=== oubiwann is now known as oubiwann_
=== JackyAlcine is now known as DanteAshton2
=== Artir is now known as DanteAshton3
=== DanteAshton2 is now known as JackyAlcine
=== DanteAshton3 is now known as Artir
=== JackyAlcine is now known as phillw1
=== Artir is now known as phillw3
=== phillw3 is now known as Artir
=== phillw1 is now known as JackyAlcine
=== JackyAlcine is now known as DanteAshton1
=== DanteAshton1 is now known as JackyAlcine
=== Artir is now known as DanteAhston
=== DanteAhston is now known as Artir
[12:01] cody-somerville, soren, cjwatson, geser, stgraber, bdrung: about?
[12:02] yeah
[12:04] hi
[12:04] don't we have a new board yet? :)
[12:05] We're picking one today, so this is the last for both of you.
[12:05] If we fail to get quorum to pick one, I'll pass the information received to the TB, and so there will be one for next time.
[12:09] stgraber, cody-somerville, bdrung ?
[12:09] Just need one more.
[12:13] sigh
[12:14] Right. I don't want to chair a non-meeting.
[12:14] cjwatson, soren: Thanks a lot for serving on the DMB. You will be missed.
[12:14] I'll ask the TB to select a new DMB from the nominees, with the poll data.
[12:14] And the new DMB can process the pending applications.
[12:15] You're welcome; bye!
[12:15] oh wait
[12:15] * geser waves
[12:15] Oh, hey geser!
[12:15] aha, quorum
[12:15] #startmeeting
[12:15] Meeting started at 06:15. The chair is persia.
[12:15] Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[12:16] [LINK] https://wiki.ubuntu.com/DeveloperMembershipBoard/Agenda
[12:16] LINK received: https://wiki.ubuntu.com/DeveloperMembershipBoard/Agenda
[12:16] [TOPIC] Selection of a new DMB
[12:16] New Topic: Selection of a new DMB
[12:16] * persia ends the poll
[12:16] * Amaranth rushes to vo....oh
[12:16] ;)
[12:17] So, we had some nominees, and we had a poll.
[12:17] Results are now available, with 93 voters.
[12:17] [LINK] http://www.cs.cornell.edu/w8/~andru/cgi-perl/civs/results.pl?id=E_924ef5b8e9f6d03b
[12:17] not bad
[12:17] LINK received: http://www.cs.cornell.edu/w8/~andru/cgi-perl/civs/results.pl?id=E_924ef5b8e9f6d03b
[12:18] So, do we wish to accept the winning set from CIVS? Any reservations or concerns?
[12:18] * bdrung is here now.
[12:18] persia: lgtm
[12:18] so all incumbents stay, and Laney and maco replace soren and me
[12:19] That would be the result, yes.
[12:19] fairly tight race around the boundary
[12:19] * cdbs came last
[12:20] but I don't see a reason to be concerned about the result
[12:20] Well, if both of those departing are happy, and since the rest of us have obvious bias, I'll call that agreed.
[12:21] [AGREED} New DMB to be the winners of the CIVS poll, without modification or adjustment.
[12:21] AGREED received: [AGREED} New DMB to be the winners of the CIVS poll, without modification or adjustment.
[12:21] "None of the above" did particularly poorly.
[12:21] does that come into effect after this meeting, or immediately? :)
[12:21] (because if immediately, we probably just became inquorate)
[12:21] We'd lose quorum if it's immediate. You're the closest to the TB we have available: how long did the term extension last?
[12:22] "does not expect this to be complete until after 14th February", from your original mail
[12:22] and the TB agreed to an extension covering that
[12:23] so I think it's OK to consider the extension as covering this meeting
[12:23] I assert it's still 14th February, as none of us are in New Zealand or points east.
[12:23] Moving on.
[12:23] the new DMB will need to select their own meeting times, etc., anyway
[12:23] [TOPIC] MOTU Application for Sylvestre Ledru
[12:23] New Topic: MOTU Application for Sylvestre Ledru
[12:24] [LINK] https://wiki.ubuntu.com/UbuntuDevelopment/SylvestreLedruMOTU
[12:24] LINK received: https://wiki.ubuntu.com/UbuntuDevelopment/SylvestreLedruMOTU
[12:24] The LP link on that page is broken.
[12:24] [LINK] https://launchpad.net/~sylvestre
[12:24] LINK received: https://launchpad.net/~sylvestre
[12:24] Why was the page created under the UbuntuDevelopment/ directory?
[12:24] is there a change in policy?
[12:24] no
[12:24] No
[12:25] wiki layout in "random" shocker :)
[12:25] the launchpad link is broken
[12:25] bdrung, That's why I posted two links :)
[12:25] Sylvestre, are you present?
[12:25] I've taken the liberty of editing his application to fix the LP link
[12:28] He doesn't seem to be present.
[12:28] Moving on.
[12:28] [TOPIC] Development application for Dave Walker
[12:28] New Topic: Development application for Dave Walker
[12:28] o/
[12:29] Daviey is applying for all of MOTU, Server, and Core at the same time. I trimmed that down to just core-dev.
[12:29] persia, Yes, but i did want to go through the process for the other two
[12:29] Daviey's application has not yet aged the week we request. Do we wish to review it today, or wait for general comments, and review next time?
