fungi | i'm at a computer where i can more easily test it out. i'll give it a try at reproducing now | 00:07 |
---|---|---|
fungi | no luck | 00:08 |
fungi | fresh browser session: created tab A to storyboard (not logged in) | 00:08 |
fungi | created tab B to storyboard, then logged in | 00:09 |
fungi | went back to tab A and refreshed. now shows logged in | 00:09 |
fungi | created tab C to storyboard. it's already logged in | 00:09 |
fungi | closed all tabs and exited browser | 00:09 |
fungi | started browser again and created a new tab A to storyboard. it's already logged in | 00:10 |
fungi | corvus: this is with firefox-esr 52.6.0 | 00:12 |
*** jamesmcarthur has quit IRC | 00:12 | |
*** jamesmcarthur has joined #storyboard | 00:17 | |
*** jamesmcarthur has quit IRC | 00:31 | |
*** jamesmcarthur has joined #storyboard | 01:41 | |
*** jamesmcarthur has quit IRC | 01:46 | |
*** jamesmcarthur has joined #storyboard | 02:13 | |
*** jamesmcarthur has quit IRC | 03:17 | |
*** udesale has joined #storyboard | 04:05 | |
*** udesale_ has joined #storyboard | 09:27 | |
*** udesale__ has joined #storyboard | 09:29 | |
*** udesale has quit IRC | 09:29 | |
* SotK also observes the behaviour as described by fungi on various versions of Chrome and Firefox | 09:30 | |
*** udesale_ has quit IRC | 09:32 | |
*** tosky has joined #storyboard | 09:41 | |
*** tellesnobrega has quit IRC | 11:13 | |
*** tellesnobrega has joined #storyboard | 11:39 | |
*** udesale__ has quit IRC | 11:45 | |
*** jamesmca_ has joined #storyboard | 13:29 | |
*** jdandrea_ has quit IRC | 13:35 | |
*** jdandrea has joined #storyboard | 13:36 | |
*** jamesmca_ is now known as jamesmcarthur_ | 13:56 | |
fungi | #success Release management has moved their task tracking to https://storyboard.openstack.org/#!/project_group/73 (including importing all existing reno bugs from Launchpad) | 14:34 |
openstackstatus | fungi: Added success to Success page (https://wiki.openstack.org/wiki/Successes) | 14:34 |
SotK | \o/ | 14:36 |
*** udesale has joined #storyboard | 16:20 | |
*** udesale has quit IRC | 16:26 | |
*** tosky has quit IRC | 16:53 | |
*** jamesmcarthur_ has quit IRC | 17:32 | |
*** jamesmcarthur has joined #storyboard | 17:36 | |
*** jamesmcarthur has quit IRC | 17:40 | |
*** jamesmcarthur has joined #storyboard | 17:42 | |
diablo_rojo | Woot woot! | 18:01 |
diablo_rojo | SotK, fungi meeting time? | 18:02 |
fungi | looks like it | 18:02 |
fungi | er, no | 18:02 |
fungi | it's supposed to start at 19:00 utc | 18:02 |
persia | UTC is UTC. Ignore selected north american governments that make things hard. | 18:02 |
fungi | it is currently ~18:00 utc so still an hour to go | 18:03 |
diablo_rojo | Stupid google not updating calendar events.. | 18:03 |
fungi | itym updating calendar events it shouldn't have? | 18:03 |
persia | diablo_rojo: It turns out it isn't google's fault: the problem is the underlying standard, which sets events in terms of offset from UTC, rather than statutory timezone. | 18:03 |
fungi | i suppose it depends on whether you consider following daylight savings time changes to be "changing" or "staying the same" | 18:04 |
* persia thanks mordred for pointing out that it wasn't that the calendar software was buggy, but that the basic problem wasn't solved by the specs | 18:04 | |
persia | fungi: tzdata has values that allow each meeting to be configured to make each of those choices independently, but this is hard, and apparently didn't exist when early internet timezone specifications were defined (e.g. 03:05+0:900) | 18:05 |
fungi | i've found keeping my calendar in utc helps, and that way i just have to remember to adjust tz-specific recurring meetings at dst boundaries | 18:05 |
diablo_rojo | Any new meeting I need to add to calendar I set in Iceland timezone (so that it basically equates to UTC) | 18:05 |
fungi | silly they don't just let you pick "utc" | 18:06 |
persia | Some software does, some doesn't. Sadly, not everyone considers the tzdata list authoritative. | 18:06 |
diablo_rojo | fungi, agreed | 18:06 |
corvus | okay, so if this wasn't weird enough already -- somebody just sent me a link to a worklist, and i clicked it in my terminal, and it opened in a new tab in my browser and i was logged in. | 18:51 |
corvus | i then open another new tab, go to sb.o.o, and i'm not logged in there. | 18:52 |
