sts-sponsors team mailing list archive

[Matthew Ruffell <matthew.ruffell@xxxxxxxxxxxxx>]

Hello Lukasz,

Happy New Year to you also.

Yes, thank you for re-releasing the sssd, adcli and the fixed cyrus-sasl2
packages to -updates. I have let my customers know they are available.

For 2), feel free to wait a week before copying them to -security if you like.
My customers will be able to use them from -updates for the time being.

Again, I'm sorry for causing trouble with the regression in the first place, and
I have spent some time over the break reflecting on things I could have done to
find the regression before it got released and caused problems.

Thank you for all your help.

Thanks,
Matthew

On Fri, Jan 8, 2021 at 12:06 AM Lukasz Zemczak
<lukasz.zemczak@xxxxxxxxxxxxx> wrote:
>
> Hey Matthew!
>
> Happy New Year! I have just started my first SRU shift and now I will
> proceed rolling out the updates to -updates and -security. My plan is:
> 1) Today releasing all the staged adcli and sssd updates into -updates
> + the cyrus-sasl2 package for bionic
> 2) All the updates should be -security enabled, but to make sure there
> are no incidents this time, I'll only copy them into -security on
> Monday after baking in -updates for a few days
>
> Cheers,
>
> On Thu, 10 Dec 2020 at 05:38, Matthew Ruffell
> <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> >
> > Hi Lukasz,
> >
> > I think you understand the plan correctly. Here it is in bullet points:
> >
> > 1) Re-instate Bionic sssd 1.16.1-1ubuntu1.7 and Focal sssd
> > 2.2.3-3ubuntu0.1 to -updates.
> >
> > Their [what could go wrong] still holds, as their changes are behind an opt-in
> > configuration file option, and it has been tested by me, the customer, and the
> > original bug reporter. Unlikely to cause regressions, and if they do, they will
> > be opt in via intentional configuration file change.
> >
> > 2) Re-instate Groovy adcli 0.9.0-1ubuntu1.2 to -updates.
> >
> > Changes to adcli on Groovy are minimal, and will not cause any problems.
> >
> > 3) Build (likely in special security ppa), and accept cyrus-sasl2
> > upload to bionic-proposed.
> >
> > We need to start the ball rolling on fixing the root cause, which is the bad
> > GSS-SPNEGO implementation in Bionic.
> >
> > 4) Delete adcli 0.8.2-1ubuntu2 from bionic-proposed upload queue.
> >
> > It is likely a bit late for a revert package now, affected users would have
> > downgraded to adcli from -release. We will push for a fix instead.
> >
> > 5) Go with option one from the previous email, build, and accept adcli
> > 0.8.2-1ubuntu2.1 to bionic-proposed.
> >
> > This builds on 0.8.2-1ubuntu1 with the SRU changes, and depends on the fixed
> > cyrus-sasl2 package.
> >
> > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff
> >
> > 6) Although adcli for Focal should be safe for release, we will play it safe,
> > and only release it when adcli for Bionic is ready.
> >
> > 7) I will re-test and verify adcli on both Bionic and Focal, as well as test
> > and verify cyrus-sasl2. I will also get the customer to perform some testing.
> >
> > 8) Once all testing has been completed, we will release adcli for Bionic and
> > Focal and cyrus-sasl2 to -updates.
> >
> > I hope this action plan is okay. Feel free to ask for clarifications before we
> > put the plan into action.
> >
> > Thanks,
> > Matthew
> >
> > On Thu, Dec 10, 2020 at 5:29 AM Lukasz Zemczak
> > <lukasz.zemczak@xxxxxxxxxxxxx> wrote:
> > >
> > > Ok, thanks for the clarification!
> > >
> > > So, if I understand correctly, we should reinstate the reverted sssd
> > > for all the series, and adcli for focal and groovy? Then for bionic
> > > accept the cyrus-sasl2 upload + possibly an adcli with the changes
> > > that were reverted? I suppose adcli would need a breaks statement in
> > > that case.
> > >
> > > Anyway, I'm around if any SRU reviews or package copying is needed.
> > > Let me reach out to Eric.
> > >
> > > Cheers,
> > >
> > > On Wed, 9 Dec 2020 at 05:13, Matthew Ruffell
> > > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > > >
> > > > > Ok, so there was a LOT happening in this thread, so I'd use some quick summary.
