15:31 <cpaelzer> #startmeeting Weekly Main Inclusion Requests status 15:31 <meetingology> Meeting started at 15:31:12 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology 15:31 <meetingology> Available commands: action, commands, idea, info, link, nick 15:31 <cpaelzer> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe ) 15:31 <slyon> o/ 15:31 <cpaelzer> hello party people 15:31 <cpaelzer> #topic current component mismatches 15:31 <cpaelzer> Mission: Identify required actions and spread the load among the teams 15:31 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg 15:31 <cpaelzer> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg 15:31 <cpaelzer> That is not much ... 15:32 <cpaelzer> we still have kexec-tools -> xen, I guess my ping to xnox last week might no more help as much depending on his priorities now 15:32 <cpaelzer> Let me bring this up in #kernel for awareness 15:33 <cpaelzer> done 15:34 <cpaelzer> on libcryptx I know that miriam has an upload to make he expected change up for review 15:34 <cpaelzer> so that dependency will soon be gone 15:34 <cpaelzer> #topic New MIRs 15:34 <cpaelzer> Mission: ensure to assign all incoming reviews for fast processing 15:34 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir 15:34 <cpaelzer> we had plenty last two weeks 15:34 <sarnold> good morning 15:34 <cpaelzer> let us have a look this week 15:34 <cpaelzer> hi sarnold 15:34 <cpaelzer> wow 15:35 <cpaelzer> as calm as component mismatches 15:35 <cpaelzer> well, ok 15:35 <cpaelzer> #topic Incomplete bugs / questions 15:35 <sarnold> .. is it working? :) 15:35 <cpaelzer> Mission: Identify required actions and spread the load among the teams 15:35 <cpaelzer> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir 15:35 <cpaelzer> ok I see plenty of recent updates here 15:36 <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971 is back on mirespace 15:36 <cpaelzer> thanks joalif for the review 15:36 <cpaelzer> https://bugs.launchpad.net/ubuntu/+source/bpfcc/+bug/2052813 I reviewed today 15:36 <cpaelzer> it is ok but with quite a few required and recommended todos 15:36 <cpaelzer> here in particular I wanted to ask eslerm and sarnold something 15:37 <cpaelzer> could you open my review and scroll to the [Security] section 15:37 <cpaelzer> In this case I'm not sure if I should say we need or do not need a security review 15:37 <cpaelzer> WDYT? 15:38 <sarnold> I'm 15:38 <cpaelzer> yes you are 15:38 <sarnold> :D 15:38 <sarnold> I'm not sure either; on the one hand, administrative privilege is required to run these, so there's a thin barrier at best 15:38 <sarnold> most of the security layer happens in the kernel 15:38 <cpaelzer> yes, by BPF being in isolation there 15:39 <cpaelzer> some isolation 15:39 <cpaelzer> here is the deal, if you say you do not think it is needed, my call will be it is not needed 15:39 <eslerm> I'll let sarnold decide 15:39 <cpaelzer> and then we are fine 15:39 <eslerm> a quick review might remove some footguns 15:39 <cpaelzer> if you say, no you want - then I go that way 15:39 <sarnold> I believe that this package itself is very little risk to the security team, but the kernel portion might -- so, I'm inclined to say that this doesn't need security team review 15:40 <cpaelzer> eslerm: is there a good way to express "we should have a quick check but not a full reivew" 15:40 <eslerm> likely :) 15:41 <cpaelzer> hehe 15:41 <cpaelzer> how about you volunteer for that "quick but not full" check 15:41 <cpaelzer> then the solution is that I'll assign you 15:41 <cpaelzer> actually it is back with mkukri so I'd subscribe you 15:41 <eslerm> a short audit might find something useful to report upstream, it might just be bugs, if the security context cannot be made worse by bugs 15:42 <eslerm> I can do that 15:42 <cpaelzer> thank you 15:42 <eslerm> (i.e., only bugs exist if you are already root, not vulnerabilities) 15:42 <cpaelzer> you are subscvribed 15:42 <cpaelzer> "subscribed" 15:42 <cpaelzer> next is https://bugs.launchpad.net/ubuntu/+source/dbus-broker/+bug/2015538 15:42 <mkukri> oh anything is fine by me as far as these MIRs go 15:43 <mkukri> current plan is for me to address the TODOs next week and hopefully get it uploaded by FF 15:43 <cpaelzer> thanks mkukri if only we'd have known that we could dump anything on you as part of this :-P 15:43 <slyon> cpaelzer: so you helped get the apparmor delta upstreamed into Debian dbus-broker? We should be able to drop the Ubuntu delta then, right? 