=== edson is now known as ecanto
=== starcraftman is now known as CanMoose
=== CanMoose is now known as starcraftman
[07:59] <stochastic> Who all is here for the Ubuntu Studio developers meeting?
[08:05] <stochastic> hmm, are any studio developers around?
[08:06] <stochastic> Looks like the lack of reminder e-mail and the non-mandatory status of the meeting killed the turnout.
[08:22] <jono> stochastic, maybe send out the reminder a week before?
[08:22] <jono> ubuntu studio is awesome :)
[08:22] <stochastic> yeah, next month I'll do that
[08:24] <jono> stochastic, :)
[08:48] <jussi01> Im here now
[08:48] <jussi01> got stuck in a work meeting
[08:48] <jussi01> stochastic: TheMuso ^
[08:52]  * TheMuso is here
[08:52] <TheMuso> But I think its a no go.
=== dholbach_ is now known as dholbach
=== ogra_ is now known as ogra
=== pgraner` is now known as pgraner
=== james_w` is now known as james_w
=== fader|away is now known as fader_
=== imlad|away is now known as imlad
=== marjomercado is now known as marjo
[15:51] <RoAkSoAx> morning
=== mhall1191work is now known as mhall119|work
=== ember__ is now known as ember
[18:04] <kees> jdstrand, mdeslaur: I'll go first?  I've still got neon to finish, and the 777 symlink thing to test
[18:05] <mdeslaur> kees: that's the nautilus glibc thing?
[18:05] <kees> well, just glib (not glibc)
[18:05] <jdstrand> glib, not glibc
[18:05] <mdeslaur> yeah, glib
[18:05] <mdeslaur> d'uh
[18:06] <kees> uhm, and I think once bug 322562 is solved, we can start on the sync-to-LP project
[18:06] <ubottu> Launchpad bug 322562 in malone "Cannot lookup bug list from CVE" [Medium,In progress] https://launchpad.net/bugs/322562
[18:07] <kees> everything else seems like it's in place.  nominations was the big missing piece, and that appears to work on edge now
[18:07] <jdstrand> cool
[18:08] <kees> I've got one item for the end of the meeting, but for tasks, I'm done.
[18:08] <jdstrand> shall I go?
[18:08] <kees> sure
=== noy_ is now known as noy
[18:09] <jdstrand> ok, well, this is going to be a busy week. I've got an openoffice.org and kdelibs update I'm working on. I started on but need to finish a gnutls regression that was reported in Debian which we are affected by (but no one has reported it in Ubuntu)
[18:10] <jdstrand> I need to update my libvirt/apparmor patch and resubmit to upstream. I'd like to get to it this week, but based on how oo.o is going so far, that may not happen
[18:11] <jdstrand> there is also a weird valgrind bug that cjwatson asked me to help out with, but again, we'll see if I can get to it
[18:11] <kees> jdstrand: I can help with the OOo build process...
[18:12] <jdstrand> kees: well, I have all that documented. I just need to rebuild my schroots
[18:12] <kees> jdstrand: yeah, well, we can take that offline
[18:12] <jdstrand> kees: the problem is patches aren't applying cleanly. I'm early in the process, so we'll see
[18:12] <kees> ugh
[18:13] <jdstrand> that's it on tasks, but I have two items at the end of the meeting
[18:14] <mdeslaur> my turn?
[18:14] <kees> yuppers
[18:15] <mdeslaur> I'm publishing openssl and openexr in a couple of minutes
[18:15] <mdeslaur> I'll take freeradius
[18:15] <kees> freeradius is just a DoS though?
[18:15] <mdeslaur> I want to work on packaging the apparmor apache2 stuff to my PPA
[18:15] <mdeslaur> kees: DoS on a network service
[18:15] <kees> mdeslaur: ah, right
[18:16] <mdeslaur> And want to investigate the aa-logprof bug
[18:16] <mdeslaur> that's it for me
[18:17] <kees> okay, item from me: reviewing sponsorship processes.
[18:17] <kees> I want to compare the security-sponsorship process to the "standard" sponsorship proceses
[18:18] <kees> the goal being to make our sponsorship work more visible to the world.  dholbach is using some of their process to track how much is happening, etc
[18:18] <kees> and we don't really show up in there.
[18:18] <kees> nothing formal, yet, but just wanted to give a heads-up for potential process changes.
