=== nigelbabu is now known as nigelb
=== inkvizitor68sl is now known as ink|off|ZNC
=== ink|off|ZNC is now known as inkvizitor68sl
=== inkvizitor68sl is now known as inky_GPRS
=== inky_GPRS is now known as inkvizitor68sl
=== inkvizitor68sl is now known as ink|off|ZNC
=== doko__ is now known as doko
=== fader_` is now known as fader_
[12:58] cody-somerville,persia,geser,nixternal,soren,stgraber: DMB meeting in three minutes, by my calendar
[12:58] two
[12:58] bagsy not chair, since I chaired the last mega-meeting
[13:00] I should note that I won't usually be able to make this time. I saw an e-mail about there being a proposed time change but I thought I'd have more time to respond before the change was actually made.
[13:00] the discussion dragged on for months
[13:00] I'm sorry you didn't feel there was enough time to respond, but in any event it was clear that no one time was good for everyone. Can you make the 1900 UTC slot in the rotation?
[13:01] * stgraber waves
[13:02] I haven't had a chance to read the e-mail yet. I was sick for most of last week and on vacation the week before.
[13:02] * geser is here
[13:03] but as I'm at work, I'm not the best candidate for chair
[13:03] Date: Tue, 31 Aug 2010 13:22:45 +0100
[13:03] Please speak now or forever hold your peace (at least until the next
[13:03] time).
[13:03] * barry waves
[13:04] * stgraber is also at work with a face-to-face meeting in 57 minutes (just after DMB) so probably not the best to chair that one either, sorry.
[13:05] cjwatson, Yea, 1900 UTC shouldn't be a problem at all.
[13:05] there was also a thread from early July that AFAICS you didn't follow up to, Cody
[13:05] ok, good
[13:05] cody-somerville,geser: can one of you chair, perhaps?
[13:06] cjwatson: how far up on your TODO list is setting up the voting for the free DMB seat?
[13:06] we appear to have basic quorum at least
[13:06] geser: not very; if you'd like to take it over, please do
[13:06] is there a howto for it?
[13:07] I don't think so
[13:07] which is one reason I haven't done it yet
[13:07] Hi guys, Raphael Pinson here, hope I'm not too late for the DMB
[13:08] I guess I can chair.
[13:08] #startmeeting
[13:08] Meeting started at 07:08. The chair is cody-somerville.
[13:08] Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[13:09] Do we have quorum?
[13:10] we are at least 4 on IRC from what I can see, so I think so.
[13:11] chair> thanks
[13:11] [TOPIC] Administrative Matters: Review Marco Rodrigues participation in Ubuntu Development
[13:11] New Topic: Administrative Matters: Review Marco Rodrigues participation in Ubuntu Development
[13:11] [LINK] https://wiki.ubuntu.com/MarcoRodrigues/ParticipationApplication
[13:11] LINK received: https://wiki.ubuntu.com/MarcoRodrigues/ParticipationApplication
[13:13] He doesn't appear to be here.
[13:13] we should consider in absentia I think
[13:14] I find ScottK's comment disturbing, and am looking for a citation so that I can read more about it
[13:14] (regarding debian-games)
[13:14] Indeed.
[13:15] does anyone have one to hand?
[13:15] (this is not doubting ScottK; I'm looking for a citation so that I can see how recent it is and make my own judgement about the circumstances)
[13:15] that should be around the same time as his trouble in Ubuntu
[13:16] at least I don't know of any more recent one
[13:16] It's not particularly recent. It was shortly after he was asked not to contribute to Ubuntu.
[13:16] (I looked for the relevant message on the debian-games archive and couldn't find it)
[13:17] The issue I was attempting to bring up was not that it was a recent problem, but that his description of his involvement with Debian is at best incomplete.
[13:18] He seems active in Debian in other teams.
[13:19] his endorsements would be OK (if sparse) for a new application, but they seem a bit half-hearted for the standard of "MOTUs supporting this wish actively" (https://lists.ubuntu.com/archives/ubuntu-motu/2008-January/003067.html)
[13:20] to be honest, what I would be looking for is people saying "he's great now, we'd really like him back because it would take so much load off our shoulders"
[13:20] It's not clear to me what exactly Marco wants.
