#ubuntu-meeting log

18:02:29 <jdstrand> #startmeeting
18:02:29 <meetingology> Meeting started Mon Mar  5 18:02:29 2012 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:02:29 <meetingology> 
18:02:29 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:02:47 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:02:49 <jjohansen> \o
18:02:53 <micahg> o/
18:03:03 <jdstrand> [TOPIC] Announcements
18:03:15 <jdstrand> * Thanks
18:03:28 <jdstrand> Kilian Krause (kilian) from Debian provided debdiffs for lucid for fex (DSAs 2414 and 2259)
18:03:33 <jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
18:03:43 <jdstrand> [TOPIC] Review of any previous action items
18:03:55 * jdstrand sbeattie to follow up on qrt bugs from QA team
18:04:39 <sbeattie> Yep, did that (finally)
18:04:43 <jdstrand> \o/
18:04:46 <jdstrand> sbeattie: thanks :)
18:05:08 <jdstrand> [TOPIC] Weekly stand-up report
18:05:14 <jdstrand> I'll go first
18:05:29 <jdstrand> I finally got caught up on archive admin work
18:05:52 <jdstrand> I'm in the happy place this week and hope to catch up on MIR security audits
18:06:02 <jdstrand> there is an embargoed issue I am working on
18:06:31 <jdstrand> and maybe I can pick back up some pending updates
18:06:48 <jdstrand> if not by the end of the week, certainly next week
18:06:58 <jdstrand> (assuming nothing else comes up)
18:07:02 <jdstrand> mdeslaur: you're next
18:07:10 <mdeslaur> I'm on triage this week
18:07:28 <mdeslaur> I released lightdm updates this morning, and am currently testing flashplugin-nonfree
18:07:41 <mdeslaur> and then I have an embargoed issue I'm working on
18:08:04 <mdeslaur> I have a few security bugs to research
18:08:13 <mdeslaur> and then will pick other updates from the list
18:08:19 <mdeslaur> that's it from me
18:08:20 <mdeslaur> sbeattie: you're it
18:08:48 <sbeattie> I'm in the happy place this week
18:09:28 <sbeattie> I'm still working on my glibc update
18:09:55 <sbeattie> Once that's done, I'll be focusing on apparmor userspace bugs/workitems
18:10:07 <sbeattie> that's pretty much it for me.
18:10:29 <sbeattie> is micahg back?
18:10:31 <micahg> yes
18:12:08 <jdstrand> micahg: it's your turn
18:12:12 <micahg> I uploaded chromium earlier this morning and will be testing that, still trying to get the Firefox/icedtea crash fixed (now with new upstream commit :)), and time permitting webkit, this is also the week before Mozilla's rapid release day, so I'll be staging and testing anything that's available this week
18:12:29 <micahg> jdstrand: I know, just a little slow typing :)
18:12:57 <micahg> that's it for me I think, tyhicks?
18:13:08 <tyhicks> I'm handling community this week
18:13:13 <jdstrand> micahg: let me test chromium when it goes to -proposed again.
18:13:29 <micahg> jdstrand: as you wish
18:14:06 <tyhicks> I will start on a gnutls update
18:14:27 <tyhicks> and work on an embargoed issue
18:14:34 <tyhicks> that's it for me
18:14:41 <tyhicks> jjohansen?
18:15:14 <jjohansen> well, I need to post out the revisions to the upstream kernel patches
18:15:34 <jjohansen> and debug some mount failures, that people are running into
18:16:01 <jjohansen> I am testing the fix to minimization, and we should be able to get that uploaded today too
18:16:59 <jjohansen> other than that /me wants to try picking off his remaining work items this week
18:17:50 <jjohansen> thats it for me I think jdstrand back to you
18:17:55 <jdstrand> thanks
18:18:06 <jdstrand> micahg: I meant to ask: how is the webkit progress?
18:19:00 <micahg> well, if I can spend a little bit of time on it, I should be able to start uploading some test builds to my PPA this week
18:19:32 <jdstrand> awesome!
18:19:42 * jdstrand hopes the chromium testing helps there
18:19:51 <jdstrand> [TOPIC] Highlighted packages
18:19:58 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
18:20:02 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:20:09 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/slim.html
18:20:12 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/icecast2.html
18:20:15 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libdigest-perl.html
18:20:19 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/xfce4-session.html
18:20:22 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/djbdns.html
18:20:31 <jdstrand> [TOPIC] Miscellaneous and Questions
18:20:47 <jdstrand> we do have one topic to discuss:
18:20:54 <jdstrand> * Discuss another non-native PPA for staging SRUs and development packages
18:21:09 <jdstrand> this came up as a result of internal discussions
18:21:23 <mdeslaur> non-native?
