#title #ubuntu-meeting Meeting

Meeting started by jdstrand at 18:16:28 UTC. The full logs are available at http://ubottu.com/meetingology/logs/ubuntu-meeting/2011/ubuntu-meeting.2011-11-07-18.16.log.html .

== Meeting summary ==

''LINK:'' https://wiki.ubuntu.com/SecurityTeam/Meeting (jdstrand, 18:16:37)
 *Announcements
 *Weekly stand-up report
 *Highlighted packages
''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/lastfm.html (jdstrand, 18:30:52)
''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/yaws.html (jdstrand, 18:30:56)
''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/libmojolicious-perl.html (jdstrand, 18:30:59)
''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/tinyproxy.html (jdstrand, 18:31:02)
''LINK:'' http://people.canonical.com/~ubuntu-security/cve/pkg/gromacs.html (jdstrand, 18:31:05)
 *Miscellaneous and Questions

Meeting ended at 18:56:20 UTC.

== Votes ==

== Action items ==

 * (none)

== People present (lines said) ==

 * jdstrand (55)
 * mdeslaur (21)
 * broder (10)
 * tyhicks (10)
 * micahg (9)
 * jjohansen (9)
 * sbeattie (8)
 * meetingology (3)
 * ubottu (1)

== Full Log ==

18:16:28 #startmeeting
18:16:28 Meeting started Mon Nov 7 18:16:28 2011 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/AlanBell/mootbot.
18:16:28
18:16:28 Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:16:35 The meeting agenda can be found at:
18:16:37 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:17:23 [TOPIC] Announcements
18:17:31 Team attended UDS last week. It was a very busy week and we have a lot to do. For details, see http://summit.ubuntu.com/uds-p and our blueprints at https://blueprints.launchpad.net/ubuntu?searchtext=security-p
18:17:45 [TOPIC] Weekly stand-up report
18:17:48 I'll go first
18:18:04 I have a bunch of updates I am working on, so will continue with those
18:18:15 I've got a bit of an email backlog that I need to tend to
18:18:28 I'm also going through my merges today, and getting to some of them
18:18:36 I will be patch piloting this week
18:18:54 and then there is UDS aftermath (eg, discussing work items, prioritizing, etc)
18:19:01 that's it from me
18:19:05 mdeslaur: you're up
18:19:29 I'm currently testing tomcat6 updates, hopefully I'll get them out today or tomorrow morning.
18:19:39 I'm also working on some embargoed issues
18:19:48 and have a few more packages to test that are ready to publish
18:20:39 This week, we'll be going through the blueprints and assigning and prioritizing work items...We'll talk more about that once everyone has done their status report
18:20:50 that's it from me. sbeattie, you're up
18:20:57 I'm on triage this week
18:21:51 I've got updates for openjdk, apache, and squid that I need to test and publish, with more in the pipeline.
18:22:11 I also need to do a bit of post UDS cleanup
18:22:27 I think that's it for me
18:22:30 micahg: poke
18:24:26 I've got Mozilla updates, short week (off Wed and Thu), have to look into the DigiCert issue that Mozilla posted to see if we need other updates for it, some Chromium testing, that's it for me
18:25:57 I guess that's me up then
18:25:57 I have some kernel work flow (2 kernels), an email backlog, UDS aftermath (work item priorities, and apparmor ml follow on discussions), bug #810270, and starting on policy stacking
18:26:00 Launchpad bug 810270 in openldap (Ubuntu Oneiric) "AppArmor profiles need updates for /var/run → /run and /var/lock → /run/lock and /dev/shm → /run/shm" [High,Fix released] https://launchpad.net/bugs/810270
18:26:17 ah gah, wrong bug#
18:26:46 now /me has to dig through the bugs instead of notes
18:27:19 hehe
18:27:41 anyways it's the alias bug cboltz brought up
18:27:45 * sbeattie marks jjohansen down for post-UDS organizational cleanup, too.
18:28:08 hehe, yeah
18:28:58 tyhicks: you're next
18:29:01 ack
18:29:05 I'm in the happy place this week
18:29:12 I've got a little bit of a start on a freetype update. I'll finish up that one before moving onto the rest of my security update queue
18:29:15 I need to finish testing a couple eCryptfs fixes and get them applied upstream A
18:29:24 ASAP*
18:29:41 I've got an ubuntu-security-sponsors update that spilled over from last week, while at UDS, that I want to get to before mdeslaur does
18:29:47 jdstrand: that's it
18:29:55 oh! yeah, I'm on community this week also
18:30:21 cool, thanks
18:30:28 [TOPIC] Highlighted packages
18:30:33 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/Securi
18:30:52 http://people.canonical.com/~ubuntu-security/cve/pkg/lastfm.html
18:30:56 http://people.canonical.com/~ubuntu-security/cve/pkg/yaws.html
18:30:59 http://people.canonical.com/~ubuntu-security/cve/pkg/libmojolicious-perl.html
18:31:02 http://people.canonical.com/~ubuntu-security/cve/pkg/tinyproxy.html
18:31:05 http://people.canonical.com/~ubuntu-security/cve/pkg/gromacs.html
18:31:18 [TOPIC] Miscellaneous and Questions
18:31:21 jdstrand: your blurb got truncated there ^
18:31:27 meh
18:31:38 The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:31:43 See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:31:53 Does anyone have any other questions or items to discuss?
