/srv/irclogs.ubuntu.com/2019/06/28/#ubuntu-devel.txt

kyrofasarnold, alright, done, any chance you'd be willing to sponsor it for us?00:16
sarnoldkyrofa: sorry, I'm not a coredev :(00:18
Unit193python-pygraphviz is in universe.00:21
sarnoldoh! so motu would suffice?00:22
sarnold(which, alas, I am also not, but that's probably a larger poool :)00:22
Unit193Yes sir.00:23
=== pieq__ is now known as pieq
Unit193Is there anything preventing someone sync'ing libjson-c from experimental?04:42
tsimonq2Unit193: .04:45
tsimonq2When are you going to become a Core Developer, again? :P04:45
Unit193Why would I?  I like the fringe packages. :304:45
tsimonq2¯\_(ツ)_/¯04:45
Unit193(Read: I'm only looking into this because of 'sway')04:45
tsimonq2OOOOOH04:45
tsimonq2What's the progress on that?04:46
tsimonq2A little birdie tells me someone is interested in starting an Ubuntu Sway flavor.04:46
Unit193depwait on json-c .13 :P04:46
tsimonq2:P04:46
Unit193Urgh, not another...04:46
wxlyour what hurts?04:46
tsimonq2Unit193: Between Ubuntu Sway, Ubuntu Cinnamon, and Ubuntu Unity, I wonder if someone is already betting who actually pulls through first. :P04:49
tsimonq2(All three of those are currently in some stage of "in the works.")04:49
tsimonq2Now, if we had an active TB that could actually process a flavor application...04:49
* tsimonq2 runs04:49
Unit193Who's behind them?04:50
tsimonq2Unit193: Oh look, your binaries are in the NEW queue.04:50
tsimonq2Ubuntu Unity has... Khurshid Alam? I'm not sure who else. Ubuntu Cinnamon is by someone I was told I should meet when I went to SELF but never got the chance to, so *shrug*. Ubuntu Sway is a few flavor folks.04:52
* tsimonq2 glares at bashfulrobot 04:53
tsimonq2:P04:53
wxli'd be interested in trying a sway flavor actually04:54
tsimonq2wxl: That makes four existing flavor people interested.04:55
Unit193Right, so reading proposed migration output...04:55
wxloh yeah and i'm starting a fbui flavor.04:55
tsimonq2Unit193: Oh?04:55
Unit193skipped: elogind (0, 5, 11) got: 7+0: a-1:a-4:a-0:i-0:p-0:s-2 * arm64: elogind, libelogind-dev, libelogind0, libpam-elogind04:56
tsimonq2Actually, that's a good point that I should add to the wiki page.04:56
Unit193Going to guess it's installability issues, which yeah that's sort of expected in Ubuntu since there's no systemd alternative.04:56
tsimonq2Yeah, even on notest.04:57
tsimonq2Hm.04:57
Unit193Which if sway depends on that...Hrm!04:57
tsimonq2Oh, well, I wonder why I thought that in the first place, since it wouldn't show as a candidate anyway if autopkgtests didn't pass.04:57
tsimonq2Unit193: It does?04:57
tsimonq2Wat?04:57
Unit193    - Make build-deps libsystemd-dev and libelogind-dev alternatives   So we'll want the new sway, good.04:58
tsimonq2  * libelogind0 is ABI compatible with libsystemd0 so conflict, replace and04:58
tsimonq2    provide libsystemd0 (=${source:Upstream-Version}), and also install04:59
tsimonq2Wait... wat?04:59
tsimonq2    libsystemd.so symlinks (Closes: #923244).04:59
Unit193...You understand the point of elogind, yes?04:59
tsimonq2I actually don't. To Google I go.04:59
Unit193To replace sytemd's logind, so one can have gnome or other such things on a sysvinit/openrc system.05:00
tsimonq2Elogind has been developed for use in GuixSD, the OS distribution of GNU Guix.05:01
tsimonq2Hmm.05:01
tsimonq2Okay.05:01
tsimonq2Unit193: So you're telling me that sway depends on this thing?05:01
* wxl blinks05:02
tsimonq2Oh.05:02
tsimonq2No, I'm glad it isn't.05:02
tsimonq2I guess they just want it to work in Devuan? :P05:02
Unit193https://sources.debian.org/src/sway/1.1.1-1/meson.build/#L55 well it *has* support.05:03
