18:03:27 <jdstrand> #startmeeting
18:03:27 <meetingology> Meeting started Mon Mar 18 18:03:27 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
18:03:27 <meetingology>
18:03:27 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
18:03:52 <jdstrand> The meeting agenda can be found at:
18:03:53 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
18:04:01 <jdstrand> [TOPIC] Announcements
18:04:36 <jdstrand> ChrisCoulson moved over to the security team as our browser security engineer. Chris has been a long-time friend to the security team as the Mozilla maintainer on the desktop team. Welcome Chris! :)
18:04:56 <mdeslaur> chrisccoulson
18:05:03 <chrisccoulson> :)
18:05:11 <sbeattie> Woot! Welcome, chrisccoulson!
18:05:16 <mdeslaur> welcome!
18:05:19 <sarnold> hunh, I never noticed that extra 'c' :)
18:05:30 <chrisccoulson> hah, that confuses people ;)
18:05:40 <sarnold> tab-complete for the brain missed it entirely :) welcome :)
18:05:42 <jdstrand> me either-- that will make my irssi commands interesting :)
18:05:57 <chrisccoulson> all of my names begin with C. I'll let you try to guess what my other name is ;)
18:06:07 <mdeslaur> Custard?
18:06:12 <chrisccoulson> lol
18:06:12 <jdstrand> maybe in another channel :P
18:06:57 <jdstrand> Thanks to Christian Kuersteiner (ckuerste) who provided a debdiff for precise for tinyproxy (LP: #1154502) and a debdiff for oneiric for tomcat7 (LP: #1115053). Your work is very much appreciated and will keep Ubuntu users secure. Great job!
18:07:00 <ubottu> Launchpad bug 1154502 in tinyproxy (Ubuntu Precise) "Multiple open vulnerabilities in tinyproxy" [High,Fix released] https://launchpad.net/bugs/1154502
18:07:01 <ubottu> Launchpad bug 1115053 in tomcat7 (Ubuntu Precise) "Multiple open vulnerabilities in tomcat7 in 12.04 and 11.10" [Undecided,Triaged] https://launchpad.net/bugs/1115053
18:07:13 <jdstrand> [TOPIC] Review of any previous action items
18:07:28 <jdstrand> n/a
18:07:31 <jdstrand> [TOPIC] Weekly stand-up report
18:07:35 <jdstrand> I'll go first
18:08:06 <jdstrand> I'm on triage this week
18:08:13 <jdstrand> I'm working on a nova update
18:08:23 <jdstrand> I've also got another embargoed update
18:08:53 <jdstrand> the CVE list is pretty high atm. I hope to work on something else there
18:09:15 <jdstrand> I've also got a work item for apparmor dbus policy I need to do before next week
18:09:36 <jdstrand> I may pick up an audit as well
18:09:42 <jdstrand> mdeslaur: you're up
18:09:53 <mdeslaur> I just published a couple of USNs
18:09:58 <mdeslaur> and I'm on community this week
18:10:06 <mdeslaur> I'm currently working on perl updates
18:10:11 <mdeslaur> and will continue going down the list, as usual
18:10:28 <mdeslaur> jdstrand: we need to send out the EoL notices
18:10:37 <sbeattie> \o/
18:10:38 <mdeslaur> a bunch of stuff is dying in a month
18:10:44 <mdeslaur> and that's it from me
18:10:45 <chrisccoulson> ooh, i like EoL notices ;)
18:10:46 <mdeslaur> sbeattie: you're up
18:11:02 <jdstrand> mdeslaur: ack
18:11:17 <sbeattie> I'm on apparmor again this week, working on the display manager blueprint workitems
18:11:52 <sbeattie> I'm still working on the apparmor dm prototype, still tracking down some memory allocation errors on my part
18:12:22 <sbeattie> and digging into the mir codebase
18:12:36 <sbeattie> that's pretty much it for me.
tyhicks: tag
18:13:05 <jdstrand> tyhicks: is out today
18:13:10 <jdstrand> jjohansen: you're up
18:13:15 <jjohansen> I need to finish up with a regression bug 1145234, and then fixing the loading profiles from cache issue.
18:13:17 <ubottu> bug 1145234 in QA Regression Testing "FAIL: parent ptrace(PTRACE_SINGLESTEP) failed - : No such process" [Undecided,Confirmed] https://launchpad.net/bugs/1145234
18:13:19 <jdstrand> s/://
18:13:47 <jjohansen> And then it will be back to the apparmor labeling wi
18:13:53 <jdstrand> jjohansen: can you elaborate on 1145234?
18:14:02 <jdstrand> jjohansen: did this come about because of a security update?
18:14:24 <jjohansen> jdstrand: yes our ptrace backport causes failures on lucid
18:15:00 <jdstrand> jjohansen: ok, and only lucid? is it just with the backport kernels on lucid?
18:15:08 <jjohansen> yes only on lucid
18:15:11 <jdstrand> or even those kernels at all
18:15:36 <jjohansen> jdstrand: only the lucid kernel with the ptrace backport
18:16:02 <jjohansen> jdstrand: I know which patch even, however it's not that simple as the patch is correct
18:16:27 <jdstrand> hrm
18:16:29 <jdstrand> ok
18:16:38 <jjohansen> it's the logic in between the backported patch that is missing that is causing problems
18:17:07 <jjohansen> in other words we need to backport more than the 4 patches we are already doing for the bug
18:17:07 <jdstrand> so it needs either some more commits or some glue
18:17:12 <jjohansen> yeah
18:17:15 * jdstrand nods
18:17:33 * mdeslaur gets out the Elmer's
18:17:48 <sarnold> did you guys ever get the exploit to work on lucid?
