16:58 <jdstrand> #startmeeting
16:58 <meetingology> Meeting started Mon Aug 12 16:58:40 2013 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:58 <jdstrand> The meeting agenda can be found at:
16:58 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:58 <jdstrand> [TOPIC] Announcements
16:58 <jdstrand> Colin Watson (cjwatson) provided debdiffs for precise-raring for putty. Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
16:59 <jdstrand> [TOPIC] Weekly stand-up report
16:59 <jdstrand> I'll go first
16:59 <jdstrand> I'm on triage this week
16:59 <jdstrand> I've got openstack updates to do
16:59 <jdstrand> I need to test the latest upstart-app-launch
16:59 <jdstrand> I want to implement the xdg user dir support in apparmor
17:00 <jdstrand> I need to sync up with sarnold on code audits and give some to him since he is actually pretty good at completing them :)
17:00 <jdstrand> I have a number of follow-ups on application confinement discussions
17:00 <jdstrand> and patch piloting
17:00 <jdstrand> mdeslaur: you're up
17:01 <mdeslaur> I'm on community this week
17:01 <mdeslaur> I have a couple of updates that need testing
17:01 <mdeslaur> so I'll be doing that to try and get them released
17:01 <mdeslaur> I'll also try and get the list down a bit since I go on vacation next week
17:01 <mdeslaur> that's it for me
17:01 <mdeslaur> sbeattie: you're up
17:02 <sbeattie> I'm on apparmor again this week
17:02 <sbeattie> I'm currently trying to sort out what's going on after being gone on holiday and at black hat
17:02 <sbeattie> I have a bug or two in click-apparmor to fix
17:02 <jdstrand> sbeattie: we should sync up
17:03 <sbeattie> I also have a couple of black hat related items (expenses, trip report) to do
17:03 <sbeattie> jdstrand: yeah
17:03 <sbeattie> so that's pretty much it for me.
17:03 <sbeattie> tyhicks: you're up
17:03 <jdstrand> sbeattie: I took the liberty of making a few small changes to click-apparmor in support of the MIR request that I filed last week
17:03 <sbeattie> jdstrand: kewl
17:04 <tyhicks> This morning, I'll be preparing debdiffs against apparmor and dbus for AppArmor D-Bus mediation
17:04 <jdstrand> sbeattie: you might want to pull 0.1.0 from the archive into your branch and review (btw, is there an official home for it?)
17:04 * tyhicks pauses
17:04 <sbeattie> jdstrand: not really outside of the +junk tree I have
17:05 <sbeattie> we can move it to a more formal location under the security team
17:05 <jdstrand> I think we may want to have it live somewhere, but we can talk somewhere else
17:05 <jdstrand> yeah
17:05 <sbeattie> yeah, sounds good
17:05 <jdstrand> tyhicks: please proceed
17:05 <mdeslaur> help the homeless
17:05 * sbeattie presses play on tyhicks
17:05 <tyhicks> :)
17:05 <tyhicks> This morning, I'll be preparing debdiffs against apparmor and dbus for AppArmor D-Bus mediation
17:05 <tyhicks> (yeah, yeah, you've heard that before but it is for real this time :)
17:06 <mdeslaur> hehe
17:06 <tyhicks> jjohansen will be pushing a kernel patch out that enables it for all Saucy users - until then, the dbus-dev PPA kernel will still be needed for mediation to be enabled
17:06 <jdstrand> tyhicks: you mean for saucy upload?
17:06 <tyhicks> jdstrand: yep
17:06 <jdstrand> \o/
17:06 <mdeslaur> jdstrand: don't celebrate yet, it's a trap :P
17:06 <tyhicks> hehe
17:06 <mdeslaur> :)
17:06 <tyhicks> Then I'll be working on my content-hub work items
17:06 <jdstrand> you'll want to be prepared for everyone saying you broke everything :P
17:07 <tyhicks> yeah, I'll probably need to plan in some support response time
17:07 <jdstrand> probably a good idea
17:07 <tyhicks> I imagine there will be questions
17:07 <tyhicks> hopefully not too many bugs
17:07 <tyhicks> After that, I'll work with jjohansen to add necessary APIs to libapparmor that allow trusted helpers to operate on AppArmor label sets
17:07 <jdstrand> well, there may be no bugs-- doesn't mean you won't get blamed :P
17:08 <tyhicks> true :)
17:08 <tyhicks> Finally, I need to revise the dbus regression tests in the apparmor source tree for upstream approval and I also need to add tests for proper apparmor delegation when passing fds over dbus
17:08 * jdstrand was referring to that scenario in his initial comment :)
17:08 <tyhicks> I think that's it for me
17:08 <tyhicks> jjohansen: you're up
17:08 <jjohansen> I'm on apparmor again as well,
17:08 <jjohansen> I've got to finish fixing a bug in the replacedby logic that is causing crashes when we enable compound labels,
17:08 <jjohansen> I need to: look into the 3.11 flink/linkat changes http://lwn.net/Articles/562488/, push the kernel patch for the label query that dbus needs, deal with bug 1202161, prepare for Tuesday's apparmor meeting, and then perhaps get back to the current apparmor work items
17:08 <ubottu> bug 1202161 in linux (Ubuntu) "seccomp filter: execve(): Operation not permitted" [Medium,Incomplete] https://launchpad.net/bugs/1202161
17:09 <tyhicks> jjohansen: Good! I've been meaning to make sure you're aware of flink/linkat
17:10 <tyhicks> I couldn't think of any potential problems for apparmor, but I'm sure that you can :)
17:10 <jjohansen> tyhicks: well I remember seeing it, and making myself a note that got lost in all the other notes
17:11 <jjohansen> yes it is going to rework some work around our link rules
17:11 <jjohansen> but, I need to trace the security hooks because I don't think they are sufficient to mediate it
17:12 <jjohansen> or, more correctly, currently only the inode hook is mediating it
17:12 <tyhicks> ah
17:13 <jjohansen> anyways, that's it from me. sarnold: you're up
17:13 <jdstrand> sarnold: hold on a sec
17:14 <jdstrand> jjohansen: I didn't recognize the IPC work items in your list this week-- would it be helpful/possible to shuffle some work around to free up some time?
