18:08:01 <jdstrand> #startmeeting
18:08:01 <meetingology> Meeting started Mon Mar 19 18:08:01 2012 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:08:03 <jjohansen> \o
18:08:05 <jdstrand> The meeting agenda can be found at:
18:08:06 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:08:13 <jdstrand> [TOPIC] Announcements
18:08:31 <jdstrand> Julian Taylor (jtaylor) provided a debdiff for oneiric for super (LP: #954579)
18:08:34 <jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
18:08:42 <jdstrand> [TOPIC] Weekly stand-up report
18:08:47 <jdstrand> I'll go first
18:09:35 <jdstrand> I'm on triage this week. I'm happy to see that after running process_cves this morning, there was nothing new in oss-security
18:10:09 <jdstrand> (I went back 5 weeks by exporting my oss-security folder in evo as mbox, then running check-cves --untriaged on it)
18:10:49 <jdstrand> so, hopefully this indicates we are back on track despite mitre's efforts to thwart us :)
18:11:23 <mdeslaur> hehe
18:11:33 <jdstrand> my focus this week is on finishing up my MIR security audits. I completed many last week but have 3 left. I think 1 more will be coming after that though
18:11:46 <jdstrand> depending on time, I will then move to install audits
18:11:51 <mdeslaur> jdstrand: you did the locate_cves on it first though, right?
18:12:18 <jdstrand> mdeslaur: you know, I missed that step :)
18:12:25 * jdstrand will report back momentarily
18:12:26 <mdeslaur> jdstrand: whoops :)
18:12:32 <jdstrand> mdeslaur: you're next
18:12:58 <mdeslaur> I'm working on a ca-certificates-java issue, and will go down the list after that
18:13:05 <mdeslaur> I'm in the happy place this week
18:13:14 <mdeslaur> meh, nothing further to report
18:13:18 <mdeslaur> sbeattie, you're up
18:13:46 <sbeattie> I'm on community this week, and have at least mahara to review.
18:14:06 <sbeattie> Otherwise, I'm working on apparmor bugs
18:14:16 <sbeattie> That's pretty much it for me.
18:14:22 <sbeattie> micahg: tag, you're it.
18:14:38 <micahg> I have patch piloting, as well as everything I didn't finish last week (Thunderbird update, Icedtea regression, thunderbird SRU), all to be completed this week, then there's webkit and possibly a chromium major update if they're on their 6 week schedule
18:15:01 <micahg> well, thunderbird SRU not to be completed, but uploaded :)
18:15:36 <micahg> questions?
18:15:52 <micahg> off to tyhicks then :)
18:16:09 <tyhicks> I'm in the happy place this week
18:17:07 <tyhicks> Making good progress on the freetype update. I noticed that Debian mainly only patched the invalid write vulns, while I'm also patching the invalid reads.
18:17:44 <tyhicks> It is taking a bit longer, but I've got all the tests in place and I've backported everything to oneiric. Hopefully the other backports aren't too bad now.
18:18:19 <tyhicks> I've got another revision of my patch for bug 842647 done
18:18:21 <ubottu> Launchpad bug 842647 in eCryptfs "[git] file blocks duplicated at the end of the file" [High,In progress] https://launchpad.net/bugs/842647
18:18:43 <tyhicks> test kernels just got finished building and I'll be posting a link to those shortly, after doing a quick smoke test
18:19:06 <tyhicks> That's about it for me. I'll be moving on to another update after I'm done with freetype.
18:19:15 <tyhicks> jjohansen: You're up
18:19:26 <jjohansen> I am continuing to look at Bug #959560, and any other apparmor bug that surfaces, or needs looking into (that includes following up with Christian on the mod_apparmor bug and also the APPARMOR_STOP mode for debugging). I need to post out the next revision of the mount rules kernel patch to lkml, get some mount rule tests added to the regression test suite, I also needed to start catching up on some of the deferred kernel
18:19:27 <ubottu> Launchpad bug 959560 in AppArmor "deny mount does not work correctly" [Undecided,New] https://launchpad.net/bugs/959560
18:20:18 <jjohansen> sigh, /me needs to also work on getting that paste right so it doesn't show up as one big blob
18:20:23 <jjohansen> jdstrand: back to you
18:21:14 <jdstrand> thanks
18:21:30 <jdstrand> so it looks like there were 6 things in oss-sec we didn't have. still not bad
18:21:44 <jdstrand> [TOPIC] Highlighted packages
18:21:49 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:21:53 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:22:06 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/jruby.html
18:22:09 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/rt73.html
18:22:12 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/xcftools.html
18:22:16 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/chasen.html
18:22:18 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/open-vm-tools.html
18:22:29 <jdstrand> [TOPIC] Miscellaneous and Questions
18:22:33 <jdstrand> Does anyone have any other questions or items to discuss?
18:23:29 <sbeattie> jdstrand: I noted you were planning on doing install audits; should we also start verifying qa-r-t tests for precise?
18:24:29 <sbeattie> I'm asking because I fixed one issue with mysql/qart on precise, but now the upstream tests are failing, and it may require fixing something in the mysql package.
18:25:29 <jdstrand> sbeattie: I'm not sure how we want to do these. we (I) failed in getting them done for precise and aiui the qa team is incorporating them
18:25:49 <jdstrand> sbeattie: my feeling at this time is to just update them as we have time
18:26:24 <jdstrand> and fix any bugs that the qa team reports. we can maybe formalize this a bit more next month. I don't think any of us have time to get this done before april all things considered
18:26:48 <jdstrand> mdeslaur: what are your thoughts?
18:27:15 <sbeattie> jdstrand: I somewhat agree, and in fact, the whole reason I looked at mysql was due to GrueMaster pointing out the breakage.
18:27:21 <mdeslaur> I think we should wait for qa team bug reports and/or patches
18:27:44 <sbeattie> but for some things it's better to know in advance...
18:28:15 <mdeslaur> well, for stuff like apparmor where we're pretty much the maintainer, I agree we should be looking at them for precise
18:28:34 <mdeslaur> but for other packages, I assume the qa team is running them on the dev release
18:28:35 <jdstrand> sbeattie: certainly. the QA team is supposed to get to the point where they are running these all the time, so the advanced notice is just part of our normal qa process. afaik, we aren't there yet, but should be fixing any bugs that they give to us
18:29:03 <jdstrand> mdeslaur: oh certainly. if a qrt package is tied to our acceptance criteria, we need to be running it
18:29:13 <jdstrand> s/package/script/
18:29:47 <jdstrand> sbeattie: can you hand that mysql failure to someone else on the team for now?
18:29:55 <jdstrand> sbeattie: can discuss outside of the meeting
18:30:15 <sbeattie> jdstrand: okay.
18:31:31 <jdstrand> mdeslaur, sbeattie, micahg, tyhicks, jjohansen: thanks!
18:31:32 <jdstrand> #endmeeting