[03:58] <LinkinX64_> hello!
[16:01] <BlackZ> showard, huats ping
[16:01] <showard> hey i'm here
[16:02] <BlackZ> RoAkSoAx is absent
[16:02] <BlackZ> wait again a while
[16:02] <BlackZ> otherwise, if he will be again absent, we will start
[16:03] <huats> I am here too
[16:03] <huats> but not really available
[16:03] <huats> well a bit :)
[16:06] <BlackZ> OK, can we start?
[16:07] <showard> Yes, you can start the mootbot thing if you'd like
[16:07] <huats> sure
[16:07] <BlackZ> #startmeeting
[16:07] <MootBot> Meeting started at 10:07. The chair is BlackZ.
[16:07] <MootBot> Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[16:07] <BlackZ> [LINK] https://wiki.ubuntu.com/MOTU/Mentoring/Reception/Meeting
[16:08] <MootBot> LINK received:  https://wiki.ubuntu.com/MOTU/Mentoring/Reception/Meeting
[16:08] <BlackZ> [TOPIC] Review ACTION points from previous sessions.
[16:08] <MootBot> New Topic:  Review ACTION points from previous sessions.
[16:08] <showard> I think our only action points were to type up the notes from last time
[16:09] <huats> showard, I think so
[16:09] <showard> [LINK] https://wiki.ubuntu.com/MOTU/Mentoring/Reception/Meeting/Minutes
[16:09] <MootBot> LINK received:  https://wiki.ubuntu.com/MOTU/Mentoring/Reception/Meeting/Minutes
[16:09] <BlackZ> OK
[16:10] <BlackZ> so, do you want to start, showard ?
[16:10] <showard> If the notes are ok, we can move to the next topic
[16:11] <showard> Ok, at the end of the previous meeting, we were discussing possibly having a system where mentors pick their mentees
[16:12] <showard> this way the number and quality of mentees would be visible. However, hauts pointed out that it was not allowed in the past
[16:12] <showard> to avoid creating "pockets" of knowledge where mentors and mentees would possibly communicate outside of public channels and not in English
[16:13] <BlackZ> showard: yes
[16:13] <huats> I am strongly against the idea of letting the mentee choose the mentor
[16:13] <huats> :)
[16:14] <showard> Ok, I'll defer to hauts experience on that one! I can see benefits in both, but don't feel strongly either way
[16:14] <BlackZ> agree with huats, for clear reasons
[16:15] <showard> Ok, so mentee selection will go through reception
[16:16] <showard> [AGREED]  mentee selection will go through reception, self selection not allowed
[16:16] <showard> eh, i think only the chair could do that
[16:16] <BlackZ> +1 from me
[16:17] <showard> Continuing on. hauts: how do you recruit mentors?
[16:18] <huats> showard, sorry
[16:18] <huats> I am a bit away
[16:19] <showard> (np, you told us you were busy before - whenever you get to it, we can talk about something else)
[16:19] <huats> 1 way to recruit
[16:19] <huats> to ask
[16:19] <huats> :)
[16:20] <huats> on many channels
[16:20] <huats> mainly ubuntu-devel
[16:20] <huats> but I also think it might be wise to contact every new developer (after they have been granted) to explain the process to them
[16:22] <huats> showard, BlackZ any other idea ?
[16:23] <showard> That pretty much is the standard way of doing things. Hopefully it'll get some buzz on its own (if it's successful).
[16:24] <BlackZ> huats: yes, it can be a way to recruit
[16:24] <showard> We also can point people to the mentee bugs, even if someone isn't interested in becoming a mentor, it might be easy to just look through the applicants - maybe someone would do it even if they weren't interested at first
[16:24] <showard> because they see someone they sponsored or someone interested in a similar area
[16:25] <BlackZ> showard: yes, that's a way too
[16:26] <BlackZ> other idea?
