| infinity | Querying Debian BTS for reports on libprelude (source)... | 06:05 |
|---|---|---|
| infinity | Unable to connect to Debian BTS (error: "TypeError("fixer() missing 1 required positional argument: 'check_hostname'",)"); continue [y|N|?]? | 06:05 |
| infinity | doko, mwhudson: ^-- Does reportbug need a merge/fix for newer python bits? | 06:05 |
| === cpaelzer__ is now known as cpaelzer | ||
| doko | infinity: where do you see that? | 06:31 |
| mwhudson | infinity: well isn't that great | 07:25 |
| doko | coreycb: please could you have a look at the murano sync/merge and look at the autopkg test failures? | 08:34 |
| doko | coreycb: same for ironic, libcloud | 08:37 |
| doko | jamespage: ^^^ | 08:37 |
| handsome_feng | Hi, Does anyone know how to unpack and repack the initrd? cpio -idv < ../initrd.img only got a AuthenticAMD.bin; and 'dd if=initrd bs=xxxx | lz4 | cpio -tdv | head' didn't work too. | 10:08 |
| TJ- | handsome_feng: "unmkinitramfs" | 10:15 |
| seb128 | handsome_feng, unsure if that's still current/valid, but https://wiki.ubuntu.com/CustomizeLiveInitrd | 10:15 |
| TJ- | handsome_feng: you're dealing with an image that has an early-prefix for microcode on it | 10:15 |
| handsome_feng | TJ-, seb128 : Thanks! unmkinitramfs works and BTW the wiki page is out of date :) | 10:19 |
| seb128 | handsome_feng, would be nice to update it if you have some free cycle for that :) | 10:20 |
| TJ- | seb128: I've been waiting to do some Wiki editing but it seems to take an age to get approved to the wiki editors team | 10:21 |
| TJ- | by the time it gets approved I'll have forgotten what it was I intended to edit :) | 10:21 |
| seb128 | that seems suboptimal :/ | 10:21 |
| seb128 | unsure who can approve wiki editor nowadays | 10:22 |
| TJ- | oh yeah - malware at the target of some links | 10:22 |
| seb128 | ? | 10:22 |
| TJ- | domains expire/rot, get taken over by operators hosting malware payloads | 10:23 |
| seb128 | popey, ^ you might know who is approving wiki-editor membership? | 10:23 |
| seb128 | TJ-, right, I think I lack some context, why are you talking about that now? | 10:23 |
| TJ- | seb128: that's reminding me what I wanted to edit to fix; a user reported it in #ubuntu a couple weeks ago | 10:24 |
| seb128 | TJ-, I was just saying that I'm unsure who is reviewing the member-ship requests to approve them, so who to ping to help you getting edit rights | 10:24 |
| seb128 | let's see if popey can help | 10:24 |
| popey | seb128: i can do that | 10:26 |
| seb128 | popey, hey, ah nice :) | 10:26 |
| popey | done | 10:26 |
| seb128 | thx! | 10:26 |
| seb128 | TJ-, ^ | 10:26 |
| * TJ- does a happy dance :) | 10:27 | |
| handsome_feng | seb128: Sure, I will do it when I have time. :) | 10:27 |
| === cpaelzer__ is now known as cpaelzer | ||
| === cpaelzer__ is now known as cpaelzer | ||
| rbasak | vorlon: the git-ubuntu importer service won't restart because it is running on Xenial and using the ubuntu-keyring package, and the archive now has a signature for which it doesn't have a public key. I guess there are currently no plans to SRU updates to this package? | 12:35 |
| rbasak | I'm not sure how to handle this general case. | 12:36 |
| rbasak | ISTR there was some reason git-ubuntu needed every key used in Debian and Ubuntu ever. | 12:36 |
| rbasak | But I don't want to have to release upgrade the git-ubuntu importer service host every time there's a key rotation. | 12:37 |
| coreycb | doko: jamespage: i'll take a look at those. | 12:55 |
