's legacy and we don't do it for new code01:20
lifelessah indeed, missed that01:20
wgrantAnd nobody real has used a frameset for a long time.01:21
* wgrant has never understood why HTML5 doesn't make XHTML mandatory :(01:22
lifelessbecause then they would have N+1 problems :P01:22
lifelessiframe execution context is that of the originating server IIRC, so thats somewhat sane01:23
wgrantlifeless: Yes01:23
wgrantNo non-infrastructure code is permitted to use innerHTML.01:23
wgrantAnd infrastructure code that uses it will be looked at with great scrutiny.01:23
wgrantAnd anybody who uses innerHTML will be slapped, hard :)01:23
wgrantlifeless: HTML5 still permits crap like unquoted attributes, implicit empty elements, etc.01:25
wgrantThat helps *noone*.01:25
StevenKBah. +36/-3601:32
StevenKI think I've fixed all the failures in bugs at least01:33
lifelesswgrant: so, what does mustache use ;)01:38
lifeless https://github.com/amoffat/pbs#readme01:49
lifelessanyone here played more than trivially with juju ?01:52
StevenKwgrant: Is there a bug for this IBug leaking?01:55
StevenKwgrant: And can I have that API URL you used yesterday so I can see what .dev against this branch gives.01:56
wgrantStevenK: Just look at the duplicate_of of a dupe of a private bug.01:56
wgrantlifeless: Does mustache use anything?01:57
wgrantlifeless: It generates HTML01:57
wgrantIt doesn't inject it AFAIK01:57
StevenKwgrant: I was talking about the API URL you gave me to show me just how much IBug leaks.01:58
wgrant15:53:30 < wgrant> Grab https://bugs.qastaging.launchpad.net/api/devel/bugs/718213/duplicate_of?ws.accept=application/json as anonymous01:58
_mup_Bug #718213: Can't access due to content. <Internet Archive - Tech Support:New> < https://launchpad.net/bugs/718213 >01:58
StevenKRight, so to test on .dev I need to make a private bug, and have a public one as a duplicate of it, and then massage that URL against the public bug?01:59
wgrantEnsuring that you can't see the private bug.02:00
StevenKWaiting to see if I've fixed all the -m bugs failures first02:00
lifelesswgrant: so, if someone *uses* mustache, how do they expose their html?02:01
wgrantlifeless: Probably using their framework's methods that are similar to innerHTML.02:01
wgrantWhich will internally use innerHTML.02:02
wgrantAnd are pretty much as unsafe.02:02
wgrantBut this would normally be encapsulated in your infrastructure.02:02
wgrantYou're unlikely to be rendering templates directly in your day-to-day JS.02:02
lifelessgary_poster: https://github.com/amoffat/pbs#readme might be interesting for setuplxc02:07
wgrantlifeless: That looks like a really good way to be vulnerable.02:08
gary_posterlifeless, looks fun.  More magical than I'm interested in atm, but maybe my tastes will change. :-)02:12
lifelesselmo pointed me at it when looking at the setuplxc ticket02:17
huwshimiwallyworld_: Hi, on lp.net the "affects me" selection dialogue looks like it might have been affected by your changes to add the descriptions to bug statuses...03:25
huwshimi(I'm not sure if this is some kind of feature flag fallout)03:26
wallyworld_huwshimi: the empty span?03:26
huwshimiwallyworld_: Yea, there's an extra empty row after the title03:27
wallyworld_could be a side effect of choicesource widget changes03:27
wallyworld_i'll file a bug etc03:28
huwshimiwallyworld_: Thanks :)03:33
wallyworld_np, thanks for letting me know03:33
huwshimiwallyworld_: I'm a little preoccupied otherwise I would have filed a bug myself :)03:35
StevenKHmmm, it still returns 37 things03:51
StevenKI was expecting less03:53
wgrantStevenK: The API? It replaces forbidden things with the redacted tag03:55
wgrantRather than omitting them.03:55
