/srv/irclogs.ubuntu.com/2023/02/11/#ubuntu-discuss.txt

[01:46] <JanC> aaronprisk[m]: using sudo with apt source results in the downloaded files having the wrong owner though
[01:46] <JanC> so that doesn't seem like a good idea
[01:47] <JanC> it's fine as a workaround for now, I guess, but...
[01:48] <sarnold> if your users aren't going to steal your token and use it elsewhere, you could set the files world readable
[01:48] <sarnold> then any user could apt source
[02:09] <JanC> if all related infrastructure supports that (and doesn't revert the permissions on updates/changes or whatever)
[02:10] <ViatonWidz[m]> <JanC> "it's fine as a workaround for..." <- chmod 640 90ubuntu-advantage
[02:10] <ViatonWidz[m]> chgrp adm 90ubuntu-advantage
[02:10] <ViatonWidz[m]> make sure you're in adm group
[02:10] <ViatonWidz[m]> apt source <packagename> No sudo!
[02:13] <JanC> ViatonWidz[m]: but will that survive upgrades of whatever package drops that file there?
[02:16] <ViatonWidz[m]> Debian policy is for modified config files in /etc/ to remain unchanged during updates.
[02:16] <ViatonWidz[m]> you can reinstall the ubuntu-advantage-tools package to verify
[02:16] <sarnold> perhaps the pro tool would reset the owners/permissions if you enable or disable other services
[02:21] <ViatonWidz[m]> SERVICE          ENTITLED  STATUS    DESCRIPTION... (full message at <https://libera.ems.host/_matrix/media/v3/download/libera.chat/1eea7701118c5c5b1116f91c3dfdb1fba19fdcc2>)
[02:22] <sarnold> livepatch won't modify that file
[02:22] <sarnold> note the week old timestamp :)
[02:22] <sarnold> livepatch is installed via a snap, and then it downloads kernel modules itself
[02:26] <ViatonWidz[m]> why would livepatch modify an auth file? It's the uaclient that created and touches. And enabling the livepatch service didn't modify the file at all. But as I mentioned to JanC, reinstalling the ubuntu-advantage-tools package also doesn't alter it.
[02:27] <sarnold> hmm, maybe I misunderstood what you're trying to say
[02:28] <sarnold> if you want to see if the pro command will modify the owner, group, or permissions of the apt configuration file that pro added, test via modifying the esm-apps or esm-infra service
[02:28] <sarnold> those actually use apt
[02:28] <JanC> it's not only what happens now, but also what will happen in the future  :)
[02:29] <sarnold> if you find a way to test that, please let me know :)
[02:29] <JanC> if the goal is to make that official, better add test cases for it  :)
[02:30] <JanC> to make sure that any changes to all these tools in the future won't mess with ownership/permissions (or even make those proposed changes the default?)
[02:32] <ViatonWidz[m]> OOOOh it did! it did change the perm back to 0600.
[02:32] <ViatonWidz[m]> Bad pro violating Debian policy like that! But I'm not gonna disable the services anytime soon so I'm not sure when I'd run into that issue.
[02:32] <sarnold> we discussed making the more open permissions the default and decided against it; we can't assume that every user on everybody's system can be trusted with the tokens
[02:33] <JanC> sarnold: but with group permissions that could work
[02:33] <sarnold> JanC: maybe; it's a change from 'adm can read logs' to 'adm can read logs and also use up your machine licenses'
[02:34] <sarnold> maybe the logs already have the token? hah
[02:34] <JanC> it could be another group if necessary
[02:36] <JanC> (you could reuse the sudo group, as those people get access to it anyway, but that seems semantically wrong)
[02:40] <JanC> or alternatively APT could somehow be allowed to read it even when not run as root (or it could call sudo itself only to read that file but not to download?)
[02:40] <sarnold> strong NACK on that one :)
[02:40] <sarnold> picking groups is just bikeshedding, everybody loves a good bikeshedding
[02:42] <JanC> not having all of APT run as root would actually be a security improvement in itself too  :)
[02:42] <sarnold> sure, that's why it uses _apt to download files, if it can
[02:44] <JanC> maybe that all just needs to be improved then  :)
[02:44] <JanC> but that would be a major change to apt, I suppose
[02:44] <sarnold> I've been begging for a rust rewrite for a few years
[02:45] <JanC> rust wouldn't exactly fix all the possible issues
[02:45] <sarnold> no
[02:45] <sarnold> but it'd do wonders for the 30-year-old C++ish code
=== Zesues9 is now known as Zesues
[06:30] <lotuspsychje> good morning
[06:54] <gonix> where is mr cola? lol
[06:54] <gonix> hi lotuspsychje.
[06:54] <lotuspsychje> morning gonix
=== EriC^ is now known as EriC^^
[12:28] <wez> Evening lotuspsychje!
