#ubuntu-meeting log

15:01 <cjwatson> #startmeeting
15:01 <meetingology> Meeting started Thu Jul 17 15:01:52 2014 UTC.  The chair is cjwatson. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
15:01 <meetingology> 
15:01 <meetingology> Available commands: action commands idea info link nick
15:02 <cjwatson> #topic Lightning round
15:02 * mvo_ waves
15:02 <cjwatson> $ echo $(shuf -e barry doko stgraber jodh bdmurray slangasek cjwatson xnox caribou infinity mvo bhuey sil2100 robru)
15:02 <sil2100> o/
15:02 <cjwatson> bhuey infinity stgraber doko cjwatson caribou sil2100 xnox barry slangasek robru mvo jodh bdmurray
15:03 <bdmurray> cjwatson: I have to run an errand towards the end of the meeting could I go closer to the beginning?
15:03 <cjwatson> bdmurray: mkay, why don't you go first, not sure Bill's around
15:03 <sil2100> Maybe bdmurray could go first, bdmurray starts with the same letter as bhuey o/
15:03 * sil2100 nods to himself proudly
15:04 <bdmurray> and ends with the same letter too!
15:04 <sil2100> !
15:04 <bdmurray> review of armhf retracing results
15:04 <bdmurray> research into missing libmirclientplatform-android-dbgsym issue (its not in the Packages file)
15:04 <bdmurray> pinged wgrant, pitti about Packages files on ddebs.ubuntu.com
15:04 <bdmurray> investigation into apport's error re "package liburcu1 does not exist, ignoring"
15:04 <bdmurray> that was due to Contents.gz being out of date
15:04 <bdmurray> research into apport bug 1336062 (confirmed and testcase created)
15:04 <ubottu> bug 1336062 in apport (Ubuntu) "apport-retrace uses system package lists which may return a different source package for a binary" [Undecided,Fix committed] https://launchpad.net/bugs/1336062
15:04 <bdmurray> wrote test and submitted mp fixing bug 1336062
15:04 <bdmurray> worked with thedac to get apport updated to r2818 which fixes bug 1336062
15:04 <bdmurray> modified how the retracer uses the original_sas
15:04 <bdmurray> investigation into whoopsie bug 1339916
15:04 <ubottu> bug 1339916 in whoopsie (Ubuntu) "SystemIdentifier can change between reboots" [High,Confirmed] https://launchpad.net/bugs/1339916
15:04 <bdmurray> rewrote and tested how daisy/submit_core.py manages rabbit connections
15:04 <bdmurray> pinged jjo about cassandra / swift errors (he'd done something about it already)
15:04 <bdmurray> updated daisy-retracer charm and error-tracker-dependencies to use oops-amqp settings
15:04 <bdmurray> investigation into missing stacktrace for a specific bucket
15:04 <bdmurray> updated daisy to save the retraced crash report if the retraced crash has no Stacktrace
15:04 <bdmurray> got the dpkcomparator to build, then it failed oopsrepository tests (sorted that out)
15:04 <bdmurray> discussed tearing down newcassandra with thedac (its going to happen)
15:04 <bdmurray> irc discussion with plars regarding whoopsie and how it behaves and how it should behave
15:05 <bdmurray> ✔ done
15:05 <mvo_> tearing it down?
15:05 <infinity> * spent a lot of time on the kernel security and SRU updates
15:05 <infinity> * was sick for a bit
15:05 <infinity> * working on cleaning up last-minute pending bits for trusty point release
15:05 <infinity> * EOLing saucy today \o/
15:05 <infinity> ∞
15:05 <bdmurray> infinity: oh right, less crashes to accept!
15:06 <xnox> infinity: \o/ EOL EOL EOL =)
15:06 <cjwatson> #chair slangasek
15:06 <meetingology> Current chairs: cjwatson slangasek
15:07 <cjwatson> slangasek: http://paste.ubuntu.com/7809421/
15:07 <slangasek> cjwatson: ta
15:08 <infinity> stgraber: You're up.
15:09 <doko> continuing ...
