[03:44] <amurray> luis220413: if you happen to see this in channel logs etc - please there is no need to announce every time when you are going to go and come back - IRC is assumed to be asynchronous, Ubuntu developers are all over the globe in different time zones so it is assumed that in general no-one will reply immediately
[03:45] <amurray> luis220413: therefore it is fine if you are not here at the time someone is trying to contact you - so please save some electrons and dispense with the 'I will return...' 'I returned' type messages
[03:47] <Unit193> ...I just read that last bit in a Dragoon voice. >_>
=== jbicha_ is now known as jbicha
=== ChanServ changed the topic of #ubuntu-security to: Twitter: @ubuntu_sec || https://usn.ubuntu.com || https://wiki.ubuntu.com/SecurityTeam || https://wiki.ubuntu.com/Security/Features || Community: sarnold
=== arif-ali_ is now known as arif-ali
=== arif-ali_ is now known as arif-ali
[16:46] <teward> oh good sarnold is on community duty this week heh
[18:54] <teward[m]> sarnold if/when you awake, do me a favor and ping me via PM
[18:54] <teward[m]> i have things to discuss ;P
[18:58]  * sarnold hides behind flakey matrix bridges
[18:59]  * teward hides the matrix bridges behind sarnold
[18:59] <teward> oops :)
[18:59] <teward> you're hiding behind the bridge which is hiding behind you which is.... [KERNEL PANIC] oom tried to kill init.
[19:00]  * sarnold falls over
[19:06] <tomreyn> now he's hiding *under* the bridge
[19:08] <teward> hah
[19:19] <sarnold> :D
[19:25] <luis220413> https://bugs.launchpad.net/%7Eluis220413/+bugs?field.searchtext=&orderby=-importance&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=FIXCOMMITTED&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.information_type%3Alist=PUBLICSECURITY&assignee_opti
[19:29] <luis220413> We will need to have a workaround for the toolchain requirements in bug 1970783.
[19:29] <ubottu> Bug 1970783 in webkit2gtk (Ubuntu) "Multiple vulnerabilities in Bionic" [Wishlist, In Progress] https://launchpad.net/bugs/1970783
[19:35] <sarnold> hello luis220413, the upstream webkit2gtk folks move toolchains pretty quickly; we can't support it in older releases. see https://wiki.ubuntu.com/SecurityTeam/FAQ#WebKitGTK
[19:36] <teward> luis220413: while you're at it, read the entirety of https://wiki.ubuntu.com/SecurityTeam/FAQ before you ping anyone in here again
[19:36] <teward> sarnold knows all the reasoning behind this request, and likely will stand by the request even though I"m not on the SEcurity Team
[19:36] <teward> Eickmeyer: *cough*
[19:37] <Eickmeyer[m]> teward: ack
[20:10] <luis220413> sarnold: There are only 2 insufficient dependencies in Bionic, that can be backported with new source and binary package names.
[20:12] <luis220413> This is not a request, but a statement that I am available to get this fixed.
[20:13] <teward> new source and binary names are less likely to get included in an already released Ubuntu release as security updates
[20:13] <teward> so for that reason alone I would assume the FAQ statement about the upstream moving too quickly stands
[20:13] <teward> cc sarnold 
[20:14] <teward> yes there are exceptions, and those exceptions are well documented
[20:14] <teward> and i don't think this falls into those exception cases
[20:16] <teward> luis220413: also, when the security team says 'no' and says 'we can't support this in older releases', just accept "no" as the answer
[20:24] <teward> i'll let sarnold make a decision but those're my opinions anyways
[20:31] <luis220413> New source and binary names are needed in the security pocket because security updates only build with the release and security pockets enabled.
[20:33] <sarnold> adding new packages is an undertaking; then those new packages must also be maintained, for whatever it is that people do with them. whatever built against the old version of webkit needs to be tested to make sure it works with new versions. Given that upstream has abandoned these old releases, they are perhaps not super-responsive to abi breaks.
[20:33] <sarnold> both firefox and chromium-browser are supported and exist
[20:41] <luis220413> I can maintain the CMake and ICU backports, except that the ICU backport will have to be in main.
[20:41] <luis220413> sarnold: What ABI breaks?
