/srv/irclogs.ubuntu.com/2013/07/08/#ubuntu-meeting.txt

=== fego_ is now known as zephyr
=== jono is now known as Guest27980
=== Sp4rKy is now known as Sp4rKy_
=== Sp4rKy_ is now known as Sp4rKy
=== JoseAntonioR is now known as JoseeAntonioR
=== zequence_ is now known as zequence
=== psivaa is now known as psivaa-lunch
=== fader_` is now known as fader_
=== kyri is now known as tr3quart1sta
=== cking_ is now known as cking
=== psivaa-lunch is now known as psivaa
=== cjohnston_ is now known as cjohnston
=== chiluk` is now known as chiluk
=== dosaboy_ is now known as dosaboy
=== plars_ is now known as plars
mdeslaur	\o	16:34
mdeslaur	o/	16:34
jdstrand	hi!	16:34
mdeslaur	\o/	16:34
tyhicks	hello	16:35
jdstrand	#startmeeting	16:35
meetingology	Meeting started Mon Jul 8 16:35:04 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.	16:35
meetingology	Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired	16:35
jdstrand	The meeting agenda can be found at:	16:35
jdstrand	[LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting	16:35
jdstrand	[TOPIC] Announcements	16:35
=== meetingology changed the topic of #ubuntu-meeting to: Announcements
jdstrand	Christian Kuersteiner (ckuerste) provided debdiffs to lucid, precise, to fix libopenid-ruby (LP: #1190491). Your work is very much appreciated and will keep Ubuntu users secure.	16:35
ubottu	Launchpad bug 1190491 in ruby-openid (Ubuntu Quantal) "XML denial of service vulnerability" [Medium,Fix released] https://launchpad.net/bugs/1190491	16:35
jdstrand	[TOPIC] Weekly stand-up report	16:35
=== meetingology changed the topic of #ubuntu-meeting to: Weekly stand-up report
jdstrand	I'll go first	16:35
jdstrand	I'm on triage this week	16:35
jdstrand	last week did various !AppArmor work in support of click packages, application isolation and the SDK. Some more to do there. Uploading patches to !AppArmor today (two uploads for saucy for now-- one with and without apache 2.4 patches	16:35
jdstrand	I have several pending updates I am trying to get out too	16:36
jdstrand	and patch piloting got deferred to this week	16:36
jdstrand	mdeslaur: you're up	16:36
mdeslaur	I just published raptor2 updates	16:36
mdeslaur	I'm on community this week	16:36
mdeslaur	I'm working on some ruby updates at the moment	16:36
mdeslaur	and have some other updates to test	16:36
mdeslaur	that's it from me	16:36
mdeslaur	sbeattie: you're up	16:36
sbeattie	I'm on apparmor this week	16:37
sbeattie	I'm also working on the SDK/click stuff.	16:37
sbeattie	I also need to review the bits that jdstrand has worked on.	16:37
sbeattie	That's pretty much the focus for me this week. tyhicks?	16:38
tyhicks	I'm currently finishing up a lot of changes to the apparmor regression tests for dbus	16:38
tyhicks	One of the changes addresses hangs that jdstrand experienced last week on a loaded system	16:38
tyhicks	I'll be working to drive the dbus syntax to completion	16:39
tyhicks	I wasn't able to get to any of the eCryptfs maintainership duties that I mentioned last week, so those will have to be done this week	16:39
tyhicks	I think that's it for me	16:39
tyhicks	jjohansen: you're up	16:39
jjohansen	well there will be some syntax completion work this week	16:40
jjohansen	an apparmor meeting to prep for	16:40
jjohansen	and I will be continuing to work on my apparmor wi for July	16:41
jjohansen	I think that is it from me, sarnold your up	16:42
sarnold	I'm going to finish review of aa-easyprof changes, apparmor 2.8.2 release, and MIR audits this week	16:43
jdstrand	sarnold: sorry for another big patch :) I think that may be it for a little bit anyway	16:44
sarnold	apparmor 2.8.2 relies upon sbeattie or jjohansen to help walk me through it, but I think we wanted it released before tomorrow's apparmor meeting, so it'll probably happen today :)	16:44
sarnold	jdstrand: oh cool :)	16:44
sbeattie	sarnold: I'll help guide you along for 2.8.2	16:45
sarnold	ah, no chrisccoulson, jdstrand, back to you :)	16:45
sarnold	sbeattie: thanks	16:45
jdstrand	[TOPIC] Highlighted packages	16:45
=== meetingology changed the topic of #ubuntu-meeting to: Highlighted packages
jdstrand	The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.	16:45
jdstrand	See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.	16:45
jdstrand	http://people.canonical.com/~ubuntu-security/cve/pkg/heimdal.html	16:45
jdstrand	http://people.canonical.com/~ubuntu-security/cve/pkg/hostapd.html	16:45
