/srv/irclogs.ubuntu.com/2010/03/01/#ubuntu-meeting.txt

=== NCommander_ is now known as NCommander
=== NCommander is now known as Guest88162
=== Guest88162 is now known as NCommmander
=== czajkowski is now known as cz-tab
=== cz-tab is now known as czajkowski
=== dyfet` is now known as dyfet
=== imlad_ is now known as imlad|brb
=== imlad|brb is now known as imlad_
=== bjf-afk is now known as bjf
=== yofel_ is now known as yofel
=== niko is now known as Guest79188
=== bladernr_ is now known as bladernr-afk
=== nik0 is now known as niko
[18:02] <kees> jdstrand, mdeslaur: ready for a quick meeting?
[18:02] <jdstrand> o/
[18:04] <mdeslaur> yep!
[18:05] <kees> okay
[18:06] <kees> let's see, I'm on triage this week
[18:06] <kees> and I'll try to snag a few low-hanging updates, but I've not checked the list yet.
[18:07] <kees> I made progress on testing the symlink protection kernel patch last week
[18:07] <kees> that's it from me.  jdstrand, you're up!
[18:07] <jdstrand> this is the symlink in a sticky dir where you are not the owner patch?
[18:08] <jdstrand> kees: ^
[18:09] <kees> yeah
[18:09] <jdstrand> cool
[18:09] <kees> http://people.canonical.com/~kees/0001-symlink-protection-logic.patch
[18:09] <jdstrand> so I am on community work this week
[18:09] <kees> ignore the changelog; that was just a place-holder
[18:10] <jdstrand> a few moin CVEs crept in last week, so I plan to work on it
[18:10] <jdstrand> I plan to follow-up with cemc on the clamav/hardy update to get that out this week
[18:10] <jdstrand> (he is doing testing since it is in universe)
[18:11] <jdstrand> if I have time, I'll try to get to firefox/apparmor refactoring, which I didn't get to last week
[18:11] <jdstrand> that is it from me
[18:11] <jdstrand> mdeslaur: you're up
[18:11] <mdeslaur> I'm in the happy place this week
[18:12] <jdstrand> mdeslaur: do you feel happy?
[18:12] <mdeslaur> I plan on looking over the new gnome-screensaver CVEs and have an embargoed update to test
[18:12] <mdeslaur> jdstrand: sometimes :)
[18:12] <jjohansen> and that is a happy place?
[18:13] <mdeslaur> heh
[18:13] <mdeslaur> I will also go down the list
[18:13] <mdeslaur> so, I have a couple of other things I want to talk about
[18:13] * jdstrand had one too
[18:13] <mdeslaur> jdstrand: you go first
[18:13] <jdstrand> k
[18:14] <jdstrand> kees: I didn't follow the TB meeting too closely-- where do we stand on representatives from the various teams attending our meetings and generally being aware of security issues in their packages?
[18:15] <kees> jdstrand: I haven't sent any email yet; ran out of time on friday.  I want to make a general proposal, and we'll see how that flies.
[18:15] <jdstrand> cool
[18:16] <kees> basically, TB wants to see a proposal, have it discussed in email, language adjusted, etc.
[18:16] * jdstrand nods
[18:16] <jdstrand> mdeslaur: that's it from me
[18:17] <mdeslaur> okay, so cr3 sent us the review request
[18:17] <mdeslaur> I'll take a look, and kees, will you take a look also?
[18:18] <mdeslaur> kees: you're the man with the insecure code detector built in :)
[18:18] <kees> yup, totally.  he was asking about how to manage some fifo work.
[18:19] <mdeslaur> ok, second thing is webkit...there's a zillion CVEs in it, and I wanted to start to look at them again, but then remembered that in the firefox backporting work, a newer webkit will probably get pushed to the stable releases
[18:19] <kees> err, totally help with audit; not sure I've got that detector built-in.  ;)
[18:19] <jdstrand> mdeslaur: oh? I didn't realize that was part of it. is it getting a microrelease exception?
[18:19] <kees> mdeslaur: correct; though it doesn't change KDE's use of it.