[18:18]  * jdstrand nods
[18:18] <kees> that's it from me.
[18:18] <robbiew> that's a good idea
[18:19] <jdstrand> I only have one extra thing
=== greg_g is now known as greg-g
[18:19] <jdstrand> we may want to clarify the partner package tracking process
[18:20] <mdeslaur> jdstrand: good idea
[18:20] <kees> jdstrand: how so?
[18:20] <jdstrand> I'm not sure that is documented anywhwere, but I was pinged about whether we will alert partner package maintainers about it
[18:20] <jdstrand> I said 'yes', but I'm not sure it's been documented, the process, etc
[18:21] <jdstrand> oh, I did have one other thing
[18:22] <kees> we're not exporting issues in partner packages yet...  http://people.canonical.com/~ubuntu-security/cve/pkg/opera.html
[18:22] <kees> but I know we can look them up.
[18:22] <kees> oh, maybe opera doesn't have any at the moment
[18:23] <jdstrand> in UCT it seems that for dapper EOL packages, we should 'ignore' them so we can actually retire those CVEs. as it is, nothing will ever retire in UCT cause dapper is there
[18:23] <jdstrand> kees: we don't have opera anymore
[18:23] <jdstrand> adobe-flashplugin would be one
[18:23] <kees> ah, right.  ok, I take it back.  we *are* exporting details: http://people.canonical.com/~ubuntu-security/cve/pkg/sugarcrm.html
[18:23] <kees> http://people.canonical.com/~ubuntu-security/cve/pkg/adobe-flashplugin.html
[18:23] <jdstrand> kees: ah, so I can just point the maintainers to that and we are done
[18:23] <jdstrand> kees: I like that
[18:23] <kees> jdstrand: right, that's why I created them.
[18:24] <kees> on my todo list is to also publish an RSS feed, but... it's low priority
[18:24] <jdstrand> kees: cool, I'll follow up and document that somewhere
[18:24] <kees> sweet
[18:24] <jdstrand> kees, mdeslaur: what do you think about the dapper EOL stuff?
[18:25] <jdstrand> ideally, I think it needs to be automated with check-cves
[18:25] <kees> jdstrand: "stuff" being what?
[18:25] <jdstrand> 12:21 < jdstrand> oh, I did have one other thing
[18:25] <mdeslaur> well, is dapper desktop EoL as in "dead", or is it now reverted to the community
[18:25] <jdstrand> 12:23 < jdstrand> in UCT it seems that for dapper EOL packages, we should  'ignore' them so we can actually retire those CVEs. as it is,  nothing will ever retire in UCT cause dapper is there
[18:25] <kees> mdeslaur: community
[18:26] <ScottK> kees: I disagree.
[18:26] <kees> jdstrand: oh, sorry, I jumped over that while digging up URLs  :)
[18:26] <mdeslaur> if it's community, then the CVEs shouldn't be marked "ignored"
[18:26] <ScottK> It's got to be dead.
[18:26] <jdstrand> I was under the impression dead
[18:26] <kees> okay, I'll take "dead".  :)
[18:26] <jdstrand> I mean, if someone really wants to submit a patch, we can process it, but I think that should be the exception
[18:26] <mdeslaur> ScottK: if that's the case, what happens to all the stuff in universe that depend on stuff that's now "dead" in main?
[18:27] <ScottK> It's dead too, IMO.
[18:27] <ScottK> I'd like it if it could be moved to old-releases now, but I understand that's technically problematic.
[18:27] <jdstrand> if it is not dead, then we need to make sure all of our reporting is very accurate
[18:27] <mdeslaur> hmm...so do we consider all of dapper universe as being "dead"?
[18:28] <jdstrand> I have looked at it, but would imagine there are issues in our reporting
[18:28] <ScottK> If the policy isn't clear to you two, then maybe the tech board needs to clarify
[18:28] <jdstrand> s/have/haven't/
[18:28] <ScottK> two/three
[18:28] <kees> my take was that it simple moved out of "commercially supported".
[18:28] <jdstrand> well, the desktop is considered EOL
[18:28] <jdstrand> gutsy is EOL
[18:29] <kees> so, while I'd be okay with "dead" since it simplifies tracking (kind of), the reality of the situation is that the package still exists, and is still vulnerable.