15:09 <doko> - we are waldmeister
15:09 <doko> - openjdk-6 update, security will follow
15:09 <doko> - openjdk-7 update
15:09 <doko> - gcc-4.8, gcc-4.9 builds, for trusty, utopic, xgene
15:09 <doko> - some merges
15:09 <doko> - discussing and packaging of some third party software
15:09 <doko> - will be at Linaro on Fri, GNU Cauldron the weekend, and travelling back on Mon
15:09 <doko> (done)
15:09 <mvo_> lol
15:10 <cjwatson> Customer meeting.
15:10 <cjwatson> Working on parted 3 transition (in Debian).  Almost done - just need to fix partitionmanager and possibly NMU guymager, then get an ack from the Debian release team to start the transition.
15:10 <cjwatson> Pushing along the libav transition.  Also almost done - calligra still needs to be fixed, and then I need to coordinate the gallery-app changes.
15:10 <cjwatson> Landing team shift on Wednesday.
15:10 <cjwatson> launchpad-buildd change to improve compatibility with scalingstack.
15:10 <cjwatson> Optimised step A2 of the Launchpad publisher, cutting about three minutes off the primary archive publishing time in several cases.
15:10 <cjwatson> Preparing for RTM dogfood dry-run next week.  Discussed CI Train changes, added ubuntu-rtm support to livecd-rootfs, and most of the way through adding support to cdimage.
15:10 <cjwatson> ..
15:10 <caribou> * Sprint week with team in London
15:10 <caribou> * Complete Debian Maintainer application
15:10 <caribou> * Complete work on sosreport 3.1 backport on Precise (python3)
15:10 <caribou> * Work on sosreport for Debian upstream
15:10 <caribou> * Start migration to new escalation workflow
15:11 <caribou> (done)
15:11 <sil2100> o/
15:11 <sil2100> - Landing team work, landing e-mails, landing coordination - standard stuff
15:11 <xnox> caribou: are there details on the new workflow? Would like to be inline with it, when people ping me out of order.
15:11 <sil2100> - CI Train maintenance and features:
15:11 <sil2100> * Testing new auto merge & clean functionality
15:11 <sil2100> * Performing some security-based tests on the CI Train, reverts
15:11 <sil2100> * Debugging CI Train spreadsheet issues
15:11 <sil2100> * Looking into the jenkins secure start-build remote triggers
15:11 <sil2100> * Work on enabling CI Train for other-than-ubuntu distributions (e.g. ubuntu-rtm)
15:11 <sil2100> * Moving the unapproved-merges check to the publish job
15:11 <sil2100> * Testing the 'do not modify package version' functionality
15:11 <sil2100> * Minor tweaks
15:11 <sil2100> - Work on the CI Train Issue tracker:
15:11 <sil2100> * Sniffing around Launchpad's API lack of both JSONP or CORS
15:11 <sil2100> * Working backend, almost finished frontend
15:11 <sil2100> - Work on +1 Maintenance:
15:11 <sil2100> * Pushing an updated NEW libaudclient (now accepted into the archive)
15:11 <sil2100> * Pushing some rdeps of libaudclient2 to unblock: audtty, pidgin-audacious, wmaud
15:11 <sil2100> - Patch pilot work:
15:11 <sil2100> * Looking at the rp-pppoe release, commenting on some required changes/fixes
15:12 <sil2100> * Sponsoring the osm-gps-map trusty SRU upload
15:12 <sil2100> - Help out with packaging advice for various upstreams
15:12 <caribou> xnox: shoudn't change anything to UE, mostly to allign with CTS support tools
15:12 <sil2100> (done)
15:12 <xnox> caribou: ok.
15:12 <caribou> xnox: and UE interaction will remain on LP
15:12 <xnox> caribou: perfect.
15:12 <slangasek> xnox: Contents.gz being out of date> have you made any progress on that?
15:12 <xnox> slangasek: nope.
15:12 <xnox> * upstart 1.13 landed in the archive \o/
15:12 <xnox> * TODO land 1.13.1 into the archive
15:12 <xnox> * mdadm 3.3 merge done
15:12 <xnox> * plymouth 0.9.0 merge done
15:12 <bdmurray> :-(
15:12 <xnox> - but regresses vt_handoff=, e.g. i can instrument and see tty1
15:12 <xnox> getty between plymouth and lightdm
15:13 <xnox> * thanks barry for round of reviews on
15:13 <xnox> launchpadlib/lazr.restfulclient, need to fix things up abit more
15:13 <xnox> before proceeding to mass porting of
15:13 <xnox> ubuntu-dev-tools/ubuntu-archivetools, etc.
