#ubuntu-meeting log

15:33 <slyon> #startmeeting Weekly Main Inclusion Requests status
15:33 <meetingology> Meeting started at 15:33:47 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
15:33 <meetingology> Available commands: action, commands, idea, info, link, nick
15:33 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
15:33 <slyon> #topic current component mismatches
15:33 <slyon> Mission: Identify required actions and spread the load among the teams
15:33 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
15:34 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
15:34 <slyon> *trace* got re-assigned within Foundations this week and is actively being worked on this pulse.
15:35 <slyon> bpf* Got security ACK. Needs double-checking by cpaelzer to validate the MIR remarks are resolved
15:35 <slyon> jaraco.text and python-openstacksdk seem ready
15:36 <sarnold> nice nice
15:36 <slyon> Needs an AA for promotion
15:37 * slyon subscribing ~ubuntu-archive
15:38 <slyon> gnome-snapshort seems to be ready, too. Already got promoted.
15:38 <slyon> seb128: on the gnome-snapshot MIR: It looks like you demoted "cheese", but it is back in main again. Could you please double-check?
15:38 <slyon> #topic New MIRs
15:38 <slyon> Mission: ensure to assign all incoming reviews for fast processing
15:39 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
15:39 <sarnold> nice catch re cheese
15:39 <seb128> slyon, I think we need an upload of ubuntu-desktop which didn't happen yet
15:39 <slyon> seb128: ok. I assume your team will be tracking this
15:39 <seb128> yes
15:39 <slyon> thx!
15:40 * slyon left a comment on that bug
15:40 <slyon> bug #2058242 is mostly FYI
15:41 <slyon> Also needs an AA for demotion. ~ubuntu-archive is subscribed.
15:41 <slyon> nothing to do for us
15:41 <slyon> bug #2004442
15:42 <slyon> Requested changes got landed in Debian. It should be ready once they land in Ubuntu, but are not a priority right now, IIUC. I'd like to see didrocks' confirmation on this.
15:42 <slyon> #topic Incomplete bugs / questions
15:43 <slyon> Mission: Identify required actions and spread the load among the teams
15:43 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
15:43 <slyon> bug #2023971
15:44 <slyon> libmail-dmarc-perl is an interesting one.
15:45 <eslerm_> Security is aiming to complete a review for libemail-mime-perl by Thursday
15:45 <slyon> eslerm_: That's great. thanks!
15:45 <eslerm_> unless using libmail-dmarc-perl as packaged in proposed is preferred
15:45 <slyon> The only thing remaining IIUC would be the duplication issue: libemail-mime-perl & libmime-tools-perl in main
15:46 <slyon> well well... I don't know. We can make a call between duplicated work because of two similar packages in "main". Or extra work because of carrying non-mainstream patches.
15:46 <sarnold> one of the comments on https://github.com/msimerson/mail-dmarc/pull/217 suggested that the original requirements are also requirements for spamassassin 4.0, so suddenly it feels more plausible to use the original requirements..
15:47 <slyon> I don't know what's better and would like to deferr that call to the server team, as they own both of those packages.
15:47 <slyon> (CC cpaelzer ^)
15:48 <slyon> sarnold: that suggests we should be using libemail-mime-perl after all?
15:48 <sarnold> slyon: yeah. it's a complex choice.
15:49 <slyon> I'll update the case on LP, as I'd like to wait for server-team input
15:49 <sarnold> I was really impressed with mirespace's patch to switch out the dependencies, it looked ideal, but then it felt like we'll eventually need the original packages "soon" anyway..
15:49 <sarnold> sounds good
15:52 * slyon commented
15:52 <slyon> bug #2015538
15:53 <sarnold> oh lots of conversation since I last looked
15:53 <slyon> turns out there is a hard dependency between dbus-run-session and dbus-daemon. So we cannot do a simple package split
15:53 <slyon> So this needs to be postponed to next cycle, as we need extra engineering time to come up with a solution.
15:54 <slyon> eslerm_: can you clarify your comment on bug #2056099 ?
15:54 <slyon> Are you saying we don't need security ACK for NN promotion?
15:55 <eslerm_> this might explain best: https://bugs.launchpad.net/ubuntu/+source/nbd/+bug/2054480/comments/7
15:55 <eslerm_> I just wanted to note these for future cycles
15:56 <slyon> I understand for nbd, which was in main for a long time and probably never got security review.
15:57 <slyon> but for src:tree it's a new decision, no?
15:57 <eslerm_> I'll leave it to Seth if Security wants to review
15:58 <slyon> Oh! It's because of the MIR assessment: "This does not need a security review"
15:58 <eslerm_> yes :)
15:58 <eslerm_> I'm not saying we need to review these for NN
15:58 <slyon> joalif: is that something you'd be willing to change for the "tree" MIR?
15:58 <slyon> ok
15:58 <eslerm_> I just don't want it to be a pattern for OO
15:58 <slyon> joalif: nvm :)
15:59 <slyon> Well it's always a hard call for us MIR reviewers, as we don't have a security background. But we try to rather be safe and ask for security-review if in doubt
16:00 <sarnold> register void *value = malloc (size);
16:00 <eslerm_> it's understandable :pray:
16:00 <sarnold> oh wow this thing is *ancient* :)
16:01 <sarnold> at least it's using ansi c prototypes, but 'register', I haven't seen that in live code in ages, hehe
16:01 <slyon> eslerm_: sarnold: If you have bad feelings about security-review bypassing of a specific package, please always reach out to the MIR reviewer. We might not always be aware of the side-effects.
16:02 <eslerm_> ++1
16:02 <sarnold> ack, thanks slyon
16:02 <slyon> ok. I left a quick comments on the "tree" MIR, as it's still lacking tests
16:02 <slyon> moving on..
16:02 <slyon> bug #2054480
16:04 <slyon> I'd like to get didrocks opinion on nbd-client, to see if his concerns are resolved.
16:04 <slyon> bug #2048781
16:04 <eslerm_> very nice add to authd didrocks :)
16:05 <slyon> Here Didier added a ncie "cargo-vendor-filterer" tool, to get rid of windows* crates during package build
16:05 <slyon> I think this is a good approach for now, until we can come up with a centralized solution
16:06 <slyon> pending security review.
16:06 <sarnold> awesome <3
16:06 <slyon> #topic Process/Documentation improvements
16:06 <slyon> Mission: Review pending process/documentation pull-requests or issues
16:06 <slyon> #link https://github.com/canonical/ubuntu-mir/pulls
16:06 <slyon> #link https://github.com/canonical/ubuntu-mir/issues
16:06 <slyon> only one update to https://github.com/canonical/ubuntu-mir/issues/35
16:06 <slyon> which describes the same "cargo-vendor-filterer" solution as above
16:07 <slyon> #topic MIR related Security Review Queue
16:07 <slyon> Mission: Check on progress, do deadlines seem doable?
16:07 <slyon> Some clients can only work with one, some with the other escaping - the URLs point to the same place.
16:07 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
16:07 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
16:07 <slyon> Internal link
16:07 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
16:07 <eslerm_> all assigned security MIRs are in-review (except libemail-mime-perl)
16:07 <eslerm_> I need to do some wrangling to get them posted
16:07 <eslerm_> as a reminder, after beta freeze (Monday) Security is not taking new MIRs for noble
16:07 <slyon> thx! Looking pretty good. Kudos to the security-team!
16:07 <slyon> #topic Any other business?
16:08 <sarnold> nothing from me
16:08 <slyon> If nothing else... sorry for running over time and thanks all!
16:08 <eslerm_> thanks slyon, everyone o/
16:08 <slyon> #endmeeting