jdstrand	http://people.canonical.com/~ubuntu-security/cve/pkg/flatnuke.html	16:45
jdstrand	http://people.canonical.com/~ubuntu-security/cve/pkg/tinymce.html	16:45
jdstrand	http://people.canonical.com/~ubuntu-security/cve/pkg/openvas-server.html	16:45
jdstrand	[TOPIC] Miscellaneous and Questions	16:46
=== meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions
jdstrand	Does anyone have any other questions or items to discuss?	16:46
jdstrand	mdeslaur, sbeattie, tyhicks, jjohansen, sarnold: thanks!	16:56
jdstrand	#endmeeting	16:56
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds \| Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendar \| Logs: https://wiki.ubuntu.com/MeetingLogs \| Meetingology documentation: https://wiki.ubuntu.com/meetingology
meetingology	Meeting ended Mon Jul 8 16:56:09 2013 UTC.	16:56
meetingology	Minutes (wiki): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-07-08-16.35.moin.txt	16:56
meetingology	Minutes (html): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-07-08-16.35.html	16:56
tyhicks	thanks!	16:56
sbeattie	jdstrand: thanks!	16:56
mdeslaur	thanks jdstrand!	16:56
sarnold	thanks jdstrand :)	16:56
jjohansen	thanks jdstrand	16:56
=== funkyHat_ is now known as funkyHat
mdz	#startmeeting	19:58
meetingology	Meeting started Mon Jul 8 19:58:35 2013 UTC. The chair is mdz. Information about MeetBot at http://wiki.ubuntu.com/meetingology.	19:58
meetingology	Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired	19:58
soren	o/	19:59
* stgraber waves		20:00
mdz	#topic action review	20:01
=== meetingology changed the topic of #ubuntu-meeting to: action review
mdz	I don't see any actions recorded from the previous meeting. correct?	20:01
mdz	#topic Discussion and vote on the development series alias name	20:01
=== meetingology changed the topic of #ubuntu-meeting to: Discussion and vote on the development series alias name
mdz	following up from the previous meeting	20:02
mdz	current proposals are "rolling" (preferred by Rick) and "next' (preferred by the TB)	20:02
stgraber	I don't think we gave any direct action indeed, though there's a sort of action for cjwatson to implement the LP code for the series alias	20:02
mdz	Rick doesn't seem to be around	20:02
mdz	IIRC the reason we deferred was to get his input	20:02
cjwatson	I mailed him earlier today, but he's just back from holiday and may be snowed under still	20:02
cjwatson	I don't think there's a point in revisiting without him, since the point was indeed to reconcile	20:02
mdz	ok	20:03
cjwatson	perhaps we should try mail	20:03
cjwatson	in any case:	20:03
stgraber	I also directly Cced him on the minutes but I haven't heard anything back from him either	20:03
mdz	I recommend that if the topic comes around again in 2 weeks and he's not here, we proceed anyway	20:03
cjwatson	there's an implementation issue wgrant raised when I started trying to get database changes made in support of this, with respect to PPAs	20:03
cjwatson	I need to hash that out with him	20:03
cjwatson	however William is now himself off on holiday	20:03
cjwatson	so this is blocked for a while in any event	20:03
cjwatson	I have the rest of the code written, so will be pretty close once that's sorted	20:04
mdz	ok	20:04
mdz	even if it's not blocking, it's not good to keep this open for too long	20:04
mdz	so I'd like to wrap it next time regardless	20:04
mdz	fair?	20:04
cjwatson	agreed	20:05
mdz	#topic Discussion and vote on OpenSSL as a system library	20:06
=== meetingology changed the topic of #ubuntu-meeting to: Discussion and vote on OpenSSL as a system library
stgraber	fine with me, I'll be at a sprint in London for our next meeting, but should still be able to attend	20:06
mdz	thread: https://lists.ubuntu.com/archives/technical-board/2013-June/001653.html	20:06
mdz	previous thread: https://lists.ubuntu.com/archives/technical-board/2013-May/001602.html	20:06
cjwatson	so, I haven't had a chance to reply properly to kees on this, but I finally managed to articulate my objection to his line of argument just now when preparing for this meeting	20:06
cjwatson	it is this: his line of argument could be used to justify constructing derived works that combine the GPL with any other free-but-GPL-incompatible licence, as long as it's far enough embedded into our system	20:08
cjwatson	and I just can't reconcile that with my understanding of the spirit of the GPL, as presented by the FSF	20:08
