[00:44] -queuebot:#ubuntu-release- Unapproved: gtksourceview2 (zesty-proposed/universe) [2.10.5-2ubuntu2 => 2.10.5-2ubuntu3] (ubuntu-desktop)
[02:33] <handsome_feng> Hi, could someone there help check the two update requests: bug #1677432 and bug #1677157? Thank you!
[04:56] -queuebot:#ubuntu-release- Unapproved: ubuntukylin-theme (zesty-proposed/universe) [1.6.2 => 1.7.0] (ubuntukylin)
[05:01] -queuebot:#ubuntu-release- Unapproved: ubuntukylin-wallpapers (zesty-proposed/universe) [16.10.1 => 17.04.0] (ubuntukylin)
[05:04] -queuebot:#ubuntu-release- Unapproved: rpi.gpio (zesty-proposed/universe) [0.6.3-1 => 0.6.3-1ubuntu1] (no packageset)
[05:04] -queuebot:#ubuntu-release- Unapproved: accepted rpi.gpio [source] (zesty-proposed) [0.6.3-1ubuntu1]
[05:08] -queuebot:#ubuntu-release- New binary: rpi.gpio [arm64] (zesty-proposed/universe) [0.6.3-1ubuntu1] (no packageset)
[05:09] -queuebot:#ubuntu-release- New binary: rpi.gpio [armhf] (zesty-proposed/universe) [0.6.3-1ubuntu1] (no packageset)
[05:43] -queuebot:#ubuntu-release- Unapproved: squid3 (zesty-proposed/main) [3.5.23-1ubuntu1 => 3.5.23-1ubuntu2] (ubuntu-server)
[07:43] <Saviq> hi all, could someone please approve the packages coming from https://bileto.ubuntu.com/#/ticket/2626? thanks!
[07:54] -queuebot:#ubuntu-release- Unapproved: imagemagick (zesty-proposed/main) [8:6.9.7.0+dfsg-2ubuntu1 => 8:6.9.7.4+dfsg-2ubuntu1] (desktop-core, ubuntu-server)
[07:58] -queuebot:#ubuntu-release- Unapproved: kdevelop (zesty-proposed/universe) [4:5.0.4-0ubuntu1 => 4:5.0.4-0ubuntu2] (kubuntu, ubuntu-desktop)
[08:04] -queuebot:#ubuntu-release- Unapproved: mate-control-center (zesty-proposed/universe) [1.18.0-0ubuntu1 => 1.18.0-0ubuntu2] (ubuntu-mate, ubuntukylin)
[08:06] <tjaalton> Laney: added debug notes on #1671799
[08:06] <tjaalton> bug #1671799
[08:13] <LocutusOfBorg> hello release team, feature request: is it possible when receiving the "your package is stuck in proposed since foo days", to have also the changelog of the latest upload attached? this way I can understand if this was a transition, a no change rebuild, or a bad merge
[08:32] -queuebot:#ubuntu-release- Unapproved: brisk-menu (zesty-proposed/universe) [0.3.0-0ubuntu1 => 0.3.5-0ubuntu1] (ubuntu-mate)
[08:38] -queuebot:#ubuntu-release- Unapproved: mate-themes (zesty-proposed/universe) [3.22.7-0ubuntu1 => 3.22.8-0ubuntu1] (ubuntu-mate)
[08:41] <LocutusOfBorg> (I can open a bug if needed, just I don't know where that service is located)
[09:28] -queuebot:#ubuntu-release- Unapproved: unity-greeter-session-broadcast (zesty-proposed/main) [0.1+14.10.20140601-0ubuntu4 => 0.1+14.10.20140601-0ubuntu5] (ubuntu-desktop)
[09:46] -queuebot:#ubuntu-release- Unapproved: aethercast (zesty-proposed/universe) [0.1+16.10.20160808-0ubuntu4 => 0.1+17.04.20170328.1-0ubuntu1] (no packageset) (sync)
[09:46] -queuebot:#ubuntu-release- Unapproved: accepted aethercast [sync] (zesty-proposed) [0.1+17.04.20170328.1-0ubuntu1]
[10:50] -queuebot:#ubuntu-release- Unapproved: bluez (xenial-proposed/main) [5.37-0ubuntu5 => 5.37-0ubuntu6] (ubuntu-desktop)
[11:24] -queuebot:#ubuntu-release- New: accepted ldns [amd64] (zesty-proposed) [1.7.0-1ubuntu1]
[11:24] -queuebot:#ubuntu-release- New: accepted ldns [armhf] (zesty-proposed) [1.7.0-1ubuntu1]
[11:24] -queuebot:#ubuntu-release- New: accepted ldns [ppc64el] (zesty-proposed) [1.7.0-1ubuntu1]
[11:24] -queuebot:#ubuntu-release- New: accepted ldns [arm64] (zesty-proposed) [1.7.0-1ubuntu1]
[11:24] -queuebot:#ubuntu-release- New: accepted ldns [s390x] (zesty-proposed) [1.7.0-1ubuntu1]
[11:24] -queuebot:#ubuntu-release- New: accepted ldns [i386] (zesty-proposed) [1.7.0-1ubuntu1]
[12:08] <cpaelzer> Hi, could one please reject squid3 3.5.23-1ubuntu2 from zesty unapproved queue?
