#ubuntu-meeting log

14:31 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
14:31 <meetingology> Meeting started at 14:31:05 UTC.  The chair is cpaelzer.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:31 <meetingology> Available commands: action, commands, idea, info, link, nick
14:31 <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
14:31 <cpaelzer> plenty of people said hi already before the meeting got started
14:31 <cpaelzer> so let me get going with the agenda
14:31 <cpaelzer> #topic current component mismatches
14:31 <cpaelzer> Mission: Identify required actions and spread the load among the teams
14:31 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:31 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:31 <sarnold> good morning
14:31 <cpaelzer> rust -> fonts
14:32 <cpaelzer> we know rust is temporarily demoted
14:32 <cpaelzer> not suer why the fonts would show up now
14:32 <cpaelzer> but given how things were int he past probably a false positive
14:32 <slyon> cpaelzer: font's are only from the -doc packages, can be ignored
14:32 <cpaelzer> ack
14:32 <slyon> they will stay in universe
14:32 <cpaelzer> then for actual fonts
14:32 <sarnold> probably a previous mix of main vs universe binaries has been turned into "omg all these universe packages should be in main"
14:32 <cpaelzer> fonts-liberation -> fonts-liberation-sans-narrow
14:33 <cpaelzer> the former is a desktop package
14:33 <cpaelzer> AFAIK those get a relative easy pass
14:33 <cpaelzer> if they are really just fonts
14:33 <cpaelzer> and there is no active code
14:33 <cpaelzer> but we'd still want to see a bug that states that it is intentional and wanted
14:33 <cpaelzer> because no matter how simple, the package will need an owner
14:34 <didrocks> that was exactly my point
14:34 <cpaelzer> didrocks: can you carry that to the desktop folks?
14:34 <didrocks> sure, will do
14:34 <cpaelzer> I feel like parrot
14:34 <cpaelzer> the MIRs for the perl explosion will come
14:34 <cpaelzer> soon (tm)
14:35 <cpaelzer> jaraco seems almost ready right?
14:36 <cpaelzer> ok joalif reviewed the last element recently
14:36 <cpaelzer> todo is back on openstack
14:36 <slyon> there are some open TODOs from joalif
14:36 <cpaelzer> jamespage: ^^ FYI
14:36 <cpaelzer> yep
14:36 <cpaelzer> so far that is all I see in mismatches
14:36 <cpaelzer> no further things that we need to act on in there right now
14:37 <cpaelzer> #topic New MIRs
14:37 <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing
14:37 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:37 <cpaelzer> empty
14:37 <cpaelzer> wow
14:37 <sarnold> broken?
14:37 <slyon> xD
14:37 <joalif> lol
14:37 * sarnold pokes launchpad with a stick
14:37 <didrocks> zen attitude :p
14:37 <dviererbe> o/
14:37 <didrocks> don’t be as negative as sarnold :p
14:37 <cpaelzer> #topic Incomplete bugs / questions
14:37 <cpaelzer> Mission: Identify required actions and spread the load among the teams
14:37 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:38 <cpaelzer> 5 incompletes with recent updates
14:38 <cpaelzer> dhcpd I fixed the state as it has a few open todos left
14:38 <cpaelzer> didrocks: did the same for aom
14:39 <cpaelzer> libhttp-cookiejar-perl seems to be worked on by foundations
14:39 <didrocks> python-rlpycairo and all reverse dependencies only used by hplip should be demoted it seems…
14:39 <slyon> bug #2026608 I don't think this necessarily needs a security-review (considering lua has been in main for a while and covered by our security team), but maybe sarnold still wants to do a spot check and see if a full review would be useful (assign ubuntu-security, if you feel like)
14:39 <slyon> didrocks: right. I brought that up with the desktop team, looks like we can demote hplip + dependencies later this cycle
14:40 <cpaelzer> ok, good on hplip+dependencies then
14:40 <cpaelzer> slyon: I agree on 2026608
14:40 <sarnold> slyon: ack, thanks
14:40 <cpaelzer> sarnold: what do you think?
