/srv/irclogs.ubuntu.com/2022/06/21/#ubuntu-meeting.txt

=== athos_ is now known as athos
[14:27] <sarnold> good morning
[14:30] <joalif> o/
[14:30] <slyon> o/
[14:31] <didrocks> hey
[14:31] <cpaelzer> OMW
[14:31] <cpaelzer> one sec ...
[14:34] <cpaelzer> now I'm here
[14:34] <cpaelzer> too many conflicting meetings
[14:34] <cpaelzer> thanks for your patience
[14:34] <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
[14:34] <meetingology> Meeting started at 14:34:57 UTC.  The chair is cpaelzer.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
[14:34] <meetingology> Available commands: action, commands, idea, info, link, nick
[14:35] <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage
[14:35] <cpaelzer> #topic current component mismatches
[14:35] <cpaelzer> Mission: Identify required actions and spread the load among the teams
[14:35] <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
[14:35] <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
[14:35] <cpaelzer> let us see if we have anything new in there to act on
[14:35] <slyon> nothing new AFAICT
[14:35] <cpaelzer> yep, I still ping jamespage / coreycb for jaraco every week
[14:35] <cpaelzer> but indeed all in there are known cases
[14:35] <cpaelzer> \o/
[14:36] <sarnold> \o/
[14:36] <cpaelzer> #topic New MIRs
[14:36] <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing
[14:36] <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
[14:36] <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/webp-pixbuf-loader/+bug/1979121
[14:36] <ubottu> Launchpad bug 1979121 in webp-pixbuf-loader (Ubuntu) "[MIR] webp-pixbuf-loader" [Low, New]
[14:36] <cpaelzer> just this one
[14:36] <cpaelzer> marked low prio and no milestone
[14:36] <cpaelzer> so it might be non-urgent, but I haven't read the details
[14:37] <coreycb> cpaelzer: re: jaraco. I think that's ready for main (?)
[14:37] <sarnold> there's text in the bug that asks for august 25
[14:37] <cpaelzer> coreycb: jaraco.text is in, but it depends on jaraco.context which has no MIR assigned
[14:37] <slyon> "The package webp-pixbuf-loader is required in Ubuntu main no later than aug 25 due to feature freeze"
[14:37] <cpaelzer> indeed sarnold, I set the milestone accordingly
[14:37] <sarnold> thanks
[14:38] <cpaelzer> looking for a review volunteer on webp
[14:38] <coreycb> cpaelzer: https://bugs.launchpad.net/ubuntu/+source/jaraco.context/+bug/1975600
[14:38] <ubottu> Launchpad bug 1975600 in jaraco.context (Ubuntu) "[MIR] jaraco.context" [Undecided, Fix Committed]
[14:38] <cpaelzer> reading coreycb ...
[14:38] <cpaelzer> coreycb: it didn't have the MIR team subscribed
[14:38] <cpaelzer> fixed it
[14:38] <coreycb> ahh ok, thanks!
[14:39] <cpaelzer> now you need an AA to promote it
[14:39] <cpaelzer> I can take that for tomorrow
[14:39] <didrocks> I can have a look, but this is desktopish and it's always a little bit off for me to ask a manual test plan (that again, we don't have here as a wiki page :/)
[14:39] <coreycb> cpaelzer: great, thank you
[14:39] <cpaelzer> I haven't done a graphic MIR in a while, I also take webp
[14:39] <didrocks> so having another pair of eyes would be better to reinforce that this is 1. a fallback plan and 2. not optional
[14:40] <cpaelzer> I will didrocks, thanks for the hint
[14:40] <sarnold> no tests for an image loader? :(
[14:41] <cpaelzer> TBH I've seen plenty of image loader tests - like convert from A->B and then check expected output
[14:41] <cpaelzer> is webp non deterministic?
[14:41] <didrocks> even non deterministic, you can add fuzzy comparison...
[14:41] <cpaelzer> like could it produce slightly different output on the panel it draws to every time?
[14:41] <sarnold> on the other hand, a package without tests can't possibly be broken..
[14:41] <cpaelzer> lol
[14:41] <didrocks> until people are using it? :p
[14:41] <cpaelzer> very helpful sarnold, very helpful :-P
[14:41]  * sarnold bows
[14:41] <cpaelzer> anyway I'll have a look
[14:42] <didrocks> thx cpaelzer
[14:42] <cpaelzer> #topic Incomplete bugs / questions
[14:42] <cpaelzer> Mission: Identify required actions and spread the load among the teams
[14:42] <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
[14:42] <cpaelzer> gsasl just landed 2.x
[14:42] <cpaelzer> that is the update there
[14:42] <didrocks> (btw, sorry for missing the parsing part)
[14:42] <cpaelzer> np didrocks, we come to that later
[14:43] <didrocks> I asked jawn-smith to have a look at the diff, not redo a whole MIR
[14:43] <cpaelzer> there is always a lessons learned :-)
[14:43] <cpaelzer> libiso* is also ok
[14:43] <cpaelzer> was reviewed, waits for the reporting team
[14:43] <cpaelzer> I think we can go on
[14:43] <jawn-smith> ack, will hopefully have that done today
[14:43] <cpaelzer> thanks jawn-smith
[14:43] <cpaelzer> #topic MIR related Security Review Queue
[14:43] <cpaelzer> Mission: Check on progress, do deadlines seem doable?
