[00:10] <wgrant> Mmmm, readable loggerhead
[00:10] <wgrant> A nice change.
[00:11] <StevenK> I did wonder if a NDT would update loggerhead
[00:11] <wgrant> Still needs to be degnomed a bit more
[00:11] <wgrant> But much better
[00:41] <poolie> is it just me or does the 'add an attachment' link on bugs now lose the text you already entered?
[00:44] <lifeless> wallyworld_: yes
[00:45] <wallyworld_> lifeless: cool. cause i was thinking we would have a standard set of helpers to do the equivalent of our standard tal formatters for person etc
[00:46] <lifeless> you'd probably use partials for that
[00:46]  * wallyworld_ hasn't read the doco yet
[00:46] <lifeless> helpers should be used when you need host language logic
[00:46] <lifeless> partials should be used when you want to reuse a template elsewhere
[00:46] <wallyworld_> ok
[00:47] <lifeless> {{> person assignee}
[00:47] <lifeless> for instance
[00:47] <wallyworld_> i am thinking about the +sharing view
[00:47] <lifeless> bah, }} at the end, but you get the idea
[00:47] <wallyworld_> for now, i might just hard code the formatting
[00:47] <lifeless> {{> <partialname> <contextpath>}}
[00:48] <wallyworld_> lifeless: is it on anyone's todo list to do the handlebars bundling?
[00:49] <lifeless> so, handlebars is in yui3.5
[00:49] <lifeless> I imagine rick or deryck are likely to step up and do that
[00:49] <StevenK> Blocked on combo loader
[00:49] <wallyworld_> ah, cool. but i guess we need something to use till then, or we can wait
[00:49] <lifeless> indeed
[00:49] <lifeless> you can use mustache now (and pystache || pybars on the server)
[00:50] <wallyworld_> it's just prototyping atm so will do
[00:51] <lifeless> pystache has some wtf's apparently :) - pybars is in the download cache, if you wanted to play with it and tell me what you think
[00:51] <wallyworld_> lifeless: i was looking to do the rendering on the client
[00:51] <lifeless> wallyworld_: oh sure
[00:52] <wallyworld_> lifeless: still, server side vs client side rendering is something that needs some thought etc
[00:52] <wallyworld_> one argument is that all rendering should be done client side
[00:52] <wallyworld_> after getting json data from the server
[00:52] <StevenK> wgrant: Is qas's database back to FK goodness?
[00:53] <wallyworld_> s/from the server/using the api
[00:54] <lifeless> wallyworld_: you have been following the thread on that right ?
[00:55] <wgrant> StevenK: No
[00:55] <lifeless> wallyworld_: there is a proposed standard for us
[00:55] <wgrant> StevenK: Hopefully tonight.
[00:55] <wallyworld_> lifeless: i was about to re-read it, i think it was advocating getting as much stuff from the api as possible
[01:07] <lifeless> if you use innerHTML with something containing a script section, does that script section run ?
[01:11] <wallyworld_> lifeless: don't think so, not in a consistent and portable way
[01:12] <wallyworld_> lifeless: if you need it i would claim the design is broken
[01:12] <lifeless> wallyworld_: its the reverse, I'm assessing some security risks
[01:13] <wallyworld_> in our stuff?
[01:13] <lifeless> it would terrify me if it worked ever
[01:13] <wallyworld_> it can be made to work
[01:13] <wallyworld_> for not in a portable way afaik
[01:13] <lifeless> if it ever works, thats sufficiently terrifying
[01:14] <wallyworld_> lifeless: one example, possibly old, for ie, you can mark a script tag with DEFER and it will execute when set via innerhtml
[01:15] <wallyworld_> not sure if that's still the case, ymmv etc
[01:15] <wallyworld_> what i'm saying is people have found ways to do it i think
[01:17] <lifeless> sure
[01:17] <lifeless> -> it means folk /wanting/ it to work can probably do so, but folk can't (and shouldn't) rely on it just working
[01:17] <wallyworld_> yes
[01:17] <wallyworld_> and we should actively discourage/forbid it :-)
[01:18] <wgrant> lifeless: How is that terrifying?