corvus | i open a new tab and paste the url into the bar, and i'm not logged in. | 18:52 |
persia | Do you have aggressive caching in your browser, or are you victim to a MITM attack? I once in a while see that sort of thing in Chrome, but usually am either logged in or not. | 18:54 |
corvus | i'll grant that this sounds a lot like firefox is just being weird, but also, it's probably worth noting that i don't think many sites use local storage for auth tokens. i think it's more generally accepted that exiting a browser should log a user out of sites, which contraindicates local storage. | 18:54 |
persia | I have not observed the behavior with Firefox. | 18:55 |
corvus | persia: when i inspect the local storage contents for the tabs, i see that the not-logged-in tabs have no token info. i feel like that probably discounts MITM, but i can't say that for certain because i do not understand the mechanism that storyboard uses to manipulate local storage contents. | 18:55 |
persia | I also do not. I have seen similar behaviors with entirely different stacks and transparent proxies, hence raising the possibility (as https solves most transparent proxy problems). | 18:57 |
corvus | i have no *known* mitm system. :) | 18:58 |
SotK | *now* it is meeting time :) | 18:59 |
diablo_rojo | SotK, :) | 19:00 |
openstackgerrit | Merged openstack/boartty master: Remove archived lanes and worklist items https://review.openstack.org/552714 | 19:00 |
openstackgerrit | Merged openstack/boartty master: Display story access level https://review.openstack.org/552715 | 19:00 |
*** jamesmcarthur has quit IRC | 19:52 | |
*** jamesmcarthur has joined #storyboard | 19:53 | |
diablo_rojo | SotK, fungi- starting etherpad: https://etherpad.openstack.org/p/sb_outreachy | 20:01 |
diablo_rojo | Going to track down what all we need in the proposal | 20:01 |
*** jamesmcarthur has quit IRC | 20:09 | |
diablo_rojo | SotK, you need to sign up to be a mentor here to co mentor: https://www.outreachy.org/communities/cfp/ | 20:11 |
diablo_rojo | fungi too if you can | 20:11 |
fungi | corvus: is it possible you have some setting/extension which is forcing all tabs into "incognito" mode and preventing them from sharing data? | 20:12 |
corvus | fungi: not that i'm aware of, but i can try disabling the only (adblocking) extension i have | 20:14 |
fungi | i'm using privacy badger with fairly default configuration | 20:15 |
fungi | and it hasn't seemed to trigger the behavior you're observing | 20:16 |
corvus | disabling the ad blocker didn't have an effect | 20:16 |
corvus | okay, creating an entirely new profile does cause it to work. | 20:17 |
fungi | bizarre | 20:19 |
corvus | i've gone through and re-enabled all the settings i care about. still works. | 20:23 |
corvus | i guess i'll export/import bookmarks, and that's my new profile. :| | 20:23 |
diablo_rojo | SotK, filled in the questions we need to answer from the form | 20:23 |
fungi | corvus: would be interesting to find out what setting (if it was a setting?) broke it, but i suppose that's academic at this point | 20:23 |
corvus | fungi: i agree, which is why i manually mirrored all the settings i know about, to no effect... | 20:24 |
corvus | maybe i should check about:config and see if there's any weirdness there | 20:24 |
corvus | okay, probably because i've carried this profile around for 400 years, there are thousands of "modified" settings in about:config. so scratch that. | 20:26 |
corvus | i'm sure one of them is the culprit. :) | 20:26 |
*** jamesmcarthur has joined #storyboard | 20:27 | |
*** jamesmca_ has joined #storyboard | 20:29 | |
*** jamesmcarthur has quit IRC | 20:29 | |
fungi | yeah, i'm in desperate need of recreating my ff profile too, i expect | 20:30 |
fungi | it's only a matter of time before i experience similar sorts of strangeness | 20:31 |
corvus | what's the story on attachments to stories? are we in favor, or opposed? :) | 20:36 |
fungi | i think the reality was somewhere in between, but i don't recall it coming back up for discussion in a year or two | 20:50 |
diablo_rojo | SotK, running out of steam, perhaps you can help me out with the last question? Maybe we should narrow the scope a bit? | 20:52 |
corvus | why can't i use a * in a comment? | 20:53 |
corvus | oh wait, it's a /* that didn't work... here, let me put a comment on a test story | 20:54 |
