[07:09] <dholbach> good morning
[07:16] <angelabad> good morning
[07:34] <ronin___> dholbach: good morning
[07:35] <dholbach> hi ronin___
[07:46]  * rextsai need help to review the patch for sru - https://launchpad.net/bugs/842115
[11:18] <jtaylor> how does security support for universe work?
[11:21] <jtaylor> e.g. the bcfg2 security vulnerability fixed in debian, there is no bug in ubuntu, will that be handled by some team?
[11:25] <Laney> not really
[12:09] <jtaylor> so how does one proceed in fixing this?
[12:09] <Laney> I think there's a ubuntu-security-sponsors team
[12:10] <Laney> but ask in #ubuntu-hardened how it works
[12:13] <Daviey> jtaylor: security raised that with me yesterday, there isn't currently a Ubuntu bug opened (last i checked)
[12:14] <Daviey> jtaylor: so, if you want to raise a ubuntu bug, propose a fix via debdiff or bzr (set the pocket to $release-security).. i imagine it'll get uploaded today
[12:14] <Daviey> (sponsored by the security team as Laney said.)
[12:17] <Daviey> jtaylor: If you do that, you'll win the love of all BTW.
[12:18] <nigelb> You forgot about the $beer bit.
[12:18] <jtaylor> I can do that, but what is a pocket?
[12:19] <Daviey> jtaylor: in debian/changelog, where you'd normally put lucid etc.. put lucid-security
[12:19] <Daviey> top line.
[12:20] <nigelb> jtaylor: This could be helpful -  https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
[12:21] <jtaylor> the package has a version in -updates in natty, should one base the fix on that or in the release version?
[12:21] <Daviey> jtaylor: BTW, Oneiric will also need a fresh merge.
[12:21] <jtaylor> ah that is in the link, base on release
[12:22] <jtaylor> probably a bit late for a merge
[12:22] <Laney> the link says -updates
[12:22] <Daviey> erm, you probably want to base on -updates... depending on the nature of what is in -updates
[12:22] <Daviey> i'd be pretty surprised if you didn't want to base on -updates
[12:22] <Laney> "always base it on the latest approved version of the source package for the release in the archive"
[12:23] <jtaylor> reading is hard ._.
[12:23] <nigelb> heh
[12:23] <Daviey> jtaylor: nah, Oneiric can be merged.
[12:23] <Laney> nigelb: !!!
[12:24] <Laney> nigelb: I need you! And here you are!
[12:24] <nigelb> Laney: what did I do?
[12:24] <Daviey> bah, sorry, it is a new upstream version
[12:24] <Laney> you know cleansweep?
[12:24] <nigelb> yes
[12:24] <Laney> do you run scripts for that on an ongoing basis?
[12:24] <nigelb> I started it, but it fell off my list due to lack of time.
[12:24] <Laney> oh ok
[12:25] <nigelb> I wish there were more hours in a day.
[12:25] <nigelb> I started focusing on writing more code, mostly web related, so I had to refocus my priorities :(
[12:25] <nigelb> However, how can I help?
[12:25] <jdstrand> (that is the precise page to use)
[12:26] <Laney> I was going to ask you to extend the script to notice patches which look like debdiffs and to automatically subscribe the sponsors
[12:26] <jdstrand> (https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing_an_update that is)
[12:26] <nigelb> Laney: AHHHH. The patch tagging scripts?
[12:26] <Laney> i don't know :'(
[12:26] <nigelb> bdmurray runs scripts for those.
[12:26] <nigelb> Ah, yes. I saw the discussion earlier about debdiffs and Launchpad
[12:27] <Laney> anyway I got a list of all of the old stuff that we'll do something with
[12:27] <Laney> for new stuff we should just put it on the list automatically probably
[12:27] <Laney> seems cleansweepish
[12:27] <nigelb> I can talk to brian and get you a script :)
[12:27] <Laney> you don't need to get me anything, just get someone to run it :P
[12:28] <nigelb> haha
[12:28] <Laney> if patch_looks_like_a_debdiff { add_message_about_automatically_subscribing_sponsors(); subscribe_sponsors(); }
[12:28] <nigelb> Laney: Again, bdmurray is a neat target for that ;)
[12:28]  * Laney assumes highlights have been appropriately issued
[12:29] <nigelb> Me too. Or else I'll grab him later when he gets online.
