Re: Point of reviews
On Fri, May 23, 2014 at 12:01:43PM -0400, Scott Kitterman wrote:
> On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> > Does this mean that anyone can bypass the NEW queue by uploading a package to any PPA and then copying it using copy-package? If yes, then I would consider it a security hole.

This is https://bugs.launchpad.net/launchpad/+bug/993120. I think I've finally figured out how to fix this without blocking on more fundamental redesign work, so I'm working on this now.

> Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers. It not only can bypass New, it can bypass all the normal sponsorship process.

I raised this in a discussion today about the CI Airline (which will be replacing CI Train soon), requesting that we make sure that the Airline uses LP's checkUpload method to ensure that every change it lands has been reviewed by (at least) somebody who can upload the package in question; in my mind that makes it equivalent to a fancy sponsorship system for this purpose. This is on the to-do list for the Airline now, if I'm reading the task list correctly.

--
Colin Watson [cjwat...@ubuntu.com]

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: Point of reviews
On Thursday, May 29, 2014 14:48:24 Colin Watson wrote:
> On Fri, May 23, 2014 at 12:01:43PM -0400, Scott Kitterman wrote:
> > On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> > > Does this mean that anyone can bypass the NEW queue by uploading a package to any PPA and then copying it using copy-package? If yes, then I would consider it a security hole.
>
> This is https://bugs.launchpad.net/launchpad/+bug/993120. I think I've finally figured out how to fix this without blocking on more fundamental redesign work, so I'm working on this now.
>
> > Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers. It not only can bypass New, it can bypass all the normal sponsorship process.
>
> I raised this in a discussion today about the CI Airline (which will be replacing CI Train soon), requesting that we make sure that the Airline uses LP's checkUpload method to ensure that every change it lands has been reviewed by (at least) somebody who can upload the package in question; in my mind that makes it equivalent to a fancy sponsorship system for this purpose. This is on the to-do list for the Airline now, if I'm reading the task list correctly.

Thanks for working on this. It seems to me the key control point is whatever controls if something is eligible to go into the archive. If that's a review, then what you're suggesting seems spot on.

Scott K
Point of reviews, was Fwd: Re: [Merge] lp:~timo-jyrinki/kubuntu-packaging/qtdeclarative-opensource-src_fixpkgname into lp:~kubuntu-packagers/kubuntu-packaging/qtdeclarative-opensource-src
If you look at this merge proposal, it was disapproved with a suggestion that it was premature. Despite that, it got released and into the archive anyway. So what's the point of review? If the result of a negative review is "Oh, we ignored you, we'll override the disapproval and merge anyway", why even bother? Just merge whatever you feel like.

I'm starting to think Canonical's Qt5 stack should go in its own namespace separate from the one used by Debian/Kubuntu as was discussed at the last vUDS. I don't sense much interest in collaboration.

Scott K

-- Forwarded Message --

Subject: Re: [Merge] lp:~timo-jyrinki/kubuntu-packaging/qtdeclarative-opensource-src_fixpkgname into lp:~kubuntu-packagers/kubuntu-packaging/qtdeclarative-opensource-src
Date: Friday, May 23, 2014, 06:20:27
From: Timo Jyrinki timo.jyri...@canonical.com
To: Timo Jyrinki timo.jyri...@canonical.com

This was released, and accepted during the night, so I'm going to approve this for merging anyhow. We try to be as quick as possible with Qt 5.3.

--
https://code.launchpad.net/~timo-jyrinki/kubuntu-packaging/qtdeclarative-opensource-src_fixpkgname/+merge/220601
You are reviewing the proposed merge of lp:~timo-jyrinki/kubuntu-packaging/qtdeclarative-opensource-src_fixpkgname into lp:~kubuntu-packagers/kubuntu-packaging/qtdeclarative-opensource-src.
Re: Point of reviews
2014-05-23 14:41 GMT+02:00 Scott Kitterman ubu...@kitterman.com:
> If you look at this merge proposal, it was disapproved with a suggestion that it was premature. Despite that, it got released and into the archive anyway. So what's the point of review?

I'm not sure if you noticed the timeline, but it got released before the reviews. Had I read negative reviews before I hit the publish button in CI Train, I wouldn't have released it.

I didn't wait long with this trivial typo fix since I haven't been expecting reviews (I noticed a change earlier this week when I was preparing qtpim). I've largely worked alone on the Ubuntu side with some awesome help from other developers working on Ubuntu Phone and mitya57 regarding Qt 5 and the syncing with Debian.

