[03:28] UBUNTU AND LINUX ARE CANCER IN A SENSE IF YOU USE IT YOUR BODY WILL GET SEPSIS AND YOU WILL GET CANCER EVERYWHERE IN YOUR BODY
[03:28] !ops
[03:28] Help! Seveas, Hobbsee, LjL, ompaulafk, Keybuk, mdz, sabdfl, janimo, ogra, mdke, dholbach, or jono
=== noy_ is now known as noy
=== asac_ is now known as asac
=== dholbach_ is now known as dholbach
=== freeflyi1g is now known as freeflying
=== fader|away is now known as fader_
=== mhall1191work is now known as mhall119|work
=== DJones__ is now known as DJones
=== akgraner` is now known as akgraner
=== robbiew_ is now known as robbiew
=== highvolt1ge is now known as highvoltage
=== ogasawara_ is now known as ogasawara
=== \vish is now known as mac_v
=== mac_v is now known as \vish
=== fader_ is now known as fader|away
=== fader|away is now known as fader_
=== yofel_ is now known as yofel
[18:01] kees: meeting today?
[18:07] kees: meeting!
[18:07] o/
[18:07] \o
[18:08] \o
[18:08] sorry, lost in email backlog
[18:08] \o/
[18:08] kees: as all of us
[18:09] so, uhm, I drank a fair bit and then tried to push compiler hardening bits in Debian. for this week, I'll take krb5 and continue to follow some of the community sponsorship requests.
[18:10] heh
[18:11] I'll take php5 and gimp, and will start the screenlocking debugging wiki page this week
[18:11] I'm still digging through backlog
[18:11] I'm on triage also
[18:11] mdeslaur: sorry about the state of bugs. I managed to keep on top of CVE triage, though. :P
[18:11] kees: np!
[18:12] I plan to do some merges as well as some work on essential bps. I'll pick up an update if needed
[18:12] s/if/as/
[18:13] that's it from me
[18:13] I suppose I could be slightly more specific
[18:14] I hope to finish security-lucid-sponsorship-review
[18:14] then look at apparmor stuff and the 0.7.5 libvirt merge
[18:14] jdstrand: for sponsorship processes, I have some questions now that I've followed it a few times.
[18:14] then decide how to tackle the libvirt items
[18:15] kees: ok
[18:16] if that's it on status, then I'll dive into my sponsorship questions?
[18:16] kees: please do
[18:17] ok, so, following https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue
[18:17] I had two hats: reviewer ("sponsor"?) and Uploader.
[18:17] first question is: at what point should the ubuntu-security-sponsors team be unsubscribed from a bug?
[18:18] (the only case seems to be when the patch needs work)
[18:19] should it be unsubbed when it's been uploaded?
[18:19] kees: that is correct
[18:19] though we will mark syncs as Invalid
[18:19] and also Fix Released
[18:19] hrm
[18:19] both of those drop the bug off the sponsors radar
[18:20] kees: I started to do the whole separated process that I am sure you are thinking of
[18:20] ok, so Invalid and Fix Released, but ubuntu-security-sponsors stays sub'd.
[18:20] kees: that is how it currently is, but ubuntu-security-sponsors could be unsub'd in those cases, but I don't see a real need for that
[18:21] ah! wait, I think I see the source of my confusion.
[18:21] the All open link will show bugs that are invalid when there are other open statuses for a bug.
[18:22] so, in the case of multiple releases, it gets confusing.
[18:22] I didn't opt for the separated process because that is geared for larger teams-- in practice, we and motu-swat will be doing the reviewing-- so I kept it simple for now
[18:22] kees: as in New for Lucid and Invalid for Jaunty?
[18:22] kees: that may be a bug in LP
[18:22] nxvl: right, or like bug 431080, where one part is In Progress (which doesn't need ubuntu-security-sponsors subbed) and others are fix released and invalid.
[18:22] Launchpad bug 431080 in drupal5 "Fix critical security issues in drupal packages" [Undecided,In progress] https://launchpad.net/bugs/431080
[18:23] kees: I am writing a tool today, similar to pull-in-progress.py that will make it a bit easier to see
[18:23] hrm, why does 481631 still show up?
[18:23] what needs work and the status of things
[18:24] kees: probably because of the upstream bug?
[18:24] jdstrand: oh, no, the query is bad. it includes Invalid and Won't Fix.
[18:24] I will adjust the wiki page.
[18:24] ok, thanks
[18:25] alright. that was basically it. multiple confusions due to the LP bug list. ;)
[18:26] oh yikes, moin just HTTP 500'd
[18:26] kees: sorry about that
[18:26] (not the 500-- I didn't have anything to do with that! ;)
[18:27] jdstrand: oh, I don't think that's your fault at all. new processes are fun to clarify. :)
[18:27] ok, so now following the "All open" link is much more sensible.
[18:27] yeah-- hence the 'Beta Available' implementation :)
[18:27] do you think "In progress" should be removed from the list too, since that means the patch writer needs to work on it more?
[18:28] kees: I don't, cause 'All' is supposed to convey all open bugs
[18:28] ok, sounds good.
[18:29] plus, it also could mean that the bug has been uploaded to the ubuntu-security-proposed ppa, and needs to be pocket copied to -proposed
[18:29] so I wouldn't want to hide it
[18:30] (section '4.2 Uploads')
[18:30] ah! yes, just noticed that.
[18:31] ok, so, with bug 446838, what's the next step?
[18:31] Launchpad bug 446838 in squirrelmail "Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier" [High,Fix committed] https://launchpad.net/bugs/446838
[18:31] we got a NACK on the hardy patch
[18:31] s/patch/package/
[18:31] * jdstrand looks
[18:33] kees: ok, so 'klumpen' said the patch doesn't work. that is not enough detail...
[18:34] kees: ultimately though, this is in -proposed and for ubuntu-sru to handle using their processes
[18:34] that was my thought too.
[18:34] kees: see '5. Verification'
[18:34] (I can do a verification for karmic, but not hardy)
[18:35] kees: basically, once it goes from ubuntu-security-proposed to -proposed, ubuntu-sru takes it from there
[18:35] ok
[18:35] that may sound somewhat contentious, but this won't happen for packages in main, and ScottK said that this is the process to use for universe
[18:36] it continues to show up on the "open" list, but I guess that's ok.
[18:36] regardless, I'm happy with the process.
[18:36] kees: we could theoretically unsub ubuntu-security-sponsors at the point that ubuntu-sru has it, but I thought that since the processes are still being defined and people getting used to them, we should keep our eyes on the bug
[18:37] s/defined/fine-tuned/
[18:37] yeah, and I think dholbach wants "finished" sponsorships to retain the sponsorship team for his reports.
[18:37] Sometimes pitti will push updates out if a particular release isn't tested if the risk seems low.
[18:37] ScottK: yeah, but do things get deleted from -proposed if someone NAKs?
[18:38] Generally the idea is they get superseded by a fixed update.
[18:38] okay
[18:38] They should, but I don't know that they always do.
[18:38] next up: http://piware.de/workitems/security/lucid/report.html
[18:38] that graph shouldn't include weekends and holidays. ;)
[18:38] I am pretty sure that if something doesn't supersede it, it will get deleted
[18:39] it is a manual process of course
[18:39] and I don't know how often that happens, but istr seeing it
[18:39] kees: heh
[18:39] so, to keep us in line with the burndown, we need to either finish stuff or postpone stuff.
[18:40] kees: well yes, but I thought we discussed that we weren't going to overly fret over the burndown-- has that changed?
[18:40] I already postponed all the "low", so I'm going to start fishing for "medium" stuff.
[18:40] jdstrand: I'm not going to fret at all -- the fact that we're postponing stuff directly reflects that we don't have time for some things.
[18:40] (I remember the 'low' discussion)
[18:41] I think it's appropriate to choose that which gets tossed out.
[18:41] ok
[18:41] and if we work from the lowest priority up, that reflects our commitment to essential workitems.
[18:42] keep in mind, I am doing dev work this week-- I hope to make some progress on my items :)
[18:42] to that end, I'd like us to run down the workitems assigned to people outside our team first, and then start picking stuff from our medium list to postpone.
[18:42] jdstrand: yup, that's great. :)
[18:42] I'd like us to be in line by friday's review.
[18:43] kees: well, with coffeedude, I'm not sure how much we can encourage it gets done. likewise is on their own timeframe. ttx may know more about it
[18:43] jdstrand: should we ping coffeedude.jerry?
[18:43] *one mind*
[18:43] heh
[18:43] ok, cool.
[18:44] next is jjohansen and 'clean up on pam_apparmor'
[18:44] * kees nods
[18:44] (also a 'medium')
[18:44] I already postponed kirkland's item. :)
[18:44] ah, yeah I have been meaning to get to that but not for alpha2
[18:45] so yeah postpone please
[18:46] done
[18:46] ok, any questions for the security team or other items?
[18:46] it seems that the parts of sbeattie's items are getting done... ie, the wiki is started
[18:46] oh, they are postponed anyway. nm
[18:47] jdstrand: there's nothing wrong with flipping a postponed item to "done" too. it's just a matter of tracking the line for a given moment in time.
[18:48] yeah doesn't it then show up as green instead of yellow
[18:48] * kees nods
[18:50] alrighty, meeting over. thanks everyone!
[18:51] thanks kees!
=== Nafallo_ is now known as Nafallo
=== robbiew is now known as robbiew-AF
=== robbiew-AF is now known as robbiew-afk
=== mac_v is now known as \vish
=== james_w` is now known as james_w
=== robbiew-afk is now known as robbiew
=== jibouman` is now known as jiboumans
=== fader_ is now known as fader|away
=== robbiew is now known as robbiew_