Wednesday, 2018-03-14

<fungi> i'm at a computer where i can more easily test it out. i'll give it a try at reproducing now [00:07]
<fungi> no luck [00:08]
<fungi> fresh browser session: created tab A to storyboard (not logged in) [00:08]
<fungi> created tab B to storyboard, then logged in [00:09]
<fungi> went back to tab A and refreshed. now shows logged in [00:09]
<fungi> created tab C to storyboard. it's already logged in [00:09]
<fungi> closed all tabs and exited browser [00:09]
<fungi> started browser again and created a new tab A to storyboard. it's already logged in [00:10]
<fungi> corvus: this is with firefox-esr 52.6.0 [00:12]
*** jamesmcarthur has quit IRC [00:12]
*** jamesmcarthur has joined #storyboard [00:17]
*** jamesmcarthur has quit IRC [00:31]
*** jamesmcarthur has joined #storyboard [01:41]
*** jamesmcarthur has quit IRC [01:46]
*** jamesmcarthur has joined #storyboard [02:13]
*** jamesmcarthur has quit IRC [03:17]
*** udesale has joined #storyboard [04:05]
*** udesale_ has joined #storyboard [09:27]
*** udesale__ has joined #storyboard [09:29]
*** udesale has quit IRC [09:29]
* SotK also observes the behaviour as described by fungi on various versions of Chrome and Firefox [09:30]
*** udesale_ has quit IRC [09:32]
*** tosky has joined #storyboard [09:41]
*** tellesnobrega has quit IRC [11:13]
*** tellesnobrega has joined #storyboard [11:39]
*** udesale__ has quit IRC [11:45]
*** jamesmca_ has joined #storyboard [13:29]
*** jdandrea_ has quit IRC [13:35]
*** jdandrea has joined #storyboard [13:36]
*** jamesmca_ is now known as jamesmcarthur_ [13:56]
<fungi> #success Release management has moved their task tracking to!/project_group/73 (including importing all existing reno bugs from Launchpad) [14:34]
<openstackstatus> fungi: Added success to Success page (
*** udesale has joined #storyboard [16:20]
*** udesale has quit IRC [16:26]
*** tosky has quit IRC [16:53]
*** jamesmcarthur_ has quit IRC [17:32]
*** jamesmcarthur has joined #storyboard [17:36]
*** jamesmcarthur has quit IRC [17:40]
*** jamesmcarthur has joined #storyboard [17:42]
<diablo_rojo> Woot woot! [18:01]
<diablo_rojo> SotK, fungi meeting time? [18:02]
<fungi> looks like it [18:02]
<fungi> er, no [18:02]
<fungi> it's supposed to start at 19:00 utc [18:02]
<persia> UTC is UTC.  Ignore selected north american governments that make things hard. [18:02]
<fungi> it is currently ~18:00 utc so still an hour to go [18:03]
<diablo_rojo> Stupid google not updating calendar events.. [18:03]
<fungi> itym updating calendar events it shouldn't have? [18:03]
<persia> diablo_rojo: It turns out it isn't google's fault: the problem is the underlying standard, which sets events in terms of offset from UTC, rather than statutory timezone. [18:03]
<fungi> i suppose it depends on whether you consider following daylight savings time changes to be "changing" or "staying the same" [18:04]
* persia thanks mordred for pointing out that it wasn't that the calendar software was buggy, but that the basic problem wasn't solved by the specs [18:04]
<persia> fungi: tzdata has values that allow each meeting to be configured to make each of those choices independently, but this is hard, and apparently didn't exist when early internet timezone specifications were defined (e.g. 03:05+0:900) [18:05]
<fungi> i've found keeping my calendar in utc helps, and that way i just have to remember to adjust tz-specific recurring meetings at dst boundaries [18:05]
<diablo_rojo> Any new meeting I need to add to calendar I set in Iceland timezone (so that it basically equates to UTC) [18:05]
<fungi> silly they don't just let you pick "utc" [18:06]
<persia> Some software does, some doesn't.  Sadly, not everyone considers the tzdata list authoritative. [18:06]
<diablo_rojo> fungi, agreed [18:06]
<corvus> okay, so if this wasn't weird enough already -- somebody just sent me a link to a worklist, and i clicked it in my terminal, and it opened in a new tab in my browser and i was logged in. [18:51]
<corvus> i then open another new tab, go to sb.o.o, and i'm not logged in there. [18:52]
