/srv/irclogs.ubuntu.com/2018/02/27/#ubuntu-meeting-2.txt

19:59 <mdeslaur> \o
19:59 * slangasek waves
19:59 <slangasek> I think we have some topics this week
20:00 <slangasek> hopefully we also have a chair
20:00 <mdeslaur> hi infinity!
20:00 * slangasek waves
20:00 <infinity> Oh look, I'm the chair.
20:01 <infinity> #startmeeting Ubuntu Technical Board
20:01 <meetingology> Meeting started Tue Feb 27 20:01:21 2018 UTC.  The chair is infinity. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
20:01 <meetingology> Available commands: action commands idea info link nick
20:01 <infinity> So, who's here?  Do we have quorum?
20:02 * stgraber waves
20:02 <infinity> We do!
20:02 <mdeslaur> wow! hi stgraber!
20:02 <infinity> #topic Action Review
20:03 <infinity> MaaS thingee: I've still entirely failed to review the current state.  I should make a personal TODO item to get that done.
20:03 <infinity> support-status thingee: Superseded by recent SRUs.
20:03 <infinity> slangasek: Bugs thingee?
20:03 <slangasek> infinity: continues to be backlogged
20:04 <infinity> Budgie LTS status, that seems to have been handled on-list, unless we want a quorum vote taken?
20:05 <mdeslaur> nah
20:05 <infinity> I'm +1 to mdeslaur and stgraber's cumulative +2
20:05 <slangasek> I had also +1'ed it, mind
20:05 <slangasek> I think we're good
20:05 <infinity> Kay.
20:06 <infinity> That brings up another topic, which is that we should probably send out a call for LTSiness and renew all the flavours.
20:06 <slangasek> under TB or Release Team hat?
20:06 <infinity> Yes.
20:07 <tsimonq2> Did I hear "flavor"? :)
20:07 <slangasek> is that an [action] for you? :)
20:07 <infinity> TB needs to approve them, but if we're okay with the status quo, then just release team.
20:07 <infinity> The one that I'm currently not okay with is kylin at 5y, since that used to be based on them being based on Ubuntu, which they aren't anymore.
20:07 <infinity> I think they're not Xubuntu based?
20:07 <infinity> IIRC.
20:07 <infinity> s/not/now/
20:08 <tsimonq2> (Ubuntu MATE)
20:08 <tsimonq2> UKUI is a fork of MATE
20:08 <infinity> Ahh, or that.
20:09 <infinity> Either way, they're now based on a 3y flavour, and unless they really think they can handle the extra 2y on their own (which I'd strongly discourage), we should drop them to 3y.
20:09 <slangasek> full ack
20:09 <slangasek> infinity: where are you seeing this as 5y, btw?
20:10 <infinity> slangasek: maintenance-check.py in lp:ubuntu-archive-publishing
20:10 <infinity>     DISTRO_NAMES = [
20:10 <infinity>         "ubuntu",
20:10 <infinity>         "ubuntukylin",
20:10 <infinity>         ]
20:10 <infinity>     DISTRO_NAMES_SHORT = [
20:10 <infinity>         "kubuntu",
20:10 <infinity>         "lubuntu",
20:10 <infinity>         "ubuntu-budgie",
20:10 <infinity>         "ubuntu-mate",
20:10 <infinity>         "ubuntustudio",
20:10 <infinity>         "xubuntu",
20:10 <infinity>         ]
20:10 <infinity> So, kylin should move to short for Bionic, and Budgie needs to be added.
20:10 <infinity> And we need to get everyone to confirm the current status.
20:10 <slangasek> budge is there
20:11 <slangasek> i
20:11 <infinity> So it is.
20:12 <tsimonq2> One thing; if Lubuntu Next 18.04 should be regarded as a 9m rather than a 3y, is there anything that needs to be done on the release team or TB end?
20:12 <infinity> I think I'll JFDI the kylin move, then do the confirmation thing.
20:12 <slangasek> infinity: +1
20:12 <slangasek> infinity: seems you already declared Budgie LTS in October, according to the commit history ;)
20:12 <infinity> tsimonq2: lubuntu-next has its own seeds, right?
20:12 <infinity> Or is it in the lubuntu seed set?
20:12 <tsimonq2> infinity: Correct, but it's under the same branch as the other Lubuntu ones.
