1 2013-02-23T00:03:12  *** ronny has quit IRC
   2 2013-02-23T04:20:57  *** puneet has joined #moin-dev
   3 2013-02-23T05:21:34  *** puneet has quit IRC
   4 2013-02-23T05:38:36  *** puneet has joined #moin-dev
   5 2013-02-23T06:00:08  *** puneet has quit IRC
   6 2013-02-23T06:39:35  *** ronny has joined #moin-dev
   7 2013-02-23T06:39:35  *** ronny has joined #moin-dev
   8 2013-02-23T13:47:29  <ThomasWaldmann> moin
   9 2013-02-23T14:15:06  <ThomasWaldmann> http://www.youtube.com/watch?v=5bLmNN5mH-U
  10 2013-02-23T14:16:49  * xiaq will give a talk on gsoc and moinmoin tomorrow :)
  11 2013-02-23T14:18:46  <ThomasWaldmann> great :) where?
  12 2013-02-23T14:21:34  <xiaq> ThomasWaldmann: in my Uni
  13 2013-02-23T14:49:35  <xiaq> ThomasWaldmann: why didn't the "mount" idea work out?
  14 2013-02-23T14:54:12  <xiaq> or another equivalent question: what can be implemented by means of namespace but not "directory" structure?
  15 2013-02-23T15:00:00  <ThomasWaldmann> back then in brazil, we tried to get the router middleware right, but it simply was not possible to get it right.
  16 2013-02-23T15:00:15  <ThomasWaldmann> (i don't remember too much details)
  17 2013-02-23T15:00:53  <ThomasWaldmann> we found that namespaces is a simpler approach and can also be better integrated with interwiki map / link markup
  18 2013-02-23T15:01:42  <xiaq> ThomasWaldmann: how is routing to different storage backends for different namespaces useful?
  19 2013-02-23T15:02:29  <ThomasWaldmann> you can e.g. have that fileserver backend in one namespace, kind of like ftp
  20 2013-02-23T15:03:37  <ThomasWaldmann> or maybe share users?
  21 2013-02-23T15:03:54  <xiaq> ThomasWaldmann: that's neat
  22 2013-02-23T15:04:46  *** RogerHaase has joined #moin-dev
  23 2013-02-23T15:08:38  <ThomasWaldmann> xiaq: iirc one issue was with items having multiple names. if routing depends on the name, then it could be ambiguous. as namespace is stored separately from names and there is only one namespace...
  24 2013-02-23T15:10:22  <ThomasWaldmann> also, renaming of an item could get rather weird if you cross backends
  25 2013-02-23T15:11:01  <xiaq> ThomasWaldmann: doesn't the same thing happen when you try to move items across namespace? :)
  26 2013-02-23T15:11:21  <ThomasWaldmann> i guess we just won't support that
  27 2013-02-23T15:11:52  <xiaq> ThomasWaldmann: ok :)
  28 2013-02-23T15:29:30  *** puneet has joined #moin-dev
  29 2013-02-23T16:11:02  <ThomasWaldmann> SteveMcIntyre: awake again?
  30 2013-02-23T16:12:06  <SteveMcIntyre> ThomasWaldmann: hey
  31 2013-02-23T16:12:24  <SteveMcIntyre> yep, in the middle of doing CD builds for the Squeeze point release
  32 2013-02-23T16:13:01  <ThomasWaldmann> ah, ok. waldi and me were discussing about wheezy moin yesterday.
  33 2013-02-23T16:13:11  <SteveMcIntyre> yeah, saw that in scrollback
  34 2013-02-23T16:13:23  <ThomasWaldmann> we think that it might be quite better just taking 1.9.7 release.
  35 2013-02-23T16:13:31  <SteveMcIntyre> sorry, said hi last night and then got grabbed by my wife!
  36 2013-02-23T16:13:51  <ThomasWaldmann> happens :D
  37 2013-02-23T16:14:29  *** RogerHaase has quit IRC
  38 2013-02-23T16:14:49  <SteveMcIntyre> I can see you'd like us to take 1.9.7, yeah
  39 2013-02-23T16:14:52  *** RogerHaase has joined #moin-dev
  40 2013-02-23T16:15:03  <ThomasWaldmann> we looked at diffstat output and most files were only slightly changed. except some rss stuff and of course passlib / pw reset changes.
