[16:37] <tyhicks> hello
[16:37] <chrisccoulson> hi
[16:37] <tyhicks> #startmeeting
[16:37] <meetingology> Meeting started Mon Nov  6 16:37:27 2017 UTC.  The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:37] <meetingology> Available commands: action commands idea info link nick
[16:37] <tyhicks> The meeting agenda can be found at:
[16:37] <tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:37] <tyhicks> [TOPIC] Announcements
[16:37] <tyhicks> Lucas Kocia (lkocia) provided a debdiff for xenial for firewalld (LP: #1617617)
[16:37] <tyhicks> Jeremy Bicha (jbicha) provided a debdiff for zesty for gdm3 (LP: #1729354)
[16:37] <tyhicks> Thank you for your assistance in keeping Ubuntu users secure! :)
[16:37] <tyhicks> [TOPIC] Weekly stand-up report
[16:37] <tyhicks> jdstrand: you're up
[16:38] <mdeslaur> \o
[16:38] <leosilva> o/
[16:38] <jdstrand> hello
[16:38] <jdstrand> Last week I focused primarily on the customer regression related to the expanded udev tagging work that landed in 2.28. This week I plan:
[16:38] <jdstrand> * finish up some new spread tests based for better high-level coverage of security backends
[16:38] <jdstrand> * investigate the udev_enumerate regression ondra reported
[16:38] <jdstrand> * investigate the broadcom-asic-control interface bug
[16:38] <jdstrand> * snapd PR reviews
[16:38] <jdstrand> * continue uid/gid work for snap privilege dropping
[16:38] <jdstrand> s/based//
[16:39] <jdstrand> that's it from me. mdeslaur, you're up
[16:39] <mdeslaur> I'm on bug triage this week
[16:39] <mdeslaur> I'm currently testing openssl updates. chrisccoulson managed to figure out the regression on armhf caused by the newer gcc on artful+ with some pretty impressive debugging work
[16:40] <mdeslaur> and I have a big imagemagick update to look at
[16:40] <mdeslaur> that's pretty much it for me, sbeattie?
[16:41] <tyhicks> chrisccoulson: thanks for helping out with that openssl build failure
[16:41] <tyhicks> chrisccoulson: that was quite impressive work
[16:41] <chrisccoulson> no worries :)
[16:41] <tyhicks> I'll go and maybe Steve will be around later
[16:42] <tyhicks> I've got a couple more eCryptfs kernel patches to review and also need to prepare for the 4.15 merge window (only bug fixes to go up)
[16:42] <tyhicks> oh, I'm in the happy place this week
[16:43] <tyhicks> I have an embargoed issue
[16:43] <tyhicks> and then I'll start work on squashfs reproducibility
[16:43] <tyhicks> I got sidetracked last week as we were finalizing the apparmor move to gitlab and figuring out the new processes
[16:43] <tyhicks> that's it for me
[16:43] <jdstrand> chrisccoulson: btw, that was a pretty awesome debug :)
[16:44] <tyhicks> jjohansen isn't around
[16:44] <tyhicks> sarnold: you're up
[16:44] <jdstrand> re squashfs reproducibility> \o/
[16:45]  * tyhicks pokes sarnold again
[16:45] <sarnold> I'm in the happy place this week; I'll be doing apparmor patch reviews as I can, and embargoed work
[16:45]  * mdeslaur hands tyhicks the memset magic wand
[16:46] <sarnold> I think that should be it for me this week, chrisccoulson?
[16:46] <chrisccoulson> I've got a firefox update to prepare, although the update isn't until next week. It's a big one though, so I wouldn't mind people installing it
[16:47] <tyhicks> chrisccoulson: let us know when we can start using it
[16:48] <chrisccoulson> Then there's rust 1.21. There's still 2 builds that don't complete successfully, but the failures are completely random. I'm not too sure what to do with these yet, but I want to avoid losing another week to this
[16:48] <chrisccoulson> (I've just hit retry on one again actually whilst there's not a backlog of builds)
[16:49] <sarnold> did we switch to using rust's llvm fork?
