13:03:01 <mvollmer> #startmeeting weekly meeting
13:03:01 <zodbot> Meeting started Mon May 23 13:03:01 2016 UTC.  The chair is mvollmer. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:03:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
13:03:01 <zodbot> The meeting name has been set to 'weekly_meeting'
13:03:09 <mvollmer> .hello mvo
13:03:10 <zodbot> mvollmer: mvo 'Marius Vollmer' <marius.vollmer@gmail.com>
13:03:20 <dperpeet> .hello dperpeet
13:03:20 <zodbot> dperpeet: dperpeet 'None' <dperpeet@redhat.com>
13:04:16 <andreasn> .hello andreasn
13:04:18 <zodbot> andreasn: andreasn 'Andreas Nilsson' <anilsson@redhat.com>
13:04:34 <andreasn> sorry for being a tad late. I was picking up UX books at a library here
13:05:37 <mvollmer> that's a good reason! :-)
13:05:55 <mvollmer> but you will have to show proof, of course.
13:06:03 <mvollmer> #topic Agenda
13:06:10 <dperpeet> * gsoc
13:06:18 <andreasn> * selinux
13:08:14 <mvollmer> alright
13:08:26 <mvollmer> #topic gsoc
13:08:54 <dperpeet> the official coding period has started
13:09:02 <dperpeet> welcome to week #1, harish__
13:09:47 <andreasn> welcome!
13:09:48 <dperpeet> it looks like we will be doing this without major systemd changes :)
13:10:18 <dperpeet> unless harish__ has anything to add, that's it from my side
13:10:36 <petervo> i think he missed most of that
13:10:42 <dperpeet> probably
13:10:45 <dperpeet> too many underscores now for me
13:11:13 <dperpeet> harish___, anything you'd like to add to starting the first official week of coding? gsoc 2016
13:11:54 <harish___> yea
13:12:33 <harish___> i think of completing the playground app soon
13:12:39 <SpaceInvaders> stefw:  console logon screen -- meaning from the main console after boot completes.  I posted, here:  https://github.com/cockpit-project/cockpit/commit/e97eec6c487636e00a0af53d26106e81ac8d070d
13:13:12 <dperpeet> ok, sounds good
13:13:19 <harish___> and then we can integrate that into cockpit
13:13:32 <dperpeet> I think it would be nice to aim for a work-in-progress pull request
13:13:40 <dperpeet> that's a branch of the cockpit code
13:13:58 <harish___> oh i get it.
13:14:07 <harish___> i will do that
13:14:14 <dperpeet> great, thanks!
13:14:29 <harish___> dperpeet most of the work left now is
13:14:48 <github> [cockpit] mvollmer pushed 1 new commit to master: https://git.io/vrVGv
13:14:48 <github> cockpit/master 46ff687 Stef Walter: test: Fix check-storage-mdraid race with broad selector...
13:15:17 <harish___> developing the section beneath the repeat part
13:15:21 <harish___> in https://trello.com/c/1B2lZViZ/74-timers-and-cron
13:15:51 <dperpeet> I think it would be nice to show general functionality first
13:16:01 <dperpeet> so maybe just one line, et cetera
13:16:20 <dperpeet> but we can discuss that in more detail later
13:16:28 <harish___> okay. u mean to see if it sets timers right?
13:16:55 <dperpeet> yes
13:17:07 <harish___> yea fine
13:17:49 <dperpeet> mvollmer, I think we've reached end of topic
13:17:59 <harish___> yea. thats it from me
13:18:18 <mvollmer> ok!
13:18:24 <mvollmer> #topic selinux
13:18:37 <SpaceInvaders> hi!
13:18:43 <SpaceInvaders> isn't selinux fun! :-)
13:19:16 <dperpeet> yes it is! that's we have a pull request with some new fun stuff
13:19:17 <dperpeet> https://github.com/cockpit-project/cockpit/pull/4431
13:19:20 <dperpeet> e.g. delete alerts
13:19:33 <dperpeet> setroubleshoot has extended its api, and this pr makes use of most of that
13:19:43 <dperpeet> there are a few issues to discuss
13:20:04 <andreasn> I have a mockup for setting permissive vs enforced mode https://raw.githubusercontent.com/cockpit-project/cockpit-design/master/selinux-troubleshooting/selinux-v5.png
13:20:38 <dperpeet> one: it uses dbus introspection to figure out if it's dealing with an older api version, this is temporary and should go away once all the systems we support are new enough
13:20:51 <dperpeet> thanks andreasn
13:21:07 <dperpeet> that's the second issue: we've put some thought into visualizing the selinux operating mode
13:21:16 <dperpeet> and even toggling between enforcing / permissive
13:21:32 <dperpeet> it won't allow a switch between enabled / disabled, since that requires a reboot to take effect
13:21:44 <dperpeet> and shouldn't be too accessible, in my opinion...
