=== BrAsS_mOnKeY is now known as william
dokonacc: are you handling php and the 7.2 transition? if not. please point somebody else to it ... looking at component mismatches proposed: libsodium needs a bug subscriber, dh-php a MIR, argon2 as well05:44
dokoplus xml205:47
dokorbalint: flash-kernel merge: mtd-utils probably needs a MIR05:49
dokojamespage: pycryptodome and pysmi need a MIR (dep of python-pysnmp4, openstack maintained)05:51
dokojuliank: lvm2 merge: thin-provisioning-tools needs a MIR, or recommends dropped to suggests05:53
dokoxnox: libzstd needs a MIR (for new btrfs-progs)05:55
dokojuliank: please see http://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html for cryptsetup (unsatisfiable Depends)06:20
dokotsimonq2: libindi is stuck in proposed06:46
Unit193doko: I'd presume you saw Debian #888531 and https://wiki.debian.org/Teams/Ruby/ruby2.5?  (Including the test rebuild results.)06:50
ubottuDebian bug 888531 in release.debian.org "transition: ruby2.5" [Normal,Open] http://bugs.debian.org/88853106:50
dokoUnit193: and?06:51
Unit193You expressed interest.  Good then.06:52
dokoUnit193: it's scheduled for demotion06:58
Unit193Ah, that works too.06:58
dokoginggs: gazebo ftbfs (unstable as well)07:10
juliankdoko: lvm2 ok, well, britney does not care, so I did not see that. cryptsetup hopefully sorts itself out once argon2 is MIRed and lvm2 is migrated.07:14
dokojuliank: you see that in component mismatches proposed07:15
dokosomebody has to write the argon2 MIR, either foundations, or server07:15
juliankdoko: The argon2 MIR is at security review already :)07:16
dokoahh, ok. do they know? ubuntu-mir is not subscribed to the bug07:16
juliankSure they are07:17
ubottuLaunchpad bug 1746047 in argon2 (Ubuntu) "[MIR] argon2" [Undecided,In progress]07:17
juliank"Notified of all changes MIR approval team"07:17
dokohmm, http://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.txt doesn't show the subscription07:18
juliankand cyphermox did the review and reassigned to ubuntu-security07:18
juliankdoko: It's older than the MIR I think07:18
juliankbug is 17:16, mismatches 12:2407:20
dokolooks like it's out-of-date07:20
ginggsdoko: ok, i'll look07:35
juliankdoko: fixed lvm2. (I think it might be worth considering MIRing thin-provisioning-tools given that missing it could make your system unbootable if you use a cache LV, but um, let's worry about that later)07:40
juliankmaybe it should just be made a bit smarter and refuse to generate cache LVs without them installed.07:43
cpaelzerxnox: we talked about lp 1744328 / debian 888764 - I'm kind of blocked on this, but unless Debian says yes I'd at least have a 2nd opinion to take it as Ubuntu Delta08:24
ubottuLaunchpad bug 1744328 in nss (Ubuntu) "libfreebl3.so should be public, not in the nss subdir" [Undecided,New] https://launchpad.net/bugs/174432808:24
ubottuDebian bug 888764 in nss "libfreebl3.so should be public, not in the nss subdir" [Normal,Open] http://bugs.debian.org/88876408:24
xnoxdoko, tah08:28
tjaaltoncpaelzer: mike won't accept anything that upstream hasn't marked public :/08:35
tjaaltoni've fought things like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855879 for years08:35
ubottuDebian bug 855879 in libnss3-dev "Please add blapi.h to libnss3-dev" [Normal,Open]08:35
tjaaltonwhich I need for nss-pam which is needed for certmonger to be useful08:36
cpaelzerthanks for the info tjaalton08:36
tjaaltoneven looped in redhat folks08:36
cpaelzerI'm leaning towards adding that as a delta then, but would be pleased if a few people could ack on it08:36
cpaelzerI might prepare a proper MP for an Ubuntu Delta on it and add you and xnox to comment there08:37