20:12 <tsimonq2> Right.
20:12 <slangasek> tsimonq2: do you intend lubuntu-next to release, this time?  Given that it's been daily-only in the past
20:13 <tsimonq2> Correct, that's the goal.
20:14 <tsimonq2> So the *-share-* and the *-gtk-* seeds under the Lubuntu branch should be 3y as normal, and *-qt-* should be 9m.
20:14 <infinity> Yeah, that'll take a little bit of mangling of maintenance-check.
20:15 <tsimonq2> But is the TB OK with that plan?
20:16 <infinity> I'm honestly not sure I see the point in you releasing it as kinda-supported before you switch it over to being the new hotness.
20:16 <slangasek> do we have precedent for a flavor releasing a "next" image as a release image?
20:16 <slangasek> I'm trying to recall what Kubuntu did with plasma
20:16 <infinity> No.
20:16 * slangasek nods
20:16 <infinity> active and plasma never got released officially until the switch.
20:16 <slangasek> so I'd say there's some healthy skepticism about this plan
20:17 <slangasek> maybe tsimonq2 should propose it on the mailing list and we should discuss it further?
20:17 <tsimonq2> slangasek: The TB mailing list or the Release Team one?
20:17 <infinity> That said, regardless of the plan, maint-check will need a bit of a mangle because you're building both from the same seed set, unlike kubuntu that used another.
20:17 <slangasek> tsimonq2: TB, I think
20:18 <tsimonq2> infinity: If this is approved by the TB, I'll volunteer to take that on.
20:18 <tsimonq2> slangasek: Sure, I can do that by the next TB meeting.
20:18 <slangasek> yeah, I was going to say, it'd be great to have tsimonq2 submit the patch for maint-check :)
20:18 <infinity> It's not a hard mangle, per se.  Just needs a filter on the SUPPORTED=all bit.
20:19 <tsimonq2> Right, I can take care of that. :)
20:19 <infinity> You'll want supported=(all-next) and then supported-not-much=next
20:19 <infinity> And not-much.length=9m
20:19 <infinity> All pseudocode, obviously.
20:20 <tsimonq2> Sure, and I can look into it more myself.
20:20 <tsimonq2> Thanks.
20:20 <infinity> #action tsimonq2 to bring up the support/release status of lubuntu-next on the TB list, and then submit patches to maintenance-check according to the final plan
20:20 <meetingology> ACTION: tsimonq2 to bring up the support/release status of lubuntu-next on the TB list, and then submit patches to maintenance-check according to the final plan
20:21 <infinity> #topic Ubuntu MATE Software Boutique
20:21 <flexiondotorg> o/
20:21 <infinity> flexiondotorg: Oh hai.
20:21 <slangasek> hello!
20:21 <infinity> slangasek: You want to drive this bit?
20:22 <infinity> Because context.
20:22 <slangasek> well, I think I've mostly laid out my concerns on the mailing list
20:22 <slangasek> infinity, mdeslaur, stgraber: did you have a chance already to read that thread?
20:22 <slangasek> I can summarize, regardless
20:22 <infinity> I'm reading now.  But a summary would be nice.
20:23 <stgraber> I've read the thread pretty quickly as they came in
20:23 <slangasek> Ubuntu MATE Software Boutique allows push-button installation of packages from a variety of sources
20:23 <slangasek> including ppas, and third-party sources
20:23 <slangasek> some of which are configured by downloading the gpg keys over plaintext http
20:24 <slangasek> and none of these details are surfaced to the user when they choose this software for installation
20:24 <slangasek> so the concern is that this does not align with the TB-approved archive policy https://wiki.ubuntu.com/ExtensionRepositoryPolicy
20:24 <mdeslaur> third-party sources?
20:25 <slangasek> mdeslaur: I'd have to dig into the code for details; but it includes obvious ones like the upstream Google Chrome repository, and some less obvious ones for repos somewhere in India
20:26 <mdeslaur> ooh :(
20:26 <flexiondotorg> Those packages that Boutique installs from 3rd parties are always the official apt repos of the vendor.
