#ubuntu-meeting log

14:34 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
14:34 <meetingology> Meeting started at 14:34:57 UTC.  The chair is cpaelzer.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:34 <meetingology> Available commands: action, commands, idea, info, link, nick
14:35 <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage
14:35 <cpaelzer> #topic current component mismatches
14:35 <cpaelzer> Mission: Identify required actions and spread the load among the teams
14:35 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:35 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:35 <cpaelzer> let us see if we have anything new in there to act on
14:35 <slyon> nothing new AFAICT
14:35 <cpaelzer> yep, I still ping jamespage / coreycb for jaraco every week
14:35 <cpaelzer> but indeed all in there are known cases
14:35 <cpaelzer> \o/
14:36 <sarnold> \o/
14:36 <cpaelzer> #topic New MIRs
14:36 <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing
14:36 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:36 <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/webp-pixbuf-loader/+bug/1979121
14:36 <ubottu> Launchpad bug 1979121 in webp-pixbuf-loader (Ubuntu) "[MIR] webp-pixbuf-loader" [Low, New]
14:36 <cpaelzer> just this one
14:36 <cpaelzer> marked low prio and no milestone
14:36 <cpaelzer> so it might be non-urgent, but I havne't read the details
14:37 <coreycb> cpaelzer: re: jaraco. I think that's ready for main (?)
14:37 <sarnold> there's text in the bug that asks for august 25
14:37 <cpaelzer> coreycb: jaraco.text is in, but it depends on jaraco.context which has no MIR assigned
14:37 <slyon> "The package webp-pixbuf-loader is required in Ubuntu main no later than aug 25 due to feature freeze"
14:37 <cpaelzer> indeed sarnold, I set the milestone accordingly
14:37 <sarnold> thanks
14:38 <cpaelzer> looking for a review volunteer on webp
14:38 <coreycb> cpaelzer: https://bugs.launchpad.net/ubuntu/+source/jaraco.context/+bug/1975600
14:38 <ubottu> Launchpad bug 1975600 in jaraco.context (Ubuntu) "[MIR] jaraco.context" [Undecided, Fix Committed]
14:38 <cpaelzer> reading coreycb ...
14:38 <cpaelzer> coreycb: it didn#t have the MIR team subscribed
14:38 <cpaelzer> fixed it
14:38 <coreycb> ahh ok, thanks!
14:39 <cpaelzer> now you need an AA to promote it
14:39 <cpaelzer> I can take that for tomorrow
14:39 <didrocks> I can have a look, but this is desktopish and it’s always a little bit off for me to ask a manual test plan (that again, we don’t have here as a wiki page :/)
14:39 <coreycb> cpaelzer: great, thank you
14:39 <cpaelzer> I haven't done a graphic MIR in a while I also take webpm
14:39 <didrocks> so having another pair of eye would be better to reenforce that this is 1. a fallback plan and 2. not optional
14:40 <cpaelzer> I will didrocks, thanks for the hint
14:40 <sarnold> no tests for an image loader? :(
14:41 <cpaelzer> TBH I've seen plenty of image loader tests - like convert from A->B and then check expected output
14:41 <cpaelzer> is webp non deterministic?
14:41 <didrocks> even non determinstic, you can add fuzzy comparison…
14:41 <cpaelzer> like could it produce slightly different output on the panel it draws to every time?
14:41 <sarnold> on the other hand, a package without tests can't possibly be broken..
