16:33 <tyhicks> #startmeeting
16:33 <meetingology> Meeting started Mon Jun  1 16:33:48 2015 UTC.  The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:33 <meetingology> 
16:33 <meetingology> Available commands: action commands idea info link nick
16:34 <chrisccoulson> o/
16:34 <tyhicks> The meeting agenda can be found at:
16:34 <tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:34 <jdstrand> hi
16:34 <tyhicks> [TOPIC] Announcements
16:34 <tyhicks> We had a number of contributions over the last two weeks
16:34 <tyhicks> Stefan Bader (smb) provided debdiffs for trusty-vivid for xen
16:34 <tyhicks> Otto Kekäläinen (otto) provided debdiffs for trusty-utopic for mariadb-5.5 (LP: #1451677)
16:34 <ubottu> Launchpad bug 1451677 in mariadb-5.5 (Ubuntu) "USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB" [Undecided,Fix released] https://launchpad.net/bugs/1451677
16:34 <tyhicks> Gianfranco Costamagna (LocutusOfBorg) provided debdiffs for precise-utopic for virtualbox (LP: #1456553)
16:34 <ubottu> Launchpad bug 1456553 in virtualbox (Ubuntu) "CVE-2015-3456" [Undecided,Fix released] https://launchpad.net/bugs/1456553
16:34 <tyhicks> Andreas Cadhalpun (andreas-cadhalpun) provided a debdiff for vivid for ffmpeg (LP: #1458171)
16:34 <ubottu> Launchpad bug 1458171 in ffmpeg (Ubuntu) "FFmpeg security fixes May 2015" [Undecided,Fix released] https://launchpad.net/bugs/1458171
16:34 <tyhicks> Felipe Reyes (freyes) provided debdiffs for precise-vivid for openldap (LP: #1446809)
16:34 <ubottu> Launchpad bug 1446809 in openldap (Ubuntu Precise) "[SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545)" [High,Fix released] https://launchpad.net/bugs/1446809
16:34 <tyhicks> Thanks to you all for your assistance in keeping Ubuntu secure! :)
16:35 <tyhicks> [TOPIC] Weekly stand-up report
16:35 <tyhicks> jdstrand: you're up
16:36 <jdstrand> hopefully today I will finish the big review tools update that will make the store and packages work as well for snappy apps and frameworks as for clicks
16:36 <jdstrand> that got delayed a bit last week due to store api changes and LP being down (I wanted to pull down everything from the store and compare existing tools with trunk)
16:36 <jdstrand> that's all resolved, just need to go through the output now
16:38 <jdstrand> I've been working quite a bit on processes surrounding security support for system-image variants of Ubuntu (eg, touch and core)
16:38 <jdstrand> that will continue
16:38 <jdstrand> there is work planning with tyhicks
16:39 <jdstrand> and I hope to at least start if not finish (for wily) handling seccomp policy upgrades on snappy
16:39 <jdstrand> which will then need an SRU, at which point I will also do an SRU for ubuntu-core-security. that SRU work is likely next week
16:39 <jdstrand> I have two embargoed items
16:41 <jdstrand> that's it from me
16:41 <mdeslaur> I guess I'm up
16:41 <mdeslaur> I'm about to publish an ipsec-tools update for precise
16:41 <mdeslaur> and I have some openssl updates that will be going out today that disable export ciphers
16:42 <mdeslaur> after that, I'll be working on testing an apache2 update for precise that backports ecc support and better dh handling
16:42 <mdeslaur> I also have some qt updates to test
16:42 <mdeslaur> I am also looking into a glibc tzdata regression that is causing mercurial to FTBFS on 32 bit platforms
16:42 <mdeslaur> that's it from me, sbeattie, you're up
16:42 <sbeattie> I'm on community this week
16:43 <sbeattie> I'm working through the backlog of outstanding apparmor patch reviews.
16:43 <sbeattie> I'm also working on testing for the apparmor trusty SRU
16:44 <sbeattie> I still have the gcc pie work on my plate.
16:44 <mdeslaur> mmm....pie
16:44 <mdeslaur> (that joke never gets old)
16:44 <sbeattie> and I have an nbd update simmering on the back burner.
16:45 * sbeattie takes a note to use cooking analogies for all his future status reports
16:45 <sbeattie> that's it for me. tyhicks?
16:45 <tyhicks> sbeattie: is it still possible to land the PIE change for wily?
16:46 <sbeattie> I think so, yes.