[18:20] <kees> wait, I'm suddenly confused
[18:20] <kees> firefox -> webkit?
[18:20] <mdeslaur> okay, let me explain
[18:20] <jdstrand> kees: no, but stuff in stable releases has to be migrated to webkit to get rid of xulrunner, iiuc
[18:20] <mdeslaur> in order to get rid of xulrunner, a bunch of applications in previous stable releases will get updated to versions that support webkit
[18:21] <mdeslaur> so, a recent webkit will probably get introduced to stable releases
[18:21] <mdeslaur> BUT, that's probably a one-time only thing
[18:21] <kees> ah, fun.
[18:21] <mdeslaur> what's not so good, is now webkit will probably need to be supported in hardy where it wasn't before
[18:22] <mdeslaur> I think we should call a meeting with ccheney and discuss all of this
[18:22] <kees> is webkit micro-release sane?
[18:22] <mdeslaur> kees: and yes, it won't fix the embedded webkit in kde and qt4
[18:23] <jdstrand> mdeslaur: it sounds like hardy should get whatever webkit is in lucid then-- that doesn't sound too bad from a support perspective
[18:23] <jdstrand> (ie, it doesn't add significant work for us)
[18:23] <mdeslaur> yeah, it will simplify things for the time being, as all our releases will probably have the same webkit version
[18:23] <kees> jdstrand: yeah, true
[18:24] <mdeslaur> the problem with webkit, is there are _no_ releases...it's a repository
[18:24] <jdstrand> mdeslaur: so your question is really-- should you fix webkit now, or wait
[18:24] <kees> wait, what?  no releases?
[18:24] * kees holds his face
[18:24] <mdeslaur> kees: webkit doesn't have any releases AFAIK
[18:25] <mdeslaur> so, I don't know how to add a microrelease exception for that
[18:25] <jdstrand> mdeslaur: I thought they had some concept of api (or was it abi?) though? doesn't that imply releases?
[18:25] <mdeslaur> jdstrand: yeah, I think they went from 1.0 to 1.1 at some point
[18:25] * jdstrand wonders why all the web stuff has to be so complicated
[18:25] <mdeslaur> let me investigate further
[18:26] <jdstrand> mdeslaur: to answer what I think your question was regarding updating webkit-- I think we need more info from ccheney
[18:26] <mdeslaur> jdstrand: yes, I propose we schedule a meeting with him to see what he expects to happen
[18:26] <jdstrand> mdeslaur: if it is going to be relatively soon, maybe we can get away with fixing the most serious security issues and wait
[18:27] <jdstrand> for the transition
[18:27] <kees> I think keeping lucid and hardy in sync wrt webkit is a really good idea, if we end up having a supported webkit in hardy, though.
[18:27] <mdeslaur> jdstrand: that's what we would need to figure out
[18:27] * jdstrand nods
[18:28] <jdstrand> maybe ccheney is available now...
[18:28] * jdstrand goes to look
[18:29] <mdeslaur> so, webkitgtk has a "stable" branch: http://gitorious.org/webkitgtk/stable
[18:29] <mdeslaur> but, we're way past it in lucid :P
[18:29] <jdstrand> hmmm
[18:32] <jdstrand> I asked for ccheney to join us (in #ubuntu-devel)
[18:32] <jdstrand> he's not responded yet, so maybe wait a few more minutes?
[18:32] <mdeslaur> We _need_ to meet with the webkitgtk people and try and discuss webkit security
[18:35] <ccheney> hello
[18:35] <jdstrand> hey ccheney :)
[18:35] <jdstrand> mdeslaur: fire away
[18:35] <mdeslaur> ccheney: rat-tat-tat-tat
[18:35] <mdeslaur> ccheney: hi!
[18:36] <mdeslaur> ccheney: we are discussing the large number of open CVEs that we have in webkit in our stable releases
[18:36] <ccheney> hi
[18:36] <mdeslaur> ccheney: and, I know you're doing some work for the firefox backporting stuff
[18:36] <ccheney> yea
[18:36] <mdeslaur> ccheney: what's the plan regarding webkit? are you backporting a current webkit to our older stable releases?