13:22:10 <dperpeet> the goal here is to make selinux a bit less mysterious to some, and more accessible for everyone :)
13:22:25 <dperpeet> third and last issue is the fact that we depend on setroubleshoot for this
13:22:45 <dperpeet> if we want to work with selinux on debian for example, this won't work right now
13:22:57 <dperpeet> there were a few discussions in #selinux about this
13:23:06 <andreasn> debian doesn't have setrobleshootd?
13:23:15 <dperpeet> no
13:23:24 <dperpeet> and one option would be to split out the audit plugin from setroubleshootd
13:23:38 <dperpeet> so let me know if anyone has a vested interest in this
13:23:44 <dperpeet> for now I'm happy with leaving things as they are
13:24:05 <dperpeet> since the setroubleshoot team did a nice job of making all this consumable in cockpit
13:24:25 <andreasn> is packaging setroubleshootd an option?
13:24:28 <dperpeet> from what I understand, the other paths to the same data rely a lot on system configuration
13:24:35 <dperpeet> not sure, probably not
13:24:54 <dperpeet> it'd require some effort and would probably feel wrong ideologically to some
13:24:56 <dperpeet> :)
13:25:00 <mvollmer> is there anything fundamental that prevents settroubleshootd from being in debian?
13:25:01 <andreasn> does it degenerate nicley? how does the selinux page look on debian?
13:25:23 <dperpeet> most arguments I heard were that setroubleshootd is very fedora/rhel/centos specific
13:25:30 <dperpeet> regarding selinux policies
13:25:41 <dperpeet> andreasn, it won't be installed
13:26:08 <andreasn> ah, ok
13:26:22 <dperpeet> mvollmer, it would probably make the most sense to separate viewing events from solving issues
13:26:30 <dperpeet> but I see that outside of Cockpit's scope right now
13:26:37 <mvollmer> yep
13:26:50 <dperpeet> the mechanisms are all in place
13:27:00 <dperpeet> so if anyone wants to add another data source, I'm happy to review pull requests
13:27:16 <dperpeet> end of topic from my end
13:28:28 <mvollmer> alright
13:28:41 <mvollmer> #topic other stuff
13:28:53 <SpaceInvaders> FYI
13:29:05 <SpaceInvaders> your guide specifically says it covers this ("TCP Port and Address") but then doesn't mention exactly *how* for the address.  It just skips it--ref:  http://cockpit-project.org/guide/latest/listen.html
13:29:23 <SpaceInvaders> and
13:29:40 <SpaceInvaders> My console prompt says "Admin Console: https://MyPublicIP:9090 or https://MyPublicIPv4:9090" and I need to change it to 192.168.1.1 (because it's displaying the wrong nic detail/address)
13:30:12 <mvollmer> SpaceInvaders, could you file an issue for this?
13:30:37 <mvollmer> You want to change the listen address of the cockpit webserver, right?
13:31:12 <mvollmer> Or do you want to change the console prompt?
13:31:16 <SpaceInvaders> I reported it here - https://github.com/cockpit-project/cockpit/commit/e97eec6c487636e00a0af53d26106e81ac8d070d
13:31:51 <petervo> i think we are a little unclear on what text you are expecting to change
13:31:51 <SpaceInvaders> Docs are missing "LiveStream=address:port" and console display prompt (for logon) does not appear to update
13:32:04 <petervo> could you include a screen shot
13:33:03 <SpaceInvaders> console display logon prompt?  Where it says "Admin Console: https://yourip:9090 or https:yourIPv6:9090/
13:33:09 <SpaceInvaders> and let me check on a screenshot
13:34:33 <dperpeet> I want to briefly discuss the toggle button, once this topic is through
13:35:13 <SpaceInvaders> Yes.  thank  you!
13:35:17 <mvollmer> SpaceInvaders, I added a comment: https://github.com/cockpit-project/cockpit/commit/e97eec6c487636e00a0af53d26106e81ac8d070d#commitcomment-17579201
13:35:27 <mvollmer> hopefully that helps
13:35:45 <mvollmer> but /etc/issue doesn't pay attention to the cockpit config at all, unfortunately.
