[00:44] -queuebot:#ubuntu-release- Unapproved: gtksourceview2 (zesty-proposed/universe) [2.10.5-2ubuntu2 => 2.10.5-2ubuntu3] (ubuntu-desktop) [02:33] Hi, Could someone there can help check the two update request: bug: #1677432 bug: #1677157 Thank you! [02:33] bug 1677432 in ubuntukylin-wallpapers (Ubuntu) "[FFe] Update ubuntukylin-wallpapers to 17.04.0" [Undecided,New] https://launchpad.net/bugs/1677432 [02:33] bug 1677157 in ubuntukylin-theme (Ubuntu) "[FFe] Update ubuntukylin-theme to 1.7.0" [Undecided,New] https://launchpad.net/bugs/1677157 === salem_ is now known as _salem === Guest76522 is now known as valorie [04:56] -queuebot:#ubuntu-release- Unapproved: ubuntukylin-theme (zesty-proposed/universe) [1.6.2 => 1.7.0] (ubuntukylin) [05:01] -queuebot:#ubuntu-release- Unapproved: ubuntukylin-wallpapers (zesty-proposed/universe) [16.10.1 => 17.04.0] (ubuntukylin) [05:04] -queuebot:#ubuntu-release- Unapproved: rpi.gpio (zesty-proposed/universe) [0.6.3-1 => 0.6.3-1ubuntu1] (no packageset) [05:04] -queuebot:#ubuntu-release- Unapproved: accepted rpi.gpio [source] (zesty-proposed) [0.6.3-1ubuntu1] [05:08] -queuebot:#ubuntu-release- New binary: rpi.gpio [arm64] (zesty-proposed/universe) [0.6.3-1ubuntu1] (no packageset) [05:09] -queuebot:#ubuntu-release- New binary: rpi.gpio [armhf] (zesty-proposed/universe) [0.6.3-1ubuntu1] (no packageset) [05:43] -queuebot:#ubuntu-release- Unapproved: squid3 (zesty-proposed/main) [3.5.23-1ubuntu1 => 3.5.23-1ubuntu2] (ubuntu-server) === agateau_ is now known as agateau === maclin1 is now known as maclin [07:43] hi all, could someone please approve the packages coming from https://bileto.ubuntu.com/#/ticket/2626? thanks! [07:54] -queuebot:#ubuntu-release- Unapproved: imagemagick (zesty-proposed/main) [8:6.9.7.0+dfsg-2ubuntu1 => 8:6.9.7.4+dfsg-2ubuntu1] (desktop-core, ubuntu-server) [07:58] -queuebot:#ubuntu-release- Unapproved: kdevelop (zesty-proposed/universe) [4:5.0.4-0ubuntu1 => 4:5.0.4-0ubuntu2] (kubuntu, ubuntu-desktop) [08:04] -queuebot:#ubuntu-release- Unapproved: mate-control-center (zesty-proposed/universe) [1.18.0-0ubuntu1 => 1.18.0-0ubuntu2] (ubuntu-mate, ubuntukylin) [08:06] Laney: added debug notes on #1671799 [08:06] bug #1671799 [08:06] bug 1671799 in xorg-server (Ubuntu) "FFe: xserver 1.19.3" [Undecided,Confirmed] https://launchpad.net/bugs/1671799 [08:13] hello release team, feature request: is it possible when receiving the "your package is stuck in proposed since foo days", to have also the changelog of the latest upload attached? this way I can understand if this was a transition, a no change rebuild, or a bad merge [08:32] -queuebot:#ubuntu-release- Unapproved: brisk-menu (zesty-proposed/universe) [0.3.0-0ubuntu1 => 0.3.5-0ubuntu1] (ubuntu-mate) [08:38] -queuebot:#ubuntu-release- Unapproved: mate-themes (zesty-proposed/universe) [3.22.7-0ubuntu1 => 3.22.8-0ubuntu1] (ubuntu-mate) [08:41] (I can open a bug if needed, just I don't know where that service is located) [09:28] -queuebot:#ubuntu-release- Unapproved: unity-greeter-session-broadcast (zesty-proposed/main) [0.1+14.10.20140601-0ubuntu4 => 0.1+14.10.20140601-0ubuntu5] (ubuntu-desktop) [09:46] -queuebot:#ubuntu-release- Unapproved: aethercast (zesty-proposed/universe) [0.1+16.10.20160808-0ubuntu4 => 0.1+17.04.20170328.1-0ubuntu1] (no packageset) (sync) [09:46] -queuebot:#ubuntu-release- Unapproved: accepted aethercast [sync] (zesty-proposed) [0.1+17.04.20170328.1-0ubuntu1] [10:50] -queuebot:#ubuntu-release- Unapproved: bluez (xenial-proposed/main) [5.37-0ubuntu5 => 5.37-0ubuntu6] (ubuntu-desktop) [11:24] -queuebot:#ubuntu-release- New: accepted ldns [amd64] (zesty-proposed) [1.7.0-1ubuntu1] [11:24] -queuebot:#ubuntu-release- New: accepted ldns [armhf] (zesty-proposed) [1.7.0-1ubuntu1] [11:24] -queuebot:#ubuntu-release- New: accepted