#ubuntu-meeting log

14:29 <slyon> #startmeeting Weekly Main Inclusion Requests status
14:29 <meetingology> Meeