/srv/irclogs.ubuntu.com/2023/10/10/#ubuntu-meeting.txt

=== JanC is now known as Guest7641
=== JanC_ is now known as JanC
slyonheyho o/14:31
eslermhello o/14:31
joalifo/14:31
slyonI wonder if cpaelzer is around ... (I thought he would be)14:34
slyonLet's wait for one more minute, otherwise I can run us through the script. I don't think there's a lot on the normal agenda today, due to being in release week.14:35
slyon#startmeeting Weekly Main Inclusion Requests status14:36
meetingologyMeeting started at 14:36:08 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology14:36
slyonPing for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )14:36
slyon#topic current component mismatches14:36
slyonMissio14:36
meetingologyAvailable commands: action, commands, idea, info, link, nick14:36
slyonMission: Identify required actions and spread the load among the teams14:36
slyon#link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg14:36
slyon#link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg14:36
slyonThis looks all very common. Mostly known false-positives. Except for jaraco.text, which apparently didn't make it this cycle, again. :(14:37
slyon#topic New MIRs14:37
slyonMission: ensure to assign all incoming reviews for fast processing14:37
slyon#link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir14:37
slyonempty.14:37
cpaelzerI'm here now, but not the full length14:37
cpaelzerthanks for driving the meeting slyon14:37
slyon#topic Incomplete bugs / questions14:37
slyonMission: Identify required actions and spread the load among the teams14:37
slyon#link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir14:37
slyongoing back one week 2023-10-03, we have only one update in bug #202397114:38
-ubottu:#ubuntu-meeting- Bug 2023971 in libmail-dmarc-perl (Ubuntu) "[MIR] libmail-dmarc-perl" [Undecided, Incomplete] https://launchpad.net/bugs/202397114:38
* slyon reading14:38
cpaelzerI know that mirespace follows some leads I have given her14:39
cpaelzerwhich will cut down the list of packages needed a lot14:39
cpaelzeressentially she is trying to save us all 40 more MIR packages14:39
slyonnice!14:39
slyonSeems there are some clear next steps defined on her side14:40
slyonNothing to do for us, right now.14:40
slyon#topic Process/Documentation improvements14:40
slyonMission: Review pending process/documentation pull-requests or issues14:40
slyon#link https://github.com/canonical/ubuntu-mir/pulls14:40
slyon#link https://github.com/canonical/ubuntu-mir/issues14:40
cpaelzerPR is a draft and held back for better times14:40
cpaelzerthe issues are also old news14:41
cpaelzerI think we can go on14:41
slyonack.14:41
slyon#topic MIR related Security Review Queue14:41
eslermSimon asked for clarification on when tools in main needed re-review, as we had fro s390-tools14:41
slyonMission: Check on progress, do deadlines seem doable?14:41
slyonSome clients can only work with one, some with the other escaping - the URLs point to the same place.14:41
slyon#link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir14:41
cpaelzereslerm: you know the discussion on re-review as a process14:41
slyon#link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir14:41
cpaelzerwhich has thoughts, but everyone saying "no resources for that, please do not add it atm"14:42
slyoneslerm: cpaelzer: and for s390-tools it was also a (hidden) component-mismatch14:42
cpaelzerthe reason for s390-tools has been because it was a voluntary (appreciated) "there is a massive change"14:42
slyonas it was pulling in new non-reviewed dependencies. (even though vendored)14:42
cpaelzerexactly - ack to slyon14:42
eslermthank you14:43
slyonInternal link14:43
slyon#link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/59414:43
slyonSo eslerm, do you want to give and update on the security review process?14:43
cpaelzeror rather s/process/progress/ :-)14:43
eslermnon-reviewed dependencies sounds like the whole process in general ?14:43
cpaelzerit is the whole process, but they could have sneaked them in as they would have been vendored14:44
eslermSecurity doesn't have a great way to work through all vendoreded dependencies, rustc has ~700 and we can't review them all14:44
cpaelzerso the tooling would not have stopped them14:44
cpaelzereslerm: you mean rustc itself has 700 other things?14:45
eslermah, understood, I'll add a task to the jira board above14:45
eslermrustc/cargo has ~700 vendored packages14:45
eslermissues in those packages should be tracked too14:46
eslermrustc 1.70.0 has 532 folders in ./vendor/14:46
slyonI agree. I'll start a discussion at the next engineering sprint about having toolchain maintainers provide a set of "base" dependencies (tiny but ubiquitous) for their ecosystem and help maintaining them in "main". Hopefully that should cover many of those 532 folders14:47
eslermthank you slyon14:48
eslermoverlap with rustc is appreciated14:48
cpaelzerwhich is one of the issues you see in github14:48
cpaelzertalk about these base sets14:48
slyonany other update from the security team?14:48
eslermnone, except s390-tools being ack'd last week14:49
slyoneslerm: Thanks and kudos. That's much appreciated! I know timing was very tight.14:49
slyon#topic Any other business?14:49
slyoncpaelzer: did you want to bring up anything?14:50
cpaelzerno14:50
joalifnone14:50
slyonok. Nothing from my side either.14:50
eslermnone14:50
slyonAlright. I guess that's it then for today.14:50
slyonthank you all!14:50
eslermthanks slyon, all o/14:50
slyon#endmeeting14:51
meetingologyMeeting ended at 14:51:25 UTC.  Minutes at https://ubottu.com/meetingology/logs/ubuntu-meeting/2023/ubuntu-meeting.2023-10-10-14.36.moin.txt14:51
cpaelzerthanks slyon14:51
joalifthanks all14:52
rbasako/19:01
seb128hey19:01
* vorlon waves19:02
vorlonsil2100 is at the release sprint this week, so given the timing I think he probably won't be joining (he's hopefully getting some dinner now)19:03
vorlon#startmeeting19:03
meetingologyMeeting started at 19:03:10 UTC.  The chair is vorlon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology19:03
meetingologyAvailable commands: action, commands, idea, info, link, nick19:03
vorlon#topic apologies19:03
vorlonamurray sent his apologies to the list19:03
vorlonand as mentioned, I expect sil2100 is indisposed due to release sprint19:03
vorlon#topic action review19:03
vorlonseb128/amurray/sil200 to help drafting the snap-store Ubuntu-specific tracks usage19:04
vorlonseb128: anything to update here?19:04
seb128not from me, and I didn't see activity from the others either19:04
vorlonok, carrying over19:04
vorlon#action seb128/amurray/sil200 to help drafting the snap-store Ubuntu-specific tracks usage19:04
meetingologyACTION: seb128/amurray/sil200 to help drafting the snap-store Ubuntu-specific tracks usage19:04
vorlonrbasak to draft a proposal of the DMB-proposed inactivity expiration policy for TB ratification19:04
vorlonrbasak: ?19:05
rbasakCarry over again please19:05
vorlon#action rbasak to draft a proposal of the DMB-proposed inactivity expiration policy for TB ratification19:05
meetingologyACTION: rbasak to draft a proposal of the DMB-proposed inactivity expiration policy for TB ratification19:05
vorlonrbasak to follow up on finding consensus on question of test plans for third party apps19:05
rbasakSame again19:05
vorlon#action rbasak to follow up on finding consensus on question of test plans for third party apps19:05
meetingologyACTION: rbasak to follow up on finding consensus on question of test plans for third party apps19:05
rbasakAnd my third too19:05
vorlon#action rbasak to open wider discussion on third-party repo policy19:05
meetingologyACTION: rbasak to open wider discussion on third-party repo policy19:05
vorlonseb128 to follow up with SRU, AA, Release, Backporters and Security teams to document their membership process and link to it from https://wiki.ubuntu.com/TechnicalBoard#Team_Delegations19:05
vorlonthis appears to be in process19:05
seb128I finally found some time to reach out to the teams19:05
vorlonseb128: I was surprised that you were emailing the AAs about this because you are an admin in that team, and I thought in a previous round of discussion I suggested that you should take the point on drafting?19:06
seb128but it was only yesterday, rbasak replied for the SRU team today19:06
vorlonyes19:06
