| === vladk|offline is now known as vladk | ||
| === vladk is now known as vladk|offline | ||
| === vladk|offline is now known as vladk | ||
| === dholbach_ is now known as dholbach | ||
| === vladk is now known as vladk|offline | ||
| === vladk|offline is now known as vladk | ||
| === ubott2 is now known as ubottu | ||
| === Trevinho_ is now known as Trevinho | ||
| === Adri2000 is now known as Guest67185 | ||
| === Guest67185 is now known as Adri2000_ | ||
| === doko_ is now known as doko | ||
| tyhicks | hello | 16:53 |
|---|---|---|
| sarnold | hello | 16:53 |
| jdstrand | hi! | 16:53 |
| jdstrand | #startmeeting | 16:54 |
| jdstrand | The meeting agenda can be found at: | 16:54 |
| jdstrand | [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting | 16:54 |
| mdeslaur | hello! | 16:54 |
| jdstrand | [TOPIC] Announcements | 16:54 |
| jdstrand | Andrew Starr-Bochicchio (andrewsomething) provided a debdiff for trusty for libtorrent-rasterbar (LP: #1330703) | 16:54 |
| ubottu | Launchpad bug 1330703 in libtorrent-rasterbar (Ubuntu Trusty) "[Security] UPNP opens port 0 which fully exposes PC to the internet." [High,Fix released] https://launchpad.net/bugs/1330703 | 16:54 |
| jdstrand | James Page (jamespage) provided an update for trusty for percona-xtradb-cluster-5.5 (LP: #1325916) | 16:54 |
| ubottu | Launchpad bug 1325916 in percona-xtradb-cluster-5.5 (Ubuntu Utopic) "Update to 5.5.37 for security updates" [Undecided,Fix released] https://launchpad.net/bugs/1325916 | 16:54 |
| jdstrand | Felix Geyer (debfx) provided a debdiff for trusty for mumble (LP: #1335597) | 16:54 |
| ubottu | Launchpad bug 1335597 in mumble (Ubuntu Saucy) "CVE-2014-3755 and CVE-2014-3756" [Undecided,Confirmed] https://launchpad.net/bugs/1335597 | 16:54 |
| jdstrand | Louis Bouchard (caribou) provided a debdiff for precise-utopic for openssl098 (LP: #1331452) | 16:54 |
| ubottu | Launchpad bug 1331452 in openssl098 (Ubuntu Utopic) "Please backport current CVEs for Precise LTS openssl098" [High,Fix released] https://launchpad.net/bugs/1331452 | 16:54 |
| jdstrand | Your work is very much appreciated and will keep Ubuntu users secure. Great job! | 16:54 |
| jdstrand | [TOPIC] Weekly stand-up report | 16:54 |
| jdstrand | I'll go first | 16:54 |
| jdstrand | I'm back from vacation so am catching up on what I missed | 16:55 |
| jdstrand | seems to be going ok so far | 16:55 |
| jdstrand | thank you for covering for me | 16:55 |
| jdstrand | I'm off Wednesday | 16:55 |
| jdstrand | I plan to do apparmor testing of jjohansen's abstract socket mediation patch set | 16:55 |
| mdeslaur | jdstrand: it was easy, I just did /nick jdstrand "I don't know." all week | 16:55 |
| jdstrand | hehe | 16:55 |
| jdstrand | I have an rtm work item I will be working on for click-apparmor | 16:56 |
| jdstrand | and I need to really get cracking on the performance reviews | 16:56 |
| jdstrand | mdeslaur: you're up | 16:56 |
| mdeslaur | I'm on triage this week | 16:56 |
| mdeslaur | I've got a few updates to test and release, including dbus | 16:56 |
| mdeslaur | and am currently working on php5 updates | 16:56 |
| mdeslaur | the list is getting long, so that's what I'll be doing the rest of the week also | 16:57 |
| mdeslaur | that's it for me! sbeattie, you're up | 16:57 |
| sbeattie | I'm also back from vacation and catching up on what I missed | 16:57 |
| sbeattie | I digging back into the gcc pie stuff | 16:57 |
| mdeslaur | ah crud, I forgot about smb's xen updates last week...I'll be sponsoring that too | 16:58 |
| sbeattie | I need to sync up with jjohansen | 16:58 |
| mdeslaur | sbeattie: hrm, please ask if jj has anything for you to help with before looking at gcc again | 16:58 |
| sbeattie | mdeslaur: heh, yeah, that's what I'm trying to say. | 16:59 |
| mdeslaur | cool | 16:59 |
| sbeattie | mdeslaur: but ack | 16:59 |
