[00:05] <funta> :)
[00:11] <funta> folks is it secure to use apt-get install as root?
[00:12] <teward> funta: is it secure to run `sudo apt-get update` or `sudo apt-get install` as a non-root user with sudo access?
[00:12] <funta> hmmm
[00:12] <funta> yes
[00:12] <teward> funta: the bigger security question is "Is it secure to use the root user instead of a non-root user"
[00:13] <teward> (this is why `sudo` actually exists)
[00:13] <funta> use means operate via putty?
[00:13] <funta> for example
[00:13] <teward> mhm
[00:13] <funta> if I set root login to no password and using key only?
[00:13] <funta> is thats fine?
[00:13] <funta> *that
[00:13] <teward> you missed my point
[00:13] <funta> yes
[00:13] <funta> as it not obvious to me
[00:14] <funta> when I install stuff as root something is not good?
[00:14] <teward> funta: is it safe to use the root user irregardless of authentication requirements in place of a non-root, unprivileged user, who can sometimes run some commands using `sudo`
[00:14] <funta> yes
[00:14] <funta> seems so
[00:14] <teward> funta: `apt-get install` will only run with superuser access and work, i.e. `sudo apt-get install` or just `apt-get install` as root.  That answers your initial question.  I would suggest DISABLING the root user, though, and just use `sudo` from a user with sudo access
[00:15] <funta> ok so totally disable root?
[00:16] <funta> when use apt-get where does it install stuff it compiles? /usr something?
[00:16] <funta> if its usr/bin all users can access
[00:18] <funta> lol i am using windows mostly yet I understand linux too
[00:20] <funta> ok sudo usermod -p '!' root ?
[00:20] <funta> thats the one?
[00:26] <funta> ok
[00:26] <funta> done
[00:27] <funta> is there some easy way to propagate existing server to new one?
[00:27] <funta> like ruby setup, some apps
[06:22] <lordievader> Good morning.
[08:44] <thresh> thanks for whoever pushed the updated ubuntu amis to ec2.
[08:44] <thresh> although bash in there lacks the Recent Fixes
[08:45] <thresh> 4.3-7ubuntu1.3 vs 4.3-7ubuntu1.4, but I guess will be updated as well?
[09:48] <rbasak> jamespage: please could you subscribe ~ubuntu-server to src:bcache-tools?
[09:49] <jamespage> rbasak, done
[09:49] <rbasak> Ta!
[11:03] <pmatulis> morning
[11:21] <blackyboy> Hi everyone i want to redierct http to https and if some one access in mysite.com it want to forward to www.mysite.com this both want to be done for my domain but i have done the mysite.com to www.mysite.com but i cant redirect my http to https if i enable the virtual host redirect rule for http to https page not getting loaded.  im using apache2 in ubuntu server 14.04LTS here is my virtualhost entry in pastebin http://paste.ubuntu.com/8454609/
[11:22] <rbasak> jpds_: any news on bug 1330504 please?
[11:23] <jpds_> rbasak: Got held up by other things last week.
[11:23] <jpds_> rbasak: But I've not forgotten about it.
[12:24] <YamakasY> is it possible to reunt a trusty upgrade ?
[12:24] <YamakasY> something went wrong
[12:24] <YamakasY> *rerun
[12:30] <cfhowlett> YamakasY, what went wrong?
[12:30] <cfhowlett> !details | YamakasY,
[12:34] <jamespage> coreycb, zul: so all of the oslo updates we did last week are blocked by bug 1371620
[12:34] <jamespage> needs a pick of this patch: https://github.com/openstack/keystone/commit/7dfccb705ac9c0cbcd7394bf37b356d84dbaa0ba.patch
[12:37] <jamespage> zul, I'm assuming you are re-working the flex package based on cjwatsons feedback right?
[12:38] <zul> jamespage:  yes and yes
[12:38] <jamespage> zul, are you dealing with keystone as well or do you need coreycb or I to parallize that for you?
[12:39] <jamespage> that was bad spelling
[12:39] <patdk-wk> YamakasY, normally, rerun, is just to do apt-get dist-upgrade
[12:40] <zul> jamespage:  get corey to do that please, more packaging familarily for him would be awesome
[12:41] <jamespage> coreycb, you OK todo that? I can review and sponsor; also we need to re-enable the keystone test suite
[12:43] <zul> jamespage:  i was looking at the keystone test suite on friday we need to sync python-pysaml2 from debian and MIR it
[12:43] <zul> coreycb:  ^^^
[12:44] <jamespage> zul, is it just pysaml2?
