kees | jdstrand, mdeslaur: ready for a quick meeting? | 18:02 |
---|---|---|
jdstrand | o/ | 18:02 |
mdeslaur | yep! | 18:04 |
kees | okay | 18:05 |
kees | let's see, I'm on triage this week | 18:06 |
kees | and I'll try to snag a few low-hanging updates, but I've not checked the list yet. | 18:06 |
kees | I made progress on testing the symlink protection kernel patch last week | 18:07 |
kees | that's it from me. jdstrand, you're up! | 18:07 |
jdstrand | this is the symlink in a sticky dir where you are not the owner patch? | 18:07 |
jdstrand | kees: ^ | 18:08 |
kees | yeah | 18:09 |
jdstrand | cool | 18:09 |
kees | http://people.canonical.com/~kees/0001-symlink-protection-logic.patch | 18:09 |
jdstrand | so I am on community work this week | 18:09 |
kees | ignore the changelog; that was just a place-holder | 18:09 |
jdstrand | a few moin CVEs crept in last week, so I plan to work on it | 18:10 |
jdstrand | I plan to follow-up with cemc on the clamav/hardy update to get that out this week | 18:10 |
jdstrand | (he is doing testing since it is in universe) | 18:10 |
jdstrand | if I have time, I'll try to get to firefox/apparmor refactoring, which I didn't get to last week | 18:11 |
jdstrand | that is it from me | 18:11 |
jdstrand | mdeslaur: you're up | 18:11 |
mdeslaur | I'm in the happy place this week | 18:11 |
jdstrand | mdeslaur: do you feel happy? | 18:12 |
mdeslaur | I plan on looking over the new gnome-screensaver CVEs and have an embargoed update to test | 18:12 |
mdeslaur | jdstrand: sometimes :) | 18:12 |
jjohansen | and that is a happy place? | 18:12 |
mdeslaur | heh | 18:13 |
mdeslaur | I will also go down the list | 18:13 |
mdeslaur | so, I have a couple of other things I want to talk about | 18:13 |
* jdstrand had one too | 18:13 | |
mdeslaur | jdstrand: you go first | 18:13 |
jdstrand | k | 18:13 |
jdstrand | kees: I didn't follow the TB meeting too closely-- where do we stand on representatives from the various teams attending our meetings and generally being aware of security issues in their packages? | 18:14 |
kees | jdstrand: I haven't sent any email yet; ran out of time on friday. I want to make a general proposal, and we'll see how that flies. | 18:15 |
jdstrand | cool | 18:15 |
kees | basically, TB wants to see a proposal, have it discussed in email, language adjusted, etc. | 18:16 |
* jdstrand nods | 18:16 | |
jdstrand | mdeslaur: that's it from me | 18:16 |
mdeslaur | okay, so cr3 sent us the review request | 18:17 |
mdeslaur | I'll take a look, and kees, will you take a look also? | 18:17 |
mdeslaur | kees: you're the man with the insecure code detector built in :) | 18:18 |
kees | yup, totally. he was asking about how to manage some fifo work. | 18:18 |
mdeslaur | ok, second thing is webkit...there's a zillion CVEs in it, and I wanted to start to look at them again, but then remembered that in the firefox backporting work, a newer webkit will probably get pushed to the stable releases | 18:19 |
kees | err, totally help with audit; not sure I've got that detector built-in. ;) | 18:19 |
jdstrand | mdeslaur: oh? I didn't realize that was part of it. is it getting a microrelease exception? | 18:19 |
kees | mdeslaur: correct; though it doesn't change KDE's use of it. | 18:19 |
kees | wait, I'm suddenly confused | 18:20 |
kees | firefox -> webkit? | 18:20 |
mdeslaur | okay, let me explain | 18:20 |
jdstrand | kees: no, but stuff in stable releases has to be migrated to webkit to get rid of xulrunner, iiuc | 18:20 |
mdeslaur | in order to get rid of xulrunner, a bunch of applications in previous stable releases will get updated to versions that support webkit | 18:20 |
