[18:04] <jdstrand> kees, robbiew: meeting?
[18:04]  * robbiew is here ;)
[18:04] <kees> \o
[18:04] <kees> is mdeslaur back?
[18:05]  * jjohansen waves
[18:05] <jdstrand> kees: I don't think so
[18:05] <jdstrand> he said he expected to have to miss today
[18:06] <kees> ah, ok.  let's go ahead with the meeting anyway and we can catch him up tomorrow?
[18:06] <jdstrand> sounds good
[18:07] <kees> alrighty
[18:07] <kees> I'm playing a bit with "dieharder" for testing RNGs, and will probably create a q-r-t script for it.
[18:07] <kees> it's a long-running test, but it's pretty exhaustive.
[18:07] <robbiew> RNGs?
[18:08] <kees> Random Number Generator
[18:08] <jdstrand> kees: perhaps add it to test-rng.py?
[18:08] <kees> I'd done limited RNG testing with the "rngtest" tool but that only covers FIPS-140-2
[18:08] <kees> jdstrand: yeah
[18:09] <jdstrand> test-rng.py allows you to run specific tests if you want, or all, of which dieharder could be one
[18:09] <jdstrand> kees: that is cool-- I hadn't heard of dieharder :)
[18:09] <jdstrand> kees: is rngtest part of test-rng.py now too? or did you not bother cause of dieharder?
[18:10] <kees> I may not bother given how robust dieharder is.
[18:10] <kees> on the other hand, it's super-fast.
[18:10] <jdstrand> might be fun-- you've already learned the tool
[18:11]  * kees nods
[18:11] <kees> going to try to hit some more low-hanging fruit on the updates tree, and if I have any time left, I'm going to start working on the fscaps implementation for dpkg.
[18:12] <kees> that's it from me.
[18:12] <jdstrand> I am triager and I am continuing the transmission update this week.
[18:13] <jdstrand> it looks like I won't get to the getent/passwd apparmor stuff before alpha-2
[18:13] <kees> s'okay, the infrastructure to support it is done, which is great
[18:13] <jdstrand> I plan to work on apparmor dev work for lucid, which includes alias support and the libvirt 0.7.5 merge from Debian
[18:14] <jdstrand> beyond that, I will probably pick up an update
[18:14] <jdstrand> kees: yeah-- we are looking very good wrt to tunables these days
[18:15] <jdstrand> there is a debconf question, apparmor now uses tunables/home.d and likewise-open drops a file in tunables/home.d
[18:15] <jdstrand> already that is a good improvement over previous releases
[18:15] <jdstrand> I have the method I am going to use for the passwd stuff, just need to think about whether to break it out into a separate tool, etc
[18:16] <jdstrand> that will be discussed when I get back to it
[18:16] <jdstrand> that is it from me for this week, but I have a separate item to discuss regarding our blueprints
[18:17] <jdstrand> we can come back to it later, or discuss now)
[18:17] <jdstrand> s/)//
[18:17] <kees> let's do it now.  :)
[18:17] <jdstrand> ok, so an essential item (catchall-essential iirc) has "switch apparmor Firefox profile on for Lucid dev cycle"
[18:17] <jdstrand> (fine)
[18:18] <jdstrand> (well, maybe not, but anyhoo...)
[18:18] <jjohansen> what's not fine?
[18:18]  * kees is confused too
[18:19] <jdstrand> that is a problem atm because a) I know that java is busted and audit doesn't show it as being broke because of profiling) and b) we can't do it until some lower priority blueprints are implemented
[18:19] <kees> kick it down to "high", I'd say.
[18:19] <jjohansen> which blueprints?
[18:20] <jdstrand> specifically: it requires parts of security-lucid-apparmor-usability and security-lucid-apparmor-abstractions, both 'high'
[18:20] <jdstrand> jjohansen: it's all my stuff
[18:20] <jdstrand> jjohansen: though I look forward to the ptrace fix ;)
[18:20] <jjohansen> just curious
[18:20] <jjohansen> right, that won't hit alpha2
[18:20] <jdstrand> (that isn't blueprinted-- I'm just teasing)
[18:20] <jdstrand> well, maybe you bp'd it-- I didn't
[18:21] <jjohansen> erm, I think it's a kernel work item
[18:21] <jdstrand> kees: so, yeah, marking it to high would be an option, but it is essential based on the person who suggested it
[18:22] <jdstrand> so I feel kinda stuck
[18:22] <jdstrand> (Mark said turn it on during UDS)
[18:22] <jdstrand> that came out wrong
[18:23] <jdstrand> during UDS, Mark suggested we turn the profile to enforcing
[18:24] <jjohansen> well it would be nice to have it on during alpha2
[18:24] <jdstrand> so I wasn't sure to shuffle stuff around to essential, or to bump it down to high. the java bug is a problem though
[18:24] <jdstrand> jjohansen: I haven't had time to look at the java bug at all, but I confirmed java breaks with the profile on, but there are no denials
[18:24] <jjohansen> right, we need to look at that, is it serious enough that it's not worth doing for alpha2
[18:25] <jdstrand> jjohansen: have you seen that bug?
[18:25] <ScottK> Anything that takes a Java upload is clearly too late for Alpha 2.
[18:25] <jdstrand> ScottK: no, not a java upload
[18:25] <jjohansen> just profile
[18:25] <jdstrand> the java plugin breaks and hangs firefox when the firefox profile is in enforcing mode
[18:26]  * robbiew is confused...why must we bump it down to high? is it b/c it won't make alpha2?