| sbeattie | anyway, that's pretty much it for me | 16:59 |
| sbeattie | tyhicks: you're up | 16:59 |
| tyhicks | I'm currently fixing an eCryptfs kernel bug | 16:59 |
| tyhicks | it doesn't yet have an official bug, but it is mentioned in another bug: https://bugzilla.kernel.org/show_bug.cgi?id=41692#c2 | 17:00 |
| ubottu | bugzilla.kernel.org bug 41692 in ecryptfs "Obscure improper EACCES with ecryptfs_xattr_metadata" [Normal,New] | 17:00 |
| tyhicks | I also plan to review a patch for an upcoming file encryption kernel feature | 17:01 |
| tyhicks | I need to rebase my dbus merge against the latest version debian testing | 17:01 |
| tyhicks | and then push it through | 17:02 |
| tyhicks | and then I'd like to take a look at my outstanding work items | 17:02 |
| mdeslaur | tyhicks: helping jj with whatever tasks he has to land the stuff for rtm has priority | 17:02 |
| tyhicks | I think "implement kernel postinst policy compiles" work item from last month would be a good one to start on | 17:02 |
| jdstrand | so, jjohansen said earlier that he would likely have some abstract patches | 17:02 |
| tyhicks | ok | 17:02 |
| jdstrand | mdeslaur: perhaps tyhicks can help with the Ubuntu packaging/testing? | 17:03 |
| tyhicks | jjohansen: give me anything you'd like and I'll drop whatever I'm working on | 17:03 |
| mdeslaur | definitely | 17:03 |
| tyhicks | ok | 17:03 |
| jdstrand | cool, yeah, let's have tyhicks take the lead on the Ubuntu landing. | 17:03 |
| * tyhicks nods | 17:03 | |
| jdstrand | tyhicks: I'll work with you on that like last time | 17:03 |
| tyhicks | ok | 17:03 |
| tyhicks | that's it for me | 17:04 |
| tyhicks | jjohansen: you're up | 17:04 |
| jjohansen | well gee, I think its all been covered already :) | 17:04 |
| jdstrand | hehe | 17:04 |
| jdstrand | jjohansen: you are the man of the hour :) | 17:04 |
| jjohansen | I need to sync up with sbeattie, and jdstrand | 17:04 |
| jjohansen | I need to push out the abstract socket patches, I am currently doing some revisions on them | 17:05 |
| tyhicks | jjohansen: are you revising the kernel or userspace patches? (or both?) | 17:05 |
| jjohansen | tyhicks: both | 17:05 |
| tyhicks | ok | 17:05 |
| tyhicks | I'll watch the list for the userspace patches and then start packaging them up | 17:06 |
| jjohansen | tyhicks: I'll start kicking stuff out today, I'll push the userspace first | 17:06 |
| tyhicks | sounds good | 17:06 |
| jdstrand | jjohansen: will this include the backports for the touch kernels? | 17:07 |
| jjohansen | once the abstract/anonymous socket mediation patches look good, I have to get some patches together to push upstream | 17:07 |
| jjohansen | jdstrand: uh sort of | 17:08 |
| jdstrand | ? | 17:09 |
| jjohansen | jdstrand: its a set of changes on top of the current stuff. I expect we are going to just drop it as a diff on top of the current set. So now rebase etc is needed | 17:09 |
| jdstrand | ok, that's sounds fine | 17:09 |
| jjohansen | I can certainly build touch kernels with the diff on top of the current | 17:09 |
| jdstrand | we can't consider this landed until it is both userspace and the touch kernels | 17:10 |
| jjohansen | jdstrand: correct | 17:10 |
| jdstrand | so I just wanted to ask | 17:10 |
| jdstrand | jjohansen: for tyhicks and myself, we'll need generic amd64 (at least, perhaps i386), mako and goldfish | 17:10 |
| jjohansen | jdstrand: for landing there is some dependency ordering on policy | 17:10 |
| jdstrand | sure | 17:10 |
| jjohansen | right | 17:10 |
| jdstrand | like last time | 17:10 |
| jjohansen | kernel is not dependent on userspace and userspace on kernel, so just policy | 17:11 |
| jjohansen | yep | 17:11 |
| jdstrand | so we don't have to hash that our all here. sounds like things are in order, we just need to execute | 17:11 |
| * jdstrand is excited, but slightly worried about the policy changes | 17:11 | |