15:13 <xnox> * working on resolving:
15:13 <xnox> - desktop images failing to work in ci.ubuntu.com automated preseeding
15:13 <bdmurray> slangasek: we did win that race recently though
15:13 <xnox> - some other installer bugs
15:13 <xnox> ..
15:13 <xnox> slangasek: bdmurray: should be looking into it later today.
15:13 <cjwatson> sil2100: Just to be clear, are you working on both cupstream2distro and the spreadsheet?
15:13 <barry> phone: working on releasing system-image 2.3.  lots of work on stabilizing the test suite, investigating, reporting, and working around various external issues (e.g. LP: #1341685).  LP: #1339157.  LP: #1340882.  LP: #1342183.  LP: #1273354.  released 2.3 upstream, now working on the packaging branch for the citrain.  should be ready by eow.
15:13 <cjwatson> (for ubuntu-rtm)
15:14 <ubottu> Launchpad bug 1341685 in ubuntu-download-manager "When unconstrained, udm sometimes downloads files to wrong location" [Undecided,New] https://launchpad.net/bugs/1341685
15:14 <ubottu> Launchpad bug 1339157 in ubuntu-download-manager "Short term support for wifi-only downloads" [Undecided,New] https://launchpad.net/bugs/1339157
15:14 <ubottu> Launchpad bug 1340882 in Ubuntu system image "Include the D-Bus API documentation in system-image-dbus(8)" [High,Fix committed] https://launchpad.net/bugs/1340882
15:14 <ubottu> Launchpad bug 1342183 in Ubuntu system image "systemimage.config.Configuration() should take an ini_file argument" [High,Fix committed] https://launchpad.net/bugs/1342183
15:14 <ubottu> Launchpad bug 1273354 in Ubuntu system image "The mock service doesn't return downloading==1 for UpdateAvailable when a download is in progress" [Medium,Fix committed] https://launchpad.net/bugs/1273354
15:14 <barry> debuntu: zope.browserpage 4.1.0a1-0ubuntu1, zope.formlib 4.3.0a2-0ubuntu1, zope.copypastemove 4.0.0a1-0ubuntu1, debian bug #754016.  still haven't quite gotten all the zope.* packages cleared from -proposed, but i'll be looking at the blockers in more detail after landing system-image 2.3.
15:14 <ubottu> Debian bug 754016 in src:python-mode "python-mode: please switch to emacs24" [Normal,Fixed] http://bugs.debian.org/754016
15:14 <barry> other: helped various colleagues with python issues/questions/porting/reviews.  occasional py3 autopilot merging and pushing.
15:14 <barry> done
15:14 <sil2100> cjwatson: yes, but I didn't change too much on the spreadsheet side for RTM-support yet as there we're 'always' working on a live system
15:14 <sil2100> cjwatson: so I prefer to have the backend finished up and tested first
15:15 <cjwatson> xnox: ubuntu-archive-tools should almost all be ready for Python 3 already.  I made some effort there a while back, although most of the porting was a bit blind.
15:15 <cjwatson> xnox: There's the problem that I expect some AAs are still running them on trusty, though, and some people other than AAs use ubuntu-archive-tools too.
15:15 <cjwatson> So we may need to wait a while before flipping #!.
15:16 <cjwatson> sil2100: Right, thanks
15:17 <robru> is it my turn? sorry guys I got disconnected at the exact moment that the order was given, I missed it
15:17 <barry> slangasek's turn i think
15:17 <infinity> robru: You're after slangasek.
15:18 <slangasek> caribou: escalation workflow shouldn't change anything for UE> so I should continue to ignore out-of-band requests for help on the nis package? ;-)
15:18 <robru> infinity, thanks
15:18 <slangasek> ok one sec
15:18 <xnox> cjwatson: yeah, I understand that trusty is important and thus shebang shouldn't be changed yet. If i port enough bits and validate that they run correctly, I can look into upstream release of python3 enabled stack, uploads to debian/ubuntu and then possibly backport python3 support into e.g. trusty-backports or some such.