ldns [ppc64el] (zesty-proposed) [1.7.0-1ubuntu1] [11:24] -queuebot:#ubuntu-release- New: accepted ldns [arm64] (zesty-proposed) [1.7.0-1ubuntu1] [11:24] -queuebot:#ubuntu-release- New: accepted ldns [s390x] (zesty-proposed) [1.7.0-1ubuntu1] [11:24] -queuebot:#ubuntu-release- New: accepted ldns [i386] (zesty-proposed) [1.7.0-1ubuntu1] [12:08] Hi, could one please reject squid3 3.5.23-1ubuntu2 from zesty unapproved queue? [12:08] While technically correct on the work with Debian we spottet some licence things that should be sorted out before. [12:08] cpaelzer, looking [12:10] -queuebot:#ubuntu-release- Unapproved: rejected squid3 [source] (zesty-proposed) [3.5.23-1ubuntu2] [12:14] thanks apw === _salem is now known as salem_ [13:24] hey. can someone NACK a cloud-init upload for me ? [13:24] the one in the queue is missing a bug reference. [13:25] hi release team, any chance of approving the packages synced from this silo https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2626/+packages?field.series_filter=zesty ? [13:25] -queuebot:#ubuntu-release- Unapproved: parallax (zesty-proposed/universe) [1.0.1-2 => 1.0.1-3] (no packageset) (sync) [13:27] -queuebot:#ubuntu-release- Unapproved: accepted parallax [sync] (zesty-proposed) [1.0.1-3] === jjohansen1 is now known as jj-cloaked === jj-cloaked is now known as jjohansen [14:22] smoser: looking [14:31] -queuebot:#ubuntu-release- Unapproved: rejected cloud-init [source] (zesty-proposed) [0.7.9-82-g0e2030ca-0ubuntu1] [14:47] -queuebot:#ubuntu-release- Unapproved: cloud-init (zesty-proposed/main) [0.7.9-77-g4a2b2f87-0ubuntu1 => 0.7.9-82-g0e2030ca-0ubuntu1] (edubuntu, ubuntu-cloud, ubuntu-server) [14:58] -queuebot:#ubuntu-release- Unapproved: vulkan (zesty-proposed/universe) [1.0.42.0+dfsg1-1 => 1.0.42.0+dfsg1-1ubuntu1] (no packageset) [14:59] -queuebot:#ubuntu-release- Unapproved: accepted vulkan [source] (zesty-proposed) [1.0.42.0+dfsg1-1ubuntu1] [15:02] -queuebot:#ubuntu-release- Unapproved: python-xkcd (zesty-proposed/universe) [2.4.1-1 => 2.4.2-1] (no packageset) (sync) [15:02] -queuebot:#ubuntu-release- Unapproved: accepted python-xkcd [sync] (zesty-proposed) [2.4.2-1] [15:13] Do I need an FFe to drop something from a seed? [15:13] bug 1667195 [15:13] bug 1667195 in mdbtools (Ubuntu) "Drop mdbtools-gmdb from main" [Undecided,New] https://launchpad.net/bugs/1667195 [15:13] -queuebot:#ubuntu-release- Unapproved: lttng-modules (xenial-proposed/universe) [2.8.0-1ubuntu1~16.04.1 => 2.8.0-1ubuntu1~16.04.2] (no packageset) [15:13] If unsure, can a release team member give me an ack on it at least please? [15:21] 16:15 my opinion is that since it wasn't shipped but only listed as "supported" that it wouldn't need a FFe [15:21] 16:15 Good point. It wouldn't make any changes to an image. [15:21] So I did it. [15:22] Ubuntu MATE would like to run a testathon this weekend, we've got a few packages pending, could someone eye them over please? [15:22] brisk-menu, mate-menu, mate-control-center, ubuntu-mate-artwork, mate-themes [15:50] hi, release team, Ubuntu Kylin image building was failed yesterday. The build log shows there was a conflict of dependencies: "libmagickwand-6.q16-2 : Depends: imagemagick-6-common (= 8:6.9.6.6+dfsg-1ubuntu3) but 8:6.9.7.0+dfsg-2ubuntu1 is to be installed" Could someone help to check the problem? [15:55] This package was not directly depend by our packages. There were only some "oxideqt" related packages update yesterday, but we can't confirm the relation. So I am afraid other image building may face this problem today? [16:02] If this is a problem only affecting Ubuntu Kylin, could someone help to confirm it? thanks :) [16:03] maclin: it might be from the transition as we finally got imagemagick migrated yesterday and there was a ABI bump [16:08] maclin: ah i