Wednesday, 2009-03-11

nathanyit appears there have been some bogus vhost requests00:00
nathanythat have probably sent 500s00:00
nathanyof course, rdfa.info and translate are both fucked as well according to nagios, so it's not all cc.engine00:00
nathanyit appears the vhost info is getting urlencoded00:01
nkinkadeI know ... and rdfa.info is where I'm looking now.00:02
nkinkadeI wasn't trying to single out cc.engine, but 3/5 of the problems are cc.engine related, so I thought it was a good place to look around.00:03
nkinkadepaulproteus: is LicenseChooser.js hosted off a8 in any way?00:05
paulproteusI think it's on the api-dot domain, right?00:05
paulproteuswhich is on a800:06
* paulproteus checks the samples00:06
nkinkadeSomeone wrote in saying that " We have a license chooser and display user control based on your java script project.  I'm not a developer so I do not have access into the code and API calls that are failing.  I can't get you the details until later."00:06
paulproteushttp://labs.creativecommons.org/demos/jswidget/tags/0.95/example_web_app/with-seed-without-jurisdiction.html works fine and <script src>s in LicenseChooser.js off api-dot00:06
paulproteusThat's likely the reason.00:06
nkinkadepaulproteus: What's the specific URL that might be failing?00:07
paulproteushttp://api.creativecommons.org/jswidget/tags/0.95/complete.js?locale=en_US&jurisdictions=disabled00:09
paulproteusBut it works00:09
paulproteusgoing off irc for ca. 30m00:09
nathanynkinkade: did they give the URL of their site so we could look @ that?00:10
nathany(i wonder if it was just due to the downtime of a8?)00:10
nkinkadenathany: I asked for a URL and the above was his reply.00:11
nkinkadeI suspect his reply came before the API was fully functional again.00:12
nathanyyeah... if the demo seems to be working, i guess write back and let him know we had some downtime around an upgrade00:12
nathanyask if it's still having problems00:12
nkinkadenathany: I also just found out that the CC Planet requires python2.4 because rdfadict isn't installed for 2.500:12
nkinkadenathany: I asked.00:12
nathanynkinkade: cool (re: asking)00:12
nathanynkinkade: well we could install rdfadict for python2.500:13
nkinkadenathany: What's the method for that again?00:13
paulproteusI imagine so.00:13
nkinkadeeasy_install?00:13
nathanyif that's installed for 2.500:15
*** lotia has joined #cc00:15
nathanywhat box is that again?00:16
nathanynkinkade: a8?00:16
nkinkadenathany: $ sudo easy_install rdfadict00:16
nathanyright00:16
nkinkadeThat *seems* to have done it.  Yeah, a8.00:16
nkinkadeI saw references to installing things in 2.5.00:17
nathanyyou can do easy_install-2.5 (or -2.4) if you want a specific python version00:17
nathanynkinkade: i have to run home... be back online soon (hopefully)00:17
nkinkadenathany: Cool.00:18
nkinkadeI think things have settled.  Just a matter of getting those last few sites working Nagios.00:18
nkinkadeThanks for your help.00:18
*** nathany has quit IRC00:34
*** jgay has joined #cc00:35
*** lotia_ has joined #cc01:01
*** lotia has quit IRC01:02
*** nathany has joined #cc01:07
*** tanjir has joined #cc01:08
paulproteusnathany, rehi01:14
paulproteusEditing this screencast never was fun, but it'll be nice to have it be over.01:14
*** grue_ has joined #cc01:17
*** grue has quit IRC01:18
*** grue has joined #cc01:18
*** grue has quit IRC01:19
nathanypaulproteus: heh01:25
nathanyyeah, it'll be good to have it done01:26
paulproteusThis is the one where in the first take, the staging server didn't have fr_CA show up at all and totally ruined my demo.01:26
paulproteusBoo frickin' hoo.01:26
nathanyheh01:26
paulproteusAnyway, back to Audacity.01:26
nathanyok, i'm off for 60-90 min01:26
nathanyttyl01:26
*** nathany has quit IRC01:26
paulproteusttyl01:26
*** Bovinity has quit IRC01:31
*** Bovinity has joined #cc02:03
*** mecredis has joined #cc02:12
*** K`Tetch has quit IRC02:39
*** K`Tetch has joined #cc02:47
*** K`Tetch has quit IRC02:56
*** mlinksva has quit IRC02:59
*** K`Tetch has joined #cc03:02
*** mecredis has quit IRC03:15
*** jgay has quit IRC03:18
*** nkinkade has quit IRC03:26
*** mecredis has joined #cc03:28
*** mecredis has quit IRC03:51
*** nathany has joined #cc03:53
*** johndoigiii_ has quit IRC05:04
*** [mharrison] has joined #cc05:21
*** tanjir has quit IRC05:32
*** parkerhiggins has quit IRC05:58
isforinsects?def isforinsects06:11
*** Bovinity has quit IRC07:02
*** sama has joined #cc07:59
*** nathany has quit IRC08:18
*** UncleCJ2_ has quit IRC09:36
*** UncleCJ2_ has joined #cc10:02
*** sama has quit IRC10:03
*** UncleCJ2__ has joined #cc10:03
*** sama has joined #cc10:23
*** UncleCJ2_ has quit IRC10:24
*** UncleCJ2__ is now known as UncleCJ210:41
*** K`Tetch has quit IRC12:00
*** nathany has joined #cc12:54
*** parkerhiggins has joined #cc13:08
*** kreynen has joined #cc13:16
*** UncleCJ2 has quit IRC13:32
*** UncleCJ2_ has joined #cc13:49
*** nathany has quit IRC13:53
*** johndoigiii has joined #cc14:16
*** johndoigiii_ has joined #cc14:21
*** lotia_ has quit IRC14:30
*** UncleCJ2_ has quit IRC14:32
*** nkinkade has joined #cc14:37
*** johndoigiii has quit IRC14:41
*** keksschaf has joined #cc14:47
*** mlinksva has joined #cc14:55
*** mlinksva has quit IRC15:03
*** nathany has joined #cc15:08
*** jgay has joined #cc15:11
*** kreynen has quit IRC15:11
*** K`Tetch has joined #cc15:22
*** lotia has joined #cc15:26
*** UncleCJ2_ has joined #cc15:27
nkinkadepaulproteus: Do you find it spurious that the Nagios check_http plugin automatically appends :80 to the end of the Host: HTTP header?15:33
nathanynkinkade: he's on his way to ETech right now, not sure he'll see it until he gets there15:34
nathanyis that the cause of the nagios weirdness from yesterday?15:34
nkinkadeDebian has a custom patch, but it propagates this behavior: http://patch-tracking.debian.net/patch/series/view/nagios-plugins/1.4.12-5/41_check_http_fix_http_header.dpatch15:34
nathanybtw, the license engine on a5 is the new buildout15:34
nkinkadenathany: It has something to do with that, but I'm not quite sure why it only affects rdfa.info and a couple others.15:34
nathanyit seems to be running ok but i need to add an init script15:34
nathanyhrm15:34
nathanythat is weird15:34
nkinkadeAny ideas?15:34
nathanyas to whether it's spurious or not?15:35
nathanynot sure, to be honest15:35
nathanydoes it screw with Varnish to have :80 there? (since we do the hostname based dispatching)15:36
nkinkadeNo, the problem happens when I go right to port 8080 as well.15:36
*** johndoigiii has joined #cc15:36
nkinkadeSo, it's something weird with Apache, HTTP, and the check_http plugin.15:36
nathanyhrm15:36
nathanyso what does it do that's unexpected when the port is appended?15:37
nkinkadenathany: http://pastebin.com/d30c49a4615:39
nathanynkinkade: interesting15:39
nkinkadeI'm not sure why Apache redirects only for rdfa.info and not all the other vhosts.15:39
nathanyi mean, it does make a certain amount of sense for Apache to say "uh, the 80 isn't needed, thanks", but it's weird it's just for rdfa.info15:40
nkinkadeOh, and removing that :80 from the request also fixes /license and /licenses15:40
nathanyyou mean in the nagios test?15:40
nkinkadeRight.  That's what confuses me.15:40
nkinkadenathany: Yeah.15:40
nkinkadeI can manually run check_http ... it's a binary.15:40
nkinkadeAnd when I specify a "Host:" header on my own, without the :80, then they work ... but it also reverts to HTTP/1.0 for some reason.15:41
nkinkadeI admit I don't know much about the HTTP protocol.15:41
nathanywell that fits with the error we were seeing in z3.log yesterday that was complaining about the vhost formatting15:41
nathanysince it uses colons to separate things, the extra port probably got added in there confusing it15:42
nathanydoes check_http have a flag to force it to 1.0? maybe it's a "feature" of 1.1?15:42
nathany(i'm totally grasping @ straws)15:42
nkinkadeSeems that it's valid to append the port: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.2315:44
nathanynkinkade: is 9080 open to the outside world on a7 or a5?15:45
nathanyi guess it is on a5, huh15:45
nathanyi wonder if we make the request to 9080 directly if we can see what we get15:45
nathany(logging into the nagios box)15:45
*** johndoigiii_ has quit IRC15:45
nathanynkinkade: where does check_http live?15:45
nkinkade /usr/lib/nagios/plugins/check_http15:46
nkinkadenathany: And for reference, this command works: /usr/lib/nagios/plugins/check_http -k "Host: rdfa.info" -I 64.34.161.33 -s "RDFa"15:47
nkinkadeThis one does not: /usr/lib/nagios/plugins/check_http -H rdfa.info -I 64.34.161.33 -s "RDFa"15:47
nathany-s checks for a string?15:47
nkinkadeYeah.15:47
*** TRD has joined #cc15:49
nathanynkinkade: so i think part of this might be varnish15:49
nathanyone sec, let me pastebin15:49
nathanynkinkade:  http://pastebin.com/m901cfff15:50
nkinkadenathany: Good point.15:51
nathanynkinkade: so i'm fairly certain varnish is to blame for the zope related stuff15:52
nathanyi think it's mangling the URL for virtual hosting in a way zope doesn't understand15:52
nathanynkinkade: of course, i'm not sure what to do about it15:53
nkinkadenathany: That makes sense.  It may be passing the :80 in with the hostname.15:53
*** lotia has quit IRC15:53
nathanyright15:54
nkinkadeOne way around that would be to use  a regex to match req.http.host15:54
nathanyto split out the port portion?15:55
nkinkadeMaybe.15:55
*** UncleCJ2_ has quit IRC15:55
nathanynkinkade: so it seems like we've figured out half the problem, but not the 301 part15:57
nathanyyou said the 301 stuff happens whether you hit 80 or 8080, right?15:57
nkinkadenathany: Right.  Varnish doesn't seem to be causing the issue with Pootle either.15:58
nathanyweird15:58
nkinkadeYeah, 80, 8080, it's the same.15:58
nathanyis the pootle issue the same as the rdfa.info one?15:58
nkinkadeBut if Varnish is mangling URL to cc.engine when the request host contains :<port>, then that is a larger problem.15:59
nkinkadeI'll investigate.15:59
nathanyok... i need to prep for a call16:00
*** UncleCJ2_ has joined #cc16:13
*** UncleCJ2_ has quit IRC16:18
*** Bovinity has joined #cc16:19
*** mlinksva has joined #cc16:23
paulproteusMorning, nkinkade16:26
paulproteusThat idea from Nagios should be fine; http://whatever.com:80/ should be the same as http://whatever.com/ (I *think*, this is a part of HTTP I don't know super well).16:26
paulproteusOh HAH whatever.com:8080:808016:26
*** lotia has joined #cc16:33
*** Bovinity has joined #cc16:33
*** parkerhiggins has quit IRC16:35
*** UncleCJ2_ has joined #cc16:37
paulproteusMorning Bovinity.16:37
paulproteusYou at ETech?16:37
paulproteusJoi's up now.16:37
paulproteusHe's talking about The Stack, but I don't see any pancakes.16:38
paulproteus"Where the friction is, is the lawyers."16:40
*** tvol has joined #CC16:41
paulproteusYargh, the point of RDFa isn't that "license information is important enough to be part of HTML" but that "extensible metadata choices should be made by the producers of web content, not the standards designers."16:45
nathanysigh.16:51
nathanyat least he didn't call it "a different kind of drm" (again)16:51
paulproteusI'm writing a note and CC:ing cc-tab, fwiw.16:52
nathanygreat16:52
nathany(not sure who's on cc-tab these days, so not sure how useful that is, but whatev)16:53
paulproteus(I figure it's you and Ben at least, and that's the important thing)16:53
nathanypaulproteus: i *think* I'm on it :)16:54
nathany(but i'm honestly not 100% sure)16:54
paulproteusIcey.16:54
paulproteusWell, since you're the Chief Technical Dude, you perhaps ought to.16:54
nathanylol16:55
nathanyi'm pretty sure i am... i guess i'll go double check since my brain isn't particularly suited to other tasks this morning16:55
nathanypaulproteus: i am; as are you and nkinkade :)16:56
paulproteusYay (-:16:57
nathany(and various and sundry board members)16:57
paulproteuseer, /me fears lambasting joi in front of boardies16:57
nkinkadenathany: And on that same point, I assume you are also getting these cc-metadata moderator messages?16:57
paulproteusmm, cc meat data16:58
nathanyyes. i was hoping they'd just go away :)16:58
nathanyi'll log in now16:58
* paulproteus just CC:s ML, BA, NY16:58
paulproteusCC BY OM FG16:59
nathanypaulproteus: and the deprecated variant: CC BY-Z-OM-FG17:00
paulproteusCC Zero was originally called CC Zomfg.17:01
nathanyGod i wish i'd thought of that when writing the code17:02
paulproteusActually Zomfg was the joke name.17:03
paulproteusCC Zomfg was the original name.17:03
paulproteuser17:03
paulproteusCC Zomg was the original name.17:03
paulproteusCC Zero was what we renamed it; conveniently it's the same length, so we could just binary-patch the .pyc files.17:03
paulproteus(We lost the source and decompyle doesn't work against more recent versions of Python.)17:03
nathanyheh17:05
paulproteusLook, I made Indonesian! http://translate.creativecommons.org/id/17:11
paulproteusAnd it starts off at 0% because I copied en, and en has no values now.17:11
paulproteusCloser now to sanity.17:11
paulproteus(-:17:11
paulproteusBTW, SoC this year?17:14
paulproteusI also love how people call us "the Creative Commons Foundation."17:15
*** K`Tetch has quit IRC17:16
*** johndoigiii has quit IRC17:18
*** sama has quit IRC17:24
*** K`Tetch has joined #cc17:24
nathanypaulproteus: yes, i need to do the application17:26
nathanyiirc it's due end of week17:26
paulproteusCool17:26
nkinkadenathany: For rdfa.info, turns out it was WordPress doing the redirect.17:39
