[16:47] <jdstrand> hi!
[16:47] <jjohansen> \o
[16:47] <mdeslaur> \o
[16:47] <tyhicks> hello
[16:47] <jdstrand> #startmeeting
[16:47] <meetingology> Meeting started Mon Sep 29 16:47:44 2014 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:47] <meetingology> Available commands: action commands idea info link nick
[16:47] <jdstrand> The meeting agenda can be found at:
[16:47] <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:48] <jdstrand> [TOPIC] Announcements
[16:48] <jdstrand> Thanks to Jonathan Riddell (jr) who provided a debdiff for trusty for krfb (LP: #1374043). Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
[16:48] <jdstrand> [TOPIC] Review of any previous action items
[16:48] <jdstrand> I'll go first
[16:49] <jdstrand> last week I did quite a bit with apparmor and didn't do much else of what I planned. the good news is that utopic and rtm should be good to go with our current caching plans
[16:50] <jdstrand> this week I'm on triage
[16:50] <jdstrand> I plan to sponsor apparmor updates as I get them, and fix bugs as they come in
[16:51] <jdstrand> I need to write policy for the ubuntu-downloader-manager uncompress helper
[16:51] <jdstrand> and finetune the docker.io policy (I finished lxc and libvirt-lxc last week)
[16:51] <jdstrand> I plan to adjust UCT for derivative branches
[16:51] <jdstrand> have some click-reviewers-tools updates
[16:51] <jdstrand> and patch piloting
[16:52] <jdstrand> mdeslaur: you're up :)
[16:52] <mdeslaur> I'm currently pushing out some libvncserver updates
[16:52] <mdeslaur> and have a couple more in the list to work on
[16:53] <mdeslaur> we may be getting more bash updates and possibly a regression fix this week, but the latest update should mitigate further parser issues
[16:53] <mdeslaur> so the other updates aren't critical
[16:53] <mdeslaur> friday I'm off
[16:53] <mdeslaur> and...I'm on community this week
[16:53] <mdeslaur> that's it for me, sbeattie?
[16:54] <sbeattie> I'm currently poking at QRT, fixing up the kernel security checking script to compensate for a change in the reporting behavior around capabilities.
[16:55] <sbeattie> I'm on apparmor this week; I need to review one last patch from tyhicks on the regression tests and a parser patch from jjohansen.
[16:55] <tyhicks> thanks for all the patch review you did last week
[16:55] <sbeattie> I'll also work on pulling an updated snapshot into utopic, as it's only been bug fixes since our last snapshot.
[16:56] <sbeattie> that's pretty much it for me. tyhicks?
[16:56] <tyhicks> I'm just about done getting caught up from vacation last week
[16:57] <tyhicks> I'm in the process of committing the apparmor AF_UNIX regression test patches that sbeattie reviewed for me
[16:57] <tyhicks> I'll also send out an additional patch or two today to add a few more tests that he suggested
[16:57] <tyhicks> after that, I'd like to get to a few things that I've had to ignore lately
[16:58] <tyhicks> there are lots of comments that I need to respond to and/or address in the upstream dbus bug for apparmor mediation
[16:58] <tyhicks> I need to prepare for the upcoming kernel merge window to get a few ecryptfs kernel fixes in
[16:59] <tyhicks> other general ecryptfs maint duties that I've ignored recently
[16:59] <tyhicks> and then it'd be nice to get back to the apparmor caching patches I was working on
[16:59] <tyhicks> that's it for me
[16:59] <tyhicks> jjohansen: you're up
[17:00] <jjohansen> I am working on apparmor bugs this week. We will see if we can't get the last few kernel/parser bugs finally squashed.
[17:01] <jjohansen> I need some time on upstream apparmor to prepare for the next opportunity for upstreaming
[17:02] <jjohansen> And I expect I will also do a little poking around to make sure my bits are in place for an upstream 2.9 release, which should happen real soon now
[17:03] <jdstrand> jjohansen: if you need help with kernel testing, let me know
[17:03] <jjohansen> jdstrand: yep, I will
[17:04] <jjohansen> I think that is it for me, sarnold you're up
[17:05] <sarnold> I'm in the happy place this week; I'm working on several MIR audits, chances are good those will take the entire week. I may do some quick apparmor patch reviews as refreshers depending upon how things go.
[17:06] <sarnold> that's it for me, chrisccoulson?
