15:33 <slyon> #startmeeting Weekly Main Inclusion Requests status
15:33 <meetingology> Meeting started at 15:33:47 UTC. The chair is slyon. Information about MeetBot at https://wiki.ubuntu.com/meetingology
15:33 <meetingology> Available commands: action, commands, idea, info, link, nick
15:33 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
15:33 <slyon> #topic current component mismatches
15:33 <slyon> Mission: Identify required actions and spread the load among the teams
15:33 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
15:34 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
15:34 <slyon> *trace* got re-assigned within Foundations this week and is actively being worked on this pulse.
15:35 <slyon> bpf* Got security ACK. Needs double-checking by cpaelzer to validate the MIR remarks are resolved
15:35 <slyon> jaraco.text and python-openstacksdk seem ready
15:36 <sarnold> nice nice
15:36 <slyon> Needs an AA for promotion
15:37 * slyon subscribing ~ubuntu-archive
15:38 <slyon> gnome-snapshot seems to be ready, too. Already got promoted.
15:38 <slyon> seb128: on the gnome-snapshot MIR: It looks like you demoted "cheese", but it is back in main again. Could you please double-check?
15:38 <slyon> #topic New MIRs
15:38 <slyon> Mission: ensure to assign all incoming reviews for fast processing
15:39 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
15:39 <sarnold> nice catch re cheese
15:39 <seb128> slyon, I think we need an upload of ubuntu-desktop which didn't happen yet
15:39 <slyon> seb128: ok. I assume your team will be tracking this
15:39 <seb128> yes
15:39 <slyon> thx!
15:40 * slyon left a comment on that bug
15:40 <slyon> bug #2058242 is mostly FYI
15:41 <slyon> Also needs an AA for demotion. ~ubuntu-archive is subscribed.
15:41 <slyon> nothing to do for us
15:41 <slyon> bug #2004442
15:42 <slyon> Requested changes got landed in Debian. It should be ready once they land in Ubuntu, but are not a priority right now, IIUC. I'd like to see didrocks' confirmation on this.
15:42 <slyon> #topic Incomplete bugs / questions
15:43 <slyon> Mission: Identify required actions and spread the load among the teams
15:43 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
15:43 <slyon> bug #2023971
15:44 <slyon> libmail-dmarc-perl is an interesting one.
15:45 <eslerm_> Security is aiming to complete a review for libemail-mime-perl by Thursday
15:45 <slyon> eslerm_: That's great. thanks!
15:45 <eslerm_> unless using libmail-dmarc-perl as packaged in proposed is preferred
15:45 <slyon> The only thing remaining IIUC would be the duplication issue: libemail-mime-perl & libmime-tools-perl in main
15:46 <slyon> well well... I don't know. We can make a call between duplicated work because of two similar packages in "main". Or extra work because of carrying non-mainstream patches.
15:46 <sarnold> one of the comments on https://github.com/msimerson/mail-dmarc/pull/217 suggested that the original requirements are also requirements for spamassassin 4.0, so suddenly it feels more plausible to use the original requirements..
15:47 <slyon> I don't know what's better and would like to defer that call to the server team, as they own both of those packages.
15:47 <slyon> (CC cpaelzer ^)
15:48 <slyon> sarnold: that suggests we should be using libemail-mime-perl after all?
15:48 <sarnold> slyon: yeah. it's a complex choice.
15:49 <slyon> I'll update the case on LP, as I'd like to wait for server-team input
15:49 <sarnold> I was really impressed with mirespace's patch to switch out the dependencies, it looked ideal, but then it felt like we'll eventually need the original packages "soon" anyway..
15:49 <sarnold> sounds good
15:52 * slyon commented
15:52 <slyon> bug #2015538
15:53 <sarnold> oh lots of conversation since I last looked
15:53 <slyon> turns out there is a hard dependency between dbus-run-session and dbus-daemon. So we cannot do a simple package split
15:53 <slyon> So this needs to be postponed to next cycle, as we need extra engineering time to come up with a solution.