14:41 <cpaelzer> lol
14:41 <didrocks> until people are using it? :p
14:41 <cpaelzer> very helpful sarnold, very helpful :-P
14:41 * sarnold bows
14:41 <cpaelzer> anyway I'll have a look
14:42 <didrocks> thx cpaelzer
14:42 <cpaelzer> #topic Incomplete bugs / questions
14:42 <cpaelzer> Mission: Identify required actions and spread the load among the teams
14:42 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:42 <cpaelzer> gsasl just landed 2.x
14:42 <cpaelzer> that is the update there
14:42 <didrocks> (btw, sorry for missing the parsing part)
14:42 <cpaelzer> np didrocks, we come to that later
14:43 <didrocks> I asked jawn-smith to have a look at the diff, not redo a whole MIR
14:43 <cpaelzer> there is always a lessons learned :-)
14:43 <cpaelzer> libiso* is also ok
14:43 <cpaelzer> was reviewed waits for the reporting team
14:43 <cpaelzer> I think we can go on
14:43 <jawn-smith> ack, will hopefully have that done today
14:43 <cpaelzer> thanks jawn-smith
14:43 <cpaelzer> #topic MIR related Security Review Queue
14:43 <cpaelzer> Mission: Check on progress, do deadlines seem doable?
14:43 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:43 <cpaelzer> Internal link
14:43 <cpaelzer> - ensure your teams items are prioritized among each other as you'd expect
14:43 <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much
14:43 <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:43 <cpaelzer> sarnold: I keep saying the list grows - but it really really does by now
14:44 <cpaelzer> you said "telegraf and something else in progress" often enough (no offense) - who do we need to bully to give you more time and people?
14:44 <sarnold> aye, and I don't expect any progress on it this week, the security team is sprinting this week
14:44 <cpaelzer> sarnold: can the outcome of the sprint be that this gets more attention before we have the same explosion as last cycle?
14:45 <sarnold> cpaelzer: I believe we do have a short meeting on MIRs to make sure we're all on the same page, yeah
14:45 <cpaelzer> ok, please push as hard as you can on it sarnold. Because we will ask you every week
14:45 <sarnold> I expect nothing less :D
14:45 <cpaelzer> and we includes more or less everyone requesting those cases
14:46 <cpaelzer> which ends up to be a lot of people :-)
14:46 <cpaelzer> #topic Any other business?
14:46 <sarnold> none here
14:46 <cpaelzer> her ewe come to the case you mentioned didrocks
14:46 <slyon> Just a FYI that I rejected this from last week: https://bugs.launchpad.net/ubuntu/+source/python-charset-normalizer/+bug/1977475
14:46 <ubottu> Launchpad bug 1977475 in python-charset-normalizer (Ubuntu) "[MIR] python-charset-normalizer" [Undecided, Won't Fix]
14:46 <cpaelzer> thanks slyon - we (the reporting team) agreed
14:46 <slyon> I don't think it's strictly needed and would introduce duplication. ACKed by Lena
14:46 <cpaelzer> we found the switch to the normalizer, but not the debate to drop it alltogether
14:46 <cpaelzer> that really helped - thanks slyon
14:47 <slyon> nothing else from my side
14:47 <cpaelzer> on gsasl didrocks and I had a talk
14:47 <cpaelzer> it was first marked as not needing a security review
14:47 <joalif> nothing here I still work on the ipmitool review
14:47 <cpaelzer> and I want to point us all to the rules section [Security] for a quick check
14:47 <cpaelzer> thanks joalif
14:48 <cpaelzer> it currently says
14:48 <cpaelzer> TODO: - history of CVEs does not look concerning
14:48 <cpaelzer> TODO: - does not run a daemon as root
14:48 <cpaelzer> TODO: - does not use webkit1,2
14:48 <cpaelzer> TODO: - does not use lib*v8 directly
14:48 <cpaelzer> TODO: - does not parse data formats
14:48 <cpaelzer> TODO: - does not open a port/socket
14:48 <cpaelzer> TODO: - does not process arbitrary web content
14:48 <cpaelzer> TODO: - does not use centralized online accounts
14:48 <cpaelzer> TODO: - does not integrate arbitrary javascript into the desktop
14:48 <cpaelzer> TODO: - does not deal with system authentication (eg, pam), etc)
14:48 <cpaelzer> TODO: - does not deal with security attestation (secure boot, tpm, signatures)
14:48 <cpaelzer> That covers a lot, but we have (didrocks now, but I myself in other cases in the past) to make a good split on when it is "parse data"
14:48 <cpaelzer> I mean is having any CLI or socket or API or I/O => "parsing data"
14:48 <sarnold> it's hard to say, since that's the core behaviour of nearly everything..