[18:37] <ccheney> i am backporting the webkit from karmic to hardy
[18:37] <ccheney> not sure about any other plans other than that, asac probably knows more about the details of the rest of the plan
[18:38] <mdeslaur> ccheney: so, since intrepid will be eol in a month, you're not doing anything there, right?
[18:38] <ccheney> webkit is being backported primarily to allow backporting of epiphany-browser using webkit to hardy so we can drop its xulrunner dep
[18:38] <ccheney> afaik i am not working on intrepid :)
[18:38] <mdeslaur> ccheney: backporting webkit to hardy means you're updating the relevant libs also? like libsoup?
[18:39] <ccheney> mdeslaur: yea it's a fairly big project, currently we are modifying libsoup to include the glib/gtk changes required
[18:39] <ccheney> mdeslaur: also requires libproxy which didn't exist in hardy, etc
[18:40] <mdeslaur> oh! so you're not updating the libsoup version, you're backporting the required stuff to the libsoup that is already in hardy?
[18:40] <mdeslaur> ccheney: do you have a repo somewhere that has the work in progress in it?
[18:40] <ccheney> not at the moment it keeps changing so much that putting it in a repo would cause version numbers to rapidly increase
[18:41] <ccheney> i've stuck snapshots of the packages at people.canonical.com/~ccheney
[18:41] <ccheney> though they are a little out of date i think
[18:42] <jdstrand> ccheney: do you have a ballpark idea of when the new webkit will hit hardy?
[18:42] <ccheney> probably within a few weeks
[18:42] <ccheney> i'm now working on epiphany itself so hopefully sooner than that, but at least within a few weeks timeframe at most
[18:43] <jdstrand> ccheney: do you know if the webkit in lucid is going to stay 1.1.21?
[18:43] <ccheney> no idea
[18:44] <ccheney> the extent of what i know is that i am responsible for getting epiphany from karmic backported to hardy including all deps, and the info on the blueprint for the xulrunner security stuff
[18:44] <kees> ccheney: we were thinking it might make sense to have the lucid webkit be the version in hardy (so it's easier to track fixes across both releases)
[18:44] <jdstrand> ccheney: I ask because since the webkit in hardy is in universe, pulling a webkit into main on hardy will require (not insignificant) resources for our team for the hardy release. ideally, lucid and hardy would have the same version
[18:44] <mdeslaur> ccheney: so, normally karmic's webkit needs libsoup 2.27.91, and we have 2.4 in hardy...you've backported all the relevant code to libsoup2.4?
[18:44] <ccheney> mdeslaur: yea
[18:45] <mdeslaur> kees, jdstrand: well, the webkit in karmic is the stable branch of webkit...it may be better than lucid's
=== bladernr-afk is now known as bladernr_
[18:45] <jdstrand> mdeslaur: I see it as 1.1.15.2
[18:45] <ccheney> lucid is still a moving target which was why i was told to backport karmic's i assume :)
[18:45] <jdstrand> mdeslaur: is 1.1 considered stable?
[18:45] <jdstrand> ccheney: sure
[18:45] <mdeslaur> jdstrand: 1.1.15 is the stable branch: http://gitorious.org/webkitgtk/stable
[18:46] <mdeslaur> jdstrand: although, I don't know for how long...
[18:46] <jdstrand> right, I see that now...
[18:46] <mdeslaur> it kind of looks dead
[18:46] <jdstrand> yeah, there has been, oh I don't know, 1 or 2 CVEs since last november
[18:47] <mdeslaur> hehe
[18:47] <ccheney> luckily hardy only needs support for one more year :)
[18:47] <mdeslaur> ccheney: so, are you doing anything for jaunty, or is that already okay?
[18:47] <jdstrand> kees, mdeslaur: maybe someone from our team should at least bring up the idea of lucid's webkit for hardy
[18:47] <ccheney> mdeslaur: i don't know that status for jaunty, sorry
[18:48] <jdstrand> kees: ccheney brings up a good point on hardy-- webkit isn't going to get dragged into 5 year support is it?
