16:34 <jdstrand> #startmeeting
16:34 <meetingology> Meeting started Mon Nov  4 16:34:17 2013 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:34 <jdstrand> The meeting agenda can be found at:
16:34 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:34 <jdstrand> [TOPIC] Announcements
16:34 <jdstrand> Thanks to the following individuals:
16:34 <jdstrand> Christian Biamont (christianbiamont) provided a debdiff for precise for xml-security-c (LP: #1192874)
16:34 <ubottu> Launchpad bug 1192874 in xml-security-c (Ubuntu Saucy) "heap overflow while processing InclusiveNamespace PrefixList" [Undecided,Fix released] https://launchpad.net/bugs/1192874
16:34 <jdstrand> Felix Geyer (debfx) provided debdiffs for precise-raring for libapache2-mod-fcgid (LP: #1238242)
16:34 <ubottu> Launchpad bug 1238242 in libapache2-mod-fcgid (Ubuntu Lucid) "CVE-2013-4365: possible heap buffer overwrite" [Undecided,New] https://launchpad.net/bugs/1238242
16:34 <jdstrand> Felix Geyer (debfx) provided debdiffs for precise-raring for ejabberd (LP: #1239307)
16:34 <ubottu> Launchpad bug 1239307 in ejabberd (Ubuntu Lucid) "Allows SSLv2 and weak ciphers" [Undecided,New] https://launchpad.net/bugs/1239307
16:34 <jdstrand> christianbiamont, debfx: Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
16:35 <jdstrand> [TOPIC] Weekly stand-up report
16:35 <chrisccoulson> hi!
16:35 <jdstrand> I'll go first
16:35 <jdstrand> I'm on triage this week
16:36 <jdstrand> I've got quite a few things to catch up on from being at the sprint last week
16:36 <jdstrand> also I need to process/communicate outcomes from sprint next week
16:36 <jdstrand> in general, there shouldn't be any surprises for our team
16:37 <jdstrand> nothing major was added to our plans for 14.04 and 14.10
16:38 <jdstrand> I will be doing a click-apparmor upload to sponsor a fix for cjwatson. I'm getting some CI testing going around click-apparmor which is why I haven't updated it yet
16:38 <jdstrand> I hope to have that today or tomorrow at the latest
16:38 <jdstrand> I know tyhicks wants me to sponsor an apparmor upload
16:38 <jdstrand> I think that's it for me
16:38 <jdstrand> mdeslaur: you're up
16:38 <mdeslaur> hi! I'm on community this week
16:39 <mdeslaur> I'm currently pushing out libav updates
16:39 <mdeslaur> FYI, the libav and ffmpeg codebases have diverged to the point of it being unreasonable to track both using the same set of CVEs
16:39 <mdeslaur> as such, I've updated the CVEs in the tracker
16:39 <jdstrand> oh, interesting
16:39 <jdstrand> mdeslaur: updated as in, updated the boilerplate?
16:40 <mdeslaur> jdstrand: as in added README.libav, killing the boilerplate, and marking existing cves as ignored or not-affected for libav
16:40 <jdstrand> cool
16:40 <mdeslaur> we shouldn't track ffmpeg CVEs as affecting libav
16:41 <jdstrand> I noticed libav is now in universe in trusty
16:41 <sarnold> does kurt agree?
16:41 <mdeslaur> tomorrow I'm off, and further down this week, I plan on finishing my merges and picking up some more updates
16:41 <mdeslaur> sarnold: no idea
16:42 <mdeslaur> sarnold: but the CVE descriptions never had "libav" in them
16:42 <mdeslaur> and I can't track vulnerabilities/commits across them
16:42 <mdeslaur> and libav is committing a whole slew of independent security fixes now without asking for CVEs
16:44 <mdeslaur> anyway, that's it from me
16:44 <mdeslaur> sbeattie: you're up
16:45 <mdeslaur> hrm, sbeattie seems to be MIA
16:45 <tyhicks> I'll go
16:45 <tyhicks> I'll wrap up a pending apparmor upload today and hand it off to jdstrand (thanks!)
