[14:30] <slyon> o/
[14:30] <sarnold> good morning
[14:31] <slyon> c_paelzer is busy, I'll be running the meeting today
[14:31] <sarnold> thanks slyon
[14:31] <slyon> #startmeeting Weekly Main Inclusion Requests status
[14:31] <meetingology> Meeting started at 14:31:27 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
[14:31] <meetingology> Available commands: action, commands, idea, info, link, nick
[14:31] <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold c_paelzer jamespage
[14:31] <joalif> o/
[14:31] <slyon> #topic current component mismatches
[14:31] <slyon> Mission: Identify required actions and spread the load among the teams
[14:31] <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
[14:31] <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
[14:32] <slyon> c-m is looking rather clean. except for nvidia-graphics-drivers-418-server
[14:33] <slyon> but this is a binary update which has been in restricted before, so I guess there's nothing to do for us, and it just needs promotion
[14:33] <sarnold> I can't recall one of these things coming up before
[14:33] <didrocks> hey
[14:34] <slyon> I assume it got dropped & auto-demoted... now a new upload moved to multiverse instead of restricted. I'd leave this to the AAs to sort out
[14:34] <sarnold> will they automatically know it needs sorting out? or would a note in #ubuntu-release be appropriate?
[14:35] <slyon> It shows up in the AAs reports, so they should be aware
[14:35] <slyon> (e.g. c-m, which is an AA report)
[14:35] <slyon> #topic New MIRs
[14:35] <slyon> Mission: ensure to assign all incoming reviews for fast processing
[14:35] <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
[14:36] <slyon> nothing \o/ (we took it all last week :))
[14:36] <slyon> #topic Incomplete bugs / questions
[14:36] <slyon> Mission: Identify required actions and spread the load among the teams
[14:36] <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
[14:36] <slyon> bug #1990655 : libgit2, http-parser
[14:37] -ubottu:#ubuntu-meeting- Bug 1990655 in http-parser (Ubuntu) "MIR: libgit2, http-parser" [High, Incomplete] https://launchpad.net/bugs/1990655
[14:37] <slyon> didrocks: I feel like this should be status: New instead of Incomplete? ^
[14:37] <slyon> it is pending security review, but good from our POV
[14:38] <didrocks> libgit2 is for sure, I only changed the assignee, resetting to New
[14:38] <slyon> thanks
[14:38] <slyon> what do we still need for http-parser?
[14:39] <sarnold> comment #6 suggests just security review
[14:39] <joalif> i dont recall we wait for anything
[14:39] <didrocks> yeah, seems to be the same to me, joalif didn’t have any remaining concerns?
[14:39] <slyon> joalif: if there's nothing else, could you change the status to "New" as well?
[14:40] <joalif> just a really minor recommended todo
[14:40] <joalif> but nothing else
[14:40] <slyon> joalif: ok sounds good!
[14:40] <joalif> sure
[14:40] <slyon> bug #1990582 => waiting for feedback/action from the reporter, nothing to do right now for us
[14:40] -ubottu:#ubuntu-meeting- Bug 1990582 in thin (Ubuntu) "[MIR] Promote thin to main as a pcs dependency" [Undecided, Incomplete] https://launchpad.net/bugs/1990582
[14:41] <slyon> that's all updates for today.
[14:41] <slyon> I assume the MIR reviews we assigned last week are slowly progressing (I handled 2/5 already)
[14:41] <slyon> #topic MIR related Security Review Queue
[14:41] <slyon> Mission: Check on progress, do deadlines seem doable?
[14:41] <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
[14:42] <slyon> Internal link:
[14:42] <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
[14:42] <slyon> sarnold: can you give a brief update?
[14:42] <sarnold> there's been no progress on the security reviews, other tasks have sucked all the oxygen out of the room
[14:43] <slyon> we're getting very close to the end-of-cycle. Do we have any misses that we need to notify people about?
[14:43] <sarnold> I believe I did that last week
[14:43] <slyon> perfect, thanks!
[14:44] <sarnold> well, not *perfect*, but .. :)
[14:44] <slyon> indeed :p
[14:44] <slyon> #topic Any other business?
