14:34 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
14:34 <meetingology> Meeting started at 14:34:57 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:34 <meetingology> Available commands: action, commands, idea, info, link, nick
14:35 <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage
14:35 <cpaelzer> #topic current component mismatches
14:35 <cpaelzer> Mission: Identify required actions and spread the load among the teams
14:35 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:35 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:35 <cpaelzer> let us see if we have anything new in there to act on
14:35 <slyon> nothing new AFAICT
14:35 <cpaelzer> yep, I still ping jamespage / coreycb for jaraco every week
14:35 <cpaelzer> but indeed all in there are known cases
14:35 <cpaelzer> \o/
14:36 <sarnold> \o/
14:36 <cpaelzer> #topic New MIRs
14:36 <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing
14:36 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:36 <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/webp-pixbuf-loader/+bug/1979121
14:36 <ubottu> Launchpad bug 1979121 in webp-pixbuf-loader (Ubuntu) "[MIR] webp-pixbuf-loader" [Low, New]
14:36 <cpaelzer> just this one
14:36 <cpaelzer> marked low prio and no milestone
14:36 <cpaelzer> so it might be non-urgent, but I haven't read the details
14:37 <coreycb> cpaelzer: re: jaraco. I think that's ready for main (?)
14:37 <sarnold> there's text in the bug that asks for august 25
14:37 <cpaelzer> coreycb: jaraco.text is in, but it depends on jaraco.context which has no MIR assigned
14:37 <slyon> "The package webp-pixbuf-loader is required in Ubuntu main no later than aug 25 due to feature freeze"
14:37 <cpaelzer> indeed sarnold, I set the milestone accordingly
14:37 <sarnold> thanks
14:38 <cpaelzer> looking for a review volunteer on webp
14:38 <coreycb> cpaelzer: https://bugs.launchpad.net/ubuntu/+source/jaraco.context/+bug/1975600
14:38 <ubottu> Launchpad bug 1975600 in jaraco.context (Ubuntu) "[MIR] jaraco.context" [Undecided, Fix Committed]
14:38 <cpaelzer> reading coreycb ...
14:38 <cpaelzer> coreycb: it didn't have the MIR team subscribed
14:38 <cpaelzer> fixed it
14:38 <coreycb> ahh ok, thanks!
14:39 <cpaelzer> now you need an AA to promote it
14:39 <cpaelzer> I can take that for tomorrow
14:39 <didrocks> I can have a look, but this is desktopish and it’s always a little bit off for me to ask a manual test plan (that again, we don’t have here as a wiki page :/)
14:39 <coreycb> cpaelzer: great, thank you
14:39 <cpaelzer> I haven't done a graphic MIR in a while, I also take webp
14:39 <didrocks> so having another pair of eyes would be better to reinforce that this is 1. a fallback plan and 2. not optional
14:40 <cpaelzer> I will didrocks, thanks for the hint
14:40 <sarnold> no tests for an image loader? :(
14:41 <cpaelzer> TBH I've seen plenty of image loader tests - like convert from A->B and then check expected output
14:41 <cpaelzer> is webp non deterministic?
14:41 <didrocks> even non deterministic, you can add fuzzy comparison…
14:41 <cpaelzer> like could it produce slightly different output on the panel it draws to every time?
14:41 <sarnold> on the other hand, a package without tests can't possibly be broken..
