16:37 <tyhicks> #startmeeting
16:37 <meetingology> Meeting started Mon Mar 2 16:37:20 2015 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:37 <meetingology>
16:37 <meetingology> Available commands: action commands idea info link nick
16:37 <tyhicks> The meeting agenda can be found at:
16:37 <tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:37 <tyhicks> [TOPIC] Weekly stand-up report
16:37 <tyhicks> jdstrand: you're up
16:38 <jdstrand> I'm working on the store review tools wrt snappy
16:38 <jdstrand> I'm also helping with the oxide FFe and helping coordinate some oxide work
16:39 <jdstrand> I also have performance reviews to do
16:40 <jdstrand> I hope to work on snappy hw access some more. phase 1 landed, but need to be thinking longer term now
16:40 <jdstrand> I'd like to sync up with tyhicks and/or jjohansen on overlayfs/apparmor at some point this week too
16:40 <jdstrand> that's it from me
16:41 <mdeslaur> I'm on community this week
16:41 <mdeslaur> and tomorrow, I have patch piloting
16:41 <mdeslaur> I'm still banging my head on the icu updates
16:42 <mdeslaur> that's probably going to take up a couple of days still
16:42 <mdeslaur> after that, I'll continue down the CVE list
16:42 <mdeslaur> that's it for me
16:42 <mdeslaur> sbeattie: you're up
16:42 <sbeattie> I'm on security bug triage this week
16:43 <sbeattie> I also need to correct the mir abstraction library paths for bug 1422521
16:43 <ubottu> bug 1422521 in apparmor (Ubuntu) "mmap of ...mir/client-platform/mesa.so DENIED" [High,In progress] https://launchpad.net/bugs/1422521
16:43 <sbeattie> I'm continuing to test gcc-5 with pie enabled by default.
16:44 <sbeattie> I have some apparmor patches to review and am hoping to release 2.9.2 soon.
16:44 <sbeattie> That's pretty much it for me.
16:44 <sbeattie> tyhicks: tag.
16:44 <jdstrand> sbeattie: will 2.9.2 contain the mir abstraction?
16:44 <jdstrand> or we still want it to mature?
16:45 <sbeattie> Maybe. I'd kind of like it to mature a bit, perhaps move the unpriv mir client socket there as well.
16:46 <sbeattie> But I can also see the desire to get it in place upstream and fleshed out there instead.
16:47 <tyhicks> sbeattie: have you wrapped up the work to look at how well the apparmor init script is working with systemd?
16:48 <sbeattie> tyhicks: mostly, I want to poke at it a little more, but things are looking okay so far.
16:48 <tyhicks> sbeattie: good to hear - thanks for looking at that :)
16:48 <tyhicks> I'm on CVE triage this week
16:48 <tyhicks> it is the first time in a long time so it'll take me a while to get back in the swing of things
16:49 <tyhicks> I still need to land fixes upstream, retest and publish ecryptfs-utils security updates
16:49 <tyhicks> I'm going to add the ability to check subfeatures and then send out v2 of the libapparmor API changes
16:49 <tyhicks> by subfeatures, I mean the permissions typically found in the "mask" files of apparmorfs (such as apparmorfs/dbus/mask)
16:50 <tyhicks> then I'll restart my work on AppArmor kernel keyring mediation for user data encryption
16:50 <tyhicks> that's it for me
16:50 <tyhicks> jjohansen: you're up
16:50 <jjohansen> I need to finish testing the fix for the fd_inheritance Bug 1423810 (it is backport kernels only),
16:50 <jjohansen> I still need to finish looking into Bug 1425398, a first glance led me to believe it's actually a bug fix against the trusty version of apparmor that is causing the issue.
16:50 <jjohansen> push the current stack of bug fixes up to the kt
16:50 <jjohansen> Finish my review of the latest revision of the LSM stacking patches
16:50 <jjohansen> sync up discuss the libapparmor policy load api
16:50 <jjohansen> sync up with jdstrand on overlayfs
16:50 <jjohansen> and of course get back to upstreaming cleanup
16:50 <ubottu> bug 1423810 in apparmor (Ubuntu) "[krillin] apparmor fd_inheritance regression test causes kernel to crash" [Undecided,New] https://launchpad.net/bugs/1423810
16:50 <ubottu> bug 1425398 in linux-lts-utopic (Ubuntu) "Apparmor uses rsyslogd profile for different processes - utopic HWE" [Undecided,New] https://launchpad.net/bugs/1425398
16:51 <jdstrand> sbeattie: re systemd> I just noticed on a snappy system:
16:51 <jdstrand> 1 processes are unconfined but have a profile defined.
16:51 <jdstrand> /sbin/dhclient (723)
16:52 <jdstrand> sbeattie: that may be known-- dhclient is a system profile and not a snap profile, but seems we need to do something special there *if* we weren't going to land cache loading
16:52 <jjohansen> that isn't surprising
16:52 <jdstrand> no, it isn'
16:52 <jdstrand> t
16:52 <sbeattie> jdstrand: hunh, okay. I didn't see that in a vm, but I'll try and play around with snappy this week
16:52 <jdstrand> also, I'm not sure how tradition server software is doing
16:53 <jdstrand> traditional*
16:53 <jdstrand> sbeattie: thanks
16:53 <jdstrand> sbeattie: it might be a race. ping me if you need help with snappy kvm
16:54 <jjohansen> that is it for me sarnold you're up
16:55 <sarnold> I'm in happy place this week; I'm working on several MIR requests and back-burnered the horizon updates; those are blocked on the server team's work on preparing their serverstack testing environment to handle precise with distro-supplied openstack
16:55 <sarnold> when they have something far enough along to test, I'll head over to that
16:56 <sarnold> and I'll try to review some of the apparmor patches coming this week or already outstanding, but it's also not going to be a top priority
16:56 <sarnold> that's it for me, chrisccoulson?
16:56 <tyhicks> sarnold: let's continue to wait on the precise-essex serverstack enablement this week
16:57 <tyhicks> sarnold: if it doesn't happen this week, we need to go back to the wiki page for precise testing next week
16:57 <sarnold> tyhicks: makes sense
16:57 <tyhicks> thanks
16:57 <chrisccoulson> This week, I'll be getting thunderbird out. I also expect a chromium update, which means there'll be a corresponding oxide update
16:58 <chrisccoulson> Other than that, I'll be working on oxide bugs
16:58 <chrisccoulson> That's me done
16:59 <tyhicks> [TOPIC] Highlighted packages
16:59 <tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
16:59 <tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:59 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/insighttoolkit4.html
16:59 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/libphp-adodb.html
16:59 <tyhicks> [TOPIC] Miscellaneous and Questions
16:59 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/maildrop.html
16:59 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/xlockmore.html
16:59 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/python-soappy.html
16:59 <tyhicks> Does anyone have any other questions or items to discuss?
17:01 <tyhicks> jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson: Thanks!
17:01 <tyhicks> #endmeeting