| jdstrand | jjohansen: have you seen anything scary wrt policy changes? | 17:12 |
| jjohansen | define scary :) | 17:12 |
| mdeslaur | scary as in "breaks everything" | 17:12 |
| jdstrand | I'm hoping it'll be a more or less non-event for upgraders (ie, we can tweak base and apparmor-easyprof-ubuntu accordingly) | 17:12 |
| jdstrand | I'm also hoping that we don't have bad required policy | 17:13 |
| jjohansen | uh yeah if rules aren't in place you can break things that are using abstract sockets | 17:13 |
| jdstrand | like apps have to talk to the upstart abstract socket for some reason | 17:13 |
| jjohansen | think just like with the unix socket fix that was done with saucy, without certain rules in place you fail to boot | 17:14 |
| jdstrand | jjohansen: right, I meant in your work, have you seen anything that was obvious that it couldn't be handled well by adjusting base, etc | 17:14 |
| jdstrand | or do we expect things to be similar to signal/ptrace mediation | 17:14 |
| jdstrand | (which went very well) | 17:15 |
| jjohansen | jdstrand: hrmmm, I haven't really thought about where the best place for the additions is, we certainly can add to base | 17:15 |
| jjohansen | yep | 17:15 |
| jdstrand | ok, that's fine. just wondering if you had a feel for it yet. we certainly will once the patches go up :) | 17:15 |
| * jdstrand is done with his questions | 17:16 | |
| jjohansen | jdstrand: so my feel is we will stuff some of it in base. which is fine, its just a matter of tuning how tight you want things | 17:17 |
| * jjohansen is done, sarnold you're up | 17:17 | |
| jdstrand | cool, sounds great | 17:17 |
| jdstrand | we'll discuss all that in #apparmor when the time is right | 17:17 |
| * sarnold hides | 17:17 | |
| sarnold | I'm on community this week; I have a MIR for trust-store to work on, blueprint items to work on, and it sounds like jj's going to give me a giant gift-wrapped bow-tied balloon-festooned box of new patches to review! \o/ | 17:18 |
| mdeslaur | sarnold: are you still working with mterry on phone password handling? | 17:19 |
| sarnold | mdeslaur: let me go reload that bug :) | 17:19 |
| sarnold | s/bug/merge request/ | 17:19 |
| mdeslaur | sarnold: I believe he had some follow up questions about how to handle empty passwords, etc, and I told him to work that out with you | 17:20 |
| sarnold | mdeslaur: ah, looks like he's got wonderful answers to my questions, no new questions, looks like he's probably good :D | 17:20 |
| sarnold | mdeslaur: ah right, and the securetty bits. i'm sorry I forgot about those. | 17:20 |
| mdeslaur | sarnold: ping him when you get a chance and follow up to make sure all is resolved, please | 17:21 |
| sarnold | mdeslaur: ack :) | 17:21 |
| sarnold | I think that's me done, chrisccoulson? | 17:22 |
| chrisccoulson | hi :) | 17:22 |
| chrisccoulson | this week, I'm looking at getting daily builds going for oxide (I did a hangout last week with oSoMoN and psivaa, and we decided to separate the CI and daily builds tasks, with me taking the latter) | 17:23 |
| chrisccoulson | also, will hopefully be testing and publishing a chromium update from chad :) | 17:23 |
| mdeslaur | \o/ | 17:24 |
| chrisccoulson | and, there'll be an oxide update too (with the new chromium release in) | 17:24 |
| chrisccoulson | so, if you're using webapps in trusty, please do install the oxide build from https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/ | 17:24 |
| mdeslaur | sweet | 17:25 |
| jdstrand | chrisccoulson: re daily builds> oh nice :) | 17:26 |
| chrisccoulson | also, when I did our hangout last week, I did a little diagram explaining the release cycle: https://docs.google.com/a/canonical.com/presentation/d/1cJ_2nhHgv1A4tMUy4-7Tc1kt5r861a0CnYaG9GiOqIo/edit?usp=sharing | 17:26 |
| jdstrand | very nice on oxide update for trusty too | 17:26 |
| mdeslaur | cool | 17:27 |
