=== freeflying is now known as freeflying_away
=== freeflying_away is now known as freeflying
=== freeflying is now known as freeflying_away
=== freeflying_away is now known as freeflying
=== Ursinha_ is now known as Ursinha
=== fader_ is now known as fader
=== freeflying is now known as freeflying_away
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
[16:33] hi!
[16:33] hello
[16:33] #startmeeting
[16:33] Meeting started Mon Nov 4 16:34:17 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:33] Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
[16:33] The meeting agenda can be found at:
[16:33] [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:33] [TOPIC] Announcements
=== meetingology changed the topic of #ubuntu-meeting to: Announcements
[16:34] Thanks to the following individuals:
[16:34] Christian Biamont (christianbiamont) provided a debdiff for precise for xml-security-c (LP: #1192874)
[16:34] Launchpad bug 1192874 in xml-security-c (Ubuntu Saucy) "heap overflow while processing InclusiveNamespace PrefixList" [Undecided,Fix released] https://launchpad.net/bugs/1192874
[16:34] Felix Geyer (debfx) provided debdiffs for precise-raring for libapache2-mod-fcgid (LP: #1238242)
[16:34] Launchpad bug 1238242 in libapache2-mod-fcgid (Ubuntu Lucid) "CVE-2013-4365: possible heap buffer overwrite" [Undecided,New] https://launchpad.net/bugs/1238242
[16:34] Felix Geyer (debfx) provided debdiffs for precise-raring for ejabberd (LP: #1239307)
[16:34] Launchpad bug 1239307 in ejabberd (Ubuntu Lucid) "Allows SSLv2 and weak ciphers" [Undecided,New] https://launchpad.net/bugs/1239307
[16:34] christianbiamont, debfx: Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
[16:34] [TOPIC] Weekly stand-up report
=== meetingology changed the topic of #ubuntu-meeting to: Weekly stand-up report
[16:34] hi!
[16:34] I'll go first
[16:35] I'm on triage this week
[16:35] I've got quite a few things to catch up on from being at the sprint last week
[16:35] also I need to process/communicate outcomes from sprint next week
[16:36] in general, there shouldn't be any surprises for our team
[16:36] nothing major was added to our plans for 14.04 and 14.10
[16:37] I will be doing a click-apparmor upload to sponsor a fix for cjwatson. I'm getting some CI testing going around click-apparmor which is why I haven't updated it yet
[16:37] I hope to have that today or tomorrow at the latest
[16:38] I know tyhicks wants me to sponsor an apparmor upload
[16:38] I think that's it for me
[16:38] mdeslaur: you're up
[16:38] hi! I'm on community this week
[16:38] I'm currently pushing out libav updates
[16:38] FYI, the libav and ffmpeg codebases have diverged to the point of it being unreasonable to track both using the same set of CVEs
[16:39] as such, I've updated the CVEs in the tracker
[16:39] oh, interesting
[16:39] mdeslaur: updated as in, updated the boilerplate?
[16:39] jdstrand: as in added README.libav, killing the boilerplate, and marking existing cves as ignored or not-affected for libav
[16:40] cool
[16:40] we shouldn't track ffmpeg CVEs as affecting libav
[16:40] I noticed libav is now in universe in trusty
[16:40] does kurt agree?
[16:41] tomorrow I'm off, and further down this week, I plan on finishing my merges and picking up some more updates
[16:41] sarnold: no idea
[16:41] sarnold: but the CVE descriptions never had "libav" in them
[16:42] and I can't track vulnerabilities/commits across them
[16:42] and libav is committing a whole slew of independent security fixes now without asking for CVEs
[16:43] anyway, that's it from me
[16:43] sbeattie: you're up
[16:44] hrm, sbeattie seems to be MIA
[16:45] I'll go
[16:45] I'll wrap up a pending apparmor upload today and hand it off to jdstrand (thanks!)
[16:45] Then I need to look into an ecryptfs/apparmor kernel bug that I hit last week
[16:45] I also have some merges that I need to do
[16:46] oh, and I need to look at enabling yama on the mobile kernels
[16:46] that's it for me
[16:46] jjohansen: you're up
[16:47] sarnold: let's go to you
[16:48] hehe
[16:48] it appears I'm in my happy place again this week \o/
[16:49] I've been getting the hang of both canonistack and smo ser's virtual maas deployment scripts with an eye towards being able to do some maas update testing
[16:49] I've prepared new versions of the maas updates for release hopefully this week -- it depends if the -proposed updates have moved into the -updates queue yet or not.
