18:03:27 <jdstrand> #startmeeting
18:03:27 <meetingology> Meeting started Mon Mar 18 18:03:27 2013 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:03:27 <meetingology> 
18:03:27 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:03:52 <jdstrand> The meeting agenda can be found at:
18:03:53 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:04:01 <jdstrand> [TOPIC] Announcements
18:04:36 <jdstrand> ChrisCoulson moved over to the security team as our browser security engineer. Chris has been a long-time friend to the security team as the Mozilla maintainer on the desktop team. Welcome Chris! :)
18:04:56 <mdeslaur> chrisccoulson
18:05:03 <chrisccoulson> :)
18:05:11 <sbeattie> Woot! Welcome, chrisccoulson!
18:05:16 <mdeslaur> welcome!
18:05:19 <sarnold> hunh, I never noticed that extra 'c' :)
18:05:30 <chrisccoulson> hah, that confuses people ;)
18:05:40 <sarnold> tab-complete for the brain missed it entirely :) welcome :)
18:05:42 <jdstrand> me either-- that will make my irssi commands interesting :)
18:05:57 <chrisccoulson> all of my names begin with C. I'll let you try to guess what my other name is ;)
18:06:07 <mdeslaur> Custard?
18:06:12 <chrisccoulson> lol
18:06:12 <jdstrand> maybe in another channel :P
18:06:57 <jdstrand> Thanks to Christian Kuersteiner (ckuerste) who provided a debdiff for precise for tinyproxy (LP: #1154502) and a debdiff for oneiric for tomcat7 (LP: #1115053). Your work is very much appreciated and will keep Ubuntu users secure. Great job!
18:07:00 <ubottu> Launchpad bug 1154502 in tinyproxy (Ubuntu Precise) "Multiple open vulnerabilities in tinyproxy" [High,Fix released] https://launchpad.net/bugs/1154502
18:07:01 <ubottu> Launchpad bug 1115053 in tomcat7 (Ubuntu Precise) "Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10" [Undecided,Triaged] https://launchpad.net/bugs/1115053
18:07:13 <jdstrand> [TOPIC] Review of any previous action items
18:07:28 <jdstrand> n/a
18:07:31 <jdstrand> [TOPIC] Weekly stand-up report
18:07:35 <jdstrand> I'll go first
18:08:06 <jdstrand> I'm on triage this week
18:08:13 <jdstrand> I'm working on a nova update
18:08:23 <jdstrand> I've also got another embargoed update
18:08:53 <jdstrand> the CVE list is pretty high atm. I hope to work on something else there
18:09:15 <jdstrand> I've also got a work item for apparmor dbus policy I need to do before next week
18:09:36 <jdstrand> I may pick up an audit as well
18:09:42 <jdstrand> mdeslaur: you're up
18:09:53 <mdeslaur> I just published a couple of USNs
18:09:58 <mdeslaur> and I'm on community this week
18:10:06 <mdeslaur> I'm currently working on perl updates
18:10:11 <mdeslaur> and will continue going down the list, as usual
18:10:28 <mdeslaur> jdstrand: we need to send out the EoL notices
18:10:37 <sbeattie> \o/
18:10:38 <mdeslaur> a bunch of stuff in dying in a month
18:10:44 <mdeslaur> and that's it from me
18:10:45 <chrisccoulson> ooh, i like EoL notices ;)
18:10:46 <mdeslaur> sbeattie: you're up
18:11:02 <jdstrand> mdeslaur: ack
18:11:17 <sbeattie> I'm on apparmor again this week, working on the display manager blueprint workitems
18:11:52 <sbeattie> I'm still working on the apparmor dm prototype, still tracking down some memory allocation errors on my part
18:12:22 <sbeattie> and digging into the mir codebase
18:12:36 <sbeattie> that's pretty much it for me. tyhicks: tag
18:13:05 <jdstrand> tyhicks: is out today
18:13:10 <jdstrand> jjohansen: you're up
18:13:15 <jjohansen> I need to finish up with a regression bug 1145234, and then fixing the loading profiles from cache issue.
18:13:17 <ubottu> bug 1145234 in QA Regression Testing "FAIL: parent ptrace(PTRACE_SINGLESTEP) failed - : No such process" [Undecided,Confirmed] https://launchpad.net/bugs/1145234
18:13:19 <jdstrand> s/://
18:13:47 <jjohansen> And then it will be back to the apparmor labeling wi
18:13:53 <jdstrand> jjohansen: can you elaborate on 1145234?
18:14:02 <jdstrand> jjohansen: did this come about because of a security update?
18:14:24 <jjohansen> jdstrand: yes our ptrace backport causes failures on lucid
18:15:00 <jdstrand> jjohansen: ok, and only lucid? is it just with the backport kernels on lucid?
18:15:08 <jjohansen> yes only on lucid
18:15:11 <jdstrand> or even those kernels at all
18:15:36 <jjohansen> jdstrand: only the lucid kernel with the ptrace backport
18:16:02 <jjohansen> jdstrand: I know which patch even, however its not that simple as the patch is correct
18:16:27 <jdstrand> hrm
18:16:29 <jdstrand> ok
18:16:38 <jjohansen> its the logic inbetween the backported patch that is missing that is causing problems
18:17:07 <jjohansen> in other words we need to backport more than the 4 patches we are already doing for the bug
18:17:07 <jdstrand> so it needs either some more commits or some glue
18:17:12 <jjohansen> yeah
18:17:15 * jdstrand nods
18:17:33 * mdeslaur gets out the Elmer's
18:17:48 <sarnold> did you guys ever get the exploit to work on lucid?
