=== pushkarnk1 is now known as pushkarnk === enr0n_ is now known as enr0n [15:30] o/ [15:30] o/ [15:31] #startmeeting Weekly Main Inclusion Requests status [15:31] Meeting started at 15:31:12 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology [15:31] Available commands: action, commands, idea, info, link, nick [15:31] Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe ) [15:31] o/ [15:31] hello party people [15:31] #topic current component mismatches [15:31] Mission: Identify required actions and spread the load among the teams [15:31] #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg [15:31] #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg [15:31] That is not much ... [15:32] we still have kexec-tools -> xen, I guess my ping to xnox last week might no more help as much depending on his priorities now [15:32] Let me bring this up in #kernel for awareness [15:33] done [15:34] on libcryptx I know that miriam has an upload to make he expected change up for review [15:34] so that dependency will soon be gone [15:34] #topic New MIRs [15:34] Mission: ensure to assign all incoming reviews for fast processing [15:34] #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir [15:34] we had plenty last two weeks [15:34] good morning [15:34] let us have a look this week [15:34] hi sarnold [15:34] wow [15:35] as calm as component mismatches [15:35] well, ok [15:35] #topic Incomplete bugs / questions [15:35] .. is it working? :) [15:35] Mission: Identify required actions and spread the load among the teams [15:35] #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir [15:35] ok I see plenty of recent updates here === flag is now known as ppisati [15:36] https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971 is back on mirespace [15:36] -ubottu:#ubuntu-meeting- Launchpad bug 2023971 in libmail-dmarc-perl (Ubuntu) "[MIR] libmail-dmarc-perl" [High, Incomplete] [15:36] thanks joalif for the review [15:36] https://bugs.launchpad.net/ubuntu/+source/bpfcc/+bug/2052813 I reviewed today [15:36] -ubottu:#ubuntu-meeting- Launchpad bug 2052813 in bpfcc (Ubuntu) "[MIR] bpfcc" [Undecided, Incomplete] [15:36] it is ok but with quite a few required and recommended todos [15:36] here in particular I wanted to ask eslerm and sarnold something [15:37] could you open my review and scroll to the [Security] section [15:37] In this case I'm not sure if I should say we need or do not need a security review [15:37] WDYT? [15:38] I'm [15:38] yes you are [15:38] :D [15:38] I'm not sure either; on the one hand, administrative privilege is required to run these, so there's a thin barrier at best [15:38] most of the security layer happens in the kernel [15:38] yes, by BPF being in isolation there [15:39] some isolation [15:39] here is the deal, if you say you do not think it is needed, my call will be it is not needed [15:39] I'll let sarnold decide [15:39] and then we are fine [15:39] a quick review might remove some footguns [15:39] if you say, no you want - then I go that way [15:39] I believe that this package itself is very little risk to the security team, but the kernel portion might -- so, I'm inclined to say that this doesn't need security team review [15:40] eslerm: is there a good way to express "we should have a quick check but not a full reivew" [15:40] likely :) [15:41] hehe [15:41] how about you volunteer for that "quick but not full" check [15:41] then the solution is that I'll assign you [15:41] actually it is back with mkukri so I'd subscribe you [15:41] a short audit might find something useful to report upstream, it might just be bugs, if the security context cannot be made worse by bugs [15:42] I can do that [15:42] thank you [15:42] (i.e., only bugs exist if you are already root, not vulnerabilities) [15:42] you are subscvribed [15:42] "subscribed" [15:42] next is https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2015538 [15:42] oh anything is fine by me as far as these MIRs go [15:42] -ubottu:#ubuntu-meeting- Launchpad bug 2015538 in dbus-broker (Ubuntu) "[MIR] dbus-broker" [Undecided, Incomplete] [15:43] current plan is for me to address the TODOs next week and hopefully get it uploaded by FF [15:43] thanks mkukri if only we'd have known that we could dump anything on you as part of this :-P [15:43] cpaelzer: so you helped get the apparmor delta upstreamed into Debian dbus-broker? We should be able to drop the Ubuntu delta then, right? [15:43] "these MIRs" as in the ones already assigned, anything extra will have to go through foundations managers, am afraid :) [15:44] yes slyon the Debian maintainer is helpful and