16:42 <jdstrand> #startmeeting
16:42 <meetingology> Meeting started Mon Mar 17 16:42:12 2014 UTC.  The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:42 <meetingology> 
16:42 <meetingology> Available commands: action commands idea info link nick
16:42 <jdstrand> The meeting agenda can be found at:
16:42 <jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:42 <jdstrand> [TOPIC] Review of any previous action items
16:42 <jdstrand> [ACTION] chrisccoulson send oxide and qtwebkit benchmark results to mailing list
16:42 * meetingology chrisccoulson send oxide and qtwebkit benchmark results to mailing list
16:43 <chrisccoulson> that's done
16:43 <jdstrand> chrisccoulson: cool. where did that go? I haven't gone through all of my email yet from being off friday
16:44 <chrisccoulson> jdstrand, https://lists.launchpad.net/oxide/msg00003.html
16:44 <jdstrand> awesome!
16:44 * jdstrand hugs chrisccoulson :)
16:45 <jdstrand> [TOPIC] Weekly stand-up report
16:45 <jdstrand> I'll go first
16:45 <jdstrand> I have pending updates
16:45 <jdstrand> and an embargoed issue
16:46 <jdstrand> mdeslaur: you're up
16:46 <mdeslaur> I'm on triage this week
16:46 <mdeslaur> I just published a couple of usns, and I have a few more that are at the testing stage
16:47 <jdstrand> mdeslaur: (fyi, sb eattie is off today)
16:47 <mdeslaur> that's about it, I'll be going down the list after that
16:47 <mdeslaur> tyhicks: you're up
16:47 <tyhicks> I submitted v2 of the dbus-daemon patches upstream last friday
16:48 <jjohansen> \o/
16:48 <tyhicks> so now I'm looking at kdbus and helping out with apparmor work items this week
16:48 <tyhicks> if I can get to it, taking another look at the test-kernel-security.py failures on powerpc would be good, too
16:48 <tyhicks> that's it for me
16:49 <tyhicks> jjohansen: you're up
16:49 <jjohansen> I'm pulling my hair out, err working on apparmor again this week.
16:49 <chrisccoulson> heh :)
16:50 <jjohansen> There were some qrt test failures that sarnold reported at the end of the week that we need to finish looking into.
16:50 <jdstrand> jjohansen: that is 2.8.95 related?
16:50 <jjohansen> and there are still issues around ipc, with sockets
16:50 <jjohansen> jdstrand: yes
16:50 <jdstrand> hrm
16:51 <jdstrand> do we expect 2.8.95 to land this week?
16:51 <jdstrand> (that is for sarnold and jjohansen)
16:52 <jjohansen> jdstrand: I think so
16:52 <sarnold> jdstrand: I think so, there were more QRT failures on the nexus 4 than I expected, but it was rough even getting it to run there, so perhaps it shouldn't be a surprise
16:53 <jdstrand> hmm
16:53 <jjohansen> jdstrand: 2 of the failures are due to things not being supported in the test environment/platform and not being properly detected as such. The others I haven't looked into yet
16:53 <jdstrand> tyhicks: didn't you do qrt on the nexus 4?
16:53 <jdstrand> I thought it was working
16:53 <jdstrand> but might be misremembering
16:53 <sarnold> jdstrand: .. and I think the 2.8.0 apparmor packaging on the nexus 4 fails your test plan in the same ways as the new 2.8.95 apparmor fails it, so I'm hopeful there :)
16:53 <tyhicks> jdstrand: I'm pretty sure that I did
16:54 <tyhicks> but I'd guess that sarnold is talking about testing 2.8.95 on the nexus 4
16:54 <jdstrand> sarnold: I'm interested in hearing more specifics about that
16:54 <jdstrand> tyhicks: yes, but just said that 2.8.0 fails similarly
16:54 <tyhicks> oh
16:54 <jdstrand> sarnold: we can discuss outside of the meeting
16:55 <jjohansen> yep
16:55 <jjohansen> I think that is it from me, sarnold you're up
16:56 <sarnold> I'm on community this week
16:56 <sarnold> also landing apparmor this week
16:56 <sarnold> and I still have juju, schroot, strongswan, glusterfs, and cgmanager MIRs to start and finish.