[12:44] <zul> jamespage:  i believe so
[12:55] <jamespage> coreycb, zul: pysaml2 would also require MIR's of:
[12:55] <jamespage>  * python-repoze.who binary and source package is in universe
[12:55] <jamespage>  * xmlsec1 binary and source package is in universe
[12:56] <zul> jamespage:  ok maybe we can get away with it
[12:56] <jamespage> zul, its only a test-requirement
[12:56] <zul> jamespage:  right...lets see if we can skip the tests then
[12:56] <jamespage> zul, so we could skip those tests for this cycle, and MIR early next
[12:56] <zul> jamespage:  +1
[12:56] <jamespage> zul, lets make that upstreamable - like qpid in oslo.messaging
[12:57] <zul> jamespage:  ok want me to do it?
[12:57] <jamespage> zul, thinking
[12:57] <jamespage> zul, no - leave it for corey or me - you focus on flex
[12:57] <zul> k
[13:25] <mdev> "Bismillah writes Google security researcher Michael 'lcamtuf' Zalewski says he's discovered a new remote code execution vulnerability in the Bash parser (CVE-2014-6278) that is essentially equivalent to the original Shellshock bug, and trival to exploit."
[13:25] <mdev> anyone looking into this?
[13:26] <jamespage> coreycb, whilst my test env rebuilds, taking a look at keystone
[13:28] <jamespage> hazmat, waiting on a release team ack for https://bugs.launchpad.net/ubuntu/+source/websocket-client/+bug/1374335
[13:29] <gnuoy> jamespage, with regards to https://code.launchpad.net/~gnuoy/nova/bug1314677/+merge/236321 , can point 1 follow shortly or will you block on it?
[13:30] <jamespage> gnuoy, as it takes like 30 seconds todo point 1) yes I would block
[13:30] <gnuoy> ack
[13:30] <jamespage> if you do it that way you can just use the patch from the upstream review for your packaging patch and forget about DEp-5
[13:31] <hazmat> jamespage, awesome.. going to do a minor future compatibility fix for jujuclient as their changing some behavior incompatibily in trunk and release (0.18.5)
[13:31] <jamespage> lifeless, is there any way to make testr a little more friendly in the event of a missing import somewhere in a test codebase?
[13:31] <mdeslaur> mdev: this update mitigates that CVE: http://www.ubuntu.com/usn/usn-2364-1/
[13:32] <jamespage> lifeless, we hit this quite frequently during dev cycles as new deps are introduced and it would be nice if testr could identify thse
[13:37] <patdk-wk> mdev heh?
[13:38] <patdk-wk> mdev equiv to the origional? it's a stack issue, and the linking lib doesn't allow it to do any harm, other than to yourself
[13:38] <patdk-wk> and the last patch that went in, fixed it so that issue can't be triggered anymore, possible yes, but it's fixed before it gets there now
[14:04] <coreycb> jamespage, thanks!
[14:06] <jrgifford> Quick question - is a question about linaro on-topic here?
[14:07] <rbasak> jrgifford: depends on the question I guess.
[14:07] <rbasak> jrgifford: there are also the #linaro and #linaro-enterprise channels which might be relevant.
[14:07] <jrgifford> http://askubuntu.com/questions/530114/upgrading-ubuntu-13-09-to-13-10-for-lts
[14:08] <jrgifford> I'm trying to figure out where to route that question on stackexchange.
[14:08] <jrgifford> seems on-topic, but also doesn't seem on-topic.
[14:08] <jrgifford> Would that question be on-topic *here*?
[14:08] <jrgifford> (If it was asked here directly)
[14:08] <rbasak> I would recommend re-installing rather than upgrading.
[14:09] <rbasak> See http://askubuntu.com/questions/91815/how-to-install-software-or-upgrade-from-old-unsupported-release if you have to upgrade though.
[14:09] <rbasak> Your issue is that your system appears to be based on Raring, which is EOL.
[14:09] <jrgifford> Right, but that's not my question ;)
[14:09] <jrgifford> My question is "Is this a Linaro-specific question, or is it a Ubuntu question?"
[14:10] <jamespage> rbasak, looking at the failing DEP-8 mysql-5.6 tests:
[14:10] <jamespage> Failing test(s): main.ctype_uca main.mysqlhotcopy_archive main.mysqlhotcopy_myisam
[14:10] <rbasak> Technically, it's a Linaro-specific question, since Linaro/13.09 was done outside of Ubuntu.
[14:10] <jamespage> I think I fixed the hotcopy ones in mysql-5.5 already
[14:10] <rbasak> But we are friendly enough that it doesn't have to matter :)
[14:10] <jrgifford> rbasak: thanks, that's what I wanted to know.