[18:29] <jdstrand> the two should mean the same thing-- dead
[18:29] <ScottK> My take is "Dumped on the community" is not a good plan.
[18:29] <mdeslaur> so the question is: is dapper universe "Dead/EoL" also?
[18:29] <kees> jdstrand: actually, that language just suddenly convinced me.
[18:29] <jdstrand> it only still exists because the archive can't handle moving it
[18:29] <kees> we have declared dapper desktop EOL, which is the same as "out of the tracker"
[18:29] <ScottK> Just to make it more fun, next month Kubuntu Hardy is EOL, but Ubuntu isn't.
[18:29] <ScottK> Good luck figuring that one out.
[18:30] <kees> ScottK: ooh, I'd forgotten about that.
[18:30] <mdeslaur> ScottK: oh!
[18:30] <jdstrand> ScottK: thank you for pointing that out, I don't think any of us were thinking about it :)
[18:30] <kees> ScottK: it should be possible-ish to do it in the same way we did dapper desktop eol: static package lists
[18:30] <ScottK> Then I never have to worry about KDE3 again.....
[18:30] <kees> heh
[18:31] <mdeslaur> uhm...kde packages are part of Ubuntu also, which we support
[18:31] <ScottK> Yep.
[18:31] <kees> ScottK: <random>do you happen to know who to poke about fridge schedules?  this meeting is on the fridge iCal, but doesn't show up on the website.
[18:31] <ScottK> I'm really not sure how you handle it.
[18:31] <mdeslaur> I don't see how we can stop support for kde packages if they're in main
[18:31] <ScottK> kees: Nope.
[18:31] <kees> ok
[18:31] <jdstrand> mdeslaur: we'll just need to look at them and see if there is something we can/should do
[18:32] <mdeslaur> jdstrand: what do you mean?
[18:32] <ScottK> Once again, I don't know what the policy is, but someone ought to decide.
[18:32] <jdstrand> mdeslaur: I mean I don't think we'll solve what is supported or not in this conversation :P
[18:32] <mdeslaur> jdstrand: ah! well, me either :P
[18:33] <jdstrand> we also need to look at the language of the Kubuntu release and consult slangasek once we have a grasp of the issues
[18:33]  * kees nods
[18:33] <jdstrand> so, dapper?
[18:33] <ScottK> EOL
[18:33] <mdeslaur> dapper universe?
[18:34] <ScottK> EOL if it needs X
[18:34] <jdstrand> EOL/dead +1 (it's been in all documentation and release notes)
[18:34] <kees> dead +1, but I don't yet have any idea how to correctly "show" this automatically in ubuntu-cve-tracker
[18:35] <jdstrand> like I said, the formal policy should be 'dead'. if someone is inclined to give a patch, we can process without USN if required
[18:35] <ScottK> Implementation detail.
[18:35]  * kees nods
[18:35] <jdstrand> it is an implementation detail, but that was actually my original question :)
[18:35] <kees> "ignored" means we don't care, not "not-affected", so I think it's okay.
[18:35] <jdstrand> (I had assumed everyone knew it was dead)
[18:35] <jdstrand> kees: yes, 'ignored'
[18:35] <mdeslaur> ok, ignored +1
[18:36] <jdstrand> kees: 'ignored (end-of-life)'
[18:36] <kees> jdstrand: right, but if one runs ./scripts/madison it shows up in "universe" instead of "main", though it should show up as DNE, kind-of.
[18:36] <kees> yeah
[18:36] <kees> anyway, DNE is wrong, so I'm stuck wondering how to automatically show it.  but, not important at the moment.
[18:36] <kees> jdstrand: you had another issue?
[18:36] <kees> wait, no, that was it.
[18:37] <jdstrand> kees: wrt dapper? no. I just want to make sure we fix it in the tracker so that we can a) retire things and b) ensure our reporting is valid
[18:37]  * kees nods
[18:37] <jdstrand> that is it from me
[18:38] <kees> okay, anything else?
[18:38] <jdstrand> nope
[18:38] <kees> cool, meeting over.  thanks!
[18:39] <robbiew> thnx
[18:40] <jdstrand> o/
=== Seeker`_ is now known as Seeker`
=== fader_ is now known as fader|away
=== imlad is now known as imlad|away
=== robbiew is now known as robbiew-afk