mdz	I think in many cases there's a divergence between the intent of the FSF and the intent of the copyright holder	20:09
mdz	and it seems fair to favor the latter	20:09
cjwatson	sure, and I'm happy to accept an explicit statement from the licensor, as I've mentioned before	20:09
cjwatson	however, we are talking here about the fallback case where there isn't an explicit statement	20:09
mdz	we're talking about GPLv2, yes?	20:10
cjwatson	v2 in one case, v3 in the other. I forget which was which.	20:10
cjwatson	if mongodb/squid/whatever issue an explicit statement clarifying the intent of their licence, and that covers the GPLed code involved, I'm more than happy to honour that	20:10
cjwatson	that much I think is not in dispute	20:10
mdz	agreed	20:11
mdz	so there seems to be no practical problem on the table (anymore)?	20:11
cjwatson	but, for the rest, an interpretation where it can be freely linked with openssl is not within my understanding of the spirit of the GPL, so I couldn't vote for allowing that	20:11
cjwatson	well, except that neither has actually got round to issuing such a statement AFAIK	20:12
mdz	ScottK requested a statement on this regardless of any specific case	20:12
soren	mdz: I understand there's a decent chance the copyright holder didn't intend to prevent us from linking their code with openssl. However, if our reading of the license says that it's not permitted, I think we're in very dangerous territory by wholesale assuming that the copyright holder didn't mean to have that particular bit of their license to us apply.	20:12
cjwatson	my understanding was that mongodb said they were planning to but hadn't yet, and some squid developers had been making vague noises, but nothing determinative	20:12
mdz	soren, agreed	20:12
cjwatson	I respect the alternate readings that Dave and Kees and others have put forward; I just don't agree with them :)	20:13
* kees is here, sorry I'm late		20:13
cjwatson	http://gplv3.fsf.org/wiki/index.php/Compatible_licenses#GPLv2-incompatible_licenses explicitly lists the FSF's opinion that the OpenSSL licence is incompatible with the GPLv2	20:14
cjwatson	so I have an extremely hard time saying that we could assume the contrary in the absence of an explicit statement	20:14
mdz	I'm inclined to agree	20:15
kees	hm, given openssl is explicitly called out there, then yeah.	20:15
cjwatson	similarly on http://www.gnu.org/licenses/license-list.html	20:15
* soren too		20:15
mdz	but I'm willing to be pragmatic with the statement from the copyright holders	20:15
cjwatson	sorry, http://www.gnu.org/licenses/license-list.html#OpenSSL	20:15
cjwatson	mdz: right, me too, absolutely	20:15
mdz	e.g. an email is fine, I don't see it as necessary to have them change all of the copyright notices	20:15
soren	I wish it weren't so, as it obviously is a pain in the "#¤%, but that's just how it is.	20:15
kees	my rationale was mostly from the perspective of "since this is vague"... but that would make it NOT vague. :P	20:15
kees	although, I still wonder one thing...	20:15
cjwatson	soren: Yep, I entirely agree that this position is inconvenient - I just don't think we get to read licences for our convenience	20:16
kees	there's no question it is incompat... but can it be dynamically linked?	20:16
soren	cjwatson: Precisely.	20:16
kees	i.e. clearly can't _include_ openssl in a piece of software. but link?	20:16
mdz	kees, that comes down to the interpretation of a derived work	20:16
cjwatson	kees: The FSF's position on that is clear elsewhere; dynamically linking forms a derivative work of the two	20:16
cjwatson	Again, I would be happy to accept the overriding opinion of a licensor (copyright holder)	20:16
cjwatson	But it makes sense to me that if you've written software such that it requires dynamically linking against OpenSSL to actually work, then it's a derived work ...	20:17
kees	how can linking be derived? the point of shared objects was to create API boundries.	20:17
soren	Naturally. The license is the copyright holder's terms for other people's use of their software. Their interpretation will always take precedence.	20:17
kees	derived is "and then I added a new encryption scheme to openssl" not "and then I opened an https connection"	20:18
cjwatson	https://www.gnu.org/licenses/gpl-faq.html#GPLStaticVsDynamic	20:18
soren	kees: When you consume libraries, your work builds on top of their functionality.	20:18