[14:10] <jamespage> they require writable /usr/lib or something
[14:11] <rbasak> jamespage: can we punt those upstream?
[14:11] <coreycb> jamespage, anything else need work, how about pysaml2?
[14:11] <jamespage> rbasak, maybe
[14:12] <jamespage> coreycb, I think it would be good to get pysaml2 into universe this cycle - it will still need a FFe for the sync from debian
[14:12] <jamespage> coreycb, please feel free to request!
[14:12] <jamespage> if it lands we can add it to the suggests of python-keystone
[14:12] <YamakasY> patdk-wk: did a reinstall
[14:13] <coreycb> jamespage, Ok, I'll do that
[14:13] <jamespage> coreycb, ta!
[14:25] <mndo> hi, I am having problems with bridge networking from a host (trusty) to the guest (also truty, using virtio the guest does not even detect a link and with other drivers it detects the link but there's no connectivity
[14:26] <mndo> any ideas?
[14:26] <mndo> I am using the same config I have on another hosts
[14:33] <jamespage> hazmat, did you get your zmq test cases proposed?
[14:37] <jamespage> coreycb, zul: OK _ keystone fixed up
[14:38] <zul> jamespage:  cool
[14:38] <coreycb> jamespage, ok - I opened bug 1375289
[14:38] <zul> jamespage:  just fixing flex with what i have in my ppa
[14:39] <jamespage> coreycb, thanks
[14:39] <jamespage> coreycb, "OpenStack Keystone's test suite depends on python-pysaml2." well thats true but thats not why we want it
[14:40] <jamespage> we can ignore pysaml2 in the context of the test suite; this is to allow users to feature preview the federation aspect of keystone, without doing another MIR this late in cycle.
[14:40] <jamespage> it reflects the amount of testing we have done of it == zero
[14:42] <coreycb> jamespage, ok thanks I'll update it
[14:42] <jamespage> coreycb, thanks - I'll confirm it once you have  :-)
[15:02] <jamespage> zul, python-eventlet (>= 0.15.1)
[15:02] <jamespage> how important? might take a look
[15:03] <zul> jamespage:  in the requirements repo?
[15:03] <zul> jamespage:  makes me nervous
[15:07] <jamespage> zul, indeed - https://github.com/eventlet/eventlet/issues/122
[15:07] <jamespage> 15.1 appears to have some issues
[15:07] <jamespage> zul, the bump was only for ironic and paramiko ssh handling
[15:08] <zul> jamespage:  then we should be ok
[15:08] <jamespage> adam_g, how critical was the eventlet version bump for ironic? I might try cherry pick the commits we need ontop of 0.13 if its super criticial
[15:10] <zul> hallyn:  so wanna package libvirt 1.2.9? ;)
[15:26] <smb> zul, Just keep in mind that I'll bring my bean-filled whack bonk to the next sprint if you silently drop my patches again. ;-P
[15:27] <zul> smb: too late to merge :)
[15:28] <smb> Lucky you. :)
[15:43] <jamespage> coreycb, can you take a look at mterry's feedback on https://bugs.launchpad.net/ubuntu/+source/python-django-pyscss/+bug/1370452 please
[15:44] <coreycb> jamespage, yep
[15:44] <jamespage> coreycb, thanks
[15:47] <coreycb> jamespage, any tips on getting re "unexpected upstream changes" with python-pysnmp2?
[15:48] <jamespage> coreycb, hmm
[15:48] <jamespage> coreycb, are you working from the branch or from a raw source package?
[15:49] <coreycb> jamespage, lp:debian/python-pysnmp2
[15:49] <jamespage> coreycb, I'm not seeing that
[15:50] <coreycb> jamespage, hmm
[15:54] <Delemas> Anyone know if the current Trusty bash is immune to CVE-2014-6277 and CVE-2014-6278? The Ubuntu web pages I can find say no. Redhat says they are already patched for those.
[15:55] <Delemas> Basically I'm wondering if this also applies to the existing bash patches Ubuntu is using: "Yes, that is one of the CVEs that Red Hat builds are already immune to, by virtue of moving the function exports out of the regular variable namespace."
[15:59] <RoyK> Delemas: http://paste.ubuntu.com/8459566/
[15:59] <coreycb> jamespage,  pull-debian-source FTW!
[16:06] <Delemas> RoyK: Those are listing the other three CVEs which I know are patched...
[16:06] <ianward> Does anyone know if new EC2 AMIs will be created for http://www.ubuntu.com/usn/usn-2364-1/ ?
[16:07] <RoyK> Delemas: erm - how many others are there?
