[16:53] <tyhicks> hello
[16:53] <sarnold> hello
[16:53] <jdstrand> hi!
[16:54] <jdstrand> #startmeeting
[16:54] <jdstrand> The meeting agenda can be found at:
[16:54] <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:54] <mdeslaur> hello!
[16:54] <jdstrand> [TOPIC] Announcements
[16:54] <jdstrand> Andrew Starr-Bochicchio (andrewsomething) provided a debdiff for trusty for libtorrent-rasterbar (LP: #1330703)
[16:54] <jdstrand> James Page (jamespage) provided an update for trusty for percona-xtradb-cluster-5.5 (LP: #1325916)
[16:54] <jdstrand> Felix Geyer (debfx) provided a debdiff for trusty for mumble (LP: #1335597)
[16:54] <jdstrand> Louis Bouchard (caribou) provided a debdiff for precise-utopic for openssl098 (LP: #1331452)
[16:54] <jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job!
[16:54] <jdstrand> [TOPIC] Weekly stand-up report
[16:54] <jdstrand> I'll go first
[16:55] <jdstrand> I'm back from vacation so am catching up on what I missed
[16:55] <jdstrand> seems to be going ok so far
[16:55] <jdstrand> thank you for covering for me
[16:55] <jdstrand> I'm off Wednesday
[16:55] <jdstrand> I plan to do apparmor testing of jjohansen's abstract socket mediation patch set
[16:55] <mdeslaur> jdstrand: it was easy, I just did /nick jdstrand "I don't know." all week
[16:55] <jdstrand> hehe
[16:56] <jdstrand> I have an rtm work item I will be working on for click-apparmor
[16:56] <jdstrand> and I need to really get cracking on the performance reviews
[16:56] <jdstrand> mdeslaur: you're up
[16:56] <mdeslaur> I'm on triage this week
[16:56] <mdeslaur> I've got a few updates to test and release, including dbus
[16:56] <mdeslaur> and am currently working on php5 updates
[16:57] <mdeslaur> the list is getting long, so that's what I'll be doing the rest of the week also
[16:57] <mdeslaur> that's it for me! sbeattie, you're up
[16:57] <sbeattie> I'm also back from vacation and catching up on what I missed
[16:57] <sbeattie> I'm digging back into the gcc pie stuff
[16:58] <mdeslaur> ah crud, I forgot about smb's xen updates last week...I'll be sponsoring that too
[16:58] <sbeattie> I need to sync up with jjohansen
[16:58] <mdeslaur> sbeattie: hrm, please ask if jj has anything for you to help with before looking at gcc again
[16:59] <sbeattie> mdeslaur: heh, yeah, that's what I'm trying to say.
[16:59] <mdeslaur> cool
[16:59] <sbeattie> mdeslaur: but ack
[16:59] <sbeattie> anyway, that's pretty much it for me
[16:59] <sbeattie> tyhicks: you're up
[16:59] <tyhicks> I'm currently fixing an eCryptfs kernel bug
[17:00] <tyhicks> it doesn't yet have an official bug, but it is mentioned in another bug: https://bugzilla.kernel.org/show_bug.cgi?id=41692#c2
[17:01] <tyhicks> I also plan to review a patch for an upcoming file encryption kernel feature
[17:01] <tyhicks> I need to rebase my dbus merge against the latest version in debian testing
[17:02] <tyhicks> and then push it through
[17:02] <tyhicks> and then I'd like to take a look at my outstanding work items
[17:02] <mdeslaur> tyhicks: helping jj with whatever tasks he has to land the stuff for rtm has priority
[17:02] <tyhicks> I think "implement kernel postinst policy compiles" work item from last month would be a good one to start on
[17:02] <jdstrand> so, jjohansen said earlier that he would likely have some abstract patches
[17:02] <tyhicks> ok
[17:03] <jdstrand> mdeslaur: perhaps tyhicks can help with the Ubuntu packaging/testing?
[17:03] <tyhicks> jjohansen: give me anything you'd like and I'll drop whatever I'm working on
[17:03] <mdeslaur> definitely
[17:03] <tyhicks> ok
[17:03] <jdstrand> cool, yeah, let's have tyhicks take the lead on the Ubuntu landing.
[17:03]  * tyhicks nods
[17:03] <jdstrand> tyhicks: I'll work with you on that like last time
[17:03] <tyhicks> ok
[17:04] <tyhicks> that's it for me
[17:04] <tyhicks> jjohansen: you're up
[17:04] <jjohansen> well gee, I think it's all been covered already :)
[17:04] <jdstrand> hehe
[17:04] <jdstrand> jjohansen: you are the man of the hour :)
[17:04] <jjohansen> I need to sync up with sbeattie, and jdstrand
[17:05] <jjohansen> I need to push out the abstract socket patches, I am currently doing some revisions on them
[17:05] <tyhicks> jjohansen: are you revising the kernel or userspace patches? (or both?)