<corvus> i open a new tab and paste the url into the bar, and i'm not logged in. [18:52]
<persia> Do you have aggressive caching in your browser, or are you victim to a MITM attack?  I once in a while see that sort of thing in Chrome, but usually am either logged in or not. [18:54]
<corvus> i'll grant that this sounds a lot like firefox is just being weird, but also, it's probably worth noting that i don't think many sites use local storage for auth tokens.  i think it's more generally accepted that exiting a browser should log a user out of sites, which contraindicates local storage. [18:54]
<persia> I have not observed the behavior with Firefox. [18:55]
<corvus> persia: when i inspect the local storage contents for the tabs, i see that the not-logged-in tabs have no token info.  i feel like that probably discounts MITM, but i can't say that for certain because i do not understand the mechanism that storyboard uses to manipulate local storage contents. [18:55]
<persia> I also do not.  I have seen similar behaviors with entirely different stacks and transparent proxies, hence raising the possibility (as https solves most transparent proxy problems). [18:57]
<corvus> i have no *known* mitm system.  :) [18:58]
<SotK> *now* it is meeting time :) [18:59]
<diablo_rojo> SotK, :) [19:00]
<openstackgerrit> Merged openstack/boartty master: Remove archived lanes and worklist items
<openstackgerrit> Merged openstack/boartty master: Display story access level
*** jamesmcarthur has quit IRC [19:52]
*** jamesmcarthur has joined #storyboard [19:53]
<diablo_rojo> SotK, fungi- starting etherpad:
<diablo_rojo> Going to track down what all we need in the proposal [20:01]
*** jamesmcarthur has quit IRC [20:09]
<diablo_rojo> SotK, you need to sign up to be a mentor here to co mentor:
<diablo_rojo> fungi too if you can [20:11]
<fungi> corvus: is it possible you have some setting/extension which is forcing all tabs into "incognito" mode and preventing them from sharing data? [20:12]
<corvus> fungi: not that i'm aware of, but i can try disabling the only (adblocking) extension i have [20:14]
<fungi> i'm using privacy badger with fairly default configuration [20:15]
<fungi> and it hasn't seemed to trigger the behavior you're observing [20:16]
<corvus> disabling the ad blocker didn't have an effect [20:16]
<corvus> okay, creating an entirely new profile does cause it to work. [20:17]
<corvus> i've gone through and re-enabled all the settings i care about.  still works. [20:23]
<corvus> i guess i'll export/import bookmarks, and that's my new profile. :| [20:23]
<diablo_rojo> SotK, filled in the questions we need to answer from the form [20:23]
<fungi> corvus: would be interesting to find out what setting (if it was a setting?) broke it, but i suppose that's academic at this point [20:23]
<corvus> fungi: i agree, which is why i manually mirrored all the settings i know about, to no effect... [20:24]
<corvus> maybe i should check about:config and see if there's any weirdness there [20:24]
<corvus> okay, probably because i've carried this profile around for 400 years, there are thousands of "modified" settings in about:config.  so scratch that. [20:26]
<corvus> i'm sure one of them is the culprit.  :) [20:26]
*** jamesmcarthur has joined #storyboard [20:27]
*** jamesmca_ has joined #storyboard [20:29]
*** jamesmcarthur has quit IRC [20:29]
<fungi> yeah, i'm in desperate need of recreating my ff profile too, i expect [20:30]
<fungi> it's only a matter of time before i experience similar sorts of strangeness [20:31]
<corvus> what's the story on attachments to stories?  are we in favor, or opposed?  :) [20:36]
<fungi> i think the reality was somewhere in between, but i don't recall it coming back up for discussion in a year or two [20:50]
<diablo_rojo> SotK, running out of steam, perhaps you can help me out with the last question? Maybe we should narrow the scope a bit? [20:52]
<corvus> why can't i use a * in a comment? [20:53]
<corvus> oh wait, it's a /* that didn't work... here, let me put a comment on a test story [20:54]
<corvus> here we go:!/story/2001675 [20:57]
<corvus> */* is the issue [20:57]