* cpaelzer is fully reading tjaalton's example bug now ...08:37
tjaaltonwas thinking if bringing this up on CTTE would be warranted or not08:38
cpaelzersorry tjaalton - abbreviation overload - CTTE ?08:42
tjaaltondebian technical committee08:42
cpaelzerI like your patch to 85587908:43
cpaelzeralthough reading all that makes me feel bad08:44
cpaelzermaybe a combined version that would make the .so's accesible (for cases like mine) and the .a files (as suggested by you) would be the best08:46
xnoxcpaelzer, hm..... surely all you need is a one line to create a symlink in like debian/libfoo.links and that's it, no?08:59
xnoxcpaelzer, and just upload that into ubuntu direct.08:59
cpaelzerI know what I need :-) I just want to have a few acks on the way I do it :-)08:59
xnoxcpaelzer, (possibly with dh-exec if you need DEB_HOST_MULTIARCH location)08:59
cpaelzerand after reading into all of tjaalton it might be the time to do a more generic overhaul09:00
cpaelzerxnox: but I hear you are not opposed to making the libs accessible - that was the important pre-check09:00
cpaelzerslangasek: pointed me to "talk to xnox on this" - that is what I'm doing :-)09:00
tjaaltonthe new pkg for nss-pem can be added later09:01
cpaelzertjaalton: ok so you have time to escalate this to Debian and back for nss-pem then?09:02
cpaelzerok then I might really only change the .so's being a less invasive change09:02
tjaaltonfiled the ITP for nss-pem09:02
tjaaltonsee what happens09:02
cpaelzerthanks, it still was very very sueful to get all that context on this09:03
cpaelzeruseful even09:03
xnoxcpaelzer, i don't think it is a good idea to create a new package, i don't think changing library location is ok, i think symlink is fine to satisfy everything you want, there is no need for new source or binary packages.09:03
cpaelzeryep, after the last few minutes of discussion here I'm agreeing to that xnox09:04
xnoxtsimonq2, i made a huge mistake of uploading nodejs tweak =/ the amount of autopkgtests is humongous09:44
dokotsimonq2: does kubuntu care about qdigidoc? https://launchpad.net/ubuntu/+source/qdigidoc/0.4.1-0ubuntu209:48
dokothat seems to be out-of-date since 201209:48
dokocjwatson: are you ok with temoting tickcount?09:50
cjwatsondoko: yes09:51
cjwatsondoko: I have a todo item to remove our use of it entirely (we need a sort of partial replacement, but can't continue using interpreter ticks)09:51
dokook, unseeding then09:52
cjwatsondoko: in general it doesn't make sense for python-* to be seeded on Launchpad's behalf any more.  Since ~2009 we've only used a relatively small number of system-packaged Python packages, and mostly use buildout (until end of last year) / pip (now)09:53
cjwatsondoko: python-tickcount was an exception to that, but as I think I mentioned on the bug, if necessary we could keep it in our deployment PPA anyway09:54
dokook. I'll just demote, don't remove it yet09:59
xnoxdoko, do we have a place to document / record 32-bit only issues that I have to dig/hunt to solve? e.g. I'm currently looking at i386 and i386+armhf only adt failures triggered by openssl upload.10:03
dokoxnox: no, not afaik10:04
dokobesides the i386 float stuff probably10:04
cpaelzerlinks/dh-exec doesn't like me :-/11:40
cpaelzerhas someone an example of dh-exec in .links to create multiarch links?11:40
=== zyga-ubu1tu is now known as zyga
xnoxcpaelzer, is the .links file executable?11:43
xnoxcpaelzer, does it have dh-exec shebang?11:43
xnoxcpaelzer, or can you push your repository somewhere for me to check it?11:44
cpaelzerit is just me never using it that way - I iterated a bit but it keeps failing with11:44
