sts-sponsors team mailing list archive

[Lukasz Zemczak <lukasz.zemczak@xxxxxxxxxxxxx>]

Hey Matthew!

Happy New Year! I have just started my first SRU shift and now I will
proceed rolling out the updates to -updates and -security. My plan is:
1) Today releasing all the staged adcli and sssd updates into -updates
+ the cyrus-sasl2 package for bionic
2) All the updates should be -security enabled, but to make sure there
are no incidents this time, I'll only copy them into -security on
Monday after baking in -updates for a few days

Cheers,

On Thu, 10 Dec 2020 at 05:38, Matthew Ruffell
<matthew.ruffell@xxxxxxxxxxxxx> wrote:
>
> Hi Lukasz,
>
> I think you understand the plan correctly. Here it is in bullet points:
>
> 1) Re-instate Bionic sssd 1.16.1-1ubuntu1.7 and Focal sssd
> 2.2.3-3ubuntu0.1 to -updates.
>
> Their [what could go wrong] still holds, as their changes are behind an opt-in
> configuration file option, and it has been tested by me, the customer, and the
> original bug reporter. Unlikely to cause regressions, and if they do, they will
> be opt in via intentional configuration file change.
>
> 2) Re-instate Groovy adcli 0.9.0-1ubuntu1.2 to -updates.
>
> Changes to adcli on Groovy are minimal, and will not cause any problems.
>
> 3) Build (likely in special security ppa), and accept cyrus-sasl2
> upload to bionic-proposed.
>
> We need to start the ball rolling on fixing the root cause, which is the bad
> GSS-SPNEGO implementation in Bionic.
>
> 4) Delete adcli 0.8.2-1ubuntu2 from bionic-proposed upload queue.
>
> It is likely a bit late for a revert package now, affected users would have
> downgraded to adcli from -release. We will push for a fix instead.
>
> 5) Go with option one from the previous email, build, and accept adcli
> 0.8.2-1ubuntu2.1 to bionic-proposed.
>
> This builds on 0.8.2-1ubuntu1 with the SRU changes, and depends on the fixed
> cyrus-sasl2 package.
>
> https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff
>
> 6) Although adcli for Focal should be safe for release, we will play it safe,
> and only release it when adcli for Bionic is ready.
>
> 7) I will re-test and verify adcli on both Bionic and Focal, as well as test
> and verify cyrus-sasl2. I will also get the customer to perform some testing.
>
> 8) Once all testing has been completed, we will release adcli for Bionic and
> Focal and cyrus-sasl2 to -updates.
>
> I hope this action plan is okay. Feel free to ask for clarifications before we
> put the plan into action.
>
> Thanks,
> Matthew
>
> On Thu, Dec 10, 2020 at 5:29 AM Lukasz Zemczak
> <lukasz.zemczak@xxxxxxxxxxxxx> wrote:
> >
> > Ok, thanks for the clarification!
> >
> > So, if I understand correctly, we should reinstate the reverted sssd
> > for all the series, and adcli for focal and groovy? Then for bionic
> > accept the cyrus-sasl2 upload + possibly an adcli with the changes
> > that were reverted? I suppose adcli would need a breaks statement in
> > that case.
> >
> > Anyway, I'm around if any SRU reviews or package copying is needed.
> > Let me reach out to Eric.
> >
> > Cheers,
> >
> > On Wed, 9 Dec 2020 at 05:13, Matthew Ruffell
> > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > >
> > > > Ok, so there was a LOT happening in this thread, so I'd use some quick summary.
> > > > Since what I'd like to know:
> > >
> > > > 1) Does this cyrus-sasl2 fix both the adcli and sssd regressions?
> > > > Since we reverted both as people were reporting regressions first for sssd
> > > > and then for adcli - not sure which one was the actual cause of it though
> > >
> > > The cyrus-sasl2 fix fixes the adcli regression, due to adcli changing to using
> > > GSS-SPNEGO by default, which was broken.
> > >
> > > sssd never had a regression in the first place, due to the changes having
> > > nothing to do with GSS-SPNEGO.
> > >
> > > The confusion with sssd came from confused users who did not know that adcli
> > > is the program under the hood of realm, and thought that sssd had broken, when
> > > in reality, it was adcli.
> > >
> > > > 2) Does it need fixing for all the stable series where we updated adcli and
> > > > (additionally) sssd?
> > >
> > > cyrus-sasl2 is only broken in Bionic. Focal onward already have the patch and
> > > work fine.
> > >
> > > Let me know if you have any more questions, happy to answer.
> > >
> > > Thanks,
> > > Matthew
> > >
> > > On Tue, Dec 8, 2020 at 4:57 PM Matthew Ruffell
> > > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > > >
> > > > Hello Eric and Lukasz,
> > > >
> > > > I have created new debdiffs for adcli. Please review and also sponsor one
> > > > of them to -proposed.
> > > >
> > > > Since there are multiple versions of adcli floating around I made two debdiffs.
> > > >
> > > > Please choose the one most convenient / cleanest to apply.
> > > >
> > > > The first simply builds ontop of 0.8.2-1ubuntu1 currently in -proposed, and is
> > > > the version pull-lp-source pulls down. It simply adds the dependency
> > > > to the fixed
> > > > libsasl2-modules-gssapi-mit package with a greater than or equal to
> > > > relationship.
> > > >
> > > > Use of this debdiff requires 0.8.2-1ubuntu2 to be deleted from the upload queue,
> > > > and treated as 0.8.2-1ubuntu2 never existed.
> > > >
> > > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff
> > > >
> > > > Option two builds upon 0.8.2-1ubuntu2, and re-applies all of the --use-ldaps
> > > > patches from the previous SRU which 0.8.2-1ubuntu2 reverts. It also adds the
> > > > dependency to the fixed libsasl2-modules-gssapi-mit package with a
> > > > greater than
> > > > or equal to relationship.
> > > >
> > > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441873/+files/lp1906627_adcli_option_two.debdiff
> > > >
> > > > My preference is for option one, but use whatever is required. I only made both
> > > > of these to lower round trip time due to timezones if you don't like the option
> > > > one idea.
> > > >
> > > > Thanks,
> > > > Matthew
> > > >
> > > > On Mon, Dec 7, 2020 at 3:25 PM Matthew Ruffell
> > > > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > > > >
> > > > > Hi Eric, Lukasz,
> > > > >
> > > > > Please review and potentially sponsor the cyrus-sasl2 debdff attached
> > > > > to LP1906627.
> > > > >
> > > > > [1] https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627
> > > > >
> > > > > It fixes the root cause of the GSS-SPNEGO implementation being incompatible with
> > > > > Microsoft's implementation in Active Directory.
> > > > >
> > > > > If you are still planning to re-release adcli and sssd to -security, then you
> > > > > should also build cyrus-sasl2 in the same way:
> > > > >
> > > > > https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4336/+packages
> > > > >
> > > > > Again, I am sorry for causing the regression and these patches should fix the
> > > > > underlying cause.
> > > > >
> > > > > Thanks,
> > > > > Matthew
> >
> >
> >
> > --
> > Łukasz 'sil2100' Zemczak
> >  Foundations Team
> >  lukasz.zemczak@xxxxxxxxxxxxx
> >  www.canonical.com



-- 
Łukasz 'sil2100' Zemczak
 Foundations Team
 lukasz.zemczak@xxxxxxxxxxxxx
 www.canonical.com