Items we will be discussing:
- Review ACTION points from previous meeting.
- State of the specifications.
- Discussion about openldap 2.4.9 for 8.04.1.
- Ubuntu Server Blog - MathiasGug
- Server survey: Plan B discussion
- Open Discussion
- Agree on next meeting date and time.
State of specifications
mathiaz reminded everyone that the deadline for specifications is tomorrow (Thursday, June 5th) and that the approver should be set to dendrobates in LP. ScottK and nealmcb wondered if there was a list of blueprints targeted for intrepid somewhere. dendrobates said that such a list would be available next week under the ubuntu-server launchpad blueprints. Once the list is finalized, mathiaz will add the blueprints to the Ubuntu Server Team Roadmap.
Openldap 2.4.9 for 8.04.1
zul raised the issue of uploading openldap 2.4.9 to hardy as an SRU. 2.4.9 fixes a number of bugs found since 2.4.7 was released (113 upstream bugs fixed between 2.4.7 and 2.4.9). Moreover, syncrepl is not usable in 2.4.7, and at UDS upstream advised us not to use 2.4.7. slangasek stated that he would like to be able to weigh how many of these changes are critical, user-affecting bugs vs. fixes we could live without that may carry regressions. zul volunteered to classify the bugs to give a better view of what types of fixes are included in 2.4.9 (syncrepl fixes, crashers, etc.). mathiaz and jdstrand also suggested running the built-in test suite to catch regressions.
ACTION: zul to break down the list of bugs fixed in 2.4.9 by categories (syncrepl, crashers, etc...) and upload his package to his ppa.
Ubuntu Server Blog
mathiaz announced that he created an Ubuntu Server Blog as per the discussion during the Ubuntu Server community session at UDS. ScottK asked whether other developers would be able to contribute. mathiaz said he hoped so in the mid-term, but first he'd like to figure out an editorial policy.
There were some suggestions about the type of content that should end up on the blog:
- minutes of the Server Team meeting.
- updates on development work posted by developers.
- demystify discussions that we all understand but leave our user-base with questions.
owh suggested that people could post contributions somewhere, which would then be reviewed before landing on the blog. mathiaz stated that such contributions and other suggestions about the blog's editorial policy should be emailed to him.
Webmin and ebox discussion on ubuntu-user
owh reported that there were some discussions on ubuntu-user about webmin and ebox. He asked why the Ubuntu Server team doesn't recommend webmin. mathiaz answered that webmin gives too much power to the target users and tends to break existing configurations. webmin is a web front end for editing configuration files. nealmcb added that ebox has a higher-level notion of what the user is probably trying to do, rather than being closely tied to config file syntax.
Limesurvey
kees verified the new version of Limesurvey: unfortunately not all issues that he reported have been solved (or correctly solved) in the latest version. After some discussions, it was decided to run limesurvey on an isolated server hosted on the Ubuntu infrastructure.
Agree on next meeting date and time
mathiaz sent out a new proposal for the meeting. It was decided to move the meeting to Tuesday at 15:00 UTC.
Next meeting will be on Tuesday, June 10th at 15:00 UTC in #ubuntu-meeting.
[22:01] <mathiaz> #startmeeting
[22:01] <MootBot> Meeting started at 16:02. The chair is mathiaz.
[22:01] <MootBot> Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[22:01] * nealmcb cheers
[22:01] <mathiaz> Today's agenda: https://wiki.ubuntu.com/ServerTeam/Meeting#preview
[22:02] <mathiaz> Last meeting notes: https://wiki.ubuntu.com/MeetingLogs/Server/20080528
[22:02] <soren> mathiaz: Er, yeah, that's what I meant. It now works. It's been around for a few weeks, but they fixed it during last night's TB meeting.
[22:02] <mathiaz> I don't see any outstanding action points from last meeting
[22:03] * nealmcb cheers for Seeker`
[22:03] <Seeker`> nijaba: :)
[22:03] <Seeker`> sorry, nealmcb :D
[22:03] <Seeker`> Mootbot logs wont be instantly accessible due to webhost problems
[22:04] <nealmcb> Seeker`: nijaba deserves some smiles also
[22:04] <Seeker`> heh
[22:04] <mathiaz> So let's move on to the next topic
[22:04] <mathiaz> [TOPIC] #
[22:04] <MootBot> New Topic: #
[22:04] <mathiaz> State of the specifications.
[22:04] <mathiaz> [TOPIC] State of the specifications.
[22:04] <MootBot> New Topic: State of the specifications.
[22:04] <lukehasnoname> haha
[22:04] <Seeker`> if you send an email to email@example.com after the meeting with the contact details of someone, I'll try to get the logs to you
[22:04] <soren> :)
[22:04] <mathiaz> so the deadline for specification writing is tomorrow
[22:05] <mathiaz> Spec approver should be set to dendrobates
[22:05] <mathiaz> and if ubuntu-server could be subscribed, it will also help.
[22:06] <ScottK> Is there a handy public list of what's already written?
[22:06] <mathiaz> Once they're approved we can put them on the ServerTeam Roadmap
[22:06] <mathiaz> ScottK: not really - the closest would be https://blueprints.launchpad.net/~ubuntu-server/
[22:07] * soren sneaks onto launchpad and registers at least one spec which he forgot.. :(
[22:07] <mathiaz> this is why subscribing ubuntu-server to the blueprint would help
[22:07] * soren hopes noone will notice
[22:07] <mathiaz> but it's still a bit of a mess
[22:07] <kirkland> mathiaz: ScottK: perhaps those involving dendrobates? https://blueprints.edge.launchpad.net/~dendrobates
[22:07] <dendrobates> don't worry it will be all cleaned up.
[22:07] <mathiaz> dendrobates: any opinion on this ? as you're the approver
[22:08] * ScottK wants to make sure he can check and see if his pet project is missing/needing more work.
[22:08] <mathiaz> ScottK: have you written up about the mail changes you'd talked about at UDS ?