[14:44] <joalif> i have a  couple of questions
[14:44] <sarnold> I'll miss next week's meeting, so I shall see you in prague :)
[14:44] <joalif> i'm reviewing ruby-ffi https://bugs.launchpad.net/ubuntu/+source/ruby-ffi/+bug/1990570
[14:44] -ubottu:#ubuntu-meeting- Launchpad bug 1990570 in ruby-ffi (Ubuntu) "[MIR] Promote ruby-ffi to main a pcs indirect dependency" [Undecided, New]
[14:45] <joalif> i noticed that it makes a ffi_c.so , should there be a symbols file for this ?
[14:46] <joalif> also security wise it's ok according to the list, this package provides a gem to programmatically load dynamic libraries
[14:46] <didrocks> it depends if there are external consumer
[14:46] <joalif> do you think it would need a security review ?
[14:46] <didrocks> (for the symbols file)
[14:46] <didrocks> like, if the lib internal, only for the ruby binding?
[14:47] <joalif> i think it's for the ruby binding not external but i'll double check
[14:48] <didrocks> I would then check for the practice of python C bindings
[14:48] <joalif> ok thanks!
[14:48] <slyon> I reviewed ruby-childprocess, which is making use of ruby-ffi for IPC. I requested security-review, because I feel passing random data between processes should be double checked, as it could crash/DoS those processes. sarnold what do you tihnk?
[14:49] <slyon> so I would lean towards requesting sec-review for ruby-ffi, too.
[14:49] <sarnold> $ apt-file search /usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/ | grep '\.so$' | wc -l
[14:49] <sarnold> 167
[14:50] <joalif> slyon: yes, I saw your review that's why i'm wondering for ruby-ffi at well, thanks
[14:50] <sarnold> there might other examples in the ruby world, though if we're looking at the pythons because we think they're more likely to be done right..
[14:50] <didrocks> (that was my guess in getting inspired by python, because it’s not done for the other ruby projects I checked and I think it’s better to double cross)
[14:50] <didrocks> but from the few python examples I found, it’s the same, no symbol file
[14:51] <didrocks> I think if they are tests importing the final product (python or ruby) module, and exercising it, it’s good enough to ensure about the ABI stability regarding the runtime?
[14:52] <sarnold> slyon: good question; I'm more inclined to say it depends upon the type of software architecture the library encourages -- oftentimes ipc is used for things that are logically one program and this is just a detail of shuffling bytes around, so there's no boundaries being crossed. but others are intended to provide generic client-server or peers-on-a-bus architecture (like dbus) and that would be
[14:52] <sarnold> more important for a security review, I think
[14:52] <joalif> re symbols : it's not just tests in this case, in any case I look into it to see exactly how it's used and what happens with other rudy libs and python
[14:53] <slyon> sarnold: IIUC ruby-childprocess/-ffi is basically a module, which could be used to implement both types of architecture.
[14:54] <sarnold> This gem aims at being a simple and reliable solution for controlling
[14:54] <sarnold> external programs running in the background on any Ruby / OS combination.
[14:54] <sarnold> hah, yeah, that does feel like a security review would fit
[14:54] <sarnold> if I had a dollar for every time I saw unsafe child process handling..
[14:54] <slyon> sarnold: haha, thanks for the confirmation!
[14:55] <sarnold> thanks :D
[14:55] <slyon> joalif: does that answer your questions?
[14:55] <joalif> yup all covered!
[14:55] <joalif> thank you all!
[14:55] <slyon> do we have anything else?
[14:55] <joalif> nothing from me
[14:56] <slyon> alright, thank you all!
[14:56] <sarnold> thanks slyon, all :)
[14:57] <slyon> looking forward to meeting you in prague!
