15:31 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status
15:31 <meetingology> Meeting started at 15:31:12 UTC.  The chair is cpaelzer.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
15:31 <meetingology> Available commands: action, commands, idea, info, link, nick
15:31 <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
15:31 <slyon> o/
15:31 <cpaelzer> hello party people
15:31 <cpaelzer> #topic current component mismatches
15:31 <cpaelzer> Mission: Identify required actions and spread the load among the teams
15:31 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
15:31 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
15:31 <cpaelzer> That is not much ...
15:32 <cpaelzer> we still have kexec-tools -> xen, I guess my ping to xnox last week might no more help as much depending on his priorities now
15:32 <cpaelzer> Let me bring this up in #kernel for awareness
15:33 <cpaelzer> done
15:34 <cpaelzer> on libcryptx I know that miriam has an upload to make the expected change up for review
15:34 <cpaelzer> so that dependency will soon be gone
15:34 <cpaelzer> #topic New MIRs
15:34 <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing
15:34 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
15:34 <cpaelzer> we had plenty last two weeks
15:34 <sarnold> good morning
15:34 <cpaelzer> let us have a look this week
15:34 <cpaelzer> hi sarnold
15:34 <cpaelzer> wow
15:35 <cpaelzer> as calm as component mismatches
15:35 <cpaelzer> well, ok
15:35 <cpaelzer> #topic Incomplete bugs / questions
15:35 <sarnold> .. is it working? :)
15:35 <cpaelzer> Mission: Identify required actions and spread the load among the teams
15:35 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
15:35 <cpaelzer> ok I see plenty of recent updates here
15:36 <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971 is back on mirespace
15:36 <cpaelzer> thanks joalif for the review
15:36 <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/bpfcc/+bug/2052813 I reviewed today
15:36 <cpaelzer> it is ok but with quite a few required and recommended todos
15:36 <cpaelzer> here in particular I wanted to ask eslerm and sarnold something
15:37 <cpaelzer> could you open my review and scroll to the [Security] section
15:37 <cpaelzer> In this case I'm not sure if I should say we need or do not need a security review
15:37 <cpaelzer> WDYT?
15:38 <sarnold> I'm
15:38 <cpaelzer> yes you are
15:38 <sarnold> :D
15:38 <sarnold> I'm not sure either; on the one hand, administrative privilege is required to run these, so there's a thin barrier at best
15:38 <sarnold> most of the security layer happens in the kernel
15:38 <cpaelzer> yes, by BPF being in isolation there
15:39 <cpaelzer> some isolation
15:39 <cpaelzer> here is the deal, if you say you do not think it is needed, my call will be it is not needed
15:39 <eslerm> I'll let sarnold decide
15:39 <cpaelzer> and then we are fine
15:39 <eslerm> a quick review might remove some footguns
15:39 <cpaelzer> if you say, no you want - then I go that way
15:39 <sarnold> I believe that this package itself is very little risk to the security team, but the kernel portion might -- so, I'm inclined to say that this doesn't need security team review
15:40 <cpaelzer> eslerm: is there a good way to express "we should have a quick check but not a full review"
15:40 <eslerm> likely :)
15:41 <cpaelzer> hehe
15:41 <cpaelzer> how about you volunteer for that "quick but not full" check
15:41 <cpaelzer> then the solution is that I'll assign you
15:41 <cpaelzer> actually it is back with mkukri so I'd subscribe you
15:41 <eslerm> a short audit might find something useful to report upstream, it might just be bugs, if the security context cannot be made worse by bugs
15:42 <eslerm> I can do that
15:42 <cpaelzer> thank you
15:42 <eslerm> (i.e., only bugs exist if you are already root, not vulnerabilities)
15:42 <cpaelzer> you are subscvribed
15:42 <cpaelzer> "subscribed"
15:42 <cpaelzer> next is https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2015538
15:42 <mkukri> oh anything is fine by me as far as these MIRs go
15:43 <mkukri> current plan is for me to address the TODOs next week and hopefully get it uploaded by FF
15:43 <cpaelzer> thanks mkukri if only we'd have known that we could dump anything on you as part of this :-P
15:43 <slyon> cpaelzer: so you helped get the apparmor delta upstreamed into Debian dbus-broker? We should be able to drop the Ubuntu delta then, right?