friendly, he asked for that delta even [15:44] and on the bug he helped to explain to resolve some of the discussions [15:44] like not ever fully replacing dbus anyway because dbus-run-session from the src:dbus package works just fine [15:44] that directly addresses a concern of eslerm [15:45] and overall makes this more likely to work out [15:45] I have no good overview of what else is left open here, but it could go back to seb128 to reconsider [15:45] jbicha: ^^ could you pass that info on please as seb seems to not be around atm [15:45] should we then ask for a split of src:dbus into one package for dbus-run-session, one package for the policy/config/deps that bluca mentions, and one package (for universe) for the daemon that we want to demote? [15:46] sarnold: IMHO no, we have packages where we explicitly say "this binary in main, the rest not" [15:46] cpaelzer: hah, I see I forgot the word 'binary' in there [15:46] doing that here is much smaller maintenance effort than keeping a huge delta splitting the source [15:46] oh [15:47] yeah, that "splitting the binaries to just keep what we want in main" would be a good next step then [15:47] +1 [15:48] +1 [15:48] I added a comment on the bug [15:48] a rust vendored version of dbus-broker-session is also needed, right? [15:48] I also just synced the dbus-broker package [15:48] thank you for the discussion [15:48] yes eslerm, that is one of the known required todos [15:48] dbus-broker-session is still in PR iiuc [15:49] interesting [15:49] https://github.com/bus1/dbus-broker/pull/321 [15:49] -ubottu:#ubuntu-meeting- Pull 321 in bus1/dbus-broker "session: implement dbus-broker-session" [Open] [15:49] wow [15:49] next incomplete is https://bugs.launchpad.net/ubuntu/+source/gnome-snapshot/+bug/2052652 [15:49] -ubottu:#ubuntu-meeting- Launchpad bug 2052652 in gnome-snapshot (Ubuntu) "[MIR] gnome-snapshot" [Undecided, Incomplete] [15:49] but bluca mentions we could keep using dbus-run-session (if it is split into an separate binary anyway) [15:49] got a review by slyon [15:49] ack slyon, that is how I understood it too [15:50] ah, ack [15:50] So I guess this is just back to the requesting team to resolve required TODOs [15:50] gnome-snapshot has quite some TODOs for jbicha. I wonder if we should already get this into security-queue, as it seems time sensitive? [15:50] it will go to the security reivew [15:50] so you might want to add that to the queue already despite being back for open tasks [15:50] hehe [15:50] we thought alike slyon [15:50] hehe [15:50] sarnold: eslerm: WDYT? [15:51] yeah, we should be pulling things forward as we can [15:51] I prefer things hitting our queue early [15:51] I'll forward this conversation to Seb but I believe he won't be able to respond this week [15:51] ok, do it! [15:52] jbicha: thank you, feel free to respond in his name or pull in others as you see appropriate (or don't - really up to you) [15:52] next recent incomplete is https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916 [15:52] -ubottu:#ubuntu-meeting- Launchpad bug 2051916 in libtraceevent (Ubuntu) "[MIR] promote libtraceevent as a trace-cmd dependency" [Undecided, Incomplete] [15:52] yet another review done, thanks didrocks [15:52] again having lots of required and some recommended TODOs [15:52] that is back on Paul for now [15:52] should security review this while others are working on TODOs? [15:52] a bit symbols, plenty of testing .- just like bpfcc actually [15:53] this again was called to need a review [15:53] so yes, to bring things forward I think it would be great to add that to the queue already as well [15:53] upils: is working on this actively [15:53] I need to keep time in mind, so I'll go on [15:53] but this section was very worthwhile today [15:54] bringing a lot of things forwards [15:54] #topic Process/Documentation improvements [15:54] Mission: Review pending process/documentation pull-requests or issues [15:54] #link https://github.com/canonical/ubuntu-mir/pulls [15:54] #link https://github.com/canonical/ubuntu-mir/issues [15:54] nothing new [15:54] #topic MIR related Security Review Queue [15:54] Mission: Check on progress, do deadlines seem doable? [15:54] Some clients can only work with one, some with the other escaping - the URLs point to the same place. [15:54] #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir [15:54] #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir [15:54] Internal link [15:54] we fixed the graph last week with dviererbe :) [15:54] - ensure your teams items are prioritized among each other as you'd expect [15:54] - ensure community requests