15:18 <mvo_> hello, sorry - we had a power outage here
15:18 <xnox> mvo_: heat power cut?! =)
15:18 <slangasek> * finishing up the console-setup merge
15:18 <slangasek> * not enough beer in the world
15:18 <slangasek> * working on supporting nss_extrausers in adduser; however, there seem to be various requirements that assume other pieces will Just Work when they don't, now reviewing the spec
15:18 <mvo_> probably :)
15:18 <slangasek> * nudged upstart 1.13 into the archive a bit
15:18 <slangasek> * moving the C++11 ABI transition forward so we can unblock gcc-4.9
15:18 <mvo_> and no mobile either
15:18 <slangasek> * performance review cycle stuff
15:18 <slangasek> * patch piloting today
15:19 <cjwatson> xnox: *nod*
15:19 <caribou> slangasek: business as usual
15:19 <xnox> slangasek: apw and I can ship more beer to get that merge done =)
15:20 <slangasek> xnox: at some point you start to drown in it, and that's also an impediment?
15:20 <xnox> slangasek: there is always dehydrated caplets and IV drips.....
15:20 <xnox> =))))
15:21 <caribou> slangasek: but I thought my OOB request was on pamd
15:21 <slangasek> (done)
15:21 <slangasek> caribou: this wasn't you ;)
15:21 <slangasek> robru: your turn
15:21 <robru> * updated CI Train dashboard and queuebot to not hard-code spreadsheet column numbers, making them more flexible in the face of spreadsheet changes, which will happen soon to support RTM
15:21 <robru> * neutered Friends API, so it still exists for compatibility, but does not actually send or receive any messages. this fixes a long-standing security hole on the desktop where Friends would let any app impersonate you on your social networks without any authentication.
15:21 <robru> * ton of ongoing landings as usual.
15:21 <robru> * Trusty SRU of webapps-greasemonkey
15:21 <robru> * branch to drop friends scope from unity7
15:21 <robru> * de-seeded friends-app from touch image 131 & up
15:21 <robru> * minor branch to fix a merge failure in the g++-4.9 transition
15:21 <robru> * tweaked CI Train silo dashboard to not hover-hide MP URLs when there's a search term present. so if you're looking at just a couple silos, you don't need to fiddly-hover over the source package name to see the MP links.
15:21 <robru> * also made the hover-mp-list slightly less fiddly to mouse to by squaring-off the top left corner, and decreasing the left margin, so you can mouse to it with less precision.
15:21 <robru> ✔ done
15:21 <caribou> slangasek: ah
15:21 <mvo_> citrain:
15:21 <mvo_> - Add warning to the .gs script when low on silos
15:21 <mvo_> - Landing team duty
15:21 <mvo_> click:
15:21 <mvo_> - Code review
15:21 <mvo_> - Discussion about click signatures/read the old ML thread to be uptodate
15:21 <mvo_> - fix bug in debsigs --delete
15:22 <mvo_> (https://gitorious.org/debsigs/debsigs/merge_requests/1)
15:22 <mvo_> - Improve lp:/~mvo/click/lp1334611-getpwnam based on Colins feedback (thanks)
15:22 <mvo_> - lp:~mvo/click/click-ubuntu-policy - initial skeleton for the debsig-verify
15:22 <mvo_> based verification
15:22 <mvo_> - lp:~mvo/click/debsigs-verify
15:22 <mvo_> - Lp:~mvo/click/more-integration-tests3
15:22 <mvo_> - Trying to debug #1338994 (no luck)
15:22 <mvo_> hwe:
15:22 <mvo_> - Debug/fix #1341324 and upload new version to precise-proposed
15:22 <mvo_> - Debugged/fixed #1342424 - simple, but underlying problem is in pam,
15:22 <mvo_> created possible solution for this as well
15:22 <mvo_> - fix bug in update-motd to take
15:22 <mvo_> /var/lib/update-notifier/disable-hwe-eol-messages into effect when
15:22 <barry> robru: RIP friends?