[16:50] sarnold: \o/
[16:50] (bigjools had finished the last verification-needed test last week, so I hope the automated framework moved them through by now)
[16:50] mdeslaur: yeah, it'll be nice to finally cross these two off the list :)
[16:51] which two?
[16:52] unfortunately smo ser's older script isn't his preferred testing method, and I had trouble getting the newer script to work, but I think his older script will work well enough for a starting point for documenting how the whole thing works..
[16:52] jdstrand: CVE-2013-1057 and CVE-2013-1058
[16:52] ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1057)
[16:52] ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1058)
[16:52] ah, two CVEs, yes (I thought you were talking about source packages)
[16:52] ah :)
[16:53] once this is done I may do another MIR or pick up an update, depending upon mdeslaur's preference :)
[16:53] * mdeslaur consults magic 8 ball
[16:53] chrisccoulson: your turn :)
[16:54] chromium is up to date now (had mozilla updates last week as well)
[16:54] \o/
[16:54] \o/
[16:54] chrisccoulson: woot!
[16:54] this week i shall be helping get people up and running with oxide
[16:56] \o/
[16:56] i'm currently trying to improve the workflow for maintaining the chromium patches in oxide. there were various issues at the end of last week
[16:56] interesting
[16:56] other than that, i'll be back on to the usual again :)
[16:56] chrisccoulson: so, oxide made a big splash last week-- you should be getting the help now
[16:56] jdstrand, excellent, thanks
[16:57] jdstrand, you did a presentation didn't you?
[16:57] I did
[16:58] jdstrand, how did that go?
[16:59] chrisccoulson: well-- most everyone realized it was the plan of record
[16:59] chrisccoulson: phonedations had a number of questions cause we hadn't brought them into the loop before that (though they were in the meeting in april and saw the emails on it stating it was the plan)
[17:00] chrisccoulson: they've done quite a bit of work on qtwebkit to make sure it works well on armhf
[17:00] ah, ok. although i can't imagine it working that well, with no jit ;)
[17:01] chrisccoulson: and I imagine they will also start helping out soon (eg rsalveti). but like I said elsewhere-- getting you the armhf hardware and you can do some benchmarks to give to them
[17:01] yeah, I don't have the details. you and rsalveti should definitely talk at some point though
[17:01] yeah, that's cool
[17:01] I want to update/form a new bp for oxide for this cycle
[17:02] we can talk more about that this week
[17:02] oh, yes, that is another thing I have to do-- work with mdeslaur and all of you on bps for vUDS
[17:03] I don't know that we'll have an oxide session-- I think the work is known. we'll discuss later
[17:03] chrisccoulson: did you have any other questions or anything else to report?
[17:03] jdstrand, no, i think that's me done
[17:04] [TOPIC] Highlighted packages
=== meetingology changed the topic of #ubuntu-meeting to: Highlighted packages
[17:04] The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
[17:04] See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[17:04] http://people.canonical.com/~ubuntu-security/cve/pkg/openjpa.html
[17:04] http://people.canonical.com/~ubuntu-security/cve/pkg/flightgear.html
[17:04] http://people.canonical.com/~ubuntu-security/cve/pkg/sanlock.html
[17:04] http://people.canonical.com/~ubuntu-security/cve/pkg/rawstudio.html
[17:04] http://people.canonical.com/~ubuntu-security/cve/pkg/lighttpd.html
[17:04] [TOPIC] Miscellaneous and Questions
=== meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions
[17:04] Does anyone have any other questions or items to discuss?
[17:05] mdeslaur, tyhicks, sarnold, chrisccoulson: thanks!
[17:05] #endmeeting
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendar | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology
[17:05] Meeting ended Mon Nov 4 17:06:23 2013 UTC.
[17:05] Minutes (wiki): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-11-04-16.34.moin.txt
[17:05] Minutes (html): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-11-04-16.34.html
[17:06] thanks jdstrand!
[17:06] thanks!
