=== maclin1 is now known as maclin === fabo_ is now known as fabo === apw_ is now known as apw === fnordahl_ is now known as fnordahl === ogra_ is now known as ogra === marcoceppi_ is now known as marcoceppi === fginther` is now known as fginther [16:30] \o [16:30] #startmeeting [16:30] Meeting started Mon Aug 7 16:30:50 2017 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology. [16:30] Available commands: action commands idea info link nick [16:30] Meeting started Mon Aug 7 16:30:50 2017 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology. [16:30] Available commands: action commands idea info link nick [16:30] * sbeattie waves [16:30] o/ [16:30] o/ [16:31] The meeting agenda can be found at: [16:31] [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting [16:31] [TOPIC] Announcements === meetingology changed the topic of #ubuntu-meeting to: Announcements === meetingology` changed the topic of #ubuntu-meeting to: Announcements [16:31] heh, zero meeting bots last week and two meeting bots this week [16:31] oooh! bot fight! [16:31] James Lu (tacocat) provided debdiffs for xenial-zesty for gnome-exe-thumbnailer (LP: #651610) [16:31] Launchpad bug 651610 in gnome-exe-thumbnailer (Ubuntu) "[CVE-2017-11421] Version number for .msi thumbnail is obtained from unreliable source" [Critical,Fix released] https://launchpad.net/bugs/651610 [16:31] Simon Quigley (tsimonq2) provided debdiffs for trusty-xenial for lxterminal (LP: #1690416) [16:31] Launchpad bug 1690416 in lxterminal (Ubuntu Artful) "[CVE] socket can be blocked by another user" [Undecided,Fix released] https://launchpad.net/bugs/1690416 [16:31] Simon Quigley (tsimonq2) provided debdiffs for trusty-zesty for pcmanfm (LP: #1708542) [16:31] Launchpad bug 1708542 in pcmanfm (Ubuntu Zesty) "Fix potential access violation, use runtime user dir instead of tmp dir" [Undecided,Fix released] https://launchpad.net/bugs/1708542 [16:31] Otto Kekäläinen (otto) provided debdiffs for trusty for mariadb-5.5 (LP: #1705944) [16:31] Launchpad bug 1705944 in mariadb-5.5 (Ubuntu) "USN-3357-1: partially applies to MariaDB too" [Medium,Fix released] https://launchpad.net/bugs/1705944 [16:32] Otto Kekäläinen (otto) provided debdiffs for xenial for mariadb-10.0 (LP: #1698689) [16:32] Launchpad bug 1698689 in mariadb-10.1 (Ubuntu Artful) "USN-3269-1: partially applies to MariaDB too" [Undecided,New] https://launchpad.net/bugs/1698689 [16:32] Otto Kekäläinen (otto) provided debdiffs for zesty for mariadb-10.1 (LP: #1698689) [16:32] Roger Light (ral) provided debdiffs for trusty-zesty for mosquitto (LP: #1700490) [16:32] Launchpad bug 1700490 in mosquitto (Ubuntu) "Persistence file is world readable" [Undecided,Fix released] https://launchpad.net/bugs/1700490 [16:32] Thank you for your assistance in keeping Ubuntu users secure! :) [16:32] [TOPIC] Weekly stand-up report === meetingology changed the topic of #ubuntu-meeting to: Weekly stand-up report === meetingology` changed the topic of #ubuntu-meeting to: Weekly stand-up report [16:32] jdstrand: you're up [16:33] hey [16:33] Last week I focused a lot on interface reviews (broadcom-asic-control, udev tagging,kvm, spi, avahi reimplementation. I also coordinated with the Desktop team wrt snaps on 17.10 desktop. I triaged the snapd-interface bugs and picked up the wayland work a bit. [16:33] This week I plan to: [16:33] - finish going through the wayland interface (this has required quite a bit of investigation wrt interactions with snapd's setting of XDG_RUNTIME_DIR [16:33] - be responsive to various snappy PRs and feature discussions (eg, udev tagging, avahi, snapd user/groups, portals, etc) [16:34] - perform several PRs against snapd 2.27 for recent PRs that need to be in the next release [16:34] - pickup new 'desktop' interface for gnome-shell, plasma and sway as have time [16:34] that's it from me [16:34] mdeslaur: you're up [16:34] I'm on triage this week [16:34] and I have a couple of updates to publish [16:34] and after down, down the list, as usual [16:34] sbeattie: you're up [16:34] I'm in the happy place this week [16:35] I have a couple of kernel USNs to publish this morning [16:35] I have an embargoed issue on my plate [16:36] I'm stll waiting on openjdk-7 from td aitx, but might have that to publish this week [16:36] I'll look at picking up other updates as well [16:36] tyhicks: :D [16:36] I also have some apparmor bits and qrt bits to poke at. [16:37] that's it for me. tyhicks, over to you... [16:37] I'm in the happy place this week [16:37] I will finish making changes to seccomp v6 kernel patch set, test, and submit upstream [16:37] need to do fscrypt pam module review and packaging [16:37] still