[16:07] <Delemas> There are two which I referenced which I'm trying to figure out whether we are already immune.
[16:08] <Delemas> This shows them as needs-triage/needed but I'm not sure if they are accurate: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6277.html http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-6278.html
[16:08]  * RoyK somewhat reflects over the fact that the pronunciation of 'bash' is similar to the norweigan 'bæsj', meaning 'feces' :P
[16:11] <Delemas> Think I just answered my own question. Both are mitigated by existing patches. It is weird those pages say they are already fixed but then list status as needs-triage and needed.
[17:40] <adam_g> jamespage, it was pretty high, this was the bug that prompted it: https://bugs.launchpad.net/ironic/+bug/1321787
[17:41] <adam_g> jamespage, this was the patch that fixed it, https://github.com/eventlet/eventlet/commit/da87716714689894f23d0db7b003f26d97031e83 tho i think a subsequent patch may be required as well
[19:34] <genii> Dows anyone know where I can find the MD5 for ubuntu-14.04.1-server-i386.iso ?
[19:35] <sarnold> genii: http://cdimage.ubuntu.com/releases/14.04.1/release/SHA256SUMS and .gpg
[19:35] <genii> sarnold: Thanks
[19:35] <sarnold> genii: and MD5SUMS if you really want those :)
[19:36] <genii> sarnold: i386 is not listed there
[19:37] <sarnold> genii: interesting, I hadn't even noticed that the i386 images aren't there...
[19:39] <lifeless> jamespage: yes, its awaiting review in http://bugs.python.org/issue19746
[19:39] <lifeless> jamespage: right now the behaviour you should be seeing is the failed imports listed
[19:40] <lifeless> jamespage: that patch will make it possible to show the actual exception as well
[20:00] <bastidrazor> where does 14.04 keep it's motd information? i have a custom motd i would like displayed on login
[20:01] <sarnold> bastidrazor: see update-motd(5) for details
[20:02] <bastidrazor> sarnold: nice. i knew it had been moved a few years back. thanks
[20:03] <genii> Bah, from 3 different i386 images now I'm getting same error of "could not open builtin file '/lib/modules/3.13.0-32-generic/modules.builtin.bin'" .
[20:08] <rostam> hi I am using ubuntu 14.04. Have a question on 'tc' utility, could it rate limit at millisecond range, like 50kb per 10ms ? thx
[20:10] <sarnold> rostam: probably not.
[20:11] <rostam> sarnold, is there a good source of info on tc I can read other than man pages...
[20:12] <sarnold> rostam: http://lartc.org/lartc.html#LARTC.QDISC
[20:12] <sarnold> rostam: good luck :)
[20:12] <rostam> sarnold, thanks so much.
[20:15] <genii> Hm, I've got identical symptoms as bug 1371386
[20:18] <jamespage> lifeless, awesome
[20:19] <lifeless> jamespage: what symptoms are you seeing today? it may indicate you have old testr in the archive ..
[20:20] <jamespage> lifeless, here's and example - https://launchpadlibrarian.net/184677391/buildlog_ubuntu-utopic-i386.keystone_1%3A2014.2~b3-0ubuntu1_UPLOADING.txt.gz
[20:20] <jamespage> 0.0.18 of testrepository right now
[20:23] <lifeless> thats two releases stale
[20:24] <lifeless> yeah, you'll get much nicer output if you update the testrepository package
[20:24] <lifeless> jamespage: that bug was fixed march 3rd
[20:34] <user123323> What are good ways to measure the time taken for a server failover? (eg: 2 Servers with HAProxy LB, when one server goes down, the LB could redirect the connections to the 2nd one)
[20:34] <user123323> 2 servers and one LB*
[20:47] <qman__> Is shellshock patched in 13.10? I'm not seeing it in the security advisories
[20:49] <qman__> Oh, its already EOL, nevermind
[20:49] <qman__> That was short
[20:56] <lordievader> qman__: Was about to say that. 13.10 was the first with a 9 month support period.
[21:01] <qman__> Vendors building images with non-LTS versions are so frustrating
[21:05] <qman__> Down to 26 unpatched servers, 7 of which are ubuntu, all EOL versions
[21:11] <patdk-wk> qman__, not bad,
[21:34] <genii> Odd. That error I'm having is linked somehow to network discovery. If network setup is skipped the rest of the install goes fine.
[22:04] <hallyn> zul: btw i assume you were joking about merging 1.2.9 :)
[22:28] <jamespage> lifeless, ack - I'll take a look tomorrow
[22:29] <zul> hallamigo:  i was
[22:31] <zul> hallyn: i was totally serious ;)