Old 01-14-2009, 12:39 PM
Jonathan Davies
 
Default Launchpadlib support in Ubuntu Developer Tools

Hey folks,

thekorn and I have been working on getting python-launchpadlib support
to the Ubuntu Developer Tools package.

So far, we've added support for the bug reporting; for example, sync
requests with the --lp flag will use the launchpadlib API to file the
bugs. But I hope to port more things across, as things get added to
the API.

All one needs is to have an LP token authenticated and written to
~/.lp_credentials.txt. I've written how one can go about doing this
in the examples section of the manage-credentials manpage.

The support is available in the latest Jaunty packages (0.52), however
these should be installable on Intrepid.

Please report all bugs you find to the usual place at:

https://bugs.launchpad.net/ubuntu/+source/ubuntu-dev-tools/

Cheers,
Jonathan

--
Ubuntu-motu mailing list
Ubuntu-motu@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
 
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
 
Old 01-14-2009, 12:49 PM
James Westby
 
Default Launchpadlib support in Ubuntu Developer Tools

On Wed, 2009-01-14 at 14:39 +0100, Jonathan Davies wrote:
> Hey folks,
>
> thekorn and I have been working on getting python-launchpadlib support
> to the Ubuntu Developer Tools package.

Thanks for working on this.

> So far, we've added support for the bug reporting; for example, sync
> requests with the --lp flag will use the launchpadlib API to file the
> bugs. But I hope to port more things across, as things get added to
> the API.
>
> All one needs is a LP token authenticated and have it written to
> ~/.lp_credentials.txt . I've written how one can go about doing this,
> in the examples section of the manage-credentials manpage.

Shouldn't ~/.cache/lp_credentials.txt be used to fit in with the
freedesktop naming scheme? Isn't the name a bit generic? I have lp
credentials for many different things.

What happens if the user doesn't have credentials set up? Does the tool
ask them to run manage-credentials?

Also, has there been any thought to allowing different credentials for
different tools? requestsync obviously needs write access, but not to
private data, other tools won't need write access, and some may need
access to private data. Should we allow splitting of credentials so
that this can be controlled?

Thanks,

James


 
Old 01-14-2009, 01:54 PM
Jonathan Davies
 
Default Launchpadlib support in Ubuntu Developer Tools

* James Westby (jw+debian@jameswestby.net) wrote:
> > All one needs is a LP token authenticated and have it written to
> > ~/.lp_credentials.txt . I've written how one can go about doing this,
> > in the examples section of the manage-credentials manpage.
>
> Shouldn't ~/.cache/lp_credentials.txt be used to fit in with the
> freedesktop naming scheme? Isn't the name a bit generic? I have lp
> credentials for many different things.

So far the tool looks for:

1) See if a $LPCREDENTIALS variable has been set and use that file,
2) If there is a lp_credentials.txt file in the current directory,
3) A default path (in this case ~/.cache/lp_credentials.txt).

For all the files it finds, it searches through them until it finds the
right consumer key for a token and uses that for authentication
(ubuntu-dev-tools for requestsync, for example).

As for the generic part, I was going along with the old ~/.lpcookie.txt.
However I agree that moving it to ~/.cache would be better.

> What happens if the user doesn't have credentials set up? Does the tool
> ask them to run manage-credentials?

I've improved the error message so that it asks people to see the
manage-credentials manpage.

> Also, has there been any thought to allowing different credentials for
> different tools? requestsync obviously needs write access, but not to
> private data, other tools won't need write access, and some may need
> access to private data.

I think that having just write access to public data would be enough for u-d-t.
However people can create new tokens with m-c if they need it.

> Should we allow splitting of credentials so that this can be controlled?

I could change it so that the consumer key specified in the options is used
to save the tokens to ~/.cache/lp_credentials/$key.txt.

Jonathan
--
Ubuntu - Linux for human beings | www.ubuntu.com

 
Old 01-14-2009, 02:43 PM
James Westby
 
Default Launchpadlib support in Ubuntu Developer Tools

On Wed, 2009-01-14 at 14:54 +0000, Jonathan Davies wrote:
> So far the tool looks for:
>
> 1) See if a $LPCREDENTIALS variable has been set and use that file,
> 2) If there is a lp_credentials.txt file in the current directory,
> 3) A default path (in this case ~/.cache/lp_credentials.txt).
>
> For all the files it finds; it searches through them until it finds the
> right consumer key for a token and uses that for authentication
> (ubuntu-dev-tools for requestsync, for example).

Ok, thanks.

I hadn't realised you could store more than one set of credentials in
a file.

> > What happens if the user doesn't have credentials set up? Does the tool
> > ask them to run manage-credentials?
>
> I've improved the error message so that it asks people to see the
> manage-credentials manpage.

Thanks.

> > Also, has there been any thought to allowing different credentials for
> > different tools? requestsync obviously needs write access, but not to
> > private data, other tools won't need write access, and some may need
> > access to private data.
>
> I think that having just write access to public data would be enough for u-d-t.
> However people can create new tokens with m-c if they need it.

On the principle of least privilege, if something doesn't need write
access then it shouldn't be given write access.

I agree that private data probably doesn't need to be accessed by
things currently in ubuntu-dev-tools, but I don't think that will always
be true.

For instance lpmadison will be able to query PPAs (because you only
need about 4 extra lines of code to do so), and being able to
interrogate any private PPAs you have will be useful for some.

I agree that you can create new tokens, but could we perhaps make the
experience a bit slicker? For instance if

~/.cache/lp_credentials/<script-name>.txt

exists then use that. If not then fall back to the general ones. If I
want finer grained control then I would be expected to use the
environment variable.

The script will know whether it needs write access, so perhaps if
it does it could look for "ubuntu-dev-tools-write" or similar.

Obviously this means more effort is required in setting up credentials,
so I'm not sure the last part is needed, but I think supporting
script-specific credentials like I mentioned above could be useful.

Thanks,

James



 
Old 01-14-2009, 05:58 PM
Kees Cook
 
Default Launchpadlib support in Ubuntu Developer Tools

On Wed, Jan 14, 2009 at 02:54:11PM +0000, Jonathan Davies wrote:
> I've improved the error message so that it asks people to see the
> manage-credentials manpage.

Please make sure that the tool that creates the credentials stores them in
a mode 0600 file. The API examples[1] do not mention this, and I think
it's an important bit of protection.

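While playing with lplib for security team work, I took this a step
further and even made the directory unreadable, e.g.:

import os
import sys

from launchpadlib.credentials import Credentials
from launchpadlib.launchpad import Launchpad, EDGE_SERVICE_ROOT

# Create the cache directory readable only by its owner.
cachedir = os.path.expanduser('~/.launchpadlib/cache')
if not os.path.exists(cachedir):
    os.makedirs(cachedir, 0o700)

credfile = os.path.expanduser('~/.launchpadlib/credentials')
try:
    # Reuse previously saved credentials if they load cleanly.
    credentials = Credentials()
    with open(credfile) as f:
        credentials.load(f)
    launchpad = Launchpad(credentials, EDGE_SERVICE_ROOT, cachedir)
except Exception:
    # No usable credentials: request a new token interactively.
    launchpad = Launchpad.get_token_and_login(sys.argv[0], EDGE_SERVICE_ROOT, cachedir)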


-Kees

[1] https://help.launchpad.net/API/launchpadlib

--
Kees Cook
Ubuntu Security Team
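
Added example, not part of the original thread and not ubuntu-dev-tools code: a sketch of the lookup order Jonathan describes, extended with James's per-script file and with Kees's mode 0600 requirement enforced on both read and write. The function names and the position of the per-script file (after $LPCREDENTIALS, before the general locations) are assumptions, and the credentials files themselves are not parsed.

```python
import os
import stat


def candidate_paths(script, env=None, cwd=None, home=None):
    """Lookup order from the thread; where the per-script file sits is an assumption."""
    env = os.environ if env is None else env
    cwd = cwd or os.getcwd()
    home = home or os.path.expanduser("~")
    cache = os.path.join(home, ".cache")
    paths = [env["LPCREDENTIALS"]] if env.get("LPCREDENTIALS") else []
    paths.append(os.path.join(cache, "lp_credentials", script + ".txt"))
    paths.append(os.path.join(cwd, "lp_credentials.txt"))
    paths.append(os.path.join(cache, "lp_credentials.txt"))
    return paths


def is_private(path):
    """True only for a regular file we own with no group/other permission bits."""
    try:
        st = os.lstat(path)  # lstat: a symlink is rejected rather than followed
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
            and (st.st_mode & 0o077) == 0)


def find_credentials(script, **where):
    """Return (path, skipped): first private file found, plus files rejected as unsafe."""
    skipped = []
    for path in candidate_paths(script, **where):
        if not os.path.lexists(path):
            continue
        if is_private(path):
            return path, skipped
        skipped.append(path)  # exists but is readable by others or not ours
    return None, skipped


def write_private(path, data):
    """Write a credentials file that is mode 0600 from the moment it is created."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    tmp = path + ".tmp"
    # O_EXCL refuses a pre-existing file or symlink; the mode is set at creation,
    # so there is no window in which the token is readable by other users.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.replace(tmp, path)
```

A caller can use the `skipped` list to tell the user which files were ignored because of their ownership or permissions.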