[13:21] I certainly appreciate his efforts in cleaning up bugs against removed packages in Debian, although it is worth noting that ftpmaster is looking to do that automatically instead
[13:21] cody-somerville: he is banned from participating in Ubuntu development; he wants that ban lifted
[13:22] (see https://lists.ubuntu.com/archives/ubuntu-motu/2008-January/003067.html)
[13:22] * persia apologises for being tardy
[13:25] does anyone else have an actual opinion here? mine seems to currently be: I'm not seeing a pressing reason to lift the ban, although I kind of dislike having to ban people as a general rule and understand that it is worth reviewing any bans we do have to impose from time to time
[13:26] and what I'd really appreciate in trying to form a more complete opinion is more strong opinions from other developers who've interacted with Kmos recently
[13:28] I'd also appreciate getting more feedback (be it negative or positive) and ideally more documented than what we currently have
[13:29] some more feedback would be nice, I see currently only two weak endorsements from ~ubuntu-dev and one comment against lifting from ~ubuntu-dev
[13:29] I don't really like administering the ban, and the few bits of feedback I've received have been positive, but I'll admit to not having much feedback.
[13:30] perhaps it would be worth deferring, and have the minutes of this meeting explicitly call for comments from developers?
[13:30] I guess my question is, is it justified to require more from kmos than any other to allow him to participate because of his history? Should no longer being disruptive but instead on par with any new contributor be the necessary threshold to permit Marco to participate again?
[13:30] cody-somerville: my feeling is that lifting a ban should require more than the normal threshold, simply because we have that prior history
[13:31] that said, I don't think bans should be unalterably for life
[13:31] I think it ought require a lower threshold than we might require for other sorts of approvals we perform, simply because he's not permitted to engage in most of the activities we typically review.
[13:31] interesting, and I see your point. perhaps a different kind of threshold
[13:31] "different kind" is a better way of phrasing it, indeed.
[13:31] We don't require any review though for an individual to be able to participate.
[13:31] I guess what I mean by a higher threshold is that it ought to require a higher level of enthusiasm from *people*
[13:32] given that many of the problems were essentially social
[13:32] I believe we also must judge based on the criteria in the ban email, rather than anything else.
[13:33] I agree, and I'm trying to extemporise "MOTUs supporting this wish actively" into something we can apply
[13:33] Why would a Ubuntu developer get enthusiastic about someone who isn't allowed to participate in Ubuntu development?
[13:33] I don't know about you but I develop in more than just Ubuntu :-)
[13:33] plenty of people have Debian experience for instance
[13:34] And plenty who don't end up spending time reviewing changes coming from Debian.
[13:34] is Kmos allowed to contribute through proxies (other MOTUs)?
[13:34] the positive comments so far seem to be essentially "I got a few patches and they seemed OK"
[13:34] and that kind of thing
[13:34] geser, That's a complex question: I'd say that some of the work he's done with pitti skirts the edge of banned behaviour, whereas I was comfortable with his work with liw (computer-janitor)
[13:35] Lucas' comment involves some of the most direct experience, and is the most positive
[13:35] * persia spends some time each week reviewing apparent activity in Ubuntu and Debian, and counselling when there is an appearance of Ubuntu-development-related work
[13:35] persia also commented in the report "The vast majority of the reports I have received about his work in Debian have been positive, especially those received in the last year"
[13:35] I think we should give Marco a second chance, ie. a probationary period.
[13:36] At the end of the probationary period, we can evaluate any comments or complaints made against kmos after that time and make a decision if he can continue to participate or not.
[13:36] I'm ambivalent about the ban-skating; on one hand I disapprove of working around bans, but on the other it seems somehow mean to complain based purely on that
[13:37] I don't think it requires a probationary period. I think the question before us is simply: shall we allow him to start as a new contributor. If he doesn't behave, there's plenty of precedent to ask him to stop. The risk is that we cause annoyance for developers, some of whom have already spent way too much time untangling from past actions.
[13:37] persia: were the three cases of ban-skating recent?
[13:37] the ones that caused developers to report them
[13:38] persia, If we let him start as a new contributor then the same burden of proof to ban a new contributor will be required to ban him again.
[13:38] how recent is "recent"?
[13:38] how about "how long ago were they?"