[18:26] <kees> jdstrand: hrm
[18:26] <kees> robbiew: I think the issue is that non-essential bps are blocking an essential bp
[18:26] <jdstrand> robbiew: an essential item depends on two items that are only high to be feasible
[18:26] <robbiew> ah
[18:26] <robbiew> ack
[18:27] <robbiew> makes sense to lower to high then
[18:27] <robbiew> regardless of who requested it ;)
[18:27] <robbiew> the only other option is get the blocking bps raised
[18:27] <jjohansen> agreed, I think it's too late to figure out the Java bug and get a fix in
[18:27] <jjohansen> it probably has a kernel component
[18:28] <jdstrand> I mean, I can turn it on right now, but it breaks the java plugin, and regular people won't know what is happening with other profile bugs cause there isn't good gui reporting
[18:28] <jdstrand> jjohansen: fyi, java bug is bug #484148
[18:28] <jdstrand> I confirmed it with openjdk
[18:29] <jjohansen> thanks
[18:29] <jjohansen> I'll take a look at it tomorrow
[18:29] <jdstrand> robbiew: the problem with raising others to essential is that the profile (excepting java) works well with Ubuntu
[18:29] <robbiew> jdstrand: right...then I guess we have our answer ;)
[18:29] <robbiew> lower it
[18:30] <robbiew> lol
[18:30] <jdstrand> robbiew: but, it is known to have problem in Kubuntu, and is untested in Xubuntu
[18:30] <jdstrand> alright
[18:30] <jjohansen> can we get the QA team to do some testing?
[18:31] <kees> jdstrand: I would like to have the firefox maintainer own this profile.
[18:32] <jjohansen> sure that would be nice
[18:32] <jdstrand> kees: yeah-- but, tbh, he is gone and the replacement isn't here yet
[18:32]  * kees nods
[18:32] <kees> just wanted to mention it.  :)
[18:32] <jdstrand> kees: and, if you consider the whole of the distro, it isn't fully baked-- it works for Ubuntu, but untested in other places
[18:33] <jdstrand> there is quite a bit more that needs to be done development-wise
[18:33] <jdstrand> I mean, if someone said "hey, assign me that bp" I'd be happy to. no one is doing that ;)
[18:34] <jjohansen> well that is why I asked if we could get QA to do some browser testing
[18:34] <jdstrand> that would be excellent
[18:35] <ScottK> Unfortunately this doesn't seem to be the sort of thing they do.
[18:35] <ScottK> (not endorsing that, just saying)
[18:35] <robbiew> yeah...but it won't hurt to ask :)
[18:36] <ScottK> Agreed.
[18:36] <jjohansen> They might be more willing if we could automate it
[18:37] <jdstrand> I'd love an automated test for firefox-- I don't have one though (requires the time to learn the tools)
[18:37] <jjohansen> yeah
[18:38] <jdstrand> anyway, the rest of the discussion can be done outside of this meeting
[18:39] <jdstrand> I just wanted to indicate a problem with the priorities and the problems with that item in general
[18:39] <jdstrand> that is it from me
[18:39] <jdstrand> kees, robbiew: ^
[18:39] <robbiew> ack
[18:41] <kees> anyone have any other questions for the security team?
[18:42] <ScottK> Probably ought to think about clamav 0.94 ->0.95 soon
[18:42] <kees> yeah
[18:42] <ScottK> AFAIK all the packages in backports are in good shape.
[18:42] <ScottK> They just need to be rebuilt against -security (clamav first and then the rdepends)
[18:43] <jdstrand> ScottK: so are you saying we are good to go with moving forward on that?
[18:43] <ScottK> Yes
[18:43] <jdstrand> ScottK: ok-- I'll take that on
[18:43] <ScottK> Great.
[18:43] <jjohansen> not a question, but dfa.minimization won't hit alpha2, it's currently buggy
[18:43] <jdstrand> ScottK: I'll contact you soonish-- I am thinking within the next week or so I get into it fully
[18:44] <ScottK> jdstrand: OK.  I'll be around.
[18:44] <jdstrand> ScottK: thanks again for all your hard work on it :)
[18:44] <jdstrand> jjohansen: ack
[18:44] <ScottK> Thanks.
[18:44] <kees> jjohansen: that's fine. cool that it's seeing progress.  :)
[18:44] <jdstrand> yeah, totally
[18:45] <ScottK> jdstrand: BTW, cemc (who has been doing most of the testing and some of the rdepends packaging) is planning on going for Ubuntu membership soon.  I hope you will endorse him.
[18:45] <jjohansen> it should hit this week, just not by tomorrow
[18:45] <kees> ScottK: I'd be happy to endorse him too (worked with him on pdns-recursor)
[18:45] <ScottK> kees: Great.
[18:45] <jdstrand> ScottK: sure, feel free to have him contact me, and I'll be sure to get him involved in this update
[18:46] <ScottK> jdstrand: OK.  Will do.
[18:46] <jdstrand> (visiably involved with me)
[18:46] <jdstrand> visibly
[18:46] <jdstrand> anything else?
[18:47] <ScottK> Not from me.
[18:47] <jdstrand> alright then, let's adjourn
[18:47] <jdstrand> kees: ^
[18:48] <kees> agreed, thanks everyone
[18:48] <jdstrand> o/
[18:49] <jjohansen> bye