16:31 <tyhicks> #startmeeting
16:31 <meetingology> Meeting started Mon Jan 29 16:31:01 2018 UTC. The chair is tyhicks. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:31 <meetingology>
16:31 <meetingology> Available commands: action commands idea info link nick
16:31 <tyhicks> The meeting agenda can be found at:
16:31 <tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:31 <tyhicks> [TOPIC] Weekly stand-up report
16:31 <tyhicks> jdstrand: you're up
16:31 <jdstrand> hi
16:32 <jdstrand> Last week I spent most of my development time on layouts reviews but other work was preempted by the steam-support interface, which required a lot of investigation. This week I plan to:
16:32 <jdstrand> - travel to/from and attend snapcraft sprint
16:32 <jdstrand> - continue the steam-support interface investigation/design
16:32 <jdstrand> - snapd portals reviews
16:32 <jdstrand> - LSM stacking demo preparation as have time
16:32 <jdstrand> - lxd snap regression wrt confinement as have time
16:32 <jdstrand> - create screencast interface as have time
16:32 <jdstrand> - strict mode snaps on livecd as have time
16:32 <jdstrand> that's it from me. mdeslaur, you're up
16:33 <mdeslaur> I'm on bug triage this week
16:33 <mdeslaur> I'm still working on qemu/libvirt updates
16:34 <mdeslaur> I'm currently trying to get artful installed inside a trusty vm, but it's not working well
16:34 <mdeslaur> since I don't have real hardware I can update microcode on
16:34 <mdeslaur> I'm also working on clamav updates
16:34 <cpaelzer> sorry to interrupt - jdstrand: you also did the chrony apparmor profile - which btw is fully picked up by Debian already
16:34 <mdeslaur> that's about it, sbeattie, you're up
16:35 <sbeattie> cpaelzer: what's the question?
16:35 <ratliff> cpaelzer: since you are here :) Can you help mdeslaur with qemu ^^?
16:35 <jdstrand> cpaelzer: yes I did and this is captured in trello. Thanks for mentioning the debian sync-- I noticed the bug this morning
16:36 <tyhicks> sbeattie: he was just pointing out the chrony profile since Jamie didn't list it in his work from last week
16:37 <sbeattie> last week? that's old news.
16:37 <sbeattie> :)
16:37 <cpaelzer> ratliff: what is the help that is needed atm?
16:38 <cpaelzer> I usually run some extra tests once mdeslaur pings me
16:38 <mdeslaur> cpaelzer: we need to make sure libvirt and qemu expose the new microcode bits to guests
16:38 <cpaelzer> we synced on HW - I don't have any that has the microcode update either
16:38 <mdeslaur> cpaelzer: do you have hardware that supports the 20180108 intel microcode update?
16:38 <cpaelzer> well I have my laptop
16:38 <cpaelzer> as most of us do
16:38 <cpaelzer> I suggested on Friday to use lxd on that to drive a testbed for KVM
16:38 <cpaelzer> with a bit of a how-to
16:39 <jdstrand> cpaelzer: do note that I had already incorporated the Debian feedback into ubuntu3 of chrony. looking at -2, I see the only difference to the profile is that Debian used utf8 quotes in a comment :)
16:39 <cpaelzer> jdstrand: yep
16:39 <cpaelzer> I found the same and synced it today jdstrand
16:39 <cpaelzer> ratliff: so the only microcode capable system I have is the same that mdeslaur has (at least according to our talk on Friday)
16:40 <cpaelzer> mdeslaur: did you try the kvm in lxd I suggested?
16:40 <mdeslaur> cpaelzer: I didn't, no
16:40 <ratliff> cpaelzer: ok
16:40 * jdstrand nods
16:40 <mdeslaur> not yet
16:40 <tyhicks> I have some hardware that we can possibly use
16:41 <tyhicks> I also have lxd set up, on a xenial host, which I use to run a container with VMs inside of it
16:41 <tyhicks> mdeslaur: let's talk after the meeting
16:41 <mdeslaur> ack
16:41 <tyhicks> sbeattie: go ahead
16:42 <sbeattie> I'm on cve triage this week, in addition to usual kernel triage bits
16:42 <sbeattie> Apparently, the kernel team published a linux-kvm kernel this morning, so I have a USN to publish for that.
16:43 <sbeattie> I'm working on the gcc retpoline backports, still trying to figure out why my gcc-4.8 backport segfaults.
16:44 <sbeattie> We should be able to push the gcc-5/xenial and gcc-7/artful to -proposed today, I just want to double-check the test results first.
16:44 <tyhicks> sbeattie: let's also get a bionic upload ready
16:45 <sbeattie> tyhicks: doko uploaded gcc-7.3 to bionic-proposed, which has the retpoline bits in it.
16:45 <tyhicks> nice
16:46 <tyhicks> sbeattie: am I up now?
16:46 <sbeattie> I'm still waiting on openjdk packages from td aitx, which I'll probably hand off to someone else.
16:46 <sbeattie> tyhicks: yeah, that's my week pretty well covered. go for it.
16:47 <tyhicks> yeah, you've got your hands too full w/ cve triage, gcc, kernel bits, and openjdk
16:47 <tyhicks> ratliff: ^ we need to spread Steve's responsibilities this week
16:48 <ratliff> tyhicks: yep
16:48 <tyhicks> for my week, I will continue to help coordinate Meltdown and Spectre fixes (test, investigate, meet w/ CPU vendors, etc.)
16:48 <sarnold> I could grab cve triage this week
16:48 <tyhicks> I also need to work on an LSM stacking demo
16:48 <tyhicks> sarnold: I think that's probably a good idea - we'll chat after
16:49 <tyhicks> jj is out today
16:49 <tyhicks> sarnold: you're up
16:50 <sarnold> I'm in the happy place this week, but happy to take cve triage off steve. I'm going to finish chrony mir and then move on down the list once that's done.
16:50 <sarnold> that's it for me, chrisccoulson?
16:51 <chrisccoulson> I've got to finish up the thunderbird publication, and then I'm doing webkit updates
16:52 <chrisccoulson> and then rust 1.23 updates and apparmor audit work again
16:52 <chrisccoulson> I think that's me done
16:52 <ratliff> I'm in the happy place this week.
16:53 <ratliff> I have some internal work and I plan to get the historic data for cve triage loaded into InfluxDB.
16:53 <ratliff> leosilva: on to you
16:53 <leosilva> I'm in the community this week.
16:54 <leosilva> I'm working in the curl update, seems only be applicable to one release (artful) it breaks in all the old ones. Still need to re-check and see before discards
16:54 <leosilva> besides that I'm keeping an eye on cve-list to get some other pkg to update.
16:54 <leosilva> that's it for me
16:54 <leosilva> tyhicks: you are back!
16:56 <tyhicks> [TOPIC] Ways to contribute
16:56 <tyhicks> The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security
16:56 <tyhicks> updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:56 <tyhicks> [TOPIC] Miscellaneous and Questions
16:56 <tyhicks> Does anyone have any other questions or items to discuss?
16:59 <tyhicks> jdstrand, mdeslaur, sbeattie, sarnold, ChrisCoulson, ratliff, leosilva: Thanks!
16:59 <ratliff> thank you, tyhicks!
16:59 <tyhicks> #endmeeting