[13:38] One of them was somewhere around lucid release (I think after beta freeze). The others were earlier. I'd have to dig logs to get exact dates.
[13:39] rough impression is OK
[13:39] We need to move on.
[13:39] how severe were those annoyances?
[13:40] More common behaviour is to watch IRC (he's only +q), and when something he can sort comes up, passing the answer to someone in /query, which I tend to tolerate so long as nobody complains and it's not too obvious.
[13:40] geser, People saying "Isn't he banned"? I don't recall any cases where there was something he did that caused specific cleanup issues.
[13:40] I motion to postpone consideration.
[13:41] Let me qualify that: I don't remember any such after the initial issues related to implementation of the ban.
[13:42] I second Cody's motion as long as the postponement includes a call for feedback from developers
[13:42] (otherwise we'll just postpone indefinitely)
[13:42] he should get allowed to work through a proxy (a MOTU) to get some actual feedback
[13:43] Given that the threshold to get banned is SO high, it seems odd to me to consider it was a mistake.
[13:43] geser, I'm not sure how that is different from any other participation by a non-member of ~ubuntu-dev: to me that is equivalent to lifting the ban.
[13:44] [VOTE] Postpone consideration of Marco Rodrigues's request and call for feedback from developers.
[13:44] Please vote on: Postpone consideration of Marco Rodrigues's request and call for feedback from developers..
[13:44] Public votes can be registered by saying +1/-1/+0 in the channel, private votes by messaging the channel followed by +1/-1/+0 to MootBot
[13:44] E.g. /msg MootBot +1 #ubuntu-meeting
[13:44] ScottK, I very much don't consider the ban a mistake. I think it was important that it happened. I happen to know that Kmos agrees.
[13:44] it's different because the proxy is volunteering to essentially be exposed to somebody who may turn out to waste their time
[13:44] +1
[13:44] +1 received from cody-somerville. 1 for, 0 against. 0 have abstained. Count is now 1
[13:44] and to take responsibility for the actions that result that are visible to other Ubuntu developers
[13:44] I'm just under the impression that he's close to having reached the threshold required in the ban terms.
[13:44] +1
[13:44] +1 received from persia. 2 for, 0 against. 0 have abstained. Count is now 2
[13:44] +1
[13:44] +1 received from geser. 3 for, 0 against. 0 have abstained. Count is now 3
[13:44] +1 # with comments above
[13:44] +1 received from cjwatson. 4 for, 0 against. 0 have abstained. Count is now 4
[13:44] +1
[13:44] +1 received from stgraber. 5 for, 0 against. 0 have abstained. Count is now 5
[13:44] #endvote
[13:45] what's the command to end the vote?
[13:45] persia: eg. a new contributor can use requestsync, he should send them first to his proxy instead of directly to LP and ~ubuntu-sponsors
[13:45] [ENDVOTE]
[13:45] [ENDVOTE]
[13:45] Final result is 5 for, 0 against. 0 abstained. Total: 5
[13:45] geser, Ah, so another oversight period. Let's discuss next time, but I think I could accept that sort of thing, if there were volunteers.
[13:46] [ACTION] cody-somerville: Call for feedback from developers on Marco Rodrigues's request
[13:46] ACTION received: cody-somerville: Call for feedback from developers on Marco Rodrigues's request
[13:46] [TOPIC] PerPackageUploader Applications: Barry Warsaw for gtimelog
[13:46] New Topic: PerPackageUploader Applications: Barry Warsaw for gtimelog
[13:46] FIFO order for the rest of the agenda is barry then raphink
[13:46] ah yes :)
[13:46] [LINK] https://wiki.ubuntu.com/BarryWarsaw/MyApplication
[13:46] LINK received: https://wiki.ubuntu.com/BarryWarsaw/MyApplication
[13:47] hi guys
[13:48] barry, Please briefly introduce yourself and the rationale for your request.
[13:49] barry warsaw here. i'm on platform foundations, and a long time python core dev. i have ppu for a handful of packages and was recently given upstream commit privs to gtimelog. since i'll be spinning packages for it i'd like to get ppu for gtimelog in ubuntu
[13:49] barry, How many times have you uploaded gtimelog to Ubuntu?