[12:30] <nigelb> Laney: will you be at UDS?
[12:30] <Laney> most likely
[12:31] <nigelb> Could you bring up the challenges stuff that we failed to plan appropriately this time?
[12:31] <nigelb> (I won't be there. In person at least)
[12:31] <Laney> i'll see what i can do
[12:31] <Laney> dholbach is better at Making Stuff Happen than me though
[12:34] <nigelb> We can all always assign the action items to him :P
[12:36] <jtaylor> there is no oneiric-security or?
[12:37] <jtaylor> for that just oneiric as pocket?
[12:37] <jdstrand> jtaylor: just oneiric
[12:49] <jtaylor> hm apparently someone is already working on it lp:~gandelman-a/ubuntu/oneiric/bcfg2/deb640028
[12:50] <jtaylor> but via merging => 3720 lines (+592/-2370) 52 files modified
[13:04] <dholbach> Laney, hm?
[13:04] <nigelb> dholbach: Re: Challenges stuff.
[13:35] <jtaylor> so branches made for all supported versions, that software sure is awful for that it is intended to run as root ...
[14:28] <bdmurray> Laney: hey there what do you have for me?
[14:29] <ScottK> jtaylor: Would you be able to have a look at Bug 818867?
[14:29] <Laney> bdmurray: Just a proposal that requires a little bit of adjustment to your patch scanning script
[14:29] <Laney> bdmurray: if you detect the patch is a debdiff and the sponsors aren't subscribed (after some delay?), do it.
[14:29] <bdmurray> Laney: okay, sounds good
[14:30] <Laney> One issue is that you can't tell if the sponsors are /intentionally/ not subscribed
[14:30] <bdmurray> you could see if they were unsubscribed though using the activity log
[14:31] <Laney> I mean in an "oops, this isn't ready yet" way
[14:31] <Laney> I assumed you'd use created_since or whatever to avoid looking at the same bug multiple times, but activity log works too
[14:32] <jtaylor> ScottK: I'll have a look
[14:32] <nigelb> Laney: The pings worked :D
[14:32] <bdmurray> yes, I use created_since
[14:32] <ScottK> jtaylor: Thanks.
[14:33] <Laney> that's ok then
[14:33] <Laney> I guess we'll see if it's a big problem in practice
[14:36] <bdmurray> Laney: so you have some debdiff detection code then?
[14:36] <Laney> bdmurray: not really, I couldn't think of much better than looking for changes to debian/changelog in the attached patch
[14:37] <ScottK> Laney: I had an idea for a QA script that we could probably do through LP now ...
[14:37] <bdmurray> Laney: okay that seems reasonable
[14:37] <Laney> seemed OK in my scanning of old bugs though
[14:37] <Laney> i.e. in the sample I looked at there weren't any false positives
[14:38] <Laney> ScottK: yeah?
[14:38] <ScottK> During the lucid cycle, cjwatson went through and found old merges (that, IIRC, had been pending review for a full cycle) and then we just sync'ed them on the theory that keeping up with Debian was probably better than leaving stuff unreviewed.
[14:38] <ScottK> It ought to be possible to detect such packages now and make a list for review/sync.
[14:39] <Laney> "pending review" as in?
[14:39] <cjwatson> I don't think we synced them all
[14:39] <Laney> Debian > Ubuntu and Ubuntu changes?
[14:39] <ScottK> There was a merge on MoM that no one had touched
[14:39] <cjwatson> there were definitely some in main that were just too scary to merege
[14:39] <cjwatson> *merge
[14:39] <ScottK> cjwatson: True.
[14:39] <Laney> you could do that with UDD or Launchpad
[14:39] <cjwatson> MoM exposes JSON output
[14:40] <ScottK> Since you and tumbleweed seem to be on a roll for this kind of stuff, it seemed like something that it might be worth setting up as a regular QA check.
[14:41] <Laney> In general I like the idea of lists-of-things-to-do, indeed
[14:41] <Laney> but we could make MoM order by date?
[14:42] <ScottK> I don't know what MoM exposes in its JSON.
[14:42] <Laney> I was thinking of just fixing it to display this notion of priority itself
[14:43] <Laney> care less about pinging the last uploader for merges not touched for a cycle or something
[14:44] <Laney> > 2 cycles, consider dropping the changes if they aren't serious
[14:44]  * Laney shrugs
[14:45] <ScottK> Sounds about right.