mdeslaur | so, a recent webkit will probably get introduced to stable releases | 18:21 |
mdeslaur | BUT, that's probably a one-time only thing | 18:21 |
kees | ah, fun. | 18:21 |
mdeslaur | what's not so good, is now webkit will probably need to be supported in hardy where it wasn't before | 18:21 |
mdeslaur | I think we should call a meeting with ccheney and discuss all of this | 18:22 |
kees | is webkit micro-release sane? | 18:22 |
mdeslaur | kees: and yes, it won't fix the embedded webkit in kde and qt4 | 18:22 |
jdstrand | mdeslaur: it sounds like hardy should get whatever webkit is in lucid then-- that doesn't sound too bad from a support perspective | 18:23 |
jdstrand | (ie, it doesn't add significant work for us) | 18:23 |
mdeslaur | yeah, it will simplify things for the time being, as all our releases will probably have the same webkit version | 18:23 |
kees | jdstrand: yeah, true | 18:23 |
mdeslaur | the problem with webkit, is there are _no_ releases...it's a repository | 18:24 |
jdstrand | mdeslaur: so your question is really-- should you fix webkit now, or wait | 18:24 |
kees | wait, what? no releases? | 18:24 |
* kees holds his face | 18:24 | |
mdeslaur | kees: webkit doesn't have any releases AFAIK | 18:24 |
mdeslaur | so, I don't know how to add a microrelease exception for that | 18:25 |
jdstrand | mdeslaur: I thought they had some concept of api (or was it abi?) though? doesn't that imply releases? | 18:25 |
mdeslaur | jdstrand: yeah, I think they went from 1.0 to 1.1 at some point | 18:25 |
* jdstrand wonders why all the web stuff has to be so complicated | 18:25 | |
mdeslaur | let me investigate further | 18:25 |
jdstrand | mdeslaur: to answer what I think your question was regarding updating webkit-- I think we need more info from ccheney | 18:26 |
mdeslaur | jdstrand: yes, I propose we schedule a meeting with him to see what he expects to happen | 18:26 |
jdstrand | mdeslaur: if it is going to be relatively soon, maybe we can get away with fixing the most serious security issues and wait | 18:26 |
jdstrand | for the transition | 18:27 |
kees | I think keeping lucid and hardy in sync wrt webkit is a really good idea, if we end up having a supported webkit in hardy, though. | 18:27 |
mdeslaur | jdstrand: that's what we would need to figure out | 18:27 |
* jdstrand nods | 18:27 | |
jdstrand | maybe ccheney is available now... | 18:28 |
* jdstrand goes to look | 18:28 | |
mdeslaur | so, webkitgtk has a "stable" branch: http://gitorious.org/webkitgtk/stable | 18:29 |
mdeslaur | but, we're way past it in lucid :P | 18:29 |
jdstrand | hmmm | 18:29 |
jdstrand | I asked for ccheney to join us (in #ubuntu-devel) | 18:32 |
jdstrand | he's not responded yet, so maybe wait a few more minutes? | 18:32 |
mdeslaur | We _need_ to meet with the webkitgtk people and try and discuss webkit security | 18:32 |
ccheney | hello | 18:35 |
jdstrand | hey ccheney :) | 18:35 |
jdstrand | mdeslaur: fire away | 18:35 |
mdeslaur | ccheney: rat-tat-tat-tat | 18:35 |
mdeslaur | ccheney: hi! | 18:35 |
mdeslaur | ccheney: we are discussing the large number of open CVEs that we have in webkit in our stable releases | 18:36 |
ccheney | hi | 18:36 |
mdeslaur | ccheney: and, I know you're doing some work for the firefox backporting stuff | 18:36 |
ccheney | yea | 18:36 |
mdeslaur | ccheney: what's the plan regarding webkit? are you backporting a current webkit to our older stable releases? | 18:36 |
ccheney | i am backporting the webkit from karmic to hardy | 18:37 |
ccheney | not sure about any other plans other than that, asac probably knows more about the details of the rest of the plan | 18:37 |
