[14:27] <sarnold> good morning
[14:30] <joalif> o/
[14:30] <slyon> o/
[14:31] <didrocks> hey
[14:31] <cpaelzer> OMW
[14:31] <cpaelzer> one sec ...
[14:34] <cpaelzer> now I'm here
[14:34] <cpaelzer> too many conflicting meetings
[14:34] <cpaelzer> thanks for your patience
[14:34] <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
[14:34] <meetingology> Meeting started at 14:34:57 UTC.  The chair is cpaelzer.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
[14:34] <meetingology> Available commands: action, commands, idea, info, link, nick
[14:35] <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage
[14:35] <cpaelzer> #topic current component mismatches
[14:35] <cpaelzer> Mission: Identify required actions and spread the load among the teams
[14:35] <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
[14:35] <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
[14:35] <cpaelzer> let us see if we have anything new in there to act on
[14:35] <slyon> nothing new AFAICT
[14:35] <cpaelzer> yep, I still ping jamespage / coreycb for jaraco every week
[14:35] <cpaelzer> but indeed all in there are known cases
[14:35] <cpaelzer> \o/
[14:36] <sarnold> \o/
[14:36] <cpaelzer> #topic New MIRs
[14:36] <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing
[14:36] <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
[14:36] <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/webp-pixbuf-loader/+bug/1979121
[14:36] <cpaelzer> just this one
[14:36] <cpaelzer> marked low prio and no milestone
[14:36] <cpaelzer> so it might be non-urgent, but I haven't read the details
[14:37] <coreycb> cpaelzer: re: jaraco. I think that's ready for main (?)
[14:37] <sarnold> there's text in the bug that asks for august 25
[14:37] <cpaelzer> coreycb: jaraco.text is in, but it depends on jaraco.context which has no MIR assigned
[14:37] <slyon> "The package webp-pixbuf-loader is required in Ubuntu main no later than aug 25 due to feature freeze"
[14:37] <cpaelzer> indeed sarnold, I set the milestone accordingly
[14:37] <sarnold> thanks
[14:38] <cpaelzer> looking for a review volunteer on webp
[14:38] <coreycb> cpaelzer: https://bugs.launchpad.net/ubuntu/+source/jaraco.context/+bug/1975600
[14:38] <cpaelzer> reading coreycb ...
[14:38] <cpaelzer> coreycb: it didn't have the MIR team subscribed
[14:38] <cpaelzer> fixed it
[14:38] <coreycb> ahh ok, thanks!
[14:39] <cpaelzer> now you need an AA to promote it
[14:39] <cpaelzer> I can take that for tomorrow
[14:39] <didrocks> I can have a look, but this is desktopish and it’s always a little bit off for me to ask a manual test plan (that again, we don’t have here as a wiki page :/)
[14:39] <coreycb> cpaelzer: great, thank you
[14:39] <cpaelzer> I haven't done a graphic MIR in a while, I also take webp
[14:39] <didrocks> so having another pair of eyes would be better to reinforce that this is 1. a fallback plan and 2. not optional
[14:40] <cpaelzer> I will didrocks, thanks for the hint
[14:40] <sarnold> no tests for an image loader? :(
[14:41] <cpaelzer> TBH I've seen plenty of image loader tests - like convert from A->B and then check expected output
[14:41] <cpaelzer> is webp non deterministic?
[14:41] <didrocks> even non deterministic, you can add fuzzy comparison…
[14:41] <cpaelzer> like could it produce slightly different output on the panel it draws to every time?
[14:41] <sarnold> on the other hand, a package without tests can't possibly be broken..
[14:41] <cpaelzer> lol
[14:41] <didrocks> until people are using it? :p
[14:41] <cpaelzer> very helpful sarnold, very helpful :-P
[14:41]  * sarnold bows
[14:41] <cpaelzer> anyway I'll have a look
[14:42] <didrocks> thx cpaelzer
[14:42] <cpaelzer> #topic Incomplete bugs / questions
[14:42] <cpaelzer> Mission: Identify required actions and spread the load among the teams
[14:42] <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
[14:42] <cpaelzer> gsasl just landed 2.x
[14:42] <cpaelzer> that is the update there
[14:42] <didrocks> (btw, sorry for missing the parsing part)
[14:42] <cpaelzer> np didrocks, we come to that later
[14:43] <didrocks> I asked jawn-smith to have a look at the diff, not redo a whole MIR
[14:43] <cpaelzer> there is always a lesson learned :-)
[14:43] <cpaelzer> libiso* is also ok
[14:43] <cpaelzer> was reviewed waits for the reporting team
[14:43] <cpaelzer> I think we can go on
[14:43] <jawn-smith> ack, will hopefully have that done today
[14:43] <cpaelzer> thanks jawn-smith
[14:43] <cpaelzer> #topic MIR related Security Review Queue
[14:43] <cpaelzer> Mission: Check on progress, do deadlines seem doable?