[20:43] <luis220413> There are security-sensitive uses of libwebkit2gtk-4.0-37 in Bionic:
[20:43] <luis220413> * libgoa-backend-1.0-1 uses it to access online account login pages
[20:43] <luis220413> * gnome-online-accounts same
[20:44] <sarnold> luis220413: packages in ubuntu are typically maintained by teams: people come, people go, but teams are expected to continue
[20:44] <luis220413> * epiphany-browser is a web browser
[20:45] <luis220413> sarnold: I know, but I will not go before Bionic end-of-standard-support (April 2023)
[20:46] <luis220413> * surf is another web browser
[20:46] <luis220413> * libatrilview3 uses WebKit to execute JavaScript in PDFs
[20:48] <luis220413> * gthumb has a web album feature that appears to use WebKit
[20:55] <luis220413> I will prepare backports (if needed) and an updated webkit2gtk for Bionic soon.
[21:02] <sarnold> I suggest you find a different way to spend your time
[21:02] <sarnold> bringing in two new packages, who need an owner, is no small undertaking
[21:02] <sarnold> there's got to be something more important to work on
[21:10] <luis220413> They will be direct backports from Focal and this is affecting users right now. An alternative would be to state in the package description that support is only guaranteed during the first 3 years of the LTS period.
[21:11] <luis220413> Because they are direct backports from Focal, maintaining them would not take a lot of time.
[21:13] <luis220413> sarnold: What do you mean by "owner"?
[21:14] <sarnold> luis220413: someone who would read all bug reports, triage them, respond to them, look for fixes, apply fixes, perform testing on all dependent packages, etc, for the next ten years
[21:17] <luis220413> These backports will only be needed until the next few months. Once Bionic enters ESM upstream will cease to support Focal.
[21:17] <luis220413> *in the next few months
[21:17] <teward> upstream's support period doesn't matter
[21:17] <teward> the ESM period for Ubuntu does matter though to some extent
[21:17] <teward> because it's not EOL until the end of ESM
[21:18] <teward> hence 'eight years' and 'ten years' and such
[21:18] <teward> including current LTS + its ESM period
[21:19] <teward> that's where Seth's values come into play
[21:20] <sarnold> luis220413: heh, is that an argument *for* this work or against this work?
[21:20] <teward> i would argue that your argument that upstream will cease to support Focal after Bionic enters ESM is support for *not* updating packages
[21:21] <teward> just, you know, my view on this.  (your statement to this effect is like shooting yourself in the foot and NOT in favor of doing the backporting)
[21:21] <luis220413> # My argument is for this work. Thomas Ward is right, but once upstream releases a version that requires new dependencies (most likely months after Bionic enters ESM) another backport will be needed.
[21:21] <luis220413> Remove the #
[21:21] <luis220413> * most likely a few months
[21:22] <luis220413> OK, I retire the "few months" statement.
[21:23] <teward> sarnold: remind me, ESM for Bionic starts when?
[21:23] <teward> April?
[21:24] <sarnold> teward: yeah, currently scheduled for april https://wiki.ubuntu.com/Releases
[21:25] <teward> so about 8 months.  I don't see a justification to put this amount of effort into something that will ultimately become irrelevant in 8 months time.
[21:25] <teward> 7 months*
[21:25] <luis220413> This will only become irrelevant when upstream releases a version with additional dependencies that are not satisfied in Bionic.
[21:25] <luis220413> nor by the backports
[21:27] <luis220413> OK
[21:30] <luis220413> Sorry. This will not become irrelevant because, when additional dependencies appear, additional backports can be made until the end of ESM.
[21:31] <luis220413> ESM for 16.04 covers the entirety of Ubuntu main, and I expect that that will also happen for 18.04.
[21:31] <luis220413> Source: https://wiki.ubuntu.com/SecurityTeam/ESM/16.04
[21:31] <teward> i don't think you understand the scope for ESM
[21:31] <teward> from the FAQ:
[21:31] <teward> ESM customers receive security updates for high and critical CVEs (common vulnerabilities and exposures) for the most commonly used server packages in the Ubuntu main archive. 
[21:31] <teward> *not* the entire Main archive
[21:32] <teward> the FAQ link in that link you have points to the FAQ I referenced
[21:32] <teward> reread what https://wiki.ubuntu.com/SecurityTeam/FAQ#Standard_Support says
[21:32] <teward> i'm going to literally quote Seth here:
[21:32] <teward> [We] suggest you find a different way to spend your time.  there's got to be something more important to work on.
[21:32] <luis220413> Sorry, but I have to say this part of the FAQ is a bit outdated. This is true for Precise and Trusty, but not Xenial.
[21:33] <luis220413> *That part of the FAQ is true for Precise and Trusty but not Xenial.
[21:33] <luis220413> teward: OK. I will prepare several security updates in the next weeks.
[21:34] <teward> sarnold: my suggestion is ^^ you ignore any of their prods because all of their proddings have led to arguments and CoC violations
[21:34] <teward> you and the security team*