[12:29] core-dev covers the lot, although it's rational to apply for the lot since that means that if we decline his core-dev application he doesn't need to go through another application cycle for the others
[12:29] Daviey, code-dev is a member of both others.
[12:30] Indeed. That's how I read it: if we reject core-dev, we re-review MOTU and Server.
[12:30] persia, Direct inclusion or through inheritance?
[12:30] inheritance.
[12:31] But, in practice, it doesn't matter. You get the badges on LP. You get accepted by the teams if you're working with them, etc.
[12:31] persia, yeah, it's just that server-dev is looking kinda neglected.. so wanted to help raise the membership count additionally.
[12:31] Well, not he server package set one.
[12:31] s/ he/ the/
[12:32] core-dev isn't a member of that team, IIRC.
[12:32] the package set isn't quite ready yet, is it cjwatson ?
[12:32] Or am I on crack again?
[12:32] I was under the impression it was waiting for the first member for the process to be completed
[12:32] Yeah, core-dev is not a member of that team.
[12:33] the package set exists and AFAIK is administered by the DMB
[12:33] No, the process is complete. At this point, any issues are implementation bugs.
[12:33] Last time i polled the ACL, server-dev didn't have access.
[12:33] indeed, that would imply the DMB delegating permissions
[12:34] which is generally a separate discussion from creating a package set
[12:34] oh, wait, the DMB owns ubuntu-server-dev
[12:34] And I believe we had that discussion at the time server-dev was created, and decided that we would not delegate at this time.
[12:34] * Daviey wonders if he can be heard this meeting, but with the final ack being done with now+1 week pending criticism of his application.
[12:34] == All uploaders for package set 'ubuntu-server' in 'natty' ==
[12:34] Archive Upload Rights for ubuntu-core-dev: archive 'primary', package set 'ubuntu-server' in natty
[12:34] Archive Upload Rights for ubuntu-server-dev: archive 'primary', package set 'ubuntu-server' in natty
[12:35] so ubuntu-server-dev does have access to the ubuntu-server package set
[12:35] So all is good.
=== oubiwann_ is now known as oubiwann
[12:35] and mathiaz was the first member there
[12:35] oh... that has been updated since i last polled then :/
[12:36] or i am on soren's crack
[12:36] Opinions on questioning Daviey today? Do any DMB members want more time to develop interesting questions?
[12:37] I have perhaps one question.
[12:37] Is there anything specific that you intend to work on that's outside of MOTU+ubuntu-server-dev's reach?
[12:38] soren, yes - I have an interest in the whole platform
[12:38] Which was one reason i worked on dpkg.
[12:38] * soren can relate to that :)
[12:38] * bdrung is still reading the application.
[12:38] The server set isn't exactly complete for my interests.
[12:39] ...but if we're not going the process the application today, it doesn't matter anyway.
[12:39] You can see the difference if you look at the assigned packages for bug purposes and the package set
[12:39] it's reasonably large.
[12:39] cjwatson, geser: are you fine with questioning Daviey today?
[12:39] I'm fine
[12:40] I'm OK, though I've added a brief endorsement on his application too so don't really have any questions
[12:40] One of the reasons i've got around to apply, is that i'm finding that I want to work on less - as i'm using up my favours of sponsorship working on things i HAVE to work on, rather than the addition of things i want to work on.
[12:40] s/apply/applying/
[12:41] Daviey, How do you think we can encourage more peer-review by Ubuntu Developers?
[12:41] persia, well the patch pilot scheme has IMO already made a massive difference to this.
[12:42] But it still lacks personal attachment.
[12:42] People use the patch pilot for peer reviews?
[12:42] No.
[12:42] Ah sorry
[12:42] Oh.
[12:42] i misread the question
[12:42] Does it? While I like what patch-pilot is doing for sponsoring, I don't see how it helps peer-review between Ubuntu Developers.
[12:42] I think UDD can make a larger difference with this.
[12:43] I don't feel enough people use merge requests.
[12:43] what do you mean by peer review?
[12:43] I agree that JFDI attitude can help productivity
[12:43] you mean people who are already Ubuntu developers? (just clarifying)
[12:43] cjwatson, Developers that can upload, asking peers to review it before uploading
[12:44] ah, right, thanks
[12:44] if you understood the question I suppose that's all that matters :)
[12:44] heh
[12:44] Yes, well JFDI can aid productivity - but something i have noticed; traditionally the server has often got a little rough end of the deal, when a feature in Desktop is needed
[12:45] Plymouth introduction was quite bad for Server IMO.
[12:45] Do you think encouraging peer review would help that, or do you think we need more coordination between flavours?
[12:45] And some packages where silly mistakes have been made, could have been avoided if they had a once over.
[12:46] Plymouth will end up as a big advantage for server users, too, though.
[12:46] Some packages i've seen have had almost hacking away at a bug, until it's fixed.
[12:46] ...but that's a separate discussion :)
[12:46] * persia has seen packages hacked away at until they aren't fixed, but the tests passed
[12:46] persia, Yeah, i realised as i was typing that; it's two issues really.