[14:47] <nigelb> woah, how did that email get through to TB.
[14:51] <soren> nigelb: Which one?
[14:51] <soren> nigelb: Oh.
[14:51] <soren> nigelb: That one.
[14:52] <tumbleweed> and it's certainly worth posting the list of merges which haven't happened in a cycle (but that probably should have been done after DIF / right after FF)
[14:52] <nigelb> soren: heh,yeah. That one :)
[14:52] <cjwatson> nigelb: I approved it because it was the easiest way to reply to it
[14:52] <nigelb> AHH.
[14:52] <nigelb> That makes sense :)
[14:52] <nigelb> You need to get it hit your inbox before you can reply.
[16:53] <jtaylor> ScottK: forwarded a patch for the numpy issue, but it's very ugly, don't know if there is a better way to do it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640940
[16:53] <ScottK> What did morph have to say about it after he noticed multi-arch was in Debian too?
[16:53] <ScottK> barry: You might want to look into ^^^.
[16:54] <jtaylor> didn't answer anymore
[16:54] <jtaylor> btw enable worked around this issue in -2
[16:54] <ScottK> OK.  About par for the course.
[16:54] <jtaylor> sync requested, but for normal use cases it's harmless due to indirect links
[16:54] <ScottK> We should fix it in the right place.
[16:57] <jtaylor> if morph doesn't react apply that ugly patch to ubuntu?
[16:59] <ScottK> I'd like barry's opinion.
[16:59] <jtaylor> barry mentioned some python bugs for this issue, but numpy has its own distutils
[17:00] <jtaylor> http://bugs.python.org/issue12418
[17:00] <jtaylor> so it needs fixing there, and that requires a sane way to get the triplet (maybe provided by python itself)
[20:54] <ashams> Hello Guys,
[20:54] <ashams> I'm Fixing this bug and it's my first one: https://bugs.launchpad.net/ubuntu/+source/gnomebaker/+bug/818364
[20:54] <ashams> Should I fix for Natty or Oneiric?
[20:54] <jtaylor> first oneiric, then older releases
[20:55] <ashams> jtaylor, Hi, thanks for answer
[20:55] <ashams> but there's no pkg for Oneiric
[20:55] <jtaylor> this is to avoid forgetting to solve it in the development release and then introducing a regression
[20:55] <jtaylor> hm then I guess fixing natty is fine
[20:56] <jtaylor> but then make sure you forward the fix upstream (should that still exist)
[20:57] <ashams> jtaylor, Would you check after me, if there's a pkg for oneiric, sorry I'm brand new: https://launchpad.net/ubuntu/+source/gnomebaker
[21:01] <jtaylor> ashams: it was removed a long time ago in debian, and also in ubuntu as far as I can tell
[21:02] <ashams> jtaylor, so no need to fix?
[21:02] <jtaylor> not really
[21:02] <jtaylor> especially a typo is not worth the effort
[21:02] <jtaylor> also it would have to be a stable release update which are usually not done for typos
[21:03] <jtaylor> see https://wiki.ubuntu.com/StableReleaseUpdates
[21:04] <jtaylor> ashams: see http://harvest.ubuntu.com/ for some other simple to fix bugs
[21:05] <ashams> jtaylor, Yeah, that's why I was asking, it's not worthy an SRU
[21:05] <ashams> but can't I upload it as a Oneiric release
[21:06] <jtaylor> no the package was removed for a reason: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590890
[21:06] <jtaylor> if you want to keep it you would have to take over the maintenance in debian + fix the bugs it was removed for
[21:08] <ashams> jtaylor, but it was working fine with Ubuntu till 2011-07-30 at least, when the user reported the bug?
[21:10] <jtaylor> apparently it did not work in debian, and had no active maintainer
[21:10] <jtaylor> you can maintain it in ubuntu alone but apparently nobody wanted to do that either
[21:11] <jtaylor> removal of a package where there are better alternatives is preferable to a package rotting in the repository with no care
[21:11] <jtaylor> even if it does work for some
[21:12] <ashams> jtaylor, yeah, seems to
[21:12] <ashams> jtaylor, Thank you very much
[21:12] <ashams> :D
[21:12] <jtaylor> np