cpaelzerdh_link: symlink(nss/libfreebl3.so, debian/libnss3/usr/lib/${DEB_HOST_MULTIARCH}/) failed: No such file or directory11:44
cpaelzerI'm sure I do something wrong, but without an example to check against it is stupid iterating through trial-and-error11:45
cpaelzerI'm in a chroot of an sbuild and can tweak it11:45
cpaelzeratm it is like11:45
cpaelzerand files relative to the build are like11:46
cpaelzerI (currently) assume it doesn't have the variable exported or something like it11:46
xnoxcpaelzer, there should never be leading '/' in any of these files11:46
xnoxit should be executable11:46
cpaelzerI tihnk I had all variations of this :-/11:46
xnoxthus something like:11:46
xnoxhorum =/11:47
xnoxcpaelzer, and it should be full paths before and after....11:48
cpaelzeroh that I never tried11:48
xnoxusr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so11:48
xnoxi think, yet manual has leading slashes in examples.11:48
cpaelzerit also is the variable11:48
cpaelzeronly when I drop the var I get to the "is a directory" error11:49
cpaelzerwhich is about the filename on the second argument as you just said11:49
cpaelzerso "usr/lib/x86_64-linux-gnu/nss/libfreebl3.so usr/lib/x86_64-linux-gnu/libfreebl3.so" works11:50
cpaelzernow I need to find what I miss to get the variable resolved11:50
cpaelzerI had $() and ${} and tried on exporting the variable11:50
xnoxinclude /usr/share/dpkg/default.mk on top of debian/rules?11:50
cpaelzerhave it working now11:51
cpaelzerit was the full path incl file on the second argument11:51
cpaelzerjust when variables are used the error without it is way off11:51
xnoxwhoop whoop11:51
cpaelzerthanks xnox, now all that back into proper packaging for another full try :-)11:51
cpaelzer(we should have more of you)11:52
dokoohh no, I can't stand more noise ;p11:54
cpaelzerxnox: grml - we only made it 75% - it now links to a literal ./debian/libnss3/usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so :-)12:15
xnoxcpaelzer, as per $ man dh-exec-subst it says ${DEB_HOST_MULTIARCH} will be substituited....12:17
cpaelzeryes, but it is not :-/12:18
cpaelzermabye it only calls plain dh-links in my case12:18
cpaelzerthat is how it seems to me atm12:18
cjwatsoncpaelzer: what's your debhelper compat level?12:19
cjwatsonok, 9 should work12:19
cjwatsoncpaelzer: how about your source format?12:19
cpaelzer3.0 (quilt)12:19
cpaelzernothing too special on any of that12:20
cjwatsoncan I see the source package?12:20
cpaelzersure it is essentially pull-lp-source nss + experimenting with debian/libnss3.links as http://paste.ubuntu.com/26488955/12:21
xnoxcpaelzer, you have dh-exec as build-dependency right?12:21
cpaelzerI've had it12:21
cjwatsonideally I'd like to see your actual .dsc + extra files12:21
cjwatsonespecially the .debian.tar.*12:21
xnoxcpaelzer, scp it to people.canonical.com?12:22
Laneythe file is executable?12:22
cpaelzerexecutable - yes12:22
cpaelzerI'll upload and share a link12:22
cpaelzerI put all in a tarball at http://people.canonical.com/~paelzer/nss-links-multiarch.tgz12:29
cpaelzerI realized I had it not executable in the packaging yet (only per chmod in the sbuild chroot)12:30
cpaelzerso I cahnged that as well and am currently rebuilding12:30
cpaelzerI'll ping if this (as in the tarball) is still failing me on the rebuild12:30
cpaelzernice - it really was the +x permissions before buildpackage12:39
cpaelzerI'll save all that as big learning experience12:39
cpaelzerthanks for your patience Laney, cjwatson and xnox12:39
cpaelzerit now worked (breaking things post dh_link due to that, but worked)12:40
