15:29 <slyon> #startmeeting Weekly Main Inclusion Requests status
15:29 <meetingology> Meeting started at 15:29:21 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
15:29 <meetingology> Available commands: action, commands, idea, info, link, nick
15:29 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold c_paelzer jamespage eslerm
15:30 <slyon> #topic current component mismatches
15:30 <slyon> Mission: Identify required actions and spread the load among the teams
15:30 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
15:30 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
15:30 <slyon> Let's start with -proposed (it's pretty crowded)
15:30 <joalif> o/
15:30 <eslerm_> good morning o/
15:31 <slyon> devscripts: I created a draft MIR for libdigest-md5-file-perl to hand it out to the foundations team
15:31 <jamespage> o/
15:31 <sarnold> good morning
15:31 <slyon> devscripts: libswitch-perl has been in main in the past
15:31 <slyon> I wonder if we can just re-promote it? It's looking pretty healthy from a quick sanity check
15:31 <slyon> bug #785607
15:32 <didrocks> hey
15:32 <slyon> I guess this is a question for didrocks, jamespage or maybe sarnold if we did have some precedence on that in the past? (see my latest comment on that bug)
15:32 <didrocks> so, in the past, that was a repromotion without question
15:33 <didrocks> but now, we have stricter requirements
15:33 <didrocks> in terms of testing and so on
15:33 <slyon> testing is covered for this one
15:33 <didrocks> so, I would reask for a template + a full review if the package was promoted before those requirements
15:33 <slyon> OK
15:33 <didrocks> just for a sanity check
15:33 <slyon> I will hand it out to the team then.
15:33 <slyon> thanks
15:33 <didrocks> yw
15:33 <slyon> continuing with c-m-p
15:33 <slyon> logcheck and the seeds are false-positives
15:34 <slyon> libsub-quote-perl: I dropped that recommend an hour ago, so it should vanish from the report
15:34 <sarnold> \o/
15:34 <slyon> ceilometer: looking good, I think we can promote python-xmltodict. But we'll talk about that in our "updates" section
15:35 <slyon> cups-browserd: both deps pending security review
15:35 <slyon> flashrom: I dropped the new libjaylink dependency/functionality (until somebody in Ubuntu actually wants to use it). So it should vanish, too
15:36 <slyon> jaraco.text: this is with the openstack-team to fix things (cc jamespage)
15:36 <slyon> netplan.io: mdurl & markdown-it-py are pending security review
15:36 <jamespage> ack re jaraco.text
15:36 <slyon> rich: this should be tagged for security review, too (cc sarnold, eslerm_) - see my latest comment on the bug
15:37 <slyon> pkgconf: looking good, ready for promotion. I prepared a seed change earlier today, to switch pkg-config -> pkgconf. Pending review from my teammates
15:37 <slyon> licensecheck: pending MIR by a colleague of mine
15:37 <slyon> policykit-1: pending sec-review
15:38 <slyon> for c-m: nothing new. libsub-quote-perl got resolved in -proposed as stated earlier
15:38 <slyon> #topic New MIRs
15:38 <slyon> Mission: ensure to assign all incoming reviews for fast processing
15:38 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
15:38 <didrocks> \o/
15:38 <sarnold> slyon: we may have skipped non-proposed
15:39 <slyon> Nothing \o/ (we might still have some work left from last week)
15:39 <didrocks> (and yes)
15:39 <slyon> sarnold: "for c-m: nothing new. libsub-quote-perl got resolved in -proposed as stated earlier" (see above)
15:39 <sarnold> oh! I see it now
15:39 <slyon> #topic Incomplete bugs / questions
15:39 <slyon> Mission: Identify required actions and spread the load among the teams
15:39 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
15:39 <slyon> bug #2007279
15:40 <slyon> (draft to be handed out to the foundations team to fill the template)
15:40 <slyon> bug #2003083
15:40 <slyon> draft to be filled by the foundations team (tracking update)
15:40 <slyon> bug #2002576
15:40 <slyon> This got security ACK
15:41 <slyon> and MIR ACK. it's being pulled in already by ceilometer
15:41 <slyon> openstack team is subscribed
15:41 <slyon> so I think it's ready for promotion
15:41 <slyon> didrocks: could you handle this?
15:41 <sarnold> ack
15:41 <didrocks> sure
15:41 <slyon> thx!
15:41 <slyon> and that's all for recent updates
15:42 <slyon> #topic MIR related Security Review Queue
15:42 <slyon> Mission: Check on progress, do deadlines seem doable?
15:42 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
15:42 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
15:42 <slyon> sarnold: how are things looking?
15:42 <sarnold> mm, is log4cplus overlooked / neglected?
15:43 <sarnold> https://bugs.launchpad.net/ubuntu/+source/log4cplus/+bug/2003549  -- currently unassigned, I'm wondering if this ought to be back on the server team
15:43 <slyon> log4cplus is older than last week's meeting.
15:43 <slyon> (and pending input from the MIR reporter)
15:43 <sarnold> athos: ^^ https://bugs.launchpad.net/ubuntu/+source/log4cplus/+bug/2003549
15:43 <sarnold> there we go, now my conscience is clean :)
15:44 <slyon> sarnold: nice. I've also assigned the bug accordingly
15:44 <sarnold> so, security queue, I'm feeling good with our current position; this is the closest we've been to getting things done before feature freeze, ever :)
15:44 <slyon> that's very nice to hear. Kudos to the security team!
15:44 <sarnold> there's enough on our plate that I don't think *everything* will be done before feature freeze, but it's hard to guess where exactly the misses might be :(
15:44 <didrocks> yes, this is great to hear :)
15:45 <sarnold> anyway, this feels good. thanks everyone for the help :)
15:45 <slyon> could we get this into the security queue: https://bugs.launchpad.net/ubuntu/+source/rich/+bug/2003570 ?
15:45 <slyon> (still fine post-ff, but should be this cycle)
15:45 <didrocks> sarnold: just be informed that I’m assigning the cups* transition to the security. I feel the first promotion to main were done before the MIR process was created. There are quite some gaps and some components are quite critical (running as root, setuid, parsing data format)
15:46 <eslerm_> maybe, could you review SEC-1640 privately in JIRA?
15:46 <didrocks> even if it’s monitored for CVE, I think it’s the right time for a re-review
15:47 <sarnold> hmm, I wonder if we should re-poke upstream, how long ago was that?
15:47 <eslerm_> almost a week now
15:48 <eslerm_> I could assign CVEs and move on with review
15:48 <eslerm_> pcs is taking my priority currently though
15:48 <sarnold> didrocks: with a project that mature and (i'm guessing underresourced) it might be a challenge to get sweeping architectural changes of the sort that we'd expect from projects these days :( setuid executables parsing things is just a horrible feeling..
15:49 <sarnold> I've gotten the impression completing the pcs stack is our top priority at the moment, I think that should continue
15:49 <sarnold> but a quick re-poke of upstream is cheap enough / easy enough
15:49 <eslerm_> can do
15:49 <slyon> who will do that poking of upstream?
15:49 <slyon> thank you!
15:50 <slyon> #topic Any other business?
15:50 <sarnold> rich https://warthogs.atlassian.net/browse/SEC-1694
15:50 <sarnold> none here
15:50 <slyon> sarnold: thanks!
15:51 <didrocks> nothing here, thanks!
15:51 <joalif> none
15:51 <eslerm_> none either
15:51 <slyon> alright folks, that's all for today :) o/
15:51 <slyon> #endmeeting