tsimonq2I wonder what went through Drew's mind to do that.05:04
Unit193Why not?05:04
Unit193Seems like a good thing to do.05:05
tsimonq2I'm just wondering why. :)05:05
wxlhttps://files.devuan.org/devuan_ascii/Release_notes.txt flavors are (consolekit + slim) + (XFCE|MATE) || (elogind + lightdm) + (Cinnamon|KDE|LXQt)05:06
Unit193That's like wondering why one would support logind..05:06
wxlalmost exactly05:06
Unit193Anyway, doesn't matter.  Things are sync'd.05:06
tsimonq2Ohhh, it just clicked to me that it's drop-in for their use case.05:07
tsimonq2Okay, that's cool.05:07
wxlthe sleeper has awakened05:07
tsimonq2There, added update_output_notest.txt to ProposedMigration.05:12
Unit193Wasn't there an openbox style Wayland compositor?05:26
=== mwhudson_ is now known as mwhudson
rbalintseb128, i'm -1 about nagging uploaders about infra issues, too, but this is not the sru team's fault, the infra should retry automatically09:09
seb128rbalint, right, fair enough09:10
rbasakseb128: I agree it's tedious to drive SRUs because of the false postiive autopkgtests09:52
=== ricab is now known as ricab|bbl
rbasakseb128: but I don't think it makes sense for the process to require that the limited-in-size SRU team do that driving when any uploader can do it. It'd be more efficient if everyone pitched in.09:52
rbasakseb128: separately, if we can figure out how to reduce the false positives, that'd be good too :)09:53
seb128rbasak, well, I know that some uploaders get confused on what to do when the test failures is an infra issue and just do nothing and then the SRU sits there for ages09:53
seb128indeed09:53
rbasaksil2100, seb128: I suggest a tag that means "autopkgtest results have false positives"09:54
rbasakThe notification could ask the uploader to tag if they've checked, and we could have the pending-sru report mark the autopkgtest faiilures green or something like that.09:55
rbasakThen uploaders will know what to do and the SRU team can focus on the ones that have been looked at first.09:55
seb128yeah, that would be better/less confusing I think09:57
sil2100rbasak: might be a possibility09:57
sil2100Anyway, even without the bug notification, in most cases people would anyway 'be confused' if they checked the autopkgtest failures, which we expect them to do09:57
LaneyThat indicator-session case from yesterday passed once the kernel had fully published out, by the way.09:57
sil2100As I said, nothing changed in the process or anything, we always expected people to look at autopkgtest results of their SRUs09:58
rbasakYes - adding the notification hasn't made anything worse IMHO.09:58
seb128Laney, you mean gnome-settings-daemon?09:58
LaneyThat was the trigger.09:58
seb128ah, right09:58
seb128crap, I did a test retry09:58
seb128thx awesome bar to completing to the retry url for me :/09:59
=== ricab|bbl is now known as ricab
ahasenackxnox: I've been testing apache2 with client cert auth following the openssl 1.1.1 update12:19
ahasenackI don't have a conclusion yet, but I've been finding some things12:19
ahasenackfor example, in disco, it doesn't even establish a connection, because browsers try tls 1.3, and that fails with this errror in the logs:12:19
ahasenack[Thu Jun 27 20:55:43.549681 2019] [ssl:error] [pid 2620:tid 140250923878144] [client 10.0.100.1:60000] AH10129: verify client post handshake, referer: https://bionic-apache-client-cert.lxd/12:20
ahasenack[Thu Jun 27 20:55:43.549715 2019] [ssl:error] [pid 2620:tid 140250923878144] [client 10.0.100.1:60000] AH10158: cannot perform post-handshake authentication, referer: https://bionic-apache-client-cert.lxd/12:20