[18:48] <ccheney> jdstrand: getting lucid's webkit into hardy should be doable once lucid's version is frozen
[18:48] <ccheney> jdstrand: you just have to ask the right people i suppose (rick spencer)
[18:48] <kees> jdstrand: so far, no
[18:49] <mdeslaur> ccheney: do you have a list of applications that are going to use webkit in hardy?
[18:49] <ccheney> mdeslaur: i think it's just epiphany but you would have to ask asac to be certain
[18:49] <mdeslaur> ccheney: you're just working on epiphany?
[18:50] <ccheney> yes
[18:51] <ccheney> so aiui we are backporting epiphany because it is officially supported for hardy and uses xulrunner in a manner that is at risk for security, other things that use xulrunner that aren't as exposed still will use it (aiui)
[18:51] <jdstrand> that is consistent with my understanding as well
[18:51] <ccheney> so if there are other supported browsers that use xulrunner (none that i know of other than firefox) we would probably need to do something about those too
[18:51] <jdstrand> if a xul-running app isn't exposed to the internet, we won't worry about the CVE
[18:52] <mdeslaur> so, we'll have an outdated xulrunner that will live forever in hardy with stuff using it
[18:52] <jdstrand> (and therefore migrating it to webkit)
[18:52] <ccheney> https://wiki.ubuntu.com/DesktopTeam/Specs/Lucid/FirefoxNewSupportModel/xulrunner-list bottom of the page is most pertinent
[18:52] <jdstrand> liferea
[18:53] <ccheney> looks like jaunty might need to be ported too if i am reading the chart correctly
[18:53] <mdeslaur> ccheney: wait a sec...is the newer webkit you're backporting to hardy _replacing_ the old webkit or will it be _added_?
[18:53] <ccheney> it will be renamed somehow to be in addition
[18:54] <kees> oh nasty
[18:54] <ccheney> i'm still working on getting it working at all, then will work on cleaning up from packaging standpoint
[18:54] <kees> can't we replace the webkit in hardy instead?
[18:54] <ccheney> aiui the old webkit and new one aren't abi compatible, maybe not even api (?)
[18:54] <ccheney> but i may be misinformed
[18:55] <mdeslaur> ccheney: I was under the impression webkit 1.1 also built a 1.0 library for compatibility
[18:56] <ccheney> all i see is a libwebkit-1.0-2 but it might be in there
[18:56] <ccheney> asac: 12:55 < mdeslaur> ccheney: I was under the impression webkit 1.1 also built a  1.0 library for compatibility
[18:56] <ccheney> asac: do you know if webkit from karmic can fully replace webkit in hardy?
[18:56] <mdeslaur> I may be very wrong on that one
[18:57] <ccheney> mdeslaur: yea i don't see any other library in the package other than the package named one
[18:57] <mdeslaur> yeah, me neither
[18:59] <mdeslaur> wow, the name of the library in hardy is completely different from the current webkit
[19:01] <ccheney> yea
[19:01] <ccheney> was webkit supported in hardy, i'm not sure
[19:02] <jdstrand> mdeslaur: is there more to discuss here or can we take this out of the meeting?
[19:02] <ccheney> if not then only the new one will need to be
[19:02] <jdstrand> ccheney: it was universe
[19:02] <ccheney> ok
[19:02] <mdeslaur> ccheney: thanks for all the info
[19:02] <mdeslaur> jdstrand: that's it from mw
[19:02] <mdeslaur> me
[19:02] <ccheney> no problem, if anyone has more questions just msg me later :)
[19:03] <jdstrand> ccheney: thanks!
[19:03] <jdstrand> kees: anything else?
[19:06] <jdstrand> alright then, meeting adjourned
[19:06] <jdstrand> thanks!
[19:06] <jdstrand> kees, mdeslaur: ^
[19:06] <kees> yup, done.  thanks!
=== The_Toxic_Mite is now known as The_Toxic_Mite_
=== The_Toxic_Mite_ is now known as The_Toxic_Mite
=== bladernr_ is now known as bladernr-away
=== robbiew is now known as robbiew_