14:31 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status 14:31 <meetingology> Meeting started at 14:31:53 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology 14:31 <meetingology> Available commands: action, commands, idea, info, link, nick 14:32 <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage 14:32 <joalif> o/ 14:32 <cpaelzer> hello everyone, I know a few are on PTO, others are sick and I wasn't around for a few weeks so I might have lost all context 14:32 <cpaelzer> nevertheless les us get going 14:32 <cpaelzer> hi joalif 14:32 <sarnold> good morning 14:32 <didrocks> hey 14:32 <cpaelzer> hi sarnold 14:32 <cpaelzer> hi didrocks 14:32 <cpaelzer> slyon is off today 14:33 <cpaelzer> and jamespage always has a hard time to attend, btw @jamespage if you want to send anyone else representin the openstack team let us know about it 14:33 <cpaelzer> #topic current component mismatches 14:33 <cpaelzer> Mission: Identify required actions and spread the load among the teams 14:33 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg 14:33 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg 14:33 <cpaelzer> do I see 6 approved MIRs 14:34 <cpaelzer> - all known false positives 14:34 <cpaelzer> that might be 4 14:34 <jamespage> cpaelzer: an idea 14:35 <cpaelzer> libhtml-tokeparser-simple-perl and libfreezethaw-perl seem to be ready for promotion AFICS 14:35 <didrocks> yeah, they are 14:35 <cpaelzer> I'm taking a todo to double check and do that tomorrow morning 14:36 <cpaelzer> today is meeting overload, hence tomorrow :-) 14:36 <cpaelzer> ok, nothing else in there 14:36 <cpaelzer> feature freeze helps :-) 14:36 <cpaelzer> #topic New MIRs 14:36 <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing 14:36 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir 14:36 <cpaelzer> tund is now up 14:36 <cpaelzer> tuna already got assigned to joalif last week IIRC 14:37 <didrocks> I can have a look at tuned as nobody volunteered in between 14:37 <cpaelzer> sarnold: is your question of the relationship between those sufficiently answered? 14:37 <joalif> I'm still reviewing it tuna has a few problems that i need to discuss 14:37 <cpaelzer> yes, didrocks that would be great 14:37 <sarnold> cpaelzer: not really, it'd be nice to hear something specific that it does that the others cannot do 14:37 <cpaelzer> joalif: do you want/need to discuss it here (and now)? Or with the bug reporter on the bug? 14:38 <joalif> well tbh there's no template filed for tuna, should I ask for it ? (i've almost done the review) 14:38 <joalif> also to run it needs root shall it go through security ? 14:39 <joalif> there are some other problems but those canbe discussed with the reporter in the bug 14:39 <cpaelzer> I updated the case in regard to seths question 14:40 <cpaelzer> now reading the issue here 14:40 <cpaelzer> yes ask for a template for tuna 14:40 <cpaelzer> jsalibury just isn't away of the process details, so let him know and I'm sure he will add it 14:40 <joalif> ack thanks 14:40 <cpaelzer> joalif: you mean the daemon runs as root right? 14:41 <joalif> it is not a deamon, it is the application itself 14:41 <joalif> it messes with cpu affinity and irqs 14:41 <didrocks> clearly needs a security review IMHO :) 14:41 <joalif> so it needs to be run as root 14:41 <joalif> yeah that's my feeling too 14:41 <joalif> it needs security check 14:42 <cpaelzer> I guess we are all clear why that rule exists, running as root ives it more power which makes it more prone to mess up things when exploited 14:42 <cpaelzer> hence yes, it usually means that we want a security check 14:42 <joalif> however this is for later, there are other need to be done before security review 14:42 <cpaelzer> even though, not being a daemon there will not be a port or api that can be accessed and exploited 14:43 <cpaelzer> there might be e.g. users dropping conffiles somewhere for root to pick it up via the tool - and boom 14:43 <sarnold> somewhere in the service there's a d-bus interface 14:43 <cpaelzer> is it, then eeven more -> yes security review 14:43 <sarnold> that might be more the tuned thing than a tuna thing 14:43 <joalif> sarnold: i think dbus is for tuned 14:43 <cpaelzer> and joalif, if you have more for them to answer or implement reflect it back to them and set it to incomplete 14:43 <cpaelzer> since we also wait for the answers to Seths question 14:43 <joalif> yup I'll do 14:43 <cpaelzer> and to whatever didrocks finds on tuna 14:43 <cpaelzer> I guess for now this case is ok 14:43 <didrocks> yep 14:43 <cpaelzer> it won't be 22.10 material anyway 14:44 <cpaelzer> nothin else in the list 14:44 <cpaelzer> #topic Incomplete bugs / questions 14:44 <cpaelzer> Mission: Identify required actions and spread the load among the teams 14:44 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir 14:44 <cpaelzer> openconnect is stil getting updates, but also still incomplewte 14:44 <cpaelzer> no need to act on it 14:45 <cpaelzer> qtr I got contacted by seb 14:45 <sarnold> ah, good 14:45 <cpaelzer> he mentioned that he discussed it her ein the past, we entered a mail series that tries to come up with "if we do, what would we need to ack it as special case" 14:45 <cpaelzer> after some iterations of that we might come back here for a group ack 14:46 <cpaelzer> but it isn't ready enough yet 14:46 <cpaelzer> so I can#t discuss more details yet, but will come back 14:46 <didrocks> teasing :) 14:46 <sarnold> lol 14:47 <cpaelzer> TL;DR in some cases e.g. vendoring and some other cases e.g. multipath/kernel not having all HW - we already make excuses. But we then in turn rquire a clear "yes I really know what I'm committing to here" + "This is how I try to make this situation better in the long run" 14:47 <cpaelzer> something along these lines it might end up to make me consider it a "well ok, special case ack" 14:48 <cpaelzer> I understand the case and want to help, but OTOH I do not want to make it too easy tough, or it will just become the pattern everone uses 14:48 <cpaelzer> ok enough of that, going on ... 14:48 <cpaelzer> #topic MIR related Security Review Queue 14:48 <cpaelzer> Mission: Check on progress, do deadlines seem doable? 14:48 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 14:48 <cpaelzer> Internal link 14:48 <cpaelzer> - ensure your teams items are prioritized among each other as you'd expect 14:48 <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much 14:48 <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594 14:50 <sarnold> unfortunately I stillh aven't caught up after covid :/ mdevctl is in progress, mark is working on editorconfig-core -- I'm worried that it might allow untrusted inputs straight to pcre, which is historically a horrible idea 14:50 <cpaelzer> but pcre itself it mean to be "safe" as it is in main- isn't it? 14:50 <sarnold> the team has other, higher, priorities at the moment, so it'll be just me again for a while 14:50 <sarnold> not really :( 14:51 <sarnold> the expression compiler is unsafe 14:51 <cpaelzer> it was so great seing the recent progress, sad to hear you are along again 14:51 <cpaelzer> but I understand that there are many things pulling, and for now we are way into FF anyway 14:51 <sarnold> afaik only go and rust's regex engines are intended to be safe for untrusted inputs 14:51 <cpaelzer> sarnold: if there is anything not "yes ok" on mdevctl please let myself and athos know immediately about it 14:51 <sarnold> (they're not perfect but at least they try) 14:52 <sarnold> cpaelzer: will do, athos has been very responsive so far :) 100% would recommend, hehe 14:52 <cpaelzer> great 14:52 <cpaelzer> sarnold: one more thing - all the ccid/opensc/smart-card which is marked "in progress" 14:53 <cpaelzer> sarnold: I was told this might get a bump as you lost some related resources, does this go back to square #1 or will this stay in this state? 