Just let me know e.g. on IRC if you want to start working on anything related to Qt 5.3.0 packaging so that I can double-check everything I have currently brewing is committed to some bzr branch. I first did a quick but ugly PPA build (https://launchpad.net/~canonical-qt5-edgers/+archive/qt5-beta2) and I'm now slowly working on tests-enabled, symbols-updated versions in parallel. That will also need to be readjusted later at minimum to sync with Debian.

The final Qt 5.3.0 landing should also be prepared by doing archive-quality uploads to a CI Train silo, so that it can be fully tested and then published as a whole. As Ubuntu Phone is not just ramping up but doing daily releases, it's important not to disturb this process. The silos work neatly in this regard, since they also allow syncing packages from Debian to the PPA from where the whole set of tested components is then synced to archives.

> I'm starting to think Canonical's Qt5 stack should go in its own namespace separate from the one used by Debian/Kubuntu as was discussed at the last vUDS. I don't sense much interest in collaboration.

Qt5 was originally put under ~kubuntu-packagers even though it was only used by Ubuntu, so that it could be worked on in co-operation in the long term more easily. Co-operation has in my opinion worked nicely with anyone who has been willing to contribute to the packaging work. Obviously with Ubuntu as the almost sole user of Qt 5 so far it has been largely people working on Ubuntu Phone, but that's changing now.

-Timo
Re: Point of reviews
On Friday, May 23, 2014 15:47:33 Timo Jyrinki wrote:
> 2014-05-23 14:41 GMT+02:00 Scott Kitterman ubu...@kitterman.com:
> > If you look at this merge proposal, it was disapproved with a suggestion that it was premature. Despite that, it got released and into the archive anyway. So what's the point of review?
>
> I'm not sure if you noticed the timeline, but it got released before the reviews. Had I read negative reviews before I hit the publish button in CI Train, I wouldn't have released it.

No. I hadn't noticed. This was pointed out to me on IRC also.

> I didn't wait long with this trivial typo fix since I haven't been expecting reviews (I noticed a change earlier this week when I was preparing qtpim). I've largely worked alone on the Ubuntu side with some awesome help from other developers working on Ubuntu Phone and mitya57 regarding Qt 5 and the syncing with Debian.

The other thing I didn't know is that CI train uploads bypass the New queue in Ubuntu. That made my comment irrelevant anyway. This is a bug that REALLY needs fixing. Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.

As discussed at the last vUDS, this is the first cycle where there are other Kubuntu packages using Qt5, so you should definitely expect more interest from Kubuntu developers.

> Just let me know e.g. on IRC if you want to start working on anything related to Qt 5.3.0 packaging so that I can double-check everything I have currently brewing is committed to some bzr branch. I first did a quick but ugly PPA build (https://launchpad.net/~canonical-qt5-edgers/+archive/qt5-beta2) and I'm now slowly working on tests-enabled, symbols-updated versions in parallel. That will also need to be readjusted later at minimum to sync with Debian.
>
> The final Qt 5.3.0 landing should also be prepared by doing archive-quality uploads to a CI Train silo, so that it can be fully tested and then published as a whole. As Ubuntu Phone is not just ramping up but doing daily releases, it's important not to disturb this process. The silos work neatly in this regard, since they also allow syncing packages from Debian to the PPA from where the whole set of tested components is then synced to archives.

The whole phone thing is why we got blocked before. Kubuntu is currently blocked on lack of 5.3.0, so we need to move forward. As discussed at the last vUDS, if that's a problem for phone, they need to make their own packages of an older version and use them.

> > I'm starting to think Canonical's Qt5 stack should go in its own namespace separate from the one used by Debian/Kubuntu as was discussed at the last vUDS. I don't sense much interest in collaboration.
>
> Qt5 was originally put under ~kubuntu-packagers even though it was only used by Ubuntu, so that it could be worked on in co-operation in the long term more easily. Co-operation has in my opinion worked nicely with anyone who has been willing to contribute to the packaging work. Obviously with Ubuntu as the almost sole user of Qt 5 so far it has been largely people working on Ubuntu Phone, but that's changing now.

Obviously I was missing some data when I made this assertion. I've been following Qt5 packaging in Debian pretty closely. I think focusing on helping lisandro get good 5.3.0 packages in experimental and merging from there is what we should be doing. If we have archive-quality packages, they should get uploaded to the archive. CI train is causing more trouble than it's worth for these packages.