[12:08] <cpaelzer> While technically correct on the work with Debian we spotted some licence things that should be sorted out before.
[12:08] <apw> cpaelzer, looking
[12:10] -queuebot:#ubuntu-release- Unapproved: rejected squid3 [source] (zesty-proposed) [3.5.23-1ubuntu2]
[12:14] <cpaelzer> thanks apw
[13:24] <smoser> hey. can someone NACK a cloud-init upload for me ?
[13:24] <smoser> the one in the queue is missing a bug reference.
[13:25] <Saviq> hi release team, any chance of approving the packages synced from this silo https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/2626/+packages?field.series_filter=zesty ?
[13:25] -queuebot:#ubuntu-release- Unapproved: parallax (zesty-proposed/universe) [1.0.1-2 => 1.0.1-3] (no packageset) (sync)
[13:27] -queuebot:#ubuntu-release- Unapproved: accepted parallax [sync] (zesty-proposed) [1.0.1-3]
[14:22] <apw> smoser: looking
[14:31] -queuebot:#ubuntu-release- Unapproved: rejected cloud-init [source] (zesty-proposed) [0.7.9-82-g0e2030ca-0ubuntu1]
[14:47] -queuebot:#ubuntu-release- Unapproved: cloud-init (zesty-proposed/main) [0.7.9-77-g4a2b2f87-0ubuntu1 => 0.7.9-82-g0e2030ca-0ubuntu1] (edubuntu, ubuntu-cloud, ubuntu-server)
[14:58] -queuebot:#ubuntu-release- Unapproved: vulkan (zesty-proposed/universe) [1.0.42.0+dfsg1-1 => 1.0.42.0+dfsg1-1ubuntu1] (no packageset)
[14:59] -queuebot:#ubuntu-release- Unapproved: accepted vulkan [source] (zesty-proposed) [1.0.42.0+dfsg1-1ubuntu1]
[15:02] -queuebot:#ubuntu-release- Unapproved: python-xkcd (zesty-proposed/universe) [2.4.1-1 => 2.4.2-1] (no packageset) (sync)
[15:02] -queuebot:#ubuntu-release- Unapproved: accepted python-xkcd [sync] (zesty-proposed) [2.4.2-1]
[15:13] <rbasak> Do I need an FFe to drop something from a seed?
[15:13] <rbasak> bug 1667195
[15:13] -queuebot:#ubuntu-release- Unapproved: lttng-modules (xenial-proposed/universe) [2.8.0-1ubuntu1~16.04.1 => 2.8.0-1ubuntu1~16.04.2] (no packageset)
[15:13] <rbasak> If unsure, can a release team member give me an ack on it at least please?
[15:21] <rbasak> 16:15 <jbicha> my opinion is that since it wasn't shipped but only listed as "supported" that it wouldn't need a FFe
[15:21] <rbasak> 16:15 <rbasak> Good point. It wouldn't make any changes to an image.
[15:21] <rbasak> So I did it.
[15:22] <flexiondotorg> Ubuntu MATE would like to run a testathon this weekend, we've got a few packages pending, could someone eye them over please?
[15:22] <flexiondotorg> brisk-menu, mate-menu, mate-control-center, ubuntu-mate-artwork, mate-themes
[15:50] <maclin> hi, release team, Ubuntu Kylin image building failed yesterday. The build log shows there was a conflict of dependencies: "libmagickwand-6.q16-2 : Depends: imagemagick-6-common (= 8:6.9.6.6+dfsg-1ubuntu3) but 8:6.9.7.0+dfsg-2ubuntu1 is to be installed" Could someone help to check the problem?
[15:55] <maclin> This package was not directly depended on by our packages. There were only some "oxideqt" related package updates yesterday, but we can't confirm the relation. So I am afraid other image building may face this problem today?
