=== bladernr_30kFeet is now known as bladernr_
=== Guest13468 is now known as balloons_
[16:47] hi!
[16:47] \o
[16:47] \o
[16:47] hello
[16:47] #startmeeting
[16:47] Meeting started Mon Sep 29 16:47:44 2014 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:47] Available commands: action commands idea info link nick
[16:47] The meeting agenda can be found at:
[16:47] [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:48] [TOPIC] Announcements
=== meetingology changed the topic of #ubuntu-meeting to: Announcements
[16:48] Thanks to Jonathan Riddell (jr) who provided a debdiff for trusty for krfb (LP: #1374043). Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
[16:48] Launchpad bug 1374043 in krfb (Ubuntu Utopic) "vulnerabilities in libvncserver" [Undecided,Fix released] https://launchpad.net/bugs/1374043
[16:48] [TOPIC] Review of any previous action items
=== meetingology changed the topic of #ubuntu-meeting to: Review of any previous action items
[16:48] I'll go first
[16:49] last week I did quite a bit with apparmor and didn't do much else of what I planned.
the good news is that utopic and rtm should be good to go with our current caching plans
[16:50] this week I'm on triage
[16:50] I plan to sponsor apparmor updates as I get them, and fix bugs as they come in
[16:51] I need to write policy for the ubuntu-downloader-manager uncompress helper
[16:51] and fine-tune the docker.io policy (I finished lxc and libvirt-lxc last week)
[16:51] I plan to adjust UCT for derivative branches
[16:51] have some click-reviewers-tools updates
[16:51] and patch piloting
[16:52] mdeslaur: you're up :)
[16:52] I'm currently pushing out some libvncserver updates
[16:52] and have a couple more in the list to work on
[16:53] we may be getting more bash updates and possibly a regression fix this week, but the latest update should mitigate further parser issues
[16:53] so the other updates aren't critical
[16:53] friday I'm off
[16:53] and...I'm on community this week
[16:53] that's it for me, sbeattie?
[16:54] I'm currently poking at QRT, fixing up the kernel security checking script to compensate for a change in the reporting behavior around capabilities.
[16:55] I'm on apparmor this week; I need to review one last patch from tyhicks on the regression tests and a parser patch from jjohansen.
[16:55] thanks for all the patch review you did last week
[16:55] I'll also work on pulling an updated snapshot into utopic, as it's only been bug fixes since our last snapshot.
[16:56] that's pretty much it for me. tyhicks?
[16:56] I'm just about done getting caught up from vacation last week
[16:57] I'm in the process of committing the apparmor AF_UNIX regression test patches that sbeattie reviewed for me
[16:57] I'll also send out an additional patch or two today to add a few more tests that he suggested
[16:57] after that, I'd like to get to a few things that I've had to ignore lately
[16:58] there are lots of comments that I need to respond to and/or address in the upstream dbus bug for apparmor mediation
[16:58] I need to prepare for the upcoming kernel merge window to get a few ecryptfs kernel fixes in
[16:59] other general ecryptfs maint duties that I've ignored recently
[16:59] and then it'd be nice to get back to the apparmor caching patches I was working on
[16:59] that's it for me
[16:59] jjohansen: you're up
[17:00] I am working on apparmor bugs this week. We will see if we can't get the last few kernel/parser bugs finally squashed.
[17:01] I need some time on upstream apparmor to prepare for the next opportunity for upstreaming
[17:02] And I expect I will also do a little poking around to make sure my bits are in place for an upstream 2.9 release, which should happen real soon now
[17:03] jjohansen: if you need help with kernel testing, let me know
[17:03] jdstrand: yep, I will
[17:04] I think that is it for me, sarnold you're up
[17:05] I'm in the happy place this week; I'm working on several MIR audits, chances are good those will take the entire week. I may do some quick apparmor patch reviews as refreshers depending upon how things go.
[17:06] that's it for me, chrisccoulson?
