== Meeting information ==
 * #ubuntu-meeting Meeting, 01 Oct at 16:32 — 16:54 UTC
 * Full logs at [[http://ubottu.com/meetingology/logs/ubuntu-meeting/2018/ubuntu-meeting.2018-10-01-16.32.log.html]]

== Meeting summary ==
''LINK:'' https://wiki.ubuntu.com/SecurityTeam/Meeting

=== Announcements ===
The discussion about "Announcements" started at 16:32.

=== Weekly stand-up report ===
The discussion about "Weekly stand-up report" started at 16:33.

=== Highlighted packages ===
The discussion about "Highlighted packages" started at 16:52.

=== Miscellaneous and Questions ===
The discussion about "Miscellaneous and Questions" started at 16:52.

== Vote results ==

== Done items ==
 * (none)

== People present (lines said) ==
 * jdstrand (36)
 * mdeslaur (17)
 * ebarretto (9)
 * chrisccoulson (8)
 * leosilva (7)
 * sbeattie (7)
 * msalvatore (5)
 * sarnold (3)
 * meetingology (3)
 * jjohansen (3)

== Full Log ==
16:32 #startmeeting
16:32 Meeting started Mon Oct 1 16:32:11 2018 UTC. The chair is jdstrand. Information about MeetBot at http://wiki.ubuntu.com/meetingology.
16:32
16:32 Available commands: action commands idea info link nick
16:32 The meeting agenda can be found at:
16:32 [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
16:32 [TOPIC] Announcements
16:32 First off, I'd like to warmly welcome joemcmanus to the team as our new security team manager. Glad to have you Joe! :)
16:32 welcome, joemcmanus!
16:33 The generalist role rotation for this week as follows:
16:33 \o
16:33 CVE Triage: msalvatore (ebarretto), Bug Triage: sarnold, Community: sbeattie, Happy Place: amurray, mdeslaur, leosilva, ebarretto
16:33 [TOPIC] Weekly stand-up report
16:34 oh, I forgot one announcement
16:34 The Ubuntu Security Team is hiring!
16:34 Ubuntu Security engineer: https://boards.greenhouse.io/canonical/jobs/1158266?t=8c0a6c1f1
16:34 ok, I'll go first for standup
16:34 This week I plan to:
16:34 * continue brand store snap declarations
16:34 * continue kubernetes-support interfaces
16:34 * various snapd PR reviews
16:34 * iterate on docker PRs
16:34 * embargoed issue
16:35 mdeslaur: you're up
16:35 I'm in the happy place this week
16:35 I just finished publishing a whole new ghostscript version to the stable releases to fix a bunch of security issues that don't have CVE numbers
16:36 hopefully it won't cause any major regressions
16:36 I have an embargoed issue to publish later on once upstream makes the issue public
16:36 and I'll be continuing more CVE work after that
16:36 that's about it, sbeattie, you're up
16:36 I'm on community this week
16:37 mdeslaur: do you think it warrants a call for testing?
16:37 what, ghostscript?
16:37 it's already out the door :)
16:37 I already published it
16:37 I tested the heck out of it
16:37 mdeslaur: yes, and, ok :)
16:37 and judging by the number of open bugs against the old version, this one can only be better
16:38 mdeslaur: it was the 'hopefully' that threw me:)
16:38 I will keep a look out for regression bugs
16:38 * jdstrand nods
16:38 mdeslaur: thanks for taking that on. ghostscript can be challenging
16:39 sorry sbeattie, go ahead :)
16:39 kernel updates are being published now, will start the USNs for them after the meeting.
16:40 I have imagemagick packages in the ubuntu-security-proposed ppa that disable pdf/ps support, to avoid ghostscript (for all the reasons above) that I'll be testing and publishing.
16:40 \o/
16:40 After that, I need to spend some time looking at possible additional toolchain hardening for cosmic+1.
16:41 That will probably take up my week.
16:41 jjohansen: over to you.
16:41 It's a short week for me, I am off Wednesday, Thursday, and maybe Friday.
16:41 I am still trying to finish up last week's items, apparmor items for the 4.20 pull request: mjg secmark patch, kernel_t label for kernel network tasks, and the nonewprivs work. LSM stacking patches, and the 2.10.4, 2.11.2, 2.12.1, 2.13.1 stable releases for apparmor
16:42 that's it for me, sarnold you're up
16:43 I'm on bug triage this week; I'm going to finish the xdg-desktop-portal-gtk MIR 1750069 this week, hopefully by tomorrow; then I'll run down the list of MIRs in trello. I'll do apparmor patch reviews as needed.
16:43 that's it for me.. leosilva?
16:43 I'm in the happy place this week
16:43 I pushed a USN for bind9 for precise
16:43 I spent some time in a glib2.0 regression, but it ends as a no sec regression
16:44 I'll do the hunting pkg and find something to update - right now I'm digging on liblouis
16:44 that is it for me
16:44 libleo
16:44 msalvatore: I think it's up to you now
16:44 hehe.
16:45 Hi all. I'm on CVE triage this week, but it's a super short week for me (I'm out oct2-oct12)
16:45 ebarretto will fill in for CVE triage
16:45 I published fixes for uwsgi this morning
16:45 I'm focusing on CVE triage and re-triage of older CVEs for today.
16:45 ebarretto: you're up
16:46 I'm in the happy place/cve triage this week:
16:46 - Released today new opencv update for bionic
16:46 - Also released a new version of monit for xenial because of a regression in the last update (LP: #Bug:1786910)
16:46 - I am working on updating libav for trusty, right now I am testing the security fixes that were backported
16:46 - I will be doing CVE triage starting tomorrow to cover msalvatore
16:46 - If anyone finds any problem in uwsgi update from msalvatore, feel free to ping me and add me to bugs
16:47 that's it for me ... joemcmanus you're up
16:49 jdstrand, did we skip chrisccoulson ?
16:49 yep ;)
16:49 shall I go now?
16:49 ebarretto: he was skipped.
I thought it was me now knowing who was out :)
16:49 man, we keep forgetting chrisccoulson
16:49 he's too quiet
16:49 lol
16:49 chrisccoulson: yes please :)
16:49 hey, I can't prove it, but I was thinking about it :)
16:49 hehe
16:50 hehe
16:50 I'm expecting a firefox release to test and publish this week, although the release hasn't happened yet
16:50 I've got an embargoed update too
16:50 and I'll be working on the libssh2 MIR
16:51 that shouldn't take all week, so I'll have time for something else (something else on the review queue?)
16:51 that's me done
16:51 chrisccoulson: I think so, yes, we getting to the end :)
16:52 [TOPIC] Highlighted packages
16:52 The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See http://people.canonical.com/~ubuntu-security/d2u/ for available merges and https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details on preparing Ubuntu security
16:52 updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
16:52 [TOPIC] Miscellaneous and Questions
16:52 Does anyone have any other questions or items to discuss?
16:54 mdeslaur, sbeattie, jjohansen, sarnold, chrisccoulson (see, I didn't forget!), leosilva, msalvatore, ebarretto, joemcmanus: thanks!
16:54 #endmeeting

Generated by MeetBot 0.1.5 (http://wiki.ubuntu.com/meetingology)