StevenKwgrant: Ah, so it's going to continue to return 37 things, but a lot more will be redacted?03:57
StevenKBleh, okay.03:59
* StevenK pushes up this branch03:59
wallyworldwgrant: what were your thoughts on bulk insert returning entire instantiated objects just to get the ids?04:00
wgrantwallyworld: Fixed.04:01
wallyworldok, cool. thanks04:01
wgrantwallyworld: I considered doing that initially, but decided it wasn't worth it. But you convinced me.04:01
wgrantThere's now get_objects and get_primary_keys args04:01
wgrantmutually exclusive.04:01
wallyworldnp. i just saw the mp->approved and didn't realise you had changed to code04:01
StevenKIs there a bug for IBug being leaky?04:03
wgrantDon't think so.04:04
StevenKwgrant: prod-revnos is AssertionErroring04:05
wgrantI blame acamar04:05
StevenKI thought you might04:05
* wgrant waits for openid...04:06
wgrant'tis an awful, awful script.04:06
wgrantssh: connect to host acamar port 22: Connection refused04:07
wgrantBut it's meant to handle that.04:07
StevenKRefused is a bit harsh04:08
wgrantIt's because it was crashing the script.04:08
wgrantThe deploymgr revno check thing doesn't log at the start of its run, only at the end.04:08
wgrantSo I split the log based on the final line, which isn't there04:09
wgrantShould work next hour.04:09
StevenKBug 94004404:10
_mup_Bug #940044: IBug is leaky as a rusty sieve <disclosure> <Launchpad itself:Triaged> < https://launchpad.net/bugs/940044 >04:11
StevenKwallyworld: O hai, Mr OCR.04:11
wallyworldhas review for me?04:12
StevenKLurch: https://code.launchpad.net/~stevenk/launchpad/less-bug-leakage/+merge/9449504:12
StevenKPity wgrant won't get that joke04:12
wallyworldyou rang?04:12
wgrantHa ha04:13
wallyworldStevenK: lines 22,23 - why not use rSP there also?04:17
wallyworldalso 84,8504:18
wgrantrSP 4 eva04:18
StevenKBecause I didn't want to overuse it04:19
wallyworldin tests, to get data needed to run the test, i think it's ok04:19
wgrantAgreed, in those contexts it makes sense.04:19
wgrantAnd it's much faster.04:19
wallyworldand more consistent with 1. the changes in this mp and 2. other usages in factory04:20
wgrantI'm pleasantly surprised there's so little fallout.04:22
StevenKwallyworld: Okay, I've made that change locally04:22
wgrantIt won't be quite so easy when it comes to private projects in a couple of months :(04:22
StevenKwgrant: I'm pleasantly surprised you're happy with my changes. :-P04:24
wgrantI am usually happy with good changes :P04:24
wallyworldStevenK: r=meeeeeeee04:24
StevenKwallyworld: Pushing up the rSP change04:24
StevenKI'm happy the branch ends up as +37/-4204:25
wgrantMore likely to be Unity.04:30
StevenKTrue, but I can hope.04:31
StevenKI think I may have to switch to making fun of dodo users, rather than TPG users.04:31
wgrantwebservice tests are slow :(04:31
StevenKwgrant: Can haz pointer to IBug traversal?04:32
wgrantBugTargetTraversalMixin for one.04:32
StevenKThere's more than one? I am disappoint.04:33
wgrantYeah, that's +bug04:33
wgrant /bugs is somewhere else, probably MaloneApplicationNavigation04:34
wgrantNow, the question we must all ask ourselves eventually.04:48
wgrantWill Unity crash before I open my third terminal this time...04:48
wgrantApparently not.04:49
* StevenK tries to figure out where BugTargetTraversalMixin is tested04:58
StevenKlib/lp/bugs/browser/tests/test_bugtask_navigation.py lies, that is testing MaloneApplicationNavigation04:58
wallyworldStevenK: it was unity / compiz. been quite bad last couple of days :-(05:01
=== almaisan-away is now known as al-maisan
* wallyworld does school run05:01
=== al-maisan is now known as almaisan-away
* StevenK blinks05:29
StevenKAssertionError: Name "+bug/16" is not registered as a view or navigation step for "Product" on "bugs".05:29