[16:27] <showard> Hopefully that will be sustainable. How about "packaging training" people? We could introduce that as a way for new MOTUs and devels to take some higher level responsibility in the ubuntu project
[16:28] <BlackZ> showard: yes, agree with it
[16:29] <huats> YES
[16:29] <huats> it is something I'd like to raise
[16:29] <showard> This way we aren't always leaning on the same people every month. New MOTUs and devels tend to have a good amount of "energy" and not a lot of responsibility, usually
[16:29] <huats> since I've talked about it with dholbach
[16:30] <huats> we should contact https://edge.launchpad.net/~packaging-training-coordinators
[16:30] <dholbach> https://wiki.ubuntu.com/Packaging/Training
[16:30] <huats> :)
[16:30] <huats> thanks daniel
[16:30] <dholbach> if you want to join the coordinators or give a session, any kind of help is appreciated
[16:31] <showard> we were thinking of leveraging those packaging training sessions and also trying to increase the number of people giving sessions. That would be the first place we'd point mentees to
[16:32] <huats> There is also the Ubuntu Beginners Development Focus group who have contacted me
[16:32] <huats> it would be good to act with them
[16:32] <BlackZ> huats: yes, it would
[16:33] <showard> Yes, I think we shouldn't reinvent the wheel but to give support to and improve infrastructure that already exists
[16:34] <BlackZ> showard: indeed ^
[16:35] <showard> Ok, I think we have a structure for what we see the mentoring program to be like within the designated development team structure. I think we should write up a proposal of what we've discussed
[16:35] <BlackZ> sure showard
[16:36] <BlackZ> what's the next item?
[16:36] <showard> I think we're done with the "continued from last meeting"
[16:36] <BlackZ> OK, then we can go ahead
[16:36] <showard> we're up to discussion of implementation, namely that we should go ahead and write up that proposal
[16:37] <showard> once we all agree on it, we can get feedback from potential mentors, the development teams, packaging training people, beginner's focus group, and eventually the DMB
[16:38] <showard> I think we should split up the writing of the proposal - blackz, hauts, would you have time this week?
[16:39] <huats> showard, honestly I won't
[16:39] <BlackZ> showard: sure - in the evening, except wednesday
[16:39] <huats> I have 2 very very busy weeks
[16:40] <BlackZ> s/evening/morning
[16:40] <huats> I would be able to read them/react
[16:40] <showard> Sure, np hauts.  BlackZ: we can do iton ourown,don't need to schedule
[16:40] <huats> but not to write that formally sorry
[16:40] <huats> showard, it is huats btw not hauts :)
[16:40] <showard> (my spacebar is weak today, sorry!)
[16:40] <BlackZ> OK showard
[16:41] <showard> The outline being: (1) motivation and general overview, (2) process for mentees, (3) process for mentors, (4) relationships with other teams
[16:42] <showard> What do you think? (I kind of just made that up, might not be optimal)
[16:43] <BlackZ> showard: it's a good idea, eventually we can add any other
[16:45] <showard> Sure, would you want to start (1) and (2), I'll take (3) and (4)? Since I've been doing most of the writing, I think it is best if we can see the "general overview" without filtering it through my head again (make sure we all are on the same page)
[16:46] <BlackZ> showard: yes, I will, also, we can discuss them at the next meeting
[16:46] <showard> good plan, we can write it up this week and next week's agenda could be to approve it, internally, and make the plan on how to approach people to get feedback
[16:47] <showard> I think we've covered the agenda for the day
[16:48] <showard> the action items: make a wiki page for the proposal, showard and blackz will start filling it in, other team members review it throughout the week so we can approve it next monday
[16:49] <showard> any other things to cover?
[16:50] <BlackZ> sorry, crashed
[16:51] <showard> no problem. If there isn't any new news or topics, I think blackz can bring the hammer down
[16:51] <showard> (as in closing the meeting with a gavel)
[16:52] <showard> ok, I think we can #endmeeting
[16:53] <BlackZ> #endmeeting
[16:53] <MootBot> Meeting finished at 10:53.
[16:53] <BlackZ> thanks all
[16:54] <showard> great! ok, we'll coordinate on email. BlackZ, could you start the wiki page in our /MOTU/Mentoring/Reception/[newpage] space? I'll do the minutes again unless someone else wants to
[16:55] <BlackZ> showard: I will
[18:04] <kees> jdstrand, mdeslaur: meetin' time?
[18:05] <jjohansen> \o
[18:06] <kees> heya jjohansen
[18:07] <mdeslaur> kees: I'm back
[18:07] <kees> mdeslaur: cool.  robbiew, you joining us too?
[18:08] <robbiew> kees: only in spirit...;)
[18:08] <kees> hehe
[18:08]  * robbiew is reminded to work on the job posting
[18:08] <robbiew> bah!
[18:11] <jdstrand> o/
[18:11] <jdstrand> kees, mdeslaur: here now
[18:12] <kees> #startmeeting
[18:12] <MootBot> Meeting started at 12:12. The chair is kees.
[18:12] <MootBot> Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[18:12] <kees> [TOPIC] stand-up report
[18:12] <MootBot> New Topic:  stand-up report
[18:13] <kees> I'll be checking in with the kernel team on the next security update
[18:13] <kees> and then grinding out blueprints, which I'd like to cover later in this meeting.
[18:13] <kees> we also need to review the job req, it needs to be fine-tuned.
