#ubuntu-meeting log

14:30 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
14:30 <meetingology> Meeting started at 14:30:25 UTC.  The chair is cpaelzer.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:30 <meetingology> Available commands: action, commands, idea, info, link, nick
14:30 <cpaelzer> no old actions to look at
14:30 <cpaelzer> #topic current component mismatches
14:30 <didrocks> hey
14:30 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:30 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:31 <sarnold> good morning
14:31 <cpaelzer> hiho
14:31 <sarnold> I like this multidimensional fire idea
14:31 <cpaelzer> these seem to contain the same as recently
14:31 <cpaelzer> let us check the status
14:31 <cpaelzer> fence-agents still on security via https://bugs.launchpad.net/ubuntu/+source/fence-agents/+bug/1927004
14:31 <ubottu> Launchpad bug 1927004 in fence-agents (Ubuntu) "[MIR] fence-agents" [Undecided, New]
14:32 <cpaelzer> cherrypy on jamespage
14:32 <cpaelzer> oh this one
14:32 <cpaelzer> screen-resolution-extra -> policykit-1-gnome
14:32 <didrocks> this is an alternative, I remember we used to have already c-m picking the wrong one and we had to workaroudn it, but did anyone of you remember what we did exactly?
14:32 <cpaelzer> didrocks: you said last week you wanted to take a loolk
14:32 <didrocks> http://launchpadlibrarian.net/544364041/screen-resolution-extra_0.18build2_0.18.1.diff.gz
14:32 <cpaelzer> look
14:32 <didrocks> it’s fullfiled by gnome-shell already
14:33 <cpaelzer> ok so we consider this done and it will vanish from this view in some time
14:33 <cpaelzer> thanks didrocks
14:33 <didrocks> cpaelzer: no no
14:33 <didrocks> it’s not done
14:33 <cpaelzer> oh
14:33 <didrocks> the issue is triggered by this diff
14:33 <cpaelzer> then I misinerpreted "fulfilled"
14:33 <cpaelzer> oh I see
14:33 <cpaelzer> thanks
14:33 <didrocks> and this diff is for every flavor not picking up gnome-shell
14:33 <didrocks> so, the issue is in component-mismatch
14:34 <didrocks> and I don’t remember how we workarounded it in other cases in the past…
14:34 <sarnold> I think "oh that's a holdovre from..."
14:34 <sarnold> (like terminator, esmtp, etc)
14:35 <didrocks> yeah
14:35 <cpaelzer> yes
14:35 <cpaelzer> + policykit-1-gnome | gnome-shell | polkit-1-auth-agent,
14:35 <cpaelzer> ok I'll try to remember this is part of that group
14:35 <cpaelzer> thanks for checking didrocks
14:35 <didrocks> yw
14:35 <cpaelzer> #topic New MIRs
14:35 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:35 <cpaelzer> still no action by doko on flashrom/libftdi :-/
14:36 <cpaelzer> I'll contact him and matt offline via a mail
14:36 * didrocks is surprised on busybox not being in main…
14:36 <cpaelzer> as I'd love to get it out of this stage in some way (continue or abort it)
14:36 <cpaelzer> didrocks: lets us talk about busybox
14:36 <cpaelzer> I guess we can agree and promite it right away
14:36 <cpaelzer> TL;DR busyboy is in main, this is about an extra binary from the src package to be promoted
14:37 <cpaelzer> Usually people ask that on the old MIR bugs
14:37 <cpaelzer> but this one is so old, it has no MIR bug
14:37 <sarnold> I wouldn't be surprised if there's outstanding cves in busybox that we've ignored, something like their tools for downloading files don't check tls certificates..
14:37 <didrocks> ah ack only one binary missing, I was wondering for a while with what I was playing after happy testing in casper :p
14:38 <cpaelzer> sarnold: why would those have been ignroed?
