#ubuntu-meeting log

14:32 <slyon> #startmeeting Weekly Main Inclusion Requests status
14:32 <meetingology> Meeting started at 14:32:17 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:32 <meetingology> Available commands: action, commands, idea, info, link, nick
14:32 <sarnold> woo, thanks slyon
14:32 <joalif> yup I'm at sprint, but I'm around
14:32 <slyon> #topic Review of previous action items
14:33 <slyon> joalif: did you already have a chance to review bug #1965115 from last week's meeting?
14:33 <ubottu> Bug 1965115 in nullboot (Ubuntu) "[MIR] nullboot" [Undecided, New] https://launchpad.net/bugs/1965115
14:33 <joalif> I'm working on it
14:33 <slyon> ok, thanks. I think we had no other action items
14:33 <slyon> #topic current component mismatches
14:33 <slyon> Mission: Identify required actions and spread the load among the teams
14:33 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:33 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:34 <slyon> there are quite some mismatches, especially in -proposed, but let's start with the release pocket
14:34 <slyon> llvm-toolchain-13 vs z3 is in foundation's backlog, we're still investigating if we can drop one recommends, or if we actually need to do a z3 MIR
14:35 <sarnold> libnotify -> sugar -> { python-gwebsockets, sugar-toolkit-gtk3} looks new to me
14:35 <didrocks> yeah, I can take libnotify
14:35 <slyon> libnotify looks new to me, too
14:35 <slyon> thanks didrocks
14:35 <slyon> looking at -proposed mismatches, there is gvfs -> libsoup3 -> sysprof – that is a desktop package too
14:35 <didrocks> indeed, taking as well
14:36 <slyon> didrocks: do you have capacity to ivestigate what's happening there, too?
14:36 <slyon> thanks!
14:36 <slyon> ok, next here are plenty of foundations packages, that I will have a look at:
14:36 <slyon> licensecheck, sphinx, twisted, mutt, requests
14:36 <slyon> I will at least try to do an investigation on those.
14:37 <didrocks> (enjoy :))
14:37 <slyon> finally we have jaraco.text -> jaraco.context which is an openstack package, so for jamespage to have a look at (after the sprint I suppose)
14:38 <slyon> did I miss anything?
14:38 <sarnold> I think that's it
14:38 <slyon> #topic New MIRs
14:38 <slyon> Mission: ensure to assign all incoming reviews for fast processing
14:38 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:38 <slyon> <none> :)
14:38 <sarnold> \o/
14:38 <slyon> #topic Incomplete bugs / questions
14:38 <didrocks> yeah!
14:38 <slyon> Mission: Identify required actions and spread the load among the teams
14:38 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:39 <slyon> we have bug #1963707 that was updated since last week
14:39 <ubottu> Bug 1963707 in libqrtr-glib (Ubuntu) "[MIR] libqrtr-glib" [Low, Incomplete] https://launchpad.net/bugs/1963707
14:39 <slyon> seb created this... do you know anything about it didrocks ?
14:39 <slyon> it's still in "Incomplete" status, is that accurate?
14:39 <didrocks> I don’t. I can check on this, but this might wait for the sprint to be over
14:40 <didrocks> I can chat with Jeremy too
14:40 <slyon> that should be fine, i guess. As priority is set to "Low"
14:40 <didrocks> yeah
14:40 <slyon> Thanks that'd be great
14:40 <slyon> #topic MIR related Security Review Queue
14:40 <slyon> Mission: Check on progress, do deadlines seem doable?
14:40 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:40 <slyon> sarnold: any updates?
14:41 <sarnold> we haven't worked on MIRs this last week
14:41 <slyon> that's sad :( but we're still early in the cycle! :)
14:41 <slyon> thanks for the update
14:41 <slyon> #topic Any other business?
14:41 <sarnold> yeah, I had hoped to start in on one..
14:41 <joalif> juliank: re lp 1965115 (nullboot) any reason why it vendorizes go libraries ?
14:41 <sarnold> we do have one question on https://bugs.launchpad.net/ubuntu/+source/networkd-dispatcher/+bug/1764362
14:41 <ubottu> Launchpad bug 1965115 in nullboot (Ubuntu) "[MIR] nullboot" [Undecided, New] https://launchpad.net/bugs/1965115
14:41 <ubottu> Launchpad bug 1764362 in networkd-dispatcher (Ubuntu) "[MIR] networkd-dispatcher" [Undecided, Fix Released]
14:42 <slyon> ok. let's go with nullboot first
14:42 <slyon> joalif: are those go-dependencies available as individual packages in the archive?
14:43 <slyon> IIRC we have some rules that allow vendoring of go libraries
14:43 <didrocks> with a correct rationale and ensuring that the maintainance will follow, this is allowed
14:43 <joalif> slyon: need to check this, but still iiuc it is required by the process to be justified why librearies are vendorized
14:43 <slyon> like those: "Go Package that follows the Debian Go packaging guidelines" "vendoring is used, but the reasoning is sufficiently explained" "golang: static builds are used, the team confirmed their commitment to the additional responsibilities implied by static builds."
14:44 <slyon> yes, if the justification and maintenance commitment is missing, you should ask about it in the LP bug
14:44 <joalif> ok thanks
14:45 <slyon> OK. netwirkd-dispatcher next, what was the question there sarnold?
14:46 <sarnold> we're curious why networkd-dispatcher wasn't forwarded to the security team for security review -- the checklist suggests to me that it should have been forwarded to us for review, based on the "Package does install services, timers or recurring jobs" rule https://wiki.ubuntu.com/MainInclusionProcess
14:47 <sarnold> (the context is https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ )
14:47 <slyon> that MIR is 4 years old... I haven't been involved at that time, does anybody have context about this?
14:47 <slyon> I don't know how our rules MIR evolved in the past 4 year...
14:47 <didrocks> yeah, at the time, security review was more depending on how the reviewed felt it
14:47 <sarnold> quite a lot, I think :)
14:48 <slyon> sarnold: do you think it makes sense to do a security-review retro-actively for networkd-dispatcher?
14:48 <didrocks> we have stricter and defined rules now
14:48 <sarnold> slyon: probably not, I expect our friends at microsoft probably gave it a pretty thorough look
14:49 <slyon> OK. I need to read up on that microsoft link. But other than that, I think we can leave it as is for now?
14:49 <sarnold> I'm more curious if future similar cases of privileged dbus services would be seen differently today or not
14:50 <slyon> sarnold: yes, thanks for bringing this up. IMO according to our new rules anything that runs a system service with escalated privilegs should go through security review.
14:50 <sarnold> cool cool :)
14:50 <slyon> so, yes. I think this would be seen differently today.
14:51 <slyon> didrocks: do you agree? (you've been around longer than me)
14:51 <didrocks> oh sure, today, we have way more rigorous rules and this will definitively go through security
14:51 <slyon> Alright folks, that's all for today then.
14:52 <didrocks> thanks slyon for hosting the meeting :)
14:52 <slyon> if there isnt any thing else?
14:52 <sarnold> nothing else, thanks :)
14:52 <joalif> nope
14:52 <slyon> #endmeeting