[07:44:26] GitLab maintenance is starting now
[07:45:39] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/debs - https://phabricator.wikimedia.org/T341991 (fgiunchedi)
[07:46:22] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/debs - https://phabricator.wikimedia.org/T341991 (fgiunchedi)
[07:51:11] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/software - https://phabricator.wikimedia.org/T341504 (fgiunchedi)
[07:57:14] Maintenance done.
[08:28:57] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (Escape Goats🐐): Replace deprecated `CI_JOB_JWT` CI variable in Kokkuri - https://phabricator.wikimedia.org/T337474 (CodeReviewBot) jnuche merged https://gitlab.wikimedia.org/repos/releng/reggie/-/merge_requests/74 add support for...
[08:52:15] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (Escape Goats🐐): Replace deprecated `CI_JOB_JWT` CI variable in Kokkuri - https://phabricator.wikimedia.org/T337474 (CodeReviewBot) jnuche merged https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/242 S...
[10:21:09] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/debs - https://phabricator.wikimedia.org/T341991 (LSobanski)
[10:24:54] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/software - https://phabricator.wikimedia.org/T341504 (LSobanski)
[10:28:52] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - operations/debs - https://phabricator.wikimedia.org/T341991 (LSobanski)
[10:36:41] GitLab (Project Migration), collaboration-services: Migrate SRE repositories to GitLab - https://phabricator.wikimedia.org/T341468 (LSobanski)
[11:31:53] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (Escape Goats🐐): Report failures to docpub users - https://phabricator.wikimedia.org/T343222 (CodeReviewBot) jnuche merged https://gitlab.wikimedia.org/repos/releng/docpub/-/merge_requests/8 send triggerer's email to Jenkins job
[11:39:44] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (Escape Goats🐐): Report failures to docpub users - https://phabricator.wikimedia.org/T343222 (CodeReviewBot) jnuche merged https://gitlab.wikimedia.org/repos/releng/jenkins-deploy/-/merge_requests/35 docpub: notify first build fai...
[12:48:12] GitLab (CI & Job Runners), Release-Engineering-Team (Escape Goats🐐): Report failures to docpub users - https://phabricator.wikimedia.org/T343222 (jnuche) Open→Resolved
[14:49:17] GitLab (Auth & Access), Release-Engineering-Team, collaboration-services, Patch-For-Review, User-brennen: Create bot to sync LDAP groups with related GitLab groups - https://phabricator.wikimedia.org/T319211 (Jelto) I checked the users in https://gitlab-replica.wikimedia.org/groups/repos/medi...
[14:55:19] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (Escape Goats🐐): Replace deprecated `CI_JOB_JWT` CI variable in Kokkuri - https://phabricator.wikimedia.org/T337474 (CodeReviewBot) jnuche opened https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/248 e...
[15:58:17] Gitlab-Application-Security-Pipeline, Security Team AppSec, Security-Team, SecTeam-Processed, Security: Address issues within certain Gitlab CI security templates - https://phabricator.wikimedia.org/T338034 (sbassett)
[16:03:29] GitLab (Integrations), Phabricator, Release-Engineering-Team (Escape Goats🐐): Get GitLab to render `T{\d}+` in MR overviews, comments, etc. as links to Phabricator - https://phabricator.wikimedia.org/T337570 (dduvall) p:Triage→Medium a:dduvall
[16:29:02] GitLab (Integrations), Phabricator, Release-Engineering-Team (Escape Goats🐐): Get GitLab to render `T{\d}+` in MR overviews, comments, etc. as links to Phabricator - https://phabricator.wikimedia.org/T337570 (dduvall) >>! In T337570#8883694, @bd808 wrote: > A potential solution would be to work upstr...
[16:49:55] GitLab (Integrations), Phabricator, Release-Engineering-Team (Escape Goats🐐): Get GitLab to render `T{\d}+` in MR overviews, comments, etc. as links to Phabricator - https://phabricator.wikimedia.org/T337570 (bd808) >>! In T337570#8883712, @Aklapper wrote: > After [removing Phabricator code, metrics,...
[18:26:35] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (Escape Goats🐐): Replace deprecated `CI_JOB_JWT` CI variable in Kokkuri - https://phabricator.wikimedia.org/T337474 (CodeReviewBot) jnuche opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/83 jwt: support b...
[18:36:08] GitLab (CI & Job Runners), Patch-For-Review, Release-Engineering-Team (Escape Goats🐐): Replace deprecated `CI_JOB_JWT` CI variable in Kokkuri - https://phabricator.wikimedia.org/T337474 (CodeReviewBot) jnuche merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/83 jwt: support b...