cjwatsonexecutable in the packaging> yep, that was why I wanted to check the .debian.tar.* :-)12:40
cpaelzerthe follow on fallout is interesting12:42
cpaelzerdh-exec creates debian/tmp (as th emanpages tells me)12:42
* Laney has been there before12:42
cpaelzerand until now the d/rules had mkdir debian/tmp (without -p)12:42
Laneyforgetting to commit the mode change and being surprised when it didn't survive gbp buildpackage -S or something like that12:42
jbichadoko: LP: #1745634 would make it easier for me to try to demote xterm to universe13:21
ubottuLaunchpad bug 1745634 in ubuntu-meta (Ubuntu) "Demote idle to universe" [Undecided,New] https://launchpad.net/bugs/174563413:21
dokojbicha: yeah, probably worth doing that13:28
jbichadoko: cool. Could you unseed it or comment on the bug if you'd prefer I do it?13:45
tjaaltonslangasek: hi, finally wrote a small patch to pam-auth-update to fix https://bugs.launchpad.net/ubuntu/+source/pam/+bug/119271913:51
ubottuLaunchpad bug 1192719 in pam (Ubuntu) "[pam-auth-update] add support for enabling non-default configs" [Wishlist,Confirmed]13:51
dokoxnox: are you undoing my libp11 no-change uploads?15:00
xnoxdoko, ..... libp11 was not rebuild against openssl1.1.0 because we don't have that... thus p11 3 abi is a lie.15:01
xnoxdoko, we need to redo those uploads, properly, to rebuild that 3 abi, against the right openssl.15:02
dokoyes, seen that now. will you do, or should I?15:05
xnoxdoko, either or. as you wish. I was planning to do the unwind.15:08
dokoxnox: ok, please do15:08
=== zyga_ is now known as zyga
naccdoko: yes16:19
naccdoko: (re: php7.2)16:22
naccdoko: i'll be promoting it to main once i get it all fixed up, just like we did 7.1 previously, and removing 7.1 from the archive16:23
dokonacc: well, write the MIRs first ...16:24
naccdoko: yep16:25
naccdoko: to be clear the dh-php one is already resolved, just hasn't been caught up it seems (dh-php is only a suggests)16:28
tsimonq2doko: I'm aware.17:22
tsimonq2xnox: nodejs> ack :( thanks for telling me17:23
naccdoko: afaict, argon2 is not related to php?17:27
tsimonq2doko: I think at this point if it's KDE 4 or Qt 4 and you can handle rdeps, take it out17:27
tsimonq2I wonder if Bileto access could be reconsidered now that all PPA arches are unblocked.17:53
tsimonq2Maybe allow ~ubuntu-dev access or something :)17:53
tsimonq2I have access to do Qt transitions but I know it would be really useful to use with other Ubuntu Developers (with upload access)17:54
tsimonq2I might start a discussion on ubuntu-devel unless it's decided here :)17:56
naccdoko: ok, we've subscribed ubuntu-server to libsodium; is that enough to re-main it, once necessary?17:57
ginggsdoko: gazebo and cyphesis-cpp uploaded, i think tinyxml2 will migrate if you rm openmw:arm6417:57
dokomwhudson: why is golang-1.8-go still in main?18:43
dokoginggs: done18:47
ginggsflexiondotorg: would you add Conflicts: telegram-desktop to your telegram PPA packages please?  It would prevent future bugs like LP: #174070818:49
ubottuLaunchpad bug 1740708 in telegram-desktop (Ubuntu) "package telegram-desktop 1.1.23-1 failed to install/upgrade: trying to overwrite '/usr/share/applications/telegramdesktop.desktop', which is also in package telegram 1.1.23-1~artful1.0" [Undecided,Invalid] https://launchpad.net/bugs/174070818:49
ginggsdoko: ta!18:49
flexiondotorgginggs: OK18:49
ginggsflexiondotorg: ta!18:50
slangasekinfinity, kees, mdeslaur, stgraber: TB meeting in 7?19:53
mwhudsondoko: dunno, shouldn't be afaik20:04
