16:30 <tyhicks> #startmeeting
16:30 <meetingology`> Meeting started Mon Aug  7 16:30:50 2017 UTC.  The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:30 <meetingology`> 
16:30 <meetingology`> Available commands: action commands idea info link nick
16:30 <meetingology> Meeting started Mon Aug  7 16:30:50 2017 UTC.  The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:30 <meetingology> Available commands: action commands idea info link nick
16:30 * sbeattie waves
16:30 <chrisccoulson> o/
16:30 <leosilva> o/
16:31 <tyhicks> The meeting agenda can be found at:
16:31 <tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:31 <tyhicks> [TOPIC] Announcements
16:31 <tyhicks> heh, zero meeting bots last week and two meeting bots this week
16:31 <mdeslaur> oooh! bot fight!
16:31 <tyhicks> James Lu (tacocat) provided debdiffs for xenial-zesty for gnome-exe-thumbnailer (LP: #651610)
16:31 <ubottu> Launchpad bug 651610 in gnome-exe-thumbnailer (Ubuntu) "[CVE-2017-11421] Version number for .msi thumbnail is obtained from unreliable source" [Critical,Fix released] https://launchpad.net/bugs/651610
16:31 <tyhicks> Simon Quigley (tsimonq2) provided debdiffs for trusty-xenial for lxterminal (LP: #1690416)
16:31 <ubottu> Launchpad bug 1690416 in lxterminal (Ubuntu Artful) "[CVE] socket can be blocked by another user" [Undecided,Fix released] https://launchpad.net/bugs/1690416
16:31 <tyhicks> Simon Quigley (tsimonq2) provided debdiffs for trusty-zesty for pcmanfm (LP: #1708542)
16:31 <ubottu> Launchpad bug 1708542 in pcmanfm (Ubuntu Zesty) "Fix potential access violation, use runtime user dir instead of tmp dir" [Undecided,Fix released] https://launchpad.net/bugs/1708542
16:31 <tyhicks> Otto Kekäläinen (otto) provided debdiffs for trusty for mariadb-5.5 (LP: #1705944)
16:31 <ubottu> Launchpad bug 1705944 in mariadb-5.5 (Ubuntu) "USN-3357-1: partially applies to MariaDB too" [Medium,Fix released] https://launchpad.net/bugs/1705944
16:32 <tyhicks> Otto Kekäläinen (otto) provided debdiffs for xenial for mariadb-10.0 (LP: #1698689)
16:32 <ubottu> Launchpad bug 1698689 in mariadb-10.1 (Ubuntu Artful) "USN-3269-1: partially applies to MariaDB too" [Undecided,New] https://launchpad.net/bugs/1698689
16:32 <tyhicks> Otto Kekäläinen (otto) provided debdiffs for zesty for mariadb-10.1 (LP: #1698689)
16:32 <tyhicks> Roger Light (ral) provided debdiffs for trusty-zesty for mosquitto (LP: #1700490)
16:32 <ubottu> Launchpad bug 1700490 in mosquitto (Ubuntu) "Persistence file is world readable" [Undecided,Fix released] https://launchpad.net/bugs/1700490
16:32 <tyhicks> Thank you for your assistance in keeping Ubuntu users secure! :)
16:32 <tyhicks> [TOPIC] Weekly stand-up report
16:32 <tyhicks> jdstrand: you're up
16:33 <jdstrand> hey
16:33 <jdstrand> Last week I focused a lot on interface reviews (broadcom-asic-control, udev tagging,kvm, spi, avahi reimplementation. I also coordinated with the Desktop team wrt snaps on 17.10 desktop. I triaged the snapd-interface bugs and picked up the wayland work a bit.
16:33 <jdstrand> This week I plan to:
16:33 <jdstrand> - finish going through the wayland interface (this has required quite a bit of investigation wrt interactions with snapd's setting of XDG_RUNTIME_DIR
16:33 <jdstrand> - be responsive to various snappy PRs and feature discussions (eg, udev tagging, avahi, snapd user/groups, portals, etc)
16:34 <jdstrand> - perform several PRs against snapd 2.27 for recent PRs that need to be in the next release
16:34 <jdstrand> - pickup new 'desktop' interface for gnome-shell, plasma and sway as have time
16:34 <jdstrand> that's it from me
16:34 <jdstrand> mdeslaur: you're up
16:34 <mdeslaur> I'm on triage this week
16:34 <mdeslaur> and I have a couple of updates to publish
16:34 <mdeslaur> and after down, down the list, as usual
16:34 <mdeslaur> sbeattie: you're up
16:34 <sbeattie> I'm in the happy place this week
16:35 <sbeattie> I have a couple of kernel USNs to publish this morning
16:35 <sbeattie> I have an embargoed issue on my plate
16:36 <sbeattie> I'm stll waiting on openjdk-7 from td aitx, but might have that to publish this week
16:36 <sbeattie> I'll  look at picking up other updates as well
16:36 <tsimonq2> tyhicks: :D
16:36 <sbeattie> I also have some apparmor bits and qrt bits to poke at.
