/srv/irclogs.ubuntu.com/2013/05/17/#ubuntu-motu.txt

=== tumbleweed_ is now known as tumbleweed
=== Ursinhal is now known as Ursinha
=== achiang` is now known as achiang
=== Guest65132 is now known as Zic
=== DarkSideOfTheSpo is now known as DSpoon
[15:37] <DSpoon> hey everyone
=== slangase` is now known as slangasek
[15:40] <DSpoon> ive been using ubuntu since 5.10, and have been in love with it since
[15:40] <DSpoon> hope this doesnt sound rude - ive been keeping the universe and multiverse repos disabled for security reasons
[15:42] <DSpoon> i am currently forced to enable it to install gnome-panel, and just read about you all who maintain the universe repos
[15:42] <maxb> It does sound like you have a rather highly unusual attitude to main vs. universe
[15:43] <DSpoon> maxb: i guess i have been reading too much between the lines of 'supported' vs 'unsupported'
[15:44] <tumbleweed> it's more complex than that. Not everything in main is supported by Canonical, and not everything in universe isn't.
[15:44] <DSpoon> since ive standardized on ubuntu across all my machines, i do have a certain doubt about having malware injected into a package
[15:45] <tumbleweed> I don't think the Canonical-support status of a package has any impact on the chance of that happening
[15:45] <DSpoon> tumbleweed: oh. I assumed there would be some kind of code audit within canonical
[15:47] <DSpoon> i'd love to hear from you guys about how things are run - it would make me feel a lot safer.
[15:47] <DSpoon> hope im not annoying you with this not-really-technical question.
[15:48] <DSpoon> the way i see it, any binary repository would be a natural target for an attacker
[15:51] <tumbleweed> there is a security audit before things get into main, true
[15:51] <Laney> I think you'd probably go for a high profile target if you wanted to do that kind of thing
[15:52] <tumbleweed> such as a package in main :P
[15:53] <Laney> right, so avoiding universe probably isn't that beneficial
[15:55] <ScottK> DSpoon: Of course Universe is huge, so there's always work to be done with fixing issues.  You're welcome to join us.
[15:56] <DSpoon> ScottK: id love to, but ive never coded for GTK, and my C skills are rusty.
[15:56] <ScottK> DSpoon: That's OK.  I can't do either of those things either.
[15:57] <DSpoon> i do my bit in supporting users on #linux on dalnet
[15:57] <ScottK> If you know a bit about shell or make, you're enough of a programmer to help.
[15:57] <ScottK> Most of what we do for security in Universe is take upstream patches and integrate them into the released packages.
[15:57] <DSpoon> ive never used make, but its not something i believe i would have a tough time with
[15:58] <ScottK> I'd never used make when I started either.
[15:58] <DSpoon> ScottK: upstream - is that from debian, or direct from each source?
[15:58] <ScottK> DSpoon: It could be either.
[15:58] <ScottK> Sometimes from other distros (side stream, I guess).
[15:59] <ScottK> Actually trying to write our own fix for a security issue is pretty much the last resort.
[15:59] <DSpoon> and we just recompile, test, and upload?
[15:59] <ScottK> Pretty much.
[15:59] <ScottK> Sometimes the patches don't apply exactly to older versions, so a bit of sleuthing is required.
[16:00] <ScottK> mdeslaur: Do you have time to give someone an intro into providing security updates for Universe packages?
[16:01] <DSpoon> ScottK: im currently browsing around https://wiki.ubuntu.com/MOTU/School
[16:01] <ScottK> That's a good place to read up.
[16:02] <ScottK> This is specific to security: https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue
[16:02] <DSpoon> let me read through it; will figure out if its in my comfort zone.
[16:03] <ScottK> DSpoon: It won't be, at first, but trust me, it'll all work out.  Everything you do will be supervised and checked until everyone is comfortable you know what you are doing (including you).
[16:06] <DSpoon> let me give it a shot. For a start, ill be around here. Do you coordinate tasks on this chan, or is there a bugzilla for it?
[16:17] <ScottK> DSpoon: We just use launchpad for bugs.  We do coordinate here, but mostly it's work on what interests you (there's plenty to go around), so don't feel like you need permission to work on stuff.
[16:18] <DSpoon> :)
[16:19] <TheLordOfTime> ScottK:  security updates for universe i think are similar to the process for any other package... find the patch, patch it, submit for consideration, security team considers.
[16:19] <TheLordOfTime> at least, for the nginx package (in universe), that's the case
[16:19] <ScottK> TheLordOfTime: That's generally true, there are a few security specific rules about versioning and bug status.
[16:20] <TheLordOfTime> yeah i leave bug status setting to them
[16:20] <TheLordOfTime> or i ask in -hardened
[16:20] <ScottK> Also, for me they are way different because non-security stuff I can upload, security stuff I still have to submit a debdiff.
[16:20] <TheLordOfTime> versioning is listed already
[16:20] * TheLordOfTime grabs the wiki page
[16:20] <Laney> yeah, all security is unified within itself
[16:20] <Laney> but different from other stuff
[16:21] <TheLordOfTime> mhm
[16:21] <TheLordOfTime> btw https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation
[16:21] <TheLordOfTime> also has versioning listed there
[16:21] <TheLordOfTime> which i think is generally accepted for standard SRUs too
[16:21] <Laney> sure
[16:22] <TheLordOfTime> yeah, https://wiki.ubuntu.com/StableReleaseUpdates, 3.5.1  (the security policy document has a well-working scheme which can be used for SRUs.)
[16:22] <ScottK> TheLordOfTime: The difference is that while that versioning is often used in SRUs, there's no versioning rule for them.  For security uploads, the version scheme is required.