[01:18] <lifeless> it also means that folk which want to use js to customise delivered html to another site, can't reliably do so (and those sites would be crazy to accept it)
[01:18] <lifeless> wgrant: its off-site js all over again
[01:18] <wgrant> ...., yes that's why you don't use innerHTML
 blocks not running is not a security feature.
[01:18] <wgrant> It's just because of how things work
[01:18] <wgrant> You can still use onclick/onhover etc to execute code
[01:18] <wgrant> innerHTML is in no way safe to use with untrusted data.
[01:19] <lifeless> I know
[01:19] <lifeless> I wasn't thinking it was, I was seeking confirmation that it wasn't
[01:19]  * wallyworld_ wishes we didn't use innerHTML so often in our code
[01:19] <lifeless> so onclick/onhover etc events *will* run ? With frame and frameset being gone in html5...
[01:19] <wgrant> If you're using innerHTML in your code, you are doing it wrong.
[01:19] <wgrant> lifeless: Yes
[01:19] <wallyworld_> wgrant:  s/are/were
[01:20] <wgrant> wallyworld_: Hm?
[01:20] <lifeless> wallyworld_: tense mismatch there
[01:20] <wallyworld_> we don't do it anymore i don't think, what's there is mostly lazrjs stuff
[01:20] <wgrant> wallyworld_: That code is still doing it wrong.
[01:20] <wallyworld_> yes, not disagreeing
[01:20] <wgrant> lifeless: HTML5 still has iframe, doesn't it?
[01:20] <wallyworld_> just saying it's legacy and we don't do it for new code
[01:20] <lifeless> ah indeed, missed that
[01:21] <wgrant> And nobody real has used a frameset for a long time.
[01:22]  * wgrant has never understood why HTML5 doesn't make XHTML mandatory :(
[01:22] <lifeless> because then they would have N+1 problems :P
[01:22] <lifeless> anyhoo
[01:23] <lifeless> iframe execution context is that of the originating server IIRC, so thats somewhat sane
[01:23] <lifeless> bbiab
[01:23] <wgrant> lifeless: Yes
[01:23] <wgrant> No non-infrastructure code is permitted to use innerHTML.
[01:23] <wgrant> And infrastructure code that uses it will be looked at with great scrutiny.
[01:23] <wgrant> And anybody who uses innerHTML will be slapped, hard :)
[01:25] <wgrant> lifeless: HTML5 still permits crap like unquoted attributes, implicit empty elements, etc.
[01:25] <wgrant> That helps *no one*.
[01:32] <StevenK> Bah. +36/-36
[01:33] <StevenK> I think I've fixed all the failures in bugs at least
[01:38] <lifeless> wgrant: so, what does mustache use ;)
[01:49] <lifeless>  https://github.com/amoffat/pbs#readme
[01:52] <lifeless> anyone here played more than trivially with juju ?
[01:55] <StevenK> wgrant: Is there a bug for this IBug leaking?
[01:56] <StevenK> wgrant: And can I have that API URL you used yesterday so I can see what .dev against this branch gives.
[01:56] <wgrant> StevenK: Just look at the duplicate_of of a dupe of a private bug.
[01:57] <wgrant> lifeless: Does mustache use anything?
[01:57] <wgrant> lifeless: It generates HTML
[01:57] <wgrant> It doesn't inject it AFAIK
[01:58] <StevenK> wgrant: I was talking about the API URL you gave me to show me just how much IBug leaks.
[01:58] <wgrant> 15:53:30 < wgrant> Grab https://bugs.qastaging.launchpad.net/api/devel/bugs/718213/duplicate_of?ws.accept=application/json as anonymous
[01:58] <_mup_> Bug #718213: Can't access due to content. <Internet Archive - Tech Support:New> < https://launchpad.net/bugs/718213 >
[01:59] <StevenK> Right, so to test on .dev I need to make a private bug, and have a public one as a duplicate of it, and then massage that URL against the public bug?