[22:08] <ScottK> No.
[22:08] <dendrobates> we will have a final list of things that we are targeting for intrepid next week.
[22:08] * ScottK was hoping someone else had.
[22:09] <mathiaz> ScottK: I remember talking with ivoks about some changes we'd like to make
[22:09] <dendrobates> also the specs do not have to be perfect we can fix them.
[22:09] <mathiaz> ScottK: and it seems that you had the same ideas
[22:09] <ScottK> And siretart had some excellent suggestions on mechanizing the process.
[22:09] <dendrobates> And there will be a few that magically apear at the last minute after some internal discussions.
[22:10] <nealmcb> dendrobates: will we be able to see blueprints for server for each release (e.g. review hardy server-related specs, and also see intrepid), or only some notion of "current" ones?
[22:10] <Koon> mathiaz: since I don't have one to write, I'll proofread the already published tomorrow morning
[22:11] <mathiaz> Koon: aren't you supposed to be on the J2EE spec ?
[22:11] * nealmcb still wants to be able to see intreped blueprints on the intrepid page, as well as server-related blueprints
[22:11] <mathiaz> nealmcb: I'm not sure that LP can do that
[22:12] <dendrobates> I am not a master at launchpad, for it's ways are mysterious.
[22:12] <Koon> mathiaz: dendrobates said he would handle this one... and we don't really have a solution to propose at that point ?
[22:12] <Koon> dendrobates: or did I miss something ?
[22:13] * nealmcb looks at an empty page at https://blueprints.edge.launchpad.net/sprints/uds-intrepid - sigh
[22:13] <mathiaz> nealmcb: that's over IIRC
[22:13] <dendrobates> nealmcb: you don't have the magic glasses that make text appear?
[22:13] <nealmcb> I'm just suggesting that having easier collaboration based on being able to track specs in different ways would be to our benefit....
[22:13] <mathiaz> anyway - once we have a list of spec, I'll add them to the ServerTeam Roadmap so that we can discuss the progress during the ServerTeam meeting
[22:14] <mathiaz> Let's move to the next topic
[22:14] <dendrobates> nealmcb: agreed
[22:14] <mathiaz> [TOPIC] #
[22:14] <mathiaz> Discussion about openldap 2.4.9 for 8.04.1.
[22:14] <MootBot> New Topic: #
[22:14] <mathiaz> [TOPIC] Discussion about openldap 2.4.9 for 8.04.1.
[22:14] <MootBot> New Topic: Discussion about openldap 2.4.9 for 8.04.1.
[22:14] <nealmcb> and cross-team fertilization and publication of spec ideas would be helpful
[22:14] <ScottK> For the mail server stuff I've started an exploration of FAI and the bits we'd need to get it moving. Just need to find time to invest in it.
[22:14] <zul> hello, so I propose that we stick openldap 2.4.9 into 8.04.1
[22:14] <danshearer> does spec == blueprint?
[22:15] <zul> The reasons are simple:
[22:15] <ScottK> danshearer: Yes.
[22:15] <zul> - Already merged openldap for intrepid.
[22:15] <zul> - Been testing it for the past couple of days havent seen a regression.
[22:15] <zul> - Ran the ubuntu-qa testsuite against it.
[22:15] <zul> - Fixes a number of bugs after 2.4.7 released (113 Fixed upstream bugs between 2.4.7 to 2.4.9) - http://www.pastebin.ca/1038577
[22:15] <zul> - Launchpad bugs fixed #218734, #227187
[22:15] <zul> - However, still needs patches backported from HEAD.
[22:15] <zul> - syncrepl not usuable in 2.4.7
[22:15] <zul> - Upstream recommended us not to use 2.4.7 at UDS.
[22:15] <mathiaz> zul: any point to wait for 2.4.10 ?
[22:15] <jdstrand> zul: how many patches from HEAD remain?
[22:16] <zul> mathiaz: they are still testing it so I dont know if it will get into intrepid in time for 8.04.1
[22:16] <zul> jdstrand: 4 small patches
[22:16] <jdstrand> mathiaz: I think .10 will be too close to 8.04.1 for adequate testing, but I could be wrong
[22:16] <danshearer> zul: ran the OL testsuite too? (excuse me Chuck, I don't know you, this is probably old hat...)
[22:16] <slangasek> you're already on borrowed time for getting 2.4.9 into 8.04.1
[22:16] <zul> danshearer: no the ubuntu-qa test suite
[22:16] <zul> hi slangasek
[22:17] <slangasek> so if you decide you want this, the upload needs to be happening this week
[22:17] <kirkland> danshearer: subtle difference, blueprint = status tracking mechanism in Launchpad, which corresponds to a spec = detailed design document in the wiki
[22:17] <danshearer> syncrepl is a big deal
[22:17] <zul> slangasek: Im already sitting on the upload I wanted a general consensus first
[22:17] <jdstrand> zul: see build_testing/openldap/README.make_test in qa-regression-testing for using openldap's internal build suite
[22:17] <mathiaz> slangasek: would the changelog fit the SRU critiria ?
[22:17] <zul> jdstrand: ah ok I can try that as well thanks
[22:18] <danshearer> jdstrand: right. if we ask upstream for something that'll be the first question back.
[22:18] <slangasek> mathiaz: are you asking about the upstream changelog? I haven't seen it myself yet, got a handy link?
[22:18] <zul> I have already seen complaints about syncrepl in bug reports at least
[22:18] <mathiaz> slangasek: http://www.pastebin.ca/1038577
[22:18] <danshearer> with syncrepl, that gives one more service where Ubuntu can say "we have active-active failover".
[22:19] <jdstrand> I think it would be fantastic if some people in #ubuntu-server could test .9 as soon as possible
[22:19] <sommer> is there a list of things to test?