15:22 <mvo_> checking if the cache is still valid
15:22 <mvo_> apt:
15:22 <mvo_> - Debug/fix bug commandline arg parsing for packages starting with 0/1
15:22 <mvo_> - Debug kubuntu upgrade issue with riddel
15:22 <mvo_> - Debug/fix segfault Bug#754904
15:22 <mvo_> merge:
15:22 <mvo_> - Manpages, aptitude, krb5, slang2, curl
15:22 <mvo_> - looked at some more like coreutils that are not needed to merge at this
15:22 <mvo_> point, would be nice to have a way to mark them as unneeded somehow
15:22 <mvo_> misc:
15:22 <mvo_> - command-not-found: fix #1130444 and update data for utopic
15:22 <mvo_> - apt-ddtp update/upload
15:22 <mvo_> - Phone issues (browser 100%: #1342195, calendar not working #1338956)
15:22 <mvo_> (done)
15:23 <robru> barry, yep, sorry to say, it just wasn't architected for the mobile world. we can maybe revisit reviving it in 15.04 but it just wasn't suitable to RTM
15:23 <jodh> * foundations-1305-upstart-work-items:
15:23 <jodh> - cgroups+async: Released Upstart 1.13 and updated Upstart Cookbook.
15:23 <jodh> * upstart:
15:23 <jodh> - Fixed bug 1222705.
15:23 <ubottu> bug 1222705 in upstart (Ubuntu) "init assert failure: alloc.c:633: Assertion failed in nih_unref: ref != NULL" [High,Confirmed] https://launchpad.net/bugs/1222705
15:23 <jodh> - Followed up with a 1.13.1 release.
15:23 <jodh> - Uploaded 1.13.1 to archive.
15:23 <jodh> * systemd:
15:23 <jodh> - Fixed bug 1342586.
15:23 <ubottu> bug 1342586 in systemd (Ubuntu) "[utopic] [proposed] cgmanager breaks lightdm login" [High,Fix committed] https://launchpad.net/bugs/1342586
15:23 <jodh> - Picking over 'systemd-boot' bugs
15:23 <jodh> ⌚
15:23 <barry> robru: ah well, who needs friends anyway?
15:23 <robru> barry, not me! I got you guys!
15:23 <jodh> xnox: we haven't yet actually activated cgroup support in upstart. We need something like http://paste.ubuntu.com/7809486/ but I'm not sure if we need tweaks to d/control for cgmanager?
15:24 <barry> robru: with friends like us... :)
15:24 <xnox> jodh: i'd rather not tweak tight dependencies and instead do that but with extra || true
15:24 <jodh> xnox: my local .conf does exactly that :)
15:25 <jodh> xnox: I'll raise an MP...
15:25 <slangasek> mvo_: 1342424> I thought you were fixing it to always use ISO dates?  That seems perfectly appropriate to me, and is then not locale-dependent
15:25 <xnox> jodh: and i'd want to land that when it's relatively quite in the archive, It's not at the moment. Maybe later on friday and/or over the weekend - monday time.
15:25 <mvo_> slangasek: I fixed it that way, yes. I also mentioned in the bugreport that we might consider to make_pamd set the locale/lang environment
15:26 <mvo_> slangasek: but that would not be suitable for a sru I think as it may trigger more bugs/unexpected behavior
15:26 <slangasek> mvo_: ack
15:26 <jodh> xnox: I vote for Monday (Warsaw's Second Law :)
15:26 <barry> :)
15:26 <mvo_> slangasek: but if that something from the pam maintainers perspective that is worthwhile, I can add it in utopic
15:26 <slangasek> mvo_: no, I don't think that warrants an SRU
15:27 <slangasek> bhuey: here?
15:27 <slangasek> seems not
15:28 <slangasek> mvo_: ready to talk about click signing? :)
15:28 <xnox> *gasp* exiting =)
15:28 <mvo_> sure, get ready for a paste attack
15:28 <mvo_> What I'm currently working on: Signatures on Click Packages from
15:28 <mvo_> the store and the developers.