juliankcjwatson: I'm looking at archivepublisher now to see where changes would be needed for valid-until support. It does not seem _that_ difficult. Basically we add the field for all -updates, -security releases; and add the release files to the set that needs updates if it's older than a week.20:16
juliank(and make validity 2 weeks)20:17
juliankold releases might be tricky20:18
julianknot sure20:18
juliankor, rather then looking at the age of the release file, we open it and check that valid-until does not expire for more than a week20:19
juliankI guess it needs a flag in the model somewhere that tells it "Valid-Until" is allowed20:20
juliankwell "needs"20:21
juliankLP takes a while to branch :D20:50
juliankcjwatson: That is, https://paste.ubuntu.com/26491551/ or https://code.launchpad.net/~juliank/launchpad/valid-until21:17
juliankI have not run any tests yet...21:17
juliankupdate: http://paste.ubuntu.com/26491574/21:22
juliankforgot initialize...: http://paste.ubuntu.com/26491591/21:25
julianknow it needs tests and some testing21:26
juliankbut I think the idea is clear.21:26
juliankugh, should have posted in #launchpad21:26
* juliank moves to #launchpad-dev21:27
* tsimonq2 is curious about what Valid-Until support means and what the use case would be21:32
cjwatsonjuliank: something like that is probably a good start (note that when the bug was just filed it would have been a *lot* harder, because the ability to write just the Release file wasn't really there), but it'll need extensive tests21:40
juliankcjwatson: I also posted in #launchpad-dev now, so we can follow up there if needed :)21:41
slangasektsimonq2: if you know that your archive is periodically republished, then including in the signed data that a given archive state is invalid after a given date prevents a silent replay attack22:18
cjwatson(assuming reasonably synced clocks etc.)22:23
julianktsimonq2: To further comment, you can prevent what you could call update starvation. That is, for -updates, currently you can feed apt an old archive state all the time, and it says "oh fine, no updates".22:36
tsimonq2slangasek: Hm ok, interesting.22:42
tsimonq2juliank: So then what will apt do in the case of an old archive state?22:42
julianktsimonq2: If the archive is not valid anymore it will give you an error if you update22:43
julianktsimonq2: You can easily try that yourself in a Debian chroot, just set the clock backward :D22:43
tsimonq2juliank: heh OK :)22:43
tsimonq2juliank: What if I just have an outdated archive mirror that's *purposely* set that way for some reason? (obviously not in prod but for testing) Will I be able to override this in sources.list the same sort of way I override untrusted entries?22:44
julianktsimonq2: You can set check-valid-until to no22:45
juliankyou can also configure valid-until-{min,max}22:45
juliankthese are in seconds, BTW22:46
tsimonq2Could you give an example (or a manual I can RTFM on)?22:46
julianktsimonq2: It's all documented in sources.list, but no excamples in there I guess22:47
julianktsimonq2: in the manpage, that is22:47
julianktsimonq2: This feature is over 6 years old already22:47
tsimonq2juliank: oh hah, TIL22:47
julianktsimonq2: Here's the LP bug from 2011: https://bugs.launchpad.net/launchpad/+bug/71653522:48
ubottuLaunchpad bug 716535 in Launchpad itself "Please support Valid-Until in release files for security.ubuntu.com" [Low,In progress]22:48
tsimonq2juliank: subbed, thanks22:49
Unit193http://snapshot.debian.org/ also notes the use of check-valid-until.22:50
tsimonq2Oh, right. Interesting.22:54
julianktsimonq2: It's a bit inconvenient in some use cases with historical distros, but it's a huge security improvement IMO23:03
tsimonq2:D right23:15

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!