13:36:04 <mvollmer> it's only correct with the default config
13:36:07 <SpaceInvaders> That looks like it.  Thanks, mvollmer
13:36:09 <mvollmer> good point, though
13:36:18 <SpaceInvaders> I was wondering about exactly that
13:36:56 <mvollmer> maybe the pragmatic thing would be to add documentation to tell people to also update /etc/issue
13:37:08 <SpaceInvaders> It was painfully obvious as the result of building firewall under Fedora when it kept showing the external LAN as the Admin Console interface
13:37:27 <dperpeet> mvollmer, sounds reasonable
13:37:38 <SpaceInvaders> mvollmer can you also add the "LiveStream=address:port" format-info to the docs?
13:37:45 <SpaceInvaders> IMHO it's clearly missing
13:37:59 <SpaceInvaders> it says "Address" in the title but then never actually addresses "Address"
13:38:10 <SpaceInvaders> referring to: http://cockpit-project.org/guide/latest/listen.html
13:38:23 <mvollmer> SpaceInvaders, a mergable pull request goes a long way to help us with this... :-)
13:38:49 <SpaceInvaders> I'm happy to help!  What's a mergable pull request? :D
13:39:08 <SpaceInvaders> I see pull request on the site
13:39:13 <mvollmer> well, let's say a pull request is enough. :-)
13:39:27 <mvollmer> SpaceInvaders, yes
13:39:34 <SpaceInvaders> ah ok I'll fill out a pull request (and search 1st to see if there's a dup)
13:39:53 <mvollmer> alright, dperpeet and the toggle button
13:40:04 <SpaceInvaders> topic done thank you very much!!!!
13:40:16 <dperpeet> so, andreas posted on in his mockup, https://raw.githubusercontent.com/cockpit-project/cockpit-design/master/selinux-troubleshooting/selinux-v5.png
13:40:37 <dperpeet> maybe it's just me, but I find such binary switches a bit confusing
13:40:45 <dperpeet> because I never know which state is on, which is off
13:40:59 <dperpeet> I saw a slightly different styling here: http://www.bootstrap-switch.org/
13:41:15 <dperpeet> basically only show the "current state" as text
13:41:49 <dperpeet> I was wondering if this is something we should consider for cockpit / I should start discussing on patternfly
13:42:00 <dperpeet> if I'm the only one, I won't care enough to change it :)
13:42:22 <andreasn> I think this makes it a bit clearer indeed
13:42:41 <andreasn> the ones in GNOME works like this too
13:42:59 <andreasn> I'm not sure if any other patternfly projects use on/off
13:42:59 <mvollmer> with a toggle button, there is also the complication that the switching might fail
13:43:35 <dperpeet> hm
13:43:36 <mvollmer> i like what android does: it moves the knob into the "on" position (say) but it stays gray until the machine has actually been switched on
13:43:41 <mvollmer> and then it goes blue or something
13:43:48 <dperpeet> I just noticed
13:43:53 <andreasn> oh, it does exist in Patternfly https://www.patternfly.org/widgets/#bootstrap-switch
13:43:55 <dperpeet> https://www.patternfly.org/widgets/#button-groups  "Bootstrap Switch"
13:43:58 <andreasn> must have been added recently
13:44:06 <dperpeet> andreasn, exactly
13:44:13 <dperpeet> they made it nice now
13:44:26 <dperpeet> well, I'm for adopting that soon :)
13:44:31 <andreasn> does this depend on a massive javascript library?
13:44:38 <dperpeet> I certainly hope not
13:44:53 <andreasn> we can probably adapt it to work in a similar way if that is the case
13:45:04 <dperpeet> I think the only difference is to hide the inactive state text
13:45:13 <andreasn> and the animation
13:45:24 <andreasn> but that should be simple with some css
13:45:25 <dperpeet> sure, but we don't need that necessarily
13:45:31 <andreasn> I need to learn that anyway
13:45:43 <andreasn> at some point I feel
13:45:49 <dperpeet> I think it would be better to think about the point marius raised
13:45:56 <dperpeet> what if switching can block
13:46:12 <mvollmer> or fail
13:46:17 <dperpeet> should probably be disabled with a spinner
13:46:40 * larsu always thought switches are problematic for operations that might fail
13:46:42 <andreasn> if the switching fails, it feels natural that it goes back to it's original state and produce an error message
13:46:53 <dperpeet> I agree with larsu on that one
13:47:02 <dperpeet> if an action can fail, it might be better as a button
13:47:13 <dperpeet> flipping a switch should be simple
13:47:31 <larsu> why not a button "Always enforce Policy" / "Only log actions" ?