18:21:33 <jdstrand> the basic idea is this-- we have PPAs for our security updates, but not our dev work
18:21:44 <jdstrand> actually, s/non-native//
18:21:51 <jdstrand> no decisions are made (sorry)
18:22:16 <jdstrand> would it be helpful to have a team ppa that we all have enabled, for the dev release or SRUs
18:22:30 <jdstrand> we wouldn't have any mandatory process around it at this time
18:23:08 <jdstrand> but, for example, if sbeattie was preparing an apparmor userspace upload, or jjohansen a kernel upload, or me a ufw upload and we wanted others from the team to test it, we upload there
18:23:20 <jdstrand> and then everyone just gets it automatically
18:23:43 <jdstrand> is it worthwhile?
18:24:05 <tyhicks> jdstrand: This ppa would only be enabled on our machines that we do not use for security update testing, right?
18:24:19 <jdstrand> tyhicks: yes. this is for dev work, not security updates
18:24:32 <jjohansen> is it any better than having a separate ppa for each project?
18:24:39 <jdstrand> tyhicks: ie, you might upload ecryptfs there
18:24:57 <jdstrand> jjohansen: it is only better in that it is a one stop for all our dev work
18:24:58 <tyhicks> gotcha
18:25:17 <jdstrand> ie, we decide we all run with that ppa enable
18:25:20 <jdstrand> enabled
18:25:35 <jdstrand> as opposed to having 7 different ppas enabled
18:25:41 <jdstrand> (or whatever)
18:25:59 <jjohansen> hrmm, down side is you can't be selective about which ppa you have enabled
18:26:03 <jdstrand> I don't have a staging ppa for ufw anyway, so I think it could help with that sort of thing too
18:26:36 <mdeslaur> jdstrand: this isn't for experimental stuff, right? this is for "I'm ready to upload, but want some more testing first"?
18:26:44 <jdstrand> jjohansen: this is meant to be for fairly stable stuff-- we don't want to break our teammates machines. we can always do that in other ppas
18:26:47 <mdeslaur> ie: you wouldn't push apparmor dbus stuff in there
18:26:56 <jdstrand> mdeslaur: correct
18:27:11 <jdstrand> the idea is this is a 'testing' ppa for what is eventually going to hit the archive
18:27:35 <tyhicks> experimental ppa'
18:27:37 <jdstrand> whether it be the dev release or an SRU (I imagine this is less useful for SRUs since we typically run the dev release)
18:27:45 <tyhicks> oops... experimental ppa's would be the daily build ppa's
18:27:55 <jdstrand> tyhicks: yes, or soemthing else
18:28:03 <jdstrand> again, this should be fairly stable
18:28:08 <tyhicks> yep
18:28:12 <sbeattie> jdstrand: well, some of us do have stable release machines around as well
18:28:19 * jdstrand nods
18:28:28 * sbeattie looks askance at his build server
18:29:09 * sbeattie is not sure he's got security-proposed enabled everywhere it could be.
18:29:39 <sbeattie> generally, I'm in favor of this; I do think it should probably be a seperate ppa from security-proposed.
18:29:51 <jdstrand> so, this isn't meant to be an administrative burden. it is meant to allow us to more easily and test the stuff we are uploading
18:30:00 <mdeslaur> sbeattie: you do know I upload completely untested stuff to security-proposed, right? :)
18:30:08 <micahg> as do I :)
18:30:09 <jdstrand> eg, my 2.8beta1 apparmor upload might have gone there
18:30:41 <sbeattie> mdeslaur, micahg: and that's different from the stuff going into devel how? :-)
18:30:50 <jdstrand> (it was something I did test and run, but might have been nice to have others run it for a bit before uploading to the archive proper)
18:31:22 <jdstrand> I really wanted to test jjohansen's recent kernel-- this could have been something we all could have just gotten 'for free'
18:31:33 <tyhicks> jdstrand: It makes sense to me. Instead of everyone being affected by a new bug, it would result in potentially just our team being affected. We would have been affected anyways, if we didn't have this buffer ppa to catch it early.
18:31:47 <jdstrand> tyhicks: yes
18:32:03 <jjohansen> jdstrand: uh kernel builds from ppas are an absolute pita
18:32:08 <tyhicks> If we have systems that are a bit too critical for something like this, we just don't enable it on those systems.
18:32:21 <mdeslaur> yeah, the kernel is probably a bad example there
18:32:29 <jdstrand> I am not advocating this running everywhere
18:33:02 <jdstrand> I am only advocating is use for the dev release. we can use it for SRUs if people want. the stuff we upload should be solid in our minds, not experimental :)
18:33:38 <jdstrand> re kernel> not sure why, we use to build them all the time in our ppa, but whatever. let's not get hung up on that detail
18:34:19 <jdstrand> in other words> whatever machine you are running the dev release on, just enable this ppa too
18:34:42 <jdstrand> (not necessarily testing VMs)
18:35:17 <jdstrand> do we agree that it could be worthwhile? if we don't like it, we don't need to continue using it
18:35:45 <tyhicks> I don't see any negatives. I would have gotten the update on my development release machines either way.