  41 2013-02-23T16:15:24  <SteveMcIntyre> but I really don't believe the Debian release team will want to take big changes this close to release
  42 2013-02-23T16:15:37  <ThomasWaldmann> the point is not just that it's better to support for us, but it is also better for debian users
  43 2013-02-23T16:15:54  <ThomasWaldmann> reasons:
  44 2013-02-23T16:16:26  <ThomasWaldmann> if we quickly create some patches now, the resulting code will be less tested than current repo code (or 1.9.6 if you just want to consider releases)
  45 2013-02-23T16:17:43  <ThomasWaldmann> most of the changes are really bug fixes, see docs/CHANGES. most of the stuff that got in 1.9.6 and .7 were primarily caused be the security breach and wanting to be more secure and also helpful for admins that have to deal with such
  46 2013-02-23T16:17:56  <ThomasWaldmann> s/be/by/
  47 2013-02-23T16:18:37  <ThomasWaldmann> if you look at version numbers of running wikis, it is easier to see what's fixed if the version number is like the official version with the fix
  48 2013-02-23T16:19:10  <ThomasWaldmann> so if it is 1.9.4-debian, and SystemInfo tells 1.9.4, people might suspect the wiki is running vulnerable code
  49 2013-02-23T16:19:26  <ThomasWaldmann> even if it was completely fixed and patched
  50 2013-02-23T16:19:47  <SteveMcIntyre> that's a problem with people looking, we have a long-standing policy of taking small fixes for security etc.
  51 2013-02-23T16:19:57  <SteveMcIntyre> I know where you're coming from, really!
  52 2013-02-23T16:20:29  <ThomasWaldmann> also, it would reduce the amount of patches you have to maintain :)
  53 2013-02-23T16:21:06  <ThomasWaldmann> our wiki farm is running repo code and quite some users already tested 1.9.6
  54 2013-02-23T16:22:33  <ThomasWaldmann> 1.9.7 release is somehow pending, I just would like to do more practical testing of the resetpw code (but for that, i need to move our own wikis to a new server, that takes a bit of time)
  55 2013-02-23T16:24:21  <waldi> well
  56 2013-02-23T16:24:23  <waldi>  49 files changed, 643 insertions(+), 226 deletions(-)
  57 2013-02-23T16:25:47  <SteveMcIntyre> waldi: from where to where?
  58 2013-02-23T16:25:58  <waldi> nothing you can't get past the release team
  59 2013-02-23T16:26:08  <waldi> 1.9.4 to 1.9.6
  60 2013-02-23T16:26:52  <waldi> the effective patch will be smaller
  61 2013-02-23T16:26:58  <SteveMcIntyre>  69 files changed, 899 insertions(+), 456 deletions(-)
  62 2013-02-23T16:27:02  <SteveMcIntyre> is what I see from that
  63 2013-02-23T16:27:09  <SteveMcIntyre> what are you filtering out?
  64 2013-02-23T16:27:40  <ThomasWaldmann> btw debian/NEWS looks a bit outdated
  65 2013-02-23T16:28:10  <SteveMcIntyre> ThomasWaldmann: ack, yes it is
  66 2013-02-23T16:28:10  <waldi> MoinMoin/web/static/htdocs/applets/FCKeditor  MoinMoin/i18n docs
  67 2013-02-23T16:28:59  <waldi> the first is stripped, the second is translation and pretty much ignored, the last is docs and does not count
  68 2013-02-23T16:29:03  <SteveMcIntyre> waldi: ok, that looks sane; I was filtering other bits but not the htdocs
  69 2013-02-23T16:29:13  <ThomasWaldmann> btw, the python/psf wiki also runs repo code currently
  70 2013-02-23T16:29:42  <ThomasWaldmann> but they would also rather like to run a release or even better a debian package
  71 2013-02-23T16:29:51  <SteveMcIntyre> yes, I get that
  72 2013-02-23T16:29:52  <waldi> SteveMcIntyre: the only problematic thing is the rss change
  73 2013-02-23T16:31:02  <ThomasWaldmann> that was done quite a while ago. one issue was fixed after it.
  74 2013-02-23T16:31:15  <ThomasWaldmann> so it either works now or not many people using it.
  75 2013-02-23T16:31:54  <SteveMcIntyre> waldi: yeah, that's likely to be a problem
  76 2013-02-23T16:33:03  <ThomasWaldmann> 6 patches of debian could get removed by just using uptodate code
  77 2013-02-23T16:33:23  <SteveMcIntyre> ThomasWaldmann: true, but they're a known quantity for us already
  78 2013-02-23T16:33:46  <SteveMcIntyre> we're being *very* conservative right now in the final release preparations
  79 2013-02-23T16:33:50  <SteveMcIntyre> that's the issue
  80 2013-02-23T16:35:37  <ThomasWaldmann> well, just imagine what a moin admin has to do if he takes 1.9.4-debian as it is now
  81 2013-02-23T16:36:10  <ThomasWaldmann> assuming that he ran the debian moin package for >= 6m on the internet
  82 2013-02-23T16:36:40  * ThomasWaldmann has prepared 2 wiki pages about that
  83 2013-02-23T16:36:57  <ThomasWaldmann> currently they are acl protected, but if you want to read them, i can add you to acl
  84 2013-02-23T16:37:21  <SteveMcIntyre> please do
  85 2013-02-23T16:37:27  <ThomasWaldmann> but if you read the dsa / cve stuff and dealt with it yourself already, it's maybe mostly known
  86 2013-02-23T16:37:35  <ThomasWaldmann> your wiki user name on moinmo.in?
