[16:31] <jdstrand> hi!
[16:32]  * sbeattie waves hello
[16:32] <jdstrand> #startmeeting
[16:32] <jdstrand> The meeting agenda can be found at:
[16:32] <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
[16:32] <meetingology> Meeting started Mon Oct  1 16:32:11 2018 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
[16:32] <meetingology> Available commands: action commands idea info link nick
[16:32] <jdstrand> [TOPIC] Announcements
[16:32] <jdstrand> First off, I'd like to warmly welcome joemcmanus to the team as our new security team manager. Glad to have you Joe! :)
[16:32] <sbeattie> welcome, joemcmanus!
[16:33] <jdstrand> The generalist role rotation for this week is as follows:
[16:33] <mdeslaur> \o
[16:33] <jdstrand> CVE Triage: msalvatore (ebarretto), Bug Triage: sarnold, Community: sbeattie, Happy Place: amurray, mdeslaur, leosilva, ebarretto
[16:33] <jdstrand> [TOPIC] Weekly stand-up report
[16:34] <jdstrand> oh, I forgot one announcement
[16:34] <jdstrand> The Ubuntu Security Team is hiring!
[16:34] <jdstrand> Ubuntu Security engineer: https://boards.greenhouse.io/canonical/jobs/1158266?t=8c0a6c1f1
[16:34] <jdstrand> ok, I'll go first for standup
[16:34] <jdstrand> This week I plan to:
[16:34] <jdstrand> * continue brand store snap declarations
[16:34] <jdstrand> * continue kubernetes-support interfaces
[16:34] <jdstrand> * various snapd PR reviews
[16:34] <jdstrand> * iterate on docker PRs
[16:34] <jdstrand> * embargoed issue
[16:35] <jdstrand> mdeslaur: you're up
[16:35] <mdeslaur> I'm in the happy place this week
[16:35] <mdeslaur> I just finished publishing a whole new ghostscript version to the stable releases to fix a bunch of security issues that don't have CVE numbers
[16:36] <mdeslaur> hopefully it won't cause any major regressions
[16:36] <mdeslaur> I have an embargoed issue to publish later on once upstream makes the issue public
[16:36] <mdeslaur> and I'll be continuing more CVE work after that
[16:36] <mdeslaur> that's about it, sbeattie, you're up
[16:36] <sbeattie> I'm on community this week
[16:37] <jdstrand> mdeslaur: do you think it warrants a call for testing?
[16:37] <mdeslaur> what, ghostscript?
[16:37] <sarnold> it's already out the door :)
[16:37] <mdeslaur> I already published it
[16:37] <mdeslaur> I tested the heck out of it
[16:37] <jdstrand> mdeslaur: yes, and, ok :)
[16:37] <mdeslaur> and judging by the number of open bugs against the old version, this one can only be better
[16:38] <jdstrand> mdeslaur: it was the 'hopefully' that threw me:)
[16:38] <mdeslaur> I will keep a look out for regression bugs
[16:38]  * jdstrand nods
[16:38] <jdstrand> mdeslaur: thanks for taking that on. ghostscript can be challenging
[16:39] <jdstrand> sorry sbeattie, go ahead :)
[16:39] <sbeattie> kernel updates are being published now, will start the USNs for them after the meeting.
[16:40] <sbeattie> I have imagemagick packages in the ubuntu-security-proposed ppa that disable pdf/ps support, to avoid ghostscript (for all the reasons above) that I'll be testing and publishing.
[16:40] <mdeslaur> \o/
[16:40] <sbeattie> After that, I need to spend some time looking at possible additional toolchain hardening for cosmic+1.
[16:41] <sbeattie> That will probably take up my week.
[16:41] <sbeattie> jjohansen: over to you.
[16:41] <jjohansen> It's a short week for me, I am off Wednesday, Thursday, and maybe Friday.
[16:41] <jjohansen> I am still trying to finish up last week's items, apparmor items for the 4.20 pull request: mjg secmark patch, kernel_t label for kernel network tasks, and the nonewprivs work.  LSM stacking patches, and the 2.10.4, 2.11.2, 2.12.1, 2.13.1 stable releases for apparmor
[16:42] <jjohansen> that's it for me, sarnold you're up
[16:43] <sarnold> I'm on bug triage this week; I'm going to finish the xdg-desktop-portal-gtk MIR 1750069 this week, hopefully by tomorrow; then I'll run down the list of MIRs in trello. I'll do apparmor patch reviews as needed.
