14:30 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
14:30 <meetingology> Meeting started at 14:30:25 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:30 <meetingology> Available commands: action, commands, idea, info, link, nick
14:30 <cpaelzer> no old actions to look at
14:30 <cpaelzer> #topic current component mismatches
14:30 <didrocks> hey
14:30 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:30 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:31 <sarnold> good morning
14:31 <cpaelzer> hiho
14:31 <sarnold> I like this multidimensional fire idea
14:31 <cpaelzer> these seem to contain the same as recently
14:31 <cpaelzer> let us check the status
14:31 <cpaelzer> fence-agents still on security via https://bugs.launchpad.net/ubuntu/+source/fence-agents/+bug/1927004
14:31 <ubottu> Launchpad bug 1927004 in fence-agents (Ubuntu) "[MIR] fence-agents" [Undecided, New]
14:32 <cpaelzer> cherrypy on jamespage
14:32 <cpaelzer> oh this one
14:32 <cpaelzer> screen-resolution-extra -> policykit-1-gnome
14:32 <didrocks> this is an alternative, I remember we used to have already c-m picking the wrong one and we had to workaround it, but did anyone of you remember what we did exactly?
14:32 <cpaelzer> didrocks: you said last week you wanted to take a loolk
14:32 <didrocks> http://launchpadlibrarian.net/544364041/screen-resolution-extra_0.18build2_0.18.1.diff.gz
14:32 <cpaelzer> look
14:32 <didrocks> it’s fulfilled by gnome-shell already
14:33 <cpaelzer> ok so we consider this done and it will vanish from this view in some time
14:33 <cpaelzer> thanks didrocks
14:33 <didrocks> cpaelzer: no no
14:33 <didrocks> it’s not done
14:33 <cpaelzer> oh
14:33 <didrocks> the issue is triggered by this diff
14:33 <cpaelzer> then I misinterpreted "fulfilled"
14:33 <cpaelzer> oh I see
14:33 <cpaelzer> thanks
14:33 <didrocks> and this diff is for every flavor not picking up gnome-shell
14:33 <didrocks> so, the issue is in component-mismatch
14:34 <didrocks> and I don’t remember how we worked around it in other cases in the past…
14:34 <sarnold> I think "oh that's a holdover from..."
14:34 <sarnold> (like terminator, esmtp, etc)
14:35 <didrocks> yeah
14:35 <cpaelzer> yes
14:35 <cpaelzer> + policykit-1-gnome | gnome-shell | polkit-1-auth-agent,
14:35 <cpaelzer> ok I'll try to remember this is part of that group
14:35 <cpaelzer> thanks for checking didrocks
14:35 <didrocks> yw
14:35 <cpaelzer> #topic New MIRs
14:35 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:35 <cpaelzer> still no action by doko on flashrom/libftdi :-/
14:36 <cpaelzer> I'll contact him and matt offline via a mail
14:36 * didrocks is surprised on busybox not being in main…
14:36 <cpaelzer> as I'd love to get it out of this stage in some way (continue or abort it)
14:36 <cpaelzer> didrocks: let us talk about busybox
14:36 <cpaelzer> I guess we can agree and promote it right away
14:36 <cpaelzer> TL;DR busybox is in main, this is about an extra binary from the src package to be promoted
14:37 <cpaelzer> Usually people ask that on the old MIR bugs
14:37 <cpaelzer> but this one is so old, it has no MIR bug
14:37 <sarnold> I wouldn't be surprised if there's outstanding cves in busybox that we've ignored, something like their tools for downloading files don't check tls certificates..
14:37 <didrocks> ah ack only one binary missing, I was wondering for a while with what I was playing after happy testing in casper :p
14:38 <cpaelzer> sarnold: why would those have been ignored?