  87 2013-02-23T16:37:51  <waldi> right now i would take 1.9.6 and revert the rss changes. the changes are not unreasonable and two thirds of the changes are either regression or security fixes
  88 2013-02-23T16:39:07  <ThomasWaldmann> waldi: did you review the diff of the rss changes?
  89 2013-02-23T16:39:14  <SteveMcIntyre> ThomasWaldmann: SteveMcIntyre
  90 2013-02-23T16:40:01  <SteveMcIntyre> ThomasWaldmann: that's the issue, to be honest - if people have already been using the Debian packages then any security damage is done
  91 2013-02-23T16:40:32  <SteveMcIntyre> while I agree that the newer code is really good and useful, it's not critical for us
  92 2013-02-23T16:41:11  <ThomasWaldmann> just that the same might happen again and the breach would be as serious as it was
  93 2013-02-23T16:41:35  <ThomasWaldmann> also, without the new resetpw script, the admin has a lot to improvise to restore security
  94 2013-02-23T16:41:48  <ThomasWaldmann> and most just won't
  95 2013-02-23T16:41:52  <SteveMcIntyre> ack :-/
  96 2013-02-23T16:42:09  <ThomasWaldmann> SteveMcIntyre: see RecentChanges, do you see the 2 last edits?
  97 2013-02-23T16:42:15  <SteveMcIntyre> it wasn't that hard for us to do, but not everybody is as knowledgeable
  98 2013-02-23T16:42:18  <SteveMcIntyre> sec
  99 2013-02-23T16:42:31  <SteveMcIntyre> yup
 100 2013-02-23T16:42:35  <SteveMcIntyre> looking
 101 2013-02-23T16:42:47  <ThomasWaldmann> the CVE is the specific stuff, the HowTo is kept rather generic
 102 2013-02-23T16:43:20  <ThomasWaldmann> i want to replace the bunch of text on page SecurityFixes with links to those pages
 103 2013-02-23T16:43:53  <SteveMcIntyre> right
 104 2013-02-23T16:47:47  <ThomasWaldmann> i also put some stuff there btw: http://hg.moinmo.in/moin/1.9/file/51ea4cb7b390/docs/resetpw
 105 2013-02-23T16:48:27  <SteveMcIntyre> yup, that's good :-)
 106 2013-02-23T16:54:46  * ThomasWaldmann just added a bit to the cve page
 107 2013-02-23T16:57:22  <ThomasWaldmann> btw, being conservative ranking:
 108 2013-02-23T16:58:02  <ThomasWaldmann> not changing anything > using code that is in testing since weeks/months > doing fresh patches now (IMHO)
 109 2013-02-23T16:59:13  <ThomasWaldmann> "in testing" not referring to debian, but in general
 110 2013-02-23T17:01:43  <SteveMcIntyre> right
 111 2013-02-23T17:01:57  <SteveMcIntyre> *but*
 112 2013-02-23T17:02:30  <SteveMcIntyre> if your security-related changes are easily picked out without having to take *everything*, it's easier for people to swallow
 113 2013-02-23T17:02:59  <SteveMcIntyre> i.e. without having to prepare new patches
 114 2013-02-23T17:03:26  <ThomasWaldmann> the end result will be a new combination of changesets in any case
 115 2013-02-23T17:03:58  <ThomasWaldmann> assuming that most stuff is rather separated, that must not be bad, but there's a little potential :)
 116 2013-02-23T17:04:08  <SteveMcIntyre> yeah :-)
 117 2013-02-23T17:04:40  <SteveMcIntyre> we understand each other fine here, I think
 118 2013-02-23T17:04:49  <SteveMcIntyre> it's just the exact point of where to draw the line
 119 2013-02-23T17:04:52  <ThomasWaldmann> also, e.g. that pw recovery form change
 120 2013-02-23T17:05:35  <ThomasWaldmann> that's not a security fix, but the browser just took the wrong input field to "remember" the username/password, which is a pain for people using it
 121 2013-02-23T17:06:01  <ThomasWaldmann> so there is a good reason to take other fixes also
 122 2013-02-23T17:06:25  <ThomasWaldmann> (same for all those "crash" fixes)
 123 2013-02-23T17:07:10  <ThomasWaldmann> if there would be agreement about that, it would be really only the rss feature changes left
 124 2013-02-23T17:07:49  <ThomasWaldmann> which could either be reverse applied or just risked (as it is a non-critical thing anyway and not fresh code either)
 125 2013-02-23T17:09:45  <ThomasWaldmann> SteveMcIntyre: ok, to make a long thing short: you are the maintainer, you have to decide. you can take waldi's opinion as a long-term debian maintainer and moin developer into consideration.
