[01:53] <tsimonq2> So is it intentional that I can't clone bzr branches from https but I can from http?
[01:54] <wgrant> tsimonq2: Yes. It's recommended to use bzr+ssh.
[01:54] <wgrant> HTTPS is supported for git, but the only secure option for bzr is bzr+ssh
[01:54] <tsimonq2> Alright.
[01:55] <tsimonq2> wgrant: See the discussion in #ubuntu-release for why I ask, interesting case :)
[13:39] <rbasak> cjwatson: we're downloading Sources files to work out what source packages exist and what component they're in for mass import purposes (allowing us to ramp up, etc). But these are plain HTTP downloads. Do you have any opinion on whether and how we should validate the downloads? Eg. if we verify gpg signatures, then what keyrings can we use, given we are also pulling historical series?
[13:39] <rbasak> At the moment I think we're only looking at active Ubuntu series and sid, but eventually we'll need to expand that.
[13:40] <rbasak> Or is this overkill? If we're just getting source package names and component names and then hitting Launchpad securely, then we can only be DoS'd I think maybe.
[13:40] <cjwatson> rbasak: The two "Ubuntu Archive Automatic Signing Key" keys in /usr/share/keyrings/ubuntu-archive-keyring.gpg are the only ones that have ever been used to sign the archive.
[13:41] <cjwatson> I'd verify using those.
[13:41] <rbasak> Thanks. Do you happen to know about Debian?
[13:42] <cjwatson> A much larger set.  A current debian-archive-keyring package goes back a fair way at least
[13:42] <cjwatson> You might have to basically union all the debian-archive-keyring versions you can find
[13:42] <rbasak> OK. Is there any tooling we could use to help with the validation?
[13:42] <rbasak> Something easier than setting up chdist would be nice :)
[13:42] <cjwatson> /usr/share/keyrings/debian-archive-removed-keys.gpg goes back to 2004
[13:43] <cjwatson> Not sure, sorry
[13:43] <rbasak> OK. Thanks!
[15:17] <ricotz> cjwatson, hi, is it possible to treat the pending firefox 58 beta builds like the 57.0.4 security builds? they also target "spectre" -- https://launchpad.net/%7Emozillateam/+archive/ubuntu/firefox-next/+packages
[15:41] <Merlijn_S> FYI: I came here to ask if the build farm is disabled. The topic answered my question but are you aware that `launchpad.net/builders` reports 0 disabled, 198 available?
[15:41] <teward> "198 available build machines, 0 disabled and 81 building of a total of 198 registered."
[15:41] <teward> Merlijn_S: i fail to see what's wrong here?
[15:42] <Merlijn_S> Topic is
[15:42] <Merlijn_S> > Build farm disabled for maintenance; no ETA yet
[15:42] <teward> they can put that back to the way it was, but it *looks* like it's 'up'?
[15:43] <Merlijn_S> All my builds are estimated to complete in 1 hour. If I schedule a build, the estimated complete time just keeps incrementing every x minutes
[15:44] <Merlijn_S> Ex: https://code.launchpad.net/~communitheme/+archive/ubuntu/ppa/+recipebuild/1513026
[15:44] <teward> build priority impacts this
[15:44] <Merlijn_S> and https://code.launchpad.net/~communitheme/+archive/ubuntu/ppa/+recipebuild/1513080
[15:45] <acheronuk> sysadmin said yesterday they were putting the builders on 'manual'
[15:45] <teward> acheronuk: are they still on manual?
[15:45] <acheronuk> if you look at what is building, it's archive test rebuild backlog, and security team builds
[15:46] <acheronuk> so I would guess they have been judged to be safe
[15:46] <acheronuk> other stuff still seems on hold
[15:47] <acheronuk> cjwatson wgrant: correct?
[15:51] <acheronuk> I could be wrong :P
[15:51] <acheronuk> weird that the test rebuilds now have a priority of > 100,000
[15:51] <acheronuk> normally they are tiny or -ve
[15:53] <acheronuk> maybe giving the canonical stuff stupidly high scores was the best way to selectively re-enable?
[15:53]  * acheronuk shrugs
[15:59] <dobey> i think only trusted things are allowed to build right now
[15:59] <acheronuk> yes. whatever way that is being done, I would say so
[15:59] <dobey> ie PPAs are untrusted
[16:00] <Merlijn_S> ok, thanks for the explanation
[16:01] <Merlijn_S> Is there any place where I can receive updates on the state?