14:38 <cpaelzer> as far as I ahve looked it seems to be a differnt build from the same source
14:38 <cpaelzer> so no "new code" to be promoted
14:38 <cpaelzer> I'd like to understand why in this scenario CVEs would have been ignored, to get a feeling if this needs only MIR ack or also security re-review
14:38 <didrocks> yeah, it’s only the dynamic linking (the static is in main) if I read the MIR correctly
14:39 <cpaelzer> yes didrocks - that should be it
14:39 <sarnold> cpaelzer: because busybox is often used in environments where 'the usual things' are broken / missing / intentionally unavailable
14:39 <cpaelzer> ah but now you could use it in "others environments"
14:39 <sarnold> yeah
14:39 <cpaelzer> and that might change the attack surface
14:39 <cpaelzer> ok thanks
14:40 <cpaelzer> I think this is a trivial review from the MIR POV (nt a full one), but a more coplex one from the security side then
14:40 <didrocks> looks like it
14:40 <sarnold> heh, alas yes..
14:40 <cpaelzer> but since this is a server case I'd want to ask if someone else could do the MIR-check on this
14:40 <cpaelzer> to not look like special-case-self-signed-off
14:40 <cpaelzer> since no one but the three of us seem available, would you didrocks be able to do that MIR check there?
14:41 <cpaelzer> and then probably assign it to security to get thie rre-eval?
14:41 <didrocks> cpaelzer: will do
14:41 <cpaelzer> oh btw #action cpaelzer to clarify libftdi with matt/doko
14:41 <cpaelzer> #action cpaelzer to clarify libftdi with matt/doko
14:41 * meetingology cpaelzer to clarify libftdi with matt/doko
14:41 <cpaelzer> thanks didrocks
14:41 <cpaelzer> that gets us to the next agenda item
14:41 <didrocks> yw!
14:42 <cpaelzer> #topic Incomplete bugs / questions
14:42 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:42 <cpaelzer> sdl is me, that will soon be ready for promotion
14:42 <cpaelzer> no action needed
14:42 <doko> o/
14:42 <cpaelzer> flatpack ...
14:42 <cpaelzer> reading
14:42 <cpaelzer> oh we marked it incomplete last week
14:42 <cpaelzer> ok nothing new
14:42 <cpaelzer> welcome doko
14:43 <cpaelzer> before I send you a mail doko, would you this week have time to resolve flashrom/libftdi ?
14:43 <cpaelzer> I have asked a few weeks in a row and some way it should get off our incoming list
14:43 <doko> right, it should be updated, fwupd needs a dependency
14:43 <cpaelzer> I've outlined it a few times already, it is about a non MIR-team evaluation wihch seems "approved" by you
14:44 <doko> yes, but I don't want to see it. fwupd needs to build with that support. waiting for an upload now
14:45 <cpaelzer> an upload of fwupd to pull it in?
14:45 <doko> yes
14:46 <doko> jawn-smith working on it
14:46 <cpaelzer> so this was an approval by you then back on 2021-03-11
14:47 <cpaelzer> if you could confirm this now that would be helpful, then I could do an update and set the bug to the right states
14:48 <jawn-smith> o/ I can do upload a change with a dependency
14:49 <jawn-smith> s/do//
14:49 <cpaelzer> jawn-smith: I was mostly concerned because the bug looked like needing a review still
14:49 <cpaelzer> this is now clarified and I have updated the bug
14:49 <cpaelzer> you can do the upload now and then promotion to main can happen
14:49 <cpaelzer> and it is by now gone from the MIR-team incoming queue
14:50 <cpaelzer> Thanks for all the clarifications, we look good again now ...
14:50 <cpaelzer> #topic Any other business?
14:50 <jawn-smith> excellent, thanks!
14:50 <cpaelzer> nothing from me
14:50 <sarnold> \o/
14:50 <sarnold> nothing from me
14:50 <didrocks> nothing either
14:55 <cpaelzer> ok timeout :-)
14:55 <cpaelzer> see you all next week then
14:55 <sarnold> woot, thanks cpaelzer, all :)
14:55 <cpaelzer> thanks
14:55 <cpaelzer> #endmeeting