ahasenack[Thu Jun 27 20:55:43.549732 2019] [ssl:error] [pid 2620:tid 140250923878144] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received12:20
rbasakahasenack: sounds like we should bump it to Critical?12:20
ahasenackI googled that extension, firefox seems to have it in some version, and chrome/chromium hasn't implemented it yet12:20
ahasenackrbasak: I just want to be sure my setup is ok first, client cert auth is messy to setup and prone to errors12:20
ahasenackI tried disco thinking it would be my good case, but it failed there too. I wanted to try xenial now12:21
rbasakAh12:21
rbasakSomehow I missed that it was limited to client cert auth only, sorry.12:21
maswanwe run on client cert auth all over at $work, and as of today everything is horribly slow :/12:21
ahasenackon tls v1.2, bionic, I get the same error as reported in https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/183303912:21
ubottuLaunchpad bug 1833039 in openssl (Ubuntu) "18.04/Apache2: rejecting client initiated renegotiation due to openssl 1.1.1" [Undecided,Confirmed]12:21
ahasenackmaswan: that's the bug above, a long timeout12:22
ahasenackrbasak: there is also something about mod reqtimeout, which we have set to 20s, I think the timeouts are related to that kicking in. I tried disabling it, but then the connection never times out12:22
ahasenacksomething else to investigate12:22
maswanyeah, our wiki maintainer already found that bug, and luckily it's almost weekend here and we hope for better times after the weekend. :)12:23
ahasenackthe upstream commit pointed at in the bug talks about tls v1.3 only:     mod_ssl: disable check for client initiated renegotiations with TLS 1.3.12:23
ahasenackbut we are seeing the timeouts with 1.212:23
ahasenackI think there are many things going on and we need to separate them12:23
ahasenackfirst, I don't think apache in bionic has tls v1.3 support12:24
maswanhm. it's 1.2 here, at least when it finally manages to connect and load12:24
parideahasenack, so in your setup it just fails, no long waits12:33
ahasenacknot what I said12:33
xnoxahasenack:  ouch12:33
* paride re-reads12:33
ahasenackin disco it fails, because tls 1.3 is negotiated, but apache complains the browser lacks a certain extension12:33
ahasenackI found bugs about that in firefox and chromium12:33
ahasenackin bionic I reproduce the timeout12:35
ahasenackand I think modrequesttimeout is playing a role here, maybe even helping, I'm not sure yet12:35
parideahasenack, and in disco there is no fallback to tls1.2, if I get it right12:36
ahasenackfor client cert auth, nope12:36
ahasenackthe upstream bugs need a closer inspection (firefox, chromium). There was one for apache too, when it was thought it was an apache bug, but apparently that was closed as invalid (that one I didn't even skim yet)12:37
parideahasenack, I wonder if changing the MinProtocol / MaxProtocol options in /etc/ssl/openssl.conf would have an effect in this case12:40
ahasenackapache has settings for that12:41
ahasenackI mean, if you are thinking about a workaround, it could be set in apache, if there is one12:42
ahasenackI'm not clear on the renegotiation feature, if it's allowed or not12:42
ahasenackopenssl's s_client can trigger a renegotiation, via the R key after the connection is established, and it's refused all the time by the server12:42
ahasenackI'm not sure yet what's the expected behavior12:42
ahasenackthese are my raw test setup instructions: http://paste.ubuntu.com/p/2fTg2yM2Ht/12:45
=== ricab_ is now known as ricab
xnoxahasenack:  paride: so upstream have refactored SSLVerifyCLient processing inside location stanzas14:18
xnoxahasenack:  paride: due to observed brokeness.14:18