see, i think we need to do some NBS cleanup too [16:10] nacc, is there anything we have to change? [16:11] maclin: no i think it's my cleanup to resolve [16:12] nacc, I got it, thanks:) [16:15] maclin: can you paste me a link to the build log? [16:15] https://launchpadlibrarian.net/313471764/buildlog_ubuntu_zesty_amd64_ubuntukylin_BUILDING.txt.gz [16:16] maclin: thanks! [16:16] maclin: probably need to some no change rebuilds as well [16:16] maclin: will work on that now [16:21] nacc: ok, we will wait for the new image tomorrow, thanks:) [16:27] slangasek: confused by something: http://people.canonical.com/~ubuntu-archive/nbs.html says sunflow and usbview depend on specific older binaries, but looking at those packages, i don't see the deps? What am I missig? [16:48] nacc: Probably dependencies on virtual packages. [16:49] nacc: Also, it's referring to build-depends, not depends. [16:50] infinity: "Packages which depend on NBS packages" refers to build depends? [16:50] nacc: And, indeed, sunflow build-depends on libmagickcore-6.q16-2-extra [16:50] nacc: It does, if you read the whole line. :P [16:51] infinity: I typed the wrong i package name and released initramfs-tools for trusty. Can anything be done? [16:51] nacc: The last column helpfully tells you which arch's binaries have the issue. When it's build-depends instead of binary, it says "build". [16:51] infinity: ah i see it now! [16:51] infinity: sorry for the noise, will fix [16:52] infinity: its verified but has linux-lts autopkgtest failures [16:52] bdmurray: Like, JUST now? [16:52] infinity: yes JUST now [16:52] Yeah, we can just delete it. It hasn't published yet. [16:52] And then copy the old version back. [16:52] I'll sort that. [16:53] Great, thanks. [16:53] bdmurray: Although, the linux autopkgtest failures, do they really have anything to do with initramfs-tools? They're not exactly known for their stability. [16:54] infinity: I didn't look at them so can't say [16:54] they certainly do look flakey [16:54] I'm more inclined to say "hey kernel people, fix your tests" than hold off the SRU indefinitely. :P [16:54] I'll spot check a few of these before I do the delete and copy thing. [16:55] Oh, in fact, these are failing for entirely other reasons. [16:55] So, yeah. [16:56] bdmurray: Not reverting. [16:56] infinity: okay [16:56] bdmurray: I'll have some chats at the kernel sprint next week about how we can get a green baseline on all these kernel tests. [16:56] where's that? [16:56] (And then maybe actually implement the results of said chats) [16:56] Londres. [17:03] -queuebot:#ubuntu-release- Unapproved: libdrm (zesty-proposed/main) [2.4.75-2 => 2.4.76-1] (core, xorg) (sync) [17:04] nacc: Were/are you driving this imagemagick transition? [17:05] infinity: yeah i suppose so [17:05] infinity: by virtue of keeping it migrating recently [17:06] nacc: Pretty sure that https://bugs.launchpad.net/ubuntu/+source/jxrlib/+bug/1666687 isn't going to get resolved by release, so that Recommends should drop to a Suggests, IMO. [17:06] Ubuntu bug 1666687 in jxrlib (Ubuntu) "[MIR] jxrlib" [Undecided,Incomplete] [17:06] infinity: ack, on my list too [17:06] infinity: i plan on uploading those three after breakfast :) [17:07] nacc: Arguably, it should be a suggests anyway, and the code should actually TEST for the binary and suggest installing libjxr-tools, rather than just throwing ugly errors. [17:07] infinity: ack [17:11] nacc: Or, to be more verbose about my reasoning there, the fact that it throws hard errors makes it a Depends, per policy, not Recommends. If it didn't throw errors, it would be a Suggests, because one would only call it a Recommends if a major/common use-case of imagemagick was converting that specific file type, which seems like quite a stretch to argue. [17:11] nacc: But, for now, an incorrect Suggests will do, unless you have the time to also fix the hard error. [17:12] infinity: yep, understood -- i think there are a number of things like this in the imagemagick code. I will take a look but probably just drop it to a suggests for now [17:12] * infinity nods. [17:16] Also, the docs depending on some random JS library is kinda fun. But if that's a hard dep for a good reason, we can just blacklist the docs from main. [17:16] nacc: ^-- Lemme know on that score, and I'll adjust the seeds if appropriate. [17:20] infinity: will do [17:21] -queuebot:#ubuntu-release- Unapproved: usbview (zesty-proposed/universe) [2.0-21-g6fe2f4f-1 => 2.0-21-g6fe2f4f-1ubuntu1] (no packageset) [17:21] infinity: tzdata required->important as discussed [17:21] -queuebot:#ubuntu-release- Unapproved: accepted usbview [source] (zesty-proposed) [2.0-21-g6fe2f4f-1ubuntu1] [17:22] slangasek: Fun, fnu. [17:22] fnu! [17:24] slangasek: Thanks for changing the archive as well this time. ;) [17:25] -queuebot:#ubuntu-release- Unapproved: sunflow (zesty-proposed/universe) [0.07.2.svn396+dfsg-14 => 0.07.2.svn396+dfsg-14ubuntu1] (no packageset) [17:26] -queuebot:#ubuntu-release- Unapproved: accepted sunflow [source] (zesty-proposed) [0.07.2.svn396+dfsg-14ubuntu1] [17:39] infinity: can you reject the imagemagick in the unapproved queue? then i'll upload the same version with the fixed component mismatch [17:39] infinity Any chance I can ask for some reviews of zesty uploads? [17:40] Would like to get the last bits in for an Ubuntu MATE testathon this weekend. [17:40] ubuntu-mate-artwork, brisk-menu, mate-menu, mate-control-center, mate-themes [17:51] nacc: Oh just upload ubuntu2 with your changes, so you're not mangling history? [17:51] nacc: s/Oh/Or/ [17:51] infinity: yeah i'm happy to do that too [17:51] infinity: will upload shortly then [17:51] nacc: Yeah. Just grab the one from the queue and build on it. [17:52] flexiondotorg: The queue will be empty by my EOD, either by accepting or rejecting. [17:52] flexiondotorg: History went wonky in mate-menu. Expected? [17:53] infinity I'm checking mate-menu... [17:53] flexiondotorg: http://launchpadlibrarian.net/313265955/mate-menu_17.04.2-0ubuntu2_17.04.3-0ubuntu1.diff.gz [17:54] infinity: oh i see the docs reference, sorry -- will examine it now [17:54] infinity wtf. Reject that, their is a glitch in the matrix. I'll upload a replacement promptly. [17:54] flexiondotorg: heh. [17:54] *there even [17:55] -queuebot:#ubuntu-release- Unapproved: rejected mate-menu [source] (zesty-proposed) [17.04.3-0ubuntu1] [17:56] dput needs an eliza frontend that goes something like "Did you debdiff before you uploaded?" (response) "And how did that make you feel?" [17:57] "I'm not sure what you mean by 'Just upload the friggin package, can you elaborate?" [17:57] s/package/package'/ === pete-woods_ is now known as pete-woods [18:00] infinity: it would appear the doc dep is a real one, rather than using the version bundled with the source so i think a blacklist may be appropriate [18:00] infinity: would you like a bug filed to refer to? [18:03] infinity: s/\(package\)/\1'/ would have been shorter ;) [18:03] nacc: Nah, I'll just refer to the MIR. [18:03] infinity: ok, thanks [18:03] wxl: My regular expressions in IRC are usually written for readability, not length. [18:04] infinity: well you get points for that :) [18:04] infinity Thanks for the reject, correct upload for mate-menu incoming. [18:04] -queuebot:#ubuntu-release- Unapproved: mate-menu (zesty-proposed/universe) [17.04.2-0ubuntu2 => 17.04.3-0ubuntu1] (ubuntu-mate) [18:14] -queuebot:#ubuntu-release- Unapproved: imagemagick (zesty-proposed/main) [8:6.9.7.0+dfsg-2ubuntu1 => 8:6.9.7.4+dfsg-2ubuntu2] (desktop-core, ubuntu-server) [18:37] nacc: Err, why