[22:19] <sommer> or is that explained in the make file you mentioned
[22:20] <zul> sommer: Launchpad bugs #218734, #227187 for one
[22:20] <jdstrand> sommer: I was talking about just using zul's packages
[22:20] <sommer> jdstrand: ah, okay
[22:20] <jdstrand> in production if possible
[22:20] <ubottu> Launchpad bug 218734 in openldap2.3 "(ITS#5527) slapd segfaults when using dynlist" [Undecided,Confirmed] https://launchpad.net/bugs/218734
[22:20] <ubottu> Launchpad bug 227187 in ubuntu "Hardy nags" [Undecided,Invalid] https://launchpad.net/bugs/227187
[22:20] <jdstrand> sommer: zul can handle the build tests
[22:20] <dendrobates> danshearer: I don't care about new features. I care about the 100 or so bug fixess that Howard said would be diffucult or impossible to back port.
[22:20] <sommer> cool, I'll take a look at the bugs this evening
[22:21] <zul> dendrobates: and I looked at that route and my jaw dropped as well :)
[22:21] <mathiaz> zul: have you 2.4.9 package for hardy in your ppa (or somewhere else) ?
[22:22] <slangasek> mathiaz: with suitable testing it looks like it may be acceptable. Are there a subset of these fixes that have been identified as critical for 8.04.1?
[22:22] <zul> mathiaz: I have it locally I just had to make one change to the build-deps for hardy
[22:22] <zul> slangasek: I would say the syncrepl issues
[22:22] <slangasek> zul: so everything prefixed as "syncrepl"? :)
[22:22] <zul> mathiaz: but I can upload to my ppa first
[22:22] <zul> slangasek: pretty much :)
[22:22] <mathiaz> zul: yeah - that would help in testing
[22:22] <slangasek> I would like to be able to weigh how many of these changes are critical, user-affecting bugs vs. fixes we could live without that may carry regressions
[22:23] <zul> mathiaz: ok
[22:23] <zul> slangasek: so go through the bug tracker and evaluate them?
[22:24] <slangasek> zul: well, I mean identifying which of the many bugs in this changelog are the ones driving this SRU request
[22:24] <mathiaz> how could the bug be classified ?
[22:24] <jdstrand> slangasek: is your thinking that maybe there are only 10 of the 100 that we really need for hardy, and those 10 may not be hard to backport to .7?
[22:24] <slangasek> rather than a global "look, they're all bugfixes", which doesn't give me a good way to weigh the risk against the benefit
[22:24] <slangasek> jdstrand: that's an option that should be kept on the table, yes
[22:25] <zul> slangasek: I would say the ones that the dynlist one and the syncrepl I havent checked the forums though
[22:25] <mathiaz> It seems that there is a whole set of bugs about syncrep
[22:25] <mathiaz> which is broken in 2.4.7 according to upstream
[22:25] <slangasek> and if it's a bad idea to do backporting, then someone can smack me and say that :)
[22:25] <mathiaz> and then there are some crashed
[22:25] <mathiaz> crashers
[22:25] <slangasek> right
[22:26] <mathiaz> so if we could classify which bugs are syncrepl related, which once are crashers
[22:26] <mathiaz> and document that in a bug, would that help in the SRU process ?
[22:26] <slangasek> yes
[22:27] <zul> I can do that
[22:27] <mathiaz> zul: ok - could you also check that tests are working correctly ?
[22:27] <zul> mathiaz: sure
[22:27] <mathiaz> zul: the current build process doesn't run make test
[22:27] <zul> mathiaz: correct
[22:28] <mathiaz> zul: but making sure it doesn't break would also help in the SRU process IMO
[22:28] <zul> mathiaz: gotcha, as a side note 2.4.9 has already been uploaded to my ppa
[22:28] <slangasek> I think we have some XFAILs with the current make test, which prevented it from being enabled
[22:28] <mathiaz> [ACTION] zul to break down the list of bugs fixed in 2.4.9 by categories (syncrepl, crashers, etc...)
[22:28] <MootBot> ACTION received: zul to break down the list of bugs fixed in 2.4.9 by categories (syncrepl, crashers, etc...)
[22:29] <jdstrand> zul: it would be useful to compare the build tests of .7 and .9
[22:29] <zul> jdstrand: ok will do
[22:29] <jdstrand> zul: like slangasek said, hardy has some known failures, so we are most interested in not introducing more
[22:29] <mathiaz> slangasek: and the deadline for getting it included in 8.04.1 is friday ?
[22:30] <ogra> it was last friday actually :)
[22:30] <lukehasnoname> rofl
[22:30] <ogra> it is extended already
[22:30] <soren> Er... So why is the point release scheduled for July 10th on https://wiki.ubuntu.com/IntrepidReleaseSchedule ?
[22:31] <jdstrand> sommer: openssl
[22:31] <jdstrand> soren: ^
[22:31] <soren> i thought the deadline this week was for targeting stuff for the point release, and then the actual deadline for getting it in was significantly later?
[22:31] <Keybuk> soren: it's proposed, reather than scheduled?
[22:31] <soren> Keybuk: Point.
[22:32] <lukehasnoname> HardyReleaseSchedule says July 3rd
[22:32] <lukehasnoname> er, https://wiki.ubuntu.com/HardyReleaseSchedule
[22:32] <soren> Keybuk: I'm not sure what you're implying, though (if anything)?
[22:33] <Keybuk> soren: I'm not implying anything
[22:33] <soren> That it might be even later? Or that it could be any time at all, including July 10th?
[22:33] <Keybuk> I have no idea when 8.04.1 is ;)
[22:33] <soren> Keybuk: Ok :)
[22:33] <Keybuk> I've just seen three different dates
[22:33] <Keybuk> so don't necessarily believe that one
[22:33] <Keybuk> slangasek will _definitely_ know when 8.04.1 is :)
[22:34] <soren> Maybe iz sekrit?
[22:34] <mathiaz> ok - let's move on as zul has taken up the task of providing more information about this.
[22:35] <dendrobates> here here,
[22:35] <owh> dendrobates: Where?
[22:35] <Koon> there.