[13:50] cody-somerville, one sponsored upload. the version in lucid was *way* out of date (squeeze too), so i worked w/upstream to get a new version out, then fixed the packaging and got sponsor to upload
[13:51] barry, Does gtimelog use any patch system?
[13:51] quilt3
[13:52] barry, How is the state of gtimelog in Debian?
[13:52] barry: I guess doko reviewed the new packaging before sponsoring. Did he find any issues you needed to fix?
[13:53] persia, we need to get 0.4.0 into debian. i've contacted the debian maintainer and between him, myself, and upstream author, we're trying to work out a transfer or cooperation
[13:53] geser, no, i don't think so
[13:53] persia, iirc the current registered deb maint for gtimelog is mia
[13:54] barry, Do you build your packages in a chroot before uploading to Ubuntu?
[13:54] It's orphaned, actually: Debian bug #585145
[13:54] Debian bug 585145 in wnpp "ITA: gtimelog -- minimal timelogging system" [Normal,Open] http://bugs.debian.org/585145
[13:54] cody-somerville: (I don't ;-) )
[13:55] cody-somerville, yep, and a ppa (~gtimelog-dev)
[13:55] barry, Are you subscribed to bug reports filed against gtimelog in Ubuntu?
[13:56] cody-somerville, i am
[13:56] cody-somerville, upstream uses lp for bugs and i am now an admin for ~gtimelog-dev so i'm watching everything (at least i think i am ;)
[13:56] Any other questions for barry before I call the vote?
[13:57] * stgraber doesn't have any.
[13:57] * cjwatson has none, other than get on with building enough breadth that we can just make you a MOTU already :-)
[13:58] Or something else, as appropriate.
[13:58] cjwatson, :)
[13:58] persia, i actually think we should add some kind of python packageset
[13:58] [VOTE] Grant Barry Warsaw PPU permission to gtimelog
[13:58] Please vote on: Grant Barry Warsaw PPU permission to gtimelog.
[13:58] Public votes can be registered by saying +1/-1/+0 in the channel, private votes by messaging the channel followed by +1/-1/+0 to MootBot
[13:58] E.g. /msg MootBot +1 #ubuntu-meeting
[13:58] +1
[13:58] +1 received from cjwatson. 1 for, 0 against. 0 have abstained. Count is now 1
[13:58] +1
[13:58] +1
[13:58] +1 received from stgraber. 2 for, 0 against. 0 have abstained. Count is now 2
[13:58] +1 received from geser. 3 for, 0 against. 0 have abstained. Count is now 3
[13:58] +1
[13:58] +1 received from cody-somerville. 4 for, 0 against. 0 have abstained. Count is now 4
[13:59] +0 : insufficient prior history of work with the package: one upload does not show maintenance history
[13:59] Abstention received from persia. 4 for, 0 against. 1 have abstained. Count is now 4
[13:59] * stgraber is off to another meeting now
[14:00] [ENDVOTE]
[14:00] Final result is 4 for, 0 against. 1 abstained. Total: 4
[14:00] persia, ack. it's a rather slow moving package, but i do intend to do more bug fixing on it
[14:00] o/
[14:01] Is that successful?
[14:01] oh hello soren
[14:01] barry, Understood. Note that I was +0 rather than -1 because I know you'll do a good job on it, but I think that you don't qualify under PPU guidelines according to https://wiki.ubuntu.com/UbuntuDevelopers
[14:01] cody-somerville, Yes.
[14:01] * barry nods
[14:02] Sorry, apparently I suck at timezones.
[14:02] [VOTE] Ubuntu Core Developer Application: Raphaël Pinson (recovery)
[14:02] Please vote on: Ubuntu Core Developer Application: Raphaël Pinson (recovery).
[14:02] Public votes can be registered by saying +1/-1/+0 in the channel, private votes by messaging the channel followed by +1/-1/+0 to MootBot
[14:02] E.g. /msg MootBot +1 #ubuntu-meeting
[14:02] err..