[16:43] <sarnold> that's it for me.. leosilva?
[16:43] <leosilva> I'm in the happy place this week
[16:43] <leosilva> I pushed a USN for bind9 for precise
[16:43] <leosilva> I spent some time in a glib2.0 regression, but it ends as a no sec regression
[16:44] <leosilva> I'll do the hunting pkg and find something to update - right now I'm digging on liblouis
[16:44] <leosilva> that is it for me
[16:44] <mdeslaur> libleo
[16:44] <leosilva> msalvatore: I think it's up to you now
[16:44] <leosilva> hehe.
[16:45] <msalvatore> Hi all. I'm on CVE triage this week, but it's a super short week for me (I'm out oct2-oct12)
[16:45] <msalvatore> ebarretto will fill in for CVE triage
[16:45] <msalvatore> I published fixes for uwsgi this morning
[16:45] <msalvatore> I'm focusing on CVE triage and re-triage of older CVEs for today.
[16:45] <msalvatore> ebarretto: you're up
[16:46] <ebarretto> I'm in the happy place/cve triage this week:
[16:46] <ebarretto> - Released today new opencv update for bionic
[16:46] <ebarretto> - Also released a new version of monit for xenial because of a regression in the last update (LP: #Bug:1786910)
[16:46] <ebarretto> - I am working on updating libav for trusty, right now I am testing the security fixes that were backported
[16:46] <ebarretto> - I will be doing CVE triage starting tomorrow to cover msalvatore
[16:46] <ebarretto> - If anyone finds any problem in uwsgi update from msalvatore, feel free to ping me and add me to bugs
[16:47] <ebarretto> that's it for me ... joemcmanus you're up
[16:49] <ebarretto> jdstrand, did we skip chrisccoulson ?
[16:49] <chrisccoulson> yep ;)
[16:49] <chrisccoulson> shall I go now?
[16:49] <jdstrand> ebarretto: he was skipped. I thought it was me now knowing who was out :)
[16:49] <mdeslaur> man, we keep forgetting chrisccoulson
[16:49] <mdeslaur> he's too quiet
[16:49] <chrisccoulson> lol
[16:49] <jdstrand> chrisccoulson: yes please :)
[16:49] <jdstrand> hey, I can't prove it, but I was thinking about it :)
[16:49] <mdeslaur> hehe
[16:50] <ebarretto> hehe
[16:50] <chrisccoulson> I'm expecting a firefox release to test and publish this week, although the release hasn't happened yet
[16:50] <chrisccoulson> I've got an embargoed update too
[16:50] <chrisccoulson> and I'll be working on the libssh2 MIR
[16:51] <chrisccoulson> that shouldn't take all week, so I'll have time for something else (something else on the review queue?)
[16:51] <chrisccoulson> that's me done
[16:51] <jdstrand> chrisccoulson: I think so, yes, we're getting to the end :)
[16:51] <jdstrand> [TOPIC] Highlighted packages
[16:52] <jdstrand> The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security
[16:52] <jdstrand> updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
[16:52] <jdstrand> [TOPIC] Miscellaneous and Questions
[16:52] <jdstrand> Does anyone have any other questions or items to discuss?
[16:54] <jdstrand> mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson (see, I didn't forget!), leosilva, msalvatore, ebarretto, joemcmanus: thanks!
[16:54] <jdstrand> #endmeeting
[16:54] <meetingology> Meeting ended Mon Oct  1 16:54:40 2018 UTC.
[16:54] <meetingology> Minutes:        http://ubottu.com/meetingology/logs/ubuntu-meeting/2018/ubuntu-meeting.2018-10-01-16.32.moin.txt
[16:54] <sarnold> thanks jdstrand!
[16:54] <jjohansen> thanks jdstrand
[16:54] <ebarretto> thanks jdstrand
[16:55] <sbeattie> jdstrand: thanks!
[16:55] <leosilva> tks jdstrand !
[16:55] <chrisccoulson> :)
[16:56] <mdeslaur> thanks jdstrand