[18:13] <kees> (also later)
[18:13] <kees> that's it from me, really.  mdeslaur is up.
[18:14] <mdeslaur> okie
[18:14] <mdeslaur> I released ffmpeg regression fixes this morning
[18:14] <mdeslaur> am currently working on texlive-bin
[18:14] <mdeslaur> and will do dvipng
[18:15] <mdeslaur> looked at the postgresql updates that weren't built for -security and need to sort that out with someone called "kees"
[18:15] <mdeslaur> and will go down list
[18:15]  * kees noticed that in back-scroll.  which CVE was it?
[18:15] <mdeslaur> that's it
[18:15] <mdeslaur> kees: CVE-2010-0442
[18:16] <jdstrand> that is fairly vague
[18:16] <kees> that really doesn't ring a bell; or if that IS the issue, it wasn't well understood at the time.  :(
[18:16] <mdeslaur> it's for sure an authenticated user server DoS
[18:16] <kees> yeah
[18:16] <mdeslaur> and may be an integer underflow also
[18:17] <mdeslaur> although it's unclear how exploitable it is
[18:17] <kees> it should go to security; a simple rebuild should be fine.
[18:17] <mdeslaur> so either we rebuild all the postgresql packages for -security, or we don't consider it important enough and can wait until the next batch of postgresql updates
[18:17] <kees> looks like 2010-0733 needs to be published too?
[18:18] <mdeslaur> 2010-0733 was actually fixed by the _previous_ postgresql release
[18:18] <kees> and there are some for -8.3 too
[18:18] <kees> oh
[18:18] <mdeslaur> which did go to security
[18:18] <jdstrand> sounds somewhere between a low and a medium
[18:18] <jdstrand> I vote fix it
[18:18] <kees> hrm, so the state of CVEs for postgresql-* needs to be rechecked.
[18:18] <kees> yeah.
[18:18] <mdeslaur> kees: I just did them all
[18:18] <mdeslaur> kees: update your tree
[18:18] <kees> oh, /me refreshes
[18:19] <kees> since it's already tested, it should be a quick publication.
[18:19] <mdeslaur> kees: so you don't recall your discussion with pitti?
[18:20] <kees> mdeslaur: I remember it vaguely.  something about it must not have been well-understood at the time.  as it stands now, it should go to -security
[18:20] <mdeslaur> ok, sounds good. any volunteers? (or did I just volunteer? :) )
[18:20] <jdstrand> I can do it
[18:21] <kees> and with that, it's jdstrand's turn...
[18:21] <jdstrand> I want to check the qrt tests on lucid anyway-- and it'll give my a chance to look at it
[18:21] <jdstrand> s/my/me/
[18:21] <mdeslaur> ok, cool jdstrand
[18:21] <mdeslaur> thanks
[18:21] <jdstrand> oh sure-- this is a pretty easy one-- lots of testing already done :)
[18:21] <jdstrand> so, this week I plan to do the postgresql update
[18:21] <jdstrand> :P
[18:22] <kees> hehe
[18:22] <mdeslaur> lol
[18:23] <jdstrand> along with that, there is a pending netpbm-free update I need to publish, and also I'm working on koffice (embedded xpdf 2.0 vulns in the kword importer)
[18:23] <jdstrand> I am finishing up install audits today
[18:24] <jdstrand> that's it for me
[18:24] <kees> cool, great
[18:24] <kees> [topic] blueprints for UDS
[18:24] <MootBot> New Topic:  blueprints for UDS
[18:24] <kees> so, we need to get our blueprints finished by the end of the week
[18:24] <kees> we should at least renew the stuff that can be deferred, and then add anything else fun we want to do.
[18:25] <kees> robbiew: do you have any new projects you want us to have as blueprints?
[18:25] <kees> jjohansen: can you convert your mental AppArmor TODO list into a blueprint?
[18:25] <mdeslaur> kees: do we have a scratch area somewhere to post ideas that we can go through and clean up?
[18:25] <robbiew> kees: no way
[18:25] <robbiew> lol
[18:25] <jjohansen> urgh, I can try
[18:26] <jdstrand> mdeslaur: we can do that outside of this meeting
[18:26] <jjohansen> it actually largely already exists in the wiki as a list of work items
[18:26] <jdstrand> I too, would like to do that
[18:26] <mdeslaur> jjohansen: the security team is not going to accept your "get into mainline" blueprint :)
[18:26] <kees> jjohansen: which wiki page?
[18:26] <kees> mdeslaur: we don't yet have a scratch area.  let's create that, then double-check it tomorrow?