[16:22] <ScottK> Can, not must.
[16:23] <TheLordOfTime> ScottK:  true!  I tend to follow the security team's versioning schemes anyways
[16:23] <TheLordOfTime> :P
[16:23] <TheLordOfTime> although that should be discussed, making a general "SRUs should follow this: [versioning scheme]", at least IMO
[16:24] <ScottK> TheLordOfTime: Why?  Let's not make more rules unless we need them.
[16:24] <TheLordOfTime> :P
[16:25] <Laney> I refuse to obey your proposed rule about not making rules.
[16:25] <TheLordOfTime> well, anyways, asking in #ubuntu-hardened if there's a difference between main/universe/etc. security patching wouldn't hurt, although i think the answer is the same.
[16:27] <ScottK> It's the same.
[16:33] <debfx> ScottK: raring-backports bug mail doesn't end up on the ubuntu-backports list. any idea why?
[16:33] <ScottK> debfx: No.
[16:34] <Laney> Driver?
[16:34] <Laney> oh no, I see it
[16:34] <Laney> debfx: compare https://bugs.launchpad.net/raring-backports/+subscriptions and https://bugs.launchpad.net/quantal-backports/+subscriptions
[16:37] <debfx> I thought I looked at the bug subscription page, apparently I'm blind
[16:37] <debfx> thanks Laney
[16:37] <Laney> np
[16:37] * Laney leaves it to you to fix :-)
[16:39] <debfx> only team admins can do that
[16:40] <debfx> ScottK: could you subscribe ubuntu-backports to the raring and saucy projects
[16:40] <ScottK> I can try.
[16:40] <Laney> what is Ubuntu Backporters Drivers?
[16:40] <Laney> I see that in my list
[16:40] <Laney> Backports*
[16:46] <ScottK> debfx: Done.
[16:46] <mdeslaur> ScottK: DSpoon: sorry, I'm a bit busy today, but there's some info here: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing_an_update
[16:46] <ScottK> mdeslaur: Thanks.
[16:46] <ScottK> DSpoon: He's one of the Ubuntu Security team engineers.
[16:46] <mdeslaur> ScottK: DSpoon: and me or sarnold will gladly help you on tuesday with any questions or issues (after everyone gets back from the long weekend)
[16:54] <debfx> back to 0 open raring-backport requests :)
[17:04] <DSpoon> mdeslaur: good to meet you. Will go through the update procedure link.
[17:08] <mdeslaur> DSpoon: cool! :)
[17:08] <mdeslaur> DSpoon: welcome! :)
[17:08] <DSpoon> :)
=== iulian is now known as Guest36841
[18:10] <richft> Hi! Can someone clarify me. People who is on this list: reqorts.qa.ubuntu.com/reports/sponsoring/index.html seeking for a Sponsorship and the package is approved by the Package Maintainer will get an Ubuntu Membership ?
[18:16] <mitya57> richft: No, did you read https://wiki.ubuntu.com/Membership ?
[18:20] <alo21> hi... it's time for merging, or have I to wait a little bit?
[18:26] <mitya57> alo21: why wait? please help us break saucy!
[18:27] <alo21> mitya57, I asked here 10 days ago, and someone said me that is too early doing merge
[18:29] <richft> mitya57: Someone informed me incorrectly : ) Ok! Now I get it how is the process.
[18:29] <mitya57> alo21: they were wrong
[18:32] <alo21> mitya57, are you sure about you are saying? (with all respect)
[18:35] * mitya57 has already done 3 or 4 merges this cycle
[18:35] <jtaylor> mitya57: I wouldn't say I was wrong, wheezy was released less than 10 days ago
[18:35] <jtaylor> so you may be wasting your time doing merges before that
[18:35] <jtaylor> as you may have to merge a few days later again
[18:36] <mitya57> jtaylor: one can merge from experimental or vcs
[18:36] <jtaylor> sure but thats not the general case
[18:38] <mitya57> alo21: what package are you going to merge? :)
[18:39] <alo21> mitya57, I am taking a look at alsa-plugins (in main)
[18:39] <alo21> mitya57, I will ask to the last uploader, if it's free
[18:40] <alo21> and of course if it is a sync or a merge
[18:40] <mitya57>   * Upload to unstable.
[18:40] <mitya57>  -- Jordi Mallach <jordi@debian.org>  Thu, 09 May 2013 12:40:49 +0200
[18:41] <mitya57> alo21: feel free to merge (^)
[18:41] <alo21> mitya57, and, as I can see, it's a worth-sync
[18:42] <alo21> am I right? (just to be sure)
[18:43] <mitya57> alo21: at least "Create libasound2-plugins-extra package which contains plugins that use libav" seems like a non-merged-back delta
[18:44] <mitya57> other changes look like no longer needed (unless it fails to build)
[18:46] <alo21> mitya57, I noticed that the last uploader (in Ubuntu) was Tartler. Is a better idea to ask him if it's free?
[18:47] <mitya57> he is here (siretart)
[18:48] <alo21> siretart, hi... can I take care of alsa-plugins, please?
[18:52] <alo21> mitya57, anyway... how can I create libasound2-plugins-extra package which contains plugins that use libav?
[18:53] <alo21> I mean... I think I should edit some lines in rules file
[18:55] <mitya57> alo21: that change is already in ubuntu
[18:55] <mitya57> so, if you know how to do merges, you'll get it
[18:56] * alo21 afk
[19:28] <alo21> hi... I would like to know if alsa-plugins is a worth-sync or merge...
[19:28] <alo21> the package is in main