cjwatson	I think this has been tested in court although [citation needed]	20:18
kees	so "combined work" != "derived work"	20:18
soren	kees: That constitutes "derived work" in my book.	20:18
kees	so, "use LGPL" is the other answer, I guess.	20:19
mdz	there is room for interpretation there, and maybe even different rulings in different jurisdictions	20:19
kees	but what about the exceptions to this that were made for non-free libc?	20:19
cjwatson	That was because you couldn't run anything on those platforms at all without using the non-free libc	20:19
cjwatson	That being the point of the system library exception	20:20
mdz	yes	20:20
cjwatson	But there are alternatives to using OpenSSL ...	20:20
mdz	FSVO "alternative" :-)	20:20
kees	heh, so if we kick gnutls out of the archive, we can link against openssl? :P	20:20
cjwatson	I've never been convinced by trying to expand the scope of the system library exception, partly because it doesn't seem to fit the historical context of that exception	20:20
cjwatson	Also	20:21
kees	I would argue that the context still holds: when all examples of using crypto references openssl, when is the defacto standard, that kind of makes it a system library, imo	20:21
cjwatson	In the case of the system library exception, you're using interfaces that have both free and non-free implementations - nothing about your program is inherently derived from the non-free thing	20:21
cjwatson	But in the case of the OpenSSL APIs (as opposed to the crypto standards they implement), those are very definitely proprietary (in the sense of ownership) to OpenSSL	20:22
kees	I think that stands for openssl too -- there is no other interface to swap into place.	20:22
cjwatson	So the C library and OpenSSL are not comparable here	20:22
cjwatson	If the GnuTLS stub for the OpenSSL APIs ever reached reasonable completion, then you could swap them freely and I think that changes the argument, not to mention the pragmatics	20:23
* soren .oO{ What if all the time spent in different communities in different contexts discussing this particular problem had been put towards perfecting a libssl compatible wrapper for gnutls }		20:23
kees	I disagree. All the examples and recommended implementations of crypto I've seen for new programmers, school texts, etc, all use openssl interfaces.	20:23
cjwatson	But we just aren't there	20:23
cjwatson	And those are therefore derivative of OpenSSL	20:23
kees	soren: yeah, that would be nice, for sure.	20:23
cjwatson	The OpenSSL people put substantial creativity into those interfaces - they aren't neutral things	20:24
kees	I don't see libc being a neutral interface either. If "C Programming in the Unix Environment" shows me how to use "popen", and it's an exception, then I think "Secure Programming" showing how to use OpenSSL is very nearly the same.	20:25
mdz	kees, I don't think the question is whether it's a de facto standard	20:25
cjwatson	But popen has lots of implementations, many free	20:25
kees	then why would there be an exception for the non-free ones?	20:25
mdz	but whether it's a Major Component or part of a Major Component of Ubuntu	20:25
cjwatson	If nobody else has managed to produce a sufficient replacement for OpenSSL, that strengthens OpenSSL's claim to have its licence respected properly	20:25
kees	mdz: right, and I view crypto as an OS primitive.	20:26
cjwatson	I do not	20:26
cjwatson	It is not a required element	20:26
mdz	The “System Libraries” of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A “Major Component”, in this context, means a m	20:26
mdz	ajor essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.	20:26
mdz	(GPLv3)	20:26
cjwatson	mdz: (the wording is importantly different between v2 and v3; I analysed both in my original mail to the list about this)	20:27
mdz	yes, just adding some context here	20:27
kees	right, so that's why we differ in our conclusions. I believe crypto to be a Major Component, with OpenSSL being the defacto standard interface.	20:28
* soren idly wonders how amazingly amputated Ubuntu would be without libssl		20:28
cjwatson	In GPLv2, the business about "major components" pertains to distributing source, section 3, but does not affect the requirement to distribute the work as a whole under the same licence, section 2	20:28
kees	soren: I'll let you know right after I sniff all your traffic.	20:28