[17:07] <chrisccoulson> sorry, I'm a bit unprepared because I've been talking in another channel :)
[17:07] <chrisccoulson> hold on 1 sec
[17:09] <chrisccoulson> so, this week I shall be finishing code reviews (I did one this morning)
[17:10] <chrisccoulson> and, fingers crossed, landing bug 1260016
[17:10] <chrisccoulson> (I made quite a few changes last week in preparation for this)
[17:10] <chrisccoulson> other than that, fixing bugs as they come in too
[17:10] <chrisccoulson> I think that's me done
[17:13] <jdstrand> re 1260016> \o/
[17:14] <jdstrand> chrisccoulson: I asked this in another channel, but since I have you here-- was the 2d canvas accel enabled for nexus devices?
[17:15] <chrisccoulson> jdstrand, not yet. justin only provided the strings for krillin. I'm ok with that for now though (in the interests of avoiding scope creep)
[17:19] <jdstrand> chrisccoulson: I understand that position. personally, as a dogfooder, I wouldn't mind that extending out since they said it worked there too (aiui)
[17:19] <jdstrand> but anyhoo
[17:19]  * jdstrand was looking forward to having it on his phone, and was crushed to see it not there ;)
[17:20]  * jdstrand is not asking to change the decision, just providing user feedback
[17:20] <jdstrand> ok, moving on
[17:20] <jdstrand> [TOPIC] Highlighted packages
[17:20] <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
[17:20] <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[17:20] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/php-xajax.html
[17:20] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/haskell-tls-extra.html
[17:20] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/snack.html
[17:21] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libicc.html
[17:21] <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/freeipa.html
[17:21] <jdstrand> [TOPIC] Miscellaneous and Questions
[17:21] <jdstrand> Does anyone have any other questions or items to discuss?
[17:24] <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks!
[17:24] <jdstrand> #endmeeting
[17:24] <meetingology> Meeting ended Mon Sep 29 17:24:07 2014 UTC.
[17:24] <meetingology> Minutes:        http://ubottu.com/meetingology/logs/ubuntu-meeting/2014/ubuntu-meeting.2014-09-29-16.47.moin.txt
[17:24] <ScottK> re bash: Are we done yet?
[17:24] <mdeslaur> thanks jdstrand!
[17:24] <jjohansen> thanks jdstrand
[17:24] <ScottK> jdstrand: I did have a quick question there.
[17:24] <jdstrand> mdeslaur: ^
[17:24] <mdeslaur> ScottK: hi
[17:24] <ScottK> Hello.
[17:24] <mdeslaur> ScottK: the latest update should mitigate any parser issues that are subsequently discovered
[17:25] <mdeslaur> ScottK: there are a couple of remaining things though
[17:25] <mdeslaur> ScottK: there is a regression with "at"
[17:25] <ScottK> OK.
[17:25] <mdeslaur> ScottK: and redhat's patch doesn't use the same suffix as what upstream chose
[17:25] <mdeslaur> ScottK: and redhat's patch also broke function names with special chars I believe
[17:26] <ScottK> Fun.
[17:26] <mdeslaur> so once everyone agrees on what should ultimately be done, there will probably be an update to get everyone using the same prefix/suffix and other restrictions
[17:26] <ScottK> I have read that Debian/Ubuntu were lower risk than other distros because we use dash for the system shell.  It would be great to see a detailed risk analysis published and what things we had in place in advance turned out to be mitigating factors.
[17:27] <mdeslaur> perhaps, but it's hard to say as it depends greatly on what kind of scripts people were using for their CGI setups
[17:27] <mdeslaur> ie: if they had /bin/sh, they were safe, if they had /bin/bash, they were not
[17:27] <chrisccoulson> jdstrand, sorry, I missed your last message. Do you now have a krillin device?
[17:28] <chrisccoulson> I don't mind adding the strings for the nexus 4 if it helps
[17:29] <sbeattie> mdeslaur: well, it's mitigated in that if people are writing CGIs in non-shell languages, but called things like system() or popen(), they'd get dash and not bash.
[17:29] <mdeslaur> sbeattie: ah, yes, also
[17:33] <jdstrand> chrisccoulson: I don't have a krillin. I have a mako
[17:33] <jdstrand> chrisccoulson: it would help me, but I wouldn't spend a lot of time on it if it is distracting you from other stuff
[17:33] <jdstrand> (though, it would help quite a few people-- I'm not the only mako dogfooder)
[17:35] <ScottK> mdeslaur: Thanks.