14:41 <sarnold> I'm inclined to agree that it just needs a very quick once-over
14:41 <cpaelzer> on the quality side I agree to slyons list
14:41 <cpaelzer> we need to give it some love
14:41 <cpaelzer> to make it better than it is
14:41 <cpaelzer> Lena will ping back on the case once ready
14:41 <cpaelzer> nothing for us to act now
14:42 <cpaelzer> ok, next topic then
14:42 <cpaelzer> #topic Process/Documentation improvements
14:42 <cpaelzer> Mission: Review pending process/documentation pull-requests or issues
14:42 <cpaelzer> #link https://github.com/canonical/ubuntu-mir/pulls
14:42 <cpaelzer> #link https://github.com/canonical/ubuntu-mir/issues
14:42 <cpaelzer> 31 and 17 wait
14:42 <cpaelzer> blocked by other things
14:42 <cpaelzer> but 33 and 32 I'd land if there are no objections
14:43 <cpaelzer> thanks dviererbe btw for the quick reviews
14:43 <cpaelzer> thoughts/complaints on https://github.com/canonical/ubuntu-mir/pull/32 or https://github.com/canonical/ubuntu-mir/pull/33 ?
14:44 * slyon approved on GH
14:44 <didrocks> the find calls needs to be on the built binary, no? Otherwise dh_fixperms will fix them if nothing special in debian/rules?
14:44 <didrocks> (so unsure about those checks, I generally only rely on grepping)
14:45 <cpaelzer> yeah, there might be more like postinst
14:45 <cpaelzer> that is why my added line says "at least"
14:45 <cpaelzer> I felt that people might check even less than the find and grep
14:45 <cpaelzer> so wanted to provide a hint
14:45 <cpaelzer> if you find suid set then one can have a look at fixperms and others
14:46 <didrocks> right, my point is that find on the source package will not give you what you expect :)
14:46 <cpaelzer> like the built binaries
14:46 <didrocks> yeah
14:46 <cpaelzer> TBH I expected to check both src and extracted debs or so
14:46 <didrocks> and another question on the other on the other PR: why checking dbus in particular? (it’s all local)
14:46 <sarnold> comments added to both
14:46 <didrocks> we can say the same then on any unix socket?
14:46 <cpaelzer> the case I looked at had dbus and that is just as much an "open port" of some sort
14:47 <cpaelzer> since I didn't want to extend the list infinitely I added "dbus or similar"
14:47 <cpaelzer> IHO, but I'm happy to discuss, any kind of listning turn into potential attack vectors right?
14:47 <cpaelzer> +M
14:48 <didrocks> hum, I kind of disagree for things that are listening "locally", in that sense, clients connecting to the system bus are even more harmful and don’t enter this list
14:48 <didrocks> let’s iterate over the PRs
14:48 <cpaelzer> ok then
14:48 <cpaelzer> pstpone for the meeting
14:48 <cpaelzer> throw the comments onto the PRs
14:48 <cpaelzer> some of you already did
14:48 <dviererbe> > I felt that people might check even less than the find and grep
14:48 <dviererbe> Just a thought: Would that be a good idea to create a tool like check-mir that makes it easier for people to check for sid/gid if so many do it worng or don't do it at all?
14:48 <cpaelzer> I'll rework them and we can talk again here next time
14:49 <cpaelzer> dviererbe: I found that often people then run the tool, do not know what/why it does, and then do fail to think e.g. about the new similar thing
14:49 <sarnold> dviererbe: heh, yeah, I immediately wondered why we don't have an easy tool to find all the setuid/setgid files/directories in the packages
14:49 <cpaelzer> you can write and maintain one :-)
14:49 <cpaelzer> all the PR tries is to help with suggestions
14:50 <sarnold> that's my fear
14:50 <cpaelzer> I'm ok for now
14:50 <cpaelzer> have enough on those to work on them
14:50 <cpaelzer> going on in the agenda
14:50 <cpaelzer> #topic MIR related Security Review Queue
14:50 <cpaelzer> Mission: Check on progress, do deadlines seem doable?
14:50 <cpaelzer> Some clients can only work with one, some with the other escaping - the URLs point to the same place.
14:50 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:50 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:50 <cpaelzer> Internal link
14:50 <cpaelzer> - ensure your teams items are prioritized among each other as you'd expect
14:50 <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much
14:50 <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:51 <eslerm> I believe we are set. Big item is cargo being assigned to a reviewer
14:52 <cpaelzer> yeah
14:52 <slyon> that's great to hear!
14:52 <cpaelzer> dotnet is also bug
14:52 <cpaelzer> big
14:52 <cpaelzer> that does not have a face on it yet right?
14:52 <sarnold> correct
14:53 <cpaelzer> nvme-stast just entered the queue as I completed review this morning
14:53 <sarnold> i'm worried that the "transition away from the dead package" story isn't quite complete yet
14:53 <cpaelzer> also looking for a reviewer
14:53 <cpaelzer> sarnold: well, we can wait for more details on this - but it would not block the security reivew would it?
14:53 <sarnold> cpaelzer: no, but it is also probably more important than the security review
14:54 <cpaelzer> it is required TODO #1 to clarify that further
14:54 <sarnold> and I understand the discussion is underway
14:55 <cpaelzer> Unless that is completed and approved as being sufficient it won't be promoted
14:55 <sarnold> sounds good to me
14:55 <cpaelzer> but to not lose too much time I think foundations would appreciate to enter the assigned security review queue
14:55 <cpaelzer> I think we are ok on that, give it a thought if it could be assigned
14:55 <cpaelzer> going on
14:55 <cpaelzer> #topic Any other business?
14:55 <cpaelzer> nothing here
14:55 <didrocks> nothing either
14:55 <sarnold> nothing from me
14:56 <joalif> just fyi, i wont be joining the next 4 mtgs
14:56 <seb128> o/ :-)
14:56 <joalif> bank holidays + pto
14:56 <sarnold> joalif: nice :)
14:56 <sarnold> heya seb128
14:56 <seb128> quick one, the fonts-liberation-sans-narrow mentioned earlier
14:56 <cpaelzer> impressive joalif :-)
14:56 <seb128> it seems to be a rename from fonts-liberation
14:56 <sarnold> oh yes, iirc next week is a midcycle sprint, are we intending to have this meeting next week?
14:56 <seb128> basically Debian did
14:57 <seb128> fonts-liberation2 -> fonts-liberation
14:57 <seb128> and
14:57 <cpaelzer> on time off, there will be a sprint this (not much impact) and next (more impact) week that keeps people busy
14:57 <seb128> fonts-liberation -> fonts-liberation-sans-narrow
14:57 <cpaelzer> I'd appreciate, due to the sprint, someone taking over for me next week
14:57 <seb128> because that's the only font remaining provided by the old srcname
14:57 <seb128> do we still need a MIR?
14:57 <didrocks> (same, I will be in the sprint, so if someone else is free to take over…)
14:57 <slyon> cpaelzer: I can probably run the meeting next week.
14:58 <cpaelzer> seb128: file a bug and explain, so there is an audit trail. Does not need to be a full MIR template
14:58 <seb128> cpaelzer, ack, thanks
14:58 <cpaelzer> thanks slyon
14:58 <cpaelzer> ok then, seems we are done for today
14:58 <sarnold> thanks cpaelzer, all
14:58 <joalif> thanks cpaelzer, all :)
14:58 <dviererbe> thanks, all
14:58 <slyon> thanks cpaelzer, all!
14:58 <cpaelzer> joalif:  we will keep the best cases open for when you are back then :-P
14:58 <cpaelzer> #endmeeting