[14:43] <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
[14:43] <cpaelzer> Internal link
[14:43] <cpaelzer> - ensure your team's items are prioritized among each other as you'd expect
[14:43] <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much
[14:43] <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
[14:43] <cpaelzer> sarnold: I keep saying the list grows - but it really really does by now
[14:44] <cpaelzer> you said "telegraf and something else in progress" often enough (no offense) - who do we need to bully to give you more time and people?
[14:44] <sarnold> aye, and I don't expect any progress on it this week, the security team is sprinting this week
[14:44] <cpaelzer> sarnold: can the outcome of the sprint be that this gets more attention before we have the same explosion as last cycle?
[14:45] <sarnold> cpaelzer: I believe we do have a short meeting on MIRs to make sure we're all on the same page, yeah
[14:45] <cpaelzer> ok, please push as hard as you can on it sarnold. Because we will ask you every week
[14:45] <sarnold> I expect nothing less :D
[14:45] <cpaelzer> and we includes more or less everyone requesting those cases
[14:46] <cpaelzer> which ends up to be a lot of people :-)
[14:46] <cpaelzer> #topic Any other business?
[14:46] <sarnold> none here
[14:46] <cpaelzer> here we come to the case you mentioned didrocks
[14:46] <slyon> Just a FYI that I rejected this from last week: https://bugs.launchpad.net/ubuntu/+source/python-charset-normalizer/+bug/1977475
[14:46] <ubottu> Launchpad bug 1977475 in python-charset-normalizer (Ubuntu) "[MIR] python-charset-normalizer" [Undecided, Won't Fix]
[14:46] <cpaelzer> thanks slyon - we (the reporting team) agreed
[14:46] <slyon> I don't think it's strictly needed and would introduce duplication. ACKed by Lena
[14:46] <cpaelzer> we found the switch to the normalizer, but not the debate to drop it altogether
[14:46] <cpaelzer> that really helped - thanks slyon
[14:47] <slyon> nothing else from my side
[14:47] <cpaelzer> on gsasl didrocks and I had a talk
[14:47] <cpaelzer> it was first marked as not needing a security review
[14:47] <joalif> nothing here, I still work on the ipmitool review
[14:47] <cpaelzer> and I want to point us all to the rules section [Security] for a quick check
[14:47] <cpaelzer> thanks joalif
[14:48] <cpaelzer> it currently says
[14:48] <cpaelzer> TODO: - history of CVEs does not look concerning
[14:48] <cpaelzer> TODO: - does not run a daemon as root
[14:48] <cpaelzer> TODO: - does not use webkit1,2
[14:48] <cpaelzer> TODO: - does not use lib*v8 directly
[14:48] <cpaelzer> TODO: - does not parse data formats
[14:48] <cpaelzer> TODO: - does not open a port/socket
[14:48] <cpaelzer> TODO: - does not process arbitrary web content
[14:48] <cpaelzer> TODO: - does not use centralized online accounts
[14:48] <cpaelzer> TODO: - does not integrate arbitrary javascript into the desktop
[14:48] <cpaelzer> TODO: - does not deal with system authentication (eg, pam), etc)
[14:48] <cpaelzer> TODO: - does not deal with security attestation (secure boot, tpm, signatures)
[14:48] <cpaelzer> That covers a lot, but we have (didrocks now, but I myself in other cases in the past) to make a good split on when it is "parse data"
[14:48] <cpaelzer> I mean is having any CLI or socket or API or I/O => "parsing data"
[14:48] <sarnold> it's hard to say, since that's the core behaviour of nearly everything..
[14:48] <cpaelzer> I do not want to get philosophical, but
[14:49] <cpaelzer> I'd propose to add one more line to catch one particular kind that obviously needs to go through security expertise
[14:49] <cpaelzer> TODO: - does not deal with cryptography (en-/decryption, certificates, signing, ...)
[14:49] <slyon> yeah, I've been struggling with that one, too
[14:49] <sarnold> i've always interpreted it to mean more along the lines of images, video, audio, xml, json, asn.1 ..