[12:46] one thing I noticed, as somebody caught in the middle, was that a number of server folks basically had the attitude of "no, it was fine as it was, we want you to rip this all back out" rather than an attitude of trying to improve new packages so that they could cover both server and desktop bases
[12:46] soren, agreed... but the introduction could have been better handled perhaps.
[12:46] So, what's your proposal? Since you don't like it, and you're wanting to join Core dev...
[12:46] do you think this is a fair criticism, is it recognisable to you, and what do you think we can do about it?
[12:47] (this is very much something core-devs need to deal with - we're supposed to be integrating, not just picking a side)
[12:47] cjwatson, interesting... i had not seen that attitude being too obvious.
[12:47] cjwatson, I know some *users* mentioned that...but not sure it was clear cut within the team
[12:48] ok, that's a reasonable response, the boundary wasn't always clear to me
[12:48] Many of the server team want to see more polish... and on a non-LTS release perhaps making it better is greater than stability on server.
[12:48] (not desktop or other flavours)
[12:49] I cannot count how many hours I've spent on IRC, IRL, on blogs, etc explaining that event driven boot isn't *just* about speeding things up.
[12:49] soren, yes, upstart actually has more benefits to server than desktop IMO.
[12:50] Particularly if upstart adds some of the features it initially blueprinted.
[12:50] I can kind of see where people are coming from, though. Stuff that used to work suddenly didn't. It's easy to blame The New, Big Thing[tm].
[12:50] such as xinetd incorporation.
[12:51] So, let's step away from discussing upstart features.
[12:51] It's unfortunate that this often means increasing the delta with Debian.
[12:51] I'm still curious how the issue that makes Daviey unhappy could be addressed.
[12:52] persia, Something we considered at a team level was peer review of every upload after a certain mark in the release schedule
[12:52] It wasn't entirely agreed... but there was also some support for this.
[12:52] This was also discussed at the last UDS...
[12:52] Daviey, Did you imagine people would have reviews by people in their immediate teams (with interest in the package), or from other teams?
[12:53] ... and that was "eventful"... but that was the whole platform, not just a specific area.
[12:53] persia, both...
[12:53] Will you be bringing this issue to next UDS?
[12:53] If the package is depends/recommends of another team, then the merge proposal is a good way of notifying them of a potential diff
[12:53] persia, Yes.
[12:54] Daviey: isn't this peer-review like a sponsorship for each upload which seems to slow you down in your productivity?
[12:54] geser, interesting you say that...
[12:54] :)
[12:54] I would like to point out the peer review blog post regarding either bzr/lp... don't have it handy
[12:55] But i think it might slow people down initially... but a review can be quite fast when in the habit
[12:55] Daviey: how can we encourage devs to review packages from other teams? i am doing reviews for the package in the teams i am involved with and doing sponsoring, but i never reviewed packages from outside the team IIRC.
[12:55] geser, equally, sometimes it's good to be slowed down :)
[12:55] bdrung, It depends - is this packages outside a set?
[12:56] Not all team-maintained packages happen to have corresponding packagesets today.
[12:56] Daviey: i maintain most packages in Debian
[12:56] But for several teams, there are no outside contributions, despite the lack of packageset
[12:56] bdrung, you must be busy :)
[12:57] persia, The blog post i'd like to refer you to made specific references to working outside your comfort zone.
[12:57] I'd LOVE to be more involved in development outside my daily duties
[12:57] I think it adds an education factor, and better understanding
[12:57] Hrm? I'm just responding to the question "is this packages outside a set", to indicate that we have a very weak mapping of teams and packagesets currently.
[12:58] Sometimes doing reviews can be harder than doing the change yourself.. and reviewing outside comfort zone makes everyone better IMO.
[12:58] persia, Perhaps my response would have been better targeted towards bdrung
[12:59] * persia is done with questions
[12:59] persia, but yes, having good definitions of teams/people linked to packages makes it easier to know who to talk to
[12:59] It then reduces the need to maintain in-head knowledge
[13:00] For example, i know not to touch some packages without speaking to certain individuals/teams
[13:00] And having a good person+team/package list definition helps new contributors IMO.
[13:01] Daviey: assuming that i want to have my changes reviewed. then i push the bzr branch with my changes and create a merge proposal. who will get notified with this merge proposal? what do i need to do to get notified about the packages i care about?
[13:02] bdrung, It might require a bug against LP, AIUI currently you have to select who reviews it.
[13:03] I want to add, that i don't think it should be mandatory, but a better ethos of people asking each other,.... perhaps even informal
[13:04] hm, it would be nice if lp gives you the possibility to subscribe to merge proposals for specific packages and a way to query who is subscribed and has upload rights (= similar to Uploaders in d/control)
[13:04] What i have said so far, is possibly better continued in a shared UDS session.... and not one chappy spouting his opinions :)
[13:04] bdrung, agreed!
[13:05] Daviey: yes, let's continue this discussion on another channel / next UDS
[13:05] Daviey, The key is that this is a time when you have the spotlight to complain, and we have a duty to ensure you can move forward to solve the problem. You taking it to UDS is the right answer in both cases.
[13:05] Anyone else have other questions for Daviey?
[13:06] no
[13:06] no
[13:06] not I
[13:06] Great.
[13:07] Please feel free to vote by email to the d-m-b list, and I'll take a final tally when the comment period completes, with a renewed call for votes in the event that quorum is not reached.
[13:07] [TOPIC] Next Meeting
[13:07] New Topic: Next Meeting
[13:07] why vote by e-mail rather than here?
[13:07] Oh, and one more thing... i am *sometimes* wrong. Greater peer review just might not work.. but it's worth trying - if it does help improve quality.
[13:08] I don't want to vote until after the comment period, in case something happens to change my vote.
[13:08] in that case I shouldn't vote at all
[13:08] Probably not: we'll consider your comment.
[13:08] ho hum ding.
[13:09] * cjwatson sends mail
[13:09] So, the newly selected DMB does not have agreement on meeting times. We'll try to select some by email, and try to announce them by next Monday, to ensure that applicants can know when they have to attend a meeting when applying.
[13:09] [TOPIC] Anything else
[13:09] New Topic: Anything else
[13:09] Anyone have anything here?
[13:11] Excellent.
[13:11] #endmeeting
[13:11] Meeting finished at 07:11.
[13:11] \o/
[13:11] Thanks everyone for coming.
[13:11] So long and thanks for all the fish!
[13:11] :)
[13:12] thanks all for hearing me.
[13:17] persia: oh, somebody should take over developer-membership-board@ and devel-permissions@ list administration from me. Do you want to do it?
[13:18] Oh, very much not, but I suppose I ought. Please do adjust them to me.
[13:18] or if somebody else wants it that's fine too
[13:18] do you have the passwords?
[13:18] And I'll hope I can find another victim from the new DMB.
[13:18] I don't believe I have the passwords: I'd appreciate them fresh in any case.
[13:19] I'll send you them by encrypted mail
[13:20] Thanks.
[13:20] How would you like us to make requests for TB-changes to ACLs? random ping? mail to you? Mail to TB?
[13:21] mail to TB is probably the right thing
[13:21] I'm sure I'll often pick them up, but it would be best not to enshrine myself in a process
[13:25] makes sense. I'll ensure we do that in the future.
=== oubiwann is now known as oubiwann_
=== cking is now known as cking-afk
[15:26] hm, it would be nice if lp gives you the possibility to subscribe to merge proposals for specific packages and a way to query who is subscribed and has upload rights (= similar to Uploaders in d/control) <-- yes yes yes please
=== JackyAlcine is now known as Graviti
=== Graviti is now known as JackyAlcine
[15:58] hi ara, bjf
[15:58] moin
[15:58] hey skaet!
[15:59] * charlie-tca waves
[15:59] * skaet waves back to charlie-tca
[15:59] * hggdh grabs new coffee
[15:59] Hi all!
[16:00] * marjo waves
[16:00] looks like quorum, so time to start. :)
[16:01] #startmeeting
[16:01] Meeting started at 10:01. The chair is skaet.
[16:01] Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[16:01] Reminder, please follow the convention of using ".." on a separate line when you've finished typing. Also, If someone wants to comment on the last point, please "o/", so we know to wait.
[16:01] This meeting will be focusing on the 10.04.2 release.
[16:01] * charlie-tca hides
[16:01] Couple of snags cropped up in the image creation on Friday, and a few more on the sniff testing over the weekend, so want to make sure we're all seeing the same priorities
[16:02] sounds like a plan
[16:02] * zul waves
[16:02] On the good news front, hardware cert has mostly finished the 2 week hardware certification runs, and no regressions were found as of last friday. More details from ara later. :)
[16:03] Images currently under rebuild are Xubuntu, and the K/Ubuntu DVDs.
[16:03] Any questions before I get into the mailed out agenda/round table?
[16:03] ..
[16:03] skaet, are we building Xubuntu 10.04.2 images? :)
[16:03] ara, yes they're being rebuilt.
[16:04] I thought point releases images were just for Ubuntu
[16:04] I guess I was wrong
[16:04] \o
[16:04] charlie-tca, go
[16:04] There are being built by request, for Xubuntu
[16:05] We did not do the .1 release, and wanted to get new stuff into the image, instead of the 352 updates after installing
[16:05] ..
[16:05] charlie-tca: are testers lined up & committed?
[16:05] yes
[16:06] charlie-tca: thx much
[16:06] You are welcome
[16:06] ara, marjo - They are also being built for kubuntu.
[16:06] skaet: ack
[16:06] ok, no more hands, so on to the round table
[16:07] [TOPIC] HW cert results and final image tests planned - ara
[16:07] New Topic: HW cert results and final image tests planned - ara
[16:07] The HW testing for 10.04.2 went pretty well. We are happy with the coverage we got. The results are available at:
[16:07] [LINK] http://people.canonical.com/~hwcert/point-release-testing/10_04_2.html
[16:07] LINK received: http://people.canonical.com/~hwcert/point-release-testing/10_04_2.html
[16:07] The systems that didn't get tested are due to problems of infrastructure or faulty hardware that needs to get replaced, but all in all, I think the results are good enough to give the thumbs up hardware wise.
[16:07] :)
[16:08] About the testing of the final images, has anything hardware related changed from the candidate images until now?
[16:08] bjf, sconklin: ^^ ?
[16:09] Not sure why you called on me, we don't have anything to do with the testing . . .
[16:09] sconklin - has any change gone in in the last 2 weeks that could impact the hardware that you're aware of?
[16:09] * skaet thinks not, but is just double checking.
[16:09] no.
[16:10] you've not taken a new kernel from us during the point release process, so how could it ?
[16:10] bjf, fair enough
[16:11] skaet, then, I guess there is no need to test the final images in hardware
[16:12] skaet, ?
[16:12] ara, sorry, thinking if the boot infrastructure has changed
[16:13] let's assume not unless rest of meeting brings up a good reason then.
[16:13] skaet, OK, so that's all from me
[16:13] ..
[16:13] [TOPIC] QA sniff testing from weekend and hot issues - jibel
[16:13] New Topic: QA sniff testing from weekend and hot issues - jibel
[16:14] 10.04.2 ISO Testing started last weekend and is going well.
[16:14] 2 major issues have been found:
[16:14] * bug 718749 (rebuild in progress)
[16:14] * bug 645818 (not a bug in lucid)
[16:14] Launchpad bug 718749 in Ubuntu CD Images "Xubuntu i386 Lucid 10.04.2 images will not boot" [Critical,Fix released] https://launchpad.net/bugs/718749
[16:14] Launchpad bug 645818 in usb-creator (Ubuntu Natty) "10.04.1 image created in Maverick does not boot in my Dell Mini9" [Critical,Triaged] https://launchpad.net/bugs/645818
[16:14] For 645818, we are looking for someone with a Lucid system, to create a bootable usb and confirm that he's not affected by this issue.
[16:14] Last week, we have tested the upgrades from K/Ubuntu Desktop i386/amd64 Hardy and Karmic to 10.04.2.
[16:15] 2 issues have been found:
[16:15] * bug 715206
[16:15] * bug 715247
[16:15] Launchpad bug 715206 in gnome-panel (Ubuntu) "9.10 to 10.04.2: The panel encountered a problem while loading "OAFIID:GNOME_ClockApplet"." [Undecided,New] https://launchpad.net/bugs/715206
[16:15] Launchpad bug 715247 in nautilus (Ubuntu) "8.04.4 -> 10.04.2 upgrade: popup with corba error during upgrade" [Undecided,New] https://launchpad.net/bugs/715247
[16:15] Untested images:
[16:15] * Ubuntu Server Installation and upgrade
[16:15] ..
[16:16] any question ?
[16:16] do you guys need help with that?
[16:16] hggdh, ^
[16:17] jibel: sorry, I was not aware I was to test 10.04.2
[16:17] :-)
[16:17] zul, okay we need help then
[16:17] I spent last week on hardy...
[16:18] jibel: ok I'll bring it up in the meeting tomorrow then
[16:18] zul, thanks.
[16:18] jibel, how are we going to get testers to work around the maverick/natty bug for creation of 10.04.2 iso cds and usbs? Is there some good documentation on this somewhere?
[16:20] skaet, For testers I'll send an email to explain the issue, and point them to the bug report.
=== Technovi1ing is now known as Technoviking
[16:21] jibel, thanks - that will help. I'll make sure it's documented in release notes.
[16:22] skaet, it's not a nice bug but the workaround is easy.
[16:22] thanks jibel. any other questions?
[16:23] [TOPIC] Image build status and plans - cjwatson
[16:23] New Topic: Image build status and plans - cjwatson
[16:24] as far as I know most things are green, with the exception of my screwup that broke the Xubuntu images and Ubuntu DVDs (i386 only). The code bug is fixed and rebuilds are in progress.
[16:25] The only build issue I'm aware of is that the following images are oversized: Xubuntu desktop amd64, Xubuntu desktop powerpc, Xubuntu desktop powerpc+ps3, Xubuntu alternate powerpc
[16:25] oh, and Kubuntu desktop i386
[16:25] I don't know how much we care about those, and about which ones
[16:26] charlie-tca, Riddell, ^^ ?
[16:28] * skaet looks around..
[16:28] we will live with it if I can't get them down
[16:29] I will get someone to look at the Xubuntu desktop amd64 and try to squeeze it down
[16:30] The other ones, I guess I don't really care so much
[16:30] charlie-tca, ok, thanks. If we can't squeeze, we'll need to release note, so we should probably open a bug to track.
[16:30] I will do that
[16:31] cjwatson. I'll follow up with Riddell about Kubuntu after the meeting about Kubuntu
[16:31] any other questions?
[16:32] thanks cjwatson
[16:32] [TOPIC] any new business?
[16:32] New Topic: any new business?
[16:32] or issues/concerns about 10.04.2?
[16:33] ok, thanks for attending, we'll go back to the regular agenda next meeting.
[16:33] I'm terribly sorry, missed the time
[16:33] #endmeeting
[16:33] Meeting finished at 10:33.
[16:33] Thanks, skaet
[16:34] thanks skaet
[16:34] thanks bjf, sconklin, ara, jibel, cjwatson, charlie-tca
[16:35] thx skaet
[16:35] thanks for chairing skaet
[16:35] thanks marjo
[16:36] skaet: any fires which I need to put out in lucid?