[02:00] <wgrant> Yep
[02:00] <wgrant> Ensuring that you can't see the private bug.
[02:00] <StevenK> Right
[02:00] <StevenK> Waiting to see if I've fixed all the -m bugs failures first
[02:01] <lifeless> wgrant: so, if someone *uses* mustache, how do they expose their html?
[02:01] <wgrant> lifeless: Probably using their framework's methods that are similar to innerHTML.
[02:02] <wgrant> Which will internally use innerHTML.
[02:02] <wgrant> And are pretty much as unsafe.
[02:02] <lifeless> tada
[02:02] <wgrant> But this would normally be encapsulated in your infrastructure.
[02:02] <wgrant> You're unlikely to be rendering templates directly in your day-to-day JS.
[02:05] <wgrant> https://code.launchpad.net/~wgrant/launchpad/bulk-insert-errywhere/+merge/94490
[02:07] <lifeless> gary_poster: https://github.com/amoffat/pbs#readme might be interesting for setuplxc
[02:08] <wgrant> lifeless: That looks like a really good way to be vulnerable.
[02:12] <gary_poster> lifeless, looks fun.  More magical than I'm interested in atm, but maybe my tastes will change. :-)
[02:17] <lifeless> :)
[02:17] <lifeless> elmo pointed me at it when looking at the setuplxc ticket
[02:18] <gary_poster> heh
[03:25] <huwshimi> wallyworld_: Hi, on lp.net the "affects me" selection dialogue looks like it might have been affected by your changes to add the descriptions to bug statuses...
[03:26] <huwshimi> (I'm not sure if this is some kind of feature flag fallout)
[03:26] <wallyworld_> huwshimi: the empty span?
[03:27] <huwshimi> wallyworld_: Yea, there's an extra empty row after the title
[03:27] <wallyworld_> could be a side effect of choicesource widget changes
[03:28] <wallyworld_> i'll file a bug etc
[03:33] <huwshimi> wallyworld_: Thanks :)
[03:33] <wallyworld_> np, thanks for letting me know
[03:35] <huwshimi> wallyworld_: I'm a little preoccupied otherwise I would have filed a bug myself :)
[03:35] <wallyworld_> np
[03:51] <StevenK> Hmmm, it still returns 37 things
[03:53] <StevenK> I was expecting less
[03:55] <wgrant> StevenK: The API? It replaces forbidden things with the redacted tag
[03:55] <wgrant> Rather than omitting them.
[03:57] <StevenK> wgrant: Ah, so it's going to continue to return 37 things, but a lot more will be redacted?
[03:58] <wgrant> Yes
[03:59] <StevenK> Bleh, okay.
[03:59]  * StevenK pushes up this branch
[04:00] <wallyworld> wgrant: what were your thoughts on bulk insert returning entire instantiated objects just to get the ids?
[04:01] <wgrant> wallyworld: Fixed.
[04:01] <wallyworld> ok, cool. thanks
[04:01] <wgrant> wallyworld: I considered doing that initially, but decided it wasn't worth it. But you convinced me.
[04:01] <wgrant> There's now get_objects and get_primary_keys args
[04:01] <wgrant> mutually exclusive.
[04:01] <wallyworld> np. i just saw the mp->approved and didn't realise you had changed the code
[04:02] <wgrant> Heh
[04:03] <StevenK> Is there a bug for IBug being leaky?
[04:04] <wgrant> Don't think so.
[04:05] <StevenK> wgrant: prod-revnos is AssertionErroring
[04:05] <wgrant> I blame acamar
[04:05] <StevenK> Haha
[04:05] <StevenK> I thought you might
[04:06]  * wgrant waits for openid...