[14:43] <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
[14:43] <cpaelzer> Internal link
[14:43] <cpaelzer> - ensure your teams items are prioritized among each other as you'd expect
[14:43] <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much
[14:43] <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
[14:43] <cpaelzer> sarnold: I keep saying the list grows - but it really really does by now
[14:44] <cpaelzer> you said "telegraf and something else in progress" often enough (no offense) - who do we need to bully to give you more time and people?
[14:44] <sarnold> aye, and I don't expect any progress on it this week, the security team is sprinting this week
[14:44] <cpaelzer> sarnold: can the outcome of the sprint be that this gets more attention before we have the same explosion as last cycle?
[14:45] <sarnold> cpaelzer: I believe we do have a short meeting on MIRs to make sure we're all on the same page, yeah
[14:45] <cpaelzer> ok, please push as hard as you can on it sarnold. Because we will ask you every week
[14:45] <sarnold> I expect nothing less :D
[14:45] <cpaelzer> and we includes more or less everyone requesting those cases
[14:46] <cpaelzer> which ends up to be a lot of people :-)
[14:46] <cpaelzer> #topic Any other business?
[14:46] <sarnold> none here
[14:46] <cpaelzer> here we come to the case you mentioned didrocks
[14:46] <slyon> Just a FYI that I rejected this from last week: https://bugs.launchpad.net/ubuntu/+source/python-charset-normalizer/+bug/1977475
[14:46] <cpaelzer> thanks slyon - we (the reporting team) agreed
[14:46] <slyon> I don't think it's strictly needed and would introduce duplication. ACKed by Lena
[14:46] <cpaelzer> we found the switch to the normalizer, but not the debate to drop it altogether
[14:46] <cpaelzer> that really helped - thanks slyon
[14:47] <slyon> nothing else from my side
[14:47] <cpaelzer> on gsasl didrocks and I had a talk
[14:47] <cpaelzer> it was first marked as not needing a security review
[14:47] <joalif> nothing here I still work on the ipmitool review
[14:47] <cpaelzer> and I want to point us all to the rules section [Security] for a quick check
[14:47] <cpaelzer> thanks joalif
[14:48] <cpaelzer> it currently says
[14:48] <cpaelzer> TODO: - history of CVEs does not look concerning
[14:48] <cpaelzer> TODO: - does not run a daemon as root
[14:48] <cpaelzer> TODO: - does not use webkit1,2
[14:48] <cpaelzer> TODO: - does not use lib*v8 directly
[14:48] <cpaelzer> TODO: - does not parse data formats
[14:48] <cpaelzer> TODO: - does not open a port/socket
[14:48] <cpaelzer> TODO: - does not process arbitrary web content
[14:48] <cpaelzer> TODO: - does not use centralized online accounts
[14:48] <cpaelzer> TODO: - does not integrate arbitrary javascript into the desktop
[14:48] <cpaelzer> TODO: - does not deal with system authentication (eg, pam), etc)
[14:48] <cpaelzer> TODO: - does not deal with security attestation (secure boot, tpm, signatures)
[14:48] <cpaelzer> That covers a lot, but we have (didrocks now, but I myself in other cases in the past) to make a good split on when it is "parse data"
[14:48] <cpaelzer> I mean is having any CLI or socket or API or I/O => "parsing data"
[14:48] <sarnold> it's hard to say, since that's the core behaviour of nearly everything..
[14:48] <cpaelzer> I do not want to get philosophical, but
[14:49] <cpaelzer> I'd propose to add one more line to catch one particular kind that obviously needs to go through security expertise
[14:49] <cpaelzer> TODO: - does not deal with cryptography (en-/decryption, certificates, signing, ...)
[14:49] <slyon> yeah, I've been struggling with that one, too
[14:49] <sarnold> i've always interpreted it to mean more along the lines of images, video, audio, xml, json, asn.1 ..
