[02:35] hmm, is it a known bug that launchpadlibrarian.net would return user uploaded plain text content as text/html content-type? https://launchpadlibrarian.net/461085327/syslog
[04:58] Hello, my builds at https://code.launchpad.net/~epoptes/+recipe/epoptes-stable fail with "You are in 'detached HEAD' state."
[04:58] Is this a launchpad issue, should I just retry later, or is it something on my side?
[05:00] Hmm I wonder if it's related to tagging... "error: Entry 'debian/changelog' overlaps with 'debian/changelog'. Cannot bind."
[05:03] Oh sorry my bad, I forgot to update the epoptes-stable recipe after merging debian into master, I only updated the epoptes-proposed recipe
[18:27] tomreyn: It will return the content type specified in the upload. That's why it's on its own domain, with only public content.
[18:53] a separate domain certainly breaks most attack vectors there. phishing remains possible.
[18:55] i.e. think forged sso login page.
[18:58] actually this reminds me of bug 1835964 (which i admit is really quite irrelevant nowadays)
[18:58] bug 1835964 in Launchpad itself "Prevent XSS due to MIME Type Sniffing bugs in old Internet Explorer" [Low,Triaged] https://launchpad.net/bugs/1835964
[19:19] tomreyn: We don't consider phishing on an alternate domain like that to be an interesting attack vector.
[19:19] It's a compromise, like services like GitHub Pages, for example.
[19:19] Alternate 2LD
[19:21] wgrant: i see where you're coming from there. github pages is limited in what you can push to it, though, and i assume it would not be easy to host a forged github login page there.
[19:23] i.e. you can only push to it through their trimmed down jekyll fork.
[19:25] I don't think those restrictions manage to prevent any meaningful class of attacks.
[19:25] But I haven't looked in a while.
[19:26] i haven't tried to find out. it's also probably outside the scope of their bug bounty for the same reasons you provided.
[19:26] would you consider it abusive if i uploaded an (intentionally broken) proof of concept to show it to you or to link to it in a bug report?
[19:26] No. It's been done before. But we would be very unlikely to consider it a valid bug.
[19:27] We are entirely aware of this attack vector, so demonstrating it isn't useful, but also not forbidden.
[19:27] Anyway, I need to get on a plane.
[19:28] okay, then there's no use in posting it other than increasing the risk of those who shouldn't becoming aware of it. have a good flight.
[19:39] (slow boarding is slow. Looks to me like you can still push arbitrary content to GitHub Pages. Doesn't even have to run through Jekyll)
[19:49] oh, really, i wasn't aware, never tried.
[19:54] and apparently it's "we don't care what you put there" mode in github.io's case: https://securityheaders.com/?q=https%3A%2F%2Fsha-mbles.github.io