seb128vorlon, I do plan to follow up/work on that but I decided to email anyway to give the context to everyone in the team19:06
seb128I should perhaps have included a note about that directly19:07
seb128I will follow up19:07
vorlonok19:07
vorlonis there a new action that should be recorded now that this is in progress? the follow-up is done but of course there's nothing to record on the wiki yet19:08
seb128maybe reword slightly the action item?19:08
rbasak+119:08
vorlonhuh maybe the new action would also be follow-up? :)19:09
seb128follow up -> continue working19:09
vorlonok19:09
vorlon#action seb128 to continue working with SRU, AA, Release, Backporters and Security teams to document their membership process and link to it from https://wiki.ubuntu.com/TechnicalBoard#Team_Delegations19:09
meetingologyACTION: seb128 to continue working with SRU, AA, Release, Backporters and Security teams to document their membership process and link to it from https://wiki.ubuntu.com/TechnicalBoard#Team_Delegations19:09
vorlonand mine is also carry-over19:09
vorlon#action vorlon to write up draft guidelines for packages in the archive that download from the Internet19:09
meetingologyACTION: vorlon to write up draft guidelines for packages in the archive that download from the Internet19:09
vorlon#topic Scan the mailing list archive for anything we missed (standing item)19:10
vorlonso in https://lists.ubuntu.com/archives/technical-board/2023-September/002763.html seb128 says he would like to "put the topic back on the agenda for the next TB meeting"19:11
vorlonseb128: is there a discussion you want to have about this right now?19:11
seb128vorlon, let's postpone to next time to let a chance for the concerned team to follow up on the emails I just sent, and also to have more TB members around?19:12
vorlonok19:12
vorlon#action add to next meeting agenda to have follow-up discussion on https://lists.ubuntu.com/archives/technical-board/2023-September/002763.html19:12
meetingologyACTION: add to next meeting agenda to have follow-up discussion on https://lists.ubuntu.com/archives/technical-board/2023-September/002763.html19:12
vorlonthen there is also https://lists.ubuntu.com/archives/technical-board/2023-October/002767.html19:13
vorlonin which rbasak asks for TB sign-off19:13
vorlonwhile we could vote here with 3 of us, that seems better done via the mailing list IMHO?19:13
rbasakBut nobody replied in the ML19:13
seb128I was waiting for the meeting thinking it would be easier19:14
seb128I will reply on the list since that didn't work out19:14
rbasakWe're here, so could we just do it now?19:14
rbasakIf you're both happy, then we could just call it done, and I can reply to the ML and speak for the TB in approving.19:15
rbasakIf you have questions or concerns, then we could discuss that right now.19:15
vorlonrbasak: I'm happy, and additionally I don't see the fact that this is done after EoSS to be something that structurally requires TB signoff19:15
seb128I'm +1 as well19:16
rbasakI was unclear if that aspect was for the TB or SRU team to decide - it's unclear that the SRU team has any say after EoSS at all.19:16
vorlonif we're doing the formal signoff here let's call a vote19:16
rbasakBut I figured that if the TB and SRU team are both happy, then we can call it done.19:16
vorlonrbasak: <shrug> the fact that there is a difference between standard support and esm support, and the fact that we keep the archive open past the end of standard support, is also not anything that required TB signoff19:17
rbasakWe don't have any formal definition of what requires TB sign-off :)19:17
vorlon#vote sign off on UbuntuAdvantageToolsUpdates exception that "Facilities that enable access to Ubuntu Pro may be added to the main Ubuntu archive and installed by default" and "Updates shall be permitted as usual for SRUs and additionally after EoSS."19:17
meetingologyPlease vote on: sign off on UbuntuAdvantageToolsUpdates exception that "Facilities that enable access to Ubuntu Pro may be added to the main Ubuntu archive and installed by default" and "Updates shall be permitted as usual for SRUs and additionally after EoSS."19:17