14:38 <cpaelzer> as far as I have looked it seems to be a different build from the same source
14:38 <cpaelzer> so no "new code" to be promoted
14:38 <cpaelzer> I'd like to understand why in this scenario CVEs would have been ignored, to get a feeling if this needs only MIR ack or also security re-review
14:38 <didrocks> yeah, it’s only the dynamic linking (the static is in main) if I read the MIR correctly
14:39 <cpaelzer> yes didrocks - that should be it
14:39 <sarnold> cpaelzer: because busybox is often used in environments where 'the usual things' are broken / missing / intentionally unavailable
14:39 <cpaelzer> ah but now you could use it in "other environments"
14:39 <sarnold> yeah
14:39 <cpaelzer> and that might change the attack surface
14:39 <cpaelzer> ok thanks
14:40 <cpaelzer> I think this is a trivial review from the MIR POV (not a full one), but a more complex one from the security side then
14:40 <didrocks> looks like it
14:40 <sarnold> heh, alas yes..
14:40 <cpaelzer> but since this is a server case I'd want to ask if someone else could do the MIR-check on this
14:40 <cpaelzer> to not look like special-case-self-signed-off
14:40 <cpaelzer> since no one but the three of us seem available, would you didrocks be able to do that MIR check there?
14:41 <cpaelzer> and then probably assign it to security to get the re-eval?
14:41 <didrocks> cpaelzer: will do
14:41 <cpaelzer> oh btw #action cpaelzer to clarify libftdi with matt/doko
14:41 <cpaelzer> #action cpaelzer to clarify libftdi with matt/doko
14:41 * meetingology cpaelzer to clarify libftdi with matt/doko
14:41 <cpaelzer> thanks didrocks
14:41 <cpaelzer> that gets us to the next agenda item
14:41 <didrocks> yw!
14:42 <cpaelzer> #topic Incomplete bugs / questions
14:42 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:42 <cpaelzer> sdl is me, that will soon be ready for promotion
14:42 <cpaelzer> no action needed
14:42 <doko> o/
14:42 <cpaelzer> flatpak ...
14:42 <cpaelzer> reading
14:42 <cpaelzer> oh we marked it incomplete last week
14:42 <cpaelzer> ok nothing new
14:42 <cpaelzer> welcome doko
14:43 <cpaelzer> before I send you a mail doko, would you this week have time to resolve flashrom/libftdi ?
14:43 <cpaelzer> I have asked a few weeks in a row and some way it should get off our incoming list
14:43 <doko> right, it should be updated, fwupd needs a dependency
14:43 <cpaelzer> I've outlined it a few times already, it is about a non MIR-team evaluation which seems "approved" by you
14:44 <doko> yes, but I don't want to see it. fwupd needs to build with that support. waiting for an upload now
14:45 <cpaelzer> an upload of fwupd to pull it in?
14:45 <doko> yes
14:46 <doko> jawn-smith working on it
14:46 <cpaelzer> so this was an approval by you then back on 2021-03-11
14:47 <cpaelzer> if you could confirm this now that would be helpful, then I could do an update and set the bug to the right states
14:48 <jawn-smith> o/ I can do upload a change with a dependency
14:49 <jawn-smith> s/do//
14:49 <cpaelzer> jawn-smith: I was mostly concerned because the bug looked like needing a review still
14:49 <cpaelzer> this is now clarified and I have updated the bug
14:49 <cpaelzer> you can do the upload now and then promotion to main can happen
14:49 <cpaelzer> and it is by now gone from the MIR-team incoming queue
14:50 <cpaelzer> Thanks for all the clarifications, we look good again now ...
14:50 <cpaelzer> #topic Any other business?
14:50 <jawn-smith> excellent, thanks!
14:50 <cpaelzer> nothing from me
14:50 <sarnold> \o/
14:50 <sarnold> nothing from me
14:50 <didrocks> nothing either
14:55 <cpaelzer> ok timeout :-)
14:55 <cpaelzer> see you all next week then
14:55 <sarnold> woot, thanks cpaelzer, all :)
14:55 <cpaelzer> thanks
14:55 <cpaelzer> #endmeeting