[16:40] pitti, thanks, can you look at the bugs that jibel raised, and make sure no kitten killers in them, cjwatson's handling the image rebuilds. I'll paste them or the log (if available) to you directly
[16:41] skaet: thanks, will have a look once you paste
=== ian_brasil_ is now known as ian_brasil
[18:00] \o
[18:00] * jdstrand waves
[18:01] o/
[18:01] * micahg waves
[18:01] hellow
[18:01] \o
[18:02] * jdstrand waits for sbeattie
[18:05] ok, let's get started
[18:05] #startmeeting
[18:05] Meeting started at 12:05. The chair is jdstrand.
[18:05] Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE] [18:05] The meeting agenda can be found at: [18:05] [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting [18:05] LINK received: https://wiki.ubuntu.com/SecurityTeam/Meeting [18:05] [TOPIC] Review of any previous action items [18:05] New Topic: Review of any previous action items [18:05] only thing from last week is the ia32-libs. aiui, mdeslaur is doing lucid and sbeattie is working on the rest. Since it is assigned I don't think we need to bring it up every week [18:06] [TOPIC] Weekly stand-up report [18:06] New Topic: Weekly stand-up report [18:06] jdstrand: I'm doing hardy, not lucid [18:06] mdeslaur: oh, I actually knew that. not sure why I put lucid... [18:07] anyhoo [18:07] I'll go first [18:07] I am on community this week [18:07] Mozilla updates are imminent, so I will be testing and publishing firefox, xul and tbird soon [18:07] I got sidetracked last week by several things and made no progress on dbus/apparmor or dbus-glib update. Hopefully I can start on it again [18:07] Some of those things were profiling gnome thumbnailers, a chromium update, writing aa-disable, patch piloting and a number of meetings [18:08] I'm hoping this week will fair slightly better. micahg starts tomorrow, so I'll be handing off all the browser/mozilla stuff to him in the coming weeks [18:08] I think that's it from me [18:08] kees: you're up [18:08] oh sweet! hi micahg! [18:08] hi mdeslaur [18:09] okay [18:09] * jdstrand is *very* happy to have micahg coming on board :) [18:09] * kees hugs micahg [18:09] * micahg hugs kees back [18:09] I've got a few USNs coming up this week [18:10] I'm in happy-place, which means I'm going to try to knock out the gcc testsuite change upstreaming. maybe some more %pK patches to LKML [18:10] honestly, the gcc stuff will probably eat most of my time. 
running the suite is crazy time-consuming [18:11] I'd like to try to find people to fix the firefox and chromium hardening stuff [18:11] afaik, firefox is still not PIE in natty, and chromium ARM has PIE disabled too [18:11] :( [18:12] that's it from me... [18:12] kees: is that not PIE for armel/firefox or all archs? [18:13] jdstrand: non-PIE for all archs with firefox [18:13] bummer [18:14] yeah, it's a gcc-4.5 regression. following-up with chrisccoulson has bubbled to near the top of my todo list finally. [18:14] micahg: would you be willing to work with chrisccoulson to conditionally set PIE for non-armel? (assuming it works for non-armel) [18:14] then kees can continue to try to find people to fix armel stuff [18:14] jdstrand: it was failing before on all arches, but sure :) [18:14] meh [18:14] jdstrand, it fails on i386 [18:14] well, if it was failing everywhere, it sounds like chrisccoulson already knows about it [18:15] yeah, I'm pretty sure the chromium and firefox PIE issues are separate [18:15] * jdstrand nods [18:15] jdstrand, the behaviour is unique to the i386 implementation of TLS [18:15] but i need to refresh my memory on the issue again ;) [18:16] chrisccoulson: cool. it would be great to not regress on this issue for natty release [18:16] I would think upstream would be interested in this too... [18:16] the arm-pie-chromium issue is technically not a regression (it's been disabled for a while). I just want to also get it fixed. [18:17] kees: actually, on lucid it was only recently turned off [18:17] I'm not sure if that is because only recently people noticed or because it recently broke [18:17] jdstrand: right, but my understanding was that it was due to chromium version bumps [18:18] i.e. it became new enough that someone hit it. or something. dunno; this is why I want to spend some time to investigate and delegate. :) [18:18] I don't know the cause. 
I do consider disabling pie in a security update, regardless of version bumping, as a regression [18:18] of course, there isn't a lot we can do there... [18:18] * kees nods [18:18] kees: I appreciate you looking into it! :) [18:19] * sbeattie is here, reading scrollback [18:20] my turn? [18:21] mdeslaur: as kees mentioned that was it from him, why don't you go [18:21] So, I'm currently testing fuse updates, and will release them once lucid's fuse package in -proposed gets released [18:22] Besides that, I need to take a look at ffmpeg [18:22] and still have work to do on apparmor-profiles [18:22] I also have some gnome-screensaver fixes I want to push to natty, and possibly SRU into lucid and maverick [18:22] * sbeattie saw mdeslaur's commits to the apparmor-profiles tree; nice start! [18:23] and there was another package I wanted to work on this week...but...it slips my mind right now (d'oh!) [18:23] that's it from me [18:24] * sbeattie takes his turn. [18:24] I have a krb5 update that I'll release once this meeting is over. [18:24] I have an openssl update for right afterward, though I need to do a little more testing with it. [18:25] I made some progress on apparmor release stuff, and have more to do on that this week. [18:25] That's pretty much it for me. [18:26] sbeattie: I've seen a lot of those reviews. some of it should be quite nice (especially the opensuse stuff you slurped in) [18:26] thanks. [18:27] micahg: I know you only officially start tomorrow, but is there anything you'd like to mention? typically we mention what we hope to work on in the coming week, and occasionally work that we did last week as it might affect this week (or that is particularly cool) [18:28] micahg: it is ok to say 'no'. 