| coreycb | vorlon: thanks and no problem on the delay. there is charm support going on for octavia that ramped up recently and shined light on octavia-dashboard. | 12:57 |
| rbasak | "ISTR there was some reason git-ubuntu needed every key used in Debian and Ubuntu ever." -> Now I think about it, it might just be for all supported releases. | 13:07 |
| rbasak | ahasenack, cpaelzer: may I have your opinion please on my proposed approach in bug 1801725? This is for an upcoming fix to git-ubuntu, without which the importer service is down. | 13:36 |
| ubottu | bug 1801725 in usd-importer "Importer service fails to start due to missing public key" [Critical,Triaged] https://launchpad.net/bugs/1801725 | 13:36 |
| ahasenack | rbasak: wasn't something similar done already in e1b4cd8c9c488a0403f6efecd2cdf3748aa85963 for when bionic was released? | 13:43 |
| ahasenack | it links to https://bugs.launchpad.net/bugs/1752656 | 13:43 |
| ubottu | Launchpad bug 1752656 in ubuntu-keyring (Ubuntu) "Please SRU archive keyrings to older releases" [Undecided,New] | 13:43 |
| rbasak | ahasenack: aha. Perfect. Thanks! | 13:43 |
| rbasak | I guess I'm bumping those up then. | 13:43 |
| ahasenack | +1 | 13:44 |
| xnox | rbasak, ahasenack - please do not duplicate work w.r.t. 2018 key update only. irrespective of the acient bug asking for effectivly `sru everything all the time` | 13:54 |
| xnox | rbasak, also your guess is wrong =) | 13:55 |
| xnox | however, i was not planning to go further than bionic. because debootstrap in xenial is not good enough to bootstrap disco. | 13:55 |
| xnox | commented on https://bugs.launchpad.net/usd-importer/+bug/1801725 | 13:56 |
| ubottu | Launchpad bug 1801725 in usd-importer "Importer service fails to start due to missing public key" [Critical,Triaged] | 13:56 |
| xnox | rbasak, ahasenack - also it should be normal for only one signature out of the two valid.... that's why we have dual signing. | 13:56 |
| ahasenack | xnox: gpgv doesn't like it, exits status 2 | 13:58 |
| rbasak | xnox: "Thus imho this is a bug in the importer if it requires all keys." -> it's a problem with gpgv then. | 13:58 |
| rbasak | (or a feature request in gpgv at least) | 13:58 |
| xnox | rbasak, ahasenack - do you have the full cmdline you execute? and/or where is this code at? | 13:59 |
| xnox | i believe we managed to fix this right; using gpgv; for e.g. ubuntu-release-upgrader | 13:59 |
| rbasak | xnox: https://git.launchpad.net/usd-importer/tree/gitubuntu/apt_repo.py#n85 | 14:00 |
| xnox | rbasak, ahasenack - gpgv should be able to return signed output, which should be trustworthy, irrespective of errorcodes. Cause full untrusted stuff should return nothing in stdout. Or something along those lines. | 14:01 |
| xnox | thanks, let me check that out. | 14:01 |
| rbasak | xnox: and yeah, it's a wheel reinvention. Unfortuantely I couldn't find any library code that did this. | 14:01 |
| xnox | there is no library for gpg stuff, it sucks. | 14:01 |
| xnox | and the C embeded netgpg library i found in netbsd is very bad - leaky and not memory safe, thus one is stuck forking to gpg(v) | 14:02 |
| xnox | rbasak, love the comments there | 14:03 |
| rbasak | Thanks | 14:05 |
| rbasak | xnox: so the gpgv manpage (in Xenial at least) says: "The program returns 0 if everything is fine, 1 if at least one signature was bad, and other error codes for fatal errors." | 14:06 |
| xnox | yeah | 14:06 |
| rbasak | xnox: that makes me reluctant to treat non-zero as anything but "everything unverified". | 14:06 |
| ahasenack | rbasak: do you have gpgv complaining about trustedkeys.kbx too? https://pastebin.ubuntu.com/p/3RPK3F3MxT/ | 14:19 |
