16:31:25 <jdstrand> #startmeeting
16:31:25 <meetingology> Meeting started Mon Apr 15 16:31:25 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:31:25 <meetingology>
16:31:25 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
16:31:48 <jdstrand> The meeting agenda can be found at:
16:31:49 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:31:59 <jdstrand> [TOPIC] Announcements
16:32:02 <jdstrand> (none this week)
16:32:10 <jdstrand> [TOPIC] Weekly stand-up report
16:32:13 <jdstrand> I'll go first
16:32:24 <jdstrand> I'm on community this week
16:33:07 <jdstrand> I have more requirements gathering, planning and communications of our plans to do
16:33:17 <jdstrand> I also have to finish up performance reviews
16:33:26 <jdstrand> there are a couple audits to finish
16:33:43 <jdstrand> and I will be working on two embargoed updates
16:34:49 <jdstrand> that's it for me
16:34:52 <jdstrand> mdeslaur: you're up
16:34:59 <mdeslaur> I'm in the happy place this week
16:35:08 <jdstrand> you bet you are! :P
16:35:13 <sbeattie> hehe
16:35:13 <mdeslaur> and I only have two days...wednesday I'm on vacation
16:35:18 <mdeslaur> jdstrand: hehe :)
16:35:35 <mdeslaur> (on vac until the 29th)
16:35:55 <mdeslaur> I'm currently writing a test script for haproxy, which I'll likely release this afternoon or tomorrow
16:36:09 <mdeslaur> and am working on an embargoed issue to hand off to one of the non-vacationing suckers
16:36:18 <mdeslaur> and, that's it from me.
16:36:20 <mdeslaur> sbeattie: you're up
16:36:23 <jdstrand> fyi, I forgot one-- hope to do install audits this week too
16:36:33 <sbeattie> ah cool
16:36:46 <sbeattie> I'm working on apparmor work items again this week.
16:37:25 <sbeattie> I'm continuing to write some example clients for confinement, wrote a couple of qml demos last week.
16:37:40 <sbeattie> will need to put some automation around them as well.
16:37:52 <mdeslaur> sbeattie: could you stick those in a bzr tree somewhere?
16:38:09 <jdstrand> sbeattie: re automation, what are you thinking, for automatic testing?
16:38:34 <sbeattie> jdstrand: yeah, for automatic testing, as much as possible.
16:38:49 <sbeattie> drag-n-drop stuff may be harder to automate.
16:39:08 <sbeattie> mdeslaur: https://code.launchpad.net/~sbeattie/+junk/apparmor-examples
16:39:18 <jdstrand> sbeattie: cool-- though aiui, having automatic testing is not in scope for this month per se.
16:39:26 <mdeslaur> sbeattie: ah! cool
16:39:53 <jdstrand> sbeattie: obviously we want it-- what are you thinking about in terms of scheduling that work?
16:40:28 <sbeattie> jdstrand: uhh, hadn't really decided on anything concrete for schedule.
16:40:34 <jdstrand> ok
16:40:55 <sbeattie> jdstrand: was expecting to coordinate that with you/the team
16:41:10 <jdstrand> sbeattie: basically my questions are coming from the place of 'let's focus on what we said we would focus on, but if we have to adjust, let's talk about it'
16:41:15 <sbeattie> okay
16:41:25 <jdstrand> so yeah, talking later is fine
16:41:44 <sbeattie> anyway, that's pretty much it for me.
16:41:59 <sbeattie> tyhicks: you're up
16:42:09 <tyhicks> I'm working on https://blueprints.launchpad.net/ubuntu/+spec/security-1304-appisolation-dbus this week
16:42:23 <tyhicks> Still wrapping up the dbus parser tests item
16:42:42 <tyhicks> Last week while writing parser tests, I ran across some parser bugs
16:42:59 <tyhicks> Those are fixed now and I'm back to improving the tests
16:43:27 <tyhicks> then I'll move on to "dbus daemon - regression tests" and then to "dbus daemon, pass labeling info on messages so security context can be queried by recipient"
16:43:53 <tyhicks> eCryptfs prep work for the kernel merge window stole some time from me last week but that is now all done
16:44:06 <tyhicks> so my sole focus will be on aa work items this week
16:44:07 <sbeattie> tyhicks: did you push your tests anywhere?