| chrisccoulson | I'll put that in a blog post soon (the diagram is currently not publically shared, although there's no reason it shouldn't be) | 17:27 |
| chrisccoulson | so the link won't work for anyone outside of canonical atm | 17:27 |
| jdstrand | cool | 17:27 |
| chrisccoulson | I think that's me done | 17:28 |
| jdstrand | chrisccoulson: so, I think we need some sort of MRE like thing for oxide | 17:29 |
| jdstrand | https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions | 17:29 |
| sarnold | meal ready to eat? | 17:29 |
| sarnold | oh jeeze | 17:29 |
| chrisccoulson | aha :) | 17:29 |
| jdstrand | chrisccoulson: perhaps mdeslaur can help there since he is on the TB | 17:30 |
| jdstrand | it is the plan of action, but it hasn't been ratified by the TB | 17:30 |
| mdeslaur | since there are security fixes included, no need for a mre | 17:30 |
| mdeslaur | if you ever want to publish new versions with only fixes, you need an mre | 17:31 |
| jdstrand | this will have more than security updates aiui | 17:31 |
| jdstrand | just like firefox and chromium-browser | 17:31 |
| mdeslaur | doesn't matter, the mres are only for SRUs | 17:31 |
| jdstrand | (which have MREs) | 17:31 |
| jdstrand | ok, fair enough | 17:31 |
| jdstrand | makes it easier :) | 17:31 |
| mdeslaur | I mean, we still should probably ask for one, in case there are updates that don't include security fixes | 17:32 |
| * jdstrand nods | 17:32 | |
| mdeslaur | once we've done a couple via security updates, chrisccoulson can ask for the MRE | 17:33 |
| jdstrand | sounds like a plan | 17:33 |
| jdstrand | [TOPIC] Highlighted packages | 17:33 |
| jdstrand | http://people.canonical.com/~ubuntu-security/cve/pkg/redis.html | 17:34 |
| jdstrand | http://people.canonical.com/~ubuntu-security/cve/pkg/sup-mail.html | 17:34 |
| jdstrand | http://people.canonical.com/~ubuntu-security/cve/pkg/forked-daapd.html | 17:34 |
| jdstrand | http://people.canonical.com/~ubuntu-security/cve/pkg/syncevolution.html | 17:34 |
| jdstrand | http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html | 17:34 |
| jdstrand | The Ubuntu Security team will highlight some community-supported packages (^) that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. | 17:34 |
| jdstrand | See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. | 17:34 |
| jdstrand | [TOPIC] Miscellaneous and Questions | 17:34 |
| jdstrand | I only have one thing: if you have RTM work items, please work with mdeslaur on finding time to do them. we are rapidly approaching bug fixes only on the phone | 17:35 |
| jdstrand | otoh, I have one and then there is the abstract sockets | 17:36 |
| jdstrand | (mine is small and should be done this week) | 17:36 |
| jdstrand | if you aren't sure if it is for rtm, ask me and mdeslaur | 17:36 |
| jdstrand | Does anyone have any other questions or items to discuss? | 17:36 |
| === vladk is now known as vladk|offline | ||
| jdstrand | #endmeeting | 17:39 |
| jdstrand | mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks! | 17:39 |
| sarnold | thanks jdstrand :) | 17:39 |
| tyhicks | thanks! | 17:40 |
| mdeslaur | thanks jdstrand! | 17:40 |
| jjohansen | thanks jdstrand | 17:40 |
| jdstrand | where is meeting bot? | 17:40 |
| * jdstrand shrugs | 17:40 | |
| mdeslaur | jdstrand: it's a national bot holiday today | 17:41 |
| jdstrand | hehe | 17:41 |
| mdeslaur | either that, or world cup | 17:41 |
| sbeattie | heh | 17:42 |
| sbeattie | thanks jdstrand | 17:42 |
| === vladk|offline is now known as vladk | ||
| === vladk is now known as vladk|offline | ||
| === vladk|offline is now known as vladk | ||
| === vladk is now known as vladk|offline | ||
| === vladk|offline is now known as vladk | ||
| === vladk is now known as vladk|offline | ||
| === Ursinha is now known as Ursinha-afk | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!