did you change the previous changelog entry? [18:38] nacc: Or was it a lie that it was locutusofborg's upload, and you're correcting that? :P [18:39] infinity: um, strange [18:39] so i also uploaded 8:6.9.7.4+dfsg-2ubuntu1 to the queue [18:39] nacc: Not the one I downloaded from the queue... [18:39] Oh! [18:39] You both uploaded one. [18:39] infinity: right, i didn't realize it had been superseded [18:40] well 'superseded' :) [18:40] infinity: totally my fault, as i thought it was my upload that i was looking for the ubuntu1 [18:40] Okay, to be fair, they're basically identical. [18:40] yeah, contentfully the same [18:40] infinity: you can reject and i can refresh from the queue [18:40] nacc: Nah, all good. [18:40] infinity: ok, sorry about that! [18:40] nacc: Your upload beat his. So, if it wasn't a freeze, you would have won. :P [18:41] heh [18:41] nacc: queue fetch just got me the newer one. [18:41] also, mine closes the bug filed for the FFe :) [18:41] nacc: Not that it'll make a big difference (since the bug has no imagemagick task), but his bug ref with the intentional parse error is more correct for referencing a bug, rather than closing it. [18:41] nacc: (The MIR bug, not the FFe bug) [18:43] -queuebot:#ubuntu-release- Unapproved: rejected imagemagick [source] (zesty-proposed) [8:6.9.7.4+dfsg-2ubuntu1] [18:43] -queuebot:#ubuntu-release- Unapproved: accepted imagemagick [source] (zesty-proposed) [8:6.9.7.4+dfsg-2ubuntu2] [18:43] -queuebot:#ubuntu-release- Unapproved: rejected imagemagick [source] (zesty-proposed) [8:6.9.7.4+dfsg-2ubuntu1] [18:44] infinity: ah yes, sorry about that! [18:51] infinity: regardless, sorry for the noise with all that [19:15] slangasek, infinity: Laney seems absent, so could you check if my analysis of the onscripter test failures are enough to let xserver enter zesty https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1671799/comments/37 [19:15] Ubuntu bug 1671799 in xorg-server (Ubuntu) "FFe: xserver 1.19.3" [Undecided,Confirmed] [19:18] tjaalton: Any idea what's up with the yorick/s390x regression? [19:19] infinity: no.. not the most important platform for X anyway [19:19] No, but regressions still point to bugs somewhere. [19:20] I don't know how to debug that one [19:20] xnox: ^ [19:23] tjaalton: As for your onscripter analysis, it sort of creates more questions than it answers. [19:23] tjaalton: I was hoping it was a simple "qemu sucks, and we're detecting CPU features that get masked" bug, but your indication that it works from other shells in the same VM throws that out. [19:27] error: ("/usr/lib/powerpc64le-linux-gnu/ada/adalib/gmpada/gnu_multiple_precision.ali" is obsolete and read-only) [19:27] doko: ^-- Are we supposed to be doing gnat transitions of some sort, and did we fail to do one properly? [19:29] new xorg would be nice [19:31] infinity: yeah it's a weird issue.. real hw is fine, lxc is fine [19:34] hi release team, can we please have the packages from this silo https://bileto.ubuntu.com/#/ticket/2626 approved to zesty? [19:34] tjaalton: On a hunch, does "kvm -cpu host" work? I mean, that might confirm my original claim, though makes your findings even more bizarre. :P [19:38] Saviq: I'll have a look at that bunch after lunch. [19:40] infinity, thanks [19:42] infinity: what exactly do you mean? running just that does run qemu but doesn't boot anything [19:43] oh you mean running the qemu image with host cpu model? [19:43] tjaalton: I mean using "-cpu host" as the cpu spec for the test, rather than whatever the default is. [19:44] got it, trying.. [19:59] infinity: heh, I get a segfault instead [19:59] (EE) Floating point exception at address 0x7fdb9a9e2d19 [19:59] this is from swrast_dri.so [20:00] so now Xvfb crashes [20:03] I'll try again after dist-upgrade.. [20:04] had