[16:02] <maclin> If this is a problem only affecting Ubuntu Kylin, could someone help to confirm it?  thanks :)
[16:03] <nacc> maclin: it might be from the transition as we finally got imagemagick migrated yesterday and there was a ABI bump
[16:08] <nacc> maclin: ah i see, i think we need to do some NBS cleanup too
[16:10] <maclin> nacc,  is there anything we have to change?
[16:11] <nacc> maclin: no i think it's my cleanup to resolve
[16:12] <maclin> nacc, I got it, thanks:)
[16:15] <nacc> maclin: can you paste me a link to the build log?
[16:15] <maclin> https://launchpadlibrarian.net/313471764/buildlog_ubuntu_zesty_amd64_ubuntukylin_BUILDING.txt.gz
[16:16] <nacc> maclin: thanks!
[16:16] <nacc> maclin: probably need to do some no change rebuilds as well
[16:16] <nacc> maclin: will work on that now
[16:21] <maclin> nacc: ok, we will wait for the new image tomorrow, thanks:)
[16:27] <nacc> slangasek: confused by something: http://people.canonical.com/~ubuntu-archive/nbs.html says sunflow and usbview depend on specific older binaries, but looking at those packages, i don't see the deps? What am I missing?
[16:48] <infinity> nacc: Probably dependencies on virtual packages.
[16:49] <infinity> nacc: Also, it's referring to build-depends, not depends.
[16:50] <nacc> infinity: "Packages which depend on NBS packages" refers to build depends?
[16:50] <infinity> nacc: And, indeed, sunflow build-depends on libmagickcore-6.q16-2-extra
[16:50] <infinity> nacc: It does, if you read the whole line. :P
[16:51] <bdmurray> infinity: I typed the wrong package name and released initramfs-tools for trusty. Can anything be done?
[16:51] <infinity> nacc: The last column helpfully tells you which arch's binaries have the issue.  When it's build-depends instead of binary, it says "build".
[16:51] <nacc> infinity: ah i see it now!
[16:51] <nacc> infinity: sorry for the noise, will fix
[16:52] <bdmurray> infinity: it's verified but has linux-lts autopkgtest failures
[16:52] <infinity> bdmurray: Like, JUST now?
[16:52] <bdmurray> infinity: yes JUST now
[16:52] <infinity> Yeah, we can just delete it.  It hasn't published yet.
[16:52] <infinity> And then copy the old version back.
[16:52] <infinity> I'll sort that.
[16:53] <bdmurray> Great, thanks.
[16:53] <infinity> bdmurray: Although, the linux autopkgtest failures, do they really have anything to do with initramfs-tools?  They're not exactly known for their stability.
[16:54] <bdmurray> infinity: I didn't look at them so can't say
[16:54] <bdmurray> they certainly do look flakey
[16:54] <infinity> I'm more inclined to say "hey kernel people, fix your tests" than hold off the SRU indefinitely. :P
[16:54] <infinity> I'll spot check a few of these before I do the delete and copy thing.
[16:55] <infinity> Oh, in fact, these are failing for entirely other reasons.
[16:55] <infinity> So, yeah.
[16:56] <infinity> bdmurray: Not reverting.
[16:56] <bdmurray> infinity: okay
[16:56] <infinity> bdmurray: I'll have some chats at the kernel sprint next week about how we can get a green baseline on all these kernel tests.
[16:56] <bdmurray> where's that?
[16:56] <infinity> (And then maybe actually implement the results of said chats)
[16:56] <infinity> Londres.
[17:03] -queuebot:#ubuntu-release- Unapproved: libdrm (zesty-proposed/main) [2.4.75-2 => 2.4.76-1] (core, xorg) (sync)
[17:04] <infinity> nacc: Were/are you driving this imagemagick transition?
[17:05] <nacc> infinity: yeah i suppose so
[17:05] <nacc> infinity: by virtue of keeping it migrating recently
[17:06] <infinity> nacc: Pretty sure that https://bugs.launchpad.net/ubuntu/+source/jxrlib/+bug/1666687 isn't going to get resolved by release, so that Recommends should drop to a Suggests, IMO.
[17:06] <nacc> infinity: ack, on my list too
[17:06] <nacc> infinity: i plan on uploading those three after breakfast :)
[17:07] <infinity> nacc: Arguably, it should be a suggests anyway, and the code should actually TEST for the binary and suggest installing libjxr-tools, rather than just throwing ugly errors.
[17:07] <nacc> infinity: ack
[17:11] <infinity> nacc: Or, to be more verbose about my reasoning there, the fact that it throws hard errors makes it a Depends, per policy, not Recommends.  If it didn't throw errors, it would be a Suggests, because one would only call it a Recommends if a major/common use-case of imagemagick was converting that specific file type, which seems like quite a stretch to argue.