16:37 <sbeattie> that's it for me. tyhicks, over to you...
16:37 <tyhicks> I'm in the happy place this week
16:37 <tyhicks> I will finish making changes to seccomp v6 kernel patch set, test, and submit upstream
16:37 <tyhicks> need to do fscrypt pam module review and packaging
16:37 <tyhicks> still need to familiarize myself with the latest LSM stacking patch set
16:37 <tyhicks> I also still need to review jdstrand's snapd users/groups writeup
16:38 <tyhicks> jjohansen: you're up
16:38 <jjohansen> I am still working on upstreaming apparmor, specifically the type splitting needed to fixed the stored path issue in our unix domain sockets.
16:38 <jjohansen> I will be doing some more testing of the LSM stacking kernel, and getting my feedback to Casey
16:38 <jjohansen> I have some Ralley prep to take care of this week.
16:39 <jjohansen> and if there is time some misc apparmor test suite issues to poke at
16:39 <jdstrand> tyhicks: fyi, niemeyer ack'd that the users/groups write-up is accurate which I think is a precursor to his full review/comment
16:40 <jjohansen> thats it for me sarnold you're up
16:40 <sarnold> I'm on community this week; also setting up rally travel, and working down the MIRs. Maybe review a patch or two from jjohansen if he think it'd be helpful.
16:40 <sarnold> that's it for me, chrisccoulson?
16:40 <chrisccoulson> I've got firefox and chromium updates this week
16:41 <jjohansen> sarnold: oh yes
16:41 <chrisccoulson> I'm also in the process of updating rust to 1.19, but I've got an issue with 1.18 first. I imagine this will take up most of my week
16:41 <chrisccoulson> That's me done
16:41 <ratliff> I'm in the happy place this week
16:42 <ratliff> I will be focusing on KPIs for the foreseeable future
16:42 <ratliff> leosilva: you are up
16:43 <leosilva> I worked in a couple of update/finished the publishment today morning
16:43 <leosilva> this week I'm bug triage and also finish triage hope to get some updates too
16:43 <leosilva> that's it for me
16:43 <leosilva> tyhicks: it's back to you
16:44 <leosilva> duh, I mean, soon finish triage*
16:44 * tyhicks is catching up
16:45 <tyhicks> [TOPIC] Highlighted packages
16:45 <tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
16:45 <tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/unrar-nonfree.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/yaml-cpp.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/qpid-proton.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/freeciv.html
16:45 <tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/inspircd.html
16:45 <tyhicks> [TOPIC] Miscellaneous and Questions
16:45 <tyhicks> Does anyone have any other questions or items to discuss?
16:47 <sarnold> probably it's worth adding http://people.canonical.com/~ubuntu-security/cve/pkg/varnish.html to that list, four or so community folks filed bugs but I don't recall seeing any debdiffs http://people.canonical.com/~ubuntu-security/cve/pkg/varnish.html
16:47 <tyhicks> good thought
16:48 <tyhicks> I think varnish updates would be more useful than any of the ones I listed
16:50 <tsimonq2> I can provide debdiffs within the next hour if someone can help me test them.
16:50 <tsimonq2> Because it's a Universe package right?
16:50 <tsimonq2> (yes, answered my own question)
16:51 <tyhicks> tsimonq2: you could post debdiffs, sarnold could sponsor them to the ubuntu-security-proposed PPA, and then we could ask for testing in the bug
16:51 <tsimonq2> tyhicks: Works for me.
16:51 <tyhicks> tsimonq2: thanks!
16:51 <tyhicks> jdstrand, mdeslaur, sbeattie, jjohansen, sarnold, ChrisCoulson, ratliff, leosilva: thank you!
16:51 <tyhicks> #endmeeting