[22:35] <jdstrand> there -->
[22:35] <mathiaz> [TOPIC] Ubuntu Server Blog
[22:35] <MootBot> New Topic: Ubuntu Server Blog
[22:35] <kirkland> we're now a Dr. Suess poem
[22:36] <sommer> heh
[22:36] <mathiaz> As discussed during last UDS, soren dendrobates and I promised to blog more often
[22:36] <mathiaz> so I've created an Ubuntu Server Blog - http://ubuntuserver.wordpress.com/
[22:36] <soren> You lucky people!
[22:36] <slangasek> soren: if you're talking about getting things included in the point release, those need to land in -updates well before the July 10 deadline, because we have to roll & validate CD images
[22:36] <soren> slangasek: Sure, sure.
[22:37] <mathiaz> I still need to fix planet.ubuntu.com to show it
[22:37] <slangasek> s/deadline/release date/
[22:37] <ScottK> mathiaz: Are other developers able to contribute to the blog?
[22:37] <mathiaz> ScottK: in the mid term, I hope to
[22:37] <slangasek> now OTOH, if you don't need it to be part of .1, then you don't have a deadline either :)
[22:37] <mathiaz> ScottK: but first, I'd like to figure out the editorial policy
[22:38] <mathiaz> What kind of content will go there
[22:38] <mathiaz> I'm planning to publish the minutes of the meeting there
[22:38] <zul> obviously not pictures of monkeys...*cough* soren *cough*
[22:38] <ScottK> mathiaz: OK, but I think limiting an Ubuntu server blog to Canonical employees is not a good message.
[22:38] <owh> mathiaz: That policy will depend on what you want it to do and whom you want the audience to be I suspect.
[22:38] <soren> slangasek: The main question was whether the deadline this week was for targeting things for a release that would happen much later or for actually getting the stuff into said release.
[22:38] <nijaba> mathiaz: aren't the minutes publically avail on the wiki already??
[22:38] <mathiaz> owh: exactly - this still needs to be figured out
[22:38] <slangasek> soren: for getting stuff into that release
[22:39] <mathiaz> nijaba: yes they are - just another channel to push them
[22:39] <soren> slangasek: Oh. Ok.
[22:39] <mathiaz> ScottK: I really hope that every one in the Ubuntu Server team will be able to blog there
[22:39] <nijaba> mathiaz: I don't see any gain in duplication. I'd think that having a pointer to them would be enough
[22:39] <nealmcb> does planet ubuntu have ways of marking sub-channels?
[22:39] <lukehasnoname> Do Canonical employees have an official blog link?
[22:39] * ScottK \o/ - The missing 'J' key is back on his laptop.
[22:39] <mathiaz> ScottK: We'd just have to figure out what type of content goes there
[22:40] <owh> mathiaz: I agree with nijaba on the duplication side of things.
[22:40] <nealmcb> I'd probably prefer to blog from my own site, but would like to see appropriate posts available via e.g. tags at planet.ubuntu
[22:40] <mathiaz> nijaba: yes - I'll link there - I only write stuff once
[22:40] <mathiaz> nijaba: but publish it in different channels
[22:40] <ScottK> mathiaz: I think if you write a 2 sentence mission statement and then give developers access it'll be fine (plus select others).
[22:41] <owh> ScottK: How do you plan to "select others"?
[22:41] <nealmcb> maybe like a "planet ubuntu server" to go with the others there
[22:41] <nijaba> mathiaz: I would think it is a great place for dev to comment their advance on their tasks
[22:41] <mathiaz> nijaba: correct - that's what I'd like to see as the content
[22:41] <owh> Even for those who have meeting action points to put updates forward.
[22:41] <mathiaz> I don't think post about how-tos would be acceptable.
[22:42] <nealmcb> ... but I don't know if those show up in planet.ubuntu.com also, or what - I'll look more into it
[22:42] <dendrobates> mathiaz: I am not sure I see the reasoning for separating out the server blogs from the Planet.
[22:42] <mathiaz> dendrobates: I haven't suggested - nealmcb is
[22:42] <nealmcb> "others" could just be like with planet.ubuntu - all "members"
[22:42] <owh> Under blogger anyone can send an email to a 'sekrit' address which a moderator can choose to publish. Perhaps any member of the ubuntu-server team should be able to submit a post.
[22:43] <dendrobates> why not just have individual server team members blog to the planet? Or are you just trying to make it easier for them to do so?
[22:43] <ogra> just set up planet.server.ubuntu.com :) and devs can add their feeds to both if you want specific server blogs in one space
[22:43] <mathiaz> owh: that's another option - may be I'll refine the policy once submitted content is available
[22:44] <Koon> dendrobates: a common blog is ncie for those who can't commit to one article per week
[22:44] <Koon> nice, even.
[22:44] <nijaba> ogra; isn't that what tagging is for?
[22:44] <owh> ogra: I think the idea is "the voice of ubuntu-server", rather than the voice of John Bob.
[22:44] <mathiaz> dendrobates: I'm more thinking about the google team blogs
[22:45] <mathiaz> dendrobates: that's a useful place to go to if you wanna follow the hapenings of a specific google product
[22:45] * nealmcb needs to figure out why pidgin is hanging and crashing - related to pulse-audio and remote sound servers?
[22:45] <ogra> nijaba, not sure how well planet handles that
[22:45] <ScottK> owh: I think it's pretty clear who is contributing.
[22:45] <nealmcb> https://wiki.ubuntu.com/PlanetUbuntu
[22:45] <ogra> bu you need a separate aggregarot in any case i think
[22:45] <nealmcb> permission via launchpad and bzr...
[22:46] <ogra> *aggregator
[22:46] <owh> I agree, the blog could "demistify" discussions that we all understand but leave our user-base with questions. Like, why kvm and not Xen, and another webmin vs ebox, etc.