[14:57] <slyon> #endmeeting
[14:57] <meetingology> Meeting ended at 14:57:03 UTC.  Minutes at https://ubottu.com/meetingology/logs/ubuntu-meeting/2022/ubuntu-meeting.2022-10-18-14.31.moin.txt
[14:57] <joalif> thanks slyon, all :)
[14:59] <didrocks> thanks! See you in Prague
[18:14] <nicoz> Good luck to all the candidates... each of you makes this community special
[19:02]  * vorlon waves
[19:02] <rbasak> o/
[19:03] <vorlon> https://wiki.ubuntu.com/TechnicalBoardAgenda hasn't been updated, still shows next meeting in August with sil2100 chairing
[19:05] <vorlon> who I don't know whether is planning to make it, given that it's release week
[19:07] <rbasak> I don't have much to report.
[19:08] <rbasak> Third party repo requirements is making good progress, but it's all internal in the sense of the things Canonicalers need to do to get it all implemented.
[19:08] <rbasak> I hope to be able to report back in a few weeks with a more concrete plan in terms of progress.
[19:09] <vorlon> sounds good
[19:09] <rbasak> For requirements B, F1 and F2 in particular.
[19:10] <sil2100> Eeek
[19:10] <sil2100> I think I'm late
[19:10] <sil2100> Sorry
[19:10] <sil2100> o/
[19:11] <vorlon> sil2100: hi, are you willing to chair? (wiki says you're on for it but I don't know if the wiki is just out of date)
[19:11] <sarnold> sil2100: https://paste.debian.net/1257514/
[19:13] <sil2100> I could chair, I guess, just to go formally if we have any new possible action items
[19:13] <vorlon> like you, my head is in release space this week of course
[19:14] <sil2100> Since I suppose the rest is just progress on the two issues
[19:15] <sil2100> #startmeeting Ubuntu Technical Board
[19:15] <meetingology> Meeting started at 19:15:26 UTC.  The chair is sil2100.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
[19:15] <meetingology> Available commands: action, commands, idea, info, link, nick
[19:15] <sil2100> #topic Action review
[19:15] <sil2100> I suppose no sense to go through all of those, I think we already said those are still in progress
[19:15] <sil2100> Release makes it slower
[19:16] <sil2100> #topic Check up on community bugs (standing item)
[19:16] <sil2100> Okay, I see no new open bugs at least
[19:17] <sil2100> #topic Scan the mailing list archive for anything we missed (standing item)
[19:17] <sil2100> I suppose there's no new items
[19:17] <vorlon> I guess one minor thing there since you're the two other Canonicalers on the TB
[19:18] <vorlon> do either of you want to open an RT so I'm not a SPOF on the UES calendar?
[19:18] <sil2100> I think the TB elections are for next month
[19:18] <rbasak> On the topic of the calendar, vorlon I wonder if it's easier for you to just delete the existing recurring event and we can create a fresh one that we all can edit?
[19:18] <rbasak> I don't mind filing an RT either, but I'm not clear on exactly what to ask for.
[19:18] <vorlon> I'm not sure if that's better or worse than the status quo, where I have granted you edit access to the recurring event
[19:19] <vorlon> rbasak: basically, edit access to the calendar that owns this event
[19:19] <vorlon> which I think is better than changing it to be an event I personally own
[19:19] <rbasak> Ah I can edit it
[19:19] <rbasak> I just fixed the meeting location
[19:20] <sil2100> Can we edit the dates as well?
[19:20] <vorlon> as long as you do it in the context of this recurring event yes!
[19:20] <rbasak> Do we need anything further then?
[19:21] <sil2100> I think this is good enough to me
[19:21] <sil2100> Okay, I think that's it for the ML items
[19:21] <sil2100> #topic AOB
[19:21] <sil2100> Anything else to discuss?
[19:21] <rbasak> Nothing from me. Thanks!
[19:23] <vorlon> thanks!
[19:28] <sil2100> #endmeeting
[19:28] <meetingology> Meeting ended at 19:28:19 UTC.  Minutes at https://ubottu.com/meetingology/logs/ubuntu-meeting/2022/ubuntu-meeting.2022-10-18-19.15.moin.txt
[19:28] <sil2100> THank you! And sorry for being late, I try to finish up things at home here to get back to the releasey stuff
[23:47] <Bashing-om> Community Council Election: My vote completed - finally. Thanks to José's patience and guidance :D