 126 2013-02-23T17:10:21  <ThomasWaldmann> if the decision is made, i can help with anything that is moin-related
 127 2013-02-23T17:10:36  <SteveMcIntyre> ok
 128 2013-02-23T17:10:59  <SteveMcIntyre> I'm reading all the diffs now, so I can double-check I'm following it all
 129 2013-02-23T17:11:12  <SteveMcIntyre> which will help when I come to work with the RT
 130 2013-02-23T17:11:44  * ThomasWaldmann will have a look at the rss diff
 131 2013-02-23T17:28:52  <ThomasWaldmann> a1054c9e7aae 7dce09f5edd4 468e63254a4a c98ec456e493(if applicable)
 132 2013-02-23T17:29:13  <ThomasWaldmann> these are fix (not feature/refactor) rss changesets
 133 2013-02-23T17:35:40  <dreimark> btw. it may be good to describe that the plugins dir must not have the same user as the content
 134 2013-02-23T17:38:16  <ThomasWaldmann> you mean that the moin process user should not be able to write to the code locations (including plugin dirs)
 135 2013-02-23T17:38:29  <dreimark> yes
 136 2013-02-23T17:48:43  <SteveMcIntyre> definitely!
 137 2013-02-23T17:49:03  <SteveMcIntyre> tbh, it's a good idea to separate privileges as much as you can
 138 2013-02-23T17:51:08  *** dwcramer has joined #moin-dev
 139 2013-02-23T17:53:09  <ThomasWaldmann> SteveMcIntyre:
 140 2013-02-23T17:53:09  <ThomasWaldmann> sug: python-gdchart Package not available
 141 2013-02-23T17:53:36  <ThomasWaldmann> sug: python-xml Package not available
 142 2013-02-23T17:54:20  <SteveMcIntyre> ack
 143 2013-02-23T17:54:31  <SteveMcIntyre> they're old and were removed
 144 2013-02-23T17:56:00  <ThomasWaldmann> gdchart can just be killed
 145 2013-02-23T17:56:46  <ThomasWaldmann> about the python-xml stuff, I am not totally sure myself. it is also referenced at some places in docs/REQUIREMENTS
 146 2013-02-23T18:00:34  <SteveMcIntyre> right
 147 2013-02-23T18:00:45  <SteveMcIntyre> we've been using it for docbook IIRC
 148 2013-02-23T18:05:38  <ThomasWaldmann> sug: python-4suite-xml Package not available
 149 2013-02-23T18:06:12  <ThomasWaldmann> that is needed for docbook / xslt parser. but i have no idea whether it works with the package debian has for that.
 150 2013-02-23T18:10:46  *** dwcramer has quit IRC
 151 2013-02-23T18:12:45  <ThomasWaldmann> about python-xml: i suspect this dependency/suggestion can be dropped as we are using some not-stoneage python
 152 2013-02-23T18:15:36  <ThomasWaldmann> eSyr-ng: eSyr: there? as you seem to be using rss stuff, I just wanted to ask if you ever had to do something special like installing python-xml or whether it "just worked" for you (taking the code from stdlib)
 153 2013-02-23T18:19:22  <SteveMcIntyre> afk for a bit, testing installation CDs...
 154 2013-02-23T18:29:24  <moinBot`> http://hg.moinmo.in/moin/1.9/rev/82ad863c255e 2013-02-23 Thomas Waldmann <tw AT waldmann-edv DOT de>  clarify python-xml (pyxml) requirement
 155 2013-02-23T18:29:58  <ThomasWaldmann> (hopefully more correct/helpful now)
 156 2013-02-23T18:55:34  <eSyr> ThomasWaldmann: don't remember any need in installing additional packages to make RSS working.
 157 2013-02-23T18:57:12  <ThomasWaldmann> ok
 158 2013-02-23T19:49:41  *** puneet has quit IRC
 159 2013-02-23T20:20:39  *** puneet has joined #moin-dev
 160 2013-02-23T23:31:00  *** RogerHaase has left #moin-dev
 161 2013-02-23T23:34:41  *** ronny has quit IRC
 162 

MoinMoin: MoinMoinChat/Logs/moin-dev/2013-02-23 (last edited 2013-02-22 23:15:03 by IrcLogImporter)