14:53 <sarnold> cpaelzer: good question. I think it'd be wise for security to talk again with desktop and make sure it's still a desired feature 14:53 <jbicha> sarnold: btw, gnome-text-editor 42 embeds editorconfig-core; 43 is switching to use the system library 🫤 14:53 <cpaelzer> I think it is for all the enterprise desktop people asking for it 14:53 <sarnold> cpaelzer: maybe there's sufficient interest to keep trying on it once we've made more hires 14:54 <sarnold> jbicha: ugh :) 14:54 <cpaelzer> but yeah having that talk is the right next step sarnold 14:54 <sarnold> jbicha: thanks for fighting the devendoring fight :) 14:54 <cpaelzer> jbicha: so we had it all the time, just now it becomes visible? 14:54 <jbicha> cpaelzer: gnome-text-editor is new to main for 22.10 14:54 <cpaelzer> I see 14:54 <sarnold> well, gnome-text-editor is pretty new, replacing whatever the old gnome text editor was, right? 14:54 <jbicha> I didn't devendor it; upstream did to get us to pcre2 I guess 14:55 <cpaelzer> ok, but mark is ont hat csae 14:55 <cpaelzer> so we can expect some progress 14:55 <cpaelzer> goo 14:55 * athos feels recommended! 14:55 <cpaelzer> I think we are fine with this section 14:55 <sarnold> :) 14:55 <cpaelzer> athos: - you are 14:55 <cpaelzer> #topic Any other business? 14:55 <sarnold> yes 14:56 <cpaelzer> nothing from me, the one I had was that libqtr thing I mentioned above 14:56 <cpaelzer> didrocks: joalif: anything from you 14:56 <joalif> nothing from me 14:56 <cpaelzer> sarnold: what is it then? 14:56 <didrocks> nothing for me 14:56 <sarnold> the openconnect, stoken, fstrm, etc MIRs were all filed by LuÃs -- and he has been uninvited from ubuntu for another year 14:56 <sarnold> s/another// 14:56 <cpaelzer> "uninvited" ?! 14:57 <sarnold> yeah, the community council heard enough complaints about his working style that they weren't able to address to their satisfaction 14:57 <sarnold> I hope when the year is up he's more open to workflow suggestions.. 14:57 <cpaelzer> I see 14:58 <cpaelzer> so you are saying there will be a social/community aspect to the review7approval of these once they are no more "incomplete" 14:58 <sarnold> anyway, we've got a half-dozen or so half-filed MIRs in various states; we could either continue on without his input, or set them all WONTFIX, or leave them as is and let them expire on their own organically 14:59 <sarnold> he signed up teams for support of the things without actually having conversations with the affected teams, so I don't think we can just take the bugs at face value 14:59 <cpaelzer> I would not want to stop someone trying to improve Ubuntu. But one of the main things all these need is a team that will own it, we might check on that and only that first when the cases are no more incomplete. 14:59 <jbicha> desktop hasn't reviewed the openconnect request. I was concerned that Security was hesitant about it in their initial review 14:59 <cpaelzer> without finding such, we can't go on - no matter how ok or not any other aspect is 15:00 <cpaelzer> sarnold: we might just point at the "owning team rule" in FYI updates to the cases 15:00 <cpaelzer> just to manage expectations 15:00 <cpaelzer> fells better (to me) than immediately going to Won't Fix 15:00 <cpaelzer> WDYT? 15:00 <didrocks> yeah, basically the fact that the team owner should agree first is the deal breaker 15:00 <sarnold> these bugs weren't a significant hindrence to our meeting today so status quo might be perfectly fine 15:01 <cpaelzer> ok 15:01 <cpaelzer> thanks for raising this for awareness 15:02 <cpaelzer> will help to not spend too much effort before those details are clarified 15:02 <cpaelzer> that seems it was all we had 15:02 <cpaelzer> ready to close this for today? 15:02 <sarnold> fine by me 15:02 <didrocks> sounds good! 15:02 <joalif> thanks cpaelzer, all :) 15:02 <sarnold> thanks cpaelzer, all :) 15:02 <cpaelzer> ok, thank you all! 15:02 <didrocks> thanks cpaelzer, all 15:02 <cpaelzer> #endmeeting