xnoxahasenack:  paride: i don't think that's in any release.14:19
ahasenackxnox: are you saying this in response to my comment about things working if I move that outside of a location block?14:19
xnoxahasenack:  paride: shall we try capping apache2 to tlsv1.2 for now, across the board, until we can get new apache upstream release which is actually compatible and performance with tlsv1.314:19
ahasenackxnox: I don't think capping to 1.2 fixes it. That's in fact where I see the problem14:20
xnoxahasenack:  yes, moving things outside of the block fixes things. but existing deployments will not change their apache config.14:20
xnoxahasenack:  SIGH14:20
ahasenacktls 1.3 has another issue with browser support, that post-auth handshake situation14:20
xnoxahasenack:  it seems like we are about to do a quite a fat apache2 update of core & mod_ssl then14:20
ahasenackthat we can "fix" by capping to 1.214:20
xnoxahasenack:  right, so capping would fix that bit only, but not everything.14:20
ahasenackthe timeout is still there14:21
xnoxyes, timeout  / long delay got fixed in the refactor patch series14:21
xnoxahasenack:  what about eoan? i guess it's also still broken?14:21
ahasenackxnox: in this bug the commenter says it's fixed: https://bz.apache.org/bugzilla/show_bug.cgi?id=62691#c514:21
ubottubz.apache.org bug 62691 in mod_ssl "OpenSSL 1.1.1 and client-certificate renegotiation causes 1 minute delay" [Normal,Resolved: fixed]14:21
xnoxyeap that.14:21
ahasenackthe 1.3 patch is fully in 2.4.3914:21
ahasenackwhich we don't have in eoan, because of the dbeian freeze14:22
xnoxwhen i looked at backporting that, to bionic it looked akward.14:22
ahasenackI was just discussing this with the team this week, if we should go ahead of debian for some packages14:22
xnoxahasenack:  it's not unusual for us to do that during a freeze.14:22
xnoxahasenack:  and/or ask debian to upload things into experimental for us to merge/sync from14:22
ahasenackxnox: I haven't tried eoan. I stopped at disco while still trying to understand the issues at play, differenciating the timeout from the tls v1.3 post-auth handshake issue14:23
ahasenackdisco+ can be tested if we disable tls 1.314:24
ahasenackI can do that14:24
ahasenackjust need to be careful, I'm trying multiple things at the same time14:24
ahasenackand certificate auth quickly gets messy14:24
xnoxindeed14:24
parideahasenack, true; I'm trying to replicate your setup from the pastebin14:25
ahasenackyeah, it's a bit raw14:25
ahasenackthe reqtimeout change, for example,14:25
ahasenackwith that  module disabled, the connection doesn't complete, it stays stuck14:26
ahasenackand I saw in another comment in one of these multiple bugs that 2.4.39 has an extra setting in that module specifically for ssl handshakes14:26
ahasenackwhich one user was hoping to use as a workaround14:26
xnoxhmmmm14:27
xnoxahasenack:  rebuild apache against openssl 1.0.214:27
ahasenackhmmm14:33
ahasenacknot wanting to get hopes up14:33
ahasenackbut I think I found a patch that worked14:33
tewardxnox: fwiw14:33
tewardhttps://bugs.launchpad.net/ubuntu/+source/kopano-webapp/+bug/183405214:33
ubottuLaunchpad bug 1834052 in kopano-webapp (Ubuntu) "autopkgtest failures: Chromium-Related in Tests" [Medium,In progress]14:33
tewardregarding the badtest14:33
ahasenackhttps://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a84414:33
tewardxnox: just to mention i noticed the same problem when nginx got stuck as well14:34
tewardi've asked in -release for it to either be ignored or badtested several times with E:NoResponse14:34
ahasenackyea, that patch worked14:37
