sts-sponsors team mailing list archive
Message #02307
Re: Please review and consider sponsoring LP #1906627 for cyrus-sasl2, which fixes adcli regression
Hi Lukasz,

I think you understand the plan correctly. Here it is in bullet points:

1) Re-instate Bionic sssd 1.16.1-1ubuntu1.7 and Focal sssd 2.2.3-3ubuntu0.1 to
-updates.

Their [what could go wrong] still holds, as their changes are behind an opt-in
configuration file option, and it has been tested by me, the customer, and the
original bug reporter. Unlikely to cause regressions, and if they do, they will
be opt-in via intentional configuration file change.

2) Re-instate Groovy adcli 0.9.0-1ubuntu1.2 to -updates.

Changes to adcli on Groovy are minimal, and will not cause any problems.

3) Build (likely in special security ppa), and accept cyrus-sasl2 upload to
bionic-proposed.

We need to start the ball rolling on fixing the root cause, which is the bad
GSS-SPNEGO implementation in Bionic.

4) Delete adcli 0.8.2-1ubuntu2 from bionic-proposed upload queue.

It is likely a bit late for a revert package now; affected users would have
downgraded to adcli from -release. We will push for a fix instead.

5) Go with option one from the previous email, build, and accept adcli
0.8.2-1ubuntu2.1 to bionic-proposed.

This builds on 0.8.2-1ubuntu1 with the SRU changes, and depends on the fixed
cyrus-sasl2 package.

https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff

6) Although adcli for Focal should be safe for release, we will play it safe,
and only release it when adcli for Bionic is ready.

7) I will re-test and verify adcli on both Bionic and Focal, as well as test
and verify cyrus-sasl2. I will also get the customer to perform some testing.

8) Once all testing has been completed, we will release adcli for Bionic and
Focal and cyrus-sasl2 to -updates.

I hope this action plan is okay. Feel free to ask for clarifications before we
put the plan into action.

Thanks,
Matthew

On Thu, Dec 10, 2020 at 5:29 AM Lukasz Zemczak
<lukasz.zemczak@xxxxxxxxxxxxx> wrote:
>
> Ok, thanks for the clarification!
>
> So, if I understand correctly, we should reinstate the reverted sssd
> for all the series, and adcli for focal and groovy? Then for bionic
> accept the cyrus-sasl2 upload + possibly an adcli with the changes
> that were reverted? I suppose adcli would need a breaks statement in
> that case.
>
> Anyway, I'm around if any SRU reviews or package copying is needed.
> Let me reach out to Eric.
>
> Cheers,
>
> On Wed, 9 Dec 2020 at 05:13, Matthew Ruffell
> <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> >
> > > Ok, so there was a LOT happening in this thread, so I'd use some quick summary.
> > > Since what I'd like to know:
> >
> > > 1) Does this cyrus-sasl2 fix both the adcli and sssd regressions?
> > > Since we reverted both as people were reporting regressions first for sssd
> > > and then for adcli - not sure which one was the actual cause of it though
> >
> > The cyrus-sasl2 fix fixes the adcli regression, due to adcli changing to using
> > GSS-SPNEGO by default, which was broken.
> >
> > sssd never had a regression in the first place, due to the changes having
> > nothing to do with GSS-SPNEGO.
> >
> > The confusion with sssd came from confused users who did not know that adcli
> > is the program under the hood of realm, and thought that sssd had broken, when
> > in reality, it was adcli.
> >
> > > 2) Does it need fixing for all the stable series where we updated adcli and
> > > (additionally) sssd?
> >
> > cyrus-sasl2 is only broken in Bionic. Focal onward already have the patch and
> > work fine.
> >
> > Let me know if you have any more questions, happy to answer.
> >
> > Thanks,
> > Matthew
> >
> > On Tue, Dec 8, 2020 at 4:57 PM Matthew Ruffell
> > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > >
> > > Hello Eric and Lukasz,
> > >
> > > I have created new debdiffs for adcli. Please review and also sponsor one
> > > of them to -proposed.
> > >
> > > Since there are multiple versions of adcli floating around I made two debdiffs.
> > >
> > > Please choose the one most convenient / cleanest to apply.
> > >
> > > > The first simply builds on top of 0.8.2-1ubuntu1 currently in -proposed, and is
> > > > the version pull-lp-source pulls down. It simply adds the dependency to the
> > > > fixed libsasl2-modules-gssapi-mit package with a greater than or equal to
> > > > relationship.
> > >
> > > > Use of this debdiff requires 0.8.2-1ubuntu2 to be deleted from the upload queue,
> > > > and treated as if 0.8.2-1ubuntu2 never existed.
> > >
> > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff
> > >
> > > > Option two builds upon 0.8.2-1ubuntu2, and re-applies all of the --use-ldaps
> > > > patches from the previous SRU which 0.8.2-1ubuntu2 reverts. It also adds the
> > > > dependency to the fixed libsasl2-modules-gssapi-mit package with a greater
> > > > than or equal to relationship.
> > >
> > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441873/+files/lp1906627_adcli_option_two.debdiff
> > >
> > > My preference is for option one, but use whatever is required. I only made both
> > > of these to lower round trip time due to timezones if you don't like the option
> > > one idea.
> > >
> > > Thanks,
> > > Matthew
> > >
> > > On Mon, Dec 7, 2020 at 3:25 PM Matthew Ruffell
> > > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > > >
> > > > Hi Eric, Lukasz,
> > > >
> > > > > Please review and potentially sponsor the cyrus-sasl2 debdiff attached
> > > > > to LP1906627.
> > > >
> > > > [1] https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627
> > > >
> > > > It fixes the root cause of the GSS-SPNEGO implementation being incompatible with
> > > > Microsoft's implementation in Active Directory.
> > > >
> > > > If you are still planning to re-release adcli and sssd to -security, then you
> > > > should also build cyrus-sasl2 in the same way:
> > > >
> > > > https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4336/+packages
> > > >
> > > > Again, I am sorry for causing the regression and these patches should fix the
> > > > underlying cause.
> > > >
> > > > Thanks,
> > > > Matthew
>
>
>
> --
> Łukasz 'sil2100' Zemczak
> Foundations Team
> lukasz.zemczak@xxxxxxxxxxxxx
> www.canonical.com