launchpadblog

Launchpad has supported building for riscv64 for a while, since it was a requirement to get Ubuntu’s riscv64 port going. We don’t actually have riscv64 hardware in our datacentre, since we’d need server-class hardware with the hypervisor extension and that’s still in its infancy; instead, we do full-system emulation of riscv64 on beefy amd64 hardware using qemu. This has worked well enough for a while, although it isn’t exactly fast.

The biggest problem with our setup wasn’t so much performance, though; it was that we were just using a bunch of manually-provisioned virtual machines, and they weren’t being reset to a clean state between builds. As a result, it would have been possible for a malicious build to compromise future builds on the same builder: it would only need a chroot or container escape. This violated our standard security model for builders, in which each build runs in an isolated ephemeral VM, and each VM is destroyed and restarted from a clean image at the end of every build. As a result, we had to limit the set of people who were allowed to have riscv64 builds on Launchpad, and we had to restrict things like snap recipes to only use very tightly-pinned parts from elsewhere on the internet (pinning is often a good idea anyway, but at an infrastructural level it isn’t something we need to require on other architectures).

We’ve wanted to bring this onto the same footing as our other architectures for some time. In Canonical’s most recent product development cycle, we worked with the OpenStack team to get riscv64 emulation support into nova, and installed a backport of this on our newest internal cloud region. This almost took care of the problem. However, Launchpad builder images start out as standard Ubuntu cloud images, which on riscv64 are only available from Ubuntu 22.04 LTS onwards; in testing 22.04-based VMs on other relatively slow architectures we already knew that we were seeing some mysterious hangs in snap recipe builds. Figuring this out blocked us for some time, and involved some pretty intensive debugging of the “strace absolutely everything in sight and see if anything sensible falls out” variety. We eventually narrowed this down to a LXD bug and were at least able to provide a workaround, at which point bringing up new builders was easy.

As a result, you can now enable riscv64 builds for yourself in your PPAs or snap recipes. Visit the PPA and follow the “Change details” link, or visit the snap recipe and follow the “Edit snap package” link; you’ll see a list of checkboxes under “Processors”, and you can enable or disable any that aren’t greyed out, including riscv64. This now means that all Ubuntu architectures are fully virtualized and unrestricted in Launchpad, making it easier for developers to experiment.

Since they were introduced in 2007, Launchpad’s Personal Package Archives (PPAs) have always been hosted on ppa.launchpad.net. This has generally worked well, but one significant snag became clear later on: it was difficult to add HTTPS support for PPAs due to the way that cookies work on the web.

Launchpad uses a cookie for your login session, which is of course security-critical, and because we use multiple domain names for the main web application (bugs.launchpad.net, code.launchpad.net, and so on), the session cookie domain has to be set to allow subdomains of launchpad.net. We set the “Secure” flag on session cookies to ensure that browsers only ever send them over HTTPS, as well as the “HttpOnly” flag to prevent direct access to it from JavaScript; but there are still ways in which arbitrary JS on an HTTPS subdomain of launchpad.net might be able to exfiltrate or abuse users’ session cookies. As a result, we can never allow any HTTPS subdomain of launchpad.net to publish completely user-generated HTML that we don’t process first.

We don’t currently know of a way to get ppa.launchpad.net to serve arbitrary HTML as Content-Type: text/html, but this is quite a brittle protection as there are certainly ways (used for things like installer uploads) to upload arbitrary files to ppa.launchpad.net under a user-controlled directory structure, and we don’t want the webapp’s security to depend on nobody figuring out how to convince a browser to interpret any of that as arbitrary HTML. The librarian is already on a separate launchpadlibrarian.net domain name for a similar reason.

To resolve this dilemma, we’ve added a new ppa.launchpadcontent.net domain name which supports both HTTP and HTTPS (and similarly private-ppa.launchpadcontent.net for private PPAs, which as before is HTTPS-only). add-apt-repository in Ubuntu 22.04 will use the new domain name by default.

The old names will carry on working indefinitely – we know they’re embedded in lots of configuration and scripts, and we have no inclination to break all of those – but we recommend moving to the new names where possible. ppa.launchpad.net will remain HTTP-only.