to use another instance that has working network [20:29] right, fails the same way after upgrade, so -cpu host didn't change anything [20:51] -queuebot:#ubuntu-release- Unapproved: cloud-init (zesty-proposed/main) [0.7.9-77-g4a2b2f87-0ubuntu1 => 0.7.9-87-gd23543eb-0ubuntu1] (edubuntu, ubuntu-cloud, ubuntu-server) === salem_ is now known as _salem [21:21] infinity: i think the imagemagick packages that are NBS can all be removed now [21:22] and looks like once the tests finish the component-mismatch should go away [21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtmir-gles [sync] (zesty-proposed) [0.5.1+17.04.20170328-0ubuntu1] [21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtubuntu-gles [sync] (zesty-proposed) [0.64+17.04.20170328.1-0ubuntu1] [21:31] -queuebot:#ubuntu-release- Unapproved: accepted unity8 [sync] (zesty-proposed) [8.15+17.04.20170328.3-0ubuntu1] [21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtmir [sync] (zesty-proposed) [0.5.1+17.04.20170328-0ubuntu1] [21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtubuntu [sync] (zesty-proposed) [0.64+17.04.20170328.1-0ubuntu1] [21:32] infinity, apw: so I want to give you both a heads-up regarding a discussion cyphermox and I are having about how to make available a grub that enforces kernel signatures, before we're ready to turn that on for the distro as a whole [21:32] -queuebot:#ubuntu-release- Unapproved: accepted libertine [sync] (zesty-proposed) [1.7.1+17.04.20170328-0ubuntu1] [21:32] -queuebot:#ubuntu-release- Unapproved: accepted ubuntu-app-launch [sync] (zesty-proposed) [0.11+17.04.20170328-0ubuntu1] [21:33] infinity, apw: we /could/ be ready to turn it on for the distro as a whole, except that I think we need some upgrade logic around detecting systems where the currently-configured kernel is not signed and warn instead of leaving the system unbootable. :P [21:33] slangasek: sounds like a great idea [21:34] s/upgrade logic/preinst logic/ [21:34] So, how are we going to prevent people from shooting themselves in the foot by removing linux-signed? [21:35] Other than going back in time and agreeing that linux-signed is a silly idea, and linux-image should just be signed by default. :P [21:35] infinity, apw: so of the many options on the table, we think that the most straightforward option that gives us what we need - namely, *a* signed (with Ubuntu key) grub.efi that doesn't allow fallback to unsigned kernels, that we can put in a gadget snap for a customer (doesn't need to be in a grub-signed .deb at the moment) is to just build two grub.efi, one with the linux module, one without, [21:35] and let them be accepted into the archive [21:36] slangasek: Sure, seems reasonable. Put them both in the efi tarball, sign both, but have grub-signed pick up the non-enforcing one. [21:36] slangasek: Which, if you name the new one something else, happens by default. [21:36] UX for the one without the 'linux' grub module is probably going to be a weird 'missing module' message rather than a 'security failed' message, but we mostly don't care for the present use case, because this is for a product that's SB-enforcing and anybody managing to point grub at an unsigned kernel can keep both pieces anyway [21:37] infinity: could we use a provides: kernel-signed to ensure you have at least one bootable kernel [21:37] and the policy of this new binary isn't special, it's the next step along our path of turning on enforcement, we're just not ready to do it yet [21:37] slangasek: So, I might be unfamiliar with the process here, but why remove a module? Isn't there just an "enforce or not" option at build time? [21:37] so I don't feel like we're signing an artifact we shouldn't be [21:38] infinity: we would have to build the grub source twice with different patches; there's