[14:49] <didrocks> I was going to propose about dealing with certificates
[14:49] <didrocks> I guess your line captures it
[14:50] <sarnold> I like the cryptography addition, yeah
[14:50] <cpaelzer> could I get a discussion/ack on that line above, then we could talk about a potential second rule that makes the "parsing" more granular
[14:50] <didrocks> sounds like a good addition to me
[14:50] <cpaelzer> opinions, objections, +1 on the line proposed above
[14:50] <didrocks> +1
[14:50] <slyon> +1
[14:50] <joalif> +1
[14:50] <sarnold> +1
[14:50] <slyon> also +1 on sarnold's suggestion about the parsing part
[14:51] <cpaelzer> there I have come up with something
[14:51] <cpaelzer> TODO: - does not parse data formats (from files [images, video, audio, xml, json, asn.1], network packets, structures, ...)
[14:51] <cpaelzer> are there other commonly exploited attack vectors worth mentioning explicitly as an example?
[14:52] <didrocks> I wonder about json/yaml, because let’s say any package that embeds a json parser would be impacted, no?
[14:52] <didrocks> (let’s say, a go app vendoring go-yaml )
[14:53] <didrocks> so basically, everything having configuration would end up in the security queue, is that desired?
[14:53] <sarnold> it really does run the risk of sending *everything* through the security team..
[14:53] <didrocks> which would be the safest option. Then we have to deal with reality…
[14:53] <sarnold> some additional 'from untrusted sources' might be nice, but that can be hard to tell
[14:54] <didrocks> even libreoffice, in some way, is parsing its own file format
[14:54] <sarnold> and ossfuzz finds things with libreoffice basically every other day..
[14:54] <cpaelzer> untrusted source is good here
[14:54] <didrocks> yeah, I like the untrusted source as a delimiter
[14:54] <cpaelzer> indeed
[14:55] <cpaelzer> TODO: - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source
[14:55] <cpaelzer> could we vote on that as well please then?
[14:55] <cpaelzer> +1
[14:55] <didrocks> +1
[14:55] <sarnold> I think mostly the 'this needs security review' vs 'this doesn't need security review' mostly works out pretty well, so in some sense I think the intuitions of the team have been pretty good
[14:55] <slyon> yes. and the sysadmin (e.g. config files yaml/json/xml/ini) would be trusted
[14:55] <slyon> +1
[14:55] <joalif> +1
[14:55] <sarnold> +1
[14:56] <cpaelzer> ok thank you all
[14:56] <cpaelzer> consider both rules added (in a bit)
[14:56] <slyon> thank you cpaelzer!
[14:56] <didrocks> thank you cpaelzer for the proposals :)
[14:57] <cpaelzer> we can only get better if we try :-)
[14:57] <cpaelzer> anything else to discuss left?
[14:57] <didrocks> nothing from me this week
[14:57] <joalif> nothing from me
[14:57] <slyon> nothing here
[14:58] <cpaelzer> ok, clsoing then
[14:58] <cpaelzer> or rather "closing"
[14:58] <cpaelzer> FYI: review rules in the wiki updated
[14:58] <didrocks> (parsing error)
[14:58] <cpaelzer> #endmeeting
[14:58] <meetingology> Meeting ended at 14:58:25 UTC.  Minutes at https://ubottu.com/meetingology/logs/ubuntu-meeting/2022/ubuntu-meeting.2022-06-21-14.34.moin.txt
[14:58] <didrocks> thanks!
[14:58] <sarnold> thanks cpaelzer, all :)
[14:58] <joalif> thanks cpaelzer, all:)
[14:59] <slyon> thank you!
[19:01] <rbasak> o/
[19:03] <rbasak> vorlon: meeting?
[19:03] <rbasak> I don't see the other two here.
[19:19] <rbasak> vorlon: also, when you see this, please could you update the calendar meeting to the new phasing? I can't do that as I don't have edit rights; I think you "own" the event.
[19:19] <rbasak> Perhaps that's why you're not here :)
[19:20] <vorlon> hi, sorry! that's exactly right, didn't realize that's why the calendar wasn't updated
[19:20] <vorlon> and didn't realize the meeting was on until I got email notifications of your google doc edits
[19:21] <vorlon> updated now, for all that's worth :/
[19:21] <rbasak> Thanks :)
[19:21] <rbasak> I used the time to work on the doc
[19:21] <vorlon> ack
[19:22] <vorlon> regarding that, are we close to a conclusion?  I wasn't sure how much sil2100 had reviewed the current doc
[19:22] <vorlon> (I'm unsurprised if he's unavailable right now fwiw, there was an... injury earlier today while he was at the vet)
[19:24] <rbasak> It's on me at the moment.
[19:24] <rbasak> I have to work out what we're already shipping and what exceptions might be needed.
[19:25] <rbasak> That's the biggest task I think.
[19:26] <vorlon> ok