16:35 <jdstrand> #startmeeting
16:35 <meetingology> Meeting started Mon Mar 24 16:35:28 2014 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:35 <meetingology> 
16:35 <meetingology> Available commands: action commands idea info link nick
16:35 <jdstrand> The meeting agenda can be found at:
16:35 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:35 <jdstrand> [TOPIC] Announcements
16:36 <jdstrand> I'm happy to announce I just booted into the ipc kernel and apparmor userspace that is available in the dbus-dev ppa (it is in that ppa for historical reasons, there are no dbus changes)
16:36 <jdstrand> :)
16:36 <jdstrand> [TOPIC] Weekly stand-up report
16:37 <jdstrand> I'll go first
16:38 <jdstrand> so, as mentioned, I am running the ipc kernel and userspace. I plan to continue running it and report issues, feed information back to the team, etc
16:38 <jdstrand> I have to look into golang a bit and comment in its MIR (related to juju-core)
16:38 <jdstrand> oxide-qt will be uploaded to the archive soon, and I'll help with that as I can
16:39 <chrisccoulson> hi :)
16:39 <jdstrand> I have a couple of action items related to webbrowser-app/webapp-container moving to oxide that I will work on
16:39 <jdstrand> chrisccoulson: hi!
16:40 <jdstrand> ScopesConfinement discussions have continued. I'm not sure I'll have more this week on that, but will be thinking about it for a meeting with the scopes team next week
16:40 <jdstrand> I have several embargoed items
16:41 <jdstrand> I'm on triage and will do updates if I can
16:41 <jdstrand> mdeslaur: you're up
16:42 <mdeslaur> I'm on community this week
16:42 <mdeslaur> I have a bunch of updates to test
16:42 <mdeslaur> I'm about to push out ca-certificates updates for our stable releases
16:42 <mdeslaur> and also an initramfs-tools update to fix /run being mounted without noexec
16:43 <mdeslaur> and apache2
16:43 <mdeslaur> If I have any time pending those, I'll be going down the CVE list, as usual
16:43 <mdeslaur> that's it for me, sbeattie?
16:43 <sbeattie> I'm on apparmor this week
16:44 <sbeattie> I too am focused on testing the ipc kernel and userspace
16:44 <mdeslaur> is the ipc userspace pretty much done now?
16:44 <jjohansen1> no
16:44 <mdeslaur> I seem to recall discussion of syntax changes
16:45 <jjohansen1> right, very limited discussion on that happened
16:45 <jjohansen1> that's one of the things that needs to happen
16:45 <sbeattie> yeah, I'll look at that as well
16:45 <sbeattie> as part of testing
16:45 <jdstrand> I will probably be able to respond too now that I am starting to profile some things
16:46 <mdeslaur> jjohansen1: the userspace changes only affect userspace, right?
16:46 <jdstrand> aiui, really just the discussion needs to happen. once it does, the changes are trivial
16:46 <jjohansen1> mdeslaur: yes
16:47 <mdeslaur> jjohansen1: ok, cool
16:48 <sbeattie> anyway, I'm also monitoring fallout from the apparmor userspace upload from last week (though tyhicks got tagged with the lxc issue that was raised)
16:48 <sbeattie> and that's pretty much it for me.
16:48 <sbeattie> tyhicks: you're up
16:48 <tyhicks> I'm working on LXC regressions in AppArmor (LP: #1296459, LP: #1295774)
16:48 <ubottu> Launchpad bug 1296459 in apparmor (Ubuntu) "Upgrade from 2.8.0-0ubuntu38 to 2.8.95~2430-0ubuntu2 breaks LXC containers" [Critical,New] https://launchpad.net/bugs/1296459
16:48 <ubottu> Launchpad bug 1295774 in apparmor (Ubuntu) "ERROR processing policydb rules for profile lxc-container-default, failed to load" [Undecided,Incomplete] https://launchpad.net/bugs/1295774
16:48 <mdeslaur> tyhicks: any quick idea what could be the cause?
16:49 <tyhicks> the dfa generation for mount rules changed and it looks like some permissions are missing in the dfa
16:49 <tyhicks> mdeslaur: ^
16:49 <mdeslaur> ok
16:49 <tyhicks> it also looks like the mount.sh regression test is busted and exits early
16:49 <tyhicks> I'll fix that, too
16:49 <tyhicks> after that I'll help with AppArmor work items, as needed
16:50 <tyhicks> that's it for me
16:50 <tyhicks> jjohansen1: you're up
16:50 * jjohansen1 is working on apparmor again this week
16:50 <jdstrand> tyhicks: fyi, that could be considered as a separate uploading depending on the timing of things. if so, we could roll in the aa.py fixes
16:50 * tyhicks nods
16:50 <jdstrand> s/uploading/upload/
16:51 * jjohansen1 is working on more ipc revisions to apparmor
16:51 <jjohansen1> and will be coordinating with sbeattie, tyhicks, ...