15:54 <slyon> eslerm_: can you clarify your comment on bug #2056099 ?
15:54 <slyon> Are you saying we don't need security ACK for NN promotion?
15:55 <eslerm_> this might explain best: https://bugs.launchpad.net/ubuntu/+source/nbd/+bug/2054480/comments/7
15:55 <eslerm_> I just wanted to note these for future cycles
15:56 <slyon> I understand for nbd, which was in main for a long time and probably never got security review.
15:57 <slyon> but for src:tree it's a new decision, no?
15:57 <eslerm_> I'll leave it to Seth if Security wants to review
15:58 <slyon> Oh! It's because of the MIR assessment: "This does not need a security review"
15:58 <eslerm_> yes :)
15:58 <eslerm_> I'm not saying we need to review these for NN
15:58 <slyon> joalif: is that something you'd be willing to change for the "tree" MIR?
15:58 <slyon> ok
15:58 <eslerm_> I just don't want it to be a pattern for OO
15:58 <slyon> joalif: nvm :)
15:59 <slyon> Well it's always a hard call for us MIR reviewers, as we don't have a security background. But we try to rather be safe and ask for security-review if in doubt
16:00 <sarnold> register void *value = malloc (size);
16:00 <eslerm_> it's understandable :pray:
16:00 <sarnold> oh wow this thing is *ancient* :)
16:01 <sarnold> at least it's using ansi c prototypes, but 'register', I haven't seen that in live code in ages, hehe
16:01 <slyon> eslerm_: sarnold: If you have bad feelings about security-review bypassing of a specific package, please always reach out to the MIR reviewer. We might not always be aware of the side-effects.
16:02 <eslerm_> ++1
16:02 <sarnold> ack, thanks slyon
16:02 <slyon> ok. I left a quick comment on the "tree" MIR, as it's still lacking tests
16:02 <slyon> moving on..
16:02 <slyon> bug #2054480
16:04 <slyon> I'd like to get didrocks opinion on nbd-client, to see if his concerns are resolved.
16:04 <slyon> bug #2048781
16:04 <eslerm_> very nice add to authd didrocks :)
16:05 <slyon> Here Didier added a nice "cargo-vendor-filterer" tool, to get rid of windows* crates during package build
16:05 <slyon> I think this is a good approach for now, until we can come up with a centralized solution
16:06 <slyon> pending security review.
16:06 <sarnold> awesome <3
16:06 <slyon> #topic Process/Documentation improvements
16:06 <slyon> Mission: Review pending process/documentation pull-requests or issues
16:06 <slyon> #link https://github.com/canonical/ubuntu-mir/pulls
16:06 <slyon> #link https://github.com/canonical/ubuntu-mir/issues
16:06 <slyon> only one update to https://github.com/canonical/ubuntu-mir/issues/35
16:06 <slyon> which describes the same "cargo-vendor-filterer" solution as above
16:07 <slyon> #topic MIR related Security Review Queue
16:07 <slyon> Mission: Check on progress, do deadlines seem doable?
16:07 <slyon> Some clients can only work with one, some with the other escaping - the URLs point to the same place.
16:07 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
16:07 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
16:07 <slyon> Internal link
16:07 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
16:07 <eslerm_> all assigned security MIRs are in-review (except libemail-mime-perl)
16:07 <eslerm_> I need to do some wrangling to get them posted
16:07 <eslerm_> as a reminder, after beta freeze (Monday) Security is not taking new MIRs for noble
16:07 <slyon> thx! Looking pretty good. Kudos to the security-team!
16:07 <slyon> #topic Any other business?
16:08 <sarnold> nothing from me
16:08 <slyon> If nothing else... sorry for running over time and thanks all!
16:08 <eslerm_> thanks slyon, everyone o/
16:08 <slyon> #endmeeting