[14:02] [ENDVOTE]
[14:02] Final result is 0 for, 0 against. 0 abstained. Total: 0
[14:02] * cjwatson doesn't interpret the "uploads" there as a strict plural; it depends on the circumstances
[14:02] [TOPIC] Ubuntu Core Developer Application: Raphaël Pinson (recovery)
[14:02] New Topic: Ubuntu Core Developer Application: Raphaël Pinson (recovery)
[14:02] hehe ;)
[14:02] [LINK] https://lists.ubuntu.com/archives/devel-permissions/2010-August/000098.html
[14:02] LINK received: https://lists.ubuntu.com/archives/devel-permissions/2010-August/000098.html
[14:02] I can give a summary here :-)
[14:03] raphink, please do and please include a link to your launchpad page
[14:03] Hello, I'm Raphael Pinson. Some of you probably know me from my involvement in Kubuntu as a core-dev, mostly between 2005 and 2007. Since then, I have mostly worked as a Systems Engineer for a major telecom company and built a buildd/wanna-build/reprepro system to automate the creation of Debian/Ubuntu packages for a fleet of about 3000 servers. My recent involvement in Ubuntu has mostly been on projects like byobu (with kirkland) or augeas (
[14:03] with nxvl).
[14:03] Like I posted on the ML, some time ago, I lost my ubuntu-dev, ubuntu-coredev and ubuntu-members upload rights as I hadn't renewed my LP memberships. Thanks to the advice of canonical employees, I was able to get my ubuntu-members membership back so I can use my @ubuntu.com email again, but I would like to recover my upload rights as well. I have quite a few packages to contribute (mostly server software such as db5.0, mysql-server-5.1 or db
[14:03] xml) and I'd be happy to upload them.
[14:03] LP page: https://launchpad.net/~raphink
[14:03] I hope none of that is intended for Maverick?
[14:04] [LINK] https://launchpad.net/~raphink
[14:04] LINK received: https://launchpad.net/~raphink
[14:04] the wiki page is a bit oldish probably ;-)
[14:04] soren: I'm not in a hurry to upload anything, and when it comes to db5.0 for example, I would certainly speak to the db4.8 package maintainer first ;-)
[14:05] although db5.0 doesn't exist in the repositories yet, so it wouldn't hurt
[14:05] woo, i see raphink \o/
[14:05] haha, hi nixternal :-)
[14:06] How long ago did your membership expire?
[14:06] hmmm probably almost a year ago I would say, not sure of the date
[14:07] the LP page for core-dev used to list deactivated members with the date
[14:07] Expired on 2009-03-13
[14:07] Subject: raphink expired from team
[14:07] Date: Fri, 13 Mar 2009 05:15:10 -0000
[14:07] ok :)
[14:07] (According to https://edge.launchpad.net/~ubuntu-core-dev/+members )
[14:07] you're better than me at finding these info :-)
[14:07] raphink: what did you do to get up-to-date with current processes?
[14:08] raphink, What caused you to let your development lapse?
[14:08] family :-)
[14:08] there's priorities in life, contributing is important to me, but it's not the #1 priority
[14:08] as far as processes and techniques geser
[14:08] like I said, I'm ftpmaster at my work
[14:09] so I'm the one training all the packagers in my company with all the packaging technos and processes (debian policy) when they need to
[14:09] that doesn't necessarily ensure I know everything about the latest processes inside Ubuntu
[14:09] but I'm up-to-date as far as packaging techniques go
[14:10] I would certainly ask if in doubt
[14:10] I know enough people around here to find experts in processes if I need to
[14:11] I'm quite hungry so I'd like to call the vote if nobody has any other questions.
[14:11] hehe ;)
[14:13] no questions
[14:13] I'm good.
[14:13] [VOTE] Ubuntu Core Developer Application: Raphaël Pinson (recovery)
[14:13] Please vote on: Ubuntu Core Developer Application: Raphaël Pinson (recovery).
