[10:31] <solderfumes> Hello Launchpad Admins! I'm getting certificate errors when trying to connect to https://ppa.launchpad.org
[10:31] <solderfumes> The certificate that is served is valid for private-ppa.launchpad.net
[10:31] <solderfumes> ^ it's https://ppa.launchpad.net
[10:54] <cjwatson> solderfumes: ppa.launchpad.net only supports HTTP.  The fact that it responds at all on HTTPS is a coincidence.
[10:54] <cjwatson> solderfumes: We'd like to support HTTPS for public PPAs on general principles (and there's a bug report for that), but in order to do that without risking the integrity of launchpad.net session cookies we need to first move it to some other hostname.
[10:55] <solderfumes> hmmm, then I have mistaken the cause of the error
[10:56] <cjwatson> The error is in attempting to use https://ppa.launchpad.net at all :-)
[10:56] <solderfumes> I have SSL issues adding a ppa using `add-apt-repository`, 
[10:56] <cjwatson> (as opposed to http://ppa.launchpad.net)
[10:57] <cjwatson> add-apt-repository doesn't normally attempt to use https://ppa.launchpad.net, because if it did it would break for everybody ...
[10:57] <cjwatson> Are you sure you don't have some local modifications to add-apt-repository, or something else you're doing afterwards?
[10:57] <solderfumes> of course, in that case the error is not related to https://ppa.launchpad.net
[10:58] <cjwatson> Perhaps you could step back and show a transcript of the error you started from?
[10:58] <cjwatson> (and what commands you entered to provoke it)
[11:00] <solderfumes> what's a good place to drop blocks of text these days?
[11:01] <solderfumes> adding a ppa:
[11:01] <solderfumes> https://hastebin.com/gayitakari.sh
[11:01] <cjwatson> paste.ubuntu.com is often used around here, but whatever
[11:02] <solderfumes> Trying to get the anbox snap also has me issues? https://hastebin.com/ocajomomep.sh
[11:02] <cjwatson> So the TLS issue here is going to be on api.launchpad.net
[11:02] <cjwatson> But it looks like your system has problems with the Let's Encrypt cert chain
[11:02] <solderfumes> oohhh wait, part of the Let'sEncrypt chain just expired
[11:03] <cjwatson> Or are you missing a root cert?
[11:04] <solderfumes> My `ca-certificates` is up to date, so I'm wondering what's wrong
[11:04] <cjwatson> Try 'dpkg-reconfigure ca-certificates' and make sure you have the relevant roots
[11:04] <cjwatson> ISRG Root X1
[11:06] <solderfumes> All right, that fixed it. I don't remember editing any of the root certs.
[11:06] <cjwatson> Especially if you have "Trust new certificates from certificate authorities?" set to something other than the default of yes
[11:06] <cjwatson> It's possible you told your system at some point in the past not to trust new CA certificates until manually confirmed, and so it didn't add newish ones like ISRG Root X1
[11:07] <cjwatson> (newish = 2015, but still)
[11:09] <solderfumes> I greatly appreciate the help, even though this was definitely user error, and not a launchpad issue. I didn't even know ca-certificates had an interactive configuration screen, let alone remember setting it not to trust the new roots.
[11:14] <cjwatson> No problem - it's the sort of thing that's moderately obvious once you know about it but completely opaque if you don't
[11:14] <cjwatson> A bit like C++ compilers.  You made a one-character mistake, here, have a 500-line error message
[15:07] <diddledani> cjwatson: I'm not sure I understand the reasoning there about exposing session cookies to ppa.launchpad.net being bad - there's no user-submitted code execution on that url so it doesn't matter that the session cookie is shared, IMO
[15:09] <diddledani> but if it is still considered bad then we can rewrite the cookies to have a specific hostname instead of a wildcard and create a cookie for each subdomain that needs it on login (all set at once still like it currently works just with namespaces)
[15:10] <cjwatson> diddledani: https://bugs.launchpad.net/launchpad/+bug/1473091
[15:11] <cjwatson> You might think there's no user-submitted code execution, and it might be true, but it's difficult to prove
[15:11] <cjwatson> And using a specific hostname doesn't work because of LP's vhosts
[15:12] <cjwatson> We have gone round and round on this quite a few times, it's not clear we need to go round again
[15:12] <diddledani> well, what avenues are there for submitting serverside code or browser javascript to that url?
