[17:22] <kees> \o
[17:22] <jdstrand> o/
[17:22] <mdeslaur> hello!
[17:22] <jjohansen> \o
[17:22]  * sbeattie waves
[17:22] <jdstrand> sorry I was a little late. let's get started
[17:22] <jdstrand> #startmeeting
[17:22] <MootBot> Meeting started at 12:22. The chair is jdstrand.
[17:22] <MootBot> Commands Available: [TOPIC], [IDEA], [ACTION], [AGREED], [LINK], [VOTE]
[17:23] <jdstrand> The meeting agenda can be found at:
[17:23] <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[17:23] <MootBot> LINK received:  https://wiki.ubuntu.com/SecurityTeam/Meeting
[17:23] <jdstrand> [TOPIC] Review of any previous action items
[17:23] <MootBot> New Topic:  Review of any previous action items
[17:23] <jdstrand> we don't have any formal ones from last week. jjohansen said he'd talk to me about dbus/apparmor, and did :)
[17:23] <jdstrand> [TOPIC] Weekly stand-up report
[17:23] <MootBot> New Topic:  Weekly stand-up report
[17:23] <jdstrand> I'll go first
[17:24] <jdstrand> I'm on triage this week
[17:24] <jdstrand> I have several updates I am working on
[17:24] <jdstrand> I am going to attempt to get a dbus/apparmor uploaded with just the stubs for the apparmor hooks, as after talking with skaet this should make things either
[17:24] <jdstrand> s/either/easier/
[17:25] <jdstrand> I've also got a couple of apparmor profiles I'd like to get uploaded (related to work items)
[17:25] <jdstrand> I have more training
[17:25] <jdstrand> and apparently am the only active archive admin on duty for the week, due to debconf
[17:25] <jdstrand> it looks to be a busy week
[17:25] <jdstrand> kees: you're next
[17:25]  * Daviey hides RE: libvirt.
[17:26] <kees> alright, I'm on community
[17:26] <jdstrand> Daviey: I may have to just upload :( we'll talk later
[17:26] <kees> I'm trying to catch up on kernel CVEs -- it looks like mitre is very far behind, so I've got to go through oss-security to find stuff
[17:26] <jdstrand> bleck
[17:26] <bliss> mitre is always behind
[17:26] <kees> bliss: this is much worse than usual
[17:27] <kees> but regardless, yeah, they are, so I'm moving "review oss-security" up my priority list for each day :)
[17:27] <jdstrand> they really have been for quite a few months
[17:27] <kees> at the same time, i'm working on getting a bug sync tool written to help the kernel team with bug statuses
[17:27] <kees> that's it from me
[17:28] <bliss> proc commander out
[17:28] <mdeslaur> lol
[17:28]  * kees threatens bliss ;)
[17:28] <bliss> sorry, don't mean to be disruptive :-)
[17:29] <jdstrand> hehe
[17:29] <kees> nah, that was for 'proc commander' :) anyway, mdeslaur is up
[17:29]  * jdstrand loves 'proc commander', fwiw :)
[17:29] <mdeslaur> this week, I'm in the happy place
[17:29] <mdeslaur> I've just published freetype updates, and am currently working on libpng
[17:29] <mdeslaur> am also working on an embargoed issue
[17:30] <mdeslaur> and will further go down the list
[17:30] <mdeslaur> friday, I'm on patch piloting
[17:30] <mdeslaur> (different than being the proc commander)
[17:30] <mdeslaur> that's it from me
[17:30] <mdeslaur> sbeattie: you're up
[17:30] <sbeattie> I'm also in the happy place this week, after being on community last week.
[17:31] <sbeattie> I've got an icedtea-web/openjdk update I'm working on.
[17:32] <sbeattie> After that, I'm going to try to catch up on my apparmor work items.
[17:32] <sbeattie> that's it for me; micahg?