16:44:31 * jdstrand is happy to hear that we are finding and fixing bugs when writing our tests :)
16:44:38 <sbeattie> indeed!
16:44:54 <tyhicks> sbeattie: not yet, when I fully complete that work item the tests will live in the apparmor package of the dbus-dev ppa
16:45:18 <sbeattie> tyhicks: okay, just wondered if you wanted any feedback/review of them...
16:45:42 <tyhicks> I also did a lot of work (still pending upload) on fixing up the patches in the dbus-dev apparmor package so that the patches will be easier to send upstream
16:45:56 <tyhicks> sbeattie: I will want some feedback for sure. I'll send them to the list.
16:46:01 <tyhicks> that's it for me
16:46:05 <tyhicks> jjohansen: you're up
16:46:16 <sbeattie> tyhicks: thanks
16:46:25 <jjohansen> I'll be continuing to work on https://blueprints.launchpad.net/ubuntu/+spec/security-1304-appisolation-signals-ipc-ptrace
16:46:25 <jjohansen> Mostly it should be work around sockets (labeling, passing them, etc)
16:46:25 <jjohansen> I will also need to spend some time pushing some patches to the upstream security tree so they are there for when the merge window opens
16:46:57 <jdstrand> tyhicks: regarding upstreamifying-- is that DBus upstreaming, apparmor, kernel, or some combination?
16:47:24 <jjohansen> jdstrand: kernel - ecryptfs work
16:47:31 <tyhicks> jdstrand: apparmor
16:47:49 <jjohansen> tyhicks: oh?
16:48:21 <tyhicks> the patches against the apparmor package were piling up and it was going to be a pain to get them all in order and broken down for upstreaming
16:48:21 <jdstrand> tyhicks: as in, making them easily digestible for the list?
16:48:26 <tyhicks> jdstrand: exactly
16:48:38 <tyhicks> just a little tidying up before things got too ugly
16:48:41 <jjohansen> ah
16:49:38 <jdstrand> jjohansen: curious-- what are you sending to the upstream security tree?
16:50:16 <jjohansen> jdstrand: about the first 20 patches from the queue that have been reviewed. It's all the base code cleanups and bug fixes
16:50:26 <jdstrand> neat
16:51:13 <jjohansen> sarnold: you're up
16:51:23 <sarnold> I'm on triage this week
16:51:50 <sarnold> I'm finishing up curl publication today, and I'm liable to ask jdstrand if I can take one of his MIR audits
16:52:23 <sarnold> I'd like to get around to fixing up my juju charms, but that might take a back burner again to doing another update
16:52:42 <mdeslaur> sarnold: if you're up to a challenge, you can try and take the bouncycastle update
16:52:47 <jdstrand> sarnold: actually one is a MIR audit (ie, not security audit) and the other I'm putting in that category-- it is about the scopes privacy
16:52:48 <mdeslaur> sarnold: java backporting fun
16:52:55 <sarnold> mdeslaur: that -is- a challenge :)
16:53:09 <jdstrand> sarnold: actually, it might not be a bad idea to get some help there
16:53:10 <sarnold> .. with all the goodness of inexplicable crypto goo :)
16:53:15 <jdstrand> sarnold: but we'll talk later
16:53:42 <sarnold> cool :)
16:54:02 <sarnold> chrisccoulson: your turn :)
16:54:09 <chrisccoulson> yoyoyo
16:54:20 <chrisccoulson> i got a flash update out last week
16:54:48 <chrisccoulson> also fixed an arm crash in chromium (waiting on testing feedback from the ufa guys, but it works here)
16:55:03 <chrisccoulson> fixed https://bugzilla.mozilla.org/show_bug.cgi?id=858670, which appeared in the ff20 update
16:55:04 <ubottu> Mozilla bug 858670 in Extension Compatibility "crash in uGlobalMenuObject::ShouldShowIcon with GlobalMenu on Ubuntu" [Critical,New]
16:55:38 <chrisccoulson> https://bugzilla.mozilla.org/show_bug.cgi?id=858782 also appeared, but i've no idea what is happening there. if any of you use google docs and can recreate it, please let me know ;)
16:55:39 <ubottu> Mozilla bug 858782 in Extension Compatibility "crash in uGlobalMenuDocListener::DoHandleMutations with GlobalMenu on Ubuntu" [Critical,New]
16:56:37 <chrisccoulson> did a bit more with chromium automated testing. discovered that gtest can already produce junit formatted test results, which is a great help
16:57:22 <chrisccoulson> i'll hopefully be done with updates / chromium etc this week, so i can start on other things i'm meant to be looking at :)
16:57:32 <jdstrand> nice
16:57:36 <jdstrand> (junit)
16:57:53 <jdstrand> well all of it, but you know, that goes for everyone :)
16:58:22 <chrisccoulson> yeah, unfortunately, i discovered it created junit results after i started writing code to parse the results and convert them ;)
16:58:28 <chrisccoulson> (like we're doing for firefox already)
16:59:17 <jdstrand> heh
16:59:27 <jdstrand> chrisccoulson: did you have more?