I know I just sprung this on you :) [18:28] Finish getting set up, I'd like to start looking at the webkit update, 1.2.7 is out [18:29] sounds great [18:29] [TOPIC] Miscellaneous and Questions [18:29] New Topic: Miscellaneous and Questions [18:29] One thing sbeattie mentioned to me last week is vendor-sec tracking [18:29] I'll let him expand on it if he wants, but the basic idea is that we treat it as quite ad-hoc [18:30] whoever happens to see something, mentions it [18:30] eg, the last postgresql update [18:30] we knew about it early, but we didn't let pitti know, and basically reacted to it [18:31] I wonder if this could be improved more? [18:31] we could try to use the CVE-2011-NNNX method more often [18:31] jdstrand: did you have anything in mind? [18:31] I've found the vsec threads difficult to really "triage" until they've reached a certain stage [18:32] mdeslaur: not really, this is just open for discussion (beyond what I just mentioned) [18:32] kees: yes, I tend to agree [18:32] I also don't tend to update my embargoed branch very often... [18:32] sometimes there are weeks between something being brought up and it being remotely actionable. [18:33] true. that was indeed the case with postgres, iirc [18:33] * sbeattie wondered if he just needs better management of that particular email folder. [18:34] perhaps it would be best to identify any problems with the current system, and then see if we actually need to fix them [18:35] sbeattie: are there particular things you find lacking? [18:36] the concern I have is us not noticing stuff that comes through vendor-sec, because it comes in a mish-mash of stuff we don't as much about, because there's other active threads that are developing fixes that "drown" out other issues. [18:36] s/don't/don't care/ [18:37] I think that is a valid concern [18:37] what do others think?
[18:37] Was wondering if there was a light-weight way of coordinating that we can ignore certain threads, should watch others for developing fixes, etc. [18:37] maybe if one person can keep an eye on vendor-sec each week? [18:38] traditionally this is the person doing "triage" [18:38] we could do something like what we do with USN assignments-- a one line assessment in a file... [18:38] I'm not sure how helpful that would be... [18:38] I think vendor-sec is important enough that we all should be looking at it, not just the triage person [18:38] mdeslaur: what are your thoughts? [18:38] I don't exactly see a specific problem to solve yet. [18:38] but, that being said [18:39] mdeslaur: that's fair [18:39] I was on triage last week [18:39] I think we should make sure to call out any packages we see that appear there, and make sure someone takes responsibility for it [18:39] I mentioned only one item [18:39] whether it be in a file or not [18:40] if we notice that we're skipping some, I think we can move into doing the CVE-XXXX stuff, or even a simple file [18:40] in a way, this is preassignment [18:40] so, in the case of postgresql, what exactly did we do wrong there? [18:41] we didn't notify pitti? [18:41] mdeslaur: in that case, pitti told us about it, when we actually had the info [18:41] when we saw something about postgresql, did we just assume pitti would be telling us about it? [18:42] well, without divulging too much info [18:42] there was a question posted regarding notifying upstream [18:42] the answer was that upstream was notified [18:43] then it sat there until pitti told us about it [18:43] but, the issuing wasn't critical [18:43] s/issuing/issue/ [18:43] we all probably read the thread [18:43] I know I wasn't thinking it was a huge deal at the time [18:43] I'm sorry...I thought pitti _was_ postgresql upstream [18:44] mdeslaur: he is the debian maintainer [18:44] oh!
[18:44] he does not do upstream postgresql afaik [18:44] ah, I thought he did, so I'm mistaken [18:44] mdeslaur: and he happens to provide updates for -security out of tradition [18:44] so...we couldn't have told him anyway [18:44] yes we could have [18:44] hmm [18:45] we are allowed to let developers who work on it know [18:45] eg, kernel embargoed stuff [18:45] they just have to know not to talk about it, etc [18:45] in fact, pitti may have already known [18:45] which I think is part of the problem in this particular case-- we didn't communicate [18:46] but then again, I wasn't thinking it was world-burning and a 0day we had to jump on [18:46] at least, as I recall from reading the thread from weeks ago [18:46] so, ok, let's drive this to resolution [18:47] a) is there a problem? b) if there is, is the answer pre-assigning? [18:47] I'm not sure there is a problem, per se [18:47] jdstrand: are you sure you're thinking of the right vuln? I don't see a "thread" about it, just a single post. [18:48] hold on [18:51] sbeattie: yes, I was. I responded privately [18:52] so, postgres aside [18:53] 12:47 < jdstrand> a) is there a problem? b) if there is, is the answer pre-assigning? [18:53] kees, sbeattie, mdeslaur: ^ opinions? [18:53] micahg: ^ [18:54] right, the fear is that, if we didn't this particular postgresql issue until we were prompted from pitti, are we letting other things slip through the cracks.