14:41 <cpaelzer> lol
14:41 <didrocks> until people are using it? :p
14:41 <cpaelzer> very helpful sarnold, very helpful :-P
14:41 * sarnold bows
14:41 <cpaelzer> anyway I'll have a look
14:42 <didrocks> thx cpaelzer
14:42 <cpaelzer> #topic Incomplete bugs / questions
14:42 <cpaelzer> Mission: Identify required actions and spread the load among the teams
14:42 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:42 <cpaelzer> gsasl just landed 2.x
14:42 <cpaelzer> that is the update there
14:42 <didrocks> (btw, sorry for missing the parsing part)
14:42 <cpaelzer> np didrocks, we come to that later
14:43 <didrocks> I asked jawn-smith to have a look at the diff, not redo a whole MIR
14:43 <cpaelzer> there is always a lessons learned :-)
14:43 <cpaelzer> libiso* is also ok
14:43 <cpaelzer> was reviewed, waits for the reporting team
14:43 <cpaelzer> I think we can go on
14:43 <jawn-smith> ack, will hopefully have that done today
14:43 <cpaelzer> thanks jawn-smith
14:43 <cpaelzer> #topic MIR related Security Review Queue
14:43 <cpaelzer> Mission: Check on progress, do deadlines seem doable?
14:43 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:43 <cpaelzer> Internal link
14:43 <cpaelzer> - ensure your team's items are prioritized among each other as you'd expect
14:43 <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much
14:43 <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:43 <cpaelzer> sarnold: I keep saying the list grows - but it really really does by now
14:44 <cpaelzer> you said "telegraf and something else in progress" often enough (no offense) - who do we need to bully to give you more time and people?
14:44 <sarnold> aye, and I don't expect any progress on it this week, the security team is sprinting this week
14:44 <cpaelzer> sarnold: can the outcome of the sprint be that this gets more attention before we have the same explosion as last cycle?
14:45 <sarnold> cpaelzer: I believe we do have a short meeting on MIRs to make sure we're all on the same page, yeah
14:45 <cpaelzer> ok, please push as hard as you can on it sarnold. Because we will ask you every week
14:45 <sarnold> I expect nothing less :D
14:45 <cpaelzer> and "we" includes more or less everyone requesting those cases
14:46 <cpaelzer> which ends up to be a lot of people :-)
14:46 <cpaelzer> #topic Any other business?
14:46 <sarnold> none here
14:46 <cpaelzer> here we come to the case you mentioned didrocks
14:46 <slyon> Just a FYI that I rejected this from last week: https://bugs.launchpad.net/ubuntu/+source/python-charset-normalizer/+bug/1977475
14:46 <ubottu> Launchpad bug 1977475 in python-charset-normalizer (Ubuntu) "[MIR] python-charset-normalizer" [Undecided, Won't Fix]
14:46 <cpaelzer> thanks slyon - we (the reporting team) agreed
14:46 <slyon> I don't think it's strictly needed and would introduce duplication. ACKed by Lena
14:46 <cpaelzer> we found the switch to the normalizer, but not the debate to drop it altogether
14:46 <cpaelzer> that really helped - thanks slyon
14:47 <slyon> nothing else from my side
14:47 <cpaelzer> on gsasl didrocks and I had a talk
14:47 <cpaelzer> it was first marked as not needing a security review
14:47 <joalif> nothing here, I still work on the ipmitool review
14:47 <cpaelzer> and I want to point us all to the rules section [Security] for a quick check
14:47 <cpaelzer> thanks joalif
14:48 <cpaelzer> it currently says
14:48 <cpaelzer> TODO: - history of CVEs does not look concerning
14:48 <cpaelzer> TODO: - does not run a daemon as root
14:48 <cpaelzer> TODO: - does not use webkit1,2
14:48 <cpaelzer> TODO: - does not use lib*v8 directly
14:48 <cpaelzer> TODO: - does not parse data formats
14:48 <cpaelzer> TODO: - does not open a port/socket
14:48 <cpaelzer> TODO: - does not process arbitrary web content
14:48 <cpaelzer> TODO: - does not use centralized online accounts
14:48 <cpaelzer> TODO: - does not integrate arbitrary javascript into the desktop
14:48 <cpaelzer> TODO: - does not deal with system authentication (eg, pam), etc)
14:48 <cpaelzer> TODO: - does not deal with security attestation (secure boot, tpm, signatures)
14:48 <cpaelzer> That covers a lot, but we have (didrocks now, but I myself in other cases in the past) to make a good split on when it is "parse data"
14:48 <cpaelzer> I mean is having any CLI or socket or API or I/O => "parsing data"
14:48 <sarnold> it's hard to say, since that's the core behaviour of nearly everything..