[22:46] <lukehasnoname> Yes, why not Xen? >_>
[22:46] <mathiaz> so it seems that a editirial policy needs to be figured out before other post can be published
[22:46] <lukehasnoname> *answer me later on that, seriously*
[22:47] <nijaba> owh: see, you already have a couple blog entry to write ;)
[22:47] <soren> lukehasnoname: Don't get me started... :)
[22:47] <ScottK> mathiaz: I think the most critical policy decision that will need to be made is if it's permissable to mention related commercial services.
[22:47] <owh> nijaba: ROTFL
[22:47] <owh> ScottK: What kind of services were you thinking of?
[22:48] <mathiaz> So for now on, I'll be the only one to post there - once I've figured out what type of post goes there, I'll open up the blog to others
[22:48] <owh> mathiaz: Perhaps you could open that up to include posts submitted to you via email.
[22:48] <mathiaz> If someone has suggestion wrt to the policy or an idea for a post, contact me
[22:49] <danshearer> lukehasnoname: pls excuse me, but I'm not sure how serious that question actually was. Within the server team is this settled?
[22:49] <mathiaz> we'll figure out if it's worth putting there
[22:49] <nijaba> danshearer: I confirm that IT IS
[22:49] <lukehasnoname> I do believe we need some sort of blog or forum for "pop" discussion, recurring topics like popular software, GUI discussions, high level stuff
[22:49] <mathiaz> I'll probably have a better idea of the issues once contributions arrive.
[22:49] <zul> lukehasnoname: ubuntuforums
[22:49] <lukehasnoname> danshearer: It is serious, I got your earlier msg, but let's not discuss it right now, here. I have to leave work soon anyway. Email me if you wish.
[22:49] <owh> mathiaz: Yeah, I don't think there is any point in having posts about the weather and pizza, but more "meta" submissions.
[22:49] <soren> danshearer: What is? That KVM is the good stuff and Xen not so much?
[22:50] <ScottK> owh: Any. Ubuntu Server is a FOSS product, not a commercial one.
[22:50] <lukehasnoname> zul: Ya, uf, but how many people in the real dev team/Canonical acutally browse that? they stick to the mailing list
[22:50] <owh> ScottK: Sure, but people have to eat as well.
[22:50] <mathiaz> Ok - so let's move on
[22:50] <danshearer> I'm more asking to what extent the pros and cons of this have been aired.
[22:50] <ogra> ScottK, and ?
[22:50] <ScottK> Personally, I think it's OK, but it should be decided. I'd be against Canonical gets to announce their commercial stuff and others don't.
[22:51] <danshearer> Within the Server team, and what forum would be best for trying to summarise these issues.
[22:51] <ogra> ScottK, why shouldnt people blog about cool new commercial services ... as long as they tell its commercial
[22:51] <ScottK> ogra: I believe they should.
[22:51] <mathiaz> [TOPIC] Webmin and ebox discussion on ubuntu-user
[22:51] <MootBot> New Topic: Webmin and ebox discussion on ubuntu-user
[22:51] <danshearer> Don't want to distract the meeting. But if gobby.ubuntu worked I'd start one now. It certainly isn't a simple question.
[22:51] <mathiaz> owh ?
[22:51] <owh> Yeah
[22:51] <ogra> ScottK, ah, then i misunderstood
[22:51] <owh> A question was asked in ubuntu-users@ about ebox vs. webmin: https://lists.ubuntu.com/archives/ubuntu-users/2008-May/147651.html
[22:51] <slangasek> ogra: I believe he said that it shouldn't be a channel that's exclusively for Canonical's use, not that people shouldn't blog
[22:51] <owh> I towed the "company line" as I understand it and indicated that webmin was removed from Ubuntu and Debian because it does not handle configuration files as we do.
[22:51] <ScottK> ogra: I just want a clear policy up front.
[22:51] <owh> There was comment that ebox stores all configuration files inside its own directory and also that a new version of webmin was available - including Debian packages.
[22:51] <ogra> right
[22:51] <owh> The discussions I've looked at since indicate a genuine confusion and many are still recommending webmin over ebox.
[22:52] <owh> Thus I committed to asking here in the meeting for further comment and enlightenment - herewith.
[22:52] <ScottK> Webmin has always built .deb packages you could get off their web site.
[22:52] <owh> Our blog could help here :)
[22:52] <soren> danshearer: gobby.ubuntu.com works fine.. And there's already a document about it from UDS in Boston. Anyhow, let's discuss this elsewhere.
[22:52] <dendrobates> this meeting is falling apart. What is our current topic.
[22:52] <ScottK> [TOPIC] Webmin and ebox discussion on ubuntu-user
[22:52] <lukehasnoname> I believe that whatever we do, there needs to be SOME sort of remote, all-in-one, graphical admin tool
[22:53] <nealmcb> owh: good summary. mathiaz and I have yet to find a good current "smoking gun" indicating a problem with config files and webmin
[22:53] <ScottK> I think that's agreed.
[22:53] <owh> And I believe I have the floor.
[22:53] <ScottK> nealmcb: I've seen it break postfix configs. I think I pointed that example out to you before.
[22:53] <dendrobates> mathiaz: move on please!
[22:53] <lukehasnoname> ESPECIALLY one that can be installed from tasksel, like LAMP, Mail, SSH, etc. This is where Ubuntu is one step above the rest.
[22:53] <owh> The issue in debian appears to be this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343897
[22:53] <ubottu> Debian bug 343897 in ftp.debian.org "ftp.debian.org: Please remove all webmin related packages" [Wishlist,Closed]
[22:53] <nealmcb> ScottK: is that a current problem, or something from a while ago?
[22:54] <owh> Which indicates that the maintainer has been struggling a long time to package webmin sensibly.
[22:54] <ScottK> nealmcb: Within the last year IIRC.
[22:54] <nealmcb> see also https://answers.edge.launchpad.net/ubuntu/+question/2873
[22:54] <owh> The debian bug I showed was posted on Sunday, 18 December 2005
[22:54] <mathiaz> owh: so nealmcb and I looked into that a couple of week ago
[22:55] <owh> Excellent, what was the outcome?
