Hey Matthew! Happy New Year! I have just started my first SRU shift and now I will proceed rolling out the updates to -updates and -security. My plan is: 1) Today releasing all the staged adcli and sssd updates into -updates + the cyrus-sasl2 package for bionic 2) All the updates should be -security enabled, but to make sure there are no incidents this time, I'll only copy them into -security on Monday after baking in -updates for a few days
Cheers, On Thu, 10 Dec 2020 at 05:38, Matthew Ruffell <[email protected]> wrote: > > Hi Lukasz, > > I think you understand the plan correctly. Here it is in bullet points: > > 1) Re-instate Bionic sssd 1.16.1-1ubuntu1.7 and Focal sssd > 2.2.3-3ubuntu0.1 to -updates. > > Their [what could go wrong] still holds, as their changes are behind an opt-in > configuration file option, and it has been tested by me, the customer, and the > original bug reporter. Unlikely to cause regressions, and if they do, they > will > be opt in via intentional configuration file change. > > 2) Re-instate Groovy adcli 0.9.0-1ubuntu1.2 to -updates. > > Changes to adcli on Groovy are minimal, and will not cause any problems. > > 3) Build (likely in special security ppa), and accept cyrus-sasl2 > upload to bionic-proposed. > > We need to start the ball rolling on fixing the root cause, which is the bad > GSS-SPNEGO implementation in Bionic. > > 4) Delete adcli 0.8.2-1ubuntu2 from bionic-proposed upload queue. > > It is likely a bit late for a revert package now, affected users would have > downgraded to adcli from -release. We will push for a fix instead. > > 5) Go with option one from the previous email, build, and accept adcli > 0.8.2-1ubuntu2.1 to bionic-proposed. > > This builds on 0.8.2-1ubuntu1 with the SRU changes, and depends on the fixed > cyrus-sasl2 package. > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff > > 6) Although adcli for Focal should be safe for release, we will play it safe, > and only release it when adcli for Bionic is ready. > > 7) I will re-test and verify adcli on both Bionic and Focal, as well as test > and verify cyrus-sasl2. I will also get the customer to perform some testing. > > 8) Once all testing has been completed, we will release adcli for Bionic and > Focal and cyrus-sasl2 to -updates. > > I hope this action plan is okay. Feel free to ask for clarifications before we > put the plan into action. > > Thanks, > Matthew > > On Thu, Dec 10, 2020 at 5:29 AM Lukasz Zemczak > <[email protected]> wrote: > > > > Ok, thanks for the clarification! > > > > So, if I understand correctly, we should reinstate the reverted sssd > > for all the series, and adcli for focal and groovy? Then for bionic > > accept the cyrus-sasl2 upload + possibly an adcli with the changes > > that were reverted? I suppose adcli would need a breaks statement in > > that case. > > > > Anyway, I'm around if any SRU reviews or package copying is needed. > > Let me reach out to Eric. > > > > Cheers, > > > > On Wed, 9 Dec 2020 at 05:13, Matthew Ruffell > > <[email protected]> wrote: > > > > > > > Ok, so there was a LOT happening in this thread, so I'd use some quick > > > > summary. > > > > Since what I'd like to know: > > > > > > > 1) Does this cyrus-sasl2 fix both the adcli and sssd regressions? > > > > Since we reverted both as people were reporting regressions first for > > > > sssd > > > > and then for adcli - not sure which one was the actual cause of it > > > > though > > > > > > The cyrus-sasl2 fix fixes the adcli regression, due to adcli changing to > > > using > > > GSS-SPNEGO by default, which was broken. > > > > > > sssd never had a regression in the first place, due to the changes having > > > nothing to do with GSS-SPNEGO. > > > > > > The confusion with sssd came from confused users who did not know that > > > adcli > > > is the program under the hood of realm, and thought that sssd had broken, > > > when > > > in reality, it was adcli. > > > > > > > 2) Does it need fixing for all the stable series where we updated adcli > > > > and > > > > (additionally) sssd? > > > > > > cyrus-sasl2 is only broken in Bionic. Focal onward already have the patch > > > and > > > work fine. > > > > > > Let me know if you have any more questions, happy to answer. > > > > > > Thanks, > > > Matthew > > > > > > On Tue, Dec 8, 2020 at 4:57 PM Matthew Ruffell > > > <[email protected]> wrote: > > > > > > > > Hello Eric and Lukasz, > > > > > > > > I have created new debdiffs for adcli. Please review and also sponsor > > > > one > > > > of them to -proposed. > > > > > > > > Since there are multiple versions of adcli floating around I made two > > > > debdiffs. > > > > > > > > Please choose the one most convenient / cleanest to apply. > > > > > > > > The first simply builds ontop of 0.8.2-1ubuntu1 currently in -proposed, > > > > and is > > > > the version pull-lp-source pulls down. It simply adds the dependency > > > > to the fixed > > > > libsasl2-modules-gssapi-mit package with a greater than or equal to > > > > relationship. > > > > > > > > Use of this debdiff requires 0.8.2-1ubuntu2 to be deleted from the > > > > upload queue, > > > > and treated as 0.8.2-1ubuntu2 never existed. > > > > > > > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff > > > > > > > > Option two builds upon 0.8.2-1ubuntu2, and re-applies all of the > > > > --use-ldaps > > > > patches from the previous SRU which 0.8.2-1ubuntu2 reverts. It also > > > > adds the > > > > dependency to the fixed libsasl2-modules-gssapi-mit package with a > > > > greater than > > > > or equal to relationship. > > > > > > > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441873/+files/lp1906627_adcli_option_two.debdiff > > > > > > > > My preference is for option one, but use whatever is required. I only > > > > made both > > > > of these to lower round trip time due to timezones if you don't like > > > > the option > > > > one idea. > > > > > > > > Thanks, > > > > Matthew > > > > > > > > On Mon, Dec 7, 2020 at 3:25 PM Matthew Ruffell > > > > <[email protected]> wrote: > > > > > > > > > > Hi Eric, Lukasz, > > > > > > > > > > Please review and potentially sponsor the cyrus-sasl2 debdff attached > > > > > to LP1906627. > > > > > > > > > > [1] https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627 > > > > > > > > > > It fixes the root cause of the GSS-SPNEGO implementation being > > > > > incompatible with > > > > > Microsoft's implementation in Active Directory. > > > > > > > > > > If you are still planning to re-release adcli and sssd to -security, > > > > > then you > > > > > should also build cyrus-sasl2 in the same way: > > > > > > > > > > https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4336/+packages > > > > > > > > > > Again, I am sorry for causing the regression and these patches should > > > > > fix the > > > > > underlying cause. > > > > > > > > > > Thanks, > > > > > Matthew > > > > > > > > -- > > Łukasz 'sil2100' Zemczak > > Foundations Team > > [email protected] > > www.canonical.com -- Łukasz 'sil2100' Zemczak Foundations Team [email protected] www.canonical.com -- Mailing list: https://launchpad.net/~sts-sponsors Post to : [email protected] Unsubscribe : https://launchpad.net/~sts-sponsors More help : https://help.launchpad.net/ListHelp
