== Meeting information ==

 * #ubuntu-meeting: Weekly Main Inclusion Requests status meeting, started by slyon, 18 Oct at 14:31 — 14:57 UTC.
 * Full logs at https://ubottu.com/meetingology/logs/ubuntu-meeting/2022/ubuntu-meeting.2022-10-18-14.31.log.html



== Meeting summary ==

=== current component mismatches ===

Discussion started by slyon at 14:31.

 * ''LINK:'' https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg   (slyon, 14:31)
 * ''LINK:'' https://people.canonical.com/~ubuntu-archive/component-mismatches.svg   (slyon, 14:31)

=== New MIRs ===

Discussion started by slyon at 14:35.

 * ''LINK:'' https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir   (slyon, 14:35)

=== Incomplete bugs / questions ===

Discussion started by slyon at 14:36.

 * ''LINK:'' https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir   (slyon, 14:36)

=== MIR related Security Review Queue ===

Discussion started by slyon at 14:41.

 * ''LINK:'' https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir   (slyon, 14:41)
 * ''LINK:'' https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594   (slyon, 14:42)

=== Any other business? ===

Discussion started by slyon at 14:44.




== People present (lines said) ==

 * slyon (47)
 * sarnold (18)
 * joalif (17)
 * didrocks (10)
 * meetingology (2)



== Full log ==


 14:31 <slyon> #startmeeting Weekly Main Inclusion Requests status

 14:31 <meetingology> Meeting started at 14:31:27 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology

 14:31 <meetingology> Available commands: action, commands, idea, info, link, nick

 14:31 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold c_paelzer jamespage

 14:31 <joalif> o/

 14:31 <slyon> #topic current component mismatches

 14:31 <slyon> Mission: Identify required actions and spread the load among the teams

 14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg

 14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg

 14:32 <slyon> c-m is looking rather clean. except for nvidia-graphics-drivers-418-server

 14:33 <slyon> but this is a binary update which has been in restricted before, so I guess there's nothing to do for us, and it just needs promotion

 14:33 <sarnold> I can't recall one of these things coming up before

 14:33 <didrocks> hey

 14:34 <slyon> I assume it got dropped & auto-demoted... now a new upload moved to multiverse instead of restricted. I'd leave this to the AAs to sort out

 14:34 <sarnold> will they automatically know it needs sorting out? or would a note in #ubuntu-release be appropriate?

 14:35 <slyon> It shows up in the AAs reports, so they should be aware

 14:35 <slyon> (e.g. c-m, which is an AA report)

 14:35 <slyon> #topic New MIRs

 14:35 <slyon> Mission: ensure to assign all incoming reviews for fast processing

 14:35 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir

 14:36 <slyon> nothing \o/ (we took it all last week :))

 14:36 <slyon> #topic Incomplete bugs / questions

 14:36 <slyon> Mission: Identify required actions and spread the load among the teams

 14:36 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir

 14:36 <slyon> bug #1990655 : libgit2, http-parser

 14:37 <slyon> didrocks: I feel like this should be status: New instead of Incomplete? ^

 14:37 <slyon> it is pending security review, but good from our POV

 14:38 <didrocks> libgit2 is for sure, I only changed the assignee, resetting to New

 14:38 <slyon> thanks

 14:38 <slyon> what do we still need for http-parser?

 14:39 <sarnold> comment #6 suggests just security review

 14:39 <joalif> i dont recall we wait for anything

 14:39 <didrocks> yeah, seems to be the same to me, joalif didn’t have any remaining concerns?

 14:39 <slyon> joalif: if there's nothing else, could you change the status to "New" as well?

 14:40 <joalif> just a really minor recommended todo

 14:40 <joalif> but nothing else

 14:40 <slyon> joalif: ok sounds good!

 14:40 <joalif> sure

 14:40 <slyon> bug #1990582 => waiting for feedback/action from the reporter, nothing to do right now for us

 14:41 <slyon> that's all updates for today.

 14:41 <slyon> I assume the MIR reviews we assigned last week are slowly progressing (I handled 2/5 already)

 14:41 <slyon> #topic MIR related Security Review Queue

 14:41 <slyon> Mission: Check on progress, do deadlines seem doable?