20:26 <slangasek> like, something called 'enpass' which is a 'cross-platform, complete password management solution [...]'; can't think of any reason anyone might have concerns about the gpg key used to authenticate /that/ repo being downloaded from http://repo.sinew.in/keys/enpass-linux.key
20:27 <slangasek> flexiondotorg: yes, and we do not have cryptographic trust to any of those upstream repos
20:27 <infinity> Yeah, so, there are multiple concerns here for sure.
20:27 <mdeslaur> and we can't update them or revoke them if they are compromised, etc.
20:27 <infinity> The first is that the user doesn't appear to be reasonably informed.
20:27 <slangasek> so that's my summary of the current state
20:27 <slangasek> flexiondotorg: anything else that I've missed?
20:28 <infinity> The second is that those keys should be shipped in the package, not downloaded on demand.  So there's at least some claim that the developer of the package has vetted the key is the right one.
20:28 <flexiondotorg> The source of the packages is available from the Details alongside each package.
20:28 <flexiondotorg> We also provide a page where every source is presented to the user.
20:29 <slangasek> flexiondotorg: yes; this is not the same thing as an in-band confirmation from the user before they change the archive security properties of their system
20:29 <flexiondotorg> infinity: I'm happy to ship keys with Boutique.
20:29 <slangasek> flexiondotorg: do you also ship apt pins?
20:29 <flexiondotorg> I'm happy to present a more prominent indication to users that packages are coming from a 3rd party and not supported by Ubuntu.
20:30 <slangasek> (I'm asking because I think that would be a good idea; third-party apt repos have terrible security implications and apt pinning can mitigate against certain kinds of accidents, but not against a truly malicious repo)
20:31 <flexiondotorg> We are not adding random PPAs or 3rd party repos. They are being vetted.
20:31 <flexiondotorg> And some of those repos can be replaced with snaps from the same vendors now. The snap support is landing soon.
20:31 <slangasek> flexiondotorg: but they're not being vetted by either the TB on behalf of the Ubuntu Developers, or by the user when they select for installation, and that's the problem from my perspective :)
20:32 <slangasek> flexiondotorg: to be clear, I don't want to ask you to cripple any functionality here
20:32 <slangasek> but I do think the security implications need to be surfaced to the user
20:32 <stgraber> sure but any of them being taken over by a malicious third party and all your users are screwed with no way for you to fix them, downloading those keys over http then makes it even worse as it becomes pretty easy for someone to just feed you some other keys they'd like you to trust...
20:33 <flexiondotorg> I understand. I'm keen to retain the functionality in a fashion the TB is comfortable with.
20:33 <flexiondotorg> I just wanted to make it clear we are being careful with the 3rd party repos we select.
20:34 <stgraber> For deb packages, I expect the minimum would be to have the GPG key in question in your package, ship apt pinning config so that they can't push any package other than what you expect AND you should still show a very clear message to the user that they're effectively trusting vendor XYZ with root on their system.
20:34 <infinity> ^-- I think that about sums it up for me.
20:34 <slangasek> right, +1
20:34 <flexiondotorg> I wasn't aware Boutique was doing anything it shouldn't. My only intention was to provide the software users want with an easy install.
20:35 <infinity> And that message can't be a one-time "I trust you to do stupid things for me", but triggered on any new repo enablement.
20:35 <flexiondotorg> I'm happy to ship keys in the application, if that is desirable.
20:35 <infinity> "I explicitly trust Google Chrome's repo" one day and "I also explicitly trust Dave's Janky PPA" the next.
20:35 <flexiondotorg> Boutique is a snap now. So we do have a means to act quickly should a repo become compromised in some fashion.
20:36 <flexiondotorg> We can notify users and provide corrective action.
20:36 <infinity> flexiondotorg: Shipping keys in the package is the easiest way to maintain a reasonable trust path.  It also makes it easier for you to revoke them in an SRU.
20:36 <flexiondotorg> As I said, it will land as a snap so we can revoke them promptly via an update should the need arise.
20:37 <infinity> (Has anyone else found it very difficult to correctly type the word "trust" ever since, oh, October 2013 or so?)
20:38 <mdeslaur> heh
20:38 <flexiondotorg> So, ship keys. Apt pinning. Up front indication that 3rd party packages are not supported by Ubuntu.
20:39 <flexiondotorg> Shipping keys and upfront indication are quick work. Apt pinning will take a little longer.