ahasenackxnox: paride: https://github.com/apache/httpd/commit/bbedd8b80e50647e09f2937455cc57565d94a84414:37
ahasenackI'll ask for people to test the ppa I have14:37
ahasenackhttps://launchpad.net/~ahasenack/+archive/ubuntu/apache2-client-cert-183303914:38
parideahasenack, the description and comments sound very promising14:38
ahasenackit fixed my test case at least14:39
ahasenacktried multiple times: package from distro, fail/timeout; upgrade to ppa, works14:39
xnoxahasenack:  that looks ok14:45
xnoxahasenack:  but please test it in all apache mode.14:46
ahasenackwhich modes do you mean?14:46
xnoxahasenack:  i.e. forking / threading / blocking / non-blocking "worker" engine stuff. => not sure about terminology, but does that make any sense at all?14:46
ahasenackah, mpm14:46
ahasenackgiven the setup intructions I have, I could even add a dep8 test for this probably, but that would take more time14:47
xnoxahasenack:  there are cases where unsetting auto_retry may result in things not consumed right (hang) if the app doesn't know how to handle the SSL read/write_more_wanted error codes.14:47
ahasenackwell, that is committed upstream already14:47
xnoxahasenack:  just restart the server locally with one vs the other engine. should be good enough.14:47
ahasenackI could check if there were follow-up commits14:47
xnoxahasenack:  true, just thinking if it has more commit deps or follow-ups => yes that.14:48
ahasenackok14:48
xnox(you are on track there)14:48
ahasenackmaybe it's not even the auto-retry that fixed it, the other bit of that commit looks suspiscious14:49
ahasenack" For OpenSSL >=1.1.1, turn on client cert support "14:49
ahasenackthe autoretry could be specific to tls v1.314:49
ahasenackanyway14:50
tewardxnox: do we want to push any Ubuntu level changes to fix the tests in kopano-webapp so we don't need to badtest it? oSoMoN did some debugging and found it's specifically due to passing a log-path arg to chromedriver (and snap isolation being the problem)14:53
tewardrather than just badtesting the tests14:53
tewardat least, until Debian does something about the test ( oSoMoN made a Pull Req in Debian to fix the test, but Debian is frozen so...)14:53
xnoxteward:  if there is a fix, i'm happy to upload it into ubuntu.15:11
xnoxteward:  link?15:11
tewardxnox: https://salsa.debian.org/giraffe-team/kopano-webapp/merge_requests/1/diffs15:12
tewardit requires alteration to d/tests/test_webapp.py15:12
tewardbut just adjusting the service_args15:12
tewardauthor is oSoMoN15:12
xnoxack15:12
tewardxnox: I can push it in also (yay for coredev) but wanted to check BEFORE making any changes15:12
xnoxahasenack:  yeah that other bit, is weird.15:12
xnoxteward:  it looks harmless, go for it.15:13
tewardack15:13
teward.. bleh where'd i put the code...15:13
xnoxteward:  as long as, like we don't collect the log from that path. Or like we assert on stderr and without the log, it will start producing stderr.15:13
teward... oh that's right it was in my tmpfs *derp*15:13
tewardxnox: AFAICT that's not even a retrievable artifact after autopkgtests have run15:13
tewardmy guess is it'll spit out to stdout/stderr15:13
tewardbut oSoMoN would have details there15:14
Laneytest it yourself15:14
tewardxnox: that is, however, the reason chromedriver is crashing15:14
Laneydon't blindly upload15:14
tewardLaney: i am testing it - slowly ;)15:14
* teward is currently stuck in a "Downloading files" state15:14
* Laney sends some bandwidth over in the post15:19
Laneywould be good if the installing snap stage showed progress15:22
tewardindeed15:23
tewardLaney: i'm running the autopkgtest locally, it's slow only because of the Internet being stupid.15:23