do not get stomped by teams calling for favors too much [15:54] #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594 [15:54] we just said we will add two [15:54] awesome slyon and dviererbe [15:54] I added a comment to https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614 [15:54] -ubottu:#ubuntu-meeting- Launchpad bug 1977614 in fdk-aac-free (Ubuntu) "[MIR] fdk-aac-free" [Undecided, Confirmed] [15:54] slyon woo! :) thanks [15:55] thanks eslerm [15:55] that was jbicha requesting that, he might know if that is of current priority or not [15:56] I'll go on in the agenda ... [15:56] #topic Any other business? [15:56] I have one more question [15:56] I had all mine above already [15:56] shoot eslerm [15:56] https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495 [15:56] -ubottu:#ubuntu-meeting- Launchpad bug 2052495 in wsl-pro-service (Ubuntu Noble) "[MIR] wsl-pro-service" [Undecided, Confirmed] [15:56] not to be considered an order [15:56] is any special consideration needed for promoting to older LTS' [15:57] ok, I know a bit of that context [15:57] yes, we'd like to get fdk-aac-free into main for Noble. I will ping my Fedora contacts today about the fork being outdated [15:57] eslerm: so far the package is not even available on older series... so I would ignore it for now? [15:57] thanks jbicha [15:57] ack, thanks slyon [15:57] so, our review would not be acking old LTS then ? [15:57] the consideration we had in the past [15:57] the owning team should request MIR for the older series once it's ready [15:58] sounds good to me [15:58] slyon: but here they requested it right away [15:58] they did spell out that this will immediately go back to older releases [15:58] what we have done in that case in the past [15:58] eslerm: yes. We'll probably have the same version backported to older LTS (I assume)... so an follow-up MIR for older LTS should be easy [15:58] was looking if that adds any special issues [15:58] cpaelzer: wsl currently plays no part in any of the testing anywhere in the companym, as far as I can tell: there's no britney, none of the security team tests have ever been tested in wsl, etc. it's always felt like a "well, if it works, that's neat" sort of thing [15:58] like, dependencies or the context no more working [15:59] cpaelzer: it's weird to me to be considering selling pro for wsl without having the basic testing story covered [15:59] and then we have said "this is ok, also for those releases" [15:59] sarnold: this is for pro in wsl as you say, and that is actually tested daily and on any change by the Desktop team owning this agent and by the pro team it is tested as well from the other POV to this [16:00] pro on wsl, does not make this story any different [16:00] we could also say we need tests on each cloud, each container stack, ... then [16:00] but we do not [16:00] I believe security can proceed with only Nobel in mind (a conditional ack for just 24.04 if needed) while this is all worked out [16:00] can windows execute systemd yet? [16:01] as far as I know, the clouds can, and some of the containers do, some do not.. [16:01] to be clear, you can have a lot of things in WSL already, even pro works there. But it isn't called that way and this makes it able to enable it more smoothly. [16:01] sarnold: I remember helping with systemd support for wsl in the past, so probably yes [16:01] yes, it can in some environments [16:02] I seem to recall lucy making it work, but does the thing that we or microsoft ship work? [16:02] it isn't as bad as you might think :-) [16:02] I think comparing it to a new architecture is perhaps the better comparison [16:02] but again, this request is only for an agent that makes enabling pro possible in smoother ways [16:02] sure [16:03] it is not "let us create Ubuntu for WSL, what should we do" [16:03] I'm asking the larger question [16:03] those are questions to be asked, but not as part of this MIR [16:03] cpaelzer: just promise me that someone is asking these questions of the right people [16:04] sarnold: you send me a mail summarize with what you want to be asked and I make it happen [16:04] cpaelzer: awesome, thanks :) [16:04] I have quite some ties to many people, probably all that need to hear that [16:04] ok [16:04] thank you all, I need to close [16:04] I'm too late already ... [16:04] thanks cpaelzer, all :) [16:04] thanks++ [16:04] thanks everyone o/ [16:04] #endmeeting [16:04] Meeting ended at 16:04:50 UTC. Minutes at https://ubottu.com/meetingology/logs/ubuntu-meeting/2024/ubuntu-meeting.2024-02-20-15.31.moin.txt [16:05] thanks! o/ === ppisati is now known as flag