[14:13] Public votes can be registered by saying +1/-1/+0 in the channel, private votes by messaging the channel followed by +1/-1/+0 to MootBot
[14:13] E.g. /msg MootBot +1 #ubuntu-meeting
[14:13] +1
[14:13] +1 received from soren. 1 for, 0 against. 0 have abstained. Count is now 1
[14:13] +0
[14:13] Abstention received from cody-somerville. 1 for, 0 against. 1 have abstained. Count is now 1
[14:13] +1
[14:13] +1 received from persia. 2 for, 0 against. 1 have abstained. Count is now 2
[14:13] +1
[14:13] +1 received from geser. 3 for, 0 against. 1 have abstained. Count is now 3
[14:14] +1 # generally happy for people to return as long as they can put some time in again and have put some effort into catching up
[14:14] +1 received from cjwatson. 4 for, 0 against. 1 have abstained. Count is now 4
[14:14] [ENDVOTE]
[14:14] Final result is 4 for, 0 against. 1 abstained. Total: 4
[14:14] (While I would prefer if people would just renew their membership when Launchpad tells them to, I believe re-granting them their membership should be a formality)
[14:14] [TOPIC] Select a chair for the next meeting
[14:14] New Topic: Select a chair for the next meeting
[14:14] soren: sometimes you're on vacation when this happens ;-)
[14:15] They could be as up-to-date (or out-of-date) as the ones who manage to click "Renew".
[14:15] thanks guys, enjoy your meal cody-somerville
[14:15] raphink: Precisely.
[14:15] the next meeting is at 19:00 UTC, right?
[14:15] yup
[14:15] then I should be able to chair it
[14:16] [ACTION] geser to chair next meeting
[14:16] Sorry about missing the first hour. /me adjusts calendar. :(
[14:16] ACTION received: geser to chair next meeting
[14:16] #endmeeting
[14:16] Meeting finished at 08:16.
[14:16] soren, I like to hear why people left, and what they plan to do when they come back. We had a couple cases in the past where people seemed to want things for vanity reasons, and I think it's important we don't encourage our repositories to be more vulnerable.
[14:17] persia: If they explicitly left, sure.
[14:17] persia: If they expired, less so.
[14:17] * persia doesn't see much difference, since it's impossible to understand the mindset of folks not pressing the button
[14:17] persia: If you're really serious about checking up on people every once in a while, we shouldn't let people refresh on their own, but always come before the DMB to get it refreshed.
[14:17] That said, we could do a much better job about poking people who expire to ensure it's intentional.
[14:18] that's more work for sure
[14:18] soren, I would prefer that were the case, personally. The few discussions about it in which I've participated always fall down somewhere along the way.
[14:18] persia: /me finds it equally impossible to understand the mindset of people who /do/ press the button.
[14:18] raphink, I think that's the main reason we don't do it that way :)
[14:19] soren, Completely agreed.
[14:19] from my experience, having your membership expire can be discouraging
[14:19] soren, Well, identically impossible, rather.
[14:19] as in, it might prevent you from uploading some things because you don't want to go through a process of renewal, DMB, etc.
[14:20] Ideally that shouldn't be something people consider hard or scary.
[14:21] mhm
[14:22] Note that getting from here to my ideal world is a long, long journey :)
[14:22] haha
[14:22] raphink: is the renewal process too hard/easy?
[14:22] once you know about it, it's rather easy ;-)
[14:22] maybe it's lacking documentation (or I'm bad at finding it)
[14:23] probably the first
[14:39] I think the (limited) documentation is some email to the MC list a long time ago.
[14:45] persia: you were my documentation in that case iirc
[14:46] heh, yeah. I need to upload increasing chunks of my memory to the wiki, a bad habit I've had for years now, sadly.
[14:47] well, same here
=== Ursinha is now known as Ursinha-lunch
=== ian_brasil___ is now known as ian_brasil
=== Ursinha-lunch is now known as Ursinha
[18:07] mdeslaur, jdstrand, sbeattie, robbiew, nxvl, jjohansen: security team meeting! ready?
[18:07] o/
[18:07] hi!
[18:08] hey
[18:08] quorum!
[18:08] okay, I'll start.
[18:08] \o
[18:08] the update I was going to be working on has been delayed by upstream, so I'm going to find something else to do.
[18:08] the CVE triage last week was mysteriously light. it scares me.
[18:09] calm before the storm
[18:09] kees: that's because the week before, it was painful
[18:09] ah-ha.
[18:09] kees: feel free to go back and review the umpteen webkit/chromium and other issues I triaged.
[18:09] 0/
[18:09] I've been fighting with the rng qrt; dieharder is yelling about minor stuff
[18:09] sbeattie: let's hire someone to do that. :)
[18:10] I'm working on an embargoed issue, but that's mostly done and the solution is simple and in the hands of who needs it.