corvus | here we go: https://storyboard.openstack.org/#!/story/2001675 | 20:57 |
corvus | */* is the issue | 20:57 |
corvus | it appears to turn into some sort of extra-slanted slash | 20:58 |
fungi | *foo* gets interpreted as italicization/emphasis | 20:59 |
fungi | i guess | 20:59 |
corvus | oh, that's an italic slash? | 20:59 |
fungi | seems likely | 20:59 |
corvus | well, it turned my comment about a really subtle path issue into gibberish :( | 21:00 |
corvus | i guess i'll rewrite it with lots of ``` | 21:00 |
fungi | a checkbox to disable markdown parsing might be nice | 21:00 |
corvus | the markdown parsing happens on display though | 21:01 |
corvus | (so an option would require the user to realize they were missing information, and then check the box to retrieve it) | 21:02 |
persia | I'm hugely opposed to attachments on stories, and willing to argue it at length. That said, I've done so lots of times, and people keep wanting it, and so I would only argue against, rather than try to block, an implementation at this point. | 21:06 |
persia | Basically, in most cases it should be possible to store things somewhere else, and then link to them. | 21:06 |
corvus | persia: i'm not in an arguing mood, and i'm short on time, so that's 2 reasons i won't write a patch to implement it. mostly curious since right now, if we had them, i would use them. i figured someone else would ask at some point. | 21:07 |
corvus | let me un-privatize a story to show you why | 21:08 |
persia | corvus: You and I have a common lack of mood today :) | 21:08 |
persia | My arguments are mostly that for most projects, there are lots of better ways to store things, and for many of the details, I think the project is better served by external hosting (e.g. write a test case, submit a DNM change, link to the log). Also, for one of the early adopters of storyboard, there were issues with storage hosting (but they don't use it anymore, so it matters less). | 21:09 |
corvus | persia: here's our trial of using storyboard for security issues: https://storyboard.openstack.org/#!/story/2001656 | 21:10 |
persia | That makes perfect sense. | 21:11 |
persia | In my ideal world, which I would have argued for more passionately a few years ago, that would be implemented with embargo features in the patch tracker (e.g. gerrit). | 21:11 |
persia | We don't happen to live in that world, and as a result, you have significantly reduced my level of interest in blocking attachments. | 21:12 |
corvus | yeah, we'd all love that, but the gerrit folks have indicated it's like NP-hard or something. :) | 21:12 |
persia | One of the most convincing architectures I have heard was to have SB have a facility to store attachments in an arbitrary remote object store, and then have a pass through mechanism to deliver them to the client, rather than storing as a blob in the DB or needing to store local files. | 21:13 |
corvus | that sounds good | 21:13 |
persia | Actually doing that was considered a chunk of work, and I argued folk out of it at the time, but I think SotK was involved in that design effort, and may be able to share more details of the kind of thing that would work. | 21:13 |
*** clarkb has joined #storyboard | 21:14 | |
corvus | clarkb and i have noticed we're not getting emails on private stories... | 21:14 |
persia | Interesting. Do you get emails on public stories? | 21:14 |
clarkb | I do start to get notifications once the story is made public | 21:14 |
clarkb | (in fact I get an email for the state transition to public) | 21:14 |
corvus | is that intentional? or maybe just not implemented because someone needs to write a check to filter down the subscribers? | 21:14 |
persia | I would expect it has to do with how permissions are checked by the notification engine, but unfortunately have to go stand at a stand, so can't verify at the moment. | 21:15 |
* corvus assumes lemonade stand | 21:15 | |
persia | I strongly suspect it is not implemented because it is hard to determine the relevant permissions, rather than being an intentional security implementation, although I'm not authoritative. | 21:15 |
persia | collaborate project stand in an expo hall: I wish we had lemonade, really :) | 21:16 |
clarkb | The particular concern here is that it would make it easy to ignore responsible disclosures via private stories in storyboard | 21:16 |