20:39 <infinity> flexiondotorg: Not just lack of support, but also indicating each time someone enables a new repo that they are explicitly trusting that non-Ubuntu repository with root on their system.
20:39 <stgraber> it's really not just that they're not supported by Ubuntu, I mean universe packages would kinda fit that description, it's more "I'm trusting that vendor with full root access to my system"
20:40 <flexiondotorg> Understood.
20:40 <infinity> flexiondotorg: Anyhow, I think the next action here would be for you to come up with a design plan, toss it at the mailing list for review, and move this forward there.
20:41 <infinity> I expect there might be some iteration.
20:41 <infinity> Though, happy to be proven wrong.
20:42 <flexiondotorg> OK
20:42 <infinity> #action flexiondotorg To follow-up on-list with design review to address MATE Boutique security/consent concerns.
20:42 <meetingology> ACTION: flexiondotorg To follow-up on-list with design review to address MATE Boutique security/consent concerns.
20:42 <infinity> Aaaand, on we go.
20:42 <infinity> #topic Mailing List Archives
20:43 <infinity> So, other than the bits we just talked about, there's a Kylin repo revisiting thing, that I think can be addressed on-list.
20:44 <infinity> And a PPU request.  Did anyone action that?
20:44 <infinity> slangasek: Did.
20:44 <infinity> Minus the colon.
20:44 <slangasek> yeah, about 30 minutes ago ;)
20:44 <infinity> Heh.
20:44 <infinity> #topic Community Bugs
20:44 <infinity> GUYS WE HAVE ONE.
20:45 <slangasek> OMG
20:45 <mdeslaur> WAT?
20:45 <slangasek> who wants it? :)
20:45 <stgraber> can't be
20:45 <slangasek> it's just another edit-acl
20:45 <infinity> "Adding people to that packageset depends on team reorg in the set of teams for Ubuntu Budgie development (or the creation of a new team for it), the Developer Membership Board will take care of the following steps."
20:45 <infinity> Looks like it's spinning wheels waiting on that, though?
20:45 <infinity> I mean, a packageset with no members seems pointless.
20:46 <slangasek> if it avoids the DMB blocking on the TB, it's not pointless IMHO
20:46 <infinity> That's fair.
20:46 <infinity> slangasek: All yours, if you want to spend the copious amount of time verifying that copy-paste and pasting it.
20:47 <infinity> #topic Chext Nair
20:47 <slangasek> e... d... i.... r... shoot
20:47 <infinity> Looketh like iz kees, mit mdeslaur backup.
20:47 <mdeslaur> ack
20:48 <infinity> #topic AOB
20:48 * mdeslaur gives stink-eye to kees
20:48 <infinity> Anyone have any OB to gab about?
20:48 <infinity> Other than the minor excitement over having an actual meeting with stuff in it for once?
20:48 <slangasek> I do have one thing more
20:48 <infinity> Excellent.  Thing away.
20:48 <infinity> #topic Steve has a thing
20:49 <slangasek> I started a thread on ubuntu-devel to discuss policy around snaps preinstalled on Ubuntu images
20:49 <slangasek> I think this should eventually go to TB for signoff
20:49 <infinity> That it should.
20:49 <mdeslaur> +1
20:49 <slangasek> any preference on what form that should take?
20:49 <slangasek> should I put it on agenda for next meeting, or would you prefer email?
20:49 <infinity> One with an explicit sign-off from Mark that our jobs are safe if we dislike the plan.
20:49 <infinity> *cough*
20:50 <mdeslaur> heh
20:50 <infinity> But yes, I think on agenda and real-time discussion.
20:50 <slangasek> (I still need to incorporate feedback from the mailing list thread before submitting to TB)
20:50 <slangasek> ok
20:51 <infinity> Any other any other any other bidness?
20:51 <infinity> 3
20:51 <infinity> 2
20:51 <infinity> 1
20:51 <infinity> #endmeeting
20:51 <meetingology> Meeting ended Tue Feb 27 20:51:22 2018 UTC.
20:51 <meetingology> Minutes:        http://ubottu.com/meetingology/logs/ubuntu-meeting-2/2018/ubuntu-meeting-2.2018-02-27-20.01.moin.txt
20:51 <slangasek> thanks, all!
20:51 <mdeslaur> thanks everyone
21:10 <infinity> Wiki updated, and I'm out.