[17:07] thanks jdstrand :)
[19:02] !dmb-ping
[19:02] bdrung, ScottK, Laney, micahg, barry, tumbleweed, stgraber: DMB ping
[19:02] * stgraber waves
[19:02] (not that it looks like we need a meeting)
[19:02] * barry waves
[19:02] no utlemming again this time afaict
[19:03] o/
[19:03] he does appear to be on freenode, just not in here
[19:04] hi, I'm here
[19:04] awesome!
[19:05] bdrung: you're chairing today, if you're around
[19:10] * bdrung comes around
[19:10] #startmeeting
[19:10] Meeting started Mon Nov 4 19:10:55 2013 UTC. The chair is bdrung. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[19:10] Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
[19:11] no previous action items. let's begin with our applications.
[19:12] #topic Per Package Uploader Applications
=== meetingology changed the topic of #ubuntu-meeting to: Per Package Uploader Applications
[19:13] #subtopic Ben Howard applying for PPU for walinuxagent and hv-kvp-daemon-init
[19:13] #link https://wiki.ubuntu.com/utlemming/PPUApplication
[19:13] utlemming: welcome. can you introduce yourself?
[19:13] hi, I'
[19:13] I'm Ben Howard and I spend my days in the cloud
[19:14] I rather enjoy working on Ubuntu and maintain those two packages, working with sponsors
[19:14] and I build the Cloud Images for Ubuntu
[19:15] so just a few random questions to get started ;)
[19:15] are you subscribed to ubuntu-devel-announce?
[19:16] er, I am not...but will be shortly :)
[19:16] good :)
[19:16] and done
[19:19] (sorry, trying to think about some clever questions, and failing at the moment ;))
[19:21] so those two packages are Azure specific, right? are there equivalents for other cloud platforms that you'll end up maintaining? or is Azure special in that regard?
[19:22] indeed, they are specific to Azure. The other package that I do a lot of work on is cloud-init. However, I lean on Scott Moser for that.
[19:22] there are no other packages at this time that I maintain as part of cloud work....and I would like to keep it that way. The goal is to put all that stuff into Cloud-init.
[19:24] utlemming: is walinuxagent something that we want to get into Debian too?
[19:25] tumbleweed: yes, and there is a version in Debian called waagent. However, I have been unsuccessful in working with the debian maintainer.
[19:26] oh, it's the same thing
[19:26] tumbleweed: our version, however, is much cleaner as we've made cloud-init to handle the majority of the work. So we do carry a delta.
[19:26] yeah, that's unfortunate
[19:27] tumbleweed: that said, I have worked with MS to get some our changes upstreamed, including carrying our init scripts and packaging to make maintenance easier.
[19:28] does it make sense for ubuntu to have both walinuxagent and waagent? shouldn't we be dropping one or rebasing onto debian's package?
[19:29] at least the package name should be the same
[19:29] bdrung: if you look at the debian logs, they used our early version of the package to create waagent
[19:30] utlemming: can you go into any detail about the debian maintainer issues?
[19:31] barry: we introduced the initial version of the walinuxagent ~ 12.04 time frame, while walinuxagent was still having a lot of issues. I worked with MS to get those straightened out. The Debian guys decided to package it, and introduced waagent based on our packaging. In the 12.10 and then 13.04 I reached out asking about merging the packages and removing the differences, which fell on deaf ears.
[19:33] utlemming: did they just not respond? are the orig maintainers still interested in maintaining the package in debian?
[19:33] on a related topic, are you aware of the (fairly low traffic) debian-cloud list?
[19:33] barry: no response. I haven't followed up in while -- I intend on following up on that later
[19:34] tumbleweed: yes, I am and I am on it
[19:34] tumbleweed: I even hang out on their IRC channel
[19:34] utlemming: cool
[19:34] ok. hopefully we can solve this some day
[19:34] but in the meantime, shouldn't we rename our walinuxagent source package? or remove waagent in Ubuntu?
[19:36] tumbleweed: that is a great question. waagent today exists as MS's originally saw it, while walinuxagent now requires cloud-init and uses cloud-init to behave like a cloud instance.
[19:36] tumbleweed: maybe schedule that for later in trusty if the issue can't be resolved in debian?
[19:36] tumbleweed: for cloud-images, we want them to behave like cloud-images and so we use walinuxagent + cloud-init.