16:59:38 <chrisccoulson> no, that's me done i think
16:59:56 <jdstrand> chrisccoulson: (fyi, since you're last, you can say 'back to you jdstrand' or something :)
17:00:05 <chrisccoulson> sure, no problem
17:00:07 <jdstrand> [TOPIC] Highlighted packages
17:00:10 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:00:15 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:00:22 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gpw.html
17:00:25 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/jenkins-winstone.html
17:00:29 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/policycoreutils.html
17:00:32 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/spice-gtk.html
17:00:35 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/openjpeg.html
17:00:55 <jdstrand> [TOPIC] Miscellaneous and Questions
17:01:10 <jdstrand> I have one for several of you
17:01:40 <jdstrand> based on what was said in this meeting, I have a good feeling about progress for the month
17:01:58 <jdstrand> however, if I look at http://status.ubuntu.com/ubuntu-raring/canonical-security-ubuntu-13.04-month-6.html I have a less good feeling
17:02:15 <jdstrand> so, I guess, now that we are 2 weeks in to this month, how are the work items going? Are we 50% done? are there problems?
17:02:52 <jdstrand> jjohansen: ^ we talked about this a bit last week, so afaik, we are slightly behind but aren't worried on our timeline for this month. is that accurate?
17:03:03 <jjohansen> yes
17:03:04 <jdstrand> jjohansen: (talking about your work items specifically)
17:03:21 <tyhicks> I'm not 50% done, but I also haven't been able to spend 100% of my time on the work items
17:03:33 <tyhicks> I will be able to for the remainder of the month
17:03:43 <tyhicks> and I'm confident that I can knock off all of my work items by then
17:03:50 <jdstrand> tyhicks: right..
17:03:52 <jdstrand> ah, ok
17:04:00 <jdstrand> sbeattie: how about you? ^
17:04:18 <sbeattie> sorry, I'm notorious for not updating my workitem entries.
17:04:50 <jdstrand> well, I was going to end with 'Please update your work items' :)
17:04:58 <sbeattie> heh
17:05:12 <sbeattie> but yeah, feeling pretty confident about where things are at.
17:05:20 <jdstrand> sbeattie: but in a less burndown chart way: are you on track for your work items for the month?
17:05:22 <tyhicks> forgetting to update the entries is better than not having any updates to make ;)
17:05:31 <jdstrand> tyhicks: yes!! :)
17:05:38 <jdstrand> sbeattie: awesome
17:05:40 <mdeslaur> hehe
17:06:14 <jdstrand> jjohansen, tyhicks, sbeattie: if you could update this month's work items sometime today, that would be great
17:06:21 <sbeattie> okay
17:06:23 * tyhicks nods
17:06:29 <jdstrand> Does anyone have any other questions or items to discuss?
17:17:46 <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, chrisccoulson: thanks!
17:17:49 <jdstrand> #endmeeting