18:36:05 <sbeattie> jdstrand: +1 from me.
18:36:34 <tyhicks> The only possible negative is that it adds a bit of a delay to the update receiving testing from a wider audience, but I don't consider that a big issue
18:36:38 <tyhicks> jdstrand: +1 from me
18:36:50 <jdstrand> mdeslaur, micahg, jjohansen: ^
18:36:54 * micahg wonders if jdstrand wants to cast an official vote :)
18:36:58 <mdeslaur> I'm indifferent to the idea, 0 from me
18:37:14 * jjohansen is indifferent too
18:37:16 <jdstrand> tyhicks: well, keep in mind, we aren't defining process for using it now. if we need a quick upload, we can always do that straight to the archive still
18:37:22 <jdstrand> +1
18:37:30 <jdstrand> ok, then let's try it
18:37:53 <micahg> +1
18:38:11 <jdstrand> I know sbeattie and mdeslaur don't want it to be ubuntu-security-proposed. I really don't care, but if not ubuntu-security-proposed, what do you want to name it?
18:38:26 <jdstrand> micahg: heh, I thought you voted already :)
18:38:28 <sbeattie> ubuntu-security-testing?
18:38:34 <micahg> ubuntu-security-devel
18:38:42 <tyhicks> seems like dev/devel should be in there somewhere
18:38:49 <sbeattie> mmm, yeah, that's probably better
18:38:57 <micahg> ubuntu-security-devel-testing
18:39:04 <mdeslaur> this will have -updates enabled so we can also put SRU stuff in there?
18:39:08 <jdstrand> mdeslaur expressed a desire to use it for SRUs
18:39:22 <jdstrand> (even though he cast a '0' today :)
18:39:26 <sbeattie> ubuntu-security-devel-testing-this-will-eat-your-filesytem-or-brain
18:39:33 <mdeslaur> jdstrand: watch it or I'll switch to -1 :)
18:39:36 <jdstrand> sbeattie: it better not! :P
18:39:41 <micahg> mdeslaur: makes sense as we have security-proposed for non-updates enabled, also there's the option to copy from security-proposed to this for wider testing as well
18:39:49 <jdstrand> mdeslaur: we have enough votes already :P
18:40:06 <jdstrand> updates should be enabled. these aren't security updates
18:40:42 <mdeslaur> cool
18:40:52 <jdstrand> ubuntu-security-staging?
18:41:41 <tyhicks> I have no problem with that
18:41:42 <mdeslaur> sure
18:42:21 * sbeattie is also okay with -staging
18:43:29 <jdstrand> ok. cool. let's skip the native vs non-native bit for when its actually seen some usage
18:44:36 <mdeslaur> sure
18:44:36 <jdstrand> Does anyone have any other questions or items to discuss?
18:44:42 <jdstrand> oh
18:44:43 <mdeslaur> I've got a question for tyhicks
18:44:53 <tyhicks> mdeslaur: shoot
18:45:02 <jdstrand> [ACTION] jdstrand to setup ubuntu-security-staging ppa and communicate to team
18:45:02 * meetingology jdstrand to setup ubuntu-security-staging ppa and communicate to team
18:45:13 <mdeslaur> tyhicks: what's the status on #842647? It's unclear to me
18:45:53 <tyhicks> mdeslaur: I tried off and on for several days to reproduce it and no longer can (despite being able to reproduce it in the past)
18:46:09 <tyhicks> mdeslaur: So, I went ahead and wrote up a patch over the weekend
18:46:32 <mdeslaur> tyhicks: could you update the bug please in the next few days so everyone knows what's up with it?
18:46:55 <tyhicks> mdeslaur: Yep, my plan is to do it today. I was up in the air while working on it over the weekend.
18:47:08 <tyhicks> do it == update the bug
18:47:21 <mdeslaur> tyhicks: ok, cool...sorry :)
18:47:43 <tyhicks> I deserve the questioning since I didn't get my activity report in :)
18:47:58 <mdeslaur> ehe
18:48:37 <mdeslaur> jdstrand: sorry, back to you
18:49:05 <jdstrand> I don't have anything else
18:49:11 <jdstrand> Does anyone have any other questions or items to discuss?
18:52:24 <jdstrand> mdeslaur, sbeattie, micahg, tyhicks, jjohansen: thanks! :)
18:52:26 <jdstrand> #endmeeting