Some systems may need to be updated to support the new domain name, particularly things like HTTP(S) proxy configuration files and no_proxy environment variables.

On 2020-08-13, we deployed an update that caused users whose full names contain non-ASCII characters (which is of course very common) to be unable to log into Launchpad. We heard about this serious regression from users on 2020-08-17, and rolled out a fix on 2020-08-18. We’re sorry about this; it doesn’t meet the standards of both inclusion and quality that we set for ourselves. This post aims to explain what happened, technical details of why it happened, and the steps we’ve taken to avoid it happening again.

The From: addresses used by Launchpad’s bug notifications have changed, to improve the chances of our messages being delivered over modern internet email.

Launchpad sends a lot of email, most of which is the result of Launchpad users performing some kind of action. For example, when somebody adds a comment to a bug, Launchpad sends that comment by email to everyone who’s subscribed to the bug.

Most of Launchpad was designed in an earlier era of internet email. In that era, it was perfectly reasonable to take the attitude that we were sending email on behalf of the user – in effect, being a fancy mail user agent or perhaps a little like a mailing list – and so if we generated an email that’s a direct result of something that a user did and consisting mostly of text they wrote, it made sense to put their email address in the From: header. Reply-To: was set so that replies would normally go to the appropriate place (the bug, in the case of bug notifications), but if somebody wanted to go to a bit of effort to start a private side conversation then it was easy to do so; and if email clients had automatic address books then those wouldn’t get confused because the address being used was a legitimate address belonging to the user in question.

Of course, some people always wanted to hide their addresses for obvious privacy reasons, so since 2006 Launchpad has had a “Hide my email address from other Launchpad users” switch (which you can set on your Change your personal details page), and since 2010 Launchpad has honoured this for bug notifications, so if you have that switch set then your bug comments will be sent out as something like “From: Your Name <bug-id@bugs.launchpad.net>“. This compromise worked tolerably well for a while.

But spammers and other bad actors ruin everything, and the internet email landscape has changed. It’s reasonably common now for operators of email domains to publish DMARC policies that require emails whose From: headers are within that domain to be authenticated in some way, and this is incompatible with the older approach. As a result, it’s been getting increasingly common for Launchpad bug notifications not to be delivered because they failed these authentication checks. Regardless of how justifiable our notification-sending practices were, we have to exist within the reality of internet email as it’s actually deployed.

So, thanks to a contribution from Thomas Ward, Launchpad now sends all its bug notifications as if the user in question had the “Hide my email address from other Launchpad users” switch set: that is, they’ll all appear as something like “From: Your Name <bug-id@bugs.launchpad.net>“. Over time we expect to extend this sort of approach to the other types of email that we send, possibly with different details depending on the situation.

Please let us know if this causes any strange behaviour in your email client. We may not be able to fix all of them, depending on how they interact with DMARC’s requirements, but we’d like to be aware of what’s going on.

Here’s a brief changelog of what we’ve been up to since our last general update.

(more…)

Here’s a brief changelog for this month.

(more…)

Here’s a brief changelog of what we’ve been up to since our last general update.

(more…)

We’ve had Git hosting support in Launchpad for a few years now. One thing that some users asked for, particularly larger users such as the Ubuntu kernel team, was the ability to set up per-branch push permissions for their repositories. Today we rolled out the last piece of this work.

Launchpad’s default behaviour is that repository owners may push anything to their own repositories, including creating new branches, force-pushing (rewriting history), and deleting branches, while nobody else may push anything. Repository owners can now also choose to protect branches or tags, either individually or using wildcard rules. If a branch is protected, then by default repository owners can only create or push it but cannot force-push or delete; if a tag is protected, then by default repository owners can create it but cannot move or delete it.

You can also allow selected contributors to push to protected branches or tags, so if you’re collaborating with somebody on a branch and just want to be able to quickly pair-program via git push, or you want a merge robot to be able to land merge proposals in your repository without having to add it to the team that owns the repository and thus give it privileges it doesn’t need, then this feature may be for you.

There’s some initial documentation on our help site, and here’s a screenshot of a repository that’s been set up to give a contributor push access to a single branch:

Here’s a brief changelog for this month.

(more…)

Here’s a brief changelog for this month.

(more…)