need to familiarize myself with the latest LSM stacking patch set [16:37] I also still need to review jdstrand's snapd users/groups writeup [16:38] jjohansen: you're up [16:38] I am still working on upstreaming apparmor, specifically the type splitting needed to fixed the stored path issue in our unix domain sockets. [16:38] I will be doing some more testing of the LSM stacking kernel, and getting my feedback to Casey [16:38] I have some Ralley prep to take care of this week. [16:39] and if there is time some misc apparmor test suite issues to poke at [16:39] tyhicks: fyi, niemeyer ack'd that the users/groups write-up is accurate which I think is a precursor to his full review/comment [16:40] thats it for me sarnold you're up [16:40] I'm on community this week; also setting up rally travel, and working down the MIRs. Maybe review a patch or two from jjohansen if he think it'd be helpful. [16:40] that's it for me, chrisccoulson? [16:40] I've got firefox and chromium updates this week [16:41] sarnold: oh yes [16:41] I'm also in the process of updating rust to 1.19, but I've got an issue with 1.18 first. I imagine this will take up most of my week [16:41] That's me done [16:41] I'm in the happy place this week [16:42] I will be focusing on KPIs for the foreseeable future [16:42] leosilva: you are up [16:43] I worked in a couple of update/finished the publishment today morning [16:43] this week I'm bug triage and also finish triage hope to get some updates too [16:43] that's it for me [16:43] tyhicks: it's back to you [16:44] duh, I mean, soon finish triage* [16:44] * tyhicks is catching up [16:45] [TOPIC] Highlighted packages === meetingology changed the topic of #ubuntu-meeting to: Highlighted packages === meetingology` changed the topic of #ubuntu-meeting to: Highlighted packages [16:45] The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. [16:45] See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. [16:45] http://people.canonical.com/~ubuntu-security/cve/pkg/unrar-nonfree.html [16:45] http://people.canonical.com/~ubuntu-security/cve/pkg/yaml-cpp.html [16:45] http://people.canonical.com/~ubuntu-security/cve/pkg/qpid-proton.html [16:45] http://people.canonical.com/~ubuntu-security/cve/pkg/freeciv.html [16:45] http://people.canonical.com/~ubuntu-security/cve/pkg/inspircd.html [16:45] [TOPIC] Miscellaneous and Questions === meetingology changed the topic of #ubuntu-meeting to: Miscellaneous and Questions === meetingology` changed the topic of #ubuntu-meeting to: Miscellaneous and Questions [16:45] Does anyone have any other questions or items to discuss? [16:47] probably it's worth adding http://people.canonical.com/~ubuntu-security/cve/pkg/varnish.html to that list, four or so community folks filed bugs but I don't recall seeing any debdiffs http://people.canonical.com/~ubuntu-security/cve/pkg/varnish.html [16:47] good thought [16:48] I think varnish updates would be more useful than any of the ones I listed [16:50] I can provide debdiffs within the next hour if someone can help me test them. [16:50] Because it's a Universe package right? [16:50] (yes, answered my own question) [16:51] tsimonq2: you could post debdiffs, sarnold could sponsor them to the ubuntu-security-proposed PPA, and then we could ask for testing in the bug [16:51] tyhicks: Works for me. [16:51] tsimonq2: thanks! [16:51] jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson, ratliff, leosilva: thank you! [16:51] #endmeeting === meetingology changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds: Please leave swords by the door | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendars | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology [16:51] Meeting ended Mon Aug 7 16:51:50 2017 UTC. [16:51] Minutes: http://ubottu.com/meetingology/logs/ubuntu-meeting/2017/ubuntu-meeting.2017-08-07-16.30.moin.txt === meetingology` changed the topic of #ubuntu-meeting to: Ubuntu Meeting Grounds: Please leave swords by the door | Calendar/Scheduled meetings: http://fridge.ubuntu.com/calendars | Logs: https://wiki.ubuntu.com/MeetingLogs | Meetingology documentation: https://wiki.ubuntu.com/meetingology [16:51] Meeting ended Mon Aug 7 16:51:50 2017 UTC. [16:51] Minutes: http://ubottu.com/meetingology/logs/ubuntu-meeting/2017/ubuntu-meeting.2017-08-07-16.30.moin.txt [16:51] tyhicks: np, let's follow up in #ubuntu-hardened :) [16:51] thanks tyhicks [16:51] thanks tyhicks :) [16:51] thanks tyhicks [16:51] thanks tyhicks! [16:52] thanks tyhicks! === meetingology` is now known as meetingology === JanC__ is now known as JanC === meetingology` is now known as meetingology === meetingology` is now known as meetingology