18:18:16 <jjohansen> sarnold: yes, it was hardy we failed on
18:18:24 <sarnold> ah :/
18:18:36 <jjohansen> but hardy should theoretically be vulnerable as well
18:19:18 <jjohansen> sarnold: you're up
18:20:13 <sarnold> I'm finishing up the systemd-related MIR audits this week; I've also got the lxc MIR audit outstanding that I'll work on unless jjohansen hands me a new patch set first :)
18:20:52 <sarnold> I also upgraded my laptop to raring over the weekend, initial impressions are quite good :) a handful of small bugs to file, but ... yay :)
18:21:30 <jdstrand> nice
18:21:32 <sarnold> I think that's it for me, chrisccoulson's turn
18:23:00 <chrisccoulson> so, for anyone who's not aware, one of the things i've been working on recently is improving our browser automated tests. i've done quite a lot of work for firefox already, but this week i plan to start improving the situation for chromium too
18:23:22 <chrisccoulson> starting with hooking the upstream tests in to jenkins, like we have already for firefox
18:23:36 <chrisccoulson> and then replacing our existing manual tests with more automated ones :)
18:23:52 <chrisccoulson> and i've got some wiki stuff to read ;)
18:24:17 <jdstrand> chrisccoulson: how would you characterize the status of the firefox tests?
18:25:03 <chrisccoulson> jdstrand, in mostly good shape. there's some failures i don't yet understand, and some random failures too (eg, https://jenkins.qa.ubuntu.com/job/raring-ppa-adt-ubuntu_mozilla_daily_ppa-firefox-trunk/ARCH=i386,label=adt/lastCompletedBuild/testReport/dom.media.tests/mochitest/test_peerConnection_bug840344_html/ - although we've just established this one is an OOM)
18:25:43 <chrisccoulson> but otherwise, the failure rate is very low. it would be nice to get it to zero though :)
18:25:51 <jdstrand> chrisccoulson: not saying you should do this for this case, but is it possible to disable individual problematic tests?
18:26:33 <jdstrand> we've been looking at doing that with openjdk for example, where some tests are non-deterministic
18:26:52 <chrisccoulson> jdstrand, yeah, there's the ability to skip problematic tests. and for some of the testsuites, you can also mark them as failing or random so that they still run (and an expected-fail test that passes will cause a test failure)
18:27:17 <jdstrand> heh, 'random'
18:27:22 <jdstrand> chrisccoulson: cool :)
18:27:34 <jdstrand> chrisccoulson: what releases are currently tested?
18:27:56 <chrisccoulson> jdstrand, only raring for now. i'd like to get them running on all releases really though
18:28:03 <chrisccoulson> i need to ask jibel about that though :)
18:28:35 <jdstrand> chrisccoulson: well, since desktop lucid and oneiric are almost EOL, just precise and later would be enough
18:28:45 <chrisccoulson> yeah, that makes sense
18:29:06 <jdstrand> chrisccoulson: you mentioned to me that these are run within an Ubuntu environment, is that right?
18:29:48 <chrisccoulson> mozilla are transitioning their test machines to ubuntu, so the upstream tests will be run on ubuntu 12.04 by mozilla as well
18:29:52 <chrisccoulson> which helps us a bit
18:30:04 <jdstrand> chrisccoulson: what I am eventually leading to asking is how much we'll be able to trust that these tests are valid for our security builds (it looks like this is against daily too)
18:30:40 <jdstrand> chrisccoulson: re upstream> that is nice that they are aligned with our (soon to be) oldest supported LTS
18:30:48 <chrisccoulson> jdstrand, i suspect there will still be additional high-level testing (eg, making sure flash works). but i hope i can automate that too
18:31:50 <jdstrand> chrisccoulson: cool-- thanks for the deeper update. we can talk more about this another time. these automated tests will fill an important void for our team
18:32:33 <jdstrand> chrisccoulson: I may have cut you off. do you have anything else to report?
18:32:43 <chrisccoulson> jdstrand, no, i think i'm done now
18:32:52 <jdstrand> [TOPIC] Highlighted packages
18:32:58 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/extplorer.html
18:33:01 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/rt-authen-externalauth.html
18:33:05 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/tinymce.html
18:33:09 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/msmtp.html
18:33:12 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/festival.html
18:33:32 <jdstrand> The above are some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security on Freenode.
18:33:42 <jdstrand> [TOPIC] Miscellaneous and Questions
18:34:40 <jdstrand> I think we may want to consider moving our team meeting. I'll take an action to explore that and discuss next week
18:35:06 <jdstrand> [ACTION] jdstrand to follow-up on potentially changing time of team meeting
18:35:06 * meetingology jdstrand to follow-up on potentially changing time of team meeting
18:35:17 <jdstrand> Does anyone have any other questions or items to discuss?
18:38:12 <jdstrand> mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson: thanks!
18:38:16 <jdstrand> #endmeeting