[22:55] <mathiaz> owh: from my point of view, webmin gives to much power to the target users
[22:55] <mathiaz> owh: they can easily shoot themselves and break their configuration
[22:55] <nealmcb> ScottK: was that a bug in webmin, or a problem that is fundamental to webmin but not ebox, or a difficulty with any config system?
[22:55] <mathiaz> owh: and then unable to repair their configuration
[22:55] <ScottK> nealmcb: I've got no idea.
[22:56] <mathiaz> owh: webmin is a web front end to edit configuration files
[22:56] <owh> mathiaz: But couldn't you say the same for ssh and vi?
[22:56] <mathiaz> owh: if you've figured out every option in webmin you can use ssh and vi
[22:56] <owh> mathiaz: What I mean is that if you break it, you get to keep both parts.
[22:56] <nealmcb> one thing we generally like about ebox is that it has a higher-level notion of what the user is probably trying to do, rather than being closely tied to config file syntax
[22:56] <ogra> owh, thats not really ubuntu
[22:56] <mathiaz> owh: exactly - the issue IMO is with the target audience
[22:57] <owh> nealmcb: But feedback seems to be that ebox stores stuff in its own structure and doesn't use or reuse the configurations.
[22:57] <owh> mathiaz: Excellent, now we're getting somewhere.
[22:57] <nealmcb> but I think it would help to have more folks review ebox carefully and help keep it on track. I think functional, safe gui management is very important to ubuntu server
[22:57] <mathiaz> owh: yes - ebox has the same problem
[22:57] * lukehasnoname will install Ubuntu server on a spare box and try out ebox asap
[22:57] <mathiaz> owh: but it gives less power to the end user
[22:58] <ogra> it provides lead socks for the feet :)
[22:58] <owh> So, let me get this straight. Webmin works, but it can bork stuff seriously. Ebox has a meta-view of the GUI and it's not yet finished.
=== ubottu changed the topic of #ubuntu-meeting to: Current meeting: Kubuntu Team | Calendar: http://fridge.ubuntu.com/event | Logs: https://wiki.ubuntu.com/MeetingLogs/ | 05 Jun 01:00 UTC: Americas Ubuntu Membership Approval Board | 05 Jun 13:00 UTC: Desktop Team | 05 Jun 20:00 UTC: Security Team | 07 Jun 21:00 UTC: Marketing Team
[22:59] <lukehasnoname> ubottu: no sir
[22:59] <owh> So as ubuntu-server we decided that we need to help our users - isn't that a slippy-slope to "bob" the paperclip?
[22:59] <ubottu> Factoid no sir not found
[22:59] <mathiaz> Riddell: is the Kubuntu meeting now ?
[22:59] <ScottK> Looks like our time is about expired and there is another meeting.
[22:59] <nealmcb> owh: I'd like more folks to try both of them and document what they see. I see this fitting back into our "strategy" discussion also
[22:59] <owh> nealmcb: I agree.
[22:59] <ogra> owh, i think the better term is "do it right"
[23:00] <owh> ogra: That is a helpful way of looking at it, thanks.
[23:00] * owh is done with topic.
[23:00] <ogra> which webmin surely doesnt and ebox isnt doing *yet*
[23:00] <mathiaz> owh: great - thanks for the question
[23:00] <owh> ogra: Ah, but there are developers for that :)
[23:00] <lukehasnoname> Gentlemen, I must go home from work now, but I'll be continuing some of these topics on the ubuntu-server mailing list.
[23:00] <ogra> owh, indeed :)
[23:00] <mathiaz> [TOPIC] Limesurvey
[23:00] <MootBot> New Topic: Limesurvey
[23:00] <lukehasnoname> lively discussion
[23:01] <nijaba> Kees verified the new version of Limesurvey: unfortunately not all issues that he reported have been solved (or correctly solved) in the latest version...
[23:01] <mathiaz> nijaba: ^^ ?
[23:01] <nijaba> As we are clearly running out of time, here are a few possibilities:
[23:01] <nijaba> 1/ run it on proprietary software Canonical has paid for (would not be running on ubuntu.com, has a limited feature set compared to limesurvey)
[23:01] <Riddell> mathiaz: yes
[23:01] <nijaba> 2/ run it on survey monkey (would not be on ubuntu.com, not fully evaluated)
[23:01] * nealmcb looks forward to at least learning lukehasnoname's email addr :)
[23:01] <ScottK> mathiaz: How about move to #ubuntu-server
[23:01] <mathiaz> ScottK: right - let's move to #ubuntu-server
[23:01] <lukehasnoname> firstname.lastname@example.org
[23:01] <mathiaz> nijaba: and all -> #ubuntu-server
[23:02] <mathiaz> #endmeeting
[23:02] <MootBot> Meeting finished at 17:03.
Discussion moved to #ubuntu-server
[23:01] <nijaba> Kees verified the new version of Limesurvey: unfortunately not all issues that he reported have been solved (or correctly solved) in the latest version...
[23:02] <nijaba> As we are clearly running out of time, here are a few possibilities:
[23:02] <nijaba> 1/ run it on proprietary software Canonical has paid for (would not be running on ubuntu.com, has a limited feature set compared to limesurvey)
[23:02] <nijaba> 2/ run it on survey monkey (would not be on ubuntu.com, not fully evaluated)
[23:02] <nijaba> 3/ run limesurvey on an isolated server I would rent for the occasion (with a few calculated risks that kees could help me identify)
[23:02] <nijaba> 4/ See with elmo if it is possible to run limesurvey on an isolated server
[23:02] <nijaba> (or other proposals I may not have thought about).
[23:02] <nijaba> Note that 1 and 2 would cause us to post the logic and retest everything.
[23:02] <nealmcb> (note - we're continuing the conversation from #ubuntu-meeting....)
[23:03] <kees> there's a lot of code in limesurvey, much of it intertwined with SQL, so getting it all sorted will take a while, I think.
