14:31 <slyon> #startmeeting Weekly Main Inclusion Requests status
14:31 <meetingology> Meeting started at 14:31:27 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:31 <meetingology> Available commands: action, commands, idea, info, link, nick
14:31 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold c_paelzer jamespage
14:31 <joalif> o/
14:31 <slyon> #topic current component mismatches
14:31 <slyon> Mission: Identify required actions and spread the load among the teams
14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:32 <slyon> c-m is looking rather clean. except for nvidia-graphics-drivers-418-server
14:33 <slyon> but this is a binary update which has been in restricted before, so I guess there's nothing to do for us, and it just needs promotion
14:33 <sarnold> I can't recall one of these things coming up before
14:33 <didrocks> hey
14:34 <slyon> I assume it got dropped & auto-demoted... now a new upload moved to multiverse instead of restricted. I'd leave this to the AAs to sort out
14:34 <sarnold> will they automatically know it needs sorting out? or would a note in #ubuntu-release be appropriate?
14:35 <slyon> It shows up in the AAs reports, so they should be aware
14:35 <slyon> (e.g. c-m, which is an AA report)
14:35 <slyon> #topic New MIRs
14:35 <slyon> Mission: ensure to assign all incoming reviews for fast processing
14:35 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:36 <slyon> nothing \o/ (we took it all last week :))
14:36 <slyon> #topic Incomplete bugs / questions
14:36 <slyon> Mission: Identify required actions and spread the load among the teams
14:36 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:36 <slyon> bug #1990655 : libgit2, http-parser
14:37 <slyon> didrocks: I feel like this should be status: New instead of Incomplete? ^
14:37 <slyon> it is pending security review, but good from our POV
14:38 <didrocks> libgit2 is for sure, I only changed the assignee, resetting to New
14:38 <slyon> thanks
14:38 <slyon> what do we still need for http-parser?
14:39 <sarnold> comment #6 suggests just security review
14:39 <joalif> I don't recall we wait for anything
14:39 <didrocks> yeah, seems to be the same to me, joalif didn’t have any remaining concerns?
14:39 <slyon> joalif: if there's nothing else, could you change the status to "New" as well?
14:40 <joalif> just a really minor recommended todo
14:40 <joalif> but nothing else
14:40 <slyon> joalif: ok sounds good!
14:40 <joalif> sure
14:40 <slyon> bug #1990582 => waiting for feedback/action from the reporter, nothing to do right now for us
14:41 <slyon> that's all updates for today.
14:41 <slyon> I assume the MIR reviews we assigned last week are slowly progressing (I handled 2/5 already)
14:41 <slyon> #topic MIR related Security Review Queue
14:41 <slyon> Mission: Check on progress, do deadlines seem doable?
14:41 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:42 <slyon> Internal link:
14:42 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:42 <slyon> sarnold: can you give a brief update?
14:42 <sarnold> there's been no progress on the security reviews, other tasks have sucked all the oxygen out of the room
14:43 <slyon> we're getting very close to the end-of-cycle. Do we have any misses that we need to notify people about?
14:43 <sarnold> I believe I did that last week
14:43 <slyon> perfect, thanks!
14:44 <sarnold> well, not *perfect*, but .. :)
14:44 <slyon> indeed :p
14:44 <slyon> #topic Any other business?
14:44 <joalif> I have a couple of questions
14:44 <sarnold> I'll miss next week's meeting, so I shall see you in prague :)
14:44 <joalif> I'm reviewing ruby-ffi https://bugs.launchpad.net/ubuntu/+source/ruby-ffi/+bug/1990570
14:45 <joalif> I noticed that it makes an ffi_c.so, should there be a symbols file for this?
14:46 <joalif> also security wise it's ok according to the list, this package provides a gem to programmatically load dynamic libraries
14:46 <didrocks> it depends if there are external consumers
14:46 <joalif> do you think it would need a security review?
14:46 <didrocks> (for the symbols file)
14:46 <didrocks> like, is the lib internal, only for the ruby binding?
14:47 <joalif> I think it's for the ruby binding, not external, but I'll double check
14:48 <didrocks> I would then check for the practice of python C bindings
14:48 <joalif> ok thanks!
14:48 <slyon> I reviewed ruby-childprocess, which is making use of ruby-ffi for IPC. I requested security-review, because I feel passing random data between processes should be double checked, as it could crash/DoS those processes. sarnold what do you think?
14:49 <slyon> so I would lean towards requesting sec-review for ruby-ffi, too.
14:49 <sarnold> $ apt-file search /usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/ | grep '\.so$' | wc -l
14:49 <sarnold> 167
14:50 <joalif> slyon: yes, I saw your review, that's why I'm wondering for ruby-ffi as well, thanks
14:50 <sarnold> there might be other examples in the ruby world, though if we're looking at the pythons because we think they're more likely to be done right..
14:50 <didrocks> (that was my guess in getting inspired by python, because it’s not done for the other ruby projects I checked and I think it’s better to double cross)
14:50 <didrocks> but from the few python examples I found, it’s the same, no symbol file
14:51 <didrocks> I think if there are tests importing the final product (python or ruby) module, and exercising it, it's good enough to ensure about the ABI stability regarding the runtime?
14:52 <sarnold> slyon: good question; I'm more inclined to say it depends upon the type of software architecture the library encourages -- oftentimes ipc is used for things that are logically one program and this is just a detail of shuffling bytes around, so there's no boundaries being crossed. but others are intended to provide generic client-server or peers-on-a-bus architecture (like dbus) and that would be
14:52 <sarnold> more important for a security review, I think
14:52 <joalif> re symbols: it's not just tests in this case, in any case I'll look into it to see exactly how it's used and what happens with other ruby libs and python
14:53 <slyon> sarnold: IIUC ruby-childprocess/-ffi is basically a module, which could be used to implement both types of architecture.
14:54 <sarnold> This gem aims at being a simple and reliable solution for controlling
14:54 <sarnold> external programs running in the background on any Ruby / OS combination.
14:54 <sarnold> hah, yeah, that does feel like a security review would fit
14:54 <sarnold> if I had a dollar for every time I saw unsafe child process handling..
14:54 <slyon> sarnold: haha, thanks for the confirmation!
14:55 <sarnold> thanks :D
14:55 <slyon> joalif: does that answer your questions?
14:55 <joalif> yup all covered!
14:55 <joalif> thank you all!
14:55 <slyon> do we have anything else?
14:55 <joalif> nothing from me
14:56 <slyon> alright, thank you all!
14:56 <sarnold> thanks slyon, all :)
14:57 <slyon> looking forward to meeting you in prague!
14:57 <slyon> #endmeeting