meetingologyPublic votes can be registered by saying +1, -1 or +0 in channel (for private voting, private message me with 'vote +1|-1|+0 #channelname')19:17
vorlon+119:18
meetingology+1 received from vorlon19:18
rbasakThe whole ESM arrangement was done with TB members involved so I think we can assume the TB is happy with it.19:18
rbasak+119:18
meetingology+1 received from rbasak19:18
seb128+119:18
meetingology+1 received from seb12819:18
vorlon#endvote19:18
meetingologyVoting ended on: sign off on UbuntuAdvantageToolsUpdates exception that "Facilities that enable access to Ubuntu Pro may be added to the main Ubuntu archive and installed by default" and "Updates shall be permitted as usual for SRUs and additionally after EoSS."19:18
meetingologyVotes for: 3, Votes against: 0, Abstentions: 019:18
meetingologyMotion carried19:18
rbasakGreat! Thanks.19:18
vorlonthat's it for mailing list19:18
vorlon#topic Check up on community bugs and techboard bugs19:18
vorlon#link https://bugs.launchpad.net/ubuntu-community/+bugs?field.assignee=techboard19:19
vorlon019:19
vorlon#link https://bugs.launchpad.net/techboard19:19
vorlonnothing new...19:19
vorlon(and both covered via outstanding actions)19:19
vorlon#topic Select a chair for the next meeting (next from https://launchpad.net/~techboard/+members)19:20
vorlonI believe next is sil2100 with amurray as backup19:20
seb128ack19:21
vorlon#agreed next chair: sil2100, backup: amurray19:21
meetingologyAGREED: next chair: sil2100, backup: amurray19:21
vorlon#topic AOB19:21
vorlonone little thing that might be worth mentioning here vs in a direct message19:22
vorlonDMB recently approved philroche's PPU application for livecd-rootfs19:22
vorlonand the packageset stuff seemed to all happen behind the scenes, which is fine - I assume rbasak switched hats DMB->TB and got it done?19:22
vorlonanyway I also gave him direct commit rights on the git repo (because it's not git-ubuntu yet cough cough) which caused me to notice that rcj who is no longer actively involved in Ubuntu development still has livecd-rootfs ppu rights as well19:23
seb128vorlon, it was mentioned on https://lists.ubuntu.com/archives/devel-permissions/2023-October/002350.html I think?19:23
rbasakYes I just did the PPU addition wearing my TB hat, without bothering with the process for a bug, because I'm on both teams.19:23
vorlonseb128: right, TB isn't expected to be subscribed to that list? (I'm not)19:23
seb128fair enough19:24
vorlonso anyway, this made me aware that DMB doesn't review historic PPU rights or packagesets to confirm they're still relevant and appropriate19:24
rbasakWe only created the bug process to request PPU changes because we were struggling to get the changes done otherwise. I think we should keep that option open (eg. if a TB+DMB member is unavailable or retires) but didn't think it was mandatory to use.19:24
vorlonand I just wanted to make the rest of the TB aware of this19:24
rbasakdoesn't review historic> this applies to things like core dev, too.19:25
vorlonvery true19:25
seb128I was going to say that, taking the archive team as another example19:25
rbasakIt has been suggested that perhaps we should expire people from those teams if they haven't uploaded for some period of time.19:25
rbasakAlthough I wouldn't want to encourage uploaders to make junk uploads to keep their rights, either.19:26
vorlonfwiw it feels to me that ppu should have >= scrutiny to the general uploader teams; because someone who has passed muster for core-dev might perhaps dip in and out of involvement over time while still having passed the bar for technical knowledge of Ubuntu as a whole19:26
rbasakThat would help keep the archive secure - less attack surface for an adversary getting hold of uploaders' keys, etc.19:27
vorlonwhereas someone who has only been approved for PPU of a particular package(set), and has NOT been involved in the maintenance of it... well?19:27
vorlonAnyway!  this isn't something I wanted to demand / propose immediate changes around, just raising awareness and food for thought19:27
rbasakI'm not sure I see that distinction really, but I agree with the general principle.19:28
rbasakFWIW, this sort of thing has been discussed within the DMB before. I don't remember anyone having any particular objections.19:28