15:43 <mkukri> "these MIRs" as in the ones already assigned, anything extra will have to go through foundations managers, am afraid :)
15:44 <cpaelzer> yes slyon the Debian maintainer is helpful and friendly, he asked for that delta even
15:44 <cpaelzer> and on the bug he helped to explain to resolve some of the discussions
15:44 <cpaelzer> like not ever fully replacing dbus anyway because dbus-run-session from the src:dbus package works just fine
15:44 <cpaelzer> that directly addresses a concern of eslerm
15:45 <cpaelzer> and overall makes this more likely to work out
15:45 <cpaelzer> I have no good overview of what else is left open here, but it could go back to seb128 to reconsider
15:45 <cpaelzer> jbicha: ^^ could you pass that info on please as seb seems to not be around atm
15:45 <sarnold> should we then ask for a split of src:dbus into one package for dbus-run-session, one package for the policy/config/deps that bluca mentions, and one package (for universe) for the daemon that we want to demote?
15:46 <cpaelzer> sarnold: IMHO no, we have packages where we explicitly say "this binary in main, the rest not"
15:46 <sarnold> cpaelzer: hah, I see I forgot the word 'binary' in there
15:46 <cpaelzer> doing that here is much smaller maintenance effort than keeping a huge delta splitting the source
15:46 <cpaelzer> oh
15:47 <cpaelzer> yeah, that "splitting the binaries to just keep what we want in main" would be a good next step then
15:47 <eslerm> +1
15:48 <slyon> +1
15:48 <cpaelzer> I added a comment on the bug
15:48 <eslerm> a rust vendored version of dbus-broker-session is also needed, right?
15:48 <slyon> I also just synced the dbus-broker package
15:48 <cpaelzer> thank you for the discussion
15:48 <cpaelzer> yes eslerm, that is one of the known required todos
15:48 <eslerm> dbus-broker-session is still in PR iiuc
15:49 <cpaelzer> interesting
15:49 <eslerm> https://github.com/bus1/dbus-broker/pull/321
15:49 <cpaelzer> wow
15:49 <cpaelzer> next incomplete is https://bugs.launchpad.net/ubuntu/+source/gnome-snapshot/+bug/2052652
15:49 <slyon> but bluca mentions we could keep using dbus-run-session (if it is split into a separate binary anyway)
15:49 <cpaelzer> got a review by slyon
15:49 <cpaelzer> ack slyon, that is how I understood it too
15:50 <eslerm> ah, ack
15:50 <cpaelzer> So I guess this is just back to the requesting team to resolve required TODOs
15:50 <slyon> gnome-snapshot has quite some TODOs for jbicha. I wonder if we should already get this into security-queue, as it seems time sensitive?
15:50 <cpaelzer> it will go to the security review
15:50 <cpaelzer> so you might want to add that to the queue already despite being back for open tasks
15:50 <cpaelzer> hehe
15:50 <cpaelzer> we thought alike slyon
15:50 <slyon> hehe
15:50 <cpaelzer> sarnold: eslerm: WDYT?
15:51 <sarnold> yeah, we should be pulling things forward as we can
15:51 <eslerm> I prefer things hitting our queue early
15:51 <jbicha> I'll forward this conversation to Seb but I believe he won't be able to respond this week
15:51 <cpaelzer> ok, do it!
15:52 <cpaelzer> jbicha: thank you, feel free to respond in his name or pull in others as you see appropriate (or don't - really up to you)
15:52 <cpaelzer> next recent incomplete is https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916
15:52 <cpaelzer> yet another review done, thanks didrocks
15:52 <cpaelzer> again having lots of required and some recommended TODOs
15:52 <cpaelzer> that is back on Paul for now
15:52 <eslerm> should security review this while others are working on TODOs?
15:52 <cpaelzer> a bit symbols, plenty of testing - just like bpfcc actually
15:53 <cpaelzer> this again was called to need a review
15:53 <cpaelzer> so yes, to bring things forward I think it would be great to add that to the queue already as well
15:53 <slyon> upils: is working on this actively
15:53 <cpaelzer> I need to keep time in mind, so I'll go on
15:53 <cpaelzer> but this section was very worthwhile today
15:54 <cpaelzer> bringing a lot of things forwards
15:54 <cpaelzer> #topic Process/Documentation improvements
15:54 <cpaelzer> Mission: Review pending process/documentation pull-requests or issues
15:54 <cpaelzer> #link https://github.com/canonical/ubuntu-mir/pulls
15:54 <cpaelzer> #link https://github.com/canonical/ubuntu-mir/issues
15:54 <cpaelzer> nothing new
15:54 <cpaelzer> #topic MIR related Security Review Queue
15:54 <cpaelzer> Mission: Check on progress, do deadlines seem doable?
15:54 <cpaelzer> Some clients can only work with one, some with the other escaping - the URLs point to the same place.