[04:06] <wgrant> 'tis an awful, awful script.
[04:07] <wgrant> ssh: connect to host acamar port 22: Connection refused
[04:07] <wgrant> But it's meant to handle that.
[04:08] <StevenK> Refused is a bit harsh
[04:08] <wgrant> Ah
[04:08] <wgrant> It's because it was crashing the script.
[04:08] <wgrant> The deploymgr revno check thing doesn't log at the start of its run, only at the end.
[04:09] <wgrant> So I split the log based on the final line, which isn't there
[04:09] <wgrant> Should work next hour.
[04:10] <StevenK> Bug 940044
[04:11] <_mup_> Bug #940044: IBug is leaky as a rusty sieve <disclosure> <Launchpad itself:Triaged> < https://launchpad.net/bugs/940044 >
[04:11] <StevenK> wallyworld: O hai, Mr OCR.
[04:11] <wallyworld> yeeees?
[04:12] <wallyworld> has review for me?
[04:12] <StevenK> Lurch: https://code.launchpad.net/~stevenk/launchpad/less-bug-leakage/+merge/94495
[04:12] <StevenK> Pity wgrant won't get that joke
[04:12] <wallyworld> you rang?
[04:13] <StevenK> ;-)
[04:13] <wgrant> Ha ha
[04:17] <wallyworld> StevenK: lines 22,23 - why not use rSP there also?
[04:18] <wallyworld> also 84,85
[04:18] <wgrant> rSP 4 eva
[04:19] <StevenK> Because I didn't want to overuse it
[04:19] <wallyworld> in tests, to get data needed to run the test, i think it's ok
[04:19] <wgrant> Agreed, in those contexts it makes sense.
[04:19] <wgrant> And it's much faster.
[04:20] <wallyworld> and more consistent with 1. the changes in this mp and 2. other usages in factory
[04:22] <wgrant> I'm pleasantly surprised there's so little fallout.
[04:22] <StevenK> wallyworld: Okay, I've made that change locally
[04:22] <wgrant> It won't be quite so easy when it comes to private projects in a couple of months :(
[04:24] <StevenK> wgrant: I'm pleasantly surprised you're happy with my changes. :-P
[04:24] <wgrant> I am usually happy with good changes :P
[04:24] <wallyworld> StevenK: r=meeeeeeee
[04:24] <StevenK> wallyworld: Pushing up the rSP change
[04:25] <StevenK> I'm happy the branch ends up as +37/-42
[04:28] <lifeless> \o/
[04:29] <StevenK> loltpg
[04:30] <lifeless> oh?
[04:30] <wgrant> More likely to be Unity.
[04:31] <StevenK> True, but I can hope.
[04:31] <StevenK> I think I may have to switch to making fun of dodo users, rather than TPG users.
[04:31] <wgrant> webservice tests are slow :(
[04:32] <StevenK> wgrant: Can haz pointer to IBug traversal?
[04:32] <wgrant> BugTargetTraversalMixin for one.
[04:33] <StevenK> There's more than one? I am disappoint.
[04:33] <wgrant> Yeah, that's +bug
[04:34] <wgrant>  /bugs is somewhere else, probably MaloneApplicationNavigation
[04:48] <wgrant> Now, the question we must all ask ourselves eventually.
[04:48] <wgrant> Will Unity crash before I open my third terminal this time...
[04:49] <wgrant> Apparently not.
[04:49] <StevenK> Haha
[04:58]  * StevenK tries to figure out where BugTargetTraversalMixin is tested
[04:58] <StevenK> lib/lp/bugs/browser/tests/test_bugtask_navigation.py lies, that is testing MaloneApplicationNavigation
[05:01] <wallyworld> StevenK: it was unity / compiz. been quite bad last couple of days :-(
[05:01]  * wallyworld does school run
[05:29]  * StevenK blinks
[05:29] <StevenK> AssertionError: Name "+bug/16" is not registered as a view or navigation step for "Product" on "bugs".