18:18:16 <jjohansen> sarnold: yes, it was hardy we failed on
18:18:24 <sarnold> ah :/
18:18:36 <jjohansen> but hardy should theoretically be vulnerable as well
18:19:18 <jjohansen> sarnold: your up
18:20:13 <sarnold> I'm finishing up the systemd-related MIR audits this week; I've also got the lxc MIR audit outstanding that I'll work on unless jjohansen hands me a new patch set first :)
18:20:52 <sarnold> I also upgraded my laptop to raring over the weekend, initial impressions are quite good :) a handful of small bugs to file, but ... yay :)
18:21:30 <jdstrand> nice
18:21:32 <sarnold> I think that's it for me, chrisccoulson's turn
18:23:00 <chrisccoulson> so, for anyone who's not aware, one of the things i've been working on recently is improving our browser automated tests. i've done quite a lot of work for firefox already, but this week i plan to start improving the situation for chromium too
18:23:22 <chrisccoulson> starting with hooking the upstream tests in to jenkins, like we have already for firefox
18:23:36 <chrisccoulson> and then replacing our existing manual tests with more automated ones :)
18:23:52 <chrisccoulson> and i've got some wiki stuff to read ;)
18:24:17 <jdstrand> chrisccoulson: how would you characterize the status of the firefox tests?
18:25:03 <chrisccoulson> jdstrand, in mostly good shape. there's some failures i don't yet understand, and some random failures too (eg, https://jenkins.qa.ubuntu.com/job/raring-ppa-adt-ubuntu_mozilla_daily_ppa-firefox-trunk/ARCH=i386,label=adt/lastCompletedBuild/testReport/dom.media.tests/mochitest/test_peerConnection_bug840344_html/ - although we've just established this one is an OOM)
18:25:43 <chrisccoulson> but otherwise, the failure rate is very low. it would be nice to get it to zero though :)
18:25:51 <jdstrand> chrisccoulson: not saying you should do this for this case, but is it possible to disable individual problematic tests?
18:26:33 <jdstrand> we've been looking at doing that with openjdk for example, where some tests are non-deterministic
18:26:52 <chrisccoulson> jdstrand, yeah, there's the ability to skip problematic tests. and for some of the testsuites, you can also mark them as failing or random so that they still run (and an expected-fail test that passes will cause a test failure)
18:27:17 <jdstrand> heh, 'random'
18:27:22 <jdstrand> chrisccoulson: cool :)
18:27:34 <jdstrand> chrisccoulson: what releases are currently tested?
18:27:56 <chrisccoulson> jdstrand, only raring for now. i'd like to get them running on all releases really though
18:28:03 <chrisccoulson> i need to ask jibel about that though :)
18:28:35 <jdstrand> chrisccoulson: well, since desktop lucid and oneiric are almost EOL, just precise and later would be enough
18:28:45 <chrisccoulson> yeah, that makes sense
18:29:06 <jdstrand> chrisccoulson: you mentioned to me that these are run within an Ubuntu environment, is that right?
18:29:48 <chrisccoulson> mozilla are transitioning their test machines to ubuntu, so the upstream tests will be run on ubuntu 12.04 by mozilla as well
18:29:52 <chrisccoulson> which helps us a bit
18:30:04 <jdstrand> chrisccoulson: what I am eventually leading to asking is how much we'll be able to trust that these tests are valid for our security builds (it looks like this is against daily too)
18:30:40 <jdstrand> chrisccoulson: re upstream> that is nice that they are aligned with our (soon to be) oldest supported LTS
18:30:48 <chrisccoulson> jdstrand, i suspect there will still be additional high-level testing (eg, making sure flash works). but i hope i can automate that too
18:31:50 <jdstrand> chrisccoulson: cool-- thanks for the deeper update. we can talk more about this another time. these automated tests will fill an important void for our team
18:32:33 <jdstrand> chrisccoulson: I may have cut you off. do you have anything else to report?
18:32:43 <chrisccoulson> jdstrand, no, i think i'm done now
18:32:52 <jdstrand> [TOPIC] Highlighted packages
18:32:58 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/extplorer.html
18:33:01 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/rt-authen-externalauth.html
18:33:05 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/tinymce.html
18:33:09 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/msmtp.html
18:33:12 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/festival.html
18:33:32 <jdstrand> The above are some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. See SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security on Freenode.
18:33:42 <jdstrand> [TOPIC] Miscellaneous and Questions
18:34:40 <jdstrand> I think we may want to consider moving our team meeting. I'll take an action to explore that and discuss next week
18:35:06 <jdstrand> [ACTION] jdstrand to follow-up on potentially changing time of team meeting
18:35:06 * meetingology jdstrand to follow-up on potentially changing time of team meeting
18:35:17 <jdstrand> Does anyone have any other questions or items to discuss?
18:38:12 <jdstrand> mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson: thanks!
18:38:16 <jdstrand> #endmeeting