mdeslaur | ccheney: so, since intrepid will be eol in a month, you're not doing anything there, right? | 18:38 |
ccheney | webkit is being backported primarily to allow backporting of epiphany-browser using webkit to hardy so we can drop its xulrunner dep | 18:38 |
ccheney | afaik i am not working on intrepid :) | 18:38 |
mdeslaur | ccheney: backporting webkit to hardy means you're updating the relevant libs also? like libsoup? | 18:38 |
ccheney | mdeslaur: yea its a fairly big project, currently we are modifying libsoup to include the glib/gtk changes required | 18:39 |
ccheney | mdeslaur: also requires libproxy which didn't exist in hardy, etc | 18:39 |
mdeslaur | oh! so you're not updating the libsoup version, you're backporting the required stuff to the libsoup that is already in hardy? | 18:40 |
mdeslaur | ccheney: do you have a repo somewhere that has the work in progress in it? | 18:40 |
ccheney | not at the moment it keeps changing so much that putting it in a repo would cause version numbers to rapidly increase | 18:40 |
ccheney | i've stuck snapshots of the packages at people.canonical.com/~ccheney | 18:41 |
ccheney | though they are a little out of date i think | 18:41 |
jdstrand | ccheney: do you have a ballpark idea of when the new webkit will hit hardy? | 18:42 |
ccheney | probably within a few weeks | 18:42 |
ccheney | i'm now working on epiphany itself so hopefully sooner than that, but at least within a few weeks timeframe at most | 18:42 |
jdstrand | ccheney: do you know if the webkit in lucid is going to stay 1.1.21? | 18:43 |
ccheney | no idea | 18:43 |
ccheney | the extent of what i know is that i am responsible for getting epiphany from karmic backported to hardy including all deps, and the info on the blueprint for the xulrunner security stuff | 18:44 |
kees | ccheney: we were thinking it might make sense to have the lucid webkit be the version in hardy (so it's easier to track fixes across both releases) | 18:44 |
jdstrand | ccheney: I ask because since the webkit in hardy is in universe, pulling a webkit into main on hardy will require (not insignificant) resources for our team for the hardy release. ideally, lucid and hardy would have the same version | 18:44 |
mdeslaur | ccheney: so, normally karmic's webkit needs libsoup 2.27.91, and we have 2.4 in hardy...you've backported all the relevant code to libsoup2.4? | 18:44 |
ccheney | mdeslaur: yea | 18:44 |
mdeslaur | kees, jdstrand: well, the webkit in karmic is the stable branch of webkit...it may be better than lucid's | 18:45 |
=== bladernr-afk is now known as bladernr_ | ||
jdstrand | mdeslaur: I see it as 1.1.15.2 | 18:45 |
ccheney | lucid is still a moving target which was why i was told to backport karmic's i assume :) | 18:45 |
jdstrand | mdeslaur: is 1.1 considered stable? | 18:45 |
jdstrand | ccheney: sure | 18:45 |
mdeslaur | jdstrand: 1.1.15 is the stable branch: http://gitorious.org/webkitgtk/stable | 18:45 |
mdeslaur | jdstrand: although, I don't know for how long... | 18:46 |
jdstrand | right, I see that now... | 18:46 |
mdeslaur | it kind of looks dead | 18:46 |
jdstrand | yeah, there has been, oh I don't know, 1 or 2 CVEs since last november | 18:46 |
mdeslaur | hehe | 18:47 |
ccheney | luckily hardy only needs support for one more year :) | 18:47 |
mdeslaur | ccheney: so, are you doing anything for jaunty, or is that already okay? | 18:47 |
jdstrand | kees, mdeslaur: maybe someone from our team should at least bring up the idea of lucid's webkit for hardy | 18:47 |
ccheney | mdeslaur: i don't know that status for jaunty, sorry | 18:47 |
jdstrand | kees: ccheney brings up a good point on hardy-- webkit isn't going to get dragged into 5 year support is it? | 18:48 |
