[18:02] <kees> jdstrand, mdeslaur: ready for a quick meeting?
[18:02] <jdstrand> o/
[18:04] <mdeslaur> yep!
[18:05] <kees> okay
[18:06] <kees> let's see, I'm on triage this week
[18:06] <kees> and I'll try to snag a few low-hanging updates, but I've not checked the list yet.
[18:07] <kees> I made progress on testing the symlink protection kernel patch last week
[18:07] <kees> that's it from me.  jdstrand, you're up!
[18:07] <jdstrand> this is the symlink in a sticky dir where you are not the owner patch?
[18:08] <jdstrand> kees: ^
[18:09] <kees> yeah
[18:09] <jdstrand> cool
[18:09] <kees> http://people.canonical.com/~kees/0001-symlink-protection-logic.patch
[18:09] <jdstrand> so I am on community work this week
[18:09] <kees> ignore the changelog; that was just a place-holder
[18:10] <jdstrand> a few moin CVEs crept in last week, so I plan to work on it
[18:10] <jdstrand> I plan to follow-up with cemc on the clamav/hardy update to get that out this week
[18:10] <jdstrand> (he is doing testing since it is in universe)
[18:11] <jdstrand> if I have time, I'll try to get to firefox/apparmor refactoring, which I didn't get to last week
[18:11] <jdstrand> that is it from me
[18:11] <jdstrand> mdeslaur: you're up
[18:11] <mdeslaur> I'm in the happy place this week
[18:12] <jdstrand> mdeslaur: do you feel happy?
[18:12] <mdeslaur> I plan on looking over the new gnome-screensaver CVEs and have an embargoed update to test
[18:12] <mdeslaur> jdstrand: sometimes :)
[18:12] <jjohansen> and that is a happy place?
[18:13] <mdeslaur> heh
[18:13] <mdeslaur> I will also go down the list
[18:13] <mdeslaur> so, I have a couple of other things I want to talk about
[18:13]  * jdstrand had one too
[18:13] <mdeslaur> jdstrand: you go first
[18:13] <jdstrand> k
[18:14] <jdstrand> kees: I didn't follow the TB meeting too closely-- where do we stand on representatives from the various teams attending our meetings and generally being aware of security issues in their packages?
[18:15] <kees> jdstrand: I haven't sent any email yet; ran out of time on friday.  I want to make a general proposal, and we'll see how that flies.
[18:15] <jdstrand> cool
[18:16] <kees> basically, TB wants to see a proposal, have it discussed in email, language adjusted, etc.
[18:16]  * jdstrand nods
[18:16] <jdstrand> mdeslaur: that's it from me
[18:17] <mdeslaur> okay, so cr3 sent us the review request
[18:17] <mdeslaur> I'll take a look, and kees, will you take a look also?
[18:18] <mdeslaur> kees: you're the man with the insecure code detector built in :)
[18:18] <kees> yup, totally.  he was asking about how to manage some fifo work.
[18:19] <mdeslaur> ok, second thing is webkit...there's a zillion CVEs in it, and I wanted to start to look at them again, but then remembered that in the firefox backporting work, a newer webkit will probably get pushed to the stable releases
[18:19] <kees> err, totally help with audit; not sure I've got that detector built-in.  ;)
[18:19] <jdstrand> mdeslaur: oh? I didn't realize that was part of it. is it getting a microrelease exception?
[18:19] <kees> mdeslaur: correct; though it doesn't change KDE's use of it.
[18:20] <kees> wait, I'm suddenly confused
[18:20] <kees> firefox -> webkit?
[18:20] <mdeslaur> okay, let me explain
[18:20] <jdstrand> kees: no, but stuff in stable releases has to be migrated to webkit to get rid of xulrunner, iiuc
[18:20] <mdeslaur> in order to get rid of xulrunner, a bunch of applications in previous stable releases will get updated to versions that support webkit
[18:21] <mdeslaur> so, a recent webkit will probably get introduced to stable releases
[18:21] <mdeslaur> BUT, that's probably a one-time only thing
[18:21] <kees> ah, fun.
[18:21] <mdeslaur> what's not so good, is now webkit will probably need to be supported in hardy where it wasn't before
[18:22] <mdeslaur> I think we should call a meeting with ccheney and discuss all of this
[18:22] <kees> is webkit micro-release sane?
[18:22] <mdeslaur> kees: and yes, it won't fix the embedded webkit in kde and qt4
[18:23] <jdstrand> mdeslaur: it sounds like hardy should get whatever webkit is in lucid then-- that doesn't sound too bad from a support perspective
[18:23] <jdstrand> (ie, it doesn't add significant work for us)
[18:23] <mdeslaur> yeah, it will simplify things for the time being, as all our releases will probably have the same webkit version
[18:23] <kees> jdstrand: yeah, true
[18:24] <mdeslaur> the problem with webkit, is there are _no_ releases...it's a repository
[18:24] <jdstrand> mdeslaur: so your question is really-- should you fix webkit now, or wait
[18:24] <kees> wait, what?  no releases?