18:32:14 jdstrand: shall we discuss blueprints/work items now?
18:32:30 mdeslaur: sure, go for it
18:32:43 * jdstrand hands the mic to mdeslaur
18:32:55 is this on?
18:33:00 hehe
18:33:16 * jdstrand actually heard the tap in his head. kinda weird
18:33:29 so, this week we'll be going through the blueprints to 1- assign work items, 2- prioritize work items
18:34:29 jdstrand, sbeattie, micahg, tyhicks, jjohansen: could you please go through your blueprints and create work items for the ones that currently don't have any? This needs to be done before Wednesday so we can then prioritize them
18:34:48 also, if you see work items you would like, please mark your name next to them to make it easier once we go down the list
18:34:53 mdeslaur: not before Wed, I can do it Friday
18:35:10 jdstrand: ack
18:35:14 mdeslaur: ack
18:35:40 mdeslaur: ack
18:35:43 jdstrand: perhaps you meant mdeslaur?
18:35:49 :)
18:35:49 hah
18:35:51 mdeslaur: ack
18:35:52 jjohansen: No, he's talking to himself again :)
18:35:53 in particular, the following don't currently have work items: https://blueprints.launchpad.net/ubuntu/+spec/security-p-ecryptfs , https://blueprints.launchpad.net/ubuntu/+spec/security-p-mozilla-lts , https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
18:35:56 jjohansen: ;)
18:36:08 I've got the last one
18:36:15 I have the middle one :)
18:36:16 I've got the eCryptfs one
18:36:30 mdeslaur: okay
18:36:31 no fistfights, how nice :)
18:36:55 micahg: can you at least do a quick first pass on that bp? I don't think there is a ton and it will help mdeslaur
18:37:17 (Friday is too late for the release status meeting)
18:37:30 micahg: if not, we can do a first pass
18:37:30 ACK, will try
18:37:32 so, on Wed, we'll be going down the list and making sure they're assigned to the right people, and prioritizing them
18:38:05 micahg: that's why firefox and chromium are written in C, to give you time to do other stuff while they are compiling... :)
18:38:50 ok, that's it for me
18:38:57 * mdeslaur hands mike back to jdstrand
18:39:20 mdeslaur: thanks!
18:39:29 anything else?
18:39:46 md5 stuff?
18:39:58 or we can save it for next week
18:40:35 micahg: what would you like to talk about md5 stuff?
18:41:41 about the possibility of enabling a warning in certain libraries that md5 is being used and that it might be insecure if that's in a security context for the duration of the alphas in precise
18:43:46 micahg: that is a work item in the catch-all. we left it that it would be prioritized with the others, and depending on how it is prioritized, go from there
18:43:58 ok
18:44:27 o/ re: backports stuff
18:44:36 broder: go ahead
18:44:43 broder: and hello :)
18:44:48 * broder waves
18:45:05 we're now generating a report of backports that have been superseded by security or stable updates: http://people.ubuntuwire.org/~broder/rebackporter/rebackports.json
18:45:10 (code in lp:~broder/+junk/rebackporter)
18:45:24 (html-friendly report to come as soon as harvest starts importing again)
18:45:38 broder: cool!
18:45:45 broder: excellent! thanks :)
18:46:17 state of things looks mostly good. i'm going to be following up with the backports team to try and establish policies for security/SRU backports going forward
18:46:50 broder: sounds awesome. thanks to you, tumbleweed and the other backporters on following up on this. we'll adjust that work item accordingly
18:46:52 for the ones where the source release of the backport is deprecated, we don't have the manpower to test replacing them with a backport from a current release, so my proposal is to use the deprecated release as being strictly better than what's in backports now
18:47:25 and for all of them, i'm going to advocate reducing the testing requirements from our usual backports requirements so we can try and reduce the friction of getting them in
18:48:14 broder: I wonder if removing these types of backports would make sense, so others won't get them (since, by your admission, they aren't really maintainable any more)
18:48:51 hmm...yeah, that seems like it could be a reasonable option as well
18:49:29 hrm, at least having them there allows the possibility of them being manually patched for security issues
18:49:56 nothing saying someone can't still provide said update at a later date
18:49:57 if they're not there and someone wants them, they can request a backport from a supported release
18:50:14 (or do what micahg said)
18:50:37 right, though for most of these (e.g. libvirt) the burden of backporting them (and testing reverse-dependencies) from a stable release is much higher than just cherry-picking updates
18:51:38 yep. I gave tumbleweed some pointers on trying to get the lucid libvirt going on hardy, but that is going to be a hairy update
18:52:35 but that is a corner case-- most aren't like that
18:53:46 are there any other items to discuss with the security team?
18:56:13 mdeslaur, sbeattie, micahg, tyhicks, jjohansen: (and broder) thanks!
18:56:20 #endmeeting

Generated by MeetBot 0.1.5 (http://wiki.ubuntu.com/AlanBell/mootbot)