15:29 <slyon> #startmeeting Weekly Main Inclusion Requests status
15:29 <meetingology> Meeting started at 15:29:21 UTC. The chair is slyon. Information about MeetBot at https://wiki.ubuntu.com/meetingology
15:29 <meetingology> Available commands: action, commands, idea, info, link, nick
15:29 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold c_paelzer jamespage eslerm
15:30 <slyon> #topic current component mismatches
15:30 <slyon> Mission: Identify required actions and spread the load among the teams
15:30 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
15:30 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
15:30 <slyon> Let's start with -proposed (it's pretty crowded)
15:30 <joalif> o/
15:30 <eslerm_> good morning o/
15:31 <slyon> devscripts: I created a draft MIR for libdigest-md5-file-perl to hand it out to the foundations team
15:31 <jamespage> o/
15:31 <sarnold> good morning
15:31 <slyon> devscripts: libswitch-perl has been in main in the past
15:31 <slyon> I wonder if we can just re-promote it? It's looking pretty healthy from a quick sanity check
15:31 <slyon> bug #785607
15:32 <didrocks> hey
15:32 <slyon> I guess this is a question for didrocks, jamespage or maybe sarnold if we did have some precedence on that in the past? (see my latest comment on that bug)
15:32 <didrocks> so, in the past, that was a repromotion without question
15:33 <didrocks> but now, we have stricter requirements
15:33 <didrocks> in terms of testing and so on
15:33 <slyon> testing is covered for this one
15:33 <didrocks> so, I would reask for a template + a full review if the package was promoted before those requirements
15:33 <slyon> OK
15:33 <didrocks> just for a sanity check
15:33 <slyon> I will hand it out to the team then.
15:33 <slyon> thanks
15:33 <didrocks> yw
15:33 <slyon> continuing with c-m-p
15:33 <slyon> logcheck and the seeds are false-positives
15:34 <slyon> libsub-quote-perl: I dropped that recommend an hour ago, so it should vanish from the report
15:34 <sarnold> \o/
15:34 <slyon> ceilometer: looking good, I think we can promote python-xmltodict. But we'll talk about that in our "updates" section
15:35 <slyon> cups-browserd: both deps pending security review
15:35 <slyon> flashrom: I dropped the new libjaylink dependency/functionality (until somebody in Ubuntu actually wants to use it). So it should vanish, too
15:36 <slyon> jaraco.text: this is with the openstack-team to fix things (cc jamespage)
15:36 <slyon> netplan.io: mdurl & markdown-it-py are pending security review
15:36 <jamespage> ack re jaraco.text
15:36 <slyon> rich: this should be tagged for security review, too (cc sarnold, eslerm_) - see my latest comment on the bug
15:37 <slyon> pkgconf: looking good, ready for promotion. I prepared a seed change earlier today, to switch pkg-config -> pkgconf. Pending review from my teammates
15:37 <slyon> licensecheck: pending MIR by a colleague of mine
15:37 <slyon> policykit-1: pending sec-review
15:38 <slyon> for c-m: nothing new. libsub-quote-perl got resolved in -proposed as stated earlier
15:38 <slyon> #topic New MIRs
15:38 <slyon> Mission: ensure to assign all incoming reviews for fast processing
15:38 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
15:38 <didrocks> \o/
15:38 <sarnold> slyon: we may have skipped non-proposed
15:39 <slyon> Nothing \o/ (we might still have some work left from last week)
15:39 <didrocks> (and yes)
15:39 <slyon> sarnold: "for c-m: nothing new. libsub-quote-perl got resolved in -proposed as stated earlier" (see above)
15:39 <sarnold> oh! I see it now
15:39 <slyon> #topic Incomplete bugs / questions
15:39 <slyon> Mission: Identify required actions and spread the load among the teams
15:39 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
15:39 <slyon> bug #2007279
15:40 <slyon> (draft to be handed out to the foundations team to fill the template)
15:40 <slyon> bug #2003083
15:40 <slyon> draft to be filled by the foundations team (tracking update)
15:40 <slyon> bug #2002576
15:40 <slyon> This got security ACK
15:41 <slyon> and MIR ACK. it's being pulled in already by ceilometer
15:41 <slyon> openstack team is subscribed
15:41 <slyon> so I think it's ready for promotion
15:41 <slyon> didrocks: could you handle this?
15:41 <sarnold> ack
15:41 <didrocks> sure
15:41 <slyon> thx!
15:41 <slyon> and that's all for recent updates
15:42 <slyon> #topic MIR related Security Review Queue
15:42 <slyon> Mission: Check on progress, do deadlines seem doable?
15:42 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
15:42 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
15:42 <slyon> sarnold: how are things looking?
15:42 <sarnold> mm, is log4cplus overlooked / neglected?
15:43 <sarnold> https://bugs.launchpad.net/ubuntu/+source/log4cplus/+bug/2003549 -- currently unassigned, I'm wondering if this ought to be back on the server team
15:43 <slyon> log4cplus is older than last week's meeting.
15:43 <slyon> (and pending input from the MIR reporter)
15:43 <sarnold> athos: ^^ https://bugs.launchpad.net/ubuntu/+source/log4cplus/+bug/2003549
15:43 <sarnold> there we go, now my conscience is clean :)
15:44 <slyon> sarnold: nice. I've also assigned the bug accordingly
15:44 <sarnold> so, security queue, I'm feeling good with our current position; this is the closest we've been to getting things done before feature freeze, ever :)
15:44 <slyon> that's very nice to hear. Kudos to the security team!
15:44 <sarnold> there's enough on our plate that I don't think *everything* will be done before feature freeze, but it's hard to guess where exactly the misses might be :(
15:44 <didrocks> yes, this is great to hear :)
15:45 <sarnold> anyway, this feels good. thanks everyone for the help :)
15:45 <slyon> could we get this into the security queue: https://bugs.launchpad.net/ubuntu/+source/rich/+bug/2003570 ?
15:45 <slyon> (still fine post-ff, but should be this cycle)
15:45 <didrocks> sarnold: just be informed that I’m assigning the cups* transition to the security. I feel the first promotion to main were done before the MIR process was created. There are quite some gaps and some components are quite critical (running as root, setuid, parsing data format)
15:46 <eslerm_> maybe, could you review SEC-1640 privately in JIRA?
15:46 <didrocks> even if it’s monitored for CVE, I think it’s the right time for a re-review
15:47 <sarnold> hmm, I wonder if we should re-poke upstream, how long ago was that?
15:47 <eslerm_> almost a week now
15:48 <eslerm_> I could assign CVEs and move on with review
15:48 <eslerm_> pcs is taking my priority currently though
15:48 <sarnold> didrocks: with a project that mature and (i'm guessing underresourced) it might be a challenge to get sweeping architectural changes of the sort that we'd expect from projects these days :( setuid executables parsing things is just a horrible feeling..
15:49 <sarnold> I've gotten the impression completing the pcs stack is our top priority at the moment, I think that should continue
15:49 <sarnold> but a quick re-poke of upstream is cheap enough / easy enough
15:49 <eslerm_> can do
15:49 <slyon> who will do that poking of upstream?
15:49 <slyon> thank you!
15:50 <slyon> #topic Any other business?
15:50 <sarnold> rich https://warthogs.atlassian.net/browse/SEC-1694
15:50 <sarnold> none here
15:50 <slyon> sarnold: thanks!
15:51 <didrocks> nothing here, thanks!
15:51 <joalif> none
15:51 <eslerm_> none either
15:51 <slyon> alright folks, that's all for today :) o/
15:51 <slyon> #endmeeting