| ahasenack | I got that on bionic | 14:19 |
| ahasenack | I do have the key 3B4FE6ACC0B21F32, just not 871920D1991BC93C | 14:20 |
| ahasenack | gpg (not gpgv) confirms that, and validates the signature made by 3B4FE6ACC0B21F32 | 14:20 |
| rbasak | ahasenack: no - I'm using --keyring= which I think overrides the default of looking in your ~/.gnupg | 14:22 |
| ahasenack | anyway passing it the right file via --keyring still returns 2, even though it then verifies one signature correctly | 14:22 |
| ahasenack | so "no public key" is treated more seriously than "invalid signature" perhaps | 14:23 |
| xnox | dunno, it seems to me that gpgv is completely broken. as it outputs cleartext, irrespective of signature validity. E.g. i clearsigned something with my own key; validating against archive-keyring; fails to validate any input, yet still spits out output. | 14:24 |
| xnox | not having any more luck with gpg --decrypt | 14:24 |
| cjwatson | no library> gpgme exists | 14:25 |
| cjwatson | (not *necessarily* recommending it, but in some contexts it can be helpful) | 14:25 |
| rbasak | cjwatson: I meant a library to verify the apt repository | 14:25 |
| cjwatson | I was replying to | 14:26 |
| cjwatson | 14:01 <xnox> there is no library for gpg stuff, it sucks. | 14:26 |
| rbasak | Ah | 14:26 |
| xnox | well, i do know about gpgme, but yeah i wouldn't call it a `useful` library =) cause it also does fork to gpg. So far i found forking gpg/gpgv by yourself easier. | 14:27 |
| xnox | and the netpgp was done in the context of no-forking allowed (for pid1) | 14:27 |
| xnox | granted, thankfully, never released that code. | 14:27 |
| xnox | the go openpgp library is quite good, for these things. | 14:27 |
| xnox | but it is in golang. | 14:28 |
| xnox | hm apt-key verify is just as broken. | 14:36 |
| Faux | It so is. | 14:38 |
| infinity | doko, mwhudson: I got that error from reportbug when running 'submittodebian' on disco. | 14:41 |
| xnox | juliank, how does apt deal with multi-signed apt archives? because e.g. apt-key verify isn't doing what i need/want. Or apt code parses the status-fd stuff? | 15:06 |
| xnox | juliank, i wonder if i can (re)use /usr/lib/apt/methods/gpgv somehow | 15:10 |
| TJ- | xnox: how much trouble do you want to go to? Because I've just tested a method locally of splitting the 2 signatures off, then reconstructing with 1 at a time, so gpgv can return 0 if 1 matches (so you'd just loop over each signature). | 15:28 |
| xnox | TJ-, well, i like the logic that is performed by /usr/lib/apt/methods/gpgv already and it matches what apt itself does. | 15:29 |
| juliank | xnox: yes, it does parsing, and maybe | 15:29 |
| juliank | I think the logic is in the library | 15:29 |
| xnox | TJ-, i wish that to be exposed, in some user-friendly format, perhaps injected to be used as the backend for $ apt-key verify | 15:29 |
| xnox | juliank, yeap, found it. It parses the logger/status-fd and correctly counts things as we need/want. | 15:30 |
| xnox | TJ-, ideally i would not want to do signature splitting. As parsing openpgp packets is error prone =/ | 15:30 |
| xnox | TJ-, also imho gpgv in these cases should be returning error code 1, not 2. | 15:31 |
| xnox | TJ-, i think i will file a gpg/gpgv bug; and also will file an apt bug, cause imho standard ubuntu system should have a gpgv like util out of the box for easy apt-key verification of stuff. | 15:31 |
| xnox | TJ-, if you pastebin your signature splitting code that should be doable too. | 15:32 |
| xnox | doable/nice | 15:32 |