[18:10] * jdstrand triaged some of the chromium ones
[18:11] I've got a topic for the end, so I'll stop here. jdstrand is up
[18:12] last week I beat down a number of bugs in libvirt. one of them gave me a better understanding for my update
[18:13] I still have to do lucid testing of all the peripheral applications as mentioned before... maybe this is the week that happens...
[18:13] I'm on triage this week
[18:13] I plan to do the get_file_list.sh audits (as part of ReleaseCycle) as well as do the qrt testing of applications that have apparmor profiles
[18:14] I need jjohansen's network mediation fix though
[18:14] you mean maverick testing, yes?
[18:14] jjohansen: do have an amd64 kernel for maverick
[18:14] jdstrand: duh, I'll get you a kernel in about an hour
[18:14] kees: yes-- run the qrt tests on maverick
[18:14] kees: well, all of it-- all maverick, all the time
[18:15] these things and any new bugs that come in should keep me busy this week
[18:15] that's it from me. mdeslaur?
[18:15] my turn
[18:15] so, I finally released the fixes for CVE-2009-3555
[18:16] The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle att
[18:16] \o/
[18:16] * mdeslaur punches ubottu
[18:16] and there hasn't been any bugs reported against them so far, so it's looking good :)
[18:16] mdeslaur: great, great job
[18:16] jjohansen: oh, I forgot to thank you. thanks!
[18:17] yeah, awesome work mdeslaur
[18:17] this week, I'll be releasing: avahi, libgdiplus, libhx, libmikmod, lvm2 and mako updates
[18:17] wooo!
[18:17] mdeslaur: is that all?
[18:17] slacker
[18:17] lol
[18:17] :)
[18:18] hehe
[18:18] that's it from me
[18:18] sbeattie?
[18:18] I was on community last week.
[18:18] I released a quassel update and also moved ant from security-proposed.
[18:20] I still need to do an SRU upload for openjdk/lucid to address the haxb regressions, but want to look for other potential SRU fixes as well.
[18:20] this week I'm in the happy place, so I should be able to do that.
[18:20] I'm also hoping to pick up and push out a couple more updates.
[18:21] I think that's everything.
[18:21] Oh, as an aside, kees wasn't joking when he mentioned hiring someone for webkit security: http://webapps.ubuntu.com/employment/canonical_UP-USE/
[18:22] (in case anyone reading is interested in applying)
[18:22] yep
[18:22] that might be a twitter-worthy url, actually. I'll send that out.
[18:22] that's all from me.
[18:22] oh! yeah, if you're a webkit hacker, please come join the coolest team: security! :)
[18:22] (as well as Mozilla and Chromium)
[18:22] and mozilla and chromium-- don't leave them out either :)
[18:22] and mozilla and chromium
[18:23] :)
[18:23] I have a quick item for the end as well
[18:23] "Want to hack on webkit, chromium, firefox? Join the Ubuntu Security Team! http://webapps.ubuntu.com/employment/canonical_UP-USE/" <- sound good?
[18:24] yes
[18:24] Works For Me.
[18:24] s/firefox/and firefox/
[18:24] but yes, sounds fun and positive :)
[18:24] edited and sent
[18:25] okay, jdstrand, you first on items
[18:25] we may want to do the same in #ubuntu-mozillateam, since that is where all the browser guys hang out
[18:26] oh, me, yes
[18:26] it would be good if we all peeked at https://bugs.launchpad.net/ubuntu/maverick/+bugs for anything that we touch
[18:26] I did this morning and believe the apparmor and libvirt ones are in hand, but other people's eyes would be great
[18:26] jdstrand: yeah, I took a look at the earlier
[18:26] I think there are ~142 bugs there
[18:26] cool
[18:27] that was all I had
[18:27] there's libtiff that looked related to us
[18:27] kees: ^
[18:27] there are still a few libtiff issues that upstream is working on or worked on, yeah
[18:27] cool
[18:27] I wanted to have us think out loud about UDS planning.
[18:28] we already talked about how we wanted to have roundtables and scatter ourselves around the UDS to help guide stuff, but do we have anything more specific we want to do?
[18:29] kees: you mean stuff we'd like to cover in our roundtables?
[18:29] mdeslaur: no I meant more specifically. blueprints we think we can't do without, etc?