15:28 <mvo_> Most of the discussion happened about a year ago, Colin suggested to
15:28 <mvo_> use debsigs/debsig-verify back then. There was a competing proposal to
15:28 <mvo_> just use gpg detached signatures that caused some discussion but the
15:28 <mvo_> approach via debsig-verify is much more flexible and robust. Its based
15:28 <slangasek> [TOPIC] Click signing
15:28 <mvo_> on detached gpg signatures that get appended to the deb ar
15:28 * xnox *exciting
15:28 <mvo_> container. Because a click is a relocatable deb without the maintainer
15:28 <mvo_> script nonsense we can use those tools just fine. All we are currently
15:28 <mvo_> providing is SSL (which is obviously not good enough) but we will add
15:28 <mvo_> signatures from both the developer and from the store.
15:28 <mvo_> How does it work in detail?
15:28 <mvo_> - the developer signs the foo.click via "debsig --sign=maint", this
15:28 <mvo_> process will be integrated into qtcreator in some way
15:28 <mvo_> - the foo.click is uploaded to the store
15:28 <mvo_> - the store checks that the signature is valid and if so appends its
15:28 <mvo_> own "debsig --sign=origin" signature
15:29 <mvo_> - user A downloads the click with the 2 sigs
15:29 <mvo_> - "click install foo.click" checks the origin signature via
15:29 <mvo_> debsig-verify and rejects invalid/missing ones
15:29 <mvo_> (unless --allow-unauthenticated is given which can overrides
15:29 <mvo_> missing ones)
15:29 <mvo_> - developer signature is not used on the user machine *but* the
15:29 <mvo_> developer (or anyone else) can verify that we didn't alter his/her
15:29 <mvo_> click package. "debsigs --delete=origin" will even restore the identical
15:29 <mvo_> click package that got uploaded to the click store
15:29 <mvo_> What the current status:
15:29 <mvo_> - click branch with debsigs-verify integration is ready for review
15:29 <mvo_> - we need a store origin signing key
15:29 <mvo_> - the store needs to sign the clicks using debsigs --sign=origin
15:29 <mvo_> - a skeleton package click-ubuntu-policy with the debsig-verify policy
15:29 <mvo_> is available, but it needs review and the store signing pubkey
15:29 <mvo_> - once click-ubuntu-policy is ready it gets seeded and becomes part
15:29 <mvo_> of the base image
15:29 <mvo_> - we do not need to modify any of the higher layers (scope, updater)
15:29 <mvo_> References:
15:29 <mvo_> - https://wiki.ubuntu.com/SecurityTeam/Specifications/ClickPackageSigning
15:29 <mvo_> - https://bugs.launchpad.net/ubuntu/+source/click/+bug/1330770
15:29 <mvo_> ---
15:29 <ubottu> Ubuntu bug 1330770 in click (Ubuntu) "click packages rely upon tls for integrity and authenticity" [High,In progress]
15:30 <mvo_> thats the part I prepared :) I think this is the first time I'm part of such a session
15:30 <xnox> mvo_: how does debsigs work? is it extra members in the ar archive?
15:30 <cjwatson> it is
15:30 <mvo_> xnox: yes, it adds a extra member for the origin and the maintainer
15:30 <mvo_> (so one extra each)
15:30 <cjwatson> _gpg<arbitrary name>
15:31 <slangasek> '"debsigs --delete=origin" will even restore the identical click package that got uploaded to the click store' - oh, nice
15:31 <mvo_> yeah, thats a nice property - once the fix for this lands upstream, but we can just distro patch it
15:31 <cjwatson> even without debsigs --delete=origin working (which mvo had to fix), debsigs is append-only, so you can see that your previous package is a prefix
15:31 <xnox> are we gonna sign archive binaries like that as well?
15:32 <xnox> imho it would be benefitial that e.g. one can downloads debs direct from launchpadlib and verify them.