[17:05] <jjohansen> tyhicks: both
[17:05] <tyhicks> ok
[17:06] <tyhicks> I'll watch the list for the userspace patches and then start packaging them up
[17:06] <jjohansen> tyhicks: I'll start kicking stuff out today, I'll push the userspace first
[17:06] <tyhicks> sounds good
[17:07] <jdstrand> jjohansen: will this include the backports for the touch kernels?
[17:07] <jjohansen> once the abstract/anonymous socket mediation patches look good, I have to get some patches together to push upstream
[17:08] <jjohansen> jdstrand: uh sort of
[17:09] <jdstrand> ?
[17:09] <jjohansen> jdstrand: it's a set of changes on top of the current stuff. I expect we are going to just drop it as a diff on top of the current set. So now rebase etc is needed
[17:09] <jdstrand> ok, that sounds fine
[17:09] <jjohansen> I can certainly build touch kernels with the diff on top of the current
[17:10] <jdstrand> we can't consider this landed until it is both userspace and the touch kernels
[17:10] <jjohansen> jdstrand: correct
[17:10] <jdstrand> so I just wanted to ask
[17:10] <jdstrand> jjohansen: for tyhicks and myself, we'll need generic amd64 (at least, perhaps i386), mako and goldfish
[17:10] <jjohansen> jdstrand: for landing there is some dependency ordering on policy
[17:10] <jdstrand> sure
[17:10] <jjohansen> right
[17:10] <jdstrand> like last time
[17:11] <jjohansen> kernel is not dependent on userspace and userspace on kernel, so just policy
[17:11] <jjohansen> yep
[17:11] <jdstrand> so we don't have to hash that out all here. sounds like things are in order, we just need to execute
[17:11]  * jdstrand is excited, but slightly worried about the policy changes
[17:12] <jdstrand> jjohansen: have you seen anything scary wrt policy changes?
[17:12] <jjohansen> define scary :)
[17:12] <mdeslaur> scary as in "breaks everything"
[17:12] <jdstrand> I'm hoping it'll be a more or less non-event for upgraders (ie, we can tweak base and apparmor-easyprof-ubuntu accordingly)
[17:13] <jdstrand> I'm also hoping that we don't have bad required policy
[17:13] <jjohansen> uh yeah if rules aren't in place you can break things that are using abstract sockets
[17:13] <jdstrand> like apps have to talk to the upstart abstract socket for some reason
[17:14] <jjohansen> think just like with the unix socket fix that was done with saucy, without certain rules in place you fail to boot
[17:14] <jdstrand> jjohansen: right, I meant in your work, have you seen anything that was obvious that it couldn't be handled well by adjusting base, etc
[17:14] <jdstrand> or do we expect things to be similar to signal/ptrace mediation
[17:15] <jdstrand> (which went very well)
[17:15] <jjohansen> jdstrand: hrmmm, I haven't really thought about where the best place for the additions is, we certainly can add to base
[17:15] <jjohansen> yep
[17:15] <jdstrand> ok, that's fine. just wondering if you had a feel for it yet. we certainly will once the patches go up :)
[17:16]  * jdstrand is done with his questions
[17:17] <jjohansen> jdstrand: so my feel is we will stuff some of it in base. which is fine, it's just a matter of tuning how tight you want things
[17:17]  * jjohansen is done, sarnold you're up
[17:17] <jdstrand> cool, sounds great
[17:17] <jdstrand> we'll discuss all that in #apparmor when the time is right
[17:17]  * sarnold hides
[17:18] <sarnold> I'm on community this week; I have a MIR for trust-store to work on, blueprint items to work on, and it sounds like jj's going to give me a giant gift-wrapped bow-tied balloon-festooned box of new patches to review! \o/
[17:19] <mdeslaur> sarnold: are you still working with mterry on phone password handling?
[17:19] <sarnold> mdeslaur: let me go reload that bug :)
[17:19] <sarnold> s/bug/merge request/
[17:20] <mdeslaur> sarnold: I believe he had some follow up questions about how to handle empty passwords, etc, and I told him to work that out with you
[17:20] <sarnold> mdeslaur: ah, looks like he's got wonderful answers to my questions, no new questions, looks like he's probably good :D
[17:20] <sarnold> mdeslaur: ah right, and the securetty bits. i'm sorry I forgot about those.