Scott K
Re: Point of reviews
On 23/05/2014 16:35, Scott Kitterman wrote:
> The other thing I didn't know is that CI train uploads bypass the New queue in Ubuntu. That made my comment irrelevant anyway. This is a bug that REALLY needs fixing. Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.

This has been the case since we had daily release, and it's a bug/feature in Launchpad itself. This has been discussed multiple times at UDS and vUDS. It's exactly the reason why every packaging change halts publication (in daily release previously, and now in CI Train) and someone with the proper rights (upload rights or archive admins, depending on the process) reviews the packaging diff before pushing the publication button.

Cheers,
Didier
Re: Point of reviews
On Friday, May 23, 2014 17:27:12 Didier Roche wrote:
> On 23/05/2014 16:35, Scott Kitterman wrote:
> > The other thing I didn't know is that CI train uploads bypass the New queue in Ubuntu. That made my comment irrelevant anyway. This is a bug that REALLY needs fixing. Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.
>
> This has been the case since we had daily release, and it's a bug/feature in Launchpad itself. This has been discussed multiple times at UDS and vUDS. It's exactly the reason why every packaging change halts publication (in daily release previously, and now in CI Train) and someone with the proper rights (upload rights or archive admins, depending on the process) reviews the packaging diff before pushing the publication button.

Did an archive admin review the upload that kicked off this discussion before it was released to the archive?

Scott K
Re: Point of reviews
On 23/05/2014 17:34, Scott Kitterman wrote:
> On Friday, May 23, 2014 17:27:12 Didier Roche wrote:
> > On 23/05/2014 16:35, Scott Kitterman wrote:
> > > The other thing I didn't know is that CI train uploads bypass the New queue in Ubuntu. That made my comment irrelevant anyway. This is a bug that REALLY needs fixing. Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.
> >
> > This has been the case since we had daily release, and it's a bug/feature in Launchpad itself. This has been discussed multiple times at UDS and vUDS. It's exactly the reason why every packaging change halts publication (in daily release previously, and now in CI Train) and someone with the proper rights (upload rights or archive admins, depending on the process) reviews the packaging diff before pushing the publication button.
>
> Did an archive admin review the upload that kicked off this discussion before it was released to the archive?

I guess Robru did that as part of the process (as he seems to be the one publishing it). Robert?
Re: Point of reviews
On 23/05/2014 17:37, Didier Roche wrote:
> On 23/05/2014 17:34, Scott Kitterman wrote:
> > On Friday, May 23, 2014 17:27:12 Didier Roche wrote:
> > > On 23/05/2014 16:35, Scott Kitterman wrote:
> > > > The other thing I didn't know is that CI train uploads bypass the New queue in Ubuntu. That made my comment irrelevant anyway. This is a bug that REALLY needs fixing. Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.
> > >
> > > This has been the case since we had daily release, and it's a bug/feature in Launchpad itself. This has been discussed multiple times at UDS and vUDS. It's exactly the reason why every packaging change halts publication (in daily release previously, and now in CI Train) and someone with the proper rights (upload rights or archive admins, depending on the process) reviews the packaging diff before pushing the publication button.
> >
> > Did an archive admin review the upload that kicked off this discussion before it was released to the archive?
>
> I guess Robru did that as part of the process (as he seems to be the one publishing it). Robert?

My mistake, actually: checking the logs, it was Timo publishing it.
Re: Point of reviews
On Friday, May 23, 2014 17:39:23 Didier Roche wrote:
> On 23/05/2014 17:37, Didier Roche wrote:
> > On 23/05/2014 17:34, Scott Kitterman wrote:
> > > On Friday, May 23, 2014 17:27:12 Didier Roche wrote:
> > > > On 23/05/2014 16:35, Scott Kitterman wrote:
> > > > > The other thing I didn't know is that CI train uploads bypass the New queue in Ubuntu. That made my comment irrelevant anyway. This is a bug that REALLY needs fixing. Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.
> > > >
> > > > This has been the case since we had daily release, and it's a bug/feature in Launchpad itself. This has been discussed multiple times at UDS and vUDS. It's exactly the reason why every packaging change halts publication (in daily release previously, and now in CI Train) and someone with the proper rights (upload rights or archive admins, depending on the process) reviews the packaging diff before pushing the publication button.
> > >
> > > Did an archive admin review the upload that kicked off this discussion before it was released to the archive?
> >
> > I guess Robru did that as part of the process (as he seems to be the one publishing it). Robert?
>
> My mistake, actually: checking the logs, it was Timo publishing it.

This is the fundamental problem. For normal uploads this kind of review is enforced. For CI train, it's a matter of someone remembering.

