[07:39:20] <gehel>	 pfischer: I see you can log into the bastions. Can you check if you can log into one of our elasticsearch servers? For example elastic1100.eqiad.wmnet ?
[08:24:08] <pfischer>	 gehel: I’m being prompted for a password which doesn’t seem right as ~/.ssh/config configures ProxyJump and IdentifyFile for *.wmnet
[09:38:03] <gehel>	 pfischer: sorry, way in a meeting. I'll head out for lunch in a few minutes. Let's check this afternoon!
[09:38:43] <gehel>	 s/way/was/
[09:38:47] <gehel>	 lunch + errand
[09:48:32] <addshore>	 dcausse: bz2 shaves another 35GB off the JNL, resulting in a 306GB file
[09:57:57] <dcausse>	 addshore: nice! the ttl dataset is ~100Gb I'm sure many will prefer to download a dataset 3times bigger but save weeks of import time!
[09:58:46] <dcausse>	 lunch
[11:24:31] <pfischer>	 lunch
[12:56:29] <inflatador>	 greetings
[12:56:37] <dcausse>	 o/
[12:57:13] <inflatador>	 <o/
[13:01:33] <inflatador>	 "We've" been tagged on https://phabricator.wikimedia.org/T317187 , looks like they think "our" patches could be contributing to slowdowns 
[13:06:54] <dcausse>	 ok commenting
[14:54:20] <ebernhardson>	 \o
[14:59:33] <gehel>	 @all: office hours starting in a minute in https://meet.google.com/vgj-bbeb-uyi
[14:59:43] <gehel>	 etherpad available at https://etherpad.wikimedia.org/p/Search_Platform_Office_Hours
[16:57:03] <inflatador>	 lunch, back in ~45-1h
[18:34:27] * ebernhardson wonders if this will cause issues for POST's to wcqs (but more rarely now), RFC 2616, Section 10.3.8: f the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
[18:35:14] <ebernhardson>	 since i couldn't figure out how to have nginx, as the proxy, run the 307 internally and move the Set-Cookie header from the 307 response into the final response
[18:43:05] <inflatador>	 interesting, is that for all 3xx or just 307 specifically?
[18:44:52] <ebernhardson>	 10.3.8 is specifically the 307 temporary redirect section of the rfc (the http 1.1 spec).  301 has similar text: If the 301 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
[18:45:12] <ebernhardson>	 302 also has similar text
[18:48:05] <inflatador>	 I guess that's reasonable enough
[18:49:27] <ebernhardson>	 perhaps oddly, i don't think browsers do that. When we issue a 307 the browser happily re-POST's the same content to the directed to url.  But python's urllib2 (i'm trying to put together examples in php/python/nodejs for making wcqs requests) follows the rfc 
[18:49:47] <inflatador>	 maybe it's obvious, but what would cause us to emit a 307 in response to a POST?
[18:50:34] <ebernhardson>	 and annoyingly it doesn't store the cookies from the 307 into the cookiejar, it seems the HTTPError gets thrown before cookie processing making the code a bit gnarly.  I suppose i could do the example code with a library that acts more like a browser, but i was trying to do stdlib only
[20:16:05] * ebernhardson suspects wcqs sessions still expire after 1 day :S
[20:33:15] <inflatador>	 Still feeling the COVID...taking the rest of the day off, see y'all tomorrow
[21:08:50] <ebernhardson>	 meh, yeah i'm fairly certain (without exact proof of a session actually expiring in testing, will find out in a day) that wcqs sessions will still expire after a day. If we want something longer we likely need to use a typical database connection and not a wrapper like kask
[21:09:56] <ebernhardson>	 or we could do something sillier like switch JWT libraries to something that supports JWE (encryption), store the access token secret in the JWE, and use that to re-check with mediawiki once in awhile
[21:10:25] <ebernhardson>	 avoiding kask entirely and essentially using mediawiki's database store of the oauth token as our "session"
[21:11:55] <ebernhardson>	 the JWE's would have to have no direct expiration though....overall this whole auth scheme is meh :(
[21:18:10] <ebernhardson>	 i suppose i need to better understand oauth, it's not clear if the access token + access token secret is usable without the consumer secret.  If the secret is unusable without the consumer secret (to sign the overall request) maybe we can be simpler
[21:34:25] <ebernhardson>	 so per the spec, consumer secret + access token secret are both necessary to generate the signature for a request. But it says both values must be treated as passwords and protected