clarkb | would basically force us to poll storyboard to make sure people aren't getting ignored | 21:17 |
persia | I agree it is a bug. | 21:17 |
persia | Email is not secure at all (plaintext, etc.), but way better than lack of vulnerability reports. | 21:18 |
clarkb | well and even if it was just bug foo updated without the actual content that would probably be good enough? | 21:19 |
clarkb | basically something to tell you there is work over in storyboard to be done | 21:19 |
persia | Ooh, excellent suggestion | 21:19 |
corvus | yeah, that wfm. i mean, i want the actual comment most of the time, but i can accept just a 'ping' if folks are worried about transport security | 21:20 |
corvus | (...on private stories) | 21:20 |
*** jamesmca_ has quit IRC | 21:45 | |
persia | Hrm. I haven't spent much time looking at notifications and event plugins, which leaves me confused when I try to look now. | 21:47 |
persia | It seems that filtering happens before the event propagates to anything that actually sends notices. I'm not sure if this is oversight (in that the event plugins were just missed when permissioning was added), or intentional (although I think it is important to at least send "Private story <link> changed"). | 21:48 |
persia | I suspect a real answer requires someone in a timezone where it is late at this point. | 21:49 |
SotK | sorry, I got distracted from here | 22:19 |
SotK | there are no emails from private stories because we didn't want to disclose the existence of private stories, and the emails are currently implemented as a daemon which listens to rabbitmq to detect events, so supporting emails for private stories would currently require publishing the update event to rabbitmq | 22:22 |
clarkb | SotK: that is an internal queue though right? or would we have to assume that something other than the service and its admins would be able to see that? | 22:24 |
SotK | it is currently internal, though I believe there was/is an intention to switch to mqtt and add it to firehose.o.o | 22:25 |
SotK | diablo_rojo: I think narrowing the scope will make that last part easier to write | 22:30 |
*** jamesmcarthur has joined #storyboard | 22:40 | |
diablo_rojo | SotK, yeah that's kind of what I was thinking.. Maybe pick one project they could do for webclient, one they could do for storyboard and one they could do for the pythonclient | 22:41 |
SotK | yep, that makes sense to me | 22:45 |
SotK | I will try to think of some things | 22:45 |
*** jamesmcarthur has quit IRC | 22:45 | |
diablo_rojo | SotK, cool. I will too. | 22:49 |
diablo_rojo | Would be great if we can get this done and sent in and get an intern :) | 22:49 |
corvus | SotK, clarkb: notification about private stories is so important i feel like it should drive the requirements around notification. to me, that implies that the path from event generation to sending email must be trusted, which, if we want to stick with the current architecture, means that anything which exposes the internal events must be responsible for filtering them for access. so a future mqtt | 22:51 |
corvus | reporter must filter private stories appropriately (just as the email sender must). | 22:51 |
diablo_rojo | Sounds like sahara is interested in migrating like friday..so long as https://review.openstack.org/#/c/552651/ gets merged before then | 23:04 |
corvus | SotK: reading the code, i can't figure out why private stories aren't sending email | 23:04 |
corvus | SotK: do you have any hints? | 23:04 |
corvus | (like, i think api/v1/stories.py calls db/api/timeline_events.py to create an event and that gets passed off to the event publisher so it should go to rabbitmq) | 23:05 |
SotK | corvus: yeah, looking at the code it appears my memory was entirely incorrect and actually there is just a bug (probably somewhere in subscription_get_all_subscriber_ids at a guess) | 23:17 |
corvus | oh! that makes me feel better :) | 23:19 |
SotK | I shall try to find some time to investigate soon | 23:21 |
*** jamesmcarthur has joined #storyboard | 23:36 | |
openstackgerrit | James E. Blair proposed openstack-infra/storyboard master: WIP: test subscribers and permissions https://review.openstack.org/553102 | 23:57 |
corvus | SotK: i attempted to make a test, but have run into test-framework issues. that's as far as i got ^ | 23:57 |