=== JanC_ is now known as JanC
=== JanC_ is now known as JanC
=== JanC_ is now known as JanC
[16:30] hello
[16:30] #startmeeting
[16:30] Meeting started Mon Jan 23 16:30:14 2017 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:30] Available commands: action commands idea info link nick
[16:30] The meeting agenda can be found at:
[16:30] [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:30] [TOPIC] Announcements
=== meetingology changed the topic of #ubuntu-meeting to: Announcements
[16:30] Ahmed Farag provided notifications for false positive virus identification for files in the archive (pnsnap, ettercap-common, dbacl, and libmail-deliverystatus-bounceparser-perl).
[16:30] Scott Kitterman (ScottK) provided a debdiff for trusty for pdns-recursor (LP: #1656931)
[16:30] Launchpad bug 1656931 in pdns-recursor (Ubuntu Trusty) "Security update for pdns-recursor on trusty" [High,Fix released] https://launchpad.net/bugs/1656931
[16:30] Clive Johnston (clivejo) provided a debdiff for xenial for ark (LP: #1655507)
[16:30] Launchpad bug 1655507 in ark (Ubuntu Yakkety) "CVE-2017-5330 - Ark: unintended execution of scripts and executable files" [High,Fix released] https://launchpad.net/bugs/1655507
[16:30] \o
[16:30] Vishnu Vardhan Reddy Naini (visred) provided a debdiff for yakkety for ark (LP: #1655507)
[16:30] Thank you for your assistance in keeping Ubuntu users secure! :)
[16:30] [TOPIC] Weekly stand-up report
=== meetingology changed the topic of #ubuntu-meeting to: Weekly stand-up report
[16:31] jdstrand: you're up
[16:31] This week I plan to work on:
[16:31] - various PR reviews (8 new ones since friday)
[16:31] - miscellaneous apparmor policy updates
[16:31] - prepare snap for testing security policy
[16:31] - seccomp arg filtering policy
[16:31] that's it from me.
mdeslaur, you're up
[16:31] I'm on community this week, so I'll be sponsoring a bunch of stuff
[16:32] I have a short week, I'm off on friday
[16:32] I plan on publishing a couple of usns this afternoon, and if I have time I'll be picking something from the list
[16:32] that's it from me, sbeattie, you're up
[16:32] I'm on bug triage this week
[16:33] I'll have openjdk-8 packages from tdaitx to test and publish
[16:34] I need to push some packages to the security pocket that recent linux-raspi2 kernels depend on.
[16:34] after that, I'll be going through the list looking for updates as well
[16:34] that's it for me, tyhicks?
[16:34] I'm on cve triage this week
[16:35] I will finish and submit the second revision of seccomp/libseccomp patches to upstream
[16:35] I am also working on uploading AppArmor 2.11.0 to zesty but have hit some test failures that need to be sorted out first
[16:35] I have an embargoed issue
[16:35] any free time will go towards a security update
[16:35] that's it for me
[16:35] jjohansen: go ahead
[16:36] I will be looking into some outstanding bugs 1658219, and 1656121
[16:36] bug 1658219 in AppArmor "flock not mediated by 'k'" [Undecided,New] https://launchpad.net/bugs/1658219
[16:36] and probably a couple more
[16:37] I have a nice stack of patches for the xenial/yakkety kernels that I need to clean up and send up to the kteam
[16:38] I will be doing some work on revising the dconf/gsetting patches and synching with will on them
[16:39] and if I have any time I will be working on the next steps in upstreaming, likely the securityfs modification RFC
[16:40] that's it for me, sarnold? you're up
[16:41] I'm in the happy place this week; I expect to finish the uvp-monitor sorta-mir today, I'll file some bugs with upstream project for things I've found so far. I'm having trouble seeing the point of the thing compared to e.g. collectd or other popular tools...
[16:41] so tyhicks, another suggestion for the next thing to undertake soon, but not immediately :)
[16:42] also I'm losing verbs at an astounding rate. good luck.
[16:42] sarnold: what's the suggestion?
[16:42] tyhicks: hehe, the missing bit, "I need another suggestion" :) if it's another MIR or reactive or whatever
[16:43] I would vote for libapache2-mod-auth-mellon
[16:43] I think there are some new MIRs that I need to add to the list
[16:44] I bet ratliff's suggestion is the right one to take next
[16:44] works for me, thanks :)
[16:44] that's it for me, chrisccoulson?
[16:44] It's firefox update week this week
[16:45] In addition to that, I need to fix some issues in the ubufox extension caused by breaking changes in firefox 53 (removal of the non-standard 'for each' syntax)
[16:46] I'll also be spending time trying to get rust backported, but I need to talk to foundations first to agree how to split the work
[16:46] Other than that, I'll be working on oxide stuff, particularly work around JS dialogs
[16:47] that's me done
[16:47] I'm in the happy place this week
[16:47] I will spend time working on updates for snappy-prev
[16:47] back to you tyhicks
[16:48] thanks!
[16:48] [TOPIC] Highlighted packages
=== meetingology changed the topic of #ubuntu-meeting to: Highlighted packages
[16:48] The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
[16:48] See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[16:48] http://people.canonical.com/~ubuntu-security/cve/pkg/pxz.html
[16:48] http://people.canonical.com/~ubuntu-security/cve/pkg/ckeditor.html
[16:48] http://people.canonical.com/~ubuntu-security/cve/pkg/radicale.html
[16:48] http://people.canonical.com/~ubuntu-security/cve/pkg/elog.html
[16:48] http://people.canonical.com/~ubuntu-security/cve/pkg/gksu.html
[16:48] [TOPIC] Miscellaneous and Questions
=== meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions
[16:48] Does anyone have any other questions or items to discuss?
[16:49] chrisccoulson: I wanted to ask what sort of deadline are we looking at for having rustc available in the archive in old stable releases that don't already include it?
[16:52] tyhicks, I'm not entirely sure yet. Mozilla said firefox will depend on it in "early 2017", but that will give us between 12-18 weeks before it reaches stable
[16:52] chrisccoulson: ok, thanks
[16:52] So we've still got 3 months, at least
[16:52] * tyhicks nods
[16:53] jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson, ratliff: Thanks!
[16:53] #endmeeting
=== meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds: Please leave swords by the door | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendars | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology
[16:53] Meeting ended Mon Jan 23 16:53:05 2017 UTC.
[16:53] Minutes: http://ubottu.com/meetingology/logs/ubuntu-meeting/2017/ubuntu-meeting.2017-01-23-16.30.moin.txt
[16:53] thank you, tyhicks!
[16:53] thanks tyhicks!
[16:53] thanks tyhicks
[16:53] thanks tyhicks!
[16:56] tyhicks, in fact, it's better than that.
Because it's release week this week, we've got 18 weeks (unless they sneak a hard rust dependency in today)
[16:56] And one of the release cycles is 8 weeks (over the easter holiday), which pushes that out to 20 weeks
[16:57] https://wiki.mozilla.org/RapidRelease/Calendar
[16:57] (firefox 55 would be the earliest release with a hard rust dependency)
[16:59] chrisccoulson: that helps a lot - thanks
[16:59] ratliff: ^
[17:02] tyhicks, I mean firefox 54 btw, but that's still 20 weeks (june 13th)
[17:05] ack