no build time flag in the patchset [21:38] oh [21:38] shoot [21:38] You're building it twice anyway, no? [21:38] infinity: the idea would be we wouldn't need to build it twice, only run the build-efi-image script twice [21:38] not twice for efi. [21:38] Or just linking it twice, I guess. But same-same, it's just machine time. [21:39] slangasek: not even run build-efi-image twice, I can just add a grub-mkimage. [21:39] right [21:39] it's very nearly a one-liner. [21:39] infinity: setting aside the implementation details of how this gets done in the grub package - no objections to having two signed .efi binaries for grub starting now-ish in zesty? [21:40] slangasek: Nope. [21:40] and yes, the fact that you can currently get your signed kernel removed on a SB system and be none the wiser is something we also need to tackle [21:40] slangasek: Perfectly fine with that idea, so long as the one we're shipping in grub-signed doesn't regress in any way. [21:40] ack [21:41] infinity: the grub$arch.efi we ship would be exactly as it was, untouched. I'd add a "enfore_grubx64.efi" or something like that [21:41] apw: Depending on kernels works really poorly, which is why we almost always try to avoid it. [21:41] cyphermox: *nod* [21:41] cyphermox: Well, surely not exactly, as it sounds like there's patches involved here. [21:42] infinity: nah, I think I can circumvent that [21:42] ie. removing the 'linux' module breaks the fallback to loading unsigned. [21:42] Maybe it would help if I knew what "remove the linux module" actually means. [21:42] (if it works) [21:42] grub is modular, every command (or nearly) is a "module" [21:42] Sure, I know that. [21:43] obviously, this is what I'm about to test [21:43] But the implication here is that the efi module requires SB chaining, while the linux module doesn't, and it's that fallback we currently rely on? [21:43] infinity: would it serve us well to switch linux-image to install signed [21:43] apw: Yes, that's what we should have done years ago. [21:43] apw: But we never got around to implementing our discussions. [21:44] on everything, now in advance [21:44] infinity: yeah, currently if linuxefi fails to validate the signature, it silently goes to start the kernel using the 'linux' command. [21:44] apw: Basically, we should do what Ben was doing, where the buildds upload foo-unsigned.deb, and then we package it as foo.deb. [21:44] so if they upgrade it gets reinstalled [21:44] apw: The inverse of the current status quo. [21:44] we can likely retrofit that [21:44] discussion for now+4? [21:45] apw: Sure, we can. The only problem is that old kernels won't have it. So, if we intend to enforce in old stables, we'll still need to think of a way forward. But maybe just a preinst guard and grub that just refuses to upgrade unless you're on a kernel that's packaged the New Way would suffice, cause once you're on that track, accidentally removing your signed kernel is kinda a "duh, don't do that" thing, instead of an honest mistake. [21:46] apw: Discussion for the sprint, but probably we should carve out some pair programming time to *implement* at the sprint. Given we've discussed this literally for years, more talk won't help us much. ;) [21:47] apw: Err, of course, the immediate path forward, if we were in a hurry, is much simpler. Given we rely on meta for upgrades anyway (derp), we should just make linux-image point to linux-signed. [21:48] apw: It's not like anyone will get an upgrade to a new packaging method without meta installed anyway, so... [21:49] I really wish I could understant the paranoia that originally led to us thinking there was a reason to have an unsigned option. [21:49] Other than for testing, I suppose. [21:49] apw: So, yeah. linux-image-flavour Depends linux-signed-image-flavour, done. [21:49] apw: Much simpler than reworking all the packaging. :P [21:49] (Throw an [amd64] in there) [21:51] apw: Belt and bracers that with linux-image-$abi-flavour Depends linux-signed-image-$abi-flavour, and even people who install individual linux-image packages can't screw themselves. [21:51] The latter would actually remove the need for the former. [21:51] And the linux-signed metas could just go away. [21:51] Oh. But that has a chicken and egg issue where you (incorrectly) build-depend on linux-image to create linux-signed. ;) [21:51] Meh. [21:52] apw: Okay, shutting up. Put it on the agenda for next week please. [21:52] cyphermox: hurr, not building in the 'linux' module means we also don't have the 'linux' command; makes our grub.cfgs a bit broken [21:52] doh. [21:52] alias linux linuxefi? [21:52] Doubt that grub.cfg allows aliases, mind you. :P [21:52] that sounds like something requiring a change to grub.cfg also :) [21:53] we *can* work around that by changing grub.cfg [21:53] but that means it's not just a drop-in replacement [21:53] Well, that could go in grub.d, if it was a thing. [21:53] ... not on ubuntu-core [21:53] infinity: yep [21:53] Heh. Right. [21:57] cyphermox: BUILD_PACKAGES += grub-efi-enforce, REAL_PACKAGES += grub-efi-enforce, and add configure and build stamps, applying patchset in the latter? [21:59] Perhaps after copying the source around, so you can (a) avoid parallelism issues with applying a patch mid-build and (b) rm -rf the patched source when done with it. [22:02] or I could maybe cheat and really alias linux to linuxefi in the binary itself. [22:08] infinity: so then you're build-time-applying patches in a 3.0 (quilt) package, WIN :) [22:26] slangasek: Hey, what could possibly go wrong? [22:56] -queuebot:#ubuntu-release- Unapproved: clutter-gst-3.0 (zesty-proposed/main) [3.0.22-1 => 3.0.24-1] (kubuntu, ubuntu-desktop) (sync) === Guest86599 is now known as RAOF [23:08] -queuebot:#ubuntu-release- Unapproved: accepted multipath-tools [source] (yakkety-proposed) [0.5.0+git1.656f8865-5ubuntu7.3] [23:11] -queuebot:#ubuntu-release- Unapproved: ubuntu-docs (zesty-proposed/main) [17.04.2 => 17.04.3] (personal-gunnarhj, ubuntu-desktop) [23:12] -queuebot:#ubuntu-release- Unapproved: accepted multipath-tools [source] (xenial-proposed) [0.5.0+git1.656f8865-5ubuntu2.5] [23:21] -queuebot:#ubuntu-release- Unapproved: accepted dnsmasq [source] (yakkety-proposed) [2.76-4ubuntu0.1] [23:22] -queuebot:#ubuntu-release- Unapproved: accepted dnsmasq [source] (xenial-proposed) [2.75-1ubuntu0.16.04.2] [23:29] -queuebot:#ubuntu-release- Unapproved: accepted sane-backends [source] (yakkety-proposed) [1.0.25+git20150528-1ubuntu2.16.10.1] [23:31] -queuebot:#ubuntu-release- Unapproved: accepted sane-backends [source] (xenial-proposed) [1.0.25+git20150528-1ubuntu2.16.04.1] [23:35] -queuebot:#ubuntu-release- Unapproved: accepted rabbitmq-server [source] (yakkety-proposed) [3.5.7-1ubuntu0.16.10.1] [23:36] -queuebot:#ubuntu-release- Unapproved: accepted rabbitmq-server [source] (xenial-proposed) [3.5.7-1ubuntu0.16.04.1] [23:38] -queuebot:#ubuntu-release- Unapproved: imagemagick (zesty-proposed/main) [8:6.9.7.4+dfsg-2ubuntu2 => 8:6.9.7.4+dfsg-2ubuntu3] (desktop-core, ubuntu-server) [23:39] infinity: urgh, sorry, i missed one more component mismatch for the libjxr-tools change (another binary package from src:imagemagick). Just uploaded ubuntu3 --^ [23:48] -queuebot:#ubuntu-release- Unapproved: asterisk (xenial-proposed/universe) [1:13.1.0~dfsg-1.1ubuntu4 => 1:13.1.0~dfsg-1.1ubuntu4.1] (no packageset) [23:56] -queuebot:#ubuntu-release- Unapproved: accepted nfs-utils [source] (yakkety-proposed) [1:1.2.8-9.2ubuntu1.1] [23:57] -queuebot:#ubuntu-release- Unapproved: accepted nfs-utils [source] (xenial-proposed) [1:1.2.8-9ubuntu12.1]