tewardit's the uplink speed here there's a lot of visitors on site too so it breaks things.  and apparently my LXD image for Eoan autopkgtests is broken soooo..... i'mma have to rebuild it.15:25
* teward rebuilds the LXD image15:25
* teward runs the autopkgtest15:27
Laneyyou might have some trouble installing the snap there15:28
Laney(that's the armhf problem)15:28
tewardLaney: amd64 can install it fine15:30
tewardmy infra's amd6415:30
tewardthe amd64 failure is due to log-path and snap confining15:30
Laneyit is not an arch problem, it is a VM vs LXD problem15:30
tewardLaney: well SO FAR I haven't had the issue in my local snaps15:30
tewards/snaps/LXD tests15:30
Laneyit's possible to have lxd containers which can install snaps, sure15:31
Laneythe ones we have for autopkgtest can't, though15:31
tewardright but i'm talking for my local tests, not the ones in use on the autopkgtest env.15:31
tewardif we can pass the amd64/i386 tests we can badtest the armhf still15:31
tewardTHAT i already asked for :p15:31
LaneyI said might15:31
tewardand got E:NoReply in -release15:31
Laneyand that badtest is already there15:32
oSoMoNteward, it's likely that without a --log-file parameter, the --verbose switch to chromedriver will make it write to stderr, but that should be fine because the autopkgtest already has the allow-stderr restriction15:34
tewardoSoMoN: indeed.15:35
oSoMoNhttps://sites.google.com/a/chromium.org/chromedriver/logging confirms it will write to stderr15:35
tewardi don't have a VM to autopkgtest with damn snaps.15:35
tewarddoes autopkgtest have a vmware hook for creating VMs for testing? just curious15:36
tewardi have VMware Workstation on this system which is why I ask :|15:36
Laneynein15:39
tewardmeh qemu it is then.15:40
* teward installs into the system15:40
tewardat least i have a local archive mirror so it will do THAT part fast heh15:40
Laneyteward: oSoMoN: It's still failing for me fwiw https://paste.ubuntu.com/p/GJJPNB3BwR/15:48
tewardLaney: *with* the patch?15:48
Laneyyes15:48
tewardoSoMoN: sounds like it's still fubar.15:48
oSoMoNmeh15:49
tewardstill going to get my Eoan qemu autopkgtest env set up15:49
Laneysorry :(15:49
tewardbut it's slowwwwwwwwwww (56% of 500MB and I'm jacked right into the network)15:49
oSoMoNLaney, passing here, in an eoan amd64 VM15:57
Laneyrun it with autopkgtest, that's what I've been doing15:57
oSoMoNyes, I’ve run it with autopkgtest -B . -- null15:57
oSoMoNverified failing without the patch, and passing with it15:57
Laney...15:58
LaneyI mean it fails15:58
Laneytry the qemu runner15:58
Laneyautopkgtest --output-dir out2 --shell-fail --timeout-copy=6000 --apt-upgrade kopano-webapp_3.5.6+dfsg1-1ubuntu1.dsc  -- qemu --ram-size=8192 ../reallytemp/autopkgtest-eoan-amd64.img15:58
oSoMoNgotta go now, family waiting for me, but please keep me posted (comments on the bug), thanks!15:59
tewardLaney: i'll do so as soon as this thing finishes building the image.  It's sit on libc6 triggers :|16:03
=== ShibaInu is now known as Shibe
LocutusOfBorghello xnox, can I fix borgbackup please?16:56
ahasenackxnox: confirmed disco works with client cert auth with no timeouts if I disable tlsv1.3 in the vhost (SSLProtocol all -SSLv3 -TLSv1.3). With TLSv1.3 I get17:03
ahasenackout of the box, I get https://pastebin.ubuntu.com/p/XdWq2xzq7Z/ (out of the box we have tlsv1.3 enabled)17:03
ahasenackso that will need a different fix, even if it's disabling tlsv1.317:03
ahasenackFF needs release 68 to work as far as I can tell, we are at 6717:04
=== ricab is now known as ricab|bbl
=== ricab|bbl is now known as ricab
=== Wryhder is now known as Lucas_Gray

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!