| xnox | or update all the ubuntu-keyring everywhere.... | 15:33 |
| juliank | xnox: you could try to use apt-helper Download-File gpgv:$path too | 15:33 |
| juliank | Sans upper case | 15:33 |
| juliank | And with a destination filename | 15:33 |
| xnox | juliank, oooooh | 15:33 |
| juliank | I'm not sure what happens, but it's worth trying | 15:33 |
| xnox | juliank, i didn't find apt-helper yet =) i think this might be what i need. | 15:34 |
| juliank | /usr/lib/apt | 15:34 |
| TJ- | xnox: yes, I agree about returning 1 not 2 | 15:34 |
| xnox | juliank, cause by-hand Acquire-URI commands into the stdin of gpgv method were doing the right thing for me. | 15:34 |
| xnox | juliank, TJ- lunch first, then bugs. | 15:34 |
| TJ- | xnox: I've 1 last bit to fix-up, figuring out the CRC algorithm used on the signature block :) ... I used gpgsplit to break out the signatures | 15:35 |
| TJ- | xnox: I give up - no easy way with limited tooling to recreate the PGP signature CRC (and gpgv cannot be told --ignore-crc-error as gpg can) | 17:09 |
| xnox | =( | 17:10 |
| xnox | TJ-, parsing status-fd, and/or using the apt's gpgv method imho is the way to go. | 17:10 |
| xnox | this shall be the master bug to track this: https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1801762 | 17:10 |
| ubottu | Launchpad bug 1801762 in ubuntu-release-upgrader (Ubuntu) "Dual-signed things should be easy to verify with one key" [Undecided,New] | 17:10 |
| TJ- | I fed the crc32 poly and init values into jacksum to recreate, but jacksum is quite heavy (being Java) | 17:10 |
| juliank | xnox: did you try the helper, does it work? /me curious | 17:47 |
| xnox | juliank, tried. did not do what i wanted =/ it either `downloads` files without any verification, or fails. | 17:48 |
| xnox | juliank, maybe i'm not using the right syntax. | 17:48 |
| xnox | juliank, timed-out trying to work out what it is doing. was going to strace it next. | 17:48 |
| xnox | maybe i needed to something like gpgv+file:// ?! | 17:49 |
| juliank | xnox: FWIW, one of src/dest is the keys, the other the data to check (in case of clearsigned, both are the same) | 17:54 |
| juliank | I think the destination is the key file | 17:56 |
| juliank | s/key/sig | 17:56 |
| * juliank disappears again, enough screen time for now :( | 17:59 | |
| TJ- | xnox: I've got a script that works - wraps gpgv. Any good to you? http://iam.tj/projects/ubuntu/gpgv-aptkeys | 18:20 |
| TJ- | xnox: grr, sent you the symlink version. Use this: http://iam.tj/projects/ubuntu/gpgv-multisig | 18:21 |
| rbasak | !dmb-ping | 19:01 |
| ubottu | cyphermox, jbicha, micahg, rbasak, sil2100, slashd, tsimonq2: DMB ping. | 19:01 |
| slashd | o/ | 19:18 |
| slashd | sorry we changed hours here | 19:18 |
| tsimonq2 | Hi | 19:42 |
| infinity | coreycb: That ironic update also claims to require python-scciclient>=0.8.0 ... we only have 0.6.1 | 19:50 |
| infinity | coreycb: Similar problem in cosmic, mind you, where it wanted 0.7.2 .. | 19:51 |
| infinity | coreycb: Might want to fix both those issues. | 19:53 |
| coreycb | infinity: ok will take a look, thanks for catching that | 19:54 |
| infinity | coreycb: The cosmic reqs might be a lie (but worth investigating if you need to fix something there or update scciclient or whatever), but the disco one looks legit. The do_async flag didn't exist before 8.0 | 19:55 |
| coreycb | infinity: can you reject that? I'd like to run dep8 tests and do this via bileto. | 19:57 |
| infinity | coreycb: Done. | 19:59 |
| coreycb | infinity: thanks | 19:59 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!