[16:49] <chrisccoulson> And then hopefully I will actually get time to start working on other things
[16:49] <chrisccoulson> sarnold, I've done that already. The only architecture it's caused a problem on is s390x (doesn't build there at all)
[16:49] <chrisccoulson> I think that's me done
[16:49] <sarnold> argh :/ I was hoping for better than that :(
[16:50] <chrisccoulson> I'm hoping this works out better. The last rust update required around 6 patches backporting to llvm. This one intentionally broke a feature entirely with the system llvm. And the next release will require a whole new llvm version
[16:51] <chrisccoulson> I can't remember who's next. ratliff?
[16:51] <ratliff> I'm in the happy place this week
[16:51] <ratliff> I have another article to write
[16:52] <ratliff> More work on kpis
[16:52] <ratliff> on to you leosilva
[16:52] <leosilva> I'm community this week
[16:52] <leosilva> I just pushed an update early
[16:52] <leosilva> I'll try to work on vim update (but I'm skeptical about if the patch fixes the issue)
[16:52] <leosilva> other than that I'll follow with the normal hunting.
[16:53] <leosilva> that's all for me... tyhicks it's back to you
[16:53] <sbeattie> I can go.
[16:53] <sbeattie> I'm on cve triage this week
[16:53] <sbeattie> I have an openjdk-8 update to publish today
[16:54] <sbeattie> I have some kernel triage stuff to catch up on
[16:54] <sbeattie> I'll be looking at identifying needed snap updates
[16:54] <sbeattie> And I have some background tasks to work on post the apparmor move to gitlab.
[16:54] <sbeattie> That'll likely consume my week.
[16:55] <sbeattie> tyhicks: back to you.
[16:55] <tyhicks> thanks!
[16:55] <tyhicks> [TOPIC] Highlighted packages
[16:55] <tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
[16:55] <tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[16:55] <tyhicks> https://people.canonical.com/~ubuntu-security/cve/pkg/udfclient.html
[16:55] <tyhicks> https://people.canonical.com/~ubuntu-security/cve/pkg/pidgin.html
[16:55] <tyhicks> https://people.canonical.com/~ubuntu-security/cve/pkg/firebird2.5.html
[16:55] <tyhicks> https://people.canonical.com/~ubuntu-security/cve/pkg/tcptrack.html
[16:55] <tyhicks> https://people.canonical.com/~ubuntu-security/cve/pkg/git-annex.html
[16:55] <tyhicks> [TOPIC] Miscellaneous and Questions
[16:55] <tyhicks> Does anyone have any other questions or items to discuss?
[17:00] <tyhicks> jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson, ratliff, leosilva: Thanks!
[17:00] <tyhicks> #endmeeting
[17:00] <meetingology> Meeting ended Mon Nov  6 17:00:10 2017 UTC.
[17:00] <meetingology> Minutes:        http://ubottu.com/meetingology/logs/ubuntu-meeting/2017/ubuntu-meeting.2017-11-06-16.37.moin.txt
[17:00] <ratliff> thanks, tyhicks
[17:00] <mdeslaur> thanks tyhicks!
[17:00] <leosilva> tks tyhicks !
[17:01] <sbeattie> tyhicks: thanks!
[17:02] <jdstrand> thanks tyhicks :)
[17:04] <sarnold> thanks tyhicks!
[18:59] <sil2100> o/
[18:59] <bdmurray> o/
[19:02] <jbicha> hi
[19:03] <sil2100> We don't have much on the agenda, but I'd like to use the occasion to discuss Balint's case and the Budgie packageset
[19:11] <sil2100> But I guess we don't have quorum today anyway
[19:12] <sil2100> jbicha, bdmurray: should we continue to handle Balint's application through e-mail?
[19:13] <bdmurray> I think the relevant context is there so that or wrap the existing thread
[19:13] <jbicha> I think the problem is rbalint might not have a strong enough application for core dev right now
[19:14] <jbicha> I think he would have a stronger motu application so maybe we should encourage him to switch to that?