> > > > > Since what I'd like to know:
> > > >
> > > > > 1) Does this cyrus-sasl2 fix both the adcli and sssd regressions?
> > > > > Since we reverted both as people were reporting regressions first for sssd
> > > > > and then for adcli - not sure which one was the actual cause of it though
> > > >
> > > > The cyrus-sasl2 fix fixes the adcli regression, due to adcli changing to using
> > > > GSS-SPNEGO by default, which was broken.
> > > >
> > > > sssd never had a regression in the first place, due to the changes having
> > > > nothing to do with GSS-SPNEGO.
> > > >
> > > > The confusion with sssd came from confused users who did not know that adcli
> > > > is the program under the hood of realm, and thought that sssd had broken, when
> > > > in reality, it was adcli.
> > > >
> > > > > 2) Does it need fixing for all the stable series where we updated adcli and
> > > > > (additionally) sssd?
> > > >
> > > > cyrus-sasl2 is only broken in Bionic. Focal onward already have the patch and
> > > > work fine.
> > > >
> > > > Let me know if you have any more questions, happy to answer.
> > > >
> > > > Thanks,
> > > > Matthew
> > > >
> > > > On Tue, Dec 8, 2020 at 4:57 PM Matthew Ruffell
> > > > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > > > >
> > > > > Hello Eric and Lukasz,
> > > > >
> > > > > I have created new debdiffs for adcli. Please review and also sponsor one
> > > > > of them to -proposed.
> > > > >
> > > > > Since there are multiple versions of adcli floating around I made two debdiffs.
> > > > >
> > > > > Please choose the one most convenient / cleanest to apply.
> > > > >
> > > > > The first simply builds ontop of 0.8.2-1ubuntu1 currently in -proposed, and is
> > > > > the version pull-lp-source pulls down. It simply adds the dependency
> > > > > to the fixed
> > > > > libsasl2-modules-gssapi-mit package with a greater than or equal to
> > > > > relationship.
> > > > >
> > > > > Use of this debdiff requires 0.8.2-1ubuntu2 to be deleted from the upload queue,
> > > > > and treated as 0.8.2-1ubuntu2 never existed.
> > > > >
> > > > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441872/+files/lp1906627_adcli_option_one.debdiff
> > > > >
> > > > > Option two builds upon 0.8.2-1ubuntu2, and re-applies all of the --use-ldaps
> > > > > patches from the previous SRU which 0.8.2-1ubuntu2 reverts. It also adds the
> > > > > dependency to the fixed libsasl2-modules-gssapi-mit package with a
> > > > > greater than
> > > > > or equal to relationship.
> > > > >
> > > > > https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627/+attachment/5441873/+files/lp1906627_adcli_option_two.debdiff
> > > > >
> > > > > My preference is for option one, but use whatever is required. I only made both
> > > > > of these to lower round trip time due to timezones if you don't like the option
> > > > > one idea.
> > > > >
> > > > > Thanks,
> > > > > Matthew
> > > > >
> > > > > On Mon, Dec 7, 2020 at 3:25 PM Matthew Ruffell
> > > > > <matthew.ruffell@xxxxxxxxxxxxx> wrote:
> > > > > >
> > > > > > Hi Eric, Lukasz,
> > > > > >
> > > > > > Please review and potentially sponsor the cyrus-sasl2 debdff attached
> > > > > > to LP1906627.
> > > > > >
> > > > > > [1] https://bugs.launchpad.net/ubuntu/+source/adcli/+bug/1906627
> > > > > >
> > > > > > It fixes the root cause of the GSS-SPNEGO implementation being incompatible with
> > > > > > Microsoft's implementation in Active Directory.
> > > > > >
> > > > > > If you are still planning to re-release adcli and sssd to -security, then you
> > > > > > should also build cyrus-sasl2 in the same way:
> > > > > >
> > > > > > https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4336/+packages
> > > > > >
> > > > > > Again, I am sorry for causing the regression and these patches should fix the
> > > > > > underlying cause.
> > > > > >
> > > > > > Thanks,
> > > > > > Matthew
> > >
> > >
> > >
> > > --
> > > Łukasz 'sil2100' Zemczak
> > >  Foundations Team
> > >  lukasz.zemczak@xxxxxxxxxxxxx
> > >  www.canonical.com
>
>
>
> --
> Łukasz 'sil2100' Zemczak
>  Foundations Team
>  lukasz.zemczak@xxxxxxxxxxxxx
>  www.canonical.com