14:05:49 #startmeeting naked ping 14:05:50 Meeting started Mon Dec 12 14:05:49 2016 UTC. The chair is mvollmer. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:05:50 Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:05:50 The meeting name has been set to 'naked_ping' 14:06:05 #topic Agenda 14:06:08 .hello mvo 14:06:10 mvollmer: mvo 'Marius Vollmer' 14:06:34 .hello dperpeet 14:06:34 dperpeet: dperpeet 'None' 14:06:45 1 tests failed - http://fedorapeople.org/groups/cockpit/logs/master-5c863e2b-verify-fedora-atomic/log.html 14:07:19 .hello stefw 14:07:20 stefw: stefw 'Stef Walter' 14:07:30 .hello larsu 14:07:31 larsu: larsu 'Lars Karlitski' 14:09:54 do we have topics? 14:10:39 * ram disks on Ubuntu 14:11:16 * Authorization for privileged actions 14:11:30 * Remaining translations work 14:13:33 alright 14:13:40 #topic ram disks on Ubuntu 14:14:12 the storage page on ubuntu shows dozens of inactive loopback devices and small ram disks 14:14:28 this is unlike any other OS we support, I think 14:14:50 normally, inactive loop devices don't exist at all, I think 14:15:01 anyway, they can be filtered out 14:15:16 ram disks are different, they actually work 14:15:31 except that the udev rules skip them 14:15:50 so udisks2/storaged will not tell us what is in them 14:15:57 which makes them also useless in the UI 14:16:15 i made a PR for storaged to set the IGNORE hint for them 14:16:33 does anyone know anything about these ram disk things? 14:16:50 the internet says to use tmpfs instead 14:17:12 I could ask pitti 14:17:50 eot :-) 14:18:08 #topic Authorization for privileged actions 14:18:41 The next release of Cockpit will require that you check a box before logging into the system 14:18:45 if you would like to perform privileged actions. 14:19:05 The privilege escalation logic still uses the same mechanisms before, although that will change shortly after the next release. 14:19:18 but root is still root, right? 14:19:21 yup 14:19:34 This workflow means that we model the Linux privilege model better 14:19:43 essentially we automatically do a sudo for you if you check the box 14:20:04 In addition, not yet implemented, reprompting for passwords after the fact. 14:20:30 Again, that'll be future work. Where likely you can click a button within Cockpit to get such a prompt ... i doubt we'll interrupt your work randomly to prompt. 14:20:49 There are two remaining pull requests that should get in before the release 14:20:57 which help the API of things merged recently to be solid: 14:21:05 https://github.com/cockpit-project/cockpit/pull/5545 14:21:06 stefw, could you explain why we change our approach here? 14:21:10 https://github.com/cockpit-project/cockpit/pull/5548 14:21:39 I tried to "reinvent" the way reauthorization happened in Linux API services ... years ago ... by implementing something alternate in Cockpit. 14:21:53 I didn't have the time or energy to actually finish the massive amount of work that this entails. 14:21:57 the pam module? 14:22:01 yup 14:22:02 as seen here: 14:22:12 https://github.com/cockpit-project/cockpit/blob/master/doc/reauthorize.md 14:22:38 So given that I/we haven't been able to change Linux in this respect (yet?) ... 14:22:57 ... we need to instead model the fact that Cockpit is a real Linux session, and deal with the realities of real Linux sessions. 14:23:35 in the future if we do actually make reworking of privilege escalation in a Linux session happen in a better way, then we can obviously have Cockpit model that 14:23:51 The current Linux model is: 14:23:56 1. log into a system as non-root 14:24:12 2. use sudo and/or polkit to escalate privileges as permitted 14:24:36 These changes reflect that model, but allow both steps to be collapsed into if desired. 14:24:55 In other words, the second step can automatically happen right after authentication if desired. 14:25:07 the user who logs in indicates this desire by checking the box 14:25:11 * stefw gets a screenshot 14:25:52 https://cloud.githubusercontent.com/assets/795070/20791780/0524cd4a-b7bf-11e6-9a56-ebeeb876a0d0.png 14:25:56 does that make sense? 14:25:58 so there is only a single cockpit-bridge process, and it is either privileged, or not? 14:26:16 when the user has become privileged, there is usually a second bridge process 14:26:18 this has not changed. 14:26:22 nor will that change 14:26:24 okay 14:26:49 but when the checkbox is checked, all channels get { superuser: true } by default? 14:26:53 no 14:27:14 "superuser: true" works when the checkbox is checked ... and the user can escalate privileges 14:27:23 if the checkbox is not checked ... and the user is not already root 14:27:29 right, isee 14:27:32 then "superuser: true" will fail with access-denied 14:28:40 the checkbox choice is remembered between logins 14:28:56 so the same browser used against the same host will preserve the checkbox state 14:29:00 all of this is already merged 14:29:09 but two further pull requests help solidify this work into an API stable state 14:29:15 * stefw has to go in 1 minute ... 