[17:21] <mdeslaur> sarnold: ping him when you get a chance and follow up to make sure all is resolved, please
[17:21] <sarnold> mdeslaur: ack :)
[17:22] <sarnold> I think that's me done, chrisccoulson?
[17:22] <chrisccoulson> hi :)
[17:23] <chrisccoulson> this week, I'm looking at getting daily builds going for oxide (I did a hangout last week with oSoMoN and psivaa, and we decided to separate the CI and daily builds tasks, with me taking the latter)
[17:23] <chrisccoulson> also, will hopefully be testing and publishing a chromium update from chad :)
[17:24] <mdeslaur> \o/
[17:24] <chrisccoulson> and, there'll be an oxide update too (with the new chromium release in)
[17:24] <chrisccoulson> so, if you're using webapps in trusty, please do install the oxide build from https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/
[17:25] <mdeslaur> sweet
[17:26] <jdstrand> chrisccoulson: re daily builds> oh nice :)
[17:26] <chrisccoulson> also, when I did our hangout last week, I did a little diagram explaining the release cycle: https://docs.google.com/a/canonical.com/presentation/d/1cJ_2nhHgv1A4tMUy4-7Tc1kt5r861a0CnYaG9GiOqIo/edit?usp=sharing
[17:26] <jdstrand> very nice on oxide update for trusty too
[17:27] <mdeslaur> cool
[17:27] <chrisccoulson> I'll put that in a blog post soon (the diagram is currently not publicly shared, although there's no reason it shouldn't be)
[17:27] <chrisccoulson> so the link won't work for anyone outside of canonical atm
[17:27] <jdstrand> cool
[17:28] <chrisccoulson> I think that's me done
[17:29] <jdstrand> chrisccoulson: so, I think we need some sort of MRE like thing for oxide
[17:29] <jdstrand> https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions
[17:29] <sarnold> meal ready to eat?
[17:29] <sarnold> oh jeeze
[17:29] <chrisccoulson> aha :)
[17:30] <jdstrand> chrisccoulson: perhaps mdeslaur can help there since he is on the TB
[17:30] <jdstrand> it is the plan of action, but it hasn't been ratified by the TB
[17:30] <mdeslaur> since there are security fixes included, no need for a mre
[17:31] <mdeslaur> if you ever want to publish new versions with only fixes, you need an mre
[17:31] <jdstrand> this will have more than security updates aiui
[17:31] <jdstrand> just like firefox and chromium-browser
[17:31] <mdeslaur> doesn't matter, the mres are only for SRUs
[17:31] <jdstrand> (which have MREs)
[17:31] <jdstrand> ok, fair enough
[17:31] <jdstrand> makes it easier :)
[17:32] <mdeslaur> I mean, we still should probably ask for one, in case there are updates that don't include security fixes
[17:32]  * jdstrand nods
[17:33] <mdeslaur> once we've done a couple via security updates, chrisccoulson can ask for the MRE
[17:33] <jdstrand> sounds like a plan
[17:33] <jdstrand> [TOPIC] Highlighted packages
[17:34] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/redis.html
[17:34] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/sup-mail.html
[17:34] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/forked-daapd.html
[17:34] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/syncevolution.html
[17:34] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html
[17:34] <jdstrand> The Ubuntu Security team will highlight some community-supported packages (^) that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
[17:34] <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[17:34] <jdstrand> [TOPIC] Miscellaneous and Questions
[17:35] <jdstrand> I only have one thing: if you have RTM work items, please work with mdeslaur on finding time to do them. we are rapidly approaching bug fixes only on the phone
[17:36] <jdstrand> otoh, I have one and then there is the abstract sockets
[17:36] <jdstrand> (mine is small and should be done this week)
[17:36] <jdstrand> if you aren't sure if it is for rtm, ask me and mdeslaur
[17:36] <jdstrand> Does anyone have any other questions or items to discuss?
[17:39] <jdstrand> #endmeeting
[17:39] <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks!
[17:39] <sarnold> thanks jdstrand :)
[17:40] <tyhicks> thanks!
[17:40] <mdeslaur> thanks jdstrand!
[17:40] <jjohansen> thanks jdstrand
[17:40] <jdstrand> where is meeting bot?
[17:40]  * jdstrand shrugs
[17:41] <mdeslaur> jdstrand: it's a national bot holiday today
[17:41] <jdstrand> hehe
[17:41] <mdeslaur> either that, or world cup
[17:42] <sbeattie> heh
[17:42] <sbeattie> thanks jdstrand