[16:01] <dobey> you can follow the launchpad status account on twitter, or check the topic in here i guess
[16:02] <dobey> https://twitter.com/launchpadstatus/status/948688233029881856
[16:03] <Merlijn_S> thanks, didn't know about that :)
[16:03] <acheronuk> might not be quick to sort: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
[16:03] <acheronuk> that early disclosure 'bites'
[16:04] <teward> dobey: that's problematic for me, I have an nginx merge I need to build test.
[16:05] <teward> and i usually spin the multiarch build tests via PPA.  I presume it's nontrivial to permit a single thing to build then :/
[16:06] <dobey> teward: well i guess you can build locally with sbuild, or try to hunt down someone with privileges to maybe allow the build. but i'd suggest the people in that latter category would be better spending their time on the task at hand to get things back up and running
[16:06] <teward> dobey: the problem is the oddball archs
[16:06] <teward> sbuild isn't nice with some of the non-arm oddball archs, at least on my system
[16:07] <teward> i'll test locally and hope things don't explode when uploaded to -proposed
[16:07] <teward> i presume also that the proposed uploads (for, say, merges) are also on hold?
[16:07] <dobey> i think so
[16:07] <acheronuk> I would guess so
[16:07] <dobey> all i know is the world exploded
[16:08] <acheronuk> my last uploads to bionic are going nowhere
[16:26] <cjwatson> ricotz: I think I'd need to consult on that, since they're non-Canonical uploaders
[16:27] <cjwatson> Merlijn_S: We basically put emergency measures in place so the UI isn't everything it could be
[16:28] <cjwatson> acheronuk: Manually scoring those up as a way to get them to build, yes; it's not that they're urgent, but they're low-risk and we might as well drain the queue while not much else is happening
[16:28] <acheronuk> makes sense :)
[16:28] <ricotz> cjwatson, i think you could consult chrisccoulson
[16:28] <teward> cjwatson: are there details on what exploded?
[16:29] <cjwatson> ricotz: Yeah, just did, will enable in a bit
[16:29] <cjwatson> teward: Well uhhhh you could consult pretty much any of the tech press
[16:29] <ricotz> cjwatson, thank you, firefox-trunk is basically the same if there are free cycles
[16:29] <teward> i'm more or less hunting context (if you mean Spectre and Meltdown, well, that's its own little beast)
[16:30] <teward> cjwatson: i'm a little late to catching up on things ;)
[16:30] <cjwatson> ricotz: I'd like to keep it to a minimum in terms of PPAs; firefox-trunk doesn't seem super-urgent for getting fixes out to users
[16:31] <ricotz> cjwatson, yeah, that is fine, the beta is far more used
[16:31] <dobey> teward: yeah, being able to exfiltrate the signing keys from launchpad would not be a good thing
[16:31] <cjwatson> dobey: signing keys are not at risk
[16:32] <cjwatson> (but I'm not going to go into more detail)
[16:33] <cjwatson> ricotz: firefox-next should be building now/soon
[16:34] <ricotz> cjwatson, thank you
[18:02] <tsimonq2> cjwatson: Are livefses for e.g. Lubuntu dailies whitelisted?
[18:04] <tsimonq2> cjwatson: If not, would it be possible to do so, or should we consider dailies no-go for now?
[18:56] <cjwatson> tsimonq2: No-go for now, sorry.
[19:09] <tsimonq2> cjwatson: Alright, understandable, thanks
[19:49] <nacc> cjwatson: hey, so I finally heard back from the keyring folks re: https://github.com/jaraco/keyrings.alt/issues/23, which I think I was triggering with git-ubuntu's launchpadlib and the file keyring. It seems like the keyring backends, at least with Python3, are expecting a unicode string, not a base64 encoded string (a la credentials.py::KeyringCredentialStore.do_save()). Do you want a bug for that?
[20:24] <cjwatson> nacc: Didn't you already file one?  https://bugs.launchpad.net/launchpadlib/+bug/1685962
[20:26] <nacc> cjwatson: ah so i did! :)
[20:26] <nacc> cjwatson: sorry for the noise!
[20:26] <cjwatson> a cross-reference in that bug would be good though
[20:27] <nacc> cjwatson: yep, doing so now
[20:27] <cjwatson> I have the obvious patch in my working tree so can chase that up
[20:27] <nacc> cjwatson: thanks!
[20:57] <mitya57> nacc, cjwatson: there is also bug 1685547, maybe one of them should be marked as duplicate?
[21:16] <nacc> mitya57: thanks, definitely a dupe one way or the other
[21:16] <nacc> mitya57: sorry i didn't see that one when i filed
[22:21] <mitya57> It is filed against a different project (Ubuntu vs launchpadlib) so no need to be sorry :)