16:45 <tyhicks> Then I need to look into an ecryptfs/apparmor kernel bug that I hit last week
16:46 <tyhicks> I also have some merges that I need to do
16:46 <tyhicks> oh, and I need to look at enabling yama on the mobile kernels
16:47 <tyhicks> that's it for me
16:47 <tyhicks> jjohansen: you're up
16:48 <tyhicks> sarnold: let's go to you
16:48 <sarnold> hehe
16:49 <sarnold> it appears I'm in my happy place again this week \o/
16:49 <sarnold> I've been getting the hang of both canonistack and smo ser's virtual maas deployment scripts with an eye towards being able to do some maas update testing
16:50 <sarnold> I've prepared new versions of the maas updates for release hopefully this week -- it depends if the -proposed updates have moved into the -updates queue yet or not.
16:50 <mdeslaur> sarnold: \o/
16:50 <sarnold> (bigjools had finished the last verification-needed test last week, so I hope the automated framework moved them through by now)
16:51 <sarnold> mdeslaur: yeah, it'll be nice to finally cross these two off the list :)
16:51 <jdstrand> which two?
16:52 <sarnold> unfortunately smo ser's older script isn't his preferred testing method, and I had trouble getting the newer script to work, but I think his older script will work well enough for a starting point for documenting how the whole thing works..
16:52 <sarnold> jdstrand: CVE-2013-1057 and CVE-2013-1058
16:52 <ubottu> ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1057)
16:52 <ubottu> ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1058)
16:52 <jdstrand> ah, two CVEs, yes (I thought you were talking about source packages)
16:53 <sarnold> ah :)
16:53 <sarnold> once this is done I may do another MIR or pick up an update, depending upon mdeslaur's preference :)
16:54 * mdeslaur consults magic 8 ball
16:54 <sarnold> chrisccoulson: your turn :)
16:54 <chrisccoulson> chromium is up to date now (had mozilla updates last week as well)
16:54 <sarnold> \o/
16:55 <jdstrand> \o/
16:55 <mdeslaur> chrisccoulson: woot!
16:55 <chrisccoulson> this week i shall be helping get people up and running with oxide
16:56 <mdeslaur> \o/
16:56 <chrisccoulson> i'm currently trying to improve the workflow for maintaining the chromium patches in oxide. there were various issues at the end of last week
16:56 <jdstrand> interesting
16:57 <chrisccoulson> other than that, i'll be back on to the usual again :)
16:57 <jdstrand> chrisccoulson: so, oxide made a big splash last week-- you should be getting the help now
16:57 <chrisccoulson> jdstrand, excellent, thanks
16:57 <chrisccoulson> jdstrand, you did a presentation didn't you?
16:57 <jdstrand> I did
16:58 <chrisccoulson> jdstrand,  how did that go?
16:59 <jdstrand> chrisccoulson: well-- most everyone realized it was the plan of record
17:00 <jdstrand> chrisccoulson: phonedations had a number of questions cause we hadn't brought them into the loop before that (though they were in the meeting in april and saw the emails on it stating it was the plan)
17:00 <jdstrand> chrisccoulson: they've done quite a bit of work on qtwebkit to make sure it works well on armhf
17:01 <chrisccoulson> ah, ok. although i can't imagine it working that well, with no jit ;)
17:01 <jdstrand> chrisccoulson: and I imagine they will also start helping out soon (eg rsalveti). but like I said elsewhere-- getting you the armhf hardware and you can do some benchmarks to give to them
17:02 <jdstrand> yeah, I don't have the details. you and rsalveti should definitely talk at some point though
17:02 <chrisccoulson> yeah, that's cool
17:02 <jdstrand> I want to update/form a new bp for oxide for this cycle
17:02 <jdstrand> we can talk more about that this week
17:03 <jdstrand> oh, yes, that is another thing I have to do-- work with mdeslaur and all of you on bps for vUDS
17:03 <jdstrand> I don't know that we'll have an oxide session-- I think the work is known. we'll discuss later
17:04 <jdstrand> chrisccoulson: did you have any other questions or anything else to report?
17:04 <chrisccoulson> jdstrand, no, i think that's me done
17:04 <jdstrand> [TOPIC] Highlighted packages
17:04 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:04 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/openjpa.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/flightgear.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/sanlock.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/rawstudio.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/lighttpd.html
17:05 <jdstrand> [TOPIC] Miscellaneous and Questions
17:05 <jdstrand> Does anyone have any other questions or items to discuss?
17:06 <jdstrand> mdeslaur, tyhicks, sarnold, chrisccoulson: thanks!
17:06 <jdstrand> #endmeeting