wallyworldwgrant: my new services branch which merged earlier today will conflict with your mp06:21
wallyworldyou will want to merge trunk if you haven't already done so06:22
wallyworldand rename the InformationVisibility enum in the services test06:22
wgrantwallyworld: Ah, I think I was one rev behind that.06:25
* wgrant fixes.06:25
wallyworldwgrant: why are there bulk insert changes for eg BinaryPackagePublishingHistory in the mp?06:25
wallyworldnot related to the core work in the mp06:26
wgrantwallyworld: Ah, I guess I forgot to set the prereq.06:26
* wgrant fixes.06:26
wallyworldthanks :-)06:26
wgranthttps://code.launchpad.net/~wgrant/launchpad/multipolicy-3/+merge/94501 will hopefully be better06:27
* wallyworld looks06:29
wallyworldah 600 lines smaller :-)06:29
wgrantInformationVisibilityPolicy replaced.06:33
wallyworldwgrant: the IAccessXXX interfaces and attributes are very light on doc strings06:35
wgrantIndeed. You probably want some.06:35
wallyworldyes please, not just for me necessarily06:35
wallyworldsince this is new for everyone outside purple, feel free to be verbose :-)06:36
=== almaisan-away is now known as al-maisan
=== al-maisan is now known as almaisan-away
=== wallyworld changed the topic of #launchpad-dev to: https://dev.launchpad.net/ | On call reviewer: - | Firefighting: - | Critical bugtasks: 4*10^2
adeuringgood morning08:55
=== almaisan-away is now known as al-maisan
=== adeuring changed the topic of #launchpad-dev to: https://dev.launchpad.net/ | On call reviewer: adeuring | Firefighting: - | Critical bugtasks: 4*10^2
=== al-maisan is now known as almaisan-away
=== matsubara-afk is now known as matsubara
=== danhg_ is now known as danhg
=== bac changed the topic of #launchpad-dev to: https://dev.launchpad.net/ | On call reviewer: adeuring,bac | Firefighting: - | Critical bugtasks: 4*10^2
bacgood morning abel.  much going on today?12:29
czajkowskifor launchpad mailing lists, is there a way to see who is a moderator on a ml or is it just the team owner who can see it ?12:51
wgrantczajkowski: The team admins are the moderators.12:52
czajkowskiwgrant: thats what I thought12:52
=== almaisan-away is now known as al-maisan
adeuringmorning bac, quiet day so far.13:08
bacadeuring: cool.  i think i'll tackle william's MP shortly13:09
bacadeuring: heads up -- i'll be out for the next three fridays.13:09
adeuringbac: ok, thanks for the warning ;)13:13
=== Ursinha_ is now known as Guest31670
deryckMorning, all.14:01
czajkowskideryck: hello how is the wife is she feeling better?14:02
deryckczajkowski, yes, much better14:06
abentleyadeuring: Good morning.14:10
adeuringmorning abentley14:10
abentleyadeuring: How's it going?14:10
adeuringabentley: fine, though I haven't yet done much on the card you created yesterday14:12
abentleyadeuring: Cool.14:12
deryckadeuring, /extras/talk.google.com/orange-standup14:33
deryckadeuring, sorry, https://plus.google.com/hangouts/extras/talk.google.com/orange-standup14:33
jtvflacoste: allenap, rvba & I were discussing the naming scheme for Maas API versions.  What would you prefer — "v1", or "1.0", or …?14:47
flacostejtv: blue14:47
jtvfrankban: Come on, help us a bit here, this is our copout plan.  :-)14:47
jtvAhem.  I meant flacoste.14:47
flacosteyou are not the first to make the association :-)14:48
flacostethen use 2314:48
flacosteand power of 23 from then on14:48
jtvflacoste: just thinking because of the long-term implications, you might have some grand standard scheme.14:48
jtvUniformity and all that.14:48
flacoste1.0 is fine14:48
jtvSince we're a fun company of individuals.14:48
flacostesimilar to what we do in lp14:48
rvba/api/v1.0/ then?14:49
jtvSee, that wasn't so hard.  Ask the Boss Engineering works.  :)14:49
rvbaor /v1.0/api ?14:49