14:48 <cpaelzer> I do not want to get philosphical, but
14:49 <cpaelzer> I'd propose to add one more line to catch one particular kind that obviously needs to go through security expertise
14:49 <cpaelzer> TODO: - does not deal with cryptography (en-/decryption, certificates, signing, ...)
14:49 <slyon> yeah, I've been strugling with that one, too
14:49 <sarnold> i've always interpreted it to mean more along the lines of images, video, audio, xml, json, asn.1 ..
14:49 <didrocks> I was going to propose about dealing with certificates
14:49 <didrocks> I guess your line captures it
14:50 <sarnold> I like the cryptography addition, yeah
14:50 <cpaelzer> could I get an discussion7ack on that line above then we could talk about potential second rule that makes the "parsing" more granular
14:50 <didrocks> sounds like a good addition to me
14:50 <cpaelzer> opinions, objections, +1 on the line proposed above
14:50 <didrocks> +1
14:50 <slyon> +1
14:50 <joalif> +1
14:50 <sarnold> +1
14:50 <slyon> also +1 on sarnold's suggestion about the parsing part
14:51 <cpaelzer> there I have come up with something
14:51 <cpaelzer> TODO: - does not parse data formats (from files [images, video, audio, xml, json, asn.1], network packets, structures, ...)
14:51 <cpaelzer> are there other commonly epxloitet attack vectors worth to be mentioned explicitly as example?
14:52 <didrocks> I wonder about json/yaml, because let’s say any package that embeds a json parser would be impacted, no?
14:52 <didrocks> (let’s say, a go app vendoring go-yaml )
14:53 <didrocks> so basically, everything having configuration would end up in the security queue, is that desired?
14:53 <sarnold> it really does run the risk of sending *everything* through the security team..
14:53 <didrocks> which would be the safest option. Then we have to deal with reality…
14:53 <sarnold> some additional 'from untrusted sources' might be nice, but that can be hard to tell
14:54 <didrocks> even libreoffice, in some way, is parsing its own file format
14:54 <sarnold> and ossfuzz finds things with libreoffice basically every other day..
14:54 <cpaelzer> untrusted source is good here
14:54 <didrocks> yeah, I like the untrusted source as a delimiter
14:54 <cpaelzer> indeed
14:55 <cpaelzer> TODO: - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source
14:55 <cpaelzer> could we vote on that as well please then?
14:55 <cpaelzer> +1
14:55 <didrocks> +1
14:55 <sarnold> I think mostly the 'this needs security review' vs 'this doesn't need security review' mostly works out pretty well, so in some sense I think the intuitons of the team have been pretty good
14:55 <slyon> yes. and the sysadming (e.g. config files yaml/json/xml/ini) would be trusted
14:55 <slyon> +1
14:55 <joalif> +1
14:55 <sarnold> +1
14:56 <cpaelzer> ok thank you all
14:56 <cpaelzer> consider both rules added (in a bit)
14:56 <slyon> thank you cpaelzer!
14:56 <didrocks> thank you cpaelzer for the proposals :)
14:57 <cpaelzer> we can only get better if we try :-)
14:57 <cpaelzer> anything else to discuss left?
14:57 <didrocks> nothing from me this week
14:57 <joalif> nothing from me
14:57 <slyon> nothing here
14:58 <cpaelzer> ok, clsoing then
14:58 <cpaelzer> or rather "closing"
14:58 <cpaelzer> FYI: review rules in the wiki updated
14:58 <didrocks> (parsing error)
14:58 <cpaelzer> #endmeeting