15:33 #startmeeting Weekly Main Inclusion Requests status 15:33 Meeting started at 15:33:47 UTC. The chair is slyon. Information about MeetBot at https://wiki.ubuntu.com/meetingology 15:33 Available commands: action, commands, idea, info, link, nick 15:33 Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe ) 15:33 #topic current component mismatches 15:33 Mission: Identify required actions and spread the load among the teams 15:33 #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg 15:34 #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg 15:34 *trace* got re-assigned within Foundations this week and is actively being worked on this pulse. 15:35 bpf* Got security ACK. Needs double-checking by cpaelzer to validate the MIR remarks are resolved 15:35 jaraco.text and python-openstacksdk seem ready 15:36 nice nice 15:36 Needs an AA for promotion 15:37 * slyon subscribing ~ubuntu-archive 15:38 gnome-snapshort seems to be ready, too. Already got promoted. 15:38 seb128: on the gnome-snapshot MIR: It looks like you demoted "cheese", but it is back in main again. Could you please double-check? 15:38 #topic New MIRs 15:38 Mission: ensure to assign all incoming reviews for fast processing 15:39 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir 15:39 nice catch re cheese 15:39 slyon, I think we need an upload of ubuntu-desktop which didn't happen yet 15:39 seb128: ok. I assume your team will be tracking this 15:39 yes 15:39 thx! 15:40 * slyon left a comment on that bug 15:40 bug #2058242 is mostly FYI 15:41 Also needs an AA for demotion. ~ubuntu-archive is subscribed. 15:41 nothing to do for us 15:41 bug #2004442 15:42 Requested changes got landed in Debian. It should be ready once they land in Ubuntu, but are not a priority right now, IIUC. I'd like to see didrocks' confirmation on this. 15:42 #topic Incomplete bugs / questions 15:43 Mission: Identify required actions and spread the load among the teams 15:43 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir 15:43 bug #2023971 15:44 libmail-dmarc-perl is an interesting one. 15:45 Security is aiming to complete a review for libemail-mime-perl by Thursday 15:45 eslerm_: That's great. thanks! 15:45 unless using libmail-dmarc-perl as packaged in proposed is preferred 15:45 The only thing remaining IIUC would be the duplication issue: libemail-mime-perl & libmime-tools-perl in main 15:46 well well... I don't know. We can make a call between duplicated work because of two similar packages in "main". Or extra work because of carrying non-mainstream patches. 15:46 one of the comments on https://github.com/msimerson/mail-dmarc/pull/217 suggested that the original requirements are also requirements for spamassassin 4.0, so suddenly it feels more plausible to use the original requirements.. 15:47 I don't know what's better and would like to deferr that call to the server team, as they own both of those packages. 15:47 (CC cpaelzer ^) 15:48 sarnold: that suggests we should be using libemail-mime-perl after all? 15:48 slyon: yeah. it's a complex choice. 15:49 I'll update the case on LP, as I'd like to wait for server-team input 15:49 I was really impressed with mirespace's patch to switch out the dependencies, it looked ideal, but then it felt like we'll eventually need the original packages "soon" anyway.. 15:49 sounds good 15:52 * slyon commented 15:52 bug #2015538 15:53 oh lots of conversation since I last looked 15:53 turns out there is a hard dependency between dbus-run-session and dbus-daemon. So we cannot do a simple package split 15:53 So this needs to be postponed to next cycle, as we need extra engineering time to come up with a solution. 15:54 eslerm_: can you clarify your comment on bug #2056099 ? 15:54 Are you saying we don't need security ACK for NN promotion? 15:55 this might explain best: https://bugs.launchpad.net/ubuntu/+source/nbd/+bug/2054480/comments/7 15:55 I just wanted to note these for future cycles 15:56 I understand for nbd, which was in main for a long time and probably never got security review. 15:57 but for src:tree it's a new decision, no? 15:57 I'll leave it to Seth if Security wants to review 15:58 Oh! It's because of the MIR assessment: "This does not need a security review" 15:58 yes :) 15:58 I'm not saying we need to review these for NN 15:58 joalif: is that something you'd be willing to change for the "tree" MIR? 15:58 ok 15:58 I just don't want it to be a pattern for OO 15:58 joalif: nvm :) 15:59 Well it's always a hard call for us MIR reviewers, as we don't have a security background. But we try to rather be safe and ask for security-review if in doubt 16:00 register void *value = malloc (size); 16:00 it's understandable :pray: 16:00 oh wow this thing is *ancient* :) 16:01 at least it's using ansi c prototypes, but 'register', I haven't seen that in live code in ages, hehe 16:01 eslerm_: sarnold: If you have bad feelings about security-review bypassing of a specific package, please always reach out to the MIR reviewer. We might not always be aware of the side-effects. 16:02 ++1 16:02 ack, thanks slyon 16:02 ok. I left a quick comments on the "tree" MIR, as it's still lacking tests 16:02 moving on.. 16:02 bug #2054480 16:04 I'd like to get didrocks opinion on nbd-client, to see if his concerns are resolved. 16:04 bug #2048781 16:04 very nice add to authd didrocks :) 16:05 Here Didier added a ncie "cargo-vendor-filterer" tool, to get rid of windows* crates during package build 16:05 I think this is a good approach for now, until we can come up with a centralized solution 16:06 pending security review. 16:06 awesome <3 16:06 #topic Process/Documentation improvements 16:06 Mission: Review pending process/documentation pull-requests or issues 16:06 #link https://github.com/canonical/ubuntu-mir/pulls 16:06 #link https://github.com/canonical/ubuntu-mir/issues 16:06 only one update to https://github.com/canonical/ubuntu-mir/issues/35 16:06 which describes the same "cargo-vendor-filterer" solution as above 16:07 #topic MIR related Security Review Queue 16:07 Mission: Check on progress, do deadlines seem doable? 16:07 Some clients can only work with one, some with the other escaping - the URLs point to the same place. 16:07 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 16:07 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 16:07 Internal link 16:07 #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594 16:07 all assigned security MIRs are in-review (except libemail-mime-perl) 16:07 I need to do some wrangling to get them posted 16:07 as a reminder, after beta freeze (Monday) Security is not taking new MIRs for noble 16:07 thx! Looking pretty good. Kudos to the security-team! 16:07 #topic Any other business? 16:08 nothing from me 16:08 If nothing else... sorry for running over time and thanks all! 16:08 thanks slyon, everyone o/ 16:08 #endmeeting