[17:11] <infinity> nacc: But, for now, an incorrect Suggests will do, unless you have the time to also fix the hard error.
[17:12] <nacc> infinity: yep, understood -- i think there are a number of things like this in the imagemagick code. I will take a look but probably just drop it to a suggests for  now
[17:12]  * infinity nods.
[17:16] <infinity> Also, the docs depending on some random JS library is kinda fun.  But if that's a hard dep for a good reason, we can just blacklist the docs from main.
[17:16] <infinity> nacc: ^-- Lemme know on that score, and I'll adjust the seeds if appropriate.
[17:20] <nacc> infinity: will do
[17:21] -queuebot:#ubuntu-release- Unapproved: usbview (zesty-proposed/universe) [2.0-21-g6fe2f4f-1 => 2.0-21-g6fe2f4f-1ubuntu1] (no packageset)
[17:21] <slangasek> infinity: tzdata required->important as discussed
[17:21] -queuebot:#ubuntu-release- Unapproved: accepted usbview [source] (zesty-proposed) [2.0-21-g6fe2f4f-1ubuntu1]
[17:22] <infinity> slangasek: Fun, fnu.
[17:22] <infinity> fnu!
[17:24] <infinity> slangasek: Thanks for changing the archive as well this time. ;)
[17:25] -queuebot:#ubuntu-release- Unapproved: sunflow (zesty-proposed/universe) [0.07.2.svn396+dfsg-14 => 0.07.2.svn396+dfsg-14ubuntu1] (no packageset)
[17:26] -queuebot:#ubuntu-release- Unapproved: accepted sunflow [source] (zesty-proposed) [0.07.2.svn396+dfsg-14ubuntu1]
[17:39] <nacc> infinity: can you reject the imagemagick in the unapproved queue? then i'll upload the same version with the fixed component mismatch
[17:39] <flexiondotorg> infinity Any chance I can ask for some reviews of zesty uploads?
[17:40] <flexiondotorg> Would like to get the last bits in for an Ubuntu MATE testathon this weekend.
[17:40] <flexiondotorg> ubuntu-mate-artwork, brisk-menu, mate-menu, mate-control-center, mate-themes
[17:51] <infinity> nacc: Oh just upload ubuntu2 with your changes, so you're not mangling history?
[17:51] <infinity> nacc: s/Oh/Or/
[17:51] <nacc> infinity: yeah i'm happy to do that too
[17:51] <nacc> infinity: will upload shortly then
[17:51] <infinity> nacc: Yeah. Just grab the one from the queue and build on it.
[17:52] <infinity> flexiondotorg: The queue will be empty by my EOD, either by accepting or rejecting.
[17:52] <infinity> flexiondotorg: History went wonky in mate-menu.  Expected?
[17:53] <flexiondotorg> infinity I'm checking mate-menu...
[17:53] <infinity> flexiondotorg: http://launchpadlibrarian.net/313265955/mate-menu_17.04.2-0ubuntu2_17.04.3-0ubuntu1.diff.gz
[17:54] <nacc> infinity: oh i see the docs reference, sorry -- will examine it now
[17:54] <flexiondotorg> infinity wtf. Reject that, their is a glitch in the matrix. I'll upload a replacement promptly.
[17:54] <infinity> flexiondotorg: heh.
[17:54] <flexiondotorg> *there even
[17:55] -queuebot:#ubuntu-release- Unapproved: rejected mate-menu [source] (zesty-proposed) [17.04.3-0ubuntu1]
[17:56] <infinity> dput needs an eliza frontend that goes something like "Did you debdiff before you uploaded?" (response) "And how did that make you feel?"
[17:57] <infinity> "I'm not sure what you mean by 'Just upload the friggin package, can you elaborate?"
[17:57] <infinity> s/package/package'/
[18:00] <nacc> infinity: it would appear the doc dep is a real one, rather than using the version bundled with the source so i think a blacklist may be appropriate
[18:00] <nacc> infinity: would you like a bug filed to refer to?
[18:03] <wxl> infinity: s/\(package\)/\1'/ would have been shorter ;)
[18:03] <infinity> nacc: Nah, I'll just refer to the MIR.
[18:03] <nacc> infinity: ok, thanks
[18:03] <infinity> wxl: My regular expressions in IRC are usually written for readability, not length.
[18:04] <wxl> infinity: well you get points for that :)
[18:04] <flexiondotorg> infinity Thanks for the reject, correct upload for mate-menu incoming.
