=== not_phunyguy is now known as phunyguy === genii is now known as genii-core === not_phunyguy is now known as phunyguy [14:29] pre-ping for MIR ddstreet doko sarnold didrocks jamespage [14:29] * cpaelzer lights a multi-dimensional campfire (for those with flooding it is warm and dry, for those with heat issues it is a cooling fire, for everyone else it is whatever they need) [14:30] #startmeeting Weekly Main Inclusion Requests status [14:30] Meeting started at 14:30:25 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology [14:30] Available commands: action, commands, idea, info, link, nick [14:30] no old actions to look at [14:30] #topic current component mismatches [14:30] hey [14:30] #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg [14:30] #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg [14:31] good morning [14:31] hiho [14:31] I like this multidimensional fire idea [14:31] these seem to contain the same as recently [14:31] let us check the status [14:31] fence-agents still on security via https://bugs.launchpad.net/ubuntu/+source/fence-agents/+bug/1927004 [14:31] Launchpad bug 1927004 in fence-agents (Ubuntu) "[MIR] fence-agents" [Undecided, New] [14:32] cherrypy on jamespage [14:32] oh this one [14:32] screen-resolution-extra -> policykit-1-gnome [14:32] this is an alternative, I remember we used to have already c-m picking the wrong one and we had to workaroudn it, but did anyone of you remember what we did exactly? [14:32] didrocks: you said last week you wanted to take a loolk [14:32] http://launchpadlibrarian.net/544364041/screen-resolution-extra_0.18build2_0.18.1.diff.gz [14:32] look [14:32] it’s fullfiled by gnome-shell already [14:33] ok so we consider this done and it will vanish from this view in some time [14:33] thanks didrocks [14:33] cpaelzer: no no [14:33] it’s not done [14:33] oh [14:33] the issue is triggered by this diff [14:33] then I misinerpreted "fulfilled" [14:33] oh I see [14:33] thanks [14:33] and this diff is for every flavor not picking up gnome-shell [14:33] so, the issue is in component-mismatch [14:34] and I don’t remember how we workarounded it in other cases in the past… [14:34] I think "oh that's a holdovre from..." [14:34] (like terminator, esmtp, etc) [14:35] yeah [14:35] yes [14:35] + policykit-1-gnome | gnome-shell | polkit-1-auth-agent, [14:35] ok I'll try to remember this is part of that group [14:35] thanks for checking didrocks [14:35] yw [14:35] #topic New MIRs [14:35] #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir [14:35] still no action by doko on flashrom/libftdi :-/ [14:36] I'll contact him and matt offline via a mail [14:36] * didrocks is surprised on busybox not being in main… [14:36] as I'd love to get it out of this stage in some way (continue or abort it) [14:36] didrocks: lets us talk about busybox [14:36] I guess we can agree and promite it right away [14:36] TL;DR busyboy is in main, this is about an extra binary from the src package to be promoted [14:37] Usually people ask that on the old MIR bugs [14:37] but this one is so old, it has no MIR bug [14:37] I wouldn't be surprised if there's outstanding cves in busybox that we've ignored, something like their tools for downloading files don't check tls certificates.. [14:37] ah ack only one binary missing, I was wondering for a while with what I was playing after happy testing in casper :p [14:38] sarnold: why would those have been ignroed? [14:38] as far as I ahve looked it seems to be a differnt build from the same source [14:38] so no "new code" to be promoted [14:38] I'd like to understand why in this scenario CVEs would have been ignored, to get a feeling if this needs only MIR ack or also security re-review [14:38] yeah, it’s only the dynamic linking (the static is in main) if I read the MIR correctly [14:39] yes didrocks - that should be it [14:39] cpaelzer: because busybox is often used in environments where 'the usual things' are broken / missing / intentionally unavailable [14:39] ah but now you could use it in "others environments" [14:39] yeah [14:39] and that might change the attack surface [14:39] ok thanks [14:40] I think this is a trivial review from the MIR POV (nt a full one), but a more coplex one from the security side then [14:40] looks like it [14:40] heh, alas yes.. [14:40] but since this is a server case I'd want to ask if someone else could do the MIR-check on this [14:40] to not look like special-case-self-signed-off [14:40] since no one but the three of us seem available, would you didrocks be able to do that MIR check there? [14:41] and then probably assign it to security to get thie rre-eval? [14:41] cpaelzer: will do [14:41] oh btw #action cpaelzer to clarify libftdi with matt/doko [14:41] #action cpaelzer to clarify libftdi with matt/doko [14:41] ACTION: cpaelzer to clarify libftdi with matt/doko [14:41] thanks didrocks [14:41] that gets us to the next agenda item [14:41] yw! [14:42] #topic Incomplete bugs / questions [14:42] #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir [14:42] sdl is me, that will soon be ready for promotion [14:42] no action needed [14:42] o/ [14:42] flatpack ... [14:42] reading [14:42] oh we marked it incomplete last week [14:42] ok nothing new [14:42] welcome doko [14:43] before I send you a mail doko, would you this week have time to resolve flashrom/libftdi ? [14:43] I have asked a few weeks in a row and some way it should get off our incoming list [14:43] right, it should be updated, fwupd needs a dependency [14:43] I've outlined it a few times already, it is about a non MIR-team evaluation wihch seems "approved" by you [14:44] yes, but I don't want to see it. fwupd needs to build with that support. waiting for an upload now [14:45] an upload of fwupd to pull it in? [14:45] yes [14:46] jawn-smith working on it [14:46] so this was an approval by you then back on 2021-03-11 [14:47] if you could confirm this now that would be helpful, then I could do an update and set the bug to the right states [14:48] o/ I can do upload a change with a dependency [14:49] s/do// [14:49] jawn-smith: I was mostly concerned because the bug looked like needing a review still [14:49] this is now clarified and I have updated the bug [14:49] you can do the upload now and then promotion to main can happen [14:49] and it is by now gone from the MIR-team incoming queue [14:50] Thanks for all the clarifications, we look good again now ... [14:50] #topic Any other business? [14:50] excellent, thanks! [14:50] nothing from me [14:50] \o/ [14:50] nothing from me [14:50] nothing either [14:55] ok timeout :-) [14:55] see you all next week then [14:55] woot, thanks cpaelzer, all :) [14:55] thanks [14:55] #endmeeting [14:55] Meeting ended at 14:55:43 UTC. Minutes at https://new.ubottu.com/meetingology/logs/ubuntu-meeting/2021/ubuntu-meeting.2021-06-29-14.30.moin.txt [14:55] see you o/ === genii-core is now known as genii [18:57] o/ [18:57] o/ [19:04] mdeslaur: around? [19:04] vorlon? [19:04] * rbasak doesn't see sil2100 here [19:19] * rbasak goes back to his evening === genii is now known as genii-core === JanC_ is now known as JanC