[18:24]  * kees holds his face
[18:24] <mdeslaur> kees: webkit doesn't have any releases AFAIK
[18:25] <mdeslaur> so, I don't know how to add a microrelease exception for that
[18:25] <jdstrand> mdeslaur: I thought they had some concept of api (or was it abi?) though? doesn't that imply releases?
[18:25] <mdeslaur> jdstrand: yeah, I think they went from 1.0 to 1.1 at some point
[18:25]  * jdstrand wonders why all the web stuff has to be so complicated
[18:25] <mdeslaur> let me investigate further
[18:26] <jdstrand> mdeslaur: to answer what I think your question was regarding updating webkit-- I think we need more info from ccheney
[18:26] <mdeslaur> jdstrand: yes, I propose we schedule a meeting with him to see what he expects to happen
[18:26] <jdstrand> mdeslaur: if it is going to be relatively soon, maybe we can get away with fixing the most serious security issues and wait
[18:27] <jdstrand> for the transition
[18:27] <kees> I think keeping lucid and hardy in sync wrt webkit is a really good idea, if we end up having a supported webkit in hardy, though.
[18:27] <mdeslaur> jdstrand: that's what we would need to figure out
[18:27]  * jdstrand nods
[18:28] <jdstrand> maybe ccheney is available now...
[18:28]  * jdstrand goes to look
[18:29] <mdeslaur> so, webkitgtk has a "stable" branch: http://gitorious.org/webkitgtk/stable
[18:29] <mdeslaur> but, we're way past it in lucid :P
[18:29] <jdstrand> hmmm
[18:32] <jdstrand> I asked for ccheney to join us (in #ubuntu-devel)
[18:32] <jdstrand> he's not responded yet, so maybe wait a few more minutes?
[18:32] <mdeslaur> We _need_ to meet with the webkitgtk people and try and discuss webkit security
[18:35] <ccheney> hello
[18:35] <jdstrand> hey ccheney :)
[18:35] <jdstrand> mdeslaur: fire away
[18:35] <mdeslaur> ccheney: rat-tat-tat-tat
[18:35] <mdeslaur> ccheney: hi!
[18:36] <mdeslaur> ccheney: we are discussing the large number of open CVEs that we have in webkit in our stable releases
[18:36] <ccheney> hi
[18:36] <mdeslaur> ccheney: and, I know you're doing some work for the firefox backporting stuff
[18:36] <ccheney> yea
[18:36] <mdeslaur> ccheney: what's the plan regarding webkit? are you backporting a current webkit to our older stable releases?
[18:37] <ccheney> i am backporting the webkit from karmic to hardy
[18:37] <ccheney> not sure about any other plans other than that, asac probably knows more about the details of the rest of the plan
[18:38] <mdeslaur> ccheney: so, since intrepid will be eol in a month, you're not doing anything there, right?
[18:38] <ccheney> webkit is being backported primarily to allow backporting of epiphany-browser using webkit to hardy so we can drop its xulrunner dep
[18:38] <ccheney> afaik i am not working on intrepid :)
[18:38] <mdeslaur> ccheney: backporting webkit to hardy means you're updating the relevant libs also? like libsoup?
[18:39] <ccheney> mdeslaur: yea its a fairly big project, currently we are modifying libsoup to include the glib/gtk changes required
[18:39] <ccheney> mdeslaur: also requires libproxy which didn't exist in hardy, etc
[18:40] <mdeslaur> oh! so you're not updating the libsoup version, you're backporting the required stuff to the libsoup that is already in hardy?
[18:40] <mdeslaur> ccheney: do you have a repo somewhere that has the work in progress in it?
[18:40] <ccheney> not at the moment it keeps changing so much that putting it in a repo would cause version numbers to rapidly increase
[18:41] <ccheney> i've stuck snapshots of the packages at people.canonical.com/~ccheney
[18:41] <ccheney> though they are a little out of date i think
[18:42] <jdstrand> ccheney: do you have a ballpark idea of when the new webkit will hit hardy?
[18:42] <ccheney> probably within a few weeks
[18:42] <ccheney> i'm now working on epiphany itself so hopefully sooner than that, but at least within a few weeks timeframe at most
[18:43] <jdstrand> ccheney: do you know if the webkit in lucid is going to stay 1.1.21?
[18:43] <ccheney> no idea
[18:44] <ccheney> the extent of what i know is that i am responsible for getting epiphany from karmic backported to hardy including all deps, and the info on the blueprint for the xulrunner security stuff
[18:44] <kees> ccheney: we were thinking it might make sense to have the lucid webkit be the version in hardy (so it's easier to track fixes across both releases)
[18:44] <jdstrand> ccheney: I ask because since the webkit in hardy is in universe, pulling a webkit into main on hardy will require (not insignificant) resources for our team for the hardy release. ideally, lucid and hardy would have the same version
[18:44] <mdeslaur> ccheney: so, normally karmic's webkit needs libsoup 2.27.91, and we have 2.4 in hardy...you've backported all the relevant code to libsoup2.4?