[18:54] * micahg doesn't know whether or not there's a problem yet :) [18:54] heh [18:54] well, whatever slips through the cracks simply shows up after CRD [18:54] it's not as if we're skipping updates altogether [18:54] right [18:55] of course, we need to publish stuff at CRD [18:55] and we jump all over the world-burning stuff [18:55] and I think everybody needs to read vendor-sec and make sure someone's got the ball on things we spot [18:56] well, that is a gray area [18:56] I think postgresql is a bad example in this case [18:56] I mean, we don't need to jump on a low issue [18:56] yes, and there are low issues on vendor-sec...and universe stuff also [18:56] many mediums we probably don't, though it is nice if we do [18:57] alright [18:57] perhaps we should put stuff into the embargoed tree once a CVE has been assigned on vsec, or if it's serious enough with a very short CRD [18:57] kees: that is a good idea [18:57] if it has a CVE, put it in embargoed [18:57] tbh, we should have been doing that all along [18:57] I certainly haven't [18:57] right [18:57] but they develop so slowly that it can span triagers [18:58] yeah [18:58] well, so we need to be updating our embargoed tree daily probably [18:58] so perhaps the current triager should add CVEs, and update changing CRDs [18:58] and then as we see CVEs assigned in vsec, we add them [18:58] * jdstrand nods [18:58] and skip everything that doesn't have a CVE?
:P [18:58] but, as mdeslaur says, we should probably all read it [18:58] others can check/follow-up with the triager [18:59] seems to be that doesn't solve the problem :P [18:59] agreed [18:59] I think it does [18:59] it is tracked [18:59] it'll show up in cve_todo [18:59] only stuff that has a CVE gets tracked [18:59] mdeslaur: if something is coming fast without a CVE, it should get the CVE-2011-NNN1 or whatever [18:59] mdeslaur: or high priority stuff [18:59] then we use the convention kees just mentioned [19:00] ok, so triager adds everything he sees to embargoed tree [19:00] when a cve is assigned, we bzr mv CVE-2011-NNN1 ... [19:00] I don't think so [19:00] (and update the internal name) [19:00] all CVEs assignments [19:00] s/CVEs/CVE/ [19:00] high priority or higher get CVE-2011-NNNX [19:00] but that is my opinion [19:00] ok [19:00] what about stuff not in main, we ignore it? [19:01] mdeslaur: yes [19:01] (again, my opinion) [19:01] well, ignore it in terms of CVE-2011-NNNX [19:01] ok [19:02] jdstrand: so if it does get a cve, but is not in main, we add it to embargoed anyway? [19:02] I think that is fair [19:02] most of that ends up in oss-security anyway [19:02] (ie, not much maintenance work) [19:02] ok [19:02] to summarize: [19:02] if has CVE with CRD, add to embargoed [19:03] if no CVE, but is officially supported and high priority, add to embargoed [19:03] (with CVE-YYYY-NNNX) [19:03] everyone reads the list [19:03] ok [19:03] the triager adds [19:04] +1 from me [19:04] what about CVE with no CRD? [19:04] kees, mdeslaur, sbeattie, micahg: ^ will that address the concerns/issues appropriately? [19:05] mdeslaur: skip it, I think. [19:05] I agree [19:05] jdstrand: sounds good; I've updated the Duties page [19:05] kees: thanks! 
:) [19:05] ok, +1 [19:05] well [19:05] actually, if it is supported, with a CVE but no CRD, we should add it [19:06] otherwise skip [19:06] (that way it still shows up in our cve todo list [19:06] ) [19:07] which gives us an opportunity to be reminded to followup with upstream, etc [19:09] kees, mdeslaur, sbeattie: ^ [19:09] micahg: ^ [19:09] jdstrand: that sounds good [19:09] +1 [19:09] sounds good to me [19:09] (Duties re-updated) [19:09] +1 [19:09] micahg: you are not under my fingertips just yet :) [19:09] cool [19:09] ok [19:09] so, that is it from me [19:10] does anyone have any other questions or items to discuss? [19:10] just an update on Mozilla stuff [19:10] no release today, on a day-to-day slip [19:10] thank goodness [19:11] I was going to be hardpressed to get it tested by eod [19:11] jdstrand: I wouldn't bother, there might be new builds [19:11] micahg: what is the new date? [19:12] jdstrand: when it's ready :) [19:12] micahg: and that is tentatively when? :) [19:12] jdstrand: they didn't say, I think they're hoping for tomorrow, but can't promise [19:13] well, then I need to test the current builds [19:13] otherwise I'll be hours to a day late [19:13] (depending on when they push it out) [19:13] anyhoo [19:13] I'll talk to you in #ubuntu-mozillateam [19:14] I think that's it then [19:14] thanks everyone! :) [19:14] #endmeeting [19:14] Meeting finished at 13:14. [19:14] thanks jdstrand! [19:15] jdstrand: thanks! [19:15] jdstrand: thanks :) [19:16] thanks jdstrand :) [19:16] sure! === zul_ is now known as zul === zul_ is now known as zul === jam1 is now known as jam === starcraft is now known as starcraftman === bjf is now known as bjf[afk]