18:03:31 <jdstrand> #startmeeting
18:03:31 <meetingology> Meeting started Mon Jan 7 18:03:31 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:03:31 <meetingology>
18:03:31 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:03:35 <jdstrand> The meeting agenda can be found at:
18:03:35 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:03:38 <jdstrand> [TOPIC] Announcements
18:03:52 <jdstrand> Happy New Year and welcome back :)
18:04:00 <jdstrand> Thanks to Thomas Ward (TheLordOfTime), who provided a debdiff for lucid for znc (LP: #1090195)
18:04:01 <ubottu> Launchpad bug 1090195 in znc (Ubuntu Hardy) "ZNC security report: CVEs for Lucid, Hardy" [Undecided,Incomplete] https://launchpad.net/bugs/1090195
18:04:03 <jdstrand> Thanks to Christian Kuersteiner (ckuerste), who provided a debdiff for lucid-precise for dtach (LP: #1088355)
18:04:04 <ubottu> Launchpad bug 1088355 in dtach (Ubuntu Raring) "Information disclosure Vulnerability" [Undecided,Fix released] https://launchpad.net/bugs/1088355
18:04:12 <jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
18:04:47 <jdstrand> [TOPIC] Weekly stand-up report
18:04:51 <jdstrand> I'll go first
18:05:14 <jdstrand> I'm in the happy place this week
18:05:42 <jdstrand> before (and during) the break I took some time to play with the dbus apparmor patches
18:06:00 <jdstrand> it's working really well for me and I am starting to see patterns for abstractions
18:06:11 <sbeattie> nice!
18:06:26 <jdstrand> it is inconvenient that aa-notify can only read one logfile at a time though
18:06:32 <tyhicks> \o/
18:06:47 <jdstrand> so I started poking at a python rewrite that would allow reading multiple logfiles
18:07:00 <sbeattie> woo
18:07:25 <tyhicks> jdstrand: I can flip the switch on enabling auditd support in the dbus-dev ppa's dbus package
18:07:50 <tyhicks> we can talk about it offline
18:07:53 <jdstrand> all this got me rather excited about the work the security team has been doing, so I started to write up a multipart blog series for apparmor
18:08:05 <jdstrand> tyhicks: yeah, I thought about that too-- yes let's talk later
18:09:01 <jdstrand> the idea behind the blogging is to basically say what we have done, how we use it in Ubuntu, what we are currently working on, then talk about my experiences with dbus specifically
18:09:19 <jdstrand> that should set it up such that any of us (or me) could blog about the other bits
18:09:31 <jdstrand> that the team is working on
18:09:59 <jdstrand> thanks to sarnold and jjohansen for reviewing my 1st draft
18:10:21 <jdstrand> jjohansen: btw, let's talk about your comments offline since the upstream wiki also needs to be updated
18:10:34 <jdstrand> beyond that
18:10:37 <jjohansen> jdstrand: sure
18:11:04 <jdstrand> I am patch piloting this week (supposed to be today, but I need to push that to later in the week because... )
18:11:28 <jdstrand> I'm also working on an nss update, testing/sponsoring firefox and thunderbird, and hopefully chromium-browser
18:11:57 <jdstrand> I need to follow up with chad on chromium-browser, since I think all that is left is lucid
18:12:42 <jdstrand> mdeslaur returns tomorrow. he will be on triage
18:12:49 <jdstrand> sbeattie: you're up
18:13:04 <sbeattie> I'm still an apparmor monkey this week
18:13:46 <sbeattie> I'm still working on the display manager prototype as well as doing prep work for the 2.8.1 release, the upcoming alpha, and for the apparmor meeting tomorrow.
18:13:58 <sbeattie> that's pretty much it for me.
18:14:03 <sbeattie> tyhicks: you're up
18:14:22 <tyhicks> I'm working on an embargoed item, the AppArmor kernel policy interface, and I need to review my objectives
18:14:30 <tyhicks> jjohansen: you're up
18:15:06 <jjohansen> I am getting back into apparmor this week as well
18:16:17 <jjohansen> there are a couple bugs that were reported over the holidays that need some more looking into, I need to get some stuff together for the meeting tomorrow, and I need to get the labeling/alpha1 stuff out this week
18:16:51 <jjohansen> I suppose I need to review objectives too
18:16:57 <jjohansen> sarnold: you're up
18:17:56 <sarnold> I'm still working on the libvirt/dnsmasq update; I didn't make much progress on it last week, and I'm starting to lean towards not having a reproducer for the specific bugfix that we're looking at integrating.
18:18:13 <sarnold> I'd very much like to be unstuck on this :)
18:18:58 <sarnold> I'm going to repoke the axis2/c upstream bugreport I filed before the holidays before refiling my CVE request for not-checking-hostnames
18:19:06 <jdstrand> sarnold: well, automating dhcp reproducers is always tricky. it's ok to fall back to testing that you didn't regress (even if some of that is manual)
18:19:08 <sarnold> but I feel like that should be finished this week
18:19:12 <jdstrand> it's just like that sometimes
18:19:58 <sarnold> I've also got objectives to do, presumably this week, I assumed jdstrand and I would discuss them elsewhere
18:20:20 <jdstrand> sarnold: indeed :)
18:21:29 <sarnold> and in good news, I think I may have finally licked the last of my "where does my email go?" quandary -- I've switched to using dovecot/deliver to deliver my inbox mail instead of allowing it to fall off the end of procmail into a file
18:21:39 <sarnold> jdstrand: back to you :)
18:22:07 <jdstrand> nice :)
18:22:22 <jdstrand> it is certainly distressing when you aren't sure you are getting your mail
18:22:32 <jdstrand> [TOPIC] Highlighted packages
18:22:35 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
18:22:39 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
18:22:47 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/exif.html
18:22:51 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ruby-rails-3.2.html
18:22:54 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libguac.html
18:22:57 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/activemq.html
18:23:00 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ruby-activerecord-2.3.html
18:23:22 <jdstrand> [TOPIC] Miscellaneous and Questions
18:23:32 <jdstrand> There are a lot of merge opportunities for packages listed in http://people.canonical.com/~ubuntu-security/d2u/. Performing these updates is a great way to help Ubuntu and bolster your developer application.
18:23:51 <jdstrand> Does anyone have any other questions or items to discuss?
18:31:56 <jdstrand> sbeattie, tyhicks, jjohansen, sarnold: thanks!
18:31:58 <jdstrand> #endmeeting