[18:04] -queuebot:#ubuntu-release- Unapproved: mate-menu (zesty-proposed/universe) [17.04.2-0ubuntu2 => 17.04.3-0ubuntu1] (ubuntu-mate)
[18:14] -queuebot:#ubuntu-release- Unapproved: imagemagick (zesty-proposed/main) [8:6.9.7.0+dfsg-2ubuntu1 => 8:6.9.7.4+dfsg-2ubuntu2] (desktop-core, ubuntu-server)
[18:37] <infinity> nacc: Err, why did you change the previous changelog entry?
[18:38] <infinity> nacc: Or was it a lie that it was locutusofborg's upload, and you're correcting that? :P
[18:39] <nacc> infinity: um, strange
[18:39] <nacc> so i also uploaded 8:6.9.7.4+dfsg-2ubuntu1 to the queue
[18:39] <infinity> nacc: Not the one I downloaded from the queue...
[18:39] <infinity> Oh!
[18:39] <infinity> You both uploaded one.
[18:39] <nacc> infinity: right, i didn't realize it had been superseded
[18:40] <nacc> well 'superseded' :)
[18:40] <nacc> infinity: totally my fault, as i thought it was my upload that i was looking for the ubuntu1
[18:40] <infinity> Okay, to be fair, they're basically identical.
[18:40] <nacc> yeah, contentfully the same
[18:40] <nacc> infinity: you can reject and i can refresh from the queue
[18:40] <infinity> nacc: Nah, all good.
[18:40] <nacc> infinity: ok, sorry about that!
[18:40] <infinity> nacc: Your upload beat his.  So, if it wasn't a freeze, you would have won. :P
[18:41] <nacc> heh
[18:41] <infinity> nacc: queue fetch just got me the newer one.
[18:41] <nacc> also, mine closes the bug filed for the FFe :)
[18:41] <infinity> nacc: Not that it'll make a big difference (since the bug has no imagemagick task), but his bug ref with the intentional parse error is more correct for referencing a bug, rather than closing it.
[18:41] <infinity> nacc: (The MIR bug, not the FFe bug)
[18:43] -queuebot:#ubuntu-release- Unapproved: rejected imagemagick [source] (zesty-proposed) [8:6.9.7.4+dfsg-2ubuntu1]
[18:43] -queuebot:#ubuntu-release- Unapproved: accepted imagemagick [source] (zesty-proposed) [8:6.9.7.4+dfsg-2ubuntu2]
[18:43] -queuebot:#ubuntu-release- Unapproved: rejected imagemagick [source] (zesty-proposed) [8:6.9.7.4+dfsg-2ubuntu1]
[18:44] <nacc> infinity: ah yes, sorry about that!
[18:51] <nacc> infinity: regardless, sorry for the noise with all that
[19:15] <tjaalton> slangasek, infinity: Laney seems absent, so could you check if my analysis of the onscripter test failures is enough to let xserver enter zesty https://bugs.launchpad.net/ubuntu/+source/xorg-server/+bug/1671799/comments/37
[19:18] <infinity> tjaalton: Any idea what's up with the yorick/s390x regression?
[19:19] <tjaalton> infinity: no.. not the most important platform for X anyway
[19:19] <infinity> No, but regressions still point to bugs somewhere.
[19:20] <tjaalton> I don't know how to debug that one
[19:20] <infinity> xnox: ^
[19:23] <infinity> tjaalton: As for your onscripter analysis, it sort of creates more questions than it answers.
[19:23] <infinity> tjaalton: I was hoping it was a simple "qemu sucks, and we're detecting CPU features that get masked" bug, but your indication that it works from other shells in the same VM throws that out.
[19:27] <infinity> error: ("/usr/lib/powerpc64le-linux-gnu/ada/adalib/gmpada/gnu_multiple_precision.ali" is obsolete and read-only)
[19:27] <infinity> doko: ^-- Are we supposed to be doing gnat transitions of some sort, and did we fail to do one properly?
[19:29] <wxl> new xorg would be nice
[19:31] <tjaalton> infinity: yeah it's a weird issue.. real hw is fine, lxc is fine
[19:34] <Saviq> hi release team, can we please have the packages from this silo https://bileto.ubuntu.com/#/ticket/2626 approved to zesty?
[19:34] <infinity> tjaalton: On a hunch, does "kvm -cpu host" work?  I mean, that might confirm my original claim, though makes your findings even more bizarre. :P
[19:38] <infinity> Saviq: I'll have a look at that bunch after lunch.
[19:40] <Saviq> infinity, thanks
[19:42] <tjaalton> infinity: what exactly do you mean? running just that does run qemu but doesn't boot anything
[19:43] <tjaalton> oh you mean running the qemu image with host cpu model?