14:48 <cpaelzer> I do not want to get philosophical, but
14:49 <cpaelzer> I'd propose to add one more line to catch one particular kind that obviously needs to go through security expertise
14:49 <cpaelzer> TODO: - does not deal with cryptography (en-/decryption, certificates, signing, ...)
14:49 <slyon> yeah, I've been struggling with that one, too
14:49 <sarnold> i've always interpreted it to mean more along the lines of images, video, audio, xml, json, asn.1 ..
14:49 <didrocks> I was going to propose about dealing with certificates
14:49 <didrocks> I guess your line captures it
14:50 <sarnold> I like the cryptography addition, yeah
14:50 <cpaelzer> could I get a discussion/ack on that line above, then we could talk about a potential second rule that makes the "parsing" more granular
14:50 <didrocks> sounds like a good addition to me
14:50 <cpaelzer> opinions, objections, +1 on the line proposed above
14:50 <didrocks> +1
14:50 <slyon> +1
14:50 <joalif> +1
14:50 <sarnold> +1
14:50 <slyon> also +1 on sarnold's suggestion about the parsing part
14:51 <cpaelzer> there I have come up with something
14:51 <cpaelzer> TODO: - does not parse data formats (from files [images, video, audio, xml, json, asn.1], network packets, structures, ...)
14:51 <cpaelzer> are there other commonly exploited attack vectors worth to be mentioned explicitly as example?
14:52 <didrocks> I wonder about json/yaml, because let’s say any package that embeds a json parser would be impacted, no?
14:52 <didrocks> (let’s say, a go app vendoring go-yaml )
14:53 <didrocks> so basically, everything having configuration would end up in the security queue, is that desired?
14:53 <sarnold> it really does run the risk of sending *everything* through the security team..
14:53 <didrocks> which would be the safest option. Then we have to deal with reality…
14:53 <sarnold> some additional 'from untrusted sources' might be nice, but that can be hard to tell
14:54 <didrocks> even libreoffice, in some way, is parsing its own file format
14:54 <sarnold> and ossfuzz finds things with libreoffice basically every other day..
14:54 <cpaelzer> untrusted source is good here
14:54 <didrocks> yeah, I like the untrusted source as a delimiter
14:54 <cpaelzer> indeed
14:55 <cpaelzer> TODO: - does not parse data formats (files [images, video, audio, xml, json, asn.1], network packets, structures, ...) from an untrusted source
14:55 <cpaelzer> could we vote on that as well please then?
14:55 <cpaelzer> +1
14:55 <didrocks> +1
14:55 <sarnold> I think mostly the 'this needs security review' vs 'this doesn't need security review' mostly works out pretty well, so in some sense I think the intuitions of the team have been pretty good
14:55 <slyon> yes. and the sysadmin (e.g. config files yaml/json/xml/ini) would be trusted
14:55 <slyon> +1
14:55 <joalif> +1
14:55 <sarnold> +1
14:56 <cpaelzer> ok thank you all
14:56 <cpaelzer> consider both rules added (in a bit)
14:56 <slyon> thank you cpaelzer!
14:56 <didrocks> thank you cpaelzer for the proposals :)
14:57 <cpaelzer> we can only get better if we try :-)
14:57 <cpaelzer> anything else to discuss left?
14:57 <didrocks> nothing from me this week
14:57 <joalif> nothing from me
14:57 <slyon> nothing here
14:58 <cpaelzer> ok, clsoing then
14:58 <cpaelzer> or rather "closing"
14:58 <cpaelzer> FYI: review rules in the wiki updated
14:58 <didrocks> (parsing error)
14:58 <cpaelzer> #endmeeting