nathanynkinkade: weird17:39
nkinkadeIt wasn't happening on the other WP installs because I have installed a plugin to disable "canonical" redirects.17:39
nkinkadeThat sucks.17:39
nathanyyeah17:39
nathanyi'd like to suggest just writing the test the way that works, if possible (specifying the host header); so long as we get back the result it shouldn't matter, right?17:40
nathanyand the fact that it's just that one vhost doesn't make me very inclined to sink tons of time into patching WP (Since I'm guessing there's "a reason" for it :) )17:40
nkinkadehttp://translate.creativecommons.org:8017:41
nathany?17:41
nkinkadenathany: There is no patching needed here.  There is a WP plugin that disabled that spurious behavior.17:42
nathanyah, awesome17:42
nkinkadeAnd I've installed it on rdfa.info.  It has been installed on the other wikis for over a year, probably.17:42
nkinkadeSorry, the other WP installs.17:42
nkinkadeBut interesting behavior from that link above, no?17:42
nathanynkinkade: you mean that it redirects?17:43
nkinkadepaulproteus: What do you make of that translate link above?17:43
nkinkadeIt's faking Pootle out, I believe.17:43
nathanynkinkade: you mean that it redirects to http://translate.creativecommons.org ?17:44
nkinkadenathany: I don't think it's redirecting even.17:44
nkinkadeTry http://translate.creativecommons.org:808017:44
nathanyoh17:44
nathanyi see, Fx must have "fixed" the link for me when i clicked it17:44
nathanyweird that you get the directory index17:44
nathanylike, totally weird17:44
nkinkadeVery strange.17:45
nkinkadeI can only imagine that Pootle is thrown off by the :<port>17:45
nkinkadeSo much so that it returns a directory listing instead of some HTML.17:45
nkinkadeOr useful HTML, that is.17:45
*** robmyers has joined #cc17:46
nathanynkinkade: but that's not pootle returning that index, it's apache17:46
nathanynkinkade: do we do vhost switching in varnish for translate?17:47
nathanyi'm guessing it's the same as the zope problem -- it's passing in the port number, which confuses varnish's req.url matching17:47
nkinkadenathany: Varnish does touch those.17:47
nkinkadeIt must be bypassing Varnish and hitting some old Apache configurations.17:48
nathanyright17:48
*** lotia has quit IRC17:48
*** johndoigiii has joined #cc17:49
nkinkadeChanging Varnish rule to  (req.http.host ~ "^translate.creativecommons.org") fixed it.17:51
nathanyawesome17:51
nkinkadeBefore it was == (and minus the ^)17:51
nkinkadeOkay, 2 down, cc.engine to go.17:51
nathanynkinkade: let me know if you want an extra set of eyes/frontal lobes on that17:52
nkinkadenathany: I may ping you when I come up with some.  Just to verify what I do.17:53
nathanysure17:53
nkinkadenathany: In the Varnish config on a7 there is:  ( req.url ~ "^/(license|characteristic)/" )17:54
nkinkadeShould that be:  ( req.url ~ "^/(license|characteristic)/?" )17:54
nkinkade(with or without trailing slash)17:54
nathanyno, i think it's fine the way it is17:54
nathanywe redirect /license to /license/17:54
nathany(which we really want to enforce since some things use relative URLs for better or for worse)17:55
nathanyand /characteristic is old and lame17:55
nathany(but still used, of course)17:55
*** mlinksva has quit IRC17:56
nkinkadepaulproteus: On a7 in my home directory there is a directory called easy-ssh-keys.  Does that ring a bell with you?17:59
nkinkadeIt looks like you may have put that there: http://code.creativecommons.org/svnroot/hooks/update-staging-i18n.sh18:00
nkinkadeBut just checking, because it startled me.18:01
johndoigiiinathany: hey, I have a quick question about CC Net https issue18:04
nathanysure18:05
nathanyjohndoigiii: shoot18:05
johndoigiiiin the issue listing, you say "When rendering the profile, if the request is made over HTTP, no OpenID header information will be included"18:05
johndoigiiiare we display HTTP requests then?18:05
johndoigiiiwe to*18:05
johndoigiiijust without the openid info?18:05
johndoigiiithis confused me because currently all requests are forwarded to https anyway18:06
nathanyjohndoigiii: to be honest i'm not sure; it's been a while since i thought about that18:06
nathanyright18:06
nathanyi can't remember if the thought was:18:06
nathanya) serve both, or18:06
nathanyb) still redirect but try to detect if it started as https18:07
nathany(or not)18:07
nathanyi *think* we were thinking (b)... i think that because18:08
nathanyfor existing users we still want to do the redirection and support OpenID URLs that have http:// in them18:08
johndoigiiihmm okay, well the way I approached this was to redirect all to https within django, but check for the case where a user might be trying to identify with openid, http://pastebin.com/m416880e618:08
nathanyand we certainly want to do that over https18:08
johndoigiiisorry my english is god awful today18:09
nathanyjohndoigiii: that's an interesting start18:09
nathany(no problem, i'm running on < 4 hours sleep)18:09
johndoigiiiyikes18:09
nathanyjohndoigiii: thinking... one sec18:10
johndoigiiinathany:  NP18:10
*** mlinksva has joined #cc18:11
*** bse has joined #cc18:11
nathanyjohndoigiii: oh, so that only does the check if they're viewing their profile?18:11
nathanyah, i see18:12
johndoigiiiyes18:12
paulproteushttp://www.bofhcam.org/co-larters/snooping-email/index.html18:12
paulproteusnkinkade, Yes, it does18:12
paulproteusI added easy-ssh-keys so that I could easily do 'svn update' as your UID but use the keys in that dir.18:12
paulproteusi.e., in case your SSH key in your home is locked with a passphrase18:12
nkinkadeWhich is it.18:12
nkinkadeWhich it is, I mean.18:12
* paulproteus nods, I never checked.18:13
nathanyjohndoigiii: so i don't think that's quite right18:13
paulproteusbse, http://www.bofhcam.org/co-larters/snooping-email/index.html18:13
paulproteus(pardon the repeat)18:13
nathanyit looks like that wouldn't allow any http:// access to the profile page, but would to other pages18:13
nathanyright?18:13
nathanyer, no18:13
johndoigiiino18:13
nathanynevermind, it redirects other pages to https, but doesn't redirect profiles18:13
paulproteushttp://www.bofhcam.org/co-larters/why-you-cant/index.html is great too.18:13
johndoigiiinathany: no http anywhere, but if they http to view_profile then it just notifies them of what's going on18:14
johndoigiiiwe can change this to the view_profile with a more descriptive message, but I am just trying to map out this logic correctly18:14
nathanyjohndoigiii: right; i assume the bare return on line 25 is spurious? presumably if they're a "legacy" user they get redirected anyway with some warning?18:14
johndoigiiinathany: correct18:15
*** stevel has joined #cc18:15
nathanyjohndoigiii: and profile.redirect_https implies that they *can not* get openid requests originating on http, right?18:16
johndoigiiinathany: yes, I see my flaw, 1 sec18:17
nathanyjohndoigiii: i have a suggestion and you should feel free to tell me it's stupid18:17
johndoigiiihaha okay?18:18
nathanyinstead of doing the check here and incurring the extra hit, what if we set up either apache or django (with middleware like this) to add a query string flag that says "this started as http"18:18
nathanyso http://cc.net/nathan would redirect to https://cc.net/nathan?s=0 (or something very short)18:19
nathanywell, i don't 100% love that either18:19
johndoigiiiyeah18:19
nathanypaulproteus: are you busy or can you lend a few cycles to thinking about this?18:19
paulproteusnathany, Hi, sure, sup?18:19
johndoigiiiwell my first approach was to append a param in the kwargs of all view requests that had a flag like "ssl" = True18:20
* paulproteus scrolls18:20
nathanypaulproteus: see issue http://code.creativecommons.org/issues/issue9418:20
nathanyfor context18:20
nathanyi think the question before us is how we detect that a request originated as http and was redirected, right johndoigiii?18:20
paulproteusYou could set this in the cookie / session instead.18:20
nathanymaybe that's django middleware, as johndoigiii started18:20
paulproteusAnd you could even clear the "started as insecure" flag when you display a message about it.18:21
johndoigiiiyes that is the question18:21
nathanypaulproteus: which you'd want to do18:21
* paulproteus nods18:21
nathany(clear it, since only the first request would be vulnerable)18:21
paulproteusI would do it in the session. Is there a reason to do otherwise?18:21
nathanyprobably not; we already use the session store18:22
nathanyso the sslmiddleware would: see a request that18:22
nathanyis non-SSL, set the "insecure" session flag and redirect it18:22
paulproteusYup, that's a good plan in a low-complexity-of-engineering sense.18:23
nathanyof course, this requires a db hit for every request and clearing the flag18:23
paulproteusSessions are in the DB?18:23
paulproteusYou could just use a cookie instead if you'd rather be DB-free.18:23
nathany(in every view? or is there response middleware we could use to clear it on non-redirect responses, johndoigiii)18:23
nathanypaulproteus: i'm not 100% sure now that i think about it18:23
nathanymy head hurts :)18:23
paulproteus(There are still a bunch of attacks: someone doing a MITM can just proxy HTTP to the HTTPS site, and the user would never notice. And then there's the lovely iframe session cookie stealing attack, though I'd have to read up about that. But those are mostly off-topic; we can improve this particular issue and consider those later.)18:24
nathanypaulproteus: right, but the idea is that you couldn't mitm it for new users because we wouldn't support open id requests that originated as http18:25
*** lotia has joined #cc18:25
johndoigiiinathany: what role would apache play then?18:25
paulproteus(if an active attacker is proxying HTTP to HTTPS, then we see an HTTPS request)18:25
nathanyjohndoigiii: it would pass every http and https request into django18:25
johndoigiiishould we still plan on django handling all?18:25
johndoigiiiok18:25
paulproteus(might still be decent to ignore these parentheses things)18:25
paulproteus(nathany, Wait, maybe I agree with you, I need to think about it.)18:26
nkinkadenathany:  The issues with Nagios are fixed.  Just FYI I had to wrap each redirect to the cc.engine backend in a conditional that checks to see if req.http.host has :<port> appended, and if so, then use a modified URL to the cc.engine.18:26
nathanypaulproteus: yes, but that means the user would have entered http://foo as their open id which we'd reject as an invalid identifier18:26
nkinkadeIt's just as well that this happened because it revealed a bug in our setup.18:26
nathanyjohndoigiii: so we'd have a request middleware which would see if it's http and if so, set the session flag and redirect18:26
johndoigiiiokay18:26
nathanyjohndoigiii: and then we'd have a corresponding response middleware that clears the flag if it's not a redirection response18:27
nathanypaulproteus: does that combination sound sane?18:27
nathanythe only thing i don't like is that this means every user (not just logged in ones) gets sessions, but i suppose we'll deal18:27
nathanypremature optimization being the root of all evil and all that18:27
nathanynkinkade: glad to hear that :)18:27
paulproteusOnly non-SSL users get sessions.18:28
paulproteusBut yeah, I think it's a good setup.18:28
nkinkadeBut, nathany, it seems to me that it'd be cleaner if that could be handled on the Zope side of things ... were that possible, and not hard to implement.18:29
nathanyjohndoigiii: does this make sense to you? we can then do conditionals in different places based on the session rendering18:29
johndoigiiinathany: yes this makes sense, so if the session flag is set have conditions in the template that will prevent the openid header information from displaying?18:30
nathanyright18:30
nathanywe'll also check the profile when we do the openid auth to make sure they're allowed to "claim" an http:// id18:30
johndoigiiiand if they're not?18:31
nathanybut we can cross that bridge when we come to it -- that code's a little messy so i can help18:31
johndoigiiiok18:31
nathanyso if they're a new member and they're trying to auth as http:// we reject it and say "not allowed to use that id"18:31
johndoigiiiok18:31
nathanyif they're "legacy" we let it through18:31
nathanyi think those are the two points of contact we need to worry about18:31
johndoigiiialright, that sounds good18:32
johndoigiiilet me see what I can iron out before our call18:32
nathanyawesome18:33
mlinksvapaulproteus, Bovinity i am getting up now, will be back. i am too lazy to open my mouth18:43
paulproteus<3, Mike18:49
nathanydo i want to know?18:59
nathanypaulproteus, mlinksva^^ ?18:59
bsehe was sitting with us18:59
nathanyah18:59
nathanyi didn't know if there was something awful he might have opened his mouth about18:59
nathany(it's conceivable ;) )18:59
bsethe dullness of this right now is kinda awful19:00
*** bse is now known as bovinity_19:00
*** mlinksva has quit IRC19:08
*** johndoigiii_ has joined #cc19:12
*** johndoigiii has quit IRC19:19
*** johndoigiii has joined #cc19:29
*** UncleCJ2_ has quit IRC19:47
*** johndoigiii_ has quit IRC19:47
nathanyjohndoigiii: you may be interested in this since you're on OS X http://gitx.frim.nl/19:48
johndoigiiinathany: thx, this looks pretty good19:49
nathanysure19:49
*** Xarthok has joined #cc19:51
*** Xarthok has left #cc19:51
*** UncleCJ2_ has joined #cc20:05
nkinkadeAn info@ email had this elegant bit: "To wax mildly grandiose for a moment,"20:11
nathanynkinkade: fine, but just for a moment ;)20:12
nathanypaulproteus: can you go to http://socghop.appspot.com/ and sign up for an account, ping me with your "link id"20:12
nathany(i thought the web app couldn't get worse; I was wrong)20:12
nkinkadeI  wax grossly grandiose from time to time, but not often mildly.20:12
nathanynkinkade: and often not for just a moment ;)20:13
nkinkadeThat, too.20:14
nathany:)20:14
nathanypaulproteus: did i lend you my headset long ago or did i lose it elsewhere?20:24
*** UncleCJ2_ has quit IRC20:24
nathanynkinkade: johndoigiii paulproteus do you guys want to try skype for our call or should we use the conf line?20:26
mattlpaulproteus: say no to skype :)20:27
nkinkadeShall we try Ekiga again?!20:27
nkinkadeIt was so close last time.20:27
nkinkademattl: I don't think you have to worry about that.  I get the feeling that paulproteus wouldn't touch Skype with a 10 foot pole.20:27
nathanynkinkade: i'm fine with that but johndoigiii is on a mac20:28
nkinkadeBut I will say that Skype works well out-of-the-box, and that in itself has value.20:28
nathanydo you know of easy instructions?20:28
nathany(for interop)20:28
nkinkadenathany: xmeeting20:28
nkinkadejohndoigiii: I think xmeeting for the Mac is compatible with Ekiga ... in fact I've used it before with my father.20:29
nkinkadeWell, he used xmeeting and I Ekiga ... worked great.20:29
nkinkadehttp://xmeeting.sourceforge.net/pages/index.php20:29
nathanynkinkade: i'm fine trying that... i forget how we do conference20:29
nathanyoh, right20:30
nkinkadenathany: The setup with the mic and speakers in the conference room was quite nice.20:30
johndoigiiinathany: hey sorry, stepped away for a sec20:30
nathanyno problem20:30
nathanyyou up for experimenting with ekiga/xmeeting?20:30
johndoigiiiyeah definitely20:31
nkinkadeOne computer in the conference room connects the mic and speakers, and also connects to Ekiga or Skype.20:31
nathanynkinkade: does he just get a sip account from ekiga.net?20:31
nkinkadenathany: Yeah.20:31
nkinkadejohndoigiii: http://ekiga.net20:31
johndoigiiii'm outside at a coffee shop due to my internet service ending at home20:31
johndoigiiiprepping for my move :)20:31
mattlwhere are you moving?20:31
nathanyjohndoigiii: cool20:32
johndoigiiisausalito20:32
nathanynkinkade: wanna dial into the room and see if the basics are working?20:32
nkinkadeSausalito!20:32
nkinkadeI thought about moving there.20:32
johndoigiiinkinkade: yup, I can't wait20:32
nathanynkinkade: i can hear you20:33
nkinkadeI had people tell me that taking the ferry in each day was quite nice.20:33
nathanynot sure what's going on20:33
nathanythe mic doesn't show any pick up...20:33
nathanyone sec20:33
nkinkadejohndoigiii: Where you at with xmeeting and ekiga.net20:36
*** [mharrison] has quit IRC20:36
johndoigiiiinstalling xmeeting20:36
nkinkadeCool.20:36
*** TRD has quit IRC20:40
johndoigiiihmm, I don't know if the NAT for the public wifi I am on will work20:41
nathanyjohndoigiii: i didn't do anything to route past our NAT here... i guess we can give it a shot20:41
nathanyjohndoigiii: if it doesn't work we can fall back to the conference line20:42
nathanyi don't have the brain power for a long call today :)20:42
johndoigiiiyeah, well during setup of xmeeting it warned me of a possible incompatibility with the NAT and now I can't get it to connect20:42
nkinkadejohndoigiii: Is there any setup for STUN in xmeeting?20:42
nathanyah20:42
nathanyok20:42
johndoigiiilol, well let me try to connect to another network real quick and try that20:42
johndoigiiinkinkade: yes there is20:43
nkinkadejohndoigiii: I think there are other clients compatible with Ekiga ...20:43
nkinkadehttp://wiki.ekiga.org/index.php/Which_programs_work_with_Ekiga_%3F20:44
johndoigiiiI can try gizmo20:44
johndoigiiiyeah20:44
paulproteusnkinkade, nathany: We do tech chat at 2, right?20:45
nathanypaulproteus: 130 :) but at this rate it may be 220:45
paulproteusI'm at this lovely conference still, and I don't have a way to charge my phone. (I could probably take Bovinity's though.)20:45
paulproteusOkay, cool.20:45
nathanypaulproteus: we're on ekiga20:45
paulproteusOh, okay.20:46
nathany(or trying to be)20:46
paulproteus...but I left your headset at home, oops.20:46
paulproteus(which answers the above question)20:46
nathanypaulproteus: AH HA! so that's where it is ;)20:46
nathanyjohndoigiii: if you don't mind trying gizmo that'd be cool just so we know what works20:46
nathanyotherwise we'll fall back to the conf line20:46
paulproteusI am so infuriated by STUN.20:46
paulproteusI haven't tested if ICE does better NAT traversal.20:46
johndoigiiinathany: installing now20:47
nathanyINFURIATED! I say!20:47
paulproteusHonestly, people, this is just a matter of making basic network attack software an IETF standard.20:47
johndoigiiinathany: ....well downloading20:47
nathany:)20:47
paulproteusSkype does it and calls it Skype.20:47
nathanyi don't really know what that means20:47
paulproteusWell, NAT piercing to some people is "omg an attack on the corporate firewall".20:48
paulproteusBut F that, we have to destroy NAT.20:48
paulproteusWhatever it takes.20:48
paulproteusEvery day we lose, the Internet becomes less end-to-end.20:48
paulproteusSTUN does a bad job of it, and so Ekiga users suffer.20:48
paulproteusSkype does a good job of it, and Skype users are happy and live the end-to-end dream.20:49
paulproteusThey're also hacked by Chinese, but that's neither here nor there.20:49
nathanypaulproteus: as is fcgi ;)20:50
johndoigiii....still downloading gizmo....20:50
* paulproteus giggles about Chinese Fast CGI.20:50
paulproteusSkype is hacked by Chinese in a bad way, but mod_fcgid is hacked by Chinese in a good way.20:51
paulproteusWho knew that was even possible!?20:51
nathanywho knew indeed20:51
paulproteusAnyway, should I try Ekiga, or Gizmo, or what?20:51
nathanyi'll leave it up to you and johndoigiii20:52
nathanyi have zero preference20:52
paulproteusI'll try Ekiga right now for no particular reason.20:52
paulproteusWho knows if STUN will work?20:52
paulproteusFrickin' A, I just need to get my laptop a global VPN'd IP.20:53
johndoigiiiI just tried STUN with XMeeting20:53
paulproteusBut that's decadence not everyone can afford.20:53
nathanypaulproteus: 1st World Problems20:53
paulproteusI seem to have STUN'd into Ekiga fine.20:54
paulproteusUnfortunately the room is loud.20:54
paulproteusI'll see where I can go.20:54
*** ronfo has joined #cc20:54
paulproteusYay, great success.20:55
paulproteusI say I prefer Ekiga since it just worked and I'm not very interested in fiddling.20:56
*** ronfo has quit IRC20:58
nkinkadehttp://creativecommons.org/licenses/by/3.0/hk/20:58
*** lotia has quit IRC20:59
nathanynkinkade: can you still hear me?21:00
nkinkadenathany: Can you not hear me?21:00
nkinkade I hear you.21:00
nathanyno, i can't21:00
nkinkadeNot sure what happened?21:00
nathanyi'll redial21:00
nkinkadeLet me poke around.21:00
nathanynkinkade: can you hear me?21:01
nathanyugh21:01
nkinkadeNo.21:01
nathanynkinkade: can you try dis/re-connecting21:01
nkinkadeDoing that now.21:01
nathanyjohndoigiii: if you get things configured, join us, otherwise i'll call you directly shortly if that's ok with you21:02
johndoigiiiyeah that's fine, I'd like to figure this out for future ref so I'm gonna keep working on it21:02
nathanyabsolutely21:02
bovinity_nathany: is the office empty?21:03
nathanynearly21:03
nathanybovinity: jane and allison are here21:04
bovinity_i'm heading back21:04
*** johndoigiii_ has joined #cc21:06
*** johndoigiii has quit IRC21:09
*** bovinity_ has quit IRC21:09
paulproteusnkinkade, closed? http://code.creativecommons.org/issues/issue21321:09
paulproteusBovinity, wait21:09
paulproteusfor me21:09
paulproteusd'oh21:09
paulproteushold on21:09
johndoigiii_I don't know if there is any way around a symmetric NAT21:21
*** UncleCJ2_ has joined #cc21:22
johndoigiii_is the host still 5016060@ekiga.net?21:23
paulproteusTurns out much "symmetric" NAT (like Linux netfilter) isn't entirely symmetric, I hear from NAT piercers.21:23
paulproteusYup21:23
nathanyjohndoigiii_: yes21:23
nathanyjohndoigiii_: did you manage to get it figured out?21:24
johndoigiii_no, I can't get it to resolve the NAT21:24
nathanyjohndoigiii_: ok, we're wrapping up21:24
nathanyone sec21:24
johndoigiii_alrighty21:25
paulproteusNAT, destroyer of the Internet.21:25
paulproteus"It can be that easy when you break the Internet."21:26
paulproteusDon't mind me, I'm just an old curmudgeon.21:26
*** UncleCJ2_ has quit IRC21:42
*** nathany has quit IRC21:46
*** lotia has joined #cc21:49
*** User788 has joined #cc21:57
*** User788 has quit IRC22:00
*** johndoigiii_ has quit IRC22:02
*** tvol has quit IRC22:10
*** bse has joined #cc22:18
ianwellerhttps://secure.wikimedia.org/wikipedia/commons/wiki/Template:Bjarki <-- nice license. :/22:37
*** robmyers has quit IRC22:51
*** lotia has quit IRC22:57
*** UncleCJ2_ has joined #cc23:04
*** kreynen_ has joined #cc23:16
kreynen_seen Asheesh23:17
*** kreynen_ has quit IRC23:23
paulproteuskreynn... bye23:26
*** [mharrison] has joined #cc23:39