[14:49] <didrocks> I was going to propose about dealing with certificates
[14:49] <didrocks> I guess your line captures it
[14:50] <sarnold> I like the cryptography addition, yeah
[14:50] <cpaelzer> could I get a discussion/ack on that line above, then we could talk about a potential second rule that makes the "parsing" more granular
[14:50] <didrocks> sounds like a good addition to me
[14:50] <cpaelzer> opinions, objections, +1 on the line proposed above
[14:50] <didrocks> +1
[14:50] <slyon> +1
[14:50] <joalif> +1
[14:50] <sarnold> +1
[14:50] <slyon> also +1 on sarnold's suggestion about the parsing part
[14:51] <cpaelzer> there I have come up with something
[14:51] <cpaelzer> TODO: - does not parse data formats (from files [images, video, audio, xml, json, asn.1], network packets, structures, ...)
[14:51] <cpaelzer> are there other commonly exploited attack vectors worth mentioning explicitly as examples?
[14:52] <didrocks> I wonder about json/yaml, because let's say any package that embeds a json parser would be impacted, no?
[14:52] <didrocks> (let's say, a go app vendoring go-yaml )
[14:53] <didrocks> so basically, everything having configuration would end up in the security queue, is that desired?
[14:53] <sarnold> it really does run the risk of sending *everything* through the security team..
[14:53] <didrocks> which would be the safest option. Then we have to deal with reality...
[14:53] <sarnold> some additional 'from untrusted sources' might be nice, but that can be hard to tell
[14:54] <didrocks> even libreoffice, in some way, is parsing its own file format
[14:54] <sarnold> and ossfuzz finds things with libreoffice basically every other day..
[14:54] <cpaelzer> untrusted source is good here
[14:54] <didrocks> yeah, I like the untrusted source as a delimiter
[14:54] <cpaelzer> indeed
[14:55] <cpaelzer> TODO: - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source
[14:55] <cpaelzer> could we vote on that as well please then?
[14:55] <cpaelzer> +1
[14:55] <didrocks> +1
[14:55] <sarnold> I think the 'this needs security review' vs 'this doesn't need security review' mostly works out pretty well, so in some sense I think the intuitions of the team have been pretty good
[14:55] <slyon> yes. and the sysadmin (e.g. config files yaml/json/xml/ini) would be trusted
[14:55] <slyon> +1
[14:55] <joalif> +1
[14:55] <sarnold> +1
[14:56] <cpaelzer> ok thank you all
[14:56] <cpaelzer> consider both rules added (in a bit)
[14:56] <slyon> thank you cpaelzer!
[14:56] <didrocks> thank you cpaelzer for the proposals :)
[14:57] <cpaelzer> we can only get better if we try :-)
[14:57] <cpaelzer> anything else to discuss left?
[14:57] <didrocks> nothing from me this week
[14:57] <joalif> nothing from me
[14:57] <slyon> nothing here
[14:58] <cpaelzer> ok, clsoing then
[14:58] <cpaelzer> or rather "closing"
[14:58] <cpaelzer> FYI: review rules in the wiki updated
[14:58] <didrocks> (parsing error)
[14:58] <cpaelzer> #endmeeting
[14:58] <meetingology> Meeting ended at 14:58:25 UTC.  Minutes at https://ubottu.com/meetingology/logs/ubuntu-meeting/2022/ubuntu-meeting.2022-06-21-14.34.moin.txt
[14:58] <didrocks> thanks!
[14:58] <sarnold> thanks cpaelzer, all :)
[14:58] <joalif> thanks cpaelzer, all :)
[14:59] <slyon> thank you!
[19:01] <rbasak> o/
[19:03] <rbasak> vorlon: meeting?
[19:03] <rbasak> I don't see the other two here.
[19:19] <rbasak> vorlon: also, when you see this, please could you update the calendar meeting to the new phasing? I can't do that as I don't have edit rights; I think you "own" the event.
[19:19] <rbasak> Perhaps that's why you're not here :)
[19:20] <vorlon> hi, sorry! that's exactly right, didn't realize that's why the calendar wasn't updated
[19:20] <vorlon> and didn't realize the meeting was on until I got email notifications of your google doc edits
[19:21] <vorlon> updated now, for all that's worth :/
[19:21] <rbasak> Thanks :)
[19:21] <rbasak> I used the time to work on the doc
[19:21] <vorlon> ack
[19:22] <vorlon> regarding that, are we close to a conclusion?  I wasn't sure how much sil2100 had reviewed the current doc
[19:22] <vorlon> (I'm unsurprised if he's unavailable right now fwiw, there was an... injury earlier today while he was at the vet)
[19:24] <rbasak> It's on me at the moment.
[19:24] <rbasak> I have to work out what we're already shipping and what exceptions might be needed.
[19:25] <rbasak> That's the biggest task I think.
[19:26] <vorlon> ok