<corvus> it appears to turn into some sort of extra-slanted slash [20:58]
<fungi> *foo* gets interpreted as italicization/emphasis [20:59]
<fungi> i guess [20:59]
<corvus> oh, that's an italic slash? [20:59]
<fungi> seems likely [20:59]
<corvus> well, it turned my comment about a really subtle path issue into gibberish :( [21:00]
<corvus> i guess i'll rewrite it with lots of ``` [21:00]
<fungi> a checkbox to disable markdown parsing might be nice [21:00]
<corvus> the markdown parsing happens on display though [21:01]
<corvus> (so an option would require the user to realize they were missing information, and then check the box to retrieve it) [21:02]
<persia> I'm hugely opposed to attachments on stories, and willing to argue it at length.  That said, I've done so lots of times, and people keep wanting it, and so I would only argue against, rather than try to block, an implementation at this point. [21:06]
<persia> Basically, in most cases it should be possible to store things somewhere else, and then link to them. [21:06]
<corvus> persia: i'm not in an arguing mood, and i'm short on time, so that's 2 reasons i won't write a patch to implement it.  mostly curious since right now, if we had them, i would use them.  i figured someone else would ask at some point. [21:07]
<corvus> let me un-privatize a story to show you why [21:08]
<persia> corvus: You and I have a common lack of mood today :) [21:08]
<persia> My arguments are mostly that for most projects, there are lots of better ways to store things, and for many of the details, I think the project is better served by external hosting (e.g. write a test case, submit a DNM change, link to the log).  Also, for one of the early adopters of storyboard, there were issues with storage hosting (but they don't use it anymore, so it matters less). [21:09]
<corvus> persia: here's our trial of using storyboard for security issues:!/story/2001656 [21:10]
<persia> That makes perfect sense. [21:11]
<persia> In my ideal world, which I would have argued for more passionately a few years ago, that would be implemented with embargo features in the patch tracker (e.g. gerrit). [21:11]
<persia> We don't happen to live in that world, and as a result, you have significantly reduced my level of interest in blocking attachments. [21:12]
<corvus> yeah, we'd all love that, but the gerrit folks have indicated it's like NP-hard or something.  :) [21:12]
<persia> One of the most convincing architectures I have heard was to have SB have a facility to store attachments in an arbitrary remote object store, and then have a pass through mechanism to deliver them to the client, rather than storing as a blob in the DB or needing to store local files. [21:13]
<corvus> that sounds good [21:13]
<persia> Actually doing that was considered a chunk of work, and I argued folk out of it at the time, but I think SotK was involved in that design effort, and may be able to share more details of the kind of thing that would work. [21:13]
*** clarkb has joined #storyboard [21:14]
<corvus> clarkb and i have noticed we're not getting emails on private stories... [21:14]
<persia> Interesting.  Do you get emails on public stories? [21:14]
<clarkb> I do start to get notifications once the story is made public [21:14]
<clarkb> (in fact I get an email for the state transition to public) [21:14]
<corvus> is that intentional?  or maybe just not implemented because someone needs to write a check to filter down the subscribers? [21:14]
<persia> I would expect it has to do with how permissions are checked by the notification engine, but unfortunately have to go stand at a stand, so can't verify at the moment. [21:15]
* corvus assumes lemonade stand [21:15]
<persia> I strongly suspect it is not implemented because it is hard to determine the relevant permissions, rather than being an intentional security implementation, although I'm not authoritative. [21:15]
<persia> collaborate project stand in an expo hall: I wish we had lemonade, really :) [21:16]
<clarkb> The particular concern here is that it would make it easy to ignore responsible disclosures via private stories in storyboard [21:16]
