14:31 <slyon> #startmeeting Weekly Main Inclusion Requests status 14:31 <meetingology> Meeting started at 14:31:27 UTC. The chair is slyon. Information about MeetBot at https://wiki.ubuntu.com/meetingology 14:31 <meetingology> Available commands: action, commands, idea, info, link, nick 14:31 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold c_paelzer jamespage 14:31 <joalif> o/ 14:31 <slyon> #topic current component mismatches 14:31 <slyon> Mission: Identify required actions and spread the load among the teams 14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg 14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg 14:32 <slyon> c-m is looking rather clean. except for nvidia-graphics-drivers-418-server 14:33 <slyon> but this is a binary update which has been in restricted before, so I guess there's nothing to do for us, and it just needs promotion 14:33 <sarnold> I can't recall one of these things coming up before 14:33 <didrocks> hey 14:34 <slyon> I assume it got dropped & auto-demoted... now a new upload moved to multiverse instead of restricted. I'd leave this to the AAs to sort out 14:34 <sarnold> will they automatically know it needs sorting out? or would a note in #ubuntu-release be appropriate? 14:35 <slyon> It shows up in the AAs reports, so they should be aware 14:35 <slyon> (e.g. c-m, which is an AA report) 14:35 <slyon> #topic New MIRs 14:35 <slyon> Mission: ensure to assign all incoming reviews for fast processing 14:35 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir 14:36 <slyon> nothing \o/ (we took it all last week :)) 14:36 <slyon> #topic Incomplete bugs / questions 14:36 <slyon> Mission: Identify required actions and spread the load among the teams 14:36 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir 14:36 <slyon> bug #1990655 : libgit2, http-parser 14:37 <slyon> didrocks: I feel like this should be status: New instead of Incomplete? ^ 14:37 <slyon> it is pending security review, but good from our POV 14:38 <didrocks> libgit2 is for sure, I only changed the assignee, resetting to New 14:38 <slyon> thanks 14:38 <slyon> what do we still need for http-parser? 14:39 <sarnold> comment #6 suggests just security review 14:39 <joalif> i dont recall we wait for anything 14:39 <didrocks> yeah, seems to be the same to me, joalif didn’t have any remaining concerns? 14:39 <slyon> joalif: if there's nothing else, could you change the status to "New" as well? 14:40 <joalif> just a really minor recommended todo 14:40 <joalif> but nothing else 14:40 <slyon> joalif: ok sounds good! 14:40 <joalif> sure 14:40 <slyon> bug #1990582 => waiting for feedback/action from the reporter, nothing to do right now for us 14:41 <slyon> that's all updates for today. 14:41 <slyon> I assume the MIR reviews we assigned last week are slowly progressing (I handled 2/5 already) 14:41 <slyon> #topic MIR related Security Review Queue 14:41 <slyon> Mission: Check on progress, do deadlines seem doable? 14:41 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 14:42 <slyon> Internal link: 14:42 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594 14:42 <slyon> sarnold: can you give a brief update? 14:42 <sarnold> there's been no progress on the security reviews, other tasks have sucked all the oxygen out of the room 14:43 <slyon> we're getting very close to the end-of-cycle. Do we have any misses that we need to notify people about? 14:43 <sarnold> I believe I did that last week 14:43 <slyon> perfect, thanks! 14:44 <sarnold> well, not *perfect*, but .. :) 14:44 <slyon> indeed :p 14:44 <slyon> #topic Any other business? 14:44 <joalif> i have a couple of questions 14:44 <sarnold> I'll miss next week's meeting, so I shall see you in prague :) 14:44 <joalif> i'm reviewing ruby-ffi https://bugs.launchpad.net/ubuntu/+source/ruby-ffi/+bug/1990570 14:45 <joalif> i noticed that it makes a ffi_c.so , should there be a symbols file for this ? 14:46 <joalif> also security wise it's ok according to the list, this package provides a gem to programmatically load dynamic libraries 14:46 <didrocks> it depends if there are external consumer 14:46 <joalif> do you think it would need a security review ? 14:46 <didrocks> (for the symbols file) 14:46 <didrocks> like, if the lib internal, only for the ruby binding? 14:47 <joalif> i think it's for the ruby binding not external but i'll double check 14:48 <didrocks> I would then check for the practice of python C bindings 14:48 <joalif> ok thanks! 14:48 <slyon> I reviewed ruby-childprocess, which is making use of ruby-ffi for IPC. I requested security-review, because I feel passing random data between processes should be double checked, as it could crash/DoS those processes. sarnold what do you tihnk? 14:49 <slyon> so I would lean towards requesting sec-review for ruby-ffi, too. 14:49 <sarnold> $ apt-file search /usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/ | grep '\.so$' | wc -l 14:49 <sarnold> 167 14:50 <joalif> slyon: yes, I saw your review that's why i'm wondering for ruby-ffi at well, thanks 14:50 <sarnold> there might other examples in the ruby world, though if we're looking at the pythons because we think they're more likely to be done right.. 14:50 <didrocks> (that was my guess in getting inspired by python, because it’s not done for the other ruby projects I checked and I think it’s better to double cross) 14:50 <didrocks> but from the few python examples I found, it’s the same, no symbol file 14:51 <didrocks> I think if they are tests importing the final product (python or ruby) module, and exercising it, it’s good enough to ensure about the ABI stability regarding the runtime? 14:52 <sarnold> slyon: good question; I'm more inclined to say it depends upon the type of software architecture the library encourages -- oftentimes ipc is used for things that are logically one program and this is just a detail of shuffling bytes around, so there's no boundaries being crossed. but others are intended to provide generic client-server or peers-on-a-bus architecture (like dbus) and that would be 14:52 <sarnold> more important for a security review, I think 14:52 <joalif> re symbols : it's not just tests in this case, in any case I look into it to see exactly how it's used and what happens with other rudy libs and python 14:53 <slyon> sarnold: IIUC ruby-childprocess/-ffi is basically a module, which could be used to implement both types of architecture. 14:54 <sarnold> This gem aims at being a simple and reliable solution for controlling 14:54 <sarnold> external programs running in the background on any Ruby / OS combination. 14:54 <sarnold> hah, yeah, that does feel like a security review would fit 14:54 <sarnold> if I had a dollar for every time I saw unsafe child process handling.. 14:54 <slyon> sarnold: haha, thanks for the confirmation! 14:55 <sarnold> thanks :D 14:55 <slyon> joalif: does that answer your questions? 14:55 <joalif> yup all covered! 14:55 <joalif> thank you all! 14:55 <slyon> do we have anything else? 14:55 <joalif> nothing from me 14:56 <slyon> alright, thank you all! 14:56 <sarnold> thanks slyon, all :) 14:57 <slyon> looking forward to meeting you in prague! 14:57 <slyon> #endmeeting