 14:41 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir

 14:42 <slyon> Internal link:

 14:42 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594

 14:42 <slyon> sarnold: can you give a brief update?

 14:42 <sarnold> there's been no progress on the security reviews, other tasks have sucked all the oxygen out of the room

 14:43 <slyon> we're getting very close to the end-of-cycle. Do we have any misses that we need to notify people about?

 14:43 <sarnold> I believe I did that last week

 14:43 <slyon> perfect, thanks!

 14:44 <sarnold> well, not *perfect*, but .. :)

 14:44 <slyon> indeed :p

 14:44 <slyon> #topic Any other business?

 14:44 <joalif> i have a  couple of questions

 14:44 <sarnold> I'll miss next week's meeting, so I shall see you in prague :)

 14:44 <joalif> i'm reviewing ruby-ffi https://bugs.launchpad.net/ubuntu/+source/ruby-ffi/+bug/1990570

 14:45 <joalif> i noticed that it makes a ffi_c.so , should there be a symbols file for this ?

 14:46 <joalif> also security wise it's ok according to the list, this package provides a gem to programmatically load dynamic libraries

 14:46 <didrocks> it depends if there are external consumer

 14:46 <joalif> do you think it would need a security review ?

 14:46 <didrocks> (for the symbols file)

 14:46 <didrocks> like, if the lib internal, only for the ruby binding?

 14:47 <joalif> i think it's for the ruby binding not external but i'll double check

 14:48 <didrocks> I would then check for the practice of python C bindings

 14:48 <joalif> ok thanks!

 14:48 <slyon> I reviewed ruby-childprocess, which is making use of ruby-ffi for IPC. I requested security-review, because I feel passing random data between processes should be double checked, as it could crash/DoS those processes. sarnold what do you tihnk?

 14:49 <slyon> so I would lean towards requesting sec-review for ruby-ffi, too.

 14:49 <sarnold> $ apt-file search /usr/lib/x86_64-linux-gnu/ruby/vendor_ruby/ | grep '\.so$' | wc -l

 14:49 <sarnold> 167

 14:50 <joalif> slyon: yes, I saw your review that's why i'm wondering for ruby-ffi at well, thanks

 14:50 <sarnold> there might other examples in the ruby world, though if we're looking at the pythons because we think they're more likely to be done right..

 14:50 <didrocks> (that was my guess in getting inspired by python, because it’s not done for the other ruby projects I checked and I think it’s better to double cross)

 14:50 <didrocks> but from the few python examples I found, it’s the same, no symbol file

 14:51 <didrocks> I think if they are tests importing the final product (python or ruby) module, and exercising it, it’s good enough to ensure about the ABI stability regarding the runtime?

 14:52 <sarnold> slyon: good question; I'm more inclined to say it depends upon the type of software architecture the library encourages -- oftentimes ipc is used for things that are logically one program and this is just a detail of shuffling bytes around, so there's no boundaries being crossed. but others are intended to provide generic client-server or peers-on-a-bus architecture (like dbus) and that would be

 14:52 <sarnold> more important for a security review, I think

 14:52 <joalif> re symbols : it's not just tests in this case, in any case I look into it to see exactly how it's used and what happens with other rudy libs and python

 14:53 <slyon> sarnold: IIUC ruby-childprocess/-ffi is basically a module, which could be used to implement both types of architecture.

 14:54 <sarnold> This gem aims at being a simple and reliable solution for controlling

 14:54 <sarnold> external programs running in the background on any Ruby / OS combination.

 14:54 <sarnold> hah, yeah, that does feel like a security review would fit

 14:54 <sarnold> if I had a dollar for every time I saw unsafe child process handling..

 14:54 <slyon> sarnold: haha, thanks for the confirmation!

 14:55 <sarnold> thanks :D

 14:55 <slyon> joalif: does that answer your questions?

 14:55 <joalif> yup all covered!

 14:55 <joalif> thank you all!

 14:55 <slyon> do we have anything else?

 14:55 <joalif> nothing from me

 14:56 <slyon> alright, thank you all!

 14:56 <sarnold> thanks slyon, all :)

 14:57 <slyon> looking forward to meeting you in prague!

 14:57 <slyon> #endmeeting



Generated by MeetBot 0.4.0 (https://wiki.ubuntu.com/meetingology)