15:54 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
15:54 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
15:54 <cpaelzer> Internal link
15:54 <slyon> we fixed the graph last week with dviererbe :)
15:54 <cpaelzer> - ensure your teams items are prioritized among each other as you'd expect
15:54 <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much
15:54 <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
15:54 <cpaelzer> we just said we will add two
15:54 <cpaelzer> awesome slyon and dviererbe
15:54 <eslerm> I added a comment to https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614
15:54 <sarnold> slyon woo! :) thanks
15:55 <cpaelzer> thanks eslerm
15:55 <cpaelzer> that was jbicha requesting that, he might know if that is of current priority or not
15:56 <cpaelzer> I'll go on in the agenda ...
15:56 <cpaelzer> #topic Any other business?
15:56 <eslerm> I have one more question
15:56 <cpaelzer> I had all mine above already
15:56 <cpaelzer> shoot eslerm
15:56 <eslerm> https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495
15:56 <cpaelzer> not to be considered an order
15:56 <eslerm> is any special consideration needed for promoting to older LTS'
15:57 <cpaelzer> ok, I know a bit of that context
15:57 <jbicha> yes, we'd like to get fdk-aac-free into main for Noble. I will ping my Fedora contacts today about the fork being outdated
15:57 <slyon> eslerm: so far the package is not even available on older series... so I would ignore it for now?
15:57 <eslerm> thanks jbicha
15:57 <eslerm> ack, thanks slyon
15:57 <eslerm> so, our review would not be acking old LTS then ?
15:57 <cpaelzer> the consideration we had in the past
15:57 <slyon> the owning team should request MIR for the older series once it's ready
15:58 <eslerm> sounds good to me
15:58 <cpaelzer> slyon: but here they requested it right away
15:58 <cpaelzer> they did spell out that this will immediately go back to older releases
15:58 <cpaelzer> what we have done in that case in the past
15:58 <slyon> eslerm: yes. We'll probably have the same version backported to older LTS (I assume)... so a follow-up MIR for older LTS should be easy
15:58 <cpaelzer> was looking if that adds any special issues
15:58 <sarnold> cpaelzer: wsl currently plays no part in any of the testing anywhere in the company, as far as I can tell: there's no britney, none of the security team tests have ever been tested in wsl, etc. it's always felt like a "well, if it works, that's neat" sort of thing
15:58 <cpaelzer> like, dependencies or the context no more working
15:59 <sarnold> cpaelzer: it's weird to me to be considering selling pro for wsl without having the basic testing story covered
15:59 <cpaelzer> and then we have said "this is ok, also for those releases"
15:59 <cpaelzer> sarnold: this is for pro in wsl as you say, and that is actually tested daily and on any change by the Desktop team owning this agent and by the pro team it is tested as well from the other POV to this
16:00 <cpaelzer> pro on wsl, does not make this story any different
16:00 <cpaelzer> we could also say we need tests on each cloud, each container stack, ... then
16:00 <cpaelzer> but we do not
16:00 <eslerm> I believe security can proceed with only Noble in mind (a conditional ack for just 24.04 if needed) while this is all worked out
16:00 <sarnold> can windows execute systemd yet?
16:01 <sarnold> as far as I know, the clouds can, and some of the containers do, some do not..
16:01 <cpaelzer> to be clear, you can have a lot of things in WSL already, even pro works there. But it isn't called that way and this makes it able to enable it more smoothly.
16:01 <slyon> sarnold: I remember helping with systemd support for wsl in the past, so probably yes
16:01 <cpaelzer> yes, it can in some environments
16:02 <sarnold> I seem to recall lucy making it work, but does the thing that we or microsoft ship work?
16:02 <cpaelzer> it isn't as bad as you might think :-)
16:02 <sarnold> I think comparing it to a new architecture is perhaps the better comparison
16:02 <cpaelzer> but again, this request is only for an agent that makes enabling pro possible in smoother ways
16:02 <sarnold> sure
16:03 <cpaelzer> it is not "let us create Ubuntu for WSL, what should we do"
16:03 <sarnold> I'm asking the larger question
16:03 <cpaelzer> those are questions to be asked, but not as part of this MIR
16:03 <sarnold> cpaelzer: just promise me that someone is asking these questions of the right people
16:04 <cpaelzer> sarnold: you send me a mail summarize with what you want to be asked and I make it happen
16:04 <sarnold> cpaelzer: awesome, thanks :)
16:04 <cpaelzer> I have quite some ties to many people, probably all that need to hear that
16:04 <cpaelzer> ok
16:04 <cpaelzer> thank you all, I need to close
16:04 <cpaelzer> I'm too late already ...
16:04 <sarnold> thanks cpaelzer, all :)
16:04 <cpaelzer> thanks++
16:04 <eslerm> thanks everyone o/
16:04 <cpaelzer> #endmeeting