#ubuntu-meeting log

14:36 <slyon> #startmeeting Weekly Main Inclusion Requests status
14:36 <meetingology> Meeting started at 14:36:08 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:36 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
14:36 <slyon> #topic current component mismatches
14:36 <slyon> Missio
14:36 <meetingology> Available commands: action, commands, idea, info, link, nick
14:36 <slyon> Mission: Identify required actions and spread the load among the teams
14:36 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:36 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:37 <slyon> This looks all very common. Mostly known false-positives. Except for jaraco.text, which apparently didn't make it this cycle, again. :(
14:37 <slyon> #topic New MIRs
14:37 <slyon> Mission: ensure to assign all incoming reviews for fast processing
14:37 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:37 <slyon> empty.
14:37 <cpaelzer> I'm here now, but not the full length
14:37 <cpaelzer> thanks for driving the meeting slyon
14:37 <slyon> #topic Incomplete bugs / questions
14:37 <slyon> Mission: Identify required actions and spread the load among the teams
14:37 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:38 <slyon> going back one week 2023-10-03, we have only one update in bug #2023971
14:38 * slyon reading
14:39 <cpaelzer> I know that mirespace follows some leads I have given her
14:39 <cpaelzer> which will cut down the list of packages needed a lot
14:39 <cpaelzer> essentially she is trying to save us all 40 more MIR packages
14:39 <slyon> nice!
14:40 <slyon> Seems there are some clear next steps defined on her side
14:40 <slyon> Nothing to do for us, right now.
14:40 <slyon> #topic Process/Documentation improvements
14:40 <slyon> Mission: Review pending process/documentation pull-requests or issues
14:40 <slyon> #link https://github.com/canonical/ubuntu-mir/pulls
14:40 <slyon> #link https://github.com/canonical/ubuntu-mir/issues
14:40 <cpaelzer> PR is a draft and held back for better times
14:41 <cpaelzer> the issues are also old news
14:41 <cpaelzer> I think we can go on
14:41 <slyon> ack.
14:41 <slyon> #topic MIR related Security Review Queue
14:41 <eslerm> Simon asked for clarification on when tools in main needed re-review, as we had fro s390-tools
14:41 <slyon> Mission: Check on progress, do deadlines seem doable?
14:41 <slyon> Some clients can only work with one, some with the other escaping - the URLs point to the same place.
14:41 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:41 <cpaelzer> eslerm: you know the discussion on re-review as a process
14:41 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:42 <cpaelzer> which has thoughts, but everyone saying "no resources for that, please do not add it atm"
14:42 <slyon> eslerm: cpaelzer: and for s390-tools it was also a (hidden) component-mismatch
14:42 <cpaelzer> the reason for s390-tools has been because it was a voluntary (appreciated) "there is a massive change"
14:42 <slyon> as it was pulling in new non-reviewed dependencies. (even though vendored)
14:42 <cpaelzer> exactly - ack to slyon
14:43 <eslerm> thank you
14:43 <slyon> Internal link
14:43 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:43 <slyon> So eslerm, do you want to give and update on the security review process?
14:43 <cpaelzer> or rather s/process/progress/ :-)
14:43 <eslerm> non-reviewed dependencies sounds like the whole process in general ?
14:44 <cpaelzer> it is the whole process, but they could have sneaked them in as they would have been vendored
14:44 <eslerm> Security doesn't have a great way to work through all vendoreded dependencies, rustc has ~700 and we can't review them all
14:44 <cpaelzer> so the tooling would not have stopped them
14:45 <cpaelzer> eslerm: you mean rustc itself has 700 other things?
14:45 <eslerm> ah, understood, I'll add a task to the jira board above
14:45 <eslerm> rustc/cargo has ~700 vendored packages
14:46 <eslerm> issues in those packages should be tracked too
14:46 <eslerm> rustc 1.70.0 has 532 folders in ./vendor/
14:47 <slyon> I agree. I'll start a discussion at the next engineering sprint about having toolchain maintainers provide a set of "base" dependencies (tiny but ubiquitous) for their ecosystem and help maintaining them in "main". Hopefully that should cover many of those 532 folders
14:48 <eslerm> thank you slyon
14:48 <eslerm> overlap with rustc is appreciated
14:48 <cpaelzer> which is one of the issues you see in github
14:48 <cpaelzer> talk about these base sets
14:48 <slyon> any other update from the security team?
14:49 <eslerm> none, except s390-tools being ack'd last week
14:49 <slyon> eslerm: Thanks and kudos. That's much appreciated! I know timing was very tight.
14:49 <slyon> #topic Any other business?
14:50 <slyon> cpaelzer: did you want to bring up anything?
14:50 <cpaelzer> no
14:50 <joalif> none
14:50 <slyon> ok. Nothing from my side either.
14:50 <eslerm> none
14:50 <slyon> Alright. I guess that's it then for today.
14:50 <slyon> thank you all!
14:50 <eslerm> thanks slyon, all o/
14:51 <slyon> #endmeeting