[06:21] <wallyworld> wgrant: my new services branch which merged earlier today will conflict with your mp
[06:22] <wallyworld> you will want to merge trunk if you haven't already done so
[06:22] <wallyworld> and rename the InformationVisibility enum in the services test
[06:25] <wgrant> wallyworld: Ah, I think I was one rev behind that.
[06:25]  * wgrant fixes.
[06:25] <wallyworld> wgrant: why are there bulk insert changes for eg BinaryPackagePublishingHistory in the mp?
[06:26] <wallyworld> not related to the core work in the mp
[06:26] <wgrant> wallyworld: Ah, I guess I forgot to set the prereq.
[06:26]  * wgrant fixes.
[06:26] <wallyworld> thanks :-)
[06:27] <wgrant> https://code.launchpad.net/~wgrant/launchpad/multipolicy-3/+merge/94501 will hopefully be better
[06:29]  * wallyworld looks
[06:29] <wallyworld> ah 600 lines smaller :-)
[06:33] <wgrant> InformationVisibilityPolicy replaced.
[06:35] <wallyworld> wgrant: the IAccessXXX interfaces and attributes are very light on doc strings
[06:35] <wgrant> Indeed. You probably want some.
[06:35] <wallyworld> yes please, not just for me necessarily
[06:36] <wallyworld> since this is new for everyone outside purple, feel free to be verbose :-)
[08:55] <adeuring> good morning
[09:05] <mrevell> Hi
[12:29] <bac> good morning abel.  much going on today?
[12:51] <czajkowski> for launchpad mailing lists, is there a way to see who is a moderator on a ml or is it just the team owner who can see it ?
[12:52] <wgrant> czajkowski: The team admins are the moderators.
[12:52] <czajkowski> wgrant: thats what I thought
[12:52] <czajkowski> thanks
[13:08] <adeuring> morning bac, quiet day so far.
[13:09] <bac> adeuring: cool.  i think i'll tackle william's MP shortly
[13:09] <bac> adeuring: heads up -- i'll be out for the next three fridays.
[13:13] <adeuring> bac: ok, thanks for the warning ;)
[14:01] <deryck> Morning, all.
[14:02] <czajkowski> deryck: hello how is the wife is she feeling better?
[14:06] <deryck> czajkowski, yes, much better
[14:10] <abentley> adeuring: Good morning.
[14:10] <adeuring> morning abentley
[14:10] <abentley> adeuring: How's it going?
[14:12] <adeuring> abentley: fine, though I haven't yet done much on the card you created yesterday
[14:12] <abentley> adeuring: Cool.
[14:33] <deryck> adeuring, /extras/talk.google.com/orange-standup
[14:33] <deryck> adeuring, sorry, https://plus.google.com/hangouts/extras/talk.google.com/orange-standup
[14:47] <jtv> flacoste: allenap, rvba & I were discussing the naming scheme for Maas API versions.  What would you prefer — "v1", or "1.0", or …?
[14:47] <flacoste> jtv: blue
[14:47] <flacoste> :-)
[14:47] <jtv> frankban: Come on, help us a bit here, this is our copout plan.  :-)
[14:47] <jtv> Ahem.  I meant flacoste.
[14:48] <flacoste> you are not the first to make the association :-)
[14:48] <flacoste> then use 23
[14:48] <flacoste> and power of 23 from then on
[14:48] <jtv> flacoste: just thinking because of the long-term implications, you might have some grand standard scheme.
[14:48] <jtv> Uniformity and all that.
[14:48] <flacoste> 1.0 is fine
[14:48] <jtv> Since we're a fun company of individuals.
[14:48] <jtv> Thanks!
[14:48] <flacoste> similar to what we do in lp
[14:49] <rvba> /api/v1.0/ then?
[14:49] <jtv> See, that wasn't so hard.  Ask the Boss Engineering works.  :)
[14:49] <rvba> or /v1.0/api ?