mdz	A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. [GPLv3]	20:28
cjwatson	So IMO even invoking the system library exception does not save you for GPLv2	20:28
soren	kees: rimshot	20:28
kees	mdz: exactly. I actually think GPLv3 is MORE supportive of it.	20:29
mdz	kees, yes, I agree there is more wiggle room in v3	20:29
kees	soren: but that's one of many reasons I think it's a critical piece of the OS.	20:29
mdz	in that particular definition	20:29
mdz	but as cjwatson says, that's not the main issue in v2	20:29
soren	I don't really think it matters whether it's an implementation of an official standard.	20:30
mdz	that's one of two conditions, only one of which needs to be met	20:30
soren	If there were some esoteric operating system whose basic API was entirely homegrown, I could write GPL software that runs on there without problems.	20:30
kees	I absolutely understand where cjwatson is coming from. I just don't come to the same conclusions.	20:30
mdz	can we defer to someone with the requisite legal expertise here, rather than armchairing it?	20:31
soren	mdz: But it's fun!	20:31
cjwatson	mdz: The FSF have published their analysis	20:31
mdz	we're all clearly capable of putting forth coherent, logical arguments which contradict each other	20:31
cjwatson	I don't see what we gain from trying to rebut the authors of the licence	20:31
mdz	cjwatson, what are you referring to? something other than the license itself?	20:32
kees	cjwatson: though I don't think they have published a statement that openssl is not a major component of ubuntu.	20:32
cjwatson	kees: OpenSSL would have to be "included in the normal form of packaging a Major Component, but which is not part of that Major Component" to qualify	20:33
cjwatson	mdz: Things like the license-list above	20:33
mdz	despite the long, proud Debian tradition of debating license interpretations, I don't see this as part of the tech board's charter	20:33
cjwatson	Well, I tried to reject it for ubuntu-archive, which is the normal body to interpret such things	20:34
soren	mdz: Can you think of a more suitable, existing governing body for this?	20:34
cjwatson	But it's been escalated	20:34
stgraber	agreed, the FSF clearly lists the OpenSSL license as being incompatible without the extra clause so unless the copyright holder says otherwise (which they can and we should encourage them to when possible), I believe we should respect the license's author's interpretation	20:34
mdz	so I don't think we'll come to a unanimous agreement here today	20:35
cjwatson	Can we dispose of part of it? I had the sense we were (mostly?) agreed that the situation with GPLv2 was clear	20:36
stgraber	the TB is the normal escalation path from ubuntu-archive, so I have no problem with us making a call here, not sure what we'd gain in postponing it some more or trying to find somebody else to delegate to	20:36
mdz	cjwatson, good point	20:36
mdz	kees, can you concede the v2 piece?	20:36
mdz	stgraber, this is a technical matter, but not within the discipline where we have expertise	20:36
mdz	(with all due respect for cjwatson's experience with licensing)	20:37
cjwatson	oh, merely an experienced armchair lawyer :P	20:37
mdz	we are fundamentally reliant on third party analysis to make a reasonable call here	20:37
cjwatson	no need for due-respect qualifiers :)	20:37
mdz	whereas for technical matters pertaining to software engineering and suchlike, I would be comfortable with us being a primary source	20:38
kees	mdz: I don't think I do, since GPLv3 was meant to clarify GPLv2, and GPLv3 (to me) supports OpenSSL being a Major Component.	20:38
stgraber	mdz: sure, and I believe the various documents that have been linked and the various analysis on our mailing-list and others is sufficient for us to make a reasonable call	20:38
cjwatson	kees: What about my point that the major component bit of GPLv2 is not sufficient to permit what people are trying to do?	20:38
kees	stgraber: I don't disagree that trying to release KeesSSL (forked from OpenSSL) would mean it's not GPL compat.	20:38
cjwatson	kees: It's confined to the source-distribution bit in section 3, while the must-distribute-work-as-a-whole-under-this-licence thing is in section 2 with no mention of the system library exception ...	20:39
kees	cjwatson: I'm not sure I understood what you meant with it.	20:39
mdz	kees, he means that there's no such exception which enables the distribution of the software under the terms of the GPL	20:40