13:47:43 <dperpeet> oh, in the actual selinux case? why a button?
13:47:49 <andreasn> as a button group?
13:48:03 <larsu> I'd say just a button that changes text based on the current state
13:48:05 <dperpeet> for selinux I like the toggle
13:48:05 <mvollmer> i think the selinux button can not fail
13:48:08 <larsu> and inline the info text
13:48:18 <mvollmer> but we have on/off for network interfaces, for example
13:48:22 <dperpeet> that seems horrible, larsu
13:48:24 <andreasn> there are some different variants for it https://raw.githubusercontent.com/cockpit-project/cockpit-design/master/selinux-troubleshooting/modes.png
13:48:30 <larsu> dperpeet: why?
13:48:31 <dperpeet> a magic button with an unknown number of "states"
13:48:40 <dperpeet> the toggle is more discoverable
13:48:43 <dperpeet> here are your options
13:48:44 <andreasn> but the nice thing about the On/Off state is that it can express a recommendation
13:48:46 <larsu> err? Magic?
13:48:50 <larsu> it has a label..
13:48:52 <dperpeet> and a little box to explain the options
13:49:00 <larsu> andreasn: ah that's a good point
13:49:21 <dperpeet> larsu, with the button, where would you put the current state?
13:49:45 <dperpeet> andreasn, a button can do that, too: "turn off security", "remain secure"
13:50:12 <larsu> dperpeet: there's a lot of space for something like "SELinux is only logging actions right now, not preventing them" and then a button "Enforce Policy"
13:50:24 <larsu> no need for the info text
13:50:35 <larsu> but yeah, not a designer, just 2 cents
13:50:45 <dperpeet> but that still wouldn't tell me how many states there are
13:50:53 <dperpeet> or if I can switch back afterwards
13:50:54 <larsu> there's two?!
13:51:07 <dperpeet> how would someone new know that, from just seeing the button?
13:51:08 <larsu> the text and button change depending on the current state
13:51:18 <dperpeet> yeah, but you have to try that to know
13:51:28 <dperpeet> with the switch you know right away
13:51:35 <dperpeet> and the toggle implies that you can go back
13:51:41 <dperpeet> a button doesn't imply that
13:51:50 <larsu> to be honest, I don't know how anyone could be confused by that
13:52:05 <dperpeet> I could, when I was new to selinux
13:52:13 <dperpeet> how would I know if I can turn it back on without a reboot?
13:52:17 <andreasn> I would like to try this implementation in action and see how people react to it, and then it should be easy to switch to another variant of it if it doesn't work out
13:52:29 <dperpeet> yeah, we can offer both
13:52:31 <dperpeet> see what people like
13:52:48 <andreasn> the book with the Duck on it is excellent for deciding on these kinds of things
13:52:49 <dperpeet> it is a real action, so that speaks for a button
13:52:50 <larsu> ya, we should just try it out
13:52:59 <dperpeet> :)
13:53:18 <dperpeet> ok, thanks for the feedback
13:53:21 <andreasn> sorry, it also has a name http://designinginterfaces.com/
13:53:35 <dperpeet> second book reference today, andreasn
13:53:37 <andreasn> "The duck book"
13:54:29 <andreasn> this is the one I borrowed today. It seems really, really fun http://www.formsthatwork.com/
13:54:33 <larsu> I wonder how the duck relates to designing interfaces :)
13:55:26 <andreasn> this one is pretty good
13:55:28 <andreasn> http://ecx.images-amazon.com/images/I/81lEFz6urvL.jpg
13:55:32 <andreasn> it's like it's their names
13:55:41 <larsu> haha :)
13:55:58 <larsu> awwww look up there, an awk in the tree!
13:56:45 <andreasn> oh my https://lh3.googleusercontent.com/-QwpC6MChyXc/Ts7DiPGd3ZI/AAAAAAAADzI/18R2L3AgCsgcnUf6wbTgEC6zxOtAfTQKgCCo/fake%2Bsocial.jpg
13:57:19 <dperpeet> I think we've reached end of topic :)
13:57:28 <andreasn> yes
13:57:30 <andreasn> sorry
13:57:40 <andreasn> :)
13:58:04 <mvollmer> okay!
13:58:07 <mvollmer> thanks everyone!
13:58:10 <mvollmer> #endmeeting