16:37 <jdstrand> #startmeeting
16:37 <meetingology> Meeting started Mon Feb 10 16:37:20 2014 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:37 <meetingology>
16:37 <meetingology> Available commands: action commands idea info link nick
16:37 * sbeattie waves
16:37 <jdstrand> The meeting agenda can be found at:
16:37 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:37 <jdstrand> [TOPIC] Announcements
16:37 <jdstrand> Thanks to Felix Geyer (debfx), who provided debdiffs for Precise, Raring, Saucy for libotr, libotr2 (LP: #1266016). Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
16:37 <ubottu> Launchpad bug 1266016 in libotr2 (Ubuntu Saucy) "Disable insecure OTRv1 protocol" [Undecided,Fix released] https://launchpad.net/bugs/1266016
16:38 <jdstrand> [TOPIC] Review of any previous action items
16:38 <jdstrand> [ACTION] chrisccoulson to benchmark oxide and qtwebkit
16:38 * meetingology chrisccoulson to benchmark oxide and qtwebkit
16:38 <jdstrand> chrisccoulson: I think we are in a position now where that can happen this week?
16:39 <jdstrand> chrisccoulson: all I'm looking for is on mako, opening the few testsuites in both oxide and qtwebkit and putting the results somewhere
16:40 <jdstrand> chrisccoulson: I think we would want a non-debug build
16:42 <mdeslaur> chrisccoulson: WAKE UP ^G^G^G^G^G
16:42 <jdstrand> ok, I'll swing back
16:43 <jdstrand> [TOPIC] Weekly stand-up report
16:43 <jdstrand> I'll go first
16:43 <jdstrand> I'm on triage this week
16:43 <jdstrand> I have some pending updates I am working on
16:43 <chrisccoulson> oh, sorry, i'm here now ;)
16:44 <jdstrand> I have an incredible amount of followups from the sprint and other things that accumulated during the sprint
16:44 <jdstrand> I hope to tie up several work items too
16:45 <jdstrand> that's it for me
16:45 <jdstrand> mdeslaur: you're up
16:45 <mdeslaur> I'm on community this week
16:45 <mdeslaur> I'm currently testing some libgadu updates I should be pushing out in a few minutes
16:46 <mdeslaur> and will continue going down the CVE list, as usual
16:46 <mdeslaur> that's about it from me
16:46 <mdeslaur> sbeattie: you're up
16:46 <sbeattie> I'm focused on apparmor work again this week.
16:46 <sbeattie> I'll be concentrating on the apparmor testing work items in support of jjohansen's work on IPC.
16:47 <sbeattie> I also accumulated a couple of other tasks from the sprint around apparmor and will take care of those.
16:47 <sbeattie> That's pretty much it for me. tyhicks?
16:47 <tyhicks> I was able to wrap up several nagging work items during the sprint last week
16:48 <tyhicks> so now my priorities for this week are:
16:48 <tyhicks> Submitting some kdbus patches upstream
16:48 <tyhicks> Submitting our dbus-daemon mediation patches upstream
16:48 <mdeslaur> cool
16:49 <tyhicks> and, to a much lesser extent, testing a bug fix to precise's audit package and getting a test-audit.py in place
16:49 <tyhicks> that's it for me
16:49 <tyhicks> jjohansen: you're up
16:49 <tyhicks> (the bug fix is for LP: #1158500)
16:49 <ubottu> Launchpad bug 1158500 in audit (Ubuntu) "auditd fails to add rules when used in precise with -lts-quantal kernel" [High,Triaged] https://launchpad.net/bugs/1158500
16:50 <jjohansen> I'm working on apparmor this week. I've got a ppa upload to get out, and then some more ipc and stacking bugs to fix
16:50 <jjohansen> oh and I should try drowning the list in patches too, I suppose
16:51 <jjohansen> that is it for me, sarnold you're up
16:53 <sarnold> I'm in happy place this week, I've got an nginx mir to finish, a security update to prepare, test, and release, and finish testing the patches from the ubuntu apparmor packaging when pushed into the upstream apparmor trunk
16:54 <mdeslaur> \o/ nginx in main
16:54 <mdeslaur> sarnold: any blockers so far?
16:54 <sarnold> mdeslaur: no, it's depressingly good code :) there's nearly nothing to complain about. I did find one funny cute little bug, but it is in code that we don't build and wouldn't have any real security impact anyway
16:55 <mdeslaur> sarnold: awesome!
16:55 <jdstrand> sarnold: in the past, the blocker was their release process. can you spend a few minutes looking at that and commenting in the bug. it may be all fine now (this was years ago)
16:55 <sarnold> mdeslaur: they wrote their own printf-style family of printing routines, which is pretty awesome, it's good stuff, but they missed a parameter in a printf -- and since they never caught it, I figure they need to use some gcc attributes to try to catch those -- if they can
16:56 <jdstrand> sarnold: (well, we never looked at it in depth cause of the release process)
16:56 <jdstrand> sarnold: I think someone already commented in the bug on that, but it would be nice for us to verify the claim
16:56 <sarnold> the one I found is nothing impressive, but there might be some I haven't spotted that might be more trouble.
16:57 <sarnold> jdstrand: yeah, I can spend some time working on that. I'm so far liking that they've got a branch for stable updates and a branch for development testing. I -hope- that they intend to support their stable branch for a while, it'd be nice if it isn't replaced immediately..
17:00 <sarnold> Oh yes, the administrivia from the sprint trip :) I knew I forgot something.
17:00 <sarnold> anyway, that's me covered, chrisccoulson you're up if you're here :)
17:00 <chrisccoulson> i am
17:01 <chrisccoulson> this week, i'll be getting firefox and thunderbird out
17:01 <chrisccoulson> and then working on the last couple of things to make oxide actually usable on the device (touch events and pinch to zoom)
17:01 <chrisccoulson> oxide works on maguro btw ;)
17:02 <chrisccoulson> that's me done :)
17:02 <jdstrand> chrisccoulson: did you see my questions above?
17:02 <chrisccoulson> jdstrand, yeah, i think we'll be able to do that
17:03 <jdstrand> chrisccoulson: should that be done via a non-debug ppa build?
17:03 <sarnold> chrisccoulson: nice :D
17:03 <chrisccoulson> yeah, i think so
17:03 <jdstrand> chrisccoulson: or would you just do that locally?
17:04 <chrisccoulson> i'll do another PPA build
17:04 <jdstrand> chrisccoulson: the urls are in the index.html page of that click package I gave you. I can give them to you again if you want (and you can decide which are appropriate)
17:04 <jdstrand> chrisccoulson: cool, thanks
17:06 <jdstrand> chrisccoulson: as for the email-- maybe just upload the results to people.c.c and then give the link and a brief summary> "oxide rocks and can do more than qtwebkit" or similar. ie, don't spend a lot of time analyzing and formatting a great benchmarks email
17:06 <jdstrand> chrisccoulson: (obviously, if there are problems, we should file bugs, etc)
17:06 <jdstrand> anyhoo
17:06 <jdstrand> cool
17:06 <jdstrand> I guess it's back to me then
17:06 <jdstrand> [TOPIC] Highlighted packages
17:06 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:06 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:06 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/opensaml2.html
17:06 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/restlet.html
17:06 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/linkchecker.html
17:06 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/prewikka.html
17:07 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/mpop.html
17:07 <jdstrand> [TOPIC] Miscellaneous and Questions
17:07 <jdstrand> Does anyone have any other questions or items to discuss?
17:22 <jdstrand> #endmeeting