Re: Packagers - Flag day 2016 Important changes

On 12/13/2016 03:52 AM, Vít Ondruch wrote:
> 
> 
> On 12.12.2016 at 22:33, Kevin Fenzi wrote:
>> On Mon, 12 Dec 2016 10:53:39 +0100
>> Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>>
>>> So several questions:
...
>>
>> First, I'll note you don't need to get a new ticket every day, you can
>> just renew with 'kinit -R'.
> 
> Not sure what is the difference here, maybe you want to explain.
> 

Well, this will depend on your behavior. If you reboot the machine every day,
then the default behavior of Kerberos in Fedora will not allow you to do
`kinit -R`. That's because we use the kernel keyring to store the credential
caches and they are wiped clean when the machine goes away.

If the machine has remained online, then the `kinit -R` basically means "If this
ticket is permitted to renew itself, do that", which will extend its usable
lifetime up to the maximum renewal lifetime (in Fedora's case, renewals are
permitted to extend the lifetime up to one week).


>>  I am not sure what env kinit needs, but you
>> may even be able to do this from a cron job. That will work for 1 week. 
> 
> Again, you imply some additional settings on me. They were not needed
> so far. I needed to call "fedora-packager-setup" every six months, that
> was it.
> 
> BTW you don't mention if the "fedora-packager-setup" is useful for
> something ATM.
> 
>>
>> As sgallagh noted downthread, gnome online accounts will hopefully
>> handle this for you soon as soon as that one bug is fixed.
> 
> That should be fixed before such changes are pushed. If it is not, there
> should be at least somebody pushing this forward.
> 

It was an oversight, which I only discovered a few days before the flag day. A
patch was immediately worked up and was expected to be ready in time, which is
why I didn't suggest postponing the flag day.

Unfortunately, a discussion came up about whether the fix is happening in the
right component (realmd vs. gnome-online-accounts). It stalled out for a few
days, but I've now asked the maintainers to accept the band-aid patch for now,
so hopefully that will be cleared up very quickly.


>>  
>>
>> Finally, I'll note that these tickets are more powerful than the old
>> certs. The certs controlled authentication to just koji and uploads,
>> while tickets allow you to login to almost all our web apps as well.
> 
> Once again, you make it sound like I dislike kerberos and hate this
> feature. But quite the contrary, I believe that this is a step in the right
> direction and I appreciate this change in general. Unfortunately,
> current status is far from ideal and the experience is worse than it
> used to be.
> 

To be fair, the old experience was that approximately every six months, users
would get a cryptic error message, email the devel@ list and be told via
institutional knowledge holders that they needed to get a new certificate. At
least in the case of Kerberos, the *reason* that things are failing is clearly
visible and easily searched.

Remember, you're a long-time contributor with access to knowledge about a
thousand finicky things. To you, all those silly workarounds are second nature,
and thus when they change, it's disruptive. From the perspective of improving
things long-term (and so that new users aren't out of their depth), sometimes we
have to make changes like this.

And yes, there are always bumps in the road. Any time you change a major
process, there will be issues you didn't expect or plan for. This would probably
have been mitigated if basically *anyone* besides Fedora Infra and myself had
bothered to beta-test the new Kerberos environment, but as with so many of our
Bodhi updates, they never actually get tested until they make it to the "stable"
repository.
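
The renewal behaviour discussed in this message, as an added example that is not part of the original post or of any Fedora tooling: a shell helper that reads `klist` output and decides whether a scheduled job should do nothing, run `kinit -R`, or tell the user a fresh `kinit` is needed. The `ticket_action` helper, the `--apply` switch, the sample principal and realm, and the MM/DD/YYYY timestamp format with GNU `date` are assumptions.

```shell
#!/bin/sh
# Added example: choose between doing nothing, `kinit -R`, and a fresh kinit.
# Assumptions: klist prints "MM/DD/YYYY HH:MM:SS" timestamps; GNU date is used.

# Constructed sample of klist output; principal and realm are placeholders.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
12/13/2016 09:00:00  12/14/2016 09:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 12/20/2016 09:00:00'

to_epoch() { date -d "$1" +%s; }

# ticket_action KLIST_TEXT NOW_EPOCH [MARGIN_SECONDS] -> ok | renew | reauth
# (hypothetical helper; the subshell body keeps its variables local)
ticket_action() (
    text=$1; now=$2; margin=${3:-3600}
    # Take the TGT's expiry and, if the next line has one, its renewal cap.
    out=$(printf '%s\n' "$text" | awk '
        $5 ~ /^krbtgt\// {
            e = $3 " " $4; r = ""
            if ((getline) > 0 && $1 == "renew" && $2 == "until") r = $3 " " $4
            print e "|" r; exit
        }')
    expires=${out%%|*}; renew_until=${out#*|}
    if [ -z "$expires" ]; then
        echo reauth        # empty cache, e.g. keyring wiped by a reboot
    else
        exp_s=$(to_epoch "$expires")
        if [ "$exp_s" -le "$now" ]; then
            echo reauth    # expired: only a still-valid ticket can be renewed
        elif [ $((exp_s - now)) -gt "$margin" ]; then
            echo ok        # enough lifetime left
        elif [ -n "$renew_until" ] && [ "$(to_epoch "$renew_until")" -gt "$exp_s" ]; then
            echo renew     # near expiry and still inside the renewal window
        else
            echo reauth    # not renewable, or renewal window used up
        fi
    fi
)

if [ "${1:-}" = "--apply" ]; then
    # Live mode for cron: act on the real credential cache.
    case $(ticket_action "$(klist 2>/dev/null)" "$(date +%s)") in renew) kinit -R ;; esac
else
    # Demo on the constructed sample, 30 minutes before expiry: prints "renew".
    ticket_action "$SAMPLE_KLIST" "$(to_epoch '12/14/2016 08:30:00')"
fi
```

A cron job started outside the login session may not see the same keyring-backed credential cache, so check that `klist` shows the expected ticket from within the job before relying on `--apply`.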