15:43 <mkukri> "these MIRs" as in the ones already assigned, anything extra will have to go through foundations managers, am afraid :) 15:44 <cpaelzer> yes slyon the Debian maintainer is helpful and friendly, he asked for that delta even 15:44 <cpaelzer> and on the bug he helped to explain to resolve some of the discussions 15:44 <cpaelzer> like not ever fully replacing dbus anyway because dbus-run-session from the src:dbus package works just fine 15:44 <cpaelzer> that directly addresses a concern of eslerm 15:45 <cpaelzer> and overall makes this more likely to work out 15:45 <cpaelzer> I have no good overview of what else is left open here, but it could go back to seb128 to reconsider 15:45 <cpaelzer> jbicha: ^^ could you pass that info on please as seb seems to not be around atm 15:45 <sarnold> should we then ask for a split of src:dbus into one package for dbus-run-session, one package for the policy/config/deps that bluca mentions, and one package (for universe) for the daemon that we want to demote? 15:46 <cpaelzer> sarnold: IMHO no, we have packages where we explicitly say "this binary in main, the rest not" 15:46 <sarnold> cpaelzer: hah, I see I forgot the word 'binary' in there 15:46 <cpaelzer> doing that here is much smaller maintenance effort than keeping a huge delta splitting the source 15:46 <cpaelzer> oh 15:47 <cpaelzer> yeah, that "splitting the binaries to just keep what we want in main" would be a good next step then 15:47 <eslerm> +1 15:48 <slyon> +1 15:48 <cpaelzer> I added a comment on the bug 15:48 <eslerm> a rust vendored version of dbus-broker-session is also needed, right? 15:48 <slyon> I also just synced the dbus-broker package 15:48 <cpaelzer> thank you for the discussion 15:48 <cpaelzer> yes eslerm, that is one of the known required todos 15:48 <eslerm> dbus-broker-session is still in PR iiuc 15:49 <cpaelzer> interesting 15:49 <eslerm> https://github.com/bus1/dbus-broker/pull/321 15:49 <cpaelzer> wow 15:49 <cpaelzer> next incomplete is https://bugs.launchpad.net/ubuntu/+source/gnome-snapshot/+bug/2052652 15:49 <slyon> but bluca mentions we could keep using dbus-run-session (if it is split into an separate binary anyway) 15:49 <cpaelzer> got a review by slyon 15:49 <cpaelzer> ack slyon, that is how I understood it too 15:50 <eslerm> ah, ack 15:50 <cpaelzer> So I guess this is just back to the requesting team to resolve required TODOs 15:50 <slyon> gnome-snapshot has quite some TODOs for jbicha. I wonder if we should already get this into security-queue, as it seems time sensitive? 15:50 <cpaelzer> it will go to the security reivew 15:50 <cpaelzer> so you might want to add that to the queue already despite being back for open tasks 15:50 <cpaelzer> hehe 15:50 <cpaelzer> we thought alike slyon 15:50 <slyon> hehe 15:50 <cpaelzer> sarnold: eslerm: WDYT? 15:51 <sarnold> yeah, we should be pulling things forward as we can 15:51 <eslerm> I prefer things hitting our queue early 15:51 <jbicha> I'll forward this conversation to Seb but I believe he won't be able to respond this week 15:51 <cpaelzer> ok, do it! 15:52 <cpaelzer> jbicha: thank you, feel free to respond in his name or pull in others as you see appropriate (or don't - really up to you) 15:52 <cpaelzer> next recent incomplete is https://bugs.launchpad.net/ubuntu/+source/libtraceevent/+bug/2051916 15:52 <cpaelzer> yet another review done, thanks didrocks 15:52 <cpaelzer> again having lots of required and some recommended TODOs 15:52 <cpaelzer> that is back on Paul for now 15:52 <eslerm> should security review this while others are working on TODOs? 15:52 <cpaelzer> a bit symbols, plenty of testing .- just like bpfcc actually 15:53 <cpaelzer> this again was called to need a review 15:53 <cpaelzer> so yes, to bring things forward I think it would be great to add that to the queue already as well 15:53 <slyon> upils: is working on this actively 15:53 <cpaelzer> I need to keep time in mind, so I'll go on 15:53 <cpaelzer> but this section was very worthwhile today 15:54 <cpaelzer> bringing a lot of things forwards 15:54 <cpaelzer> #topic Process/Documentation improvements 15:54 <cpaelzer> Mission: Review pending process/documentation pull-requests or issues 15:54 <cpaelzer> #link https://github.com/canonical/ubuntu-mir/pulls 15:54 <cpaelzer> #link https://github.com/canonical/ubuntu-mir/issues 15:54 <cpaelzer> nothing new 15:54 <cpaelzer> #topic MIR related Security Review Queue 15:54 <cpaelzer> Mission: Check on progress, do deadlines seem doable? 15:54 <cpaelzer> Some clients can only work with one, some with the other escaping - the URLs point to the same place. 