16:52 <mdeslaur> jjohansen1: what's the current status...have you managed to wrangle some of the bugs you had last week?
16:52 <sbeattie> jdstrand: there's other bits to pull in as well as aa.py fixes, some of the testsuite fixes address issues that show up on arm/ppc64el
16:52 <jjohansen1> mdeslaur: they are a work in progress, so not done
16:53 <mdeslaur> cool
16:53 <jjohansen1> so I am still working on the bugs from last week, and turned up a few more and fixed those
16:54 <jjohansen1> I think that is it from me sarnold, you're up
16:55 <sarnold> I'm in the happy place this week, which means working on MIRs, which will make some people very happy indeed :)  I've got juju-core, glusterfs, schroot, and strongswan to review and I don't think they're all doable this week, but I aim to make progress on them :)
16:55 <sarnold> if there's a new apparmor upload in the works I may do that one again, to keep those neurons fresh and try to take work from jjohansen1 and sbeattie
16:56 <sarnold> it depends upon how much effort the brain-dumps would take, I guess
16:56 <jdstrand> tyhicks may be able to help there. let's be flexible
16:56 <sarnold> oh okay
16:56 <tyhicks> we'll decide on the fly
16:56 <jdstrand> sarnold: (and thanks for offering, we might need it)
16:56 <sarnold> I think that's it for me, chrisccoulson, your turn :)
16:57 <chrisccoulson> i'm just about to upload oxide to the archive :)
16:57 <jdstrand> \o/
16:57 <jdstrand> huge milestone-- great job :)
16:57 <chrisccoulson> and then i've got a bunch of reviews that i need to get through for webapps
16:57 <chrisccoulson> other than that, it's business as usual :)
16:57 <chrisccoulson> did everyone see the blog posts?
16:58 <mdeslaur> chrisccoulson: congrats!
16:58 <jdstrand> chrisccoulson: was there another recent one beyond http://www.chriscoulson.me.uk/blog/?p=242?
16:58 <jdstrand> I know of that and http://www.chriscoulson.me.uk/blog/?p=196
16:58 <sarnold> chrisccoulson: heh, I saw the one about oxide running on raw egl, no display managers...
16:58 <chrisccoulson> jdstrand, http://www.chriscoulson.me.uk/blog/?p=251
17:00 <mdeslaur> chrisccoulson: nice
17:02 <ScottK> o/
17:02 <mdeslaur> hi ScottK!
17:02 <ScottK> You might want to consider promoting clamav 0.98.1 from backports to updates or security/updates.  0.97.8 is not able to use all the current virus definitions and so there's a capability/security gap there if people aren't using backports.
17:02 <ScottK> I think both upstream and the packaging are in a pretty stable place ATM.
17:03 <jdstrand> chrisccoulson: ah, nice!
17:03 <mdeslaur> ScottK: oh, cool. Is there a bug open about this?
17:03 <ScottK> No.
17:04 <ScottK> I can open one if you want, I thought it was worth a discussion first.
17:04 <ScottK> There are no CVEs to force it, but I think we're at a point where it would be smart.
17:05 <mdeslaur> ScottK: I think it definitely makes sense if the engine can't parse all the signatures...is there a link somewhere upstream where that is mentioned
17:05 <mdeslaur> ?
17:05 <ScottK> I suspect it's in the changelog.
17:06 <ScottK> Let me look.
17:06 <mdeslaur> ScottK: if you could please open a bug with a link, and assign it to me, I'll take care of it
17:06 <ScottK> OK.
17:06 <ScottK> I don't immediately see it in the Changelog, it may take reading the code.
17:07 <ScottK> (there's a variable that gets bumped.)
17:07 <ScottK> Also there's on-access scanning now that works with our kernel.
17:07 <ScottK> Other goodness too.
17:10 <mdeslaur> jdstrand: I think we're done?
17:10 <jdstrand> can this be taken to the bug or is there more discussion needed here?
17:10 <jdstrand> ok
17:10 <jdstrand> [TOPIC] Highlighted packages
17:10 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:10 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:10 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/php-radius.html
17:10 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gamera.html
17:10 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/offlineimap.html
17:10 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/banshee.html
17:10 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/python-scipy.html
17:10 <jdstrand> [TOPIC] Miscellaneous and Questions
17:10 <jdstrand> Does anyone have any other questions or items to discuss?
17:11 <ScottK> jdstrand: Working on the bug now.
17:16 <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen1, sarnold, chrisccoulson, ScottK: thanks
17:17 <jdstrand> #endmeeting