16:57 <sarnold> so I'm really hoping we can land apparmor today :)
16:58 <sarnold> I think that's it for me, chrisccoulson you're up :)
16:58 <chrisccoulson> this week, i've got mozilla updates
16:58 <chrisccoulson> also planning to land oxide in the archive
16:59 <chrisccoulson> and finish my ever growing list of oxide code reviews :)
16:59 <chrisccoulson> and hopefully get https://code.launchpad.net/~chrisccoulson/oxide/network-callbacks merged, which has turned into quite a significant chunk of work now
16:59 <chrisccoulson> i think that's me done :)
17:02 <jdstrand> chrisccoulson: network-callbacks is the lion's share of the UA overrides work you mentioned in the oxide meeting?
17:03 <chrisccoulson> jdstrand, it is. but it also contains hooks for storage access permissions (well, currently only cookies, but this is going to be extended to local storage, appcache, indexeddb and webdb as well) too
17:03 <chrisccoulson> and it has support for third party cookie blocking
17:03 <jdstrand> ack
17:03 <jdstrand> [TOPIC] Highlighted packages
17:03 <jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:03 <jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:03 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/slurm-llnl.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gksu-polkit.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/lib3ds.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/google-authenticator.html
17:04 <jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libdigidoc.html
17:04 <jdstrand> [TOPIC] Miscellaneous and Questions
17:04 <jdstrand> I have some questions related to our major deliverables for 14.04
17:06 <jdstrand> based on the oxide standup today, oxide should be landing in the archive this week. webbrowser-app will follow after that and there is still quite a bit to do, but it is still believed that we will deliver oxide (and other teams webbrowser-app, UbuntuWebView and webapp-container)
17:06 <jdstrand> that is awesome
17:07 <jdstrand> apparmor 2.8.95 seems like it is close and sounds like it should land this week. We really need to make sure it does to pave the way for the next update
17:07 <jdstrand> jjohansen: you mentioned that there is a bug related to ipc, with sockets. is that the remaining known bug?
17:07 <jjohansen> the as in singular? no
17:08 <jjohansen> it's one of the remaining problems
17:08 <jjohansen> v5 behavior (old kernel should be fine)
17:08 <jdstrand> jjohansen: assuming 2.8.95 was fixed and landed in the archive, what is left for landing ipc?
17:08 <jjohansen> new kernel has issues
17:09 <jjohansen> jdstrand: there needs to be some revisions around ptrace, signals, and other policy
17:10 <jjohansen> there needs to be some fixes to the network code
17:10 <jjohansen> I think it's doable this week
17:10 <jdstrand> jjohansen: the network code is doable this week?
17:11 <jjohansen> I think so
17:11 <jdstrand> is the sockets ipc bug for this week?
17:11 <jjohansen> yes I plan to fix that this week
17:12 <jdstrand> jjohansen: 'new kernel has issues' - is that the network code, v5 behavior, or something else?
17:14 * jdstrand meant to add to his items this week to comment on the ipc policy
17:14 <jjohansen> jdstrand: there are a few things, network code, there is a replacement issue around compound labels, there needs to be a versioning behavior change around the xtrans table in the parser that is fed into the kernel
17:15 <jdstrand> ok. so, I'm just trying to create a list so I better understand where we are
17:15 <jjohansen> jdstrand: let's put it this way, it's good enough to pass the current regression tests, but issues are known (which just means we need to add more tests)
17:16 <jdstrand> cause I'm starting to get nervous about ipc landing
17:16 * jjohansen too
17:16 <jjohansen> oh and I need to do testing of it as a backport on precise and make sure it's working right there
17:17 <jdstrand> jjohansen: is the versioning change for this week?
17:17 <jjohansen> some that should be working but I haven't tested yet with the latest kernel
17:17 <jjohansen> jdstrand: yes it is needed
17:18 <jdstrand> jjohansen: is the replacement issue around compound labels the socket issue or something else?
17:18 <jjohansen> jdstrand: it is something else
17:18 <jdstrand> is the replacement issue for this week?