15:54 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 15:54 <cpaelzer> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 15:54 <cpaelzer> Internal link 15:54 <slyon> we fixed the graph last week with dviererbe :) 15:54 <cpaelzer> - ensure your teams items are prioritized among each other as you'd expect 15:54 <cpaelzer> - ensure community requests do not get stomped by teams calling for favors too much 15:54 <cpaelzer> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594 15:54 <cpaelzer> we just said we will add two 15:54 <cpaelzer> awesome slyon and dviererbe 15:54 <eslerm> I added a comment to https://bugs.launchpad.net/ubuntu/+source/fdk-aac-free/+bug/1977614 15:54 <sarnold> slyon woo! :) thanks 15:55 <cpaelzer> thanks eslerm 15:55 <cpaelzer> that was jbicha requesting that, he might know if that is of current priority or not 15:56 <cpaelzer> I'll go on in the agenda ... 15:56 <cpaelzer> #topic Any other business? 15:56 <eslerm> I have one more question 15:56 <cpaelzer> I had all mine above already 15:56 <cpaelzer> shoot eslerm 15:56 <eslerm> https://bugs.launchpad.net/ubuntu/+source/wsl-pro-service/+bug/2052495 15:56 <cpaelzer> not to be considered an order 15:56 <eslerm> is any special consideration needed for promoting to older LTS' 15:57 <cpaelzer> ok, I know a bit of that context 15:57 <jbicha> yes, we'd like to get fdk-aac-free into main for Noble. I will ping my Fedora contacts today about the fork being outdated 15:57 <slyon> eslerm: so far the package is not even available on older series... so I would ignore it for now? 15:57 <eslerm> thanks jbicha 15:57 <eslerm> ack, thanks slyon 15:57 <eslerm> so, our review would not be acking old LTS then ? 15:57 <cpaelzer> the consideration we had in the past 15:57 <slyon> the owning team should request MIR for the older series once it's ready 15:58 <eslerm> sounds good to me 15:58 <cpaelzer> slyon: but here they requested it right away 15:58 <cpaelzer> they did spell out that this will immediately go back to older releases 15:58 <cpaelzer> what we have done in that case in the past 15:58 <slyon> eslerm: yes. We'll probably have the same version backported to older LTS (I assume)... so an follow-up MIR for older LTS should be easy 15:58 <cpaelzer> was looking if that adds any special issues 15:58 <sarnold> cpaelzer: wsl currently plays no part in any of the testing anywhere in the companym, as far as I can tell: there's no britney, none of the security team tests have ever been tested in wsl, etc. it's always felt like a "well, if it works, that's neat" sort of thing 15:58 <cpaelzer> like, dependencies or the context no more working 15:59 <sarnold> cpaelzer: it's weird to me to be considering selling pro for wsl without having the basic testing story covered 15:59 <cpaelzer> and then we have said "this is ok, also for those releases" 15:59 <cpaelzer> sarnold: this is for pro in wsl as you say, and that is actually tested daily and on any change by the Desktop team owning this agent and by the pro team it is tested as well from the other POV to this 16:00 <cpaelzer> pro on wsl, does not make this story any different 16:00 <cpaelzer> we could also say we need tests on each cloud, each container stack, ... then 16:00 <cpaelzer> but we do not 16:00 <eslerm> I believe security can proceed with only Nobel in mind (a conditional ack for just 24.04 if needed) while this is all worked out 16:00 <sarnold> can windows execute systemd yet? 16:01 <sarnold> as far as I know, the clouds can, and some of the containers do, some do not.. 16:01 <cpaelzer> to be clear, you can have a lot of things in WSL already, even pro works there. But it isn't called that way and this makes it able to enable it more smoothly. 16:01 <slyon> sarnold: I remember helping with systemd support for wsl in the past, so probably yes 16:01 <cpaelzer> yes, it can in some environments 16:02 <sarnold> I seem to recall lucy making it work, but does the thing that we or microsoft ship work? 16:02 <cpaelzer> it isn't as bad as you might think :-) 16:02 <sarnold> I think comparing it to a new architecture is perhaps the better comparison 16:02 <cpaelzer> but again, this request is only for an agent that makes enabling pro possible in smoother ways 16:02 <sarnold> sure 16:03 <cpaelzer> it is not "let us create Ubuntu for WSL, what should we do" 16:03 <sarnold> I'm asking the larger question 16:03 <cpaelzer> those are questions to be asked, but not as part of this MIR 16:03 <sarnold> cpaelzer: just promise me that someone is asking these questions of the right people 16:04 <cpaelzer> sarnold: you send me a mail summarize with what you want to be asked and I make it happen 16:04 <sarnold> cpaelzer: awesome, thanks :) 16:04 <cpaelzer> I have quite some ties to many people, probably all that need to hear that 16:04 <cpaelzer> ok 16:04 <cpaelzer> thank you all, I need to close 16:04 <cpaelzer> I'm too late already ... 16:04 <sarnold> thanks cpaelzer, all :) 16:04 <cpaelzer> thanks++ 16:04 <eslerm> thanks everyone o/ 16:04 <cpaelzer> #endmeeting