Scott K
Re: Point of reviews
On Fri, May 23, 2014 at 7:27 PM, Didier Roche didro...@ubuntu.com wrote:
> > Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.
>
> This has been the case since we had daily release, and it's a bug/feature in Launchpad itself.

Does this mean that anyone can bypass the NEW queue by uploading a package to any PPA and then copying it using copy-package? If yes, then I would consider it a security hole.

--
Dmitry Shachnev
Re: Point of reviews
On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> On Fri, May 23, 2014 at 7:27 PM, Didier Roche didro...@ubuntu.com wrote:
> > > Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.
> >
> > This has been the case since we had daily release, and it's a bug/feature in Launchpad itself.
>
> Does this mean that anyone can bypass the NEW queue by uploading a package to any PPA and then copying it using copy-package? If yes, then I would consider it a security hole.

Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers. It not only can bypass New, it can bypass all the normal sponsorship process.

Scott K
Re: Point of reviews
On Fri, May 23, 2014 at 8:01 PM, Scott Kitterman ubu...@kitterman.com wrote:
> Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers.

No, I meant: is it possible to bypass the queue with only relevant PPAs or with any PPA?

--
Dmitry Shachnev
Re: Point of reviews
On Fri, May 23, 2014 at 12:01:43PM -0400, Scott Kitterman wrote:
> On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> > On Fri, May 23, 2014 at 7:27 PM, Didier Roche didro...@ubuntu.com wrote:
> > > > Since CI train packages are mostly Ubuntu specific (Qt5 is somewhat unique in this regard), I'd suggest those need review in New much more than the 75% of our packages we get from Debian unmodified that have already been through New there.
> > >
> > > This has been the case since we had daily release, and it's a bug/feature in Launchpad itself.
> >
> > Does this mean that anyone can bypass the NEW queue by uploading a package to any PPA and then copying it using copy-package? If yes, then I would consider it a security hole.
>
> Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers. It not only can bypass New, it can bypass all the normal sponsorship process.

Can someone lay this vulnerability out a bit more clearly from a security perspective? What are the relevant steps in the daily release process, who is involved at each step, how does this differ from going through the NEW queue, what is the threat, what would an attack look like? Is it that a new set of people can actually get stuff into Ubuntu, or that the procedural guidelines that help the empowered people do security/quality review are bypassed, or something else? What are proposed alternative processes, and how would they affect daily builds?

Links to previous discussions (with good context if possible) would be great.

Thanks,

Neal McBurnett
http://neal.mcburnett.org/
Re: Point of reviews
On Friday, May 23, 2014 20:14:57 Dmitry Shachnev wrote:
> On Fri, May 23, 2014 at 8:01 PM, Scott Kitterman ubu...@kitterman.com wrote:
> > Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers.
>
> No, I meant: is it possible to bypass the queue with only relevant PPAs or with any PPA?

Only certain PPAs lead into the CI process, which is where the bypass is. For PPAs generally, there is no review, nor should there be. They aren't part of Ubuntu and users get warnings about them being untrusted.

Scott K
Re: Point of reviews
On Fri, May 23, 2014 at 08:14:57PM +0400, Dmitry Shachnev wrote:
> On Fri, May 23, 2014 at 8:01 PM, Scott Kitterman ubu...@kitterman.com wrote:
> > Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers.
>
> No, I meant: is it possible to bypass the queue with only relevant PPAs or with any PPA?

To skip binNEW entirely, you need a devirt PPA (building on the distro builders instead of the PPA builders) and have all architectures enabled. Otherwise the binary packages will get rebuilt post-copy and will hit the queue at that point.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: Point of reviews
On Friday, May 23, 2014 12:23:50 Stéphane Graber wrote:
> On Fri, May 23, 2014 at 08:14:57PM +0400, Dmitry Shachnev wrote:
> > On Fri, May 23, 2014 at 8:01 PM, Scott Kitterman ubu...@kitterman.com wrote:
> > > Particularly since the list of people that can upload to the relevant PPAs is not constrained to Ubuntu developers.
> >
> > No, I meant: is it possible to bypass the queue with only relevant PPAs or with any PPA?
>
> To skip binNEW entirely, you need a devirt PPA (building on the distro builders instead of the PPA builders) and have all architectures enabled. Otherwise the binary packages will get rebuilt post-copy and will hit the queue at that point.

Which limits this to Canonical employees (as far as I know), but the decision to grant upload rights to the archive is supposed to be a community process delegated to the DMB, not an internal Canonical process.

Scott K