[17:33] <micahg> I'm working on webkit in various forms and associated CVE cleanup, chromium is a little late on their 6 week release train, so I expect a release relatively soon, but have no real idea about when, so if it comes, I'll take care of that, that's it for me
[17:33] <jdstrand> thanks guys
[17:34] <jdstrand> [TOPIC] Highlighted packages
[17:34] <MootBot> New Topic:  Highlighted packages
[17:34] <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security on Freenode. The highlighted packages for this week are:
[17:34] <jdstrand>   * http://people.canonical.com/~ubuntu-security/cve/pkg/smilutils.html
[17:34] <jdstrand>   * http://people.canonical.com/~ubuntu-security/cve/pkg/ccid.html
[17:34] <jdstrand>   * http://people.canonical.com/~ubuntu-security/cve/pkg/libglpng.html
[17:34] <jdstrand>   * http://people.canonical.com/~ubuntu-security/cve/pkg/ntop.html
[17:34] <jdstrand>   * http://people.canonical.com/~ubuntu-security/cve/pkg/ziproxy.html
[17:34] <jdstrand> [TOPIC] Miscellaneous and Questions
[17:34] <MootBot> New Topic:  Miscellaneous and Questions
[17:34] <jdstrand> I will be out of town for two weeks starting next monday (conference/holiday)
[17:35] <jdstrand> I know kees will also be out at least part of next week (conference)
[17:35] <jdstrand> Does anyone have any other questions or items to discuss?
[17:35] <sbeattie> jdstrand: I would like to discuss the openjdk update for a second.
[17:36] <kees> wheee blackhat/defcon
[17:36] <bliss> would it be possible to devote time/effort to auditing packages identified by community members or the security team as needing a security overhaul?  ideally packages that are widely used or commonly integrated into ubuntu
[17:36] <bliss> in a more coordinated way, i mean
[17:37] <bliss> it just strikes me that there are several widely used packages where everyone knows they're broken, but nobody has time or interest in fixing them
[17:37] <kees> i would certainly like to see something like that. do you want to do the coordination?
[17:37] <bliss> sure, i'd be happy to help in whatever way i can
[17:38] <bliss> anyone can get involved as well, doesn't need to just be security team
[17:38] <jdstrand> I think starting with wishlist bugs would be a good start. if there is a lot, it could be a wiki page
[17:38] <bliss> yeah
[17:39] <bliss> maybe for starters, a public list of "these packages could use some auditing/hardening"
[17:39] <jdstrand> I can incorporate into the 'Highlighted package' section, if there is an easy way to incorporate it
[17:39] <bliss> cool
[17:39] <bliss> we can brainstorm over the next few days/weeks, no need to draw out the meeting
[17:39] <bliss> just something that's been on my mind
[17:40] <kees> google may want to get involved too
[17:40] <bliss> yeah, i'd imagine
[17:40] <bliss> examples: libavcodec/libavformat, libpoppler, libfreetype
[17:40] <jdstrand> bliss: thanks. maybe this could be discussed on the mailing list (<ubuntu-hardened@lists.ubuntu.com>)
[17:40] <jdstrand> (the process, not necessarily which packages, but it could be)
[17:41] <jdstrand> sbeattie: you wanted to discuss openjdk?
[17:41] <bliss> alright, i'll flesh out some ideas and send an email
[17:41] <jdstrand> bliss: awesome, thanks :)
[17:41] <sbeattie> jdstrand: basically, the patches that upstream shipped for icedtea 1.8.9 (used for armel/lucid,maverick) don't compile here.
[17:42] <mdeslaur> sbeattie: awesome
[17:42] <sbeattie> jdstrand: the packages for the other arches and for icedtea-web built okay, I still need to test them.
[17:42] <sbeattie> jdstrand: so I thought I would approach upstream with the issue I have while releasing what I have (after testing).
[17:43] <sbeattie> and then if/when we get a fix for 1.8.9, release those as a -2 update.
[17:43] <sbeattie> does that sound reasonable?
[17:44] <jdstrand> yeah, sounds very reasonable. iirc, in the past we have published a -2 for openjdk for other things (building as I recall)
[17:44] <sbeattie> right.
[17:44] <sbeattie> okay thanks.
[17:45] <jdstrand> anything else?
[17:46] <jdstrand> ok. thanks everyone! :)
[17:46] <jdstrand> #endmeeting
[17:46] <MootBot> Meeting finished at 12:46.
[17:46] <kees> thanks jdstrand!
[17:46] <mdeslaur> thanks jdstrand!
[17:47] <micahg> thanks jdstrand
[17:47] <sbeattie> jdstrand: thanks!