cjwatson	My objection to linking GPLv2 with OpenSSL is that I believe that forms a derived work as a whole, and v2 s. 2 says that the work as a whole must be licensed under the terms of the GPL	20:40
mdz	there's only an exception to allow those components to be excluded from source code distribution	20:40
kees	mdz: "the software" being OpenSSL or thing-dyn-linking-to-openssl ?	20:40
cjwatson	And that the system library bit is an exception for s. 3 not s. 2	20:40
mdz	kees, the derived work	20:40
kees	I suck at arm-chair lawyering	20:42
mdz	ok, so the options seem to be: 1. vote here and now, or 2. defer to an expert opinion	20:42
mdz	any other options to put on the table?	20:42
mdz	"keep arguing" is excluded ;-)	20:42
mdz	it's been a month and no consensus has emerged	20:43
kees	cjwatson: where in GPLv2 is the linking bit?	20:43
stgraber	I unfortunately fear that 2. is == "keep arguing" and I agree we've argued enough about this :)	20:43
mdz	stgraber, how so? I think we could easily agree on a law firm we could trust to give us an informed opinion	20:44
mdz	but we have another topic on the agenda and only 15 minutes left	20:44
mdz	I for one have a meeting directly after	20:44
cjwatson	kees: v2 doesn't specify, it relies on copyright law interpretation to define what's a derived work	20:44
cjwatson	kees: v3 clarified this to "Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, ..."	20:45
kees	cjwatson: the faq seems to imply v2 has a system library exception. https://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLibs	20:46
cjwatson	covering source code distribution	20:46
cjwatson	oh, found another interesting thing	20:46
cjwatson	http://www.lawseminars.com/materials/08OPSMA/opsma%20m%20fontana%2010-29%20new%20up.pdf	20:46
cjwatson	from one of the authors of the GPLv3; says 'Debian unsuccessfully sought FSF opinion that OpenSSL was a GPLv3 "System Library"'	20:46
kees	interesting	20:47
mdz	#vote +1 means vote here and now, -1 means defer to an expert third party opinion, +0 means do nothing and leave things as they are (i.e. somewhat ambiguous)	20:47
meetingology	Please vote on: +1 means vote here and now, -1 means defer to an expert third party opinion, +0 means do nothing and leave things as they are (i.e. somewhat ambiguous)	20:47
meetingology	Public votes can be registered by saying +1, +0 or -1 in channel, (private votes don't work yet, but when they do it will be by messaging the channel followed by +1/-1/+0 to me)	20:47
meetingology	+1 means vote here and now, -1 means defer to an expert third party opinion, +0 means do nothing and leave things as they are (i.e. somewhat ambiguous) received from mdz	20:47
ScottK	FWIW, right now we have at least two archive admins with a different view of what's permissible and if something is accepted into the archive shouldn't depend on who does the review.	20:47
stgraber	+1	20:48
meetingology	+1 received from stgraber	20:48
kees	+1	20:48
meetingology	+1 received from kees	20:48
mdz	weird, meetingology seems to have interpreted my vote request as a vote	20:48
cjwatson	and has the context that the v3 redraft of the system library exception was motivated by making Nexenta legal	20:48
soren	+1	20:48
meetingology	+1 received from soren	20:48
mdz	-1	20:48
meetingology	-1 received from mdz	20:48
cjwatson	+1 I feel I have read enough expert third party opinions and would rather get it over wish	20:48
meetingology	+1 I feel I have read enough expert third party opinions and would rather get it over wish received from cjwatson	20:48
cjwatson	*with	20:48
mdz	#endvote	20:48
meetingology	Voting ended on: +1 means vote here and now, -1 means defer to an expert third party opinion, +0 means do nothing and leave things as they are (i.e. somewhat ambiguous)	20:48
meetingology	Votes for:4 Votes against:1 Abstentions:0	20:48
meetingology	Motion carried	20:48
mdz	ok, so we vote	20:48
mdz	so what do we specifically want to decide? whether an exception is required to have GPL (v2 or v3) software link with OpenSSL in Ubuntu?	20:49
kees	I think that summarizes it, yes.	20:50
cjwatson	we should vote on our interpretation of v2 and v3 separately IMO	20:50
kees	agreed	20:50
mdz	we're all in agreement that it's cool with an exception, and that the exception doesn't need to be shipped with the software, correct?	20:50
kees	shouldn't the exception be in debian/copyright though?	20:50
