On 12/13/2016 03:52 AM, Vít Ondruch wrote: > > > Dne 12.12.2016 v 22:33 Kevin Fenzi napsal(a): >> On Mon, 12 Dec 2016 10:53:39 +0100 >> Vít Ondruch <vondruch@xxxxxxxxxx> wrote: >> >>> So several questions: ... >> >> First, I'll note you don't need to get a new ticket every day, you can >> just renew with 'kinit -R'. > > Not sure what is the difference here, may be you want to explain. > Well, this will depend on your behavior. If you reboot the machine every day, then the default behavior of Kerberos in Fedora will not allow you to do `kinit -R`. That's because we use the kernel keyring to store the credential caches and they are wiped clean when the machine goes away. If the machine has remained online, then the `kinit -R` basically means "If this ticket is permitted to renew itself, do that", which will extend its usable lifetime up to the maximum renewal lifetime (in Fedora's case, renewals are permitted to extend the lifetime up to one week). >> I am not sure what env kinit needs, but you >> may even be able to do this from a cron job. That will work for 1 week. > > Again, you imply some additional settings on me. There were not needed > so far. I needed to call "fedora-packager-setup" every six months, that > was it. > > BTW you don't mention if the "fedora-packager-setup" is useful for > something ATM. > >> >> As sgallagh noted downthread, gnome online accounts will hopefully >> handle this for you soon as soon as that one bug is fixed. > > That should be fixed prior such changes are pushed. If it is not, there > should be at least somebody pushing this forward. > It was an oversight, which I only discovered a few days before the flag day. A patch was immediately worked up and was expected to be ready in time, which is why I didn't suggest postponing the flag day. Unfortunately, a discussion came up about whether the fix is happening in the right component (realmd vs. gnome-online-accounts). It stalled out for a few days, but I've now asked the maintainers to accept the band-aid patch for now, so hopefully that will be cleared up very quickly. >> >> >> Finally, I'll note that these tickets are more powerfull than the old >> certs. The certs controlled authentication to just koji and uploads, >> while tickets allow you to login to almost all our web apps as well. > > Once again, you make it sound like I dislike kerberos and hate this > feature. But quite contrary, I believe that this is step in the right > direction and I appreciate this change in general. Unfortunately, > current status is far from ideal and the experience is worse then it > used to be. > To be fair, the old experience was that approximately every six months, users would get a cryptic error message, email the devel@ list and be told via institutional knowledge holders that they needed to get a new certificate. At least in the case of Kerberos, the *reason* that things are failing is clearly visible and easily searched. Remember, you're a long-time contributor with access to knowledge about a thousand finicky things. To you, all those silly workarounds are second nature, and thus when they change, it's disruptive. From the perspective of improving things long-term (and so that new users aren't out of their depth), sometimes we have to make changes like this. And yes, there are always bumps in the road. Any time you change a major process, there will be issues you didn't expect or plan for. This would probably have been mitigated if basically *anyone* besides Fedora Infra and myself had bothered to beta-test the new Kerberos environment, but as with so many of our Bodhi updates, they never actually get tested until they make it to the "stable" repository.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