<clarkb> would basically force us to poll storyboard to make sure people aren't getting ignored [21:17]
<persia> I agree it is a bug. [21:17]
<persia> Email is not secure at all (plaintext, etc.), but way better than lack of vulnerability reports. [21:18]
<clarkb> well and even if it was just bug foo updated without the actual content that would probably be good enough? [21:19]
<clarkb> basically something to tell you there is work over in storyboard to be done [21:19]
<persia> Ooh, excellent suggestion [21:19]
<corvus> yeah, that wfm.  i mean, i want the actual comment most of the time, but i can accept just a 'ping' if folks are worried about transport security [21:20]
<corvus> (...on private stories) [21:20]
*** jamesmca_ has quit IRC [21:45]
<persia> Hrm.  I haven't spent much time looking at notifications and event plugins, which leaves me confused when I try to look now. [21:47]
<persia> It seems that filtering happens before the event propagates to anything that actually sends notices.  I'm not sure if this is oversight (in that the event plugins were just missed when permissioning was added), or intentional (although I think it is important to at least send "Private story <link> changed"). [21:48]
<persia> I suspect a real answer requires someone in a timezone where it is late at this point. [21:49]
<SotK> sorry, I got distracted from here [22:19]
<SotK> there are no emails from private stories because we didn't want to disclose the existence of private stories, and the emails are currently implemented as a daemon which listens to rabbitmq to detect events, so supporting emails for private stories would currently require publishing the update event to rabbitmq [22:22]
<clarkb> SotK: that is an internal queue though right? or would we have to assume that something other than the service and its admins would be able to see that? [22:24]
<SotK> it is currently internal, though I believe there was/is an intention to switch to mqtt and add it to firehose.o.o [22:25]
<SotK> diablo_rojo: I think narrowing the scope will make that last part easier to write [22:30]
*** jamesmcarthur has joined #storyboard [22:40]
<diablo_rojo> SotK, yeah that's kind of what I was thinking.. Maybe pick one project they could do for webclient, one they could do for storyboard and one they could do for the pythonclient [22:41]
<SotK> yep, that makes sense to me [22:45]
<SotK> I will try to think of some things [22:45]
*** jamesmcarthur has quit IRC [22:45]
<diablo_rojo> SotK, cool. I will too. [22:49]
<diablo_rojo> Would be great if we can get this done and sent in and get an intern :) [22:49]
<corvus> SotK, clarkb: notification about private stories is so important i feel like it should drive the requirements around notification.  to me, that implies that the path from event generation to sending email must be trusted, which, if we want to stick with the current architecture, means that anything which exposes the internal events must be responsible for filtering them for access.  so a future mqtt [22:51]
<corvus> reporter must filter private stories appropriately (just as the email sender must). [22:51]
<diablo_rojo> Sounds like sahara is interested in migrating like long as gets merged before then [23:04]
<corvus> SotK: reading the code, i can't figure out why private stories aren't sending email [23:04]
<corvus> SotK: do you have any hints? [23:04]
<corvus> (like, i think api/v1/ calls db/api/ to create an event and that gets passed off to the event publisher so it should go to rabbitmq) [23:05]
<SotK> corvus: yeah, looking at the code it appears my memory was entirely incorrect and actually there is just a bug (probably somewhere in subscription_get_all_subscriber_ids at a guess) [23:17]
<corvus> oh! that makes me feel better :) [23:19]
<SotK> I shall try to find some time to investigate soon [23:21]
*** jamesmcarthur has joined #storyboard [23:36]
<openstackgerrit> James E. Blair proposed openstack-infra/storyboard master: WIP: test subscribers and permissions
<corvus> SotK: i attempted to make a test, but have run into test-framework issues.  that's as far as i got ^ [23:57]