soren	Yes.	20:50
cjwatson	I'd say the packager ought to put it in debian/copyright, but I'm willing to trust an e-mail, yes	20:50
cjwatson	(plenty of precedent for that, including at least one of my own packages ;-) )	20:50
mdz	proposed motion to vote on: An explicit exception is required in order for GPLv2 licensed software to link (statically or dynamically) with OpenSSL in Ubuntu	20:51
mdz	?	20:51
kees	seems like having the exception living somewhere in HEAD is sufficient, in the source better, in debian/copyright best.	20:51
stgraber	yep, I'm fine with that, it's how we've mostly been doing things and what the license author recommends (not the separate e-mail part, but I'm fine with that if it's in debian/copyright)	20:51
soren	mdz: Sounds good to me.	20:51
cjwatson	Is there any dispute about the static case?	20:52
kees	mdz: yeah, wording on that vote seems good	20:52
kees	I don't dispute the static case at all	20:52
cjwatson	We didn't discuss that above	20:52
mdz	ok, removing that then	20:52
mdz	#vote An explicit exception is required in order for GPLv2 licensed software to dynamically link with OpenSSL in Ubuntu	20:52
meetingology	Please vote on: An explicit exception is required in order for GPLv2 licensed software to dynamically link with OpenSSL in Ubuntu	20:52
meetingology	Public votes can be registered by saying +1, +0 or -1 in channel, (private votes don't work yet, but when they do it will be by messaging the channel followed by +1/-1/+0 to me)	20:52
soren	+1	20:53
meetingology	+1 received from soren	20:53
stgraber	+1	20:53
meetingology	+1 received from stgraber	20:53
mdz	I didn't want the vote to imply that static linking was OK	20:53
mdz	+1	20:53
meetingology	+1 received from mdz	20:53
kees	-1	20:53
meetingology	-1 received from kees	20:53
cjwatson	+1	20:53
meetingology	+1 received from cjwatson	20:53
mdz	#endvote	20:53
meetingology	Voting ended on: An explicit exception is required in order for GPLv2 licensed software to dynamically link with OpenSSL in Ubuntu	20:53
meetingology	Votes for:4 Votes against:1 Abstentions:0	20:53
meetingology	Motion carried	20:53
mdz	#vote An explicit exception is required in order for GPLv3 licensed software to dynamically link with OpenSSL in Ubuntu	20:53
meetingology	Please vote on: An explicit exception is required in order for GPLv3 licensed software to dynamically link with OpenSSL in Ubuntu	20:53
meetingology	Public votes can be registered by saying +1, +0 or -1 in channel, (private votes don't work yet, but when they do it will be by messaging the channel followed by +1/-1/+0 to me)	20:53
mdz	(s/2/3/)	20:53
kees	-1	20:54
meetingology	-1 received from kees	20:54
stgraber	+1	20:54
meetingology	+1 received from stgraber	20:54
mdz	+0 I don't think I have studied this one enough	20:54
meetingology	+0 I don't think I have studied this one enough received from mdz	20:54
cjwatson	+1 - kees did come close to persuading me to at least abstain, but the presentation from Red Hat's counsel has re-convinced me	20:54
meetingology	+1 - kees did come close to persuading me to at least abstain, but the presentation from Red Hat's counsel has re-convinced me received from cjwatson	20:54
soren	+1	20:54
meetingology	+1 received from soren	20:54
mdz	#endvote	20:54
meetingology	Voting ended on: An explicit exception is required in order for GPLv3 licensed software to dynamically link with OpenSSL in Ubuntu	20:54
meetingology	Votes for:3 Votes against:1 Abstentions:1	20:54
meetingology	Motion carried	20:54
mdz	ScottK, satisfactory?	20:54
ScottK	mdz: Definitely. I think that's quite clear.	20:54
mdz	#topic Review our current "provisional" Micro Release Exceptions	20:54
=== meetingology changed the topic of #ubuntu-meeting to: Review our current "provisional" Micro Release Exceptions
ScottK	Thanks for taking on this difficult issue.	20:55
kees	while those slides were very interesting, I still feel that we're a different distro from both RH and debian.	20:55
mdz	https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions	20:55
cjwatson	Thanks; and hope nobody was offended by robust debate :-)	20:55
mdz	Provisional exceptions:	20:55
mdz	Nova, Glance, Horizon, Keystone (to unblock SRU on 2012-06-25)	20:55
mdz	Cinder, Quantum on 2012-12-03	20:55
mdz	LibreOffice (2012-06-25)	20:55
mdz	Mesa (2012-07-23 - SPECIAL CASE: piglit test suite is not in-tree, needs to be run on real hardware)	20:55
