== Meeting information ==

 * #ubuntu-meeting: Weekly Main Inclusion Requests status meeting, started by slyon, 10 Oct at 14:36 — 14:51 UTC.
 * Full logs at https://ubottu.com/meetingology/logs/ubuntu-meeting/2023/ubuntu-meeting.2023-10-10-14.36.log.html

== Meeting summary ==

=== current component mismatches ===

Discussion started by slyon at 14:36.

 * ''LINK:'' https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg (slyon, 14:36)
 * ''LINK:'' https://people.canonical.com/~ubuntu-archive/component-mismatches.svg (slyon, 14:36)

=== New MIRs ===

Discussion started by slyon at 14:37.

 * ''LINK:'' https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir (slyon, 14:37)

=== Incomplete bugs / questions ===

Discussion started by slyon at 14:37.

 * ''LINK:'' https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir (slyon, 14:37)

=== Process/Documentation improvements ===

Discussion started by slyon at 14:40.

 * ''LINK:'' https://github.com/canonical/ubuntu-mir/pulls (slyon, 14:40)
 * ''LINK:'' https://github.com/canonical/ubuntu-mir/issues (slyon, 14:40)

=== MIR related Security Review Queue ===

Discussion started by slyon at 14:41.

 * ''LINK:'' https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir (slyon, 14:41)
 * ''LINK:'' https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir (slyon, 14:41)
 * ''LINK:'' https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594 (slyon, 14:43)

=== Any other business? ===

Discussion started by slyon at 14:49.

== People present (lines said) ==

 * slyon (44)
 * cpaelzer (19)
 * eslerm (13)
 * meetingology (2)
 * joalif (1)

== Full log ==

14:36 #startmeeting Weekly Main Inclusion Requests status
14:36 Meeting started at 14:36:08 UTC. The chair is slyon. Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:36 Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
14:36 #topic current component mismatches
14:36 Missio
14:36 Available commands: action, commands, idea, info, link, nick
14:36 Mission: Identify required actions and spread the load among the teams
14:36 #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:36 #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:37 This looks all very common. Mostly known false-positives. Except for jaraco.text, which apparently didn't make it this cycle, again. :(
14:37 #topic New MIRs
14:37 Mission: ensure to assign all incoming reviews for fast processing
14:37 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:37 empty.
14:37 I'm here now, but not the full length
14:37 thanks for driving the meeting slyon
14:37 #topic Incomplete bugs / questions
14:37 Mission: Identify required actions and spread the load among the teams
14:37 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:38 going back one week 2023-10-03, we have only one update in bug #2023971
14:38 * slyon reading
14:39 I know that mirespace follows some leads I have given her
14:39 which will cut down the list of packages needed a lot
14:39 essentially she is trying to save us all 40 more MIR packages
14:39 nice!
14:40 Seems there are some clear next steps defined on her side
14:40 Nothing to do for us, right now.
14:40 #topic Process/Documentation improvements
14:40 Mission: Review pending process/documentation pull-requests or issues
14:40 #link https://github.com/canonical/ubuntu-mir/pulls
14:40 #link https://github.com/canonical/ubuntu-mir/issues
14:40 PR is a draft and held back for better times
14:41 the issues are also old news
14:41 I think we can go on
14:41 ack.
14:41 #topic MIR related Security Review Queue
14:41 Simon asked for clarification on when tools in main needed re-review, as we had for s390-tools
14:41 Mission: Check on progress, do deadlines seem doable?
14:41 Some clients can only work with one, some with the other escaping - the URLs point to the same place.
14:41 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:41 eslerm: you know the discussion on re-review as a process
14:41 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:42 which has thoughts, but everyone saying "no resources for that, please do not add it atm"
14:42 eslerm: cpaelzer: and for s390-tools it was also a (hidden) component-mismatch
14:42 the reason for s390-tools has been because it was a voluntary (appreciated) "there is a massive change"
14:42 as it was pulling in new non-reviewed dependencies. (even though vendored)
14:42 exactly - ack to slyon
14:43 thank you
14:43 Internal link
14:43 #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:43 So eslerm, do you want to give an update on the security review process?
14:43 or rather s/process/progress/ :-)
14:43 non-reviewed dependencies sounds like the whole process in general ?
14:44 it is the whole process, but they could have sneaked them in as they would have been vendored
14:44 Security doesn't have a great way to work through all vendored dependencies, rustc has ~700 and we can't review them all
14:44 so the tooling would not have stopped them
14:45 eslerm: you mean rustc itself has 700 other things?
14:45 ah, understood, I'll add a task to the jira board above
14:45 rustc/cargo has ~700 vendored packages
14:46 issues in those packages should be tracked too
14:46 rustc 1.70.0 has 532 folders in ./vendor/
14:47 I agree. I'll start a discussion at the next engineering sprint about having toolchain maintainers provide a set of "base" dependencies (tiny but ubiquitous) for their ecosystem and help maintaining them in "main". Hopefully that should cover many of those 532 folders
14:48 thank you slyon
14:48 overlap with rustc is appreciated
14:48 which is one of the issues you see in github
14:48 talk about these base sets
14:48 any other update from the security team?
14:49 none, except s390-tools being ack'd last week
14:49 eslerm: Thanks and kudos. That's much appreciated! I know timing was very tight.
14:49 #topic Any other business?
14:50 cpaelzer: did you want to bring up anything?
14:50 no
14:50 none
14:50 ok. Nothing from my side either.
14:50 none
14:50 Alright. I guess that's it then for today.
14:50 thank you all!
14:50 thanks slyon, all o/
14:51 #endmeeting

Generated by MeetBot 0.4.0 (https://wiki.ubuntu.com/meetingology)