[23:03] <kees> the places where it can be abused are relatively small, though
[23:03] <kees> but they're not zero
[23:04] <kees> which is why I'm still not able to recommend it. (sorry, I know that's a bit troublesome)
[23:04] <jdstrand> kees: sorry that I am not up to date on limesurvey-- but does it use something like adodb?
[23:05] <nijaba> jdstrand: yes, mostly
[23:05] <kees> it does, but not in a reliably safe way
[23:05] <kees> too much of things like:
[23:05] <kees> tkquery = "SELECT COUNT(*) FROM ".db_table_name('tokens_'.$surveyid)." WHERE token='".db_quote($token)."' AND (completed = 'N' or
[23:05] <owh> Crap
[23:05] <kees> and db_quote adds quotes
[23:05] <kees> so you get WHERE token=''$token'' oops
[23:05] <jdstrand> hmmm...
[23:05] <owh> kees: And that's in production? Yuk
[23:06] <kees> I'd like to see proper WHERE token=? .... execute($query, @args) etc
[23:06] <kees> and then there is at least 1 scary looking eval that comes from the database:
[23:06] <owh> kees: What language is it written in?
[23:06] <kees> if (eval('if (trim($cfieldname)'. $row['method'].' trim($cvalue)) return true; else return false;'))
[23:06] <nijaba> PHP
[23:06] <kees> owh: PHP
[23:07] <owh> Crap, I can't even hide. Have you got a list of issues kees?
[23:07] <jdstrand> eek
[23:07] <kees> anyway, the eval risks seem to require either an evil admin, SQL injections, or both. but it's hard to audit due to the heavy use of globals, SQL strings, etc
[23:07] * danshearer is away: moving computers
[23:08] <nijaba> kees: but if admin is limited to trusted individuals, is the risk fading?
[23:08] <kees> owh: my recommendations remain the same as the original email I sent. if I itemized the lines that needed fixing, it might take days
[23:08] <kees> nijaba: yeah, but again, if SQL injections are possible, a random user could potentially make themselves an admin, etc.
[23:08] <kees> it's all unlikely, but imaginable
[23:09] <nijaba> kees: oh, you mean you found SQL injections in the user part?
[23:09] <owh> kees: I didn't see the original email, but I'm an experienced PHP developer. If I spend two days cleaning it up will that get us there, or is it going to be a waste of time?
[23:09] <kees> and since the code isn't consistent with its SQL usage and the global vars, and alternating sanitization, it's very hard to be sure without really really careful examination of every line, which makes it also fragile for future updates
[23:09] <nijaba> owh: limesurvey is 12Mo
[23:09] <owh> nijaba: Surely that is not all PHP code.
[23:10] <kees> $ find . -type f -name '*.php' | xargs wc -l
[23:10] <kees> ...
[23:10] <nijaba> owh: there is a LOT of code, trust me, or have a look at it
[23:10] <kees> 136754 total
[23:10] <kees> (though that includes the many embedded modules)
[23:10] * owh stops contemplating working on it for two days.
[23:11] <soren> whuh...?
[23:11] <owh> To me that indicates that nijaba's option 3 and 4 are out.
[23:11] <kees> owh: I think it's possible to fix it, yes. It just requires redesigning how SQL is used and being more careful with output
[23:11] <jdstrand> it embeds adodb and others?
[23:11] <kees> they're already on their way to fix it, it's just not really done yet
[23:11] <nijaba> jdstrand: yes
[23:11] <owh> kees: Yes, but fixing it won't likely be in time for our survey to be useful.
[23:11] <nijaba> jdstrand: but I have "fixed" that in my package
[23:12] <kees> owh: that might be true yeah. options 3 and 4 seem reasonable since it would isolate the risks, and the risks are in the "unlikely" category.
[23:12] <ajmitch> kees: sounds like a bit of a nightmare
[23:12] <owh> kees: Other than that the database can be compromised, cleared, altered and the results becoming meaningless, yes :)
[23:12] <kees> ajmitch: I've seen much worse. limesurvey is certainly working to be safe. they're just not all the way there yet.
[23:13] <kees> owh: right, vandalism may be possible. but again, I think it's an unlikely situation (but not impossible)
[23:13] <owh> kees: Can we mitigate, by doing database replication/backups?
[23:13] <kees> owh: probably possible. just more admin work.
[23:14] <owh> I think that the risks don't outweigh the benefits.
[23:14] * kees leaves that up to nijaba and elmo
[23:14] <kees> I'm just giving my opinion on the code safety. :)
[23:14] <nijaba> elmo: really your call: do we go to option 1 or 2?
[23:15] <elmo> (1) and (2) are proprietary and/or survey monkey?
[23:15] <nijaba> elmo: yes
[23:15] <owh> If we're going to redo it, I'd go for option 1 - it's in-house.
[23:15] <nijaba> elmo: my worst fear would be for the data to be stolen
[23:16] <elmo> err, I'm confused are you asking 'should we do option (1, 2) or something else' or 'should we do option (1) or option (2)?
[23:16] <elmo> 'cos if you're not running survey software on my servers, it's not really my (professional ;-) business :)
[23:16] <nijaba> elmo: I am asking you if we should rule out option 1 and 4
[23:16] <nijaba> sorry 3 and 4
[23:16] <elmo> right, wel
[23:17] <elmo> argh, I don't really know
[23:17] <elmo> if a) you guys genuinely think upstream are making progress and it will one day be a sane codebase
[23:18] <elmo> and b) you're super keen to get whatever offers limesurvey offers you and benefit from whatever work you've put into it
[23:18] <elmo> then, we can run it, I guess
[23:18] <kees> I don't think it'll be fixed within the year unless someone is dedicated to doing the redesign.
[23:18] <nijaba> kees: can we rule out the possibility for the data to be stolen? only vandalize at worst?
[23:18] <elmo> (but all things being equal, I'd rather not )
[23:18] <jdstrand> well, there is an assumption in 1 and 2 that it is actually better than limesurvey-- I don't know any of it, but am not sure that assumption is true
[23:18] <kees> nijaba: I can't say we can rule it out, no.
