16:58 <jdstrand> #startmeeting
16:58 <meetingology> Meeting started Mon Aug 12 16:58:40 2013 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:58 <meetingology>
16:58 <meetingology> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #endvote #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #progress #rejected #replay #restrictlogs #save #startmeeting #subtopic #topic #unchair #undo #unlurk #vote #voters #votesrequired
16:58 <jdstrand> The meeting agenda can be found at:
16:58 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:58 <jdstrand> [TOPIC] Announcements
16:58 <jdstrand> Colin Watson (cjwatson) provided debdiffs for precise-raring for putty. Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
16:59 <jdstrand> [TOPIC] Weekly stand-up report
16:59 <jdstrand> I'll go first
16:59 <jdstrand> I'm on triage this week
16:59 <jdstrand> I've got openstack updates to do
16:59 <jdstrand> I need to test the latest upstart-app-launch
16:59 <jdstrand> I want to implement the xdg user dir support in apparmor
17:00 <jdstrand> I need to sync up with sarnold on code audits and give some to him since he is actually pretty good at completing them :)
17:00 <jdstrand> I have a number of follow-ups on application confinement discussions
17:00 <jdstrand> and patch piloting
17:00 <jdstrand> mdeslaur: you're up
17:01 <mdeslaur> I'm on community this week
17:01 <mdeslaur> I have a couple of updates that need testing
17:01 <mdeslaur> so I'll be doing that to try and get them released
17:01 <mdeslaur> I'll also try and get the list down a bit since I go on vacation next week
17:01 <mdeslaur> that's it for me
17:01 <mdeslaur> sbeattie: you're up
17:02 <sbeattie> I'm on apparmor again this week
17:02 <sbeattie> I'm currently trying to sort out what's going on after being gone on holiday and at black hat
17:02 <sbeattie> I have a bug or two in click-apparmor to fix
17:02 <jdstrand> sbeattie: we should sync up
17:03 <sbeattie> I also have a couple of black hat related items (expenses, trip report) to do
17:03 <sbeattie> jdstrand: yeah
17:03 <sbeattie> so that's pretty much it for me.
17:03 <sbeattie> tyhicks: you're up
17:03 <jdstrand> sbeattie: I took the liberty of making a few small changes to click-apparmor in support of the MIR request that I filed last week
17:03 <sbeattie> jdstrand: kewl
17:04 <tyhicks> This morning, I'll be preparing debdiffs against apparmor and dbus for AppArmor D-Bus mediation
17:04 <jdstrand> sbeattie: you might want to pull 0.1.0 from the archive into your branch and review (btw, is there an official home for it?)
17:04 * tyhicks pauses
17:04 <sbeattie> jdstrand: not really outside of the +junk tree I have
17:05 <sbeattie> we can move it to a more formal location under the security team
17:05 <jdstrand> I think we may want to have it live somewhere, but we can talk somewhere else
17:05 <jdstrand> yeah
17:05 <sbeattie> yeah, sounds good
17:05 <jdstrand> tyhicks: please proceed
17:05 <mdeslaur> help the homeless
17:05 * sbeattie presses play on tyhicks
17:05 <tyhicks> :)
17:05 <tyhicks> This morning, I'll be preparing debdiffs against apparmor and dbus for AppArmor D-Bus mediation
17:05 <tyhicks> (yeah, yeah, you've heard that before but it is for real this time :)
17:06 <mdeslaur> hehe
17:06 <tyhicks> jjohansen will be pushing a kernel patch out that enables it for all Saucy users - until then, the dbus-dev PPA kernel will still be needed for mediation to be enabled
17:06 <jdstrand> tyhicks: you mean for saucy upload?
17:06 <tyhicks> jdstrand: yep
17:06 <jdstrand> \o/
17:06 <mdeslaur> jdstrand: don't celebrate yet, it's a trap :P
17:06 <tyhicks> hehe
17:06 <mdeslaur> :)
17:06 <tyhicks> Then I'll be working on my content-hub work items
17:06 <jdstrand> you'll want to be prepared for everyone saying you broke everything :P
17:07 <tyhicks> yeah, I'll probably need to plan in some support response time
17:07 <jdstrand> probably a good idea
17:07 <tyhicks> I imagine there will be questions
17:07 <tyhicks> hopefully not too many bugs
17:07 <tyhicks> After that, I'll work with jjohansen to add necessary APIs to libapparmor that allow trusted helpers to operate on AppArmor label sets
17:07 <jdstrand> well, there may be no bugs-- doesn't mean you won't get blamed :P
17:08 <tyhicks> true :)
17:08 <tyhicks> Finally, I need to revise the dbus regression tests in the apparmor source tree for upstream approval and I also need to add tests for proper apparmor delegation when passing fds over dbus
17:08 * jdstrand was referring to that scenario in his initial comment :)
17:08 <tyhicks> I think that's it for me
17:08 <tyhicks> jjohansen: you're up
17:08 <jjohansen> I'm on apparmor again as well,
17:08 <jjohansen> I've got to finish fixing a bug in the replacedby logic that is causing crashes when we enable compound labels,
17:08 <jjohansen> I need to: look into the 3.11 flink/linkat changes http://lwn.net/Articles/562488/, push the kernel patch for the label query that dbus needs, deal with bug 1202161, prepare for Tuesday's apparmor meeting, and then perhaps get back to the current apparmor work items
17:08 <ubottu> bug 1202161 in linux (Ubuntu) "seccomp filter: execve(): Operation not permitted" [Medium,Incomplete] https://launchpad.net/bugs/1202161
17:09 <tyhicks> jjohansen: Good! I've been meaning to make sure you're aware of flink/linkat
17:10 <tyhicks> I couldn't think of any potential problems for apparmor, but I'm sure that you can :)
17:10 <jjohansen> tyhicks: well I remember seeing it, and making myself a note that got lost in all the other notes
17:11 <jjohansen> yes it is going to rework some work around our link rules
17:11 <jjohansen> but, I need to trace the security hooks because I don't think they are sufficient to mediate it
17:12 <jjohansen> or more correctly currently only the inode hook is, mediating it
17:12 <tyhicks> ah
17:13 <jjohansen> anyways that's it from me, sarnold you're up
17:13 <jdstrand> sarnold: hold on a sec
17:14 <jdstrand> jjohansen: I didn't recognize the IPC work items in your list this week-- would it be helpful/possible to shuffle some work around to free up some time?