[19:15] <bdmurray> Isn't he also a DD and could get PPU rights for those packages?
[19:16] <jbicha> yes, that's part of why his motu application would be stronger, in my opinion
[19:19] <bdmurray> Well, regardless I think he deserves a response regarding his application as it stands
[19:20] <jbicha> I can follow up to ask him if he wants to apply for motu instead, is that ok?
[19:21] <sil2100> I think it's better if we first have a vote formally made
[19:21] <sil2100> Since recommending motu before actually knowing if the board is willing to approve of his application would be a bit rude
[19:22] <bdmurray> Right, we are making an assumption it wouldn't pass
[19:22] <sil2100> If it fails I'd say we then recommend him MOTU
[19:22] <jbicha> fair enough
[19:22] <sil2100> I already talked with him and he said he'd be fine, although of course core-dev is his aim
[19:25] <bdmurray> Let's try to bring it to a vote then
[19:27] <jbicha> bdmurray: we have quorum now, right? so do we want to start the vote here and continue on the list if we need more votes?
[19:28] <bdmurray> I think there are only three of us here
[19:28] <micahg> I'm here as well
[19:30] <bdmurray> Unless the vote is unanimous we'd have to go to the list and I don't think that's likely.
[19:30] <jbicha> would it speed up the list voting to have people vote here now?
[19:32] <micahg> I think I'd need to reread the correspondence to vote
[19:32] <micahg> so would prefer to do it on the list
[19:33] <bdmurray> It looks like Robie owes Balint a reply too regarding his expectations.
[19:33] <cyphermox> fwiw, rbalint did raise a question that he didn't know what was expected of him on his application. That's a fair question that merits a clarification, as it seems we haven't always held people to the same standards
[19:33] <cyphermox> yes, that ^
[19:34] <bdmurray> Okay, I think enough of us are in agreement that we should look at the email thread again and continue the conversation / start voting if you are ready.
[19:36] <sil2100> +1
[19:37] <sil2100> We're really bad at e-mail application handling, would be nice if everyone could take a look at it in the nearest 24 hours
[19:38] <cyphermox> that kind of has to do with going to email threads quickly; that goes as an extension to the IRC that doesn't tend to end
[19:42] <bdmurray> sil2100: Did you want to talk about something else or are we good for the not meeting.
[19:43] <sil2100> I guess we're good, we can discuss the Budgie thing next time, no urgency
[19:43] <sil2100> Since fossfreedom now has the powers he needs
[19:43] <bdmurray> Okay, I'm gonna make some coffee
[19:43] <jbicha> who's going to be responsible for looking at what a Budgie packageset would look like?
[19:45] <micahg> probably depends what's in the seed, but I think he'd have to apply for a flavor packageset as that's not what was voted on
[19:46] <micahg> we've done similar things for ubuntustudio in the past where PPU was sought for core packages for the flavor, but not the full flavor packageset
[19:47] <cyphermox> setting up the flavor seed is trivial, I can get the output for what it would be
[19:47] <jbicha> well my impression was he did originally apply for a flavor packageset but let's see what the diff would be first
[19:48] <cyphermox> jbicha: there are two different things
[19:49] <cyphermox> jbicha: fossfree.dom applied to be able to upload stuff for budgie, he was deemed not ready for having upload rights for a flavor seed, so we suggested PPU for some packages
[19:49] <cyphermox> (based on a list he already had)
[19:49] <jbicha> I think the biggest part of him "not being ready" was that we didn't create the flavor packageset
[19:49] <cyphermox> having a flavour packageset is something that needs to happen anyway, since eventually there should be some dev who uploads to budgie in general
[19:50] <cyphermox> jbicha: no
[19:50] <jbicha> I'm just particularly frustrated about fossfreedom's case, it's part of why I applied to DMB actually
[19:50] <cyphermox> creating the packageset is a job of two minutes, it's not blocking much by any means
[19:50] <jbicha> I don't like how much time we've spent of his asking him to come back and how much time we've kept him waiting for upload rights
[19:51] <cyphermox> the question is "Given flavour X's packageset, is the applicant ready to upload to any of the N packages in there"
[19:51] <jbicha> anyway, please provide us the output of the packageset so that we can actually decide if there's a big enough difference there to ask him to come back
[19:51] <cyphermox> neither am I, but creating packagesets is a question orthogonal to whether someone is ready to have that ACL added.