16:46 <tyhicks> ok
16:46 <tyhicks> I'm handling bug triage this week
16:46 <mdeslaur> oh, I have something else I forgot to mention
16:46 <tyhicks> go for it
16:47 <mdeslaur> I plan on uploading bash to wily today with the setuid privilege dropping re-enabled, and I plan on looking at taviso's patch for dash to do the same
16:47 <tyhicks> oh cool
16:47 <sbeattie> \o/
16:48 <sarnold> yay :)
16:48 <tyhicks> I plan on helping out with security updates this week
16:48 <tyhicks> I will return to working on adding kernel keyring mediation support to AppArmor parser
16:49 <tyhicks> hopefully wrap up work planning tasks
16:49 <tyhicks> and I have a few embargoed items
16:50 <tyhicks> that's it for me
16:50 <tyhicks> jjohansen: you're up
16:50 <jjohansen> I need to finish up dealing with 2.10 patch review and replies, so we can get 2.10 out the door.
16:51 <jjohansen> Finish up with the kernel security sign-offs
16:51 <jjohansen> Figure out what we are doing for LSS (if anything)
16:51 <jjohansen> Sync up on dconf mediation
16:52 <jjohansen> Continue with the kernel patch cleanup
16:52 <jjohansen> and I have an embargoed item or two
16:53 <tyhicks> jjohansen: can you send your fix for bug #1430546 to the kteam this week? (I'm assuming it is just a git send-email away)
16:53 <ubottu> bug 1430546 in linux (Ubuntu) "apparmor kernel BUG kills firefox" [Medium,Triaged] https://launchpad.net/bugs/1430546
16:54 <jjohansen> tyhicks: yes
16:54 <tyhicks> thanks
16:54 <tyhicks> sarnold: you're up
16:54 <sarnold> I'm on cve triage this week; I'm also going to continue going through open openstack issues and figuring out which ones are still needing attention; I'll also try to handle a few apparmor patch reviews.
16:54 <sarnold> I think that's it for me
16:54 <sarnold> chrisccoulson?
16:55 <chrisccoulson> I'm hoping for chromium updates this week
16:55 <chrisccoulson> Also, I need to spend some time on Firefox - a recent change upstream has broken the way we handle localized search plugins in our packaging
16:57 <chrisccoulson> I got an email last week (I think it got sent to everyone with an account on addons.mozilla.org) with details of addon signing in Firefox
16:57 <chrisccoulson> It had a link to https://wiki.mozilla.org/Addons/Extension_Signing
16:57 <tyhicks> I was about to ask if you have heard anything about that :)
16:57 <chrisccoulson> (the tl;dr version - we need to get our addons reviewed and signed)
16:57 <chrisccoulson> In Firefox 40, unsigned addons will be disabled (but there'll be a pref to override)
16:58 <chrisccoulson> in Firefox 41, there'll be no override
16:59 <chrisccoulson> I tried getting ubufox reviewed, but the automatic part of the process complains that we override the startpage (something which is prohibited in addons, but is the whole point of our customizations)
16:59 <chrisccoulson> So I'm not confident we'll get that through a manual review
16:59 <chrisccoulson> and then, webapps.....
16:59 <chrisccoulson> Anyway
17:00 <chrisccoulson> Other than that, I'll be working on stuff from https://launchpad.net/oxide/+milestone/branch-1.9
17:00 <chrisccoulson> I think that's me done
17:01 <tyhicks> chrisccoulson: dbarth's team will handle the webapps reviews?
17:02 <tyhicks> chrisccoulson: who should handle the "Ubuntu Online Accounts" review?
17:02 <chrisccoulson> tyhicks, I'm not sure. The experience with that addon is so bad currently, I wonder whether it's worth the effort (but I guess that's up to dbarth's team)
17:02 <chrisccoulson> tyhicks, that would be dbarth too
17:02 <tyhicks> ok
17:03 <tyhicks> chrisccoulson: let's make sure they're aware of the newly released details in tomorrow's oxide meeting
17:03 <tyhicks> [TOPIC] Highlighted packages
17:03 <tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so.
17:03 <tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
17:03 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/gajim.html
17:03 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/nginx.html
17:03 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/pyfribidi.html
17:03 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/gcc-4.4-armel-cross.html
17:03 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/shaarli.html
17:03 <tyhicks> [TOPIC] Miscellaneous and Questions
17:04 <tyhicks> Does anyone have any other questions or items to discuss?
17:06 <tyhicks> jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson: Thanks!
17:06 <tyhicks> #endmeeting