[19:43] <infinity> tjaalton: I mean using "-cpu host" as the cpu spec for the test, rather than whatever the default is.
[19:44] <tjaalton> got it, trying..
[19:59] <tjaalton> infinity: heh, I get a segfault instead
[19:59] <tjaalton> (EE) Floating point exception at address 0x7fdb9a9e2d19
[19:59] <tjaalton> this is from swrast_dri.so
[20:00] <tjaalton> so now Xvfb crashes
[20:03] <tjaalton> I'll try again after dist-upgrade..
[20:04] <tjaalton> had to use another instance that has working network
[20:29] <tjaalton> right, fails the same way after upgrade, so -cpu host didn't change anything
[20:51] -queuebot:#ubuntu-release- Unapproved: cloud-init (zesty-proposed/main) [0.7.9-77-g4a2b2f87-0ubuntu1 => 0.7.9-87-gd23543eb-0ubuntu1] (edubuntu, ubuntu-cloud, ubuntu-server)
[21:21] <nacc> infinity: i think the imagemagick packages that are NBS can all be removed now
[21:22] <nacc> and looks like once the tests finish the component-mismatch should go away
[21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtmir-gles [sync] (zesty-proposed) [0.5.1+17.04.20170328-0ubuntu1]
[21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtubuntu-gles [sync] (zesty-proposed) [0.64+17.04.20170328.1-0ubuntu1]
[21:31] -queuebot:#ubuntu-release- Unapproved: accepted unity8 [sync] (zesty-proposed) [8.15+17.04.20170328.3-0ubuntu1]
[21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtmir [sync] (zesty-proposed) [0.5.1+17.04.20170328-0ubuntu1]
[21:31] -queuebot:#ubuntu-release- Unapproved: accepted qtubuntu [sync] (zesty-proposed) [0.64+17.04.20170328.1-0ubuntu1]
[21:32] <slangasek> infinity, apw: so I want to give you both a heads-up regarding a discussion cyphermox and I are having about how to make available a grub that enforces kernel signatures, before we're ready to turn that on for the distro as a whole
[21:32] -queuebot:#ubuntu-release- Unapproved: accepted libertine [sync] (zesty-proposed) [1.7.1+17.04.20170328-0ubuntu1]
[21:32] -queuebot:#ubuntu-release- Unapproved: accepted ubuntu-app-launch [sync] (zesty-proposed) [0.11+17.04.20170328-0ubuntu1]
[21:33] <slangasek> infinity, apw: we /could/ be ready to turn it on for the distro as a whole, except that I think we need some upgrade logic around detecting systems where the currently-configured kernel is not signed and warn instead of leaving the system unbootable. :P
[21:33] <apw> slangasek: sounds like a great idea
[21:34] <infinity> s/upgrade logic/preinst logic/
[21:34] <infinity> So, how are we going to prevent people from shooting themselves in the foot by removing linux-signed?
[21:35] <infinity> Other than going back in time and agreeing that linux-signed is a silly idea, and linux-image should just be signed by default. :P
[21:35] <slangasek> infinity, apw: so of the many options on the table, we think that the most straightforward option that gives us what we need - namely, *a* signed (with Ubuntu key) grub.efi that doesn't allow fallback to unsigned kernels, that we can put in a gadget snap for a customer (doesn't need to be in a grub-signed .deb at the moment) is to just build two grub.efi, one with the linux module, one without,
[21:35] <slangasek> and let them be accepted into the archive
[21:36] <infinity> slangasek: Sure, seems reasonable.  Put them both in the efi tarball, sign both, but have grub-signed pick up the non-enforcing one.
[21:36] <infinity> slangasek: Which, if you name the new one something else, happens by default.
[21:36] <slangasek> UX for the one without the 'linux' grub module is probably going to be a weird 'missing module' message rather than a 'security failed' message, but we mostly don't care for the present use case, because this is for a product that's SB-enforcing and anybody managing to point grub at an unsigned kernel can keep both pieces anyway
[21:37] <apw> infinity: could we use a provides: kernel-signed to ensure you have at least one bootable kernel
[21:37] <slangasek> and the policy of this new binary isn't special, it's the next step along our path of turning on enforcement, we're just not ready to do it yet
[21:37] <infinity> slangasek: So, I might be unfamiliar with the process here, but why remove a module?  Isn't there just an "enforce or not" option at build time?
[21:37] <slangasek> so I don't feel like we're signing an artifact we shouldn't be
[21:38] <slangasek> infinity: we would have to build the grub source twice with different patches; there's no build time flag in the patchset
[21:38] <slangasek> oh
[21:38] <slangasek> shoot
[21:38] <infinity> You're building it twice anyway, no?