ccheney | jdstrand: getting lucid's webkit into hardy should be doable once lucid's version is frozen | 18:48 |
ccheney | jdstrand: you just have to ask the right people i suppose (rick spencer) | 18:48 |
kees | jdstrand: so far, no | 18:48 |
mdeslaur | ccheney: do you have a list of applications that are going to use webkit in hardy? | 18:49 |
ccheney | mdeslaur: i think its just epiphany but you would have to ask asac to be certain | 18:49 |
mdeslaur | ccheney: you're just working on epiphany? | 18:49 |
ccheney | yes | 18:50 |
ccheney | so aiui we are backporting epiphany because it is officially supported for hardy and uses xulrunner in a manner that is at risk for security, other things that use xulrunner that aren't as exposed still will use it (aiui) | 18:51 |
jdstrand | that is consistent with my understanding as well | 18:51 |
ccheney | so if there are other supported browsers that use xulrunner (none that i know of other than firefox) we would probably need to do something about those too | 18:51 |
jdstrand | if a xul-running app isn't exposed to the internet, we won't worry about the CVE | 18:51 |
mdeslaur | so, we'll have an outdated xulrunner that will live forever in hardy with stuff using it | 18:52 |
jdstrand | (and therefore migrating it to webkit) | 18:52 |
ccheney | https://wiki.ubuntu.com/DesktopTeam/Specs/Lucid/FirefoxNewSupportModel/xulrunner-list bottom of the page is most pertinent | 18:52 |
jdstrand | liferea | 18:52 |
ccheney | looks like jaunty might need to be ported too if i am reading the chart correctly | 18:53 |
mdeslaur | ccheney: wait a sec...is the newer webkit you're backporting to hardy _replacing_ the old webkit or will it be _added_? | 18:53 |
ccheney | it will be renamed somehow to be in addition | 18:53 |
kees | oh nasty | 18:54 |
ccheney | i'm still working on getting it working at all, then will work on cleaning up from packaging standpoint | 18:54 |
kees | can't we replace the webkit in hardy instead? | 18:54 |
ccheney | aiui the old webkit and new one aren't abi compatible, maybe not even api (?) | 18:54 |
ccheney | but i may be misinformed | 18:54 |
mdeslaur | ccheney: I was under the impression webkit 1.1 also built a 1.0 library for compatibility | 18:55 |
ccheney | all i see is a libwebkit-1.0-2 but it might be in there | 18:56 |
ccheney | asac: 12:55 < mdeslaur> ccheney: I was under the impression webkit 1.1 also built a 1.0 library for compatibility | 18:56 |
ccheney | asac: do you know if webkit from karmic can fully replace webkit in hardy? | 18:56 |
mdeslaur | I may be very wrong on that one | 18:56 |
ccheney | mdeslaur: yea i don't see any other library in the package other than the package named one | 18:57 |
mdeslaur | yeah, me neither | 18:57 |
mdeslaur | wow, the name of the library in hardy is completely different from the current webkit | 18:59 |
ccheney | yea | 19:01 |
ccheney | was webkit supported in hardy, i'm not sure | 19:01 |
jdstrand | mdeslaur: is there more to discuss here or can we take this out of the meeting? | 19:02 |
ccheney | if not then only the new one will need to be | 19:02 |
jdstrand | ccheney: it was universe | 19:02 |
ccheney | ok | 19:02 |
mdeslaur | ccheney: thanks for all the info | 19:02 |
mdeslaur | jdstrand: that's it from mw | 19:02 |
mdeslaur | me | 19:02 |
ccheney | no problem, if anyone has more questions just msg me later :) | 19:02 |
jdstrand | ccheney: thanks! | 19:03 |
jdstrand | kees: anything else? | 19:03 |
jdstrand | alright then, meeting adjourned | 19:06 |
jdstrand | thanks! | 19:06 |
jdstrand | kees, mdeslaur: ^ | 19:06 |
kees | yup, done. thanks! | 19:06 |