[15:37] <DSpoon> hey everyone
[15:40] <DSpoon> ive been using ubuntu since 5.10, and have been in love with it since
[15:40] <DSpoon> hope this doesnt sound rude - ive been keeping the universe and multiverse repos disabled for security reasons
[15:42] <DSpoon> i am currently forced to enable it to install gnome-panel, and just read about you all who maintain the universe repos
[15:42] <maxb> It does sound like you have a rather highly unusual attitude to main vs. universe
[15:43] <DSpoon> maxb: i guess i have been reading too much between the lines of 'supported' vs 'unsupported'
[15:44] <tumbleweed> it's more complex than that. Not everything in main is supported by Canonical, and not everything in universe isn't.
[15:44] <DSpoon> since ive standardized on ubuntu across all my machines, i do have a certain doubt about having malware injected into a package
[15:45] <tumbleweed> I don't think the Canonical-support status of a package has any impact on the chance of that happening
[15:45] <DSpoon> tumbleweed: oh. I assumed there would be some kind of code audit within canonical
[15:47] <DSpoon> i'd love to hear from you guys about how things are run - it would make me feel a lot safer.
[15:47] <DSpoon> hope im not annoying you with this not-really-technical question.
[15:48] <DSpoon> the way i see it, any binary repository would be a natural target for an attacker
[15:51] <tumbleweed> there is a security audit before things get into main, true
[15:51] <Laney> I think you'd probably go for a high profile target if you wanted to do that kind of thing
[15:52] <tumbleweed> such as a package in main :P
[15:53] <Laney> right, so avoiding universe probably isn't that beneficial
[15:55] <ScottK> DSpoon: Of course Universe is huge, so there's always work to be done with fixing issues.  You're welcome to join us.
[15:56] <DSpoon> ScottK: id love to, but ive never coded for GTK, and my C skills are rusty.
[15:56] <ScottK> DSpoon: That's OK.  I can't do either of those things either.
[15:57] <DSpoon> i do my bit in supporting users on #linux on dalnet
[15:57] <ScottK> If you know a bit about shell or make, you're enough of a programmer to help.
[15:57] <ScottK> Most of what we do for security in Universe is take upstream patches and integrate them into the released packages.
[15:57] <DSpoon> ive never used make, but its not something i believe i would have a tough time with
[15:58] <ScottK> I'd never used make when I started either.
[15:58] <DSpoon> ScottK: upstream - is that from debian, or direct from each source?
[15:58] <ScottK> DSpoon: It could be either.
[15:58] <ScottK> Sometimes from other distros (side stream, I guess).
[15:59] <ScottK> Actually trying to write our own fix for a security issue is pretty much the last resort.
[15:59] <DSpoon> and we just recompile, test, and upload?
[15:59] <ScottK> Pretty much.
[15:59] <ScottK> Sometimes the patches don't apply exactly to older versions, so a bit of sleuthing is required.
[16:00] <ScottK> mdeslaur: Do you have time to give someone an intro into providing security updates for Universe packages?
[16:01] <DSpoon> ScottK: im currently browsing around https://wiki.ubuntu.com/MOTU/School
[16:01] <ScottK> That's a good place to read up.
[16:02] <ScottK> This is specific to security: https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue
[16:02] <DSpoon> let me read through it; will figure out if its in my comfort zone.
[16:03] <ScottK> DSpoon: It won't be, at first, but trust me, it'll all work out.  Everything you do will be supervised and checked until everyone is comfortable you know what you are doing (including you).
[16:06] <DSpoon> let me give it a shot. For a start, ill be around here. Do you coordinate tasks on this chan, or is there a bugzilla for it?
[16:17] <ScottK> DSpoon: We just use launchpad for bugs.  We do coordinate here, but mostly it's work on what interests you (there's plenty to go around), so don't feel like you need permission to work on stuff.
[16:18] <DSpoon> :)
[16:19] <TheLordOfTime> ScottK:  security updates for universe i think are similar to the process for any other package... find the patch, patch it, submit for consideration, security team considers.
[16:19] <TheLordOfTime> at least, for the nginx package (in universe), that's the case
[16:19] <ScottK> TheLordOfTime: That's generally true, there are a few security specific rules about versioning and bug status.
[16:20] <TheLordOfTime> yeah i leave bug status setting to them
[16:20] <TheLordOfTime> or i ask in -hardened
[16:20] <ScottK> Also, for me they are way different because non-security stuff I can upload, security stuff I still have to submit a debdiff.
[16:20] <TheLordOfTime> versioning is listed already
[16:20]  * TheLordOfTime grabs the wiki page
[16:20] <Laney> yeah, all security is unified within itself
[16:20] <Laney> but different from other stuff
[16:21] <TheLordOfTime> mhm
[16:21] <TheLordOfTime> btw https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation
[16:21] <TheLordOfTime> also has versioning listed there
[16:21] <TheLordOfTime> which i think is generally accepted for standard SRUs too
[16:21] <Laney> sure
[16:22] <TheLordOfTime> yeah, https://wiki.ubuntu.com/StableReleaseUpdates, 3.5.1  (the security policy document has a well-working scheme which can be used for SRUs.)
[16:22] <ScottK> TheLordOfTime: The difference is that while that versioning is often used in SRUs, there's no versioning rule for them.  For security uploads, the version scheme is required.
[16:22] <ScottK> Can, not must.