[18:27] <mdeslaur> kees: sounds good
[18:27] <jjohansen> https://apparmor.wiki.kernel.org/index.php/DevelopmentRoadmap
[18:27] <jjohansen> https://apparmor.wiki.kernel.org/index.php/WorkItems
[18:28] <kees> notes on blueprints are here: https://wiki.ubuntu.com/UDS-M  names must be "security-m-foo"
[18:29] <kees> I figure we can create the blueprints that we know will exist, and the rest of our ideas we can put in the brain-dump wiki
[18:29]  * jdstrand thinks there may be a name collision or two
[18:29] <kees> where 'foo' is replaced!  :P
[18:29] <jdstrand> oh!
[18:29] <jdstrand> :P
[18:29] <kees> :)
[18:29] <mdeslaur> kees: I'd like to discuss all my ideas before we commit to creating them
[18:29] <kees> how about here for brain-dump: https://wiki.ubuntu.com/SecurityTeam/UDS/M
[18:29] <jdstrand> wfm
[18:30] <kees> mdeslaur: sure, that's fine.  I have at least one (fscaps for dpkg) that I know can be a full blueprint
[18:30] <mdeslaur> kees: does that page not exist yet?
[18:30] <jdstrand> we should move https://wiki.ubuntu.com/SecurityTeam/UDS to https://wiki.ubuntu.com/SecurityTeam/UDS/L btw
[18:31] <kees> mdeslaur: right, I was proposing a location for it.  wanted it public, since we've traditionally done it in the canonical wiki, which isn't optimal.
[18:31] <kees> jdstrand: yes
[18:32] <kees> okay, so, anything else on blueprints we can take out-of-meeting.
[18:32] <mdeslaur> ok
[18:32] <kees> [topic] open job req
[18:32] <MootBot> New Topic:  open job req
[18:32] <kees> I sent a rough-draft, based on the prior posting.  at least one thing needed to be added: familiarity with web programming, or something to that effect.
[18:33] <kees> any other additions/changes?
[18:33] <jdstrand> let me reread it real quick
[18:33] <mdeslaur> web programming and web security issues
[18:33] <kees> right, yes.
[18:33] <mdeslaur> ie: web code auditing
[18:34] <jdstrand> kees, mdeslaur: I think the "Analyze, fix, and test vulnerabilities in Ubuntu packages" should be adjusted for this
[18:35] <mdeslaur> kees, jdstrand: we should probably add python programming
[18:36] <jdstrand> perhaps "requires good skills in web programming languages such as php and python, as well as good skills in C and thorough test planning)
[18:36] <kees> mdeslaur: yeah, it only lightly hints at it in the "testing with python-unit" bit
[18:36] <kees> jdstrand: yeah
[18:36] <mdeslaur> jdstrand: how about: "requires good skills in web programming languages such as php, as well as good skills in C, python, and thorough test planning
[18:37] <jdstrand> mdeslaur: seems good
[18:37] <mdeslaur> "enjoys working on webkit"
[18:37] <jdstrand> hehe
[18:37]  * jdstrand wonders if java should be a part of all that
[18:38] <kees> okay, how about we play pastebin-tag with revisions today out-of-meeting and get a final version to robbie by EOD today?
[18:38] <jdstrand> sure
[18:38] <mdeslaur> ok
[18:38] <kees> jdstrand: while tempting, I don't think we have enough evidence to suggest we need to specifically call it out yet.
[18:38] <kees> [topic] other stuff!
[18:38] <MootBot> New Topic:  other stuff!
[18:38] <kees> anyone have anything else for the security team?
[18:39] <jdstrand> maybe, though a *lot* of java was pulled in for euca and the java server stack...
[18:39] <jdstrand> though I would hate to have someone who only really knew java
[18:39] <kees> jdstrand: yeah.  I'm suspicious as well, but I don't want to make the position unhirable.  :)
[18:39] <jdstrand> heh
[18:39] <mdeslaur> the jre gets a lot of security issues, but java applications aren't that bad
[18:40] <kees> that's my gut too.  I only remember 1 in recent history (the hash test truncation thingy)
[18:40] <mdeslaur> well, tomcat has a lot, but it's a web server
[18:40] <kees> right
[18:41] <mdeslaur> ok, I'm done
[18:41] <mdeslaur> anyone else?
[18:41] <mdeslaur> going once...
[18:41] <mdeslaur> twice...
[18:41] <kees> sold!
[18:41] <kees> #endmeeting
[18:41] <MootBot> Meeting finished at 12:41.
[18:41] <mdeslaur> sold to the lady with the blue hat!
[18:41] <kees> hehehe
[18:41] <jdstrand> o/