[23:18] <nijaba> jdstrand: good point
[23:19] <owh> jdstrand: I did consider that also, which is why I lean toward option 1.
[23:19] <kees> nijaba: if one can inject, one can likely extract. and if they actually gain shell access, game over for data
[23:19] <nijaba> owh: sure, security by obfuscation?
[23:19] <owh> nijaba: No, security by hitting the supplier.
[23:19] <nijaba> :)
[23:19] <jdstrand> nijaba: I guess with adodb it doesn't care if it's mysql or postgresql?
[23:20] <nijaba> jdstrand: normally not, but not tested with pgsql
=== danshearer1 is now known as danshearer
[23:20] <jdstrand> kees: well, if we run it on an isolated server with mysql, then we have apparmor
[23:20] <jdstrand> (on hardy)
[23:20] <jdstrand> I think that would pretty well mitigate non-db access
[23:20] <kees> jdstrand: it could -- just more admin work.
[23:21] <nijaba> kees: not really, the profile is there already
[23:21] * nealmcb agrees with jdstrand - who knows how secure the proprietary option is (what is it?) or surveymonkey
[23:21] <owh> Also, from memory you can log all MySQL queries to syslog.
[23:21] <jdstrand> nijaba: more work because of the isolated server
[23:21] <kees> nijaba: well, isolating the web server really.
[23:21] <nijaba> jdstrand: my plan was to run it in a KVM...
[23:22] <nijaba> I mean, for option 3
[23:24] <owh> If we can mitigate access and we can log all queries, are we not able to roll?
[23:25] <nijaba> elmo: given that the survey should only run for a couple of months this round, I'd be ok to go for option 3 and take the admin on my shoulders if you want. Would you be ok to moint some serversurvey.ubuntu.com record to it?
[23:25] <nijaba> point, too
[23:26] <elmo> nijaba: the loco server debacle showed us that if it has the ubuntu name outsourcing doesn't help us PR wise
[23:26] * kees has to go afk, back in a bit.
[23:26] <elmo> if we're going to do this, I'd rather it be (4) than (3)
[23:27] <nijaba> elmo: right. and your feeling on 4 at this point (and we'll close the subject after that).
[23:27] <elmo> nijaba: hasn't really changed from what I said before. if (a) and (b) are true, we can do it
[23:28] <nijaba> elmo: I believe they are. owh, do you agree on (b)?
[23:28] <owh> nijaba: Depends on what I'm agreeing to putting in.
[23:29] <nijaba> b) you're super keen to get whatever offers limesurvey offers you and benefit from whatever work you've put into it
[23:29] <nijaba> owh: pasting from elmo ^^
[23:29] <owh> nijaba: I understood that, what I mean is, what expectations does ubuntu-server - ie, you - have that I do with/to limesurvey?
[23:30] <nijaba> limesurvey itself: not much
[23:30] <nijaba> the test we have done on the survey we prepared: a lot
[23:30] <nijaba> and you were a big part of that
[23:30] <nijaba> together with faulkes-
[23:30] <owh> WFM
[23:31] <owh> nijaba: If you turn on the General Query Log: http://dev.mysql.com/doc/refman/5.1/en/query-log.html on the database - log to a remote syslog server, then we can rebuild if the shit hits the fan.
[23:31] <nijaba> elmo: I think we have a plan, then
[23:32] <owh> Excellent, next topic :)
[23:32] <mathiaz> so the plan is: 18:02 < nijaba> 4/ See with elmo if it is possible to run limesurvey on an isolated server
[23:33] <mathiaz> ?
[23:33] <nijaba> mathiaz: yep
[23:33] <mathiaz> nijaba: ok - great !
[23:33] <mathiaz> I think we're running late
[23:33] <nijaba> elmo and I will work out the details in the next few days, I guess
[23:33] <mathiaz> and most of the people are not around anymore - so last topic:
[23:33] <owh> mathiaz: Only 33 minutes thus far :)
[23:33] <mathiaz> #
[23:33] <mathiaz> Agree on next meeting date and time.
[23:34] <nijaba> 15:00 UTC next week?
[23:34] <nealmcb> (tuesday?)
[23:34] <owh> Yeah, saw the post to the list, what day did you say again?
[23:34] <mathiaz> tuesday
[23:34] <mathiaz> works for me
[23:34] <owh> I'll have to have a nanna-nap before the meeting :)
[23:34] <nealmcb> works for me
[23:35] <mathiaz> excellent - so next meeting: next tuesday, 15:00 UTC in #ubuntu-meeting
[23:35] <nijaba> owh; we'll sponsor an ubuntu pillow then ;)
[23:35] <owh> nijaba: Excellent, email it to me :)
[23:35] <InsomniaCity> owh: so what happened about your ex-client with the ssh vulnerability?
[23:35] <nijaba> owh: sure thing
[23:35] <owh> nijaba: If you know which exact version of limesurvey you're going to run, and you can send me kees' comments, I can have a look at the code.
[23:36] <owh> InsomniaCity: I sent a security notice and heard nothing. I sent several to other clients and fixed theirs.
[23:36] <InsomniaCity> owh: I thought it'd be a non-issue :)
[23:36] <nijaba> owh: thanks for the offer
[23:36] <owh> InsomniaCity: At least I can look in the mirror and sleep well.
[23:37] <InsomniaCity> yup
[23:37] <owh> nijaba: Sure.
[23:37] <owh> InsomniaCity: I'm glad I asked though. It helped formulate a plan - so thanks for your input at the time.
[23:37] * nijaba needs to go get some sleep. Thanks everyone!
[23:37] <InsomniaCity> owh: np :)
[23:37] <owh> Thanks mathiaz for chairing another wonderful meeting.
[23:37] <nijaba> and thanks to mathiaz for hosting the meeting once more
[23:38] <owh> #endmeeting :)