[18:44] <ccheney> mdeslaur: yea
[18:45] <mdeslaur> kees, jdstrand: well, the webkit in karmic is the stable branch of webkit...it may be better than lucid's
[18:45] <jdstrand> mdeslaur: I see it as 1.1.15.2
[18:45] <ccheney> lucid is still a moving target which was why i was told to backport karmic's i assume :)
[18:45] <jdstrand> mdeslaur: is 1.1 considered stable?
[18:45] <jdstrand> ccheney: sure
[18:45] <mdeslaur> jdstrand: 1.1.15 is the stable branch: http://gitorious.org/webkitgtk/stable
[18:46] <mdeslaur> jdstrand: although, I don't know for how long...
[18:46] <jdstrand> right, I see that now...
[18:46] <mdeslaur> it kind of looks dead
[18:46] <jdstrand> yeah, there has been, oh I don't know, 1 or 2 CVEs since last november
[18:47] <mdeslaur> hehe
[18:47] <ccheney> luckily hardy only needs support for one more year :)
[18:47] <mdeslaur> ccheney: so, are you doing anything for jaunty, or is that already okay?
[18:47] <jdstrand> kees, mdeslaur: maybe someone from our team should at least bring up the idea of lucid's webkit for hardy
[18:47] <ccheney> mdeslaur: i don't know that status for jaunty, sorry
[18:48] <jdstrand> kees: ccheney brings up a good point on hardy-- webkit isn't going to get dragged into 5 year support is it?
[18:48] <ccheney> jdstrand: getting lucid's webkit into hardy should be doable once lucid's version is frozen
[18:48] <ccheney> jdstrand: you just have to ask the right people i suppose (rick spencer)
[18:48] <kees> jdstrand: so far, no
[18:49] <mdeslaur> ccheney: do you have a list of applications that are going to use webkit in hardy?
[18:49] <ccheney> mdeslaur: i think its just epiphany but you would have to ask asac to be certain
[18:49] <mdeslaur> ccheney: you're just working on epiphany?
[18:50] <ccheney> yes
[18:51] <ccheney> so aiui we are backporting epiphany because it is officially supported for hardy and uses xulrunner in a manner that is at risk for security, other things that use xulrunner that aren't as exposed still will use it (aiui)
[18:51] <jdstrand> that is consistent with my understanding as well
[18:51] <ccheney> so if there are other supported browsers that use xulrunner (none that i know of other than firefox) we would probably need to do something about those too
[18:51] <jdstrand> if a xul-running app isn't exposed to the internet, we won't worry about the CVE
[18:52] <mdeslaur> so, we'll have an outdated xulrunner that will live forever in hardy with stuff using it
[18:52] <jdstrand> (and therefore migrating it to webkit)
[18:52] <ccheney> https://wiki.ubuntu.com/DesktopTeam/Specs/Lucid/FirefoxNewSupportModel/xulrunner-list bottom of the page is most pertinent
[18:52] <jdstrand> liferea
[18:53] <ccheney> looks like jaunty might need to be ported too if i am reading the chart correctly
[18:53] <mdeslaur> ccheney: wait a sec...is the newer webkit you're backporting to hardy _replacing_ the old webkit or will it be _added_?
[18:53] <ccheney> it will be renamed somehow to be in addition
[18:54] <kees> oh nasty
[18:54] <ccheney> i'm still working on getting it working at all, then will work on cleaning up from packaging standpoint
[18:54] <kees> can't we replace the webkit in hardy instead?
[18:54] <ccheney> aiui the old webkit and new one aren't abi compatible, maybe not even api (?)
[18:54] <ccheney> but i may be misinformed
[18:55] <mdeslaur> ccheney: I was under the impression webkit 1.1 also built a 1.0 library for compatibility
[18:56] <ccheney> all i see is a libwebkit-1.0-2 but it might be in there
[18:56] <ccheney> asac: 12:55 < mdeslaur> ccheney: I was under the impression webkit 1.1 also built a  1.0 library for compatibility
[18:56] <ccheney> asac: do you know if webkit from karmic can fully replace webkit in hardy?
[18:56] <mdeslaur> I may be very wrong on that one
[18:57] <ccheney> mdeslaur: yea i don't see any other library in the package other than the package named one
[18:57] <mdeslaur> yeah, me neither
[18:59] <mdeslaur> wow, the name of the library in hardy is completely different from the current webkit
[19:01] <ccheney> yea
[19:01] <ccheney> was webkit supported in hardy, i'm not sure
[19:02] <jdstrand> mdeslaur: is there more to discuss here or can we take this out of the meeting?
[19:02] <ccheney> if not then only the new one will need to be
[19:02] <jdstrand> ccheney: it was universe
[19:02] <ccheney> ok
[19:02] <mdeslaur> ccheney: thanks for all the info
[19:02] <mdeslaur> jdstrand: that's it from mw
[19:02] <mdeslaur> me
[19:02] <ccheney> no problem, if anyone has more questions just msg me later :)
[19:03] <jdstrand> ccheney: thanks!
[19:03] <jdstrand> kees: anything else?
[19:06] <jdstrand> alright then, meeting adjourned
[19:06] <jdstrand> thanks!
[19:06] <jdstrand> kees, mdeslaur: ^
[19:06] <kees> yup, done.  thanks!