[21:38] <slangasek> infinity: the idea would be we wouldn't need to build it twice, only run the build-efi-image script twice
[21:38] <cyphermox> not twice for efi.
[21:38] <infinity> Or just linking it twice, I guess.  But same-same, it's just machine time.
[21:39] <cyphermox> slangasek: not even run build-efi-image twice, I can just add a grub-mkimage.
[21:39] <slangasek> right
[21:39] <cyphermox> it's very nearly a one-liner.
[21:39] <slangasek> infinity: setting aside the implementation details of how this gets done in the grub package - no objections to having two signed .efi binaries for grub starting now-ish in zesty?
[21:40] <infinity> slangasek: Nope.
[21:40] <slangasek> and yes, the fact that you can currently get your signed kernel removed on a SB system and be none the wiser is something we also need to tackle
[21:40] <infinity> slangasek: Perfectly fine with that idea, so long as the one we're shipping in grub-signed doesn't regress in any way.
[21:40] <slangasek> ack
[21:41] <cyphermox> infinity: the grub$arch.efi we ship would be exactly as it was, untouched. I'd add a "enfore_grubx64.efi" or something like that
[21:41] <infinity> apw: Depending on kernels works really poorly, which is why we almost always try to avoid it.
[21:41] <infinity> cyphermox: *nod*
[21:41] <infinity> cyphermox: Well, surely not exactly, as it sounds like there's patches involved here.
[21:42] <cyphermox> infinity: nah, I think I can circumvent that
[21:42] <cyphermox> ie. removing the 'linux' module breaks the fallback to loading unsigned.
[21:42] <infinity> Maybe it would help if I knew what "remove the linux module" actually means.
[21:42] <cyphermox> (if it works)
[21:42] <cyphermox> grub is modular, every command (or nearly) is a "module"
[21:42] <infinity> Sure, I know that.
[21:43] <cyphermox> obviously, this is what I'm about to test
[21:43] <infinity> But the implication here is that the efi module requires SB chaining, while the linux module doesn't, and it's that fallback we currently rely on?
[21:43] <apw> infinity: would it serve us well to switch linux-image to install signed
[21:43] <infinity> apw: Yes, that's what we should have done years ago.
[21:43] <infinity> apw: But we never got around to implementing our discussions.
[21:44] <apw> on everything, now in advance
[21:44] <cyphermox> infinity: yeah, currently if linuxefi fails to validate the signature, it silently goes to start the kernel using the 'linux' command.
[21:44] <infinity> apw: Basically, we should do what Ben was doing, where the buildds upload foo-unsigned.deb, and then we package it as foo.deb.
[21:44] <apw> so if they upgrade it gets reinstalled
[21:44] <infinity> apw: The inverse of the current status quo.
[21:44] <apw> we can likely retrofit that
[21:44] <apw> discussion for now+4?
[21:45] <infinity> apw: Sure, we can.  The only problem is that old kernels won't have it.  So, if we intend to enforce in old stables, we'll still need to think of a way forward.  But maybe just a preinst guard and grub that just refuses to upgrade unless you're on a kernel that's packaged the New Way would suffice, cause once you're on that track, accidentally removing your signed kernel is kinda a "duh, don't do that" thing, instead of an honest mistake.
[21:46] <infinity> apw: Discussion for the sprint, but probably we should carve out some pair programming time to *implement* at the sprint.  Given we've discussed this literally for years, more talk won't help us much. ;)
[21:47] <infinity> apw: Err, of course, the immediate path forward, if we were in a hurry, is much simpler.  Given we rely on meta for upgrades anyway (derp), we should just make linux-image point to linux-signed.
[21:48] <infinity> apw: It's not like anyone will get an upgrade to a new packaging method without meta installed anyway, so...
[21:49] <infinity> I really wish I could understand the paranoia that originally led to us thinking there was a reason to have an unsigned option.
[21:49] <infinity> Other than for testing, I suppose.
[21:49] <infinity> apw: So, yeah.  linux-image-flavour Depends linux-signed-image-flavour, done.
[21:49] <infinity> apw: Much simpler than reworking all the packaging. :P
[21:49] <infinity> (Throw an [amd64] in there)
[21:51] <infinity> apw: Belt and bracers that with linux-image-$abi-flavour Depends linux-signed-image-$abi-flavour, and even people who install individual linux-image packages can't screw themselves.
[21:51] <infinity> The latter would actually remove the need for the former.
[21:51] <infinity> And the linux-signed metas could just go away.
