oem-meta-packageset-sync broken and spamming devel-permissions@

Steve Langasek steve.langasek at ubuntu.com
Fri Mar 10 16:36:41 UTC 2023 

Apologies, what happened here is that ubuntu-archive-toolbox had broken mail
delivery, and in the process of fixing that IS changed the canonical
hostname, which affected the scripts' abilities to resolve their
credentials.  So the act of fixing mail delivery also resulted in a huge
flood of error mail to be delivered!

And unfortunately I was not available to investigate this at the time the
mail change was made.

The credentials lookup has been fixed now to match the hostname, so you
should be able to un-blacklist ubuntu-archive-toolbox.internal and be
receiving only legitimate emails again.

On Fri, Mar 10, 2023 at 03:48:30PM +0000, Robie Basak wrote:
> Documentation link:
> https://wiki.ubuntu.com/DeveloperMembershipBoard/KnowledgeBase#Canonical_OEM_metapackage_packageset
> 
> devel-permissions@ is being spammed every few minutes with this, so I've
> taken the following emergency actions:
> 
> 1) I've attempted to filter all emails from
> root at ubuntu-archive-toolbox.internal from reaching devel-permissions@
> using the list admin tools.
> 
> 2) Since the agreement is that the DMB (via devel-permissions@) is
> notified of all changes to the canonical-oem-metapackages packagesets
> and that will no longer work, I attempted to temporarily change the
> owner of these packagesets to ~techboard to effectively disable the
> broken script being able to take any action until such notifications are
> fixed again. However, this didn't work since (I assume) I'm not a member
> of ~ubuntu-archive and to change the owner would need the person making
> the change to be a member of both teams.
> 
> 3) So instead I temporarily disabled the _effect_ of the packagesets by
> removing ~canonical-oem-metapackage-uploaders from the packageset ACLs,
> which I do have permission to do.

Ok, please revert this.

> So right now the entire mechanism is temporarily disabled.
> 
> Could someone in ~ubuntu-archive please:
> 
> 1) Fix the script to make it work again (presumably, reauth it).
> 
> 2) Adjust the script so that reports of changes still go to the DMB as
> agreed, but failures get notified to people who can fix it, rather than
> spamming the DMB who cannot.

These emails are sent via cron. You either get all of them, or none of them.
ubuntu-archive runs this script but does not own it and I am not committing
to implementing mail handling in it.  If someone else does so, I will gladly
deploy the update.

> Once done we can undo the temporarily disablements I described above.
> 
> Thanks!
> 
> Robie
> 
> On Fri, Mar 10, 2023 at 01:15:03PM +0000, Cron Daemon wrote:
> > The authorization page:
> >  (https://launchpad.net/+authorize-token?oauth_token=cfGWvrRnDPJ1QrTbZPlK&allow_permission=DESKTOP_INTEGRATION)
> > should be opening in your browser. Use your browser to authorize
> > this program to access Launchpad on your behalf.
> > Waiting to hear from Launchpad about your decision...
> > Traceback (most recent call last):
> >   File "/home/ubuntu-archive/oem-meta-packageset-sync/oem-meta-packageset-sync", line 177, in <module>
> >     main()
> >   File "/home/ubuntu-archive/oem-meta-packageset-sync/oem-meta-packageset-sync", line 168, in main
> >     sync = OEMMetaPackagesetSync()
> >   File "/home/ubuntu-archive/oem-meta-packageset-sync/oem-meta-packageset-sync", line 62, in __init__
> >     self.lp = Launchpad.login_with("oem-generate", "production", "devel")
> >   File "/usr/lib/python3/dist-packages/launchpadlib/launchpad.py", line 564, in login_with
> >     return cls._authorize_token_and_login(
> >   File "/usr/lib/python3/dist-packages/launchpadlib/launchpad.py", line 375, in _authorize_token_and_login
> >     credentials = authorization_engine(credentials, credential_store)
> >   File "/usr/lib/python3/dist-packages/launchpadlib/credentials.py", line 600, in __call__
> >     self.make_end_user_authorize_token(credentials, request_token_string)
> >   File "/usr/lib/python3/dist-packages/launchpadlib/credentials.py", line 692, in make_end_user_authorize_token
> >     self.wait_for_end_user_authorization(credentials)
> >   File "/usr/lib/python3/dist-packages/launchpadlib/credentials.py", line 775, in wait_for_end_user_authorization
> >     raise TokenAuthorizationTimedOut(
> > launchpadlib.credentials.TokenAuthorizationTimedOut: Timed out after 900 seconds.
> > 
> > -- 
> > Devel-permissions mailing list
> > Devel-permissions at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/devel-permissions



> -- 
> Ubuntu-release mailing list
> Ubuntu-release at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release


-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/devel-permissions/attachments/20230310/c3b24ce6/attachment-0001.sig>

More information about the Devel-permissions mailing list