17:18 <jjohansen> jdstrand: I have a patch to fix it, but applying that patch causes the kernel to die for a different but related reason so I need to fix that
17:19 <jdstrand> ok
17:19 <jjohansen> jdstrand: the replacement issue can be put off, as things can work without it.
17:19 <jdstrand> jjohansen: were you able to upload test packages to the ppa based off sarnold's 2.8.95 from last week?
17:19 <jjohansen> compound labels just don't get updated correctly after replacement
17:19 <jjohansen> jdstrand: I have not, yet. I can do that today
17:20 <jdstrand> jjohansen: re ppa> well, only if it helps people. perhaps wait until you have the final packages we plan to upload since they may land tomorrow
17:20 <jdstrand> personally, I won't be able to install them today
17:21 <jdstrand> but could tomorrow
17:21 <jjohansen> okay
17:21 <jdstrand> sb eattie is off today, so delaying to at least tomorrow makes sense to me
17:22 <jdstrand> jjohansen: 'there needs to be some revisions around ptrace, signals, and other policy' - are you talking about policy language?
17:23 <jjohansen> yes, it's minor
17:23 <jjohansen> the actual work won't take long
17:24 <jdstrand> ok, so known issues. iirc, no one really responded to the policy language changes in the thread
17:24 <jdstrand> of course, we worked through a lot of that before
17:24 <jdstrand> do we feel like the policy language is in good shape (other than this minor issue)?
17:25 <jdstrand> jjohansen: ^
17:26 <jjohansen> I don't even know that I'd call it an issue, as looking for clarification, so we are happy with a final syntax
17:26 <jdstrand> I see-- so, "yes, the final syntax is very close"
17:26 <jjohansen> something that needs input from more than just me
17:27 <jjohansen> yes we are close
17:27 <jjohansen> we are talking about sugar, not functionality
17:27 <jdstrand> right. perhaps respond to the list saying the lack of response is blocking it landing?
17:27 <jjohansen> can do
17:28 <jdstrand> jjohansen: does this look about right> http://paste.ubuntu.com/7109323/
17:28 <jdstrand> oh, I forgot to ask about testing
17:28 <jdstrand> jjohansen: do you know where we stand on coverage for these new features?
17:29 <jjohansen> ptrace is pretty good, signal less so
17:30 <jdstrand> jjohansen: I know that is a lot in sb eattie's domain, but curious if you knew
17:30 <jdstrand> ok'
17:31 <jdstrand> ok
17:31 <jjohansen> that said, signal is not as bad as it may seem. It is actually getting tested in several of the other regression tests
17:31 <jdstrand> so, I think I captured all that. I'd like outside of this meeting to discuss a plan to land this, with assigning people to do different things
17:32 <jdstrand> tyhicks: should we push the v2 dbus patches once upstream ACKs them?
17:32 <jdstrand> tyhicks: push to trusty that is
17:32 <tyhicks> jdstrand: that's something I've been wondering
17:32 <tyhicks> jdstrand: I think it would be a good idea
17:32 <jdstrand> trusty is 5 years LTS
17:33 <jdstrand> it seems like it would be
17:33 <tyhicks> jdstrand: I feel confident in them and have tested them a considerable amount
17:33 <tyhicks> I think so
17:33 <jdstrand> ok, we need to come up with a plan for all this stuff
17:33 <jdstrand> Does anyone have any other questions or items to discuss?
17:33 <jjohansen> yeah I think that it's a good idea, to push them in
17:34 <tyhicks> all except for the last 2 patches in the series are a drop-in replacement
17:34 <tyhicks> we wouldn't push those last 2 patches, because they depend on a dbus-daemon method that isn't in trusty's dbus-daemon
17:34 <mdeslaur> tyhicks: what's special about the last two?
17:34 <mdeslaur> oh
17:34 <tyhicks> mdeslaur: it is a new method to get a peer's security credentials
17:35 <mdeslaur> ok
17:35 <tyhicks> we would live with our current distro-patched org.freedesktop.DBus.GetConnectionAppArmorSecurityContext() method
17:36 <tyhicks> that's no big deal
17:38 <jdstrand> mdeslaur, tyhicks, jjohansen, sarnold, chrisccoulson: thanks!
17:38 <jdstrand> #endmeeting