[19:37] if our changes are a relatively clean set on top of upstream, then applying those on waagent instead (and killing walinuxagent) would make more sense
[19:37] if we've diverged to the point where we heavily change the upstream source tarball, then a separate source name isn't entirely unreasonable
[19:37] I can agree with that position. Mostly our changes are configuration changes.
[19:37] but we should then blacklist and remove waagent from the archive
[19:38] it depends what name is preferred. waagent or walinuxagent?
[19:38] well, whatever Debian uses is usually best, if only for dependencies
[19:38] Am I fashionably late?
[19:38] infinity: no, just late ;)
[19:38] I would probably blacklist waagent, simply because it is a dangerous package. Part of packaging is to prevent it from hosing a system on installation.
[19:38] ScottK asked me to pop in and repeat something I told him in private.
[19:38] 12:19 Is utlemming ready for PPU rights for the Azure stuff?
[19:38] 12:25 I don't think I've had to fix any of his uploads for a while now, so probably. As long as he's saying the right things about being sane and getting reviews.
[19:38] So, there. My work here is done. :)
[19:39] Thanks.
[19:39] thanks infinity
[19:39] maybe it would be good to file a bug against waagent in the BTS to ask for an opinion. either we should adopt the Debian name or Debian should adopt Ubuntu's name.
[19:39] I can take that as a work item for this cycle
[19:40] depending on the outcome, one of the two source package should be removed (and all needed changes applied to the remaining source package)
[19:41] oh, I guess I should also publicly state this since I've only done so in private to the board. I've been doing a fair amount of SRU review mostly of walinuxagent and haven't seen any problem with those so far. utlemming does a good job of getting all the right bits SRUed where it matters and keeping track of the state of Ubuntu Server on Azure.
[19:43] #vote Should Ben Howard get upload rights for walinuxagent and hv-kvp-daemon-init and get Ubuntu membership?
[19:43] Please vote on: Should Ben Howard get upload rights for walinuxagent and hv-kvp-daemon-init and get Ubuntu membership?
[19:43] Public votes can be registered by saying +1, +0 or -1 in channel, (private votes don't work yet, but when they do it will be by messaging the channel followed by +1/-1/+0 to me)
[19:43] +1
[19:43] +1 received from stgraber
[19:43] +1
[19:43] +1 received from tumbleweed
[19:43] +1
[19:43] +1 received from barry
[19:43] +1
[19:43] +1 received from bdrung
[19:44] utlemming: Congrats.
[19:44] :)
[19:44] +1
[19:44] +1 received from ScottK
[19:44] #endvote
[19:44] Voting ended on: Should Ben Howard get upload rights for walinuxagent and hv-kvp-daemon-init and get Ubuntu membership?
[19:44] Votes for:5 Votes against:0 Abstentions:0
[19:44] Motion carried
[19:45] utlemming: congrats.
[19:45] utlemming: so normally I'd grant you those rights immediately, however since I've expired from the technical board and no new board has been elected since, it'll take a little while.
[19:45] utlemming: I'll have to poke the Launchpad folks to figure out whether someone can cowboy the ACL in there for me ;)
[19:46] ack, sounds good
[19:47] utlemming: I consider having PPU + Ubuntu Membership to be more than Ubuntu Contributing Developer (which just grants recognition and Ubuntu membership). do you still want to become Ubuntu Contributing Developer?
[19:47] er, I think that PPU + Ubuntu Membership is fine
[19:48] I'll work towards MOTU next
[19:49] #topic Any other business
=== meetingology changed the topic of #ubuntu-meeting to: Any other business
[19:49] anything else to discuss?
[19:50] nothing here
[19:50] nor here
[19:50] same
[19:50] okay.
[19:51] micahg will be the next chair (following our list)
[19:51] thanks for coming.
[19:51] #endmeeting
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendar | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology
[19:51] Meeting ended Mon Nov 4 19:51:40 2013 UTC.
[19:51] Minutes (wiki): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-11-04-19.10.moin.txt
[19:51] Minutes (html): http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-11-04-19.10.html
[19:51] thanks bdrung
[19:51] you're welcome.
=== Ursinha-afk is now known as Ursinha
=== Ursinha is now known as Ursinha-afk