[14:49] <jtv> rvba: definitely /api/ first.
[14:49] <jtv> Or we'll be inviting an unholy mess of paths.
[14:49] <rvba> Not what twitter does fwiw. Nor http://musicsearch.ubuntu.com/.
[14:50] <rvba> Ok, twitter uses api.twitter.com ;)
[14:56] <jtv> That makes all the difference.  We on the other hand have a bunch of path trees on one hostname.
[14:59] <rvba> True,  /api/1.0/ it is then.
[15:02] <jtv> \o/
[15:06] <salgado> bac, adeuring, I've just added a small one for review :)
[15:06] <adeuring> salgado: I'll look
[15:13] <salgado> thanks adeuring!
[15:32] <abentley> adeuring: can we chat about the jobs stuff?
[15:32] <adeuring> abentley: give me 10 minutes or so, I'm just finishing a review
[15:32] <abentley> adeuring: cool.
[15:42] <adeuring> salgado-lunch: r=me, some minor nitpicks
[15:43] <adeuring> abentley: mumble?
[15:43] <abentley> adeuring: sure.
[16:33] <sinzui> bac: adeuring: Do either of you have time to review https://code.launchpad.net/~sinzui/launchpad/error-pages/+merge/94574 <-there are a lot of find and replace changes in it
[16:33] <bac> sinzui: i can
[16:45] <salgado> adeuring, thanks for the review; I've done the changes you suggested and it'd be great if you could land it for me
[16:54] <adeuring> salgado: sure, I'll land it
[17:01] <salgado> adeuring, oh, should I create a bug and link to that so that we can track its qa-untestability or can we just tag the commit as qa-untestable?
[17:01] <adeuring> salgado: right, good idea
[17:08] <salgado> oh, hmm. I can no longer assign bugs to arbitrary people?
[19:31] <abentley> deryck: I'm trying to follow https://dev.launchpad.net/EC2Test but the instructions for getting the access credentials don't look right.  Should I be doing something with "Key Pairs"?
[19:31] <deryck> let me look....
[19:34] <abentley> deryck: I think I found it.  Got confused because there was no "Account" link.
[19:34] <deryck> abentley, yeah, so I do have my credentials in ~/.ec2/aws_id
[19:34] <deryck> abentley, but not sure if the how to about getting those is still right. it's been awhile since I did it.
[19:46] <flacoste> bac: didn't you report a bug similar to bug 939910 in the past?
[19:46] <_mup_> Bug #939910: Need to export entry in version "beta" but it's only needed for "devel"  <lazr.restful:Triaged> < https://launchpad.net/bugs/939910 >
[19:47] <bac> flacoste: yes, i believe i did
[19:48] <bac> flacoste: but i don't see it
[19:49] <flacoste> ah i know!
[19:50] <flacoste> bug=760849
[19:50] <flacoste> from IProcessorFamily!
[19:53] <flacoste> deryck: any news on bug 829074?
[19:53] <_mup_> Bug #829074: Show bugs that are not known to affect "official" upstream <bugs> <escalated> <qa-ok> <Launchpad itself:Fix Released by adeuring> < https://launchpad.net/bugs/829074 >
[19:53] <deryck> gah.  Forgot to ask again this morning.
[19:53] <deryck> flacoste, I'll check with bryce myself now.
[20:13] <deryck> flacoste, issue is fixed, stakeholders happy. :)
[20:13] <flacoste> awesome!
[20:13] <flacoste> deryck: you can drop the follow-up from your board :-)
[20:13] <deryck> ha
[20:13] <deryck> yeah
[20:13] <deryck> lot good that did me. :)
[20:23] <deryck> flacoste, what follow up, I don't see it.  or you mean the bug abel was working on?
[20:23] <flacoste> deryck: yes, the one where you had concerns with the additional maintenance costs
[20:23] <deryck> flacoste, gotchas.  got it.