15:32 <xnox> instead of just relying on the librarian SSL
15:32 <slangasek> out of scope ;)
15:32 <cjwatson> .debs have the chain of trust back to Release.gpg - there are some fringe benefits like that to signing them inline, but I'm not sure it's worth the hassle
15:32 <cjwatson> and indeed, out of scope
15:33 <cjwatson> we still need to organise some kind of meeting to generate and shard a store signing key
15:33 <slangasek> note that Debian has consistently refused to support debsigs for packages in the Debian archive
15:33 <cjwatson> that's on the floor right now unless somebody has picked it up lately
15:33 <slangasek> on the grounds that it would seduce users into trusting them in bad ways
15:33 <xnox> ETOMANYSHARDS =)
15:33 <cjwatson> tell me about it <looks at bag>
15:33 <infinity> slangasek: Debian has the problem that their binaries are generated on a whole lot of machines owned/operated by a whole lot of people.
15:34 <infinity> slangasek: We could certainly sign our binaries in a more verifiably secure fashion.
15:34 <slangasek> heh, so we want all the same keymanagement for this as for our other keys?
15:34 <cjwatson> infinity: that's true of click packages too - we're applying the store signature centrally later
15:34 <infinity> (Oh, I guess they could sign on ftpmaster with this append mode business)
15:34 <cjwatson> debsigs supports multiple signatures for this kind of reason
15:34 <slangasek> infinity: that's not the reason ftpmasters reject them
15:34 * xnox ponders if _my_ debs would be rejected if I debsign them.
15:34 <slangasek> xnox: yes
15:34 <xnox> poodles =(
15:34 <barry> infinity: there were some long threads about source-only uploads a la ubuntu, but that seems to have petered out :/
15:35 <cjwatson> slangasek: so, I don't know how much of the full panoply we want, but if we have a key that's being trusted by a gazillion client devices we should manage it securely
15:35 <cjwatson> it probably isn't immediately necessary to have it signed by the über-master key
15:35 <xnox> cjwatson: just convert the ssl private key into a gpg key *giggle* =)
15:35 <xnox> (the store one)
15:35 <slangasek> cjwatson, mvo_: is key rotation already specced out?
15:36 <slangasek> xnox: I'm returning this beer, it's clearly been doped with something
15:36 <mvo_> not in detail, my current plan is to have it as part of the ubuntu-click-policy package that can be updated as part of the system-image
15:36 <slangasek> ok
15:36 <mvo_> I'm not sure if that is in line with the vision of cjwatson and the security team
15:36 <slangasek> I guess we should have that written up sooner rather than later and get eyeballs on it :)
15:37 <mvo_> yes, I will send out a mail after the meeting
15:37 <xnox> slangasek: =)))))
15:38 <slangasek> cool
15:38 <slangasek> any other questions for mvo?
15:39 <slangasek> btw, if we're updating it via a package that's in the system-image anyway, maybe it makes sense to just chain it off one of the existing trust chains in the image instead of creating a whole new root
15:39 <slangasek> i.e., avoid the whole "must reconstitute an offline key to rotate this key"
15:40 * mvo_ nods
15:40 <barry> that's not a bad idea
15:40 <barry> https://wiki.ubuntu.com/ImageBasedUpgrades/GPG
15:42 <slangasek> mvo_: thanks for filling us in on your work!
15:42 <mvo_> thanks for listening
15:42 <slangasek> [TOPIC] AOB
15:42 <mvo_> (or reading)
15:42 <slangasek> anything else?
15:43 * mvo_ mumbles something about the heat
15:43 <infinity> What he said.
15:44 * slangasek is getting quotes for air conditioning this week
15:44 <infinity> As my phone would autocorrect to, "ducking summer".
15:44 <ogra_> icecream !
15:44 <barry> slangasek: what was that about the debconf dorms again? :)
15:44 <slangasek> stay tuned for ranty blogs about internet-enabled thermostats that don't let you manage them without talking to a third-party server!
15:45 <slangasek> barry: well, so far the summer has been surprisingly muggy; I have no reason to believe this will continue into the end of August, Portland usually has its heat wave around this time or a couple of weeks later and then it tapers off - e.g., it's supposed to be 70 degrees this weekend ;)
15:46 <infinity> Is that it?  Can I reboot my firewall now?
15:46 <barry> slangasek: perfect!
15:46 <slangasek> barry: but a heat pump has been on our todo list for a few years, and this year I'm actually in town for the 95 degree weather, so ;)
15:46 <slangasek> infinity: yep!
15:46 <slangasek> #endmeeting