[21:06:59] noted a change in behavior from gitlab's oidc change: https://phabricator.wikimedia.org/T320390#9067911
[21:07:18] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (thcipriani) Noticed today that display names changed to using `cn` instead of `uid` (discussed back in {T288392}): {F37163889 siz...
[21:08:16] i'm not totally clear if this actually changes display name, or just something the underlying auth is keying on
[21:08:29] so for: https://gitlab.wikimedia.org/brennen
[21:08:44] i see my cn as a display name, and uid is the username that shows up in e.g. urls
[21:09:16] i just created https://gitlab.wikimedia.org/randojr a few minutes ago and behavior seems the same
[21:09:39] I think it is only the external auth key that changed. https://gitlab.wikimedia.org/pepepiton is my example of a user that has only had OIDC
[21:09:49] (e.g. "Rando McRandomface Jr" shows up on the profile, but username is randojr.)
[21:09:49] it must be using cn as a lookup for OIDC since: T343485
[21:09:50] T343485: Striker's GitLab account lookup (and creation?) broken as a result of ODIC migration - https://phabricator.wikimedia.org/T343485
[21:11:37] bd808: yeah, that seems right.
[21:11:48] thcipriani: Striker is doing an explicit lookup by provider id (currently set to "cas3") and uid. That looks like it now needs to change to "openid_connect" and cn. The uid->cn foreign key change is the thing that surprised me.
[21:12:27] and seems like it should probably change back from our discussion, although i don't quite have a model in my head of what it would break.
[21:13:11] cn could get weird over time, especially when we finally get to the point of making Developer accounts attributes of SUL accounts where the cn could follow global renames.
[21:13:12] well, if it changed back, I'd guess we have to update all the database fields that were created when folks used oidc since the switchover
[21:13:36] (maybe?)
[21:13:45] maybe? or would it just be another identity?
[21:14:10] Not being able to rename the cn of a Developer account is an issue we have today because Gerrit at some point started keying on cn internally too.
[21:14:53] ^ there is some strange bug in gerrit that took me forever to figure out since my cn == my uid (because I followed onboarding instructions poorly)
[21:15:17] there are a lot of people who have the same
[21:15:34] which tends to make for some confusion. a lot depends on what era of onboarding docs and so forth.
[21:15:56] (brb.)
[21:16:46] (this one is the gerrit one https://phabricator.wikimedia.org/T225308 )
[21:18:02] mooeypoo's uid is the best example of crappy Developer account onboarding instructions in the past. I will leave finding it as an exercise for the reader.
[21:19:20] wtf
[21:19:54] how did it end with that one?
[21:20:35] She didn't understand the prompts when she was signing up for the account before her GSoC (Outreachy?) internship
[21:21:34] and there was no review by anyone, apparently
[21:21:44] Mooeypoo's experience there was actually one of my pitch cases for building Striker initially
[21:22:13] Platonides: well, no, because Wikitech is a self-serve account creation portal
[21:23:00] yes, but there's an approval step for cloud access
[21:23:17] or whatever she needed the account for
[21:23:58] sure, but I don't think we have ever rejected anyone for having a funny shell name. :)
[21:25:23] well, that one asked for a bit of guidance :P
[21:29:59] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (bd808) >>! In T320390#9067911, @thcipriani wrote: > Noticed today that display names changed to using `cn` instead of `uid` (discu...
[21:47:20] dancy: do you still think that we should try to change the OIDC provider's identifier to uid? I'm trying to code changes for Striker so that it is just a config change to toggle between them, but I also am going to want to backfill OIDC rows for everyone in the system so I don't have to add support for multiple providers on the Striker side.
[21:47:46] "to toggle between them" == uid & cn
[21:55:58] bd808: s/GitHub/GitLab/ in https://phabricator.wikimedia.org/T320390#9067931
[21:56:15] lol. fixing
[21:56:18] my current answer to your question is: I don't know and I barely understand how any of this stuff works.
[21:56:59] dancy: that is a fair answer to give :)
[21:58:55] My current belief is that either `cn` or `uid` should be fine as the foreign identifier, but in the long term I believe that `cn` is a more unstable primary key than `uid`.
[21:59:22] Agreed.
[22:02:19] the uid should be stable
[22:03:26] Both are stable today, but only because we stopped allowing Developer account renames because Gerrit made it close to impossible to do well.
[22:04:39] uid is likely to remain stable because of the association of Developer accounts with unix users in Cloud VPS and the complications of changing shellnames there.
[22:08:58] while i echo dancy's "barely understand how any of this stuff works" (and strongly suspect i understand it less than dancy), from what i can tell +1 to long-term uid seems most stable.