[17:07] sorry, I'm a bit unprepared because I've been talking in another channel :)
[17:07] hold on 1 sec
[17:09] so, this week I shall be finishing code reviews (I did one this morning)
[17:10] and, fingers crossed, landing bug 1260016
[17:10] bug 1260016 in oxide-qt (Ubuntu RTM) "Add an API to allow defining custom URL scheme delegates" [Critical,In progress] https://launchpad.net/bugs/1260016
[17:10] (I made quite a few changes last week in preparation for this)
[17:10] other than that, fixing bugs as they come in too
[17:10] I think that's me done
[17:13] re 1260016> \o/
[17:14] chrisccoulson: I asked this in another channel, but since I have you here-- was the 2d canvas accel enabled for nexus devices?
[17:15] jdstrand, not yet. justin only provided the strings for krillin. I'm ok with that for now though (in the interests of avoiding scope creep)
[17:19] chrisccoulson: I understand that position. personally, as a dogfooder, I wouldn't mind that extending out since they said it worked there too (aiui)
[17:19] but anyhoo
[17:19] * jdstrand was looking forward to having it on his phone, and was crushed to see it not there ;)
[17:20] * jdstrand is not asking to change the decision, just providing user feedback
[17:20] ok, moving on
[17:20] [TOPIC] Highlighted packages
=== meetingology changed the topic of #ubuntu-meeting to: Highlighted packages
[17:20] The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
[17:20] See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[17:20] http://people.canonical.com/~ubuntu-security/cve/pkg/php-xajax.html
[17:20] http://people.canonical.com/~ubuntu-security/cve/pkg/haskell-tls-extra.html
[17:20] http://people.canonical.com/~ubuntu-security/cve/pkg/snack.html
[17:21] http://people.canonical.com/~ubuntu-security/cve/pkg/libicc.html
[17:21] http://people.canonical.com/~ubuntu-security/cve/pkg/freeipa.html
[17:21] [TOPIC] Miscellaneous and Questions
=== meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions
[17:21] Does anyone have any other questions or items to discuss?
[17:24] mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks!
[17:24] #endmeeting
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendar | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology
[17:24] Meeting ended Mon Sep 29 17:24:07 2014 UTC.
[17:24] Minutes: http://ubottu.com/meetingology/logs/ubuntu-meeting/2014/ubuntu-meeting.2014-09-29-16.47.moin.txt
[17:24] re bash: Are we done yet?
[17:24] thanks jdstrand!
[17:24] thanks jdstrand
[17:24] jdstrand: I did have a quick question there.
[17:24] mdeslaur: ^
[17:24] ScottK: hi
[17:24] Hello.
[17:24] ScottK: the latest update should mitigate any parser issues that are subsequently discovered
[17:25] ScottK: there are a couple of remaining things though
[17:25] ScottK: there is a regression with "at"
[17:25] OK.
[17:25] ScottK: and redhat's patch doesn't use the same suffix as what upstream chose
[17:25] ScottK: and redhat's patch also broke function names with special chars I believe
[17:26] Fun.
[17:26] so once everyone agrees on what should ultimately be done, there will probably be an update to get everyone using the same prefix/suffix and other restrictions
[17:26] I have read that Debian/Ubuntu were lower risk than other distros because we use dash for the system shell.
It would be great to see a detailed risk analysis published and what things we had in place in advance turned out to be mitigating factors.
[17:27] perhaps, but it's hard to say as it depends greatly on what kind of scripts people were using for their CGI setups
[17:27] ie: if they had /bin/sh, they were safe, if they had /bin/bash, they were not
[17:27] jdstrand, sorry, I missed your last message. Do you now have a krillin device?
[17:28] I don't mind adding the strings for the nexus 4 if it helps
[17:29] mdeslaur: well, it's mitigated in that if people are writing CGIs in non-shell languages, but called things like system() or popen(), they'd get dash and not bash.
[17:29] sbeattie: ah, yes, also
[17:33] chrisccoulson: I don't have a krillin. I have a mako
[17:33] chrisccoulson: it would help me, but I wouldn't spend a lot of time on it if it is distracting you from other stuff
[17:33] (though, it would help quite a few people-- I'm not the only mako dogfooder)
[17:35] mdeslaur: Thanks.
=== balloons_ is now known as balloons
=== balloons is now known as Guest63150
=== Guest63150 is now known as balloons_
=== jhenke_ is now known as jhenke
=== balloons_ is now known as balloons