17:15 <jjohansen> jdstrand: sorry that is the "current apparmor work items" bit
17:15 <jdstrand> jjohansen: related: flink/linkat is for 3.11-- are we going to ship 3.11 in 13.10 and if not, is that something we can/should put on the backburner for a bit?
17:15 <jjohansen> jdstrand: saucy will be 3.11
17:15 <jdstrand> ok
17:16 <jjohansen> that isn't to say I won't go only as far as getting the info to file a bug on this item for this week, and deal with it later
17:16 <jdstrand> oh, why was I thinking we had 3.10 still
17:17 <tyhicks> I think the switch just happened
17:17 <jdstrand> oh, hah, cause it happened today :)
17:18 <jjohansen> jdstrand: no the switch happened last week when tim rebased to -rc4
17:19 <jjohansen> we had issues in the 3.11 kernel where I couldn't even get the machine to boot in -rc2, and the kt was shaking out a couple issues in -rc3
17:19 <jdstrand> maybe-- but I see 3.10.0-6.17 was only superceded a little while ago
17:20 <jdstrand> (in saucy release)
17:20 <jdstrand> anyhoo, doesn't matter
17:20 <jdstrand> superseded
17:22 <jdstrand> jjohansen: so, aiui, you've got the stuff you listed and you don't think it will take an inordinate amount of time (something that will take longer will be planned/done later) and you plan to work on ipc still?
17:22 <jdstrand> is that accurate?
17:22 <jjohansen> jdstrand: yes
17:22 <jdstrand> ok, cool, thanks. sorry if I was being dense :)
17:22 <jdstrand> sarnold: you're up
17:24 <sarnold> I'm in the happy place this week; I've got (at least one) MIR audit (click-apparmor), and I've grabbed an update for maas to do. I may steal some of jdstrand's MIR audits as needed.
17:24 <sarnold> and of course, if there are apparmor patches posted, reviewing them will be my top priority.
17:25 <sarnold> I believe that's me
17:25 <sarnold> chrisccoulson: you're up
17:25 <chrisccoulson> hi
17:25 <chrisccoulson> last week, i got firefox and thunderbird out. everything's been pretty quiet since then, which I'll assume is a good thing :)
17:25 <jdstrand> \o/
17:26 <mdeslaur> chrisccoulson: did you see my critical firefox bug?
17:26 <sarnold> \o/
17:26 <chrisccoulson> also, i added support for multiple browser contexts to oxide, which hopefully means that it's possible to have webviews with different profile folders now :)
17:26 <jdstrand> neat :)
17:26 <sbeattie> \o/
17:26 <mdeslaur> \o/
17:27 <jdstrand> chrisccoulson: that reminds me, I owe you and ubuntu-devel@ an email regarding oxide
17:27 <sarnold> very cool :)
17:27 <jdstrand> (that was one of the things I was planning to follow-up on this week)
17:27 <chrisccoulson> i'm still working on the user script support, which i plan to continue this week. i wanted to get the browser context stuff out of the way first, as i'm making user scripts per-context rather than per-webview, and i didn't want to have to refactor everything later on :)
17:28 <chrisccoulson> i'm not sure if anyone has been following https://code.launchpad.net/~chrisccoulson/oxide/oxide.trunk ?
17:28 <sarnold> sorry, no
17:28 <chrisccoulson> that's ok ;)
17:28 <chrisccoulson> i think that's me done
17:28 <mdeslaur> chrisccoulson: wow, a lot of work in there
17:29 <chrisccoulson> mdeslaur, yeah, it's slowly getting there :)
17:30 <jdstrand> [TOPIC] Highlighted packages
17:30 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:30 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ngircd.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/glusterfs.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/shibboleth-sp2.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/qpid-python.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/darktable.html
17:30 <jdstrand> [TOPIC] Miscellaneous and Questions
17:31 <jdstrand> sarnold pointed out that the community supported drupal7 packages could use some attention on earlier releases (particularly 12.04). See http://people.canonical.com/~ubuntu-security/cve/pkg/drupal7.html for details.
17:31 <jdstrand> Does anyone have any other questions or items to discuss?
17:37 <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks!
17:37 <jdstrand> #endmeeting