mdz	vlc (2012-07-23)	20:55
mdz	ceph for Ubuntu >= 12.10 and ceph upstream LTS releases 2013-02-25	20:55
mdz	libdrm for Ubuntu 12.10. Backport of the 13.04 version to match that backported in 12.04 as part of lts-raring enablement.	20:55
kees	yeah, thanks for this. I never expected to convince everyone, but I'm glad to have had the chance to lay out my thoughts. :)	20:55
stgraber	so I granted the libdrm one as a one-time thing, I believe mlankhorst did that backport and so we can now remove it from the list	20:56
cjwatson	The server MREs seem to be going fairly smoothly from what I've seen	20:56
kees	to review the pMRE list, I'd be curious to see how many times they've been SRUed since the pMRE, and how many regressions were seen.	20:56
mdz	stgraber, agreed, you can go ahead and remove that if you like	20:56
mdz	kees, yes, that would be useful	20:57
mdz	I don't have that information to hand	20:57
mdz	and suspect it would take some legwork to assemble	20:57
stgraber	mdz: done	20:57
kees	bdmurray: do you happen to have any off-the-top-of-your-head thoughts on these pMRE packages's SRU behavior so far?	20:57
cjwatson	Should be minable easily out of /ubuntu/+source/foo/+publishinghistory	20:58
cjwatson	There've certainly been "some" of each of the server ones; I don't immediately recall regressions there ...	20:58
bdmurray	kees: with my work on phasing updates I have a report of possible regressions about packages released to -updates	20:58
cjwatson	bdmurray++	20:58
bdmurray	however, since some of the packages are server related and those don't automatically go to errors it may not very helpful	20:59
bdmurray	here is the report	20:59
bdmurray	http://people.canonical.com/~brian/tmp/phased-updates.html	20:59
mdz	we're out of time	21:00
mdz	I don't recall the reason for reviewing these; presumably just general housecleaning?	21:01
mdz	seems like we could take the analysis offline and probably resolve these by mail	21:01
kees	mdz: yes	21:01
cjwatson	I think so; it ought to be done every so often	21:01
kees	mdz: agreed, thanks!	21:01
mdz	so someone could cross-reference bdmurray's analysis with the list of pMREs and send the results to the mailing list	21:01
cjwatson	mail> agreed	21:01
mdz	any volunteers?	21:01
kees	mdz: I will do that	21:01
mdz	kees, thank you	21:01
cjwatson	thank you!	21:01
stgraber	thanks!	21:02
mdz	#action kees to cross-reference phased-updates.html with pMREs and send analysis to technical-board@	21:02
meetingology	ACTION: kees to cross-reference phased-updates.html with pMREs and send analysis to technical-board@	21:02
mdz	#topic next chair	21:02
=== meetingology changed the topic of #ubuntu-meeting to: next chair
mdz	so stgraber and I swapped	21:02
cjwatson	I guess that means it's probably me?	21:02
mdz	pitti? soren?	21:02
cjwatson	22nd - I'll be at the releng sprint in London	21:02
cjwatson	not totally sure I'll be around	21:03
mdz	pitti would be next in nick order	21:03
mdz	oh, sorry, confused	21:03
mdz	I was going to be last time, right?	21:03
mdz	and stgraber filled in	21:03
stgraber	yep	21:03
cjwatson	oh, that would still make it pitti then I guess	21:03
mdz	so I think pitti next, then soren, then cjwatson	21:03
cjwatson	right	21:03
mdz	#action pitti to chair next meeting	21:03
meetingology	ACTION: pitti to chair next meeting	21:03
cjwatson	if we remember	21:03
mdz	#topic EOB	21:03
=== meetingology changed the topic of #ubuntu-meeting to: EOB
mdz	anything incredibly urgent?	21:03
mdz	er AOB	21:03
cjwatson	sleep	21:04
mdz	once	21:04
cjwatson	:-)	21:04
mdz	twice	21:04
mdz	thrice	21:04
mdz	thanks, all	21:04
mdz	#endmeeting	21:04
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds \| Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendar \| Logs: https://wiki.ubuntu.com/MeetingLogs \| Meetingology documentation: https://wiki.ubuntu.com/meetingology
meetingology	Meeting ended Mon Jul 8 21:04:09 2013 UTC.	21:04
meetingology	Minutes (wiki): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-07-08-19.58.moin.txt	21:04
meetingology	Minutes (html): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-07-08-19.58.html	21:04
cjwatson	thanks mr chair	21:04
stgraber	thanks!	21:04
=== Trevinho_ is now known as Trevinho
=== JoseeAntonioR is now known as j
=== j is now known as JoseeAntonioR
=== JoseeAntonioR is now known as jose

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!