17:15 <jjohansen> jdstrand: sorry that is the "current apparmor work items" bit
17:15 <jdstrand> jjohansen: related: flink/linkat is for 3.11-- are we going to ship 3.11 in 13.10 and if not, is that something we can/should put on the backburner for a bit?
17:15 <jjohansen> jdstrand: saucy will be 3.11
17:15 <jdstrand> ok
17:16 <jjohansen> that isn't to say I won't go only as far as getting the info to file a bug on this item for this week, and deal with it later
17:16 <jdstrand> oh, why was I thinking we had 3.10 still
17:17 <tyhicks> I think the switch just happened
17:17 <jdstrand> oh, hah, cause it happened today :)
17:18 <jjohansen> jdstrand: no the switch happened last week when tim rebased to -rc4
17:19 <jjohansen> we had issues in the 3.11 kernel where I couldn't even get the machine to boot in -rc2, and the kt was shaking out a couple issues in -rc3
17:19 <jdstrand> maybe-- but I see 3.10.0-6.17 was only superceded a little while ago
17:20 <jdstrand> (in saucy release)
17:20 <jdstrand> anyhoo, doesn't matter
17:20 <jdstrand> superseded
17:22 <jdstrand> jjohansen: so, aiui, you've got the stuff you listed and you don't think it will take an inordinate amount of time (something that will take longer will be planned/done later) and you plan to work on ipc still?
17:22 <jdstrand> is that accurate?
17:22 <jjohansen> jdstrand: yes
17:22 <jdstrand> ok, cool, thanks. sorry if I was being dense :)
17:22 <jdstrand> sarnold: you're up
17:24 <sarnold> I'm in the happy place this week; I've got (at least one) MIR audit (click-apparmor), and I've grabbed an update for maas to do. I may steal some of jdstrand's MIR audits as needed.
17:24 <sarnold> and of course, if there are apparmor patches posted, reviewing them will be my top priority.
17:25 <sarnold> I believe that's me
17:25 <sarnold> chrisccoulson: you're up
17:25 <chrisccoulson> hi
17:25 <chrisccoulson> last week, i got firefox and thunderbird out. everything's been pretty quiet since then, which I'll assume is a good thing :)
17:25 <jdstrand> \o/
17:26 <mdeslaur> chrisccoulson: did you see my critical firefox bug?
17:26 <sarnold> \o/
17:26 <chrisccoulson> also, i added support for multiple browser contexts to oxide, which hopefully means that it's possible to have webviews with different profile folders now :)
17:26 <jdstrand> neat :)
17:26 <sbeattie> \o/
17:26 <mdeslaur> \o/
17:27 <jdstrand> chrisccoulson: that reminds me, I owe you and ubuntu-devel@ an email regarding oxide
17:27 <sarnold> very cool :)
17:27 <jdstrand> (that was one of the things I was planning to follow-up on this week)
17:27 <chrisccoulson> i'm still working on the user script support, which i plan to continue this week. i wanted to get the browser context stuff out of the way first, as i'm making user scripts per-context rather than per-webview, and i didn't want to have to refactor everything later on :)
17:28 <chrisccoulson> i'm not sure if anyone has been following https://code.launchpad.net/~chrisccoulson/oxide/oxide.trunk ?
17:28 <sarnold> sorry, no
17:28 <chrisccoulson> that's ok ;)
17:28 <chrisccoulson> i think that's me done
17:28 <mdeslaur> chrisccoulson: wow, a lot of work in there
17:29 <chrisccoulson> mdeslaur, yeah, it's slowly getting there :)
17:30 <jdstrand> [TOPIC] Highlighted packages
17:30 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:30 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ngircd.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/glusterfs.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/shibboleth-sp2.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/qpid-python.html
17:30 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/darktable.html
17:30 <jdstrand> [TOPIC] Miscellaneous and Questions
17:31 <jdstrand> sarnold pointed out that the community supported drupal7 packages could use some attention on earlier releases (particularly 12.04). See http://people.canonical.com/~ubuntu-security/cve/pkg/drupal7.html for details.
17:31 <jdstrand> Does anyone have any other questions or items to discuss?
17:37 <jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks!
17:37 <jdstrand> #endmeeting