[21:51] <infinity> Oh.  But that has a chicken and egg issue where you (incorrectly) build-depend on linux-image to create linux-signed. ;)
[21:51] <infinity> Meh.
[21:52] <infinity> apw: Okay, shutting up.  Put it on the agenda for next week please.
[21:52] <slangasek> cyphermox: hurr, not building in the 'linux' module means we also don't have the 'linux' command; makes our grub.cfgs a bit broken
[21:52] <cyphermox> doh.
[21:52] <infinity> alias linux linuxefi?
[21:52] <infinity> Doubt that grub.cfg allows aliases, mind you. :P
[21:52] <slangasek> that sounds like something requiring a change to grub.cfg also :)
[21:53] <slangasek> we *can* work around that by changing grub.cfg
[21:53] <slangasek> but that means it's not just a drop-in replacement
[21:53] <infinity> Well, that could go in grub.d, if it was a thing.
[21:53] <slangasek> ... not on ubuntu-core
[21:53] <apw> infinity: yep
[21:53] <infinity> Heh.  Right.
[21:57] <infinity> cyphermox: BUILD_PACKAGES += grub-efi-enforce, REAL_PACKAGES += grub-efi-enforce, and add configure and build stamps, applying patchset in the latter?
[21:59] <infinity> Perhaps after copying the source around, so you can (a) avoid parallelism issues with applying a patch mid-build and (b) rm -rf the patched source when done with it.
[22:02] <cyphermox> or I could maybe cheat and really alias linux to linuxefi in the binary itself.
[22:08] <slangasek> infinity: so then you're build-time-applying patches in a 3.0 (quilt) package, WIN :)
[22:26] <infinity> slangasek: Hey, what could possibly go wrong?
[22:56] -queuebot:#ubuntu-release- Unapproved: clutter-gst-3.0 (zesty-proposed/main) [3.0.22-1 => 3.0.24-1] (kubuntu, ubuntu-desktop) (sync)
[23:08] -queuebot:#ubuntu-release- Unapproved: accepted multipath-tools [source] (yakkety-proposed) [0.5.0+git1.656f8865-5ubuntu7.3]
[23:11] -queuebot:#ubuntu-release- Unapproved: ubuntu-docs (zesty-proposed/main) [17.04.2 => 17.04.3] (personal-gunnarhj, ubuntu-desktop)
[23:12] -queuebot:#ubuntu-release- Unapproved: accepted multipath-tools [source] (xenial-proposed) [0.5.0+git1.656f8865-5ubuntu2.5]
[23:21] -queuebot:#ubuntu-release- Unapproved: accepted dnsmasq [source] (yakkety-proposed) [2.76-4ubuntu0.1]
[23:22] -queuebot:#ubuntu-release- Unapproved: accepted dnsmasq [source] (xenial-proposed) [2.75-1ubuntu0.16.04.2]
[23:29] -queuebot:#ubuntu-release- Unapproved: accepted sane-backends [source] (yakkety-proposed) [1.0.25+git20150528-1ubuntu2.16.10.1]
[23:31] -queuebot:#ubuntu-release- Unapproved: accepted sane-backends [source] (xenial-proposed) [1.0.25+git20150528-1ubuntu2.16.04.1]
[23:35] -queuebot:#ubuntu-release- Unapproved: accepted rabbitmq-server [source] (yakkety-proposed) [3.5.7-1ubuntu0.16.10.1]
[23:36] -queuebot:#ubuntu-release- Unapproved: accepted rabbitmq-server [source] (xenial-proposed) [3.5.7-1ubuntu0.16.04.1]
[23:38] -queuebot:#ubuntu-release- Unapproved: imagemagick (zesty-proposed/main) [8:6.9.7.4+dfsg-2ubuntu2 => 8:6.9.7.4+dfsg-2ubuntu3] (desktop-core, ubuntu-server)
[23:39] <nacc> infinity: urgh, sorry, i missed one more component mismatch for the libjxr-tools change (another binary package from src:imagemagick). Just uploaded ubuntu3 --^
[23:48] -queuebot:#ubuntu-release- Unapproved: asterisk (xenial-proposed/universe) [1:13.1.0~dfsg-1.1ubuntu4 => 1:13.1.0~dfsg-1.1ubuntu4.1] (no packageset)
[23:56] -queuebot:#ubuntu-release- Unapproved: accepted nfs-utils [source] (yakkety-proposed) [1:1.2.8-9.2ubuntu1.1]
[23:57] -queuebot:#ubuntu-release- Unapproved: accepted nfs-utils [source] (xenial-proposed) [1:1.2.8-9ubuntu12.1]