/srv/irclogs.ubuntu.com/2020/10/21/#launchpad.txt

[03:15] <FourDollars> How to remove the oem-priority bug_task from https://bugs.staging.launchpad.net/oem-priority/+bug/1900169 by Launchpad API?
[03:15] <ubot5> Ubuntu bug 1900169 in juju "Creating a controller leads to eternal hang (no timeout)" [Medium,Confirmed]
[03:23] <FourDollars> I found bugtask.lp_delete() on http://bazaar.launchpad.net/~lazr-developers/launchpadlib/trunk/view/head:/contrib/delete_bugtasks.py.
[08:30] <seb128> hey there, I just did an upload to Ubuntu which got approved (it's showing in the queue, https://launchpad.net/ubuntu/groovy/+queue?queue_state=1&queue_text=) but I didn't get an email and the #ubuntu-release bot didn't notify about it either, so I was wondering if there is maybe an issue on the launchpad side with upload notifications?
[09:26] <seb128> it worked for other uploads, but langpacks are special to avoid spam right? said differently unping :-)
[09:27] <cjwatson> I think there are some notification oddities around langpacks, yes
[09:27] <cjwatson> Or more specifically around anything in Section: translations
[09:28] <cjwatson> https://git.launchpad.net/launchpad/tree/lib/lp/soyuz/mail/packageupload.py#n314
[09:30] <seb128> cjwatson, thx
=== cpaelzer__ is now known as cpaelzer
[15:33] <tomreyn> cjwatson, wgrant: recent chat from -hardened, just FYI: https://paste.ubuntu.com/p/zpdNwDr24B/
[15:44] <cjwatson> We're aware
[15:44] <cjwatson> I agree we need to fix it, but it needs coordination with the client side too
[15:45] <cjwatson> Since apt doesn't have a way to deal with its end of key rotation, so actually doing it would be very disruptive at the moment
[15:47] <tomreyn> i agree it would be disruptive at the moment, as it would have been 5 years ago, when it was first pointed out on the bug tracker that "1024-bit RSA was deprecated years ago by NIST[1], Microsoft[2] and more recently by others[3]."
[15:48] <cjwatson> This is not likely to be a very productive discussion, I see
[15:48] <tomreyn> i understand you cannot change apt, and it may require coordination if the disruption is to be prevented.
[15:48] <tomreyn> my intent was not to blame, but to point out that it's been a long time.
[15:49] <cjwatson> I generally don't find pointing out the age of bug reports to be especially productive
[15:49] <cjwatson> It's always necessary to triage, and sometimes things slip through for one reason or another
[15:50] <cjwatson> Perhaps the LP team can start a productive conversation with juliank at some point about what we'd need to do to make key rotation happen
[15:50] <cjwatson> I would prefer it not to be now since I'm about an hour away from the end of my week
[15:50] <juliank> heh
[15:50] <juliank> I'm on a break before a meeting about to hit my indoor cycling
[15:52] <juliank> I don't mind changing apt such that 3rd party repositories can do key rotations
[15:52] <cjwatson> Another thing we could possibly do to dodge the issue in the short term and deal with xnox's problem would be to adjust the way keys are reused between multiple PPAs owned by the same user; we could for example only reuse keys that meet current standards
[15:53] <cjwatson> That would probably be much easier and doable immediately, so I'll put that on my near-term to-do list
[15:53] <juliank> Don't reuse keys at all?
[15:53] <juliank> Like, add-apt-repository stores them per ppa anyway
[15:53] <cjwatson> Also a possibility
[15:53] <cjwatson> But I'd need to apply Chesterton's Fence
[15:54] <cjwatson> (i.e. the general principle that you should find out why it was that way before changing it)
[15:55] <cjwatson> It's possible it was just some kind of load concern in which case it's probably no longer an issue
[16:01] <tomreyn> the age of bug reports seems to matter (to me, anyways) when they have security impact and it means the window of opportunity for attacks on weak crypto extends, and the ease by which those can be carried out keeps decreasing (improved cryptanalysis, new and more potent hardware).