jtvrvba: definitely /api/ first.14:49
jtvOr we'll be inviting an unholy mess of paths.14:49
rvbaNot what twitter does fwiw. Nor http://musicsearch.ubuntu.com/.14:49
rvbaOk, twitter uses api.twitter.com ;)14:50
jtvThat makes all the difference.  We on the other hand have a bunch of path trees on one hostname.14:56
rvbaTrue,  /api/1.0/ it is then.14:59
salgadobac, adeuring, I've just added a small one for review :)15:06
adeuringsalgado: I'll look15:06
salgadothanks adeuring!15:13
=== salgado is now known as salgado-lunch
abentleyadeuring: can we chat about the jobs stuff?15:32
adeuringabentley: give me 10 minutes or so, I'm just finishing a review15:32
abentleyadeuring: cool.15:32
=== matsubara is now known as matsubara-lunch
adeuringsalgado-lunch: r=me, some minor nitpicks15:42
adeuringabentley: mumble?15:43
abentleyadeuring: sure.15:43
=== al-maisan is now known as almaisan-away
=== salgado-lunch is now known as salgado
=== danhg_ is now known as danhg
=== Ursinha_ is now known as Guest56087
=== matsubara-lunch is now known as matsubara
sinzuibac: adeuring: Do either of you have time to review https://code.launchpad.net/~sinzui/launchpad/error-pages/+merge/94574 <-there are a lot of find and replace changes in it16:33
bacsinzui: i can16:33
salgadoadeuring, thanks for the review; I've done the changes you suggested and it'd be great if you could land it for me16:45
adeuringsalgado: sure, I'll land it16:54
salgadoadeuring, oh, should I create a bug and link to that so that we can track its qa-untestability or can we just tag the commit as qa-untestable?17:01
adeuringsalgado: right, good idea17:01
salgadooh, hmm. I can no longer assign bugs to arbitrary people?17:08
=== deryck is now known as deryck[lunch]
=== deryck[lunch] is now known as deryck
abentleyderyck: I'm trying to follow https://dev.launchpad.net/EC2Test but the instructions for getting the access credentials don't look right.  Should I be doing something with "Key Pairs"?19:31
derycklet me look....19:31
abentleyderyck: I think I found it.  Got confused because there was no "Account" link.19:34
deryckabentley, yeah, so I do have my credentials in ~/.ec2/aws_id19:34
deryckabentley, but not sure if the how to about getting those is still right. it's been awhile since I did it.19:34
flacostebac: didn't you report a bug similar to bug 939910 in the past?19:46
_mup_Bug #939910: Need to export entry in version "beta" but it's only needed for "devel"  <lazr.restful:Triaged> < https://launchpad.net/bugs/939910 >19:46
bacflacoste: yes, i believe i did19:47
bacflacoste: but i don't see it19:48
flacosteah i know!19:49
flacostefrom IProcessorFamily!19:50
flacostederyck: any news on bug 829074?19:53
_mup_Bug #829074: Show bugs that are not known to affect "official" upstream <bugs> <escalated> <qa-ok> <Launchpad itself:Fix Released by adeuring> < https://launchpad.net/bugs/829074 >19:53
deryckgah.  Forgot to ask again this morning.19:53
deryckflacoste, I'll check with bryce myself now.19:53
deryckflacoste, issue is fixed, stakeholders happy. :)20:13
flacostederyck: you can drop the follow-up from your board :-)20:13
derycklot good that did me. :)20:13
deryckflacoste, what follow up, I don't see it.  or you mean the bug abel was working on?20:23
flacostederyck: yes, the one where you had concerns with the additoinal maintenance costs20:23
deryckflacoste, gotchas.  got it.20:23
=== matsubara is now known as matsubara-afk
=== bac changed the topic of #launchpad-dev to: https://dev.launchpad.net/ | On call reviewer: - | Firefighting: - | Critical bugtasks: 4*10^2
=== almaisan-away is now known as al-maisan
=== al-maisan is now known as almaisan-away
=== _thumper_ is now known as thumper

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!