14:29:28 thanks for the explanation! 14:29:31 both pull requests are marked with priority in github 14:29:46 i'm reviewing and will merge soon hopefully 14:30:15 awesome. thank you. 14:32:05 okay, next? 14:32:18 ahh, that's also stefw... 14:32:54 let's just talk about translations a bit 14:33:07 #topic Translations 14:33:32 so keeping translations complete is hard 14:33:38 how do we do it? :-) 14:33:54 strict code review? 14:34:25 we have fixed the machinery a couple of times 14:34:34 but then it has rotted away again, I guess 14:34:52 can we make some automated tests for the bare minimals? 14:35:11 well we have tests 14:35:14 mvollmer, we have a test 14:35:18 ahh, cool 14:35:28 a big problem before was that we introduced new javascript frameworks 14:35:47 without sorting out how translations would happen 14:36:09 and then because they weren't work there, we sort of ignored problems elsewhere as well 14:36:45 yeah 14:36:50 having regular contributors who care about a non english language is really helpful for this 14:37:10 vanloswang on github has helped alot 14:37:28 with finding what's missing 14:38:26 [cockpit] mvollmer pushed 1 new commit to master: https://git.io/v16ee 14:38:26 cockpit/master 88a6171 cockpituous: Image refresh for fedora-24... 14:38:33 petervo, do you know what work still remains? 14:38:56 no i don't, i was interested in what that was 14:39:12 okay 14:39:17 maybe to do with supporting multiple releases? 14:39:26 idk 14:39:36 sorry, I didn't realize stef had to go and messed up the schedule, I guess 14:39:45 mvollmer, https://trello.com/c/Eut2LIkk/111-epic-translations 14:40:05 or did you mean the agenda? 14:40:08 very good 14:40:18 ah login screen 14:41:04 packaging is quite fundamental 14:41:45 yeah, the question is how we do that properly across distros 14:41:47 yeah, they are packaged now but always all together 14:42:26 [cockpit] mvollmer opened pull request #5581: test: Handle dynamic storage content rows better (master...storaged-dont-race-the-rows) https://git.io/v16eM 14:42:41 okay, we will see what stefw has in mind 14:42:47 hi i'm back 14:43:21 so my basic agenda topic was to say that the translations are mostly done, but there are two areas where they are incomplete 14:43:22 alright 14:43:29 1. the login screen 14:43:39 2. splitting translations among packages installed on different schedules 14:44:00 For the login screen petervo has suggested a solution, which could work. 14:44:16 For the split of translations we don't have ideas or work done there yet. 14:44:27 right now everything is in the shell component 14:44:40 and each language is a single file, right? 14:44:44 and so if a later version of (lets say) the ostree package is installed ... then the translations will be missed 14:44:46 mvollmer, yes 14:45:08 so we need a solution that is performant (not another 15 HTTP requests) ... but still able to be split up somehow 14:45:23 right 14:45:41 could manifests bring their own translations inline, for example? 14:45:48 like *.desktop files 14:46:05 yes there are solutions like that 14:46:31 i'm not sure we have to decide the final solution here ... unless someone has an idea and wants to run with it :) 14:49:46 so translations would always be bundled with the code, right? 14:50:07 and we would always install all languages 14:50:35 I wouldn't necessarily say that 14:50:51 but for now that seems the most practical solution 14:51:33 but I guess some translation is always better than none 14:51:40 it's also what everyone else is doing, right? 14:54:11 I believe it is a common solution, yes 14:55:04 okay, looks like we are done 14:55:13 #topic Open floor 14:55:55 dperpeet, i like that point 14:56:10 if we can choose a translations-per-package solution that doesn't involve stable aPI 14:56:16 then we can be pragmatic and change it later 14:56:25 yes, I agre 14:56:27 agree 14:57:01 we might want to share common translations between packages 14:57:11 but that should happen at build time or translation time 15:00:33 mvollmer, indeed 15:00:40 msgfilter FTW 15:00:44 that's the easy part, in fact 15:00:46 especially at build time 15:00:58 we already split our translations 15:01:22 for example we only inlcude in our binary gettext mo files the translations used by cockpit-ws 15:01:33 and we don't include those messages in our frontend javascript based po files 15:03:55 okay, all done? 15:04:01 yes, i think so 15:04:04 thanks everyone! 15:04:08 #endmeeting