vorlonrbasak: well in this specific case I would say that if rcj actually exercised his PPU rights on livecd-rootfs I would immediately be checking if his account was compromised (or, er, if he was personally compromised)19:28
rbasakWe don't currently have the mechanism. Somebody would have to write the code.19:28
vorlonalso while security is always a concern, I also want to balance that against not causing folks in the broader Ubuntu developer community feel like they are being cast off if they have had less time to be involved19:29
rbasakI'm not keen on singling out individuals FWIW. If we want to implement this kind of policy, we should do it, but we should define the criteria and apply it at once for whomever it's met.19:29
rbasakPerhaps we could "downgrade" them to "Contributing Developer", and the DMB should have a lower bar on reapplication.19:30
vorlonof course. I'm just using him as an example of why we might want a policy, because I'm familiar enough with the specifics there19:30
rbasakSo that they are still recognised for their previous contributions.19:30
vorlonoh, one other practical implication of all of this19:30
vorlonthe release team bot that auto-approves non-frozen packages in the unapproved queue ... honors packagesets.  So having stale packagesets wastes some developer time during release freezes19:32
rbasakhonors packagesets> what does that mean, exactly?19:32
rbasakIs it re-applying an ACL somehow?19:33
rbasakBecause apart from that, a packageset is just a list of packages, no?19:33
vorlonrbasak: the bot assumes that packages that are part of a packageset, but not seeded in main, should not be blindly waved through the queue19:33
vorlonwhich means they sit in the queue longer until a human reviews them19:33
vorlonmaybe the answer is "the bot shouldn't do that"19:33
rbasakI was going to say that :)19:33
rbasakCan it use seeded-in-ubuntu instead perhaps?19:34
vorlonwell now we're getting into the weeds19:34
vorlonbecause I have issues with the implementation of that command too :)19:34
vorlonanyway, enough of this digression IMHO19:35
rbasakThe thing is, the DMB doesn't actively maintain packagesets19:35
rbasakIt's sort of difficult to do.19:35
rbasakIn practice they are only tweaked on request19:35
vorlonyeah19:35
vorlonIMHO https://ubuntu-archive-team.ubuntu.com/packagesets/mantic/ has some definitely dodgy stuff19:36
seb128we should probably try to review those at some point indeed19:37
seb128the ubuntugnome one for example doesn't make sense anymore19:37
seb128just to pick one random example19:37
vorlonwould we want the TB to do that review?  DMB?  Random Ubuntu devs (maybe on the release team) proposing removals?19:38
seb128having the devs proposing removals might make sense, I'm unsure the TB or DMB have enough context on the specifics of each set19:39
vorlonsounds fine to me19:40
vorlonanyway -19:40
vorlonAOB?19:40
rbasakI just managed to dig up https://irclogs.ubuntu.com/2023/08/07/%23ubuntu-meeting.html#t19:2419:41
rbasakThis is an example of Brian noticing the mythbuntu packageset still existing19:41
vorlonoh augh19:41
vorlon:)19:41
seb128vorlon, on the cleaning of packagesets should we take a note / action item to maybe at least start a discussion about it on a project list tbd?19:41
rbasakHe got an action item to clear it up since he noticed, but I'm not sure if that was recorded properly.19:41
vorlonseb128: I don't want to take the action because it's low-priority, and I don't want it to be "everybody's responsibility" either :)19:42
seb128rbasak, the action isn't listed on the wiki so it seems it wasn't recorded properly19:43
seb128vorlon, fair enough, I keep a note on my backlog of things I might try to do one day if nobody beats me to it19:44
vorlonsounds good19:44
vorlonshall we call the meeting there?19:44
rbasakSure, thanks.19:44
vorlon#endmeeting19:44
meetingologyMeeting ended at 19:44:28 UTC.  Minutes at https://ubottu.com/meetingology/logs/ubuntu-meeting/2023/ubuntu-meeting.2023-10-10-19.03.moin.txt19:44
vorlonrbasak, seb128 thanks!19:44
seb128thanks!19:44

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!