[16:23] <TheLordOfTime> ScottK:  true!  I tend to follow the security team's versioning schemes anyways
[16:23] <TheLordOfTime> :P
[16:23] <TheLordOfTime> although that should be discussed, making a general "SRUs should follow this: [versioning scheme]", at least IMO
[16:24] <ScottK> TheLordOfTime: Why?  Let's not make more rules unless we need them.
[16:24] <TheLordOfTime> :P
[16:25] <Laney> I refuse to obey your proposed rule about not making rules.
[16:25] <TheLordOfTime> well, anyways, asking in #ubuntu-hardened if there's a difference between main/universe/etc. security patching wouldn't hurt, although i think the answer is the same.
[16:27] <ScottK> It's the same.
[16:33] <debfx> ScottK: raring-backports bug mail doesn't end up on the ubuntu-backports list. any idea why?
[16:33] <ScottK> debfx: No.
[16:34] <Laney> Driver?
[16:34] <Laney> oh no, I see it
[16:34] <Laney> debfx: compare https://bugs.launchpad.net/raring-backports/+subscriptions and https://bugs.launchpad.net/quantal-backports/+subscriptions
[16:37] <debfx> I thought I looked at the bug subscription page, apparently I'm blind
[16:37] <debfx> thanks Laney
[16:37] <Laney> np
[16:37]  * Laney leaves it to you to fix :-)
[16:39] <debfx> only team admins can do that
[16:40] <debfx> ScottK: could you subscribe ubuntu-backports to the raring and saucy projects
[16:40] <ScottK> I can try.
[16:40] <Laney> what is Ubuntu Backporters Drivers?
[16:40] <Laney> I see that in my list
[16:40] <Laney> Backports*
[16:46] <ScottK> debfx: Done.
[16:46] <mdeslaur> ScottK: DSpoon: sorry, I'm a bit busy today, but there's some info here: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing_an_update
[16:46] <ScottK> mdeslaur: Thanks.
[16:46] <ScottK> DSpoon: He's one of the Ubuntu Security team engineers.
[16:46] <mdeslaur> ScottK: DSpoon: and me or sarnold will gladly help you on tuesday with any questions or issues (after everyone gets back from the long weekend)
[16:54] <debfx> back to 0 open raring-backport requests :)
[17:04] <DSpoon> mdeslaur: good to meet you. Will go through the update procedure link.
[17:08] <mdeslaur> DSpoon: cool! :)
[17:08] <mdeslaur> DSpoon: welcome! :)
[17:08] <DSpoon> :)
[18:10] <richft> Hi! Can someone clarify for me. People who are on this list: reqorts.qa.ubuntu.com/reports/sponsoring/index.html seeking a Sponsorship and the package is approved by the Package Maintainer will get an Ubuntu Membership ?
[18:16] <mitya57> richft: No, did you read https://wiki.ubuntu.com/Membership ?
[18:20] <alo21> hi... it's time for merging, or have I to wait a little bit?
[18:26] <mitya57> alo21: why wait? please help us break saucy!
[18:27] <alo21> mitya57, I asked here 10 days ago, and someone told me that it is too early to do a merge
[18:29] <richft> mitya57: Someone informed me incorrectly : ) Ok! Now I get it how is the process.
[18:29] <mitya57> alo21: they were wrong
[18:32] <alo21> mitya57, are you sure about what you are saying? (with all respect)
[18:35]  * mitya57 has already done 3 or 4 merges this cycle
[18:35] <jtaylor> mitya57: I wouldn't say I was wrong, wheezy was released less than 10 days ago
[18:35] <jtaylor> so you may be wasting your time doing merges before that
[18:35] <jtaylor> as you may have to merge a few days later again
[18:36] <mitya57> jtaylor: one can merge from experimental or vcs
[18:36] <jtaylor> sure but thats not the general case
[18:38] <mitya57> alo21: what package are you going to merge? :)
[18:39] <alo21> mitya57, I am taking a look at alsa-plugins (in main)
[18:39] <alo21> mitya57, I will ask to the last uploader, if it's free
[18:40] <alo21> and of course if it is a sync or a merge
[18:40] <mitya57>   * Upload to unstable.
[18:40] <mitya57>  -- Jordi Mallach <jordi@debian.org>  Thu, 09 May 2013 12:40:49 +0200
[18:41] <mitya57> alo21: feel free to merge (^)
[18:41] <alo21> mitya57, and, as I can see, it's a worth-sync
[18:42] <alo21> am I right? (just to be sure)
[18:43] <mitya57> alo21: at least "Create libasound2-plugins-extra package which contains plugins that use libav" seems like a non-merged-back delta
[18:44] <mitya57> other changes look like no longer needed (unless it fails to build)
[18:46] <alo21> mitya57, I noticed that the last uploader (in Ubuntu) was Tartler. Is a better idea to ask him if it's free?
[18:47] <mitya57> he is here (siretart)
[18:48] <alo21> siretart, hi... can I take care of alsa-plugins, please?
[18:52] <alo21> mitya57, anyway... how can I create libasound2-plugins-extra package which contains plugins that use libav?
[18:53] <alo21> I mean... I think I should edit some lines in rules file
[18:55] <mitya57> alo21: that change is already in ubuntu
[18:55] <mitya57> so, if you know how to do merges, you'll get it
[18:56]  * alo21 afk
[19:28] <alo21> hi... I would like to know if alsa-plugins is a worth-sync or merge...
[19:28] <alo21> the package is in main