[16:01] <tomreyn> i really didn't mean to trigger bad feelings on this (it appears these were present previously, though). i really just would love to see this improve. so, if i may: pleeeease cooperate and see if you can contribute towards a way forward which will work for everyone (after compromising).
[16:14] <cjwatson> Believe me I have personally been working extremely hard to sort out various bits of our crypto - it's not something I discount
[16:17] <cjwatson> I don't believe 1024-bit RSA has yet been successfully attacked directly, though I agree that it's looking shaky enough that the recommendations for a longer key length are very sensible
[16:17] <cjwatson> So my priority has been to deal with things that are worse than that
[16:18] <cjwatson> E.g. at present addressing the issue brought up recently that our SSH endpoints don't implement the recent rsa-sha2-* extensions and so are effectively still using SHA-1 when RSA public keys are used
[16:19] <cjwatson> (As well as in parallel working on the complicated pile of stuff necessary to be able to support Ed25519)
[16:20] <cjwatson> Being humans with finite time this is the sort of prioritisation that we generally have to do, irrespective of the age of reports
[16:21] <cjwatson> But in this particular case there do seem to be things we can do to improve things relatively immediately without needing to get into complex coordination issues
[16:24] * cjwatson finds https://git.launchpad.net/launchpad/commit?id=9a31edbd8c8c34f39e06a13ccb0fd780cfd8cb10. The closest thing to a rationale there is "The *trust* belongs to the archive maintainer (owner) not the archive itself", which is technically true but the point that add-apt-repository stores them separately anyway stands; that was early in the evolution of PPAs so it seems reasonable to me to override that decision
[16:25] <cjwatson> (And also, to clarify, I don't think there are any bad feelings between LP and apt.  It's just a somewhat tricky technical problem to solve)
[16:40] <tomreyn> No doubt there. It seems that not enough manpower has been going into maintaining the infrastructure, for years.
[16:43] <cjwatson> There was a period of a few years when it was severely understaffed, and we're doing a lot of catch-up from that.
[16:43] <cjwatson> For the last year or so we've had a proper team and development roadmap and such.
[16:45] <cjwatson> But obviously one can't just catch up instantly.
[16:45] <tomreyn> oh nice, that's good news!
[16:46] <tomreyn> well, news to me, anyways :)
[16:47] <cjwatson> A lot of the work involved here has been somewhat internal and maybe less visible, but aimed at lowering development friction - upgrading our internal infrastructure, library upgrades, training, distributing support duties, all that sort of thing
[17:56] <Odd_Bloke> I don't need it looked at specifically (I can just wait), but https://launchpad.net/~oddbloke/+archive/ubuntu/gh608/+build/20171641 has been uploading for ~40mins (and should be a handful of MB at most).  Just a heads-up in case there's something unexpected going on.
[19:05] <cjwatson> Odd_Bloke: It's done now; nothing unexpected particularly, just a bit of a backlog and some large uploads (that queue is processed serially, unfortunately)
[19:08] <Odd_Bloke> Thanks!
[22:08] <cjwatson> tomreyn,juliank: BTW you did manage to nerdsnipe me into putting together a patch for https://bugs.launchpad.net/launchpad/+bug/1700167 to not reuse keys just before going on holiday
[22:08] <ubot5> Ubuntu bug 1700167 in Launchpad itself "new PPAs are re-using old 1024-bit RSA signing keys" [High,In progress]
[22:09] <sarnold> haha :)
[22:12] <sarnold> wow, that's almost all tests, except for a big hunk of code removal
[22:13] <cjwatson> Launchpad has a *lot* of tests so this isn't too uncommon
[22:14] <cjwatson> And a lot of the really old code has tests written as horribly entangled doctests, so it can sometimes end up being quite involved to disentangle those
[22:17] <sarnold> it certainly reminded me of the most recent launchpad merge request I read, which was something like 97
[22:17] <sarnold> 97% tests :) heh
[22:18] <cjwatson> Mostly we like it that way
[22:19] <cjwatson> I'd often like the tests to be better organised, but don't regret the proportion!
[22:19] <sarnold> yeah, most people are dreaming they'd have more tests :)
[22:20] <sarnold> dreaming about a better way to arrange the tests.. well done :)