[18:30] mdeslaur: i.e. instead of last UDS's planning style ("what is anything we might be interested in?") I figured we could do "what is absolutely required?"
[18:31] kees: we need to meet as apparmor upstream for sure
[18:31] kees: I'm hoping to do a session with the qa team on increasing collaboration and usage of qa-r-t (again).
[18:31] most of my stuff last time is moving BPs forward to track things todo
[18:32] that sounded weird
[18:32] I'd like to talk to soyuz folks again; I'd like to see incremental publication so we can publish amd64 kernels while we wait on sparc, for example.
[18:32] I have a lot todo; I'd like time to do it, but don't have a lot to discuss
[18:32] kees: that would be very welcome
[18:33] jdstrand: yeah, agreed
[18:33] okay, so I guess we'll each make the bps we're interested in and go from there. :) that's really it from me.
[18:33] kees: we could schedule some time to go through all the BPs and prioritize them into reality
[18:34] jdstrand: all the existing ones, you mean?
[18:34] kees: ie, all the ones that didn't get completed-- at least for lucid and maverick
[18:34] kees: that is the idea, yeah
[18:34] we can reprioritize things
[18:34] (if needed)
[18:35] you know, so we don't lose track of old stuff that never got implemented due to time constraints and that we didn't move forward
[18:35] maybe there isn't a lot, but I feel like it would be worth reviewing
[18:35] yup, totally. we did that for maverick too
[18:36] cool
[18:37] kees: speaking of bps, can you update https://blueprints.launchpad.net/ubuntu/+spec/security-m-gpg-migration? should probably be at least 'Started'
[18:37] yeah, good point.
[18:38] "slow progress"
[18:38] mdeslaur: fwiw, evo in maverick seems just fine with the new keys
[18:38] mdeslaur: I bet you already knew that though
[18:38] jdstrand: oh? I'm surprised
[18:39] kees: I bet tbird is going to be ok too, since lucid and maverick have tbird >= 3.0
[18:39] mdeslaur: I can verify sbeattie's USNs fine. I didn't try all the other stuff
[18:39] jdstrand: oh, the problem was with sending email, not verifying it
[18:39] jdstrand: but, it's probably fixed now
[18:39] yeah, once we validate tbird, it's probably time to do the GPG migration. I will write up the how-to.
[18:40] kees: well, mdeslaur and I need evo to work :)
[18:40] I'll test evo this week
[18:40] * sbeattie adds an apparmor todo item to migrate that project's key.
[18:41] jdstrand: I thought evo was okay? "evo in maverick seems just fine with the new keys"
[18:41] oh, er, I somehow skipped over "problem was with sending email"
[18:41] kees: a) mdeslaur said sending was an issue and b) part of the bp is lucid compatibility.
[18:42] lucid!? that's so OOOOLD ;)
[18:42] though if all but lucid/evo worked, I wonder if we could consider migrating our keys anyway
[18:42] perhaps a discussion for after mdeslaur does his evaluation
[18:42] sounds good.
[18:43] sbeattie: did you follow the migration process that the debian folks published?
[18:43] kees: yes.
[18:43] kees: I don't have anything more wrt UDS otoh. I'd like to think about it more though
[18:43] well, if our users are running evo on lucid and can't verify our email signatures, that would be bad(tm)
[18:44] mdeslaur: well, verifying does work on maverick-- but like you said, it needs to be evaluated fully
[18:44] (ie, maybe verifying worked in lucid too)
[18:44] okay, anything else anyone wants to bring up?
[18:45] kees: you are only working on dieharder with the rng?
[18:46] I was planning to fire up some ec2 instances for rng !dieharder
[18:46] jdstrand: yeah, haven't done the non-dieharder tests. saw "$100" and decided to stay away :)
[18:47] kees: hehe
[18:47] I was told that is not a problem
[18:47] kees: I'll take non-dieharder
[18:47] jdstrand: okay, cool
[18:49] alright, sounds like we're done. thanks!
[18:51] thanks kees!
[18:51] thanks!
=== doko_ is now known as doko
=== ink|off|ZNC is now known as inkvizitor68sl
=== unimix_ is now known as unimix
=== unimix_ is now known as unimix
=== yofel_ is now known as yofel
=== Ursinha is now known as Ursinha-afk