[15:13] <cjwatson> Users can put arbitrary files on ppa.launchpad.net via custom uploads, and all it would take would be a bug in the HTTP header setup for it to end up being executable by browsers
[15:17] <diddledani> about the specific hostname cookie I meant set multiple cookies at once, one per subdomain that should have access to the session - i.e. not wildcard
[15:25] <diddledani> I see the issue you linked is 6 years old already.. if I put effort into it, what needs doing to get this over the line?
[15:26] <cjwatson> Firstly, we still need to send a launchpad.net cookie, and AIUI some versions of some browsers aren't as strict as you might hope about host-only cookies.  Secondly, an attacker with control of a page on a subdomain can set cookies for the domain, so somebody with control of a browser-executed page on ppa.launchpad.net could set cookies for launchpad.net, resulting in various possible attacks.
[15:27] <diddledani> ok, I see your reasoning. what can I do to help?
[15:27] <cjwatson> I'm not sure whether there's much that somebody outside Canonical can do to make progress on that bug right now.  We need to get a suitable domain and start switching over to it.  At some point it may be helpful for people to work on the long tail of things that refer to ppa.launchpad.net once an alternative exists.
[15:28] <diddledani> the fact that it has laid dormant for 6 years though suggests that nobody in canonical wants to fix it.
[15:28] <cjwatson> Bad inference
[15:28] <diddledani> yes, but that is still the inference
[15:29] <cjwatson> wgrant and I talked about it a couple of years ago and agreed to go for ppa.launchpadcontent.net (I think - unfortunately I don't seem to have written the agreement down anywhere) - it's just not quite made it to the top of to-do lists
[15:30] <cjwatson> For the record I'm basically not going to engage with "this is old so you obviously don't care" types of arguments because if I did I'd never get anything done
[15:31] <diddledani> I didn't say you don't care, I said you have no motivation to fix it - being not at the top of a todo list counts as no motivation because the todo list isn't motivating you because it's not at the top
[15:32] <cjwatson> This isn't going anywhere
[15:32] <diddledani> I'm not moaning, I really do want to help.
[15:32] <diddledani> but you're telling me only canonical can do something about it, and canonical aren't doing anything about it
[15:33] <cjwatson> wgrant: Can you confirm my recollection of ppa.launchpadcontent.net as the agreed domain, and then I can at least get the RT ticket ball rolling?
[15:34] <cjwatson> (We talked about it in Frankfurt, I think, and then the pandemic happened)
[15:34]  * diddledani pokes the panama with a pokey stick. damned bugs getting everywhere ;-p
[15:39] <cjwatson> Problem with having discussions in person is that they less reliably get into my notes doc ...
[15:40] <diddledani> I fell that!
[15:40] <diddledani> feel*
[15:40] <diddledani> I am terribad at writing notes
[16:10] <tomwardill> cjwatson: fwiw, I can confirm that's what we said about the PPA url.
[16:11] <diddledani> \o/
[16:11] <tomwardill> and yeah, I think it was Frankfurt
[16:11] <diddledani> jetsetter ;-p
[16:11] <diddledani> s*
[16:25] <cjwatson> tomwardill: ah, thanks (and hello)
[16:25] <tomwardill> hi! :)
[16:46] <cjwatson> Filed https://portal.admin.canonical.com/C133313 (internal link only) asking for domain registration
[17:19] <diddledani> thanks, cjwatson 
[17:23] <Mc> Hi! I keep getting timeouts when launchpad tries to fetch code from gitlab ( https://code.launchpad.net/~inkscape.dev/inkscape/+git/inkscape ) - is there a way to get around this ? Thanks :)
[17:52] <sarnold> "Last successful import was 18 seconds ago. " hah
[17:57] <sarnold> a bunch died in compressing objects. I wonder how much longer was left, and I wonder if future runs would have run to completion within the hour if the previous run had run to completion..
[17:57] <sarnold> is there a chance these would become more reliable and finish in under a hour more reliably if the timeout were raised, so more of them could finish at all?
[18:35] <Mc> I guess