[22:09:11] Someday I would like to be able to fix T.heresNoTime and t.aavi's Developer account display names to match their preferred values.
[22:09:56] Let's all be randomly generated numbers and be done with it.
[22:10:04] yeah, it seems best to not further enmesh cn with barbed wire & duct tape.
[22:10:26] you know, if i can remember my icq number like 27 years later...
[22:10:31] dancy: have you heard the story of the origin of "bd808" :)
[22:10:45] I don't think I have!
[22:11:30] It was my InterNIC handle assigned in 1993 when I first became a domain contact. I was the 808th user in the system with the initials B.D.
[22:11:50] aaah, nice. InterNIC.. it was a simpler time.
[22:14:25] It sounds like dancy, brennen, and I are in agreement about uid. Can one of y'all add a summary on T320390 of our reasoning about uid stability? Then maybe j.elto can work out how to do the needful tomorrow.
[22:14:26] T320390: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390
[22:14:43] yeah, i'll type something up.
[22:14:55] a room full of heroes :)
[22:16:31] dancy: in fact, the ids in your government-issued documents (whatever they are in your country) look quite similar to randomly generated numbers
[22:17:23] Generated on a computer from the 70s
[22:17:52] I think they are just sequential numbers out of some distributed ranges
[22:19:12] a fun read, because i wondered about this not so long ago: https://en.wikipedia.org/wiki/Social_Security_number#Structure
[22:19:19] (for some values of "fun".)
[22:20:44] the security leak of "last 4" plus DOB and your address was always a fun SSN thing before 2011
[22:23:15] "what could go wrong with everyone using tax id numbers as a primary key for other things?" -- somebody who didn't think about it very long
[22:23:52] it's funny that just a while ago, we were talking in another channel that Costa Rica has all this information public
[22:24:18] based on the number and variety of entities that have demanded my SSN over the years, it kind of seems like "not thinking about it very long" is a defining characteristic of the people making these decisions.
[22:24:23] you can look up anyone by their number, or the number of someone by their name, and get information about DOB, parents, children...
[22:27:29] voter registration data is maybe the closest analog leak to that in the US
[22:29:27] $20 will get you the whole list in most states with name, address, party affiliation, sometimes birth year, occupation, voting history, ...
[22:30:54] that seems crazy
[22:31:24] we do have census lists for elections
[22:32:06] GitLab (Auth & Access), CAS-SSO, Infrastructure-Foundations, SRE, and 4 others: migrate gitlab away from the CAS protocol - https://phabricator.wikimedia.org/T320390 (brennen) To summarize discussion from Slack and libera.chat `#wikimedia-gitlab`: - Apart from T343485, we don't believe this has...
[22:32:19] and it is shared with political parties so they can spam^W share their objectives with their voters (unless you opt-out)
[22:32:24] for a while it was possible to query a lot of states' drivers license data just by knowing where to telnet.
[22:32:53] but it is quite restricted how it can be used within legality
[22:34:31] I did e-gov from '00-'06. There is a lot of data that you can get for close to free from most US states. The statutes typically specify that you only pay distribution costs. That was a lot of $$$ when things dumped to paper by default, but now that it is all electronic the prices are not a protection against abuse
[22:35:02] ::nod::
[22:35:59] every time i go digging into what _can_ be found it seems like a lot of badness is prevented mostly by a) obscurity, and b) a thin layer of hoop-jumping.
[22:36:36] brennen: did you need a tn3270 emulator too? That was the typical integration point for NIC's DL contracts in the olden days.
[22:37:15] We used the "new fangled" technology of sftp in Idaho's system
[22:37:19] a lot of things are prevented by those, I think
[22:40:53] i mainly remember a friend who was doing some state contract work being like "hey telnet here" and i was just like holy shit, this can't really be _intentionally in the open_, can it? but it was sort of still the era of "well, you'd have to be on the internet and know how to do internet things..."
[22:41:11] then too i suppose a lot of that stuff is technically in the public record.
[22:49:18] Testing my Striker changes just got weird. My local keystone service (OpenStack IDP) is segfaulting. :/
[22:50:13] good times
[22:51:12] It worked 6 weeks ago from the same docker image. I'm going to first apply the IT Crowd fix
[22:51:51] no joy. blerg
[23:29:47] The tagged container I picked is a "living" tag apparently. An image was re-uploaded over a prior version 20 hours ago. Tag history tracking at the repo doesn't show the prior tag, probably because the history is really just showing some metadata from the tagged images in the repo.
[23:31:05] And it's looking like the crash bug is in the Apache or mod_uwsgi from the updated base image the Keystone image builds on. Why can't I have nice things? *sigh*