[19:51] <jbicha> and whether that difference is big enough for him to want to
[19:52] <micahg> we have a few flavors with no flavor packageset uploaders
[19:53] <cyphermox> you can look at the ubuntu-mate seed already, it will be a reasonable approximation of what you might find on the budgie packageset.
[19:53] <cyphermox> (but I'll have packageset-report spit out the result, it just takes a while)
[19:54] <jbicha> would it be fine to post that to the list and we can discuss the specifics next meeting?
[19:54] <cyphermox> micahg: sure, but there's no cost to having the packageset created, and we then know what it entails if someone asks "I want to upload for $cUbuntu"
[19:54] <micahg> cyphermox: I'm all for having it ready for people to apply for, just not to grant it willy nilly to people
[19:54] <cyphermox> micahg: there wasn't a question of that
[19:55] <cyphermox> we're in full agreement
[19:55] <micahg> we are :)
[19:55] <jbicha> (sorry to repeat myself), but that is what fossfreedom asked for and we told him no without having a formal vote and without even having the specifics of what it was we were deciding on
[19:55] <cyphermox> jbicha: did you read the thread? because that's not /quite/ what happened as I recall.
[19:56] <micahg> that's what's on the wiki, but not what happened in the meeting as I recall
[19:56] <jbicha> I followed the thread actively at the time, I even attended DMB meetings to urge you to take action since his application was delayed for too long
[19:56] <micahg> I think it's a semantic question
[19:56] <micahg> *question of semantics
[19:56] <micahg> he asked for specific packages
[19:56] <cyphermox> jbicha: there are a couple of things at play: there's not much use in creating the packageset if there's nobody to add to it, but there's also no cost in having the set exist.
[19:57] <cyphermox> jbicha: the content of a packageset is not quite so much the key to whether someone is ready to upload $flavour
[19:57] <cyphermox> I was one who was quite happy to have the packageset generated anyway
[20:04] <jbicha> cyphermox: https://lists.ubuntu.com/archives/devel-permissions/2017-April/001084.html
[20:04] <jbicha> he is clearly asking for packageset rights and we apparently have clearly told him no, largely based on the packageset not existing
[20:05] <micahg> he asked for specific packages as a packageset, not flavor packageset
[20:05] <cyphermox> that's not what that email says?
[20:05] <jbicha> > Please can a packageset be officially defined for Ubuntu Budgie?
[20:06] <jbicha> https://lists.ubuntu.com/archives/technical-board/2017-March/002295.html
[20:06] <jbicha> > I recently requested package-set maintainership for our (Ubuntu Budgie) packages via the DMB.
[20:06] <cyphermox> jbicha: yes, as I mentioned earlier: deferred because there is no reason to create it now when there is nobody who has access to it
[20:07] <jbicha> that's a chicken-and-egg game that was unfair to fossfreedom
[20:07] <cyphermox> no
[20:07] <cyphermox> http://people.canonical.com/~ubuntu-archive/packagesets/artful/personal-fossfreedom exists
[20:07] <cyphermox> packageset != flavor packageset.
[20:08] <jbicha> we're going around in circles here and I don't want to extend this meeting
[20:08] <cyphermox> there is no question that upload rights were fine for the packages in that list, otherwise they would not be.
[20:08] <cyphermox> is anyone waiting for the room?
[20:08] <jbicha> but please send us the packageset you generate and we can discuss what to do next instead of what went wrong
[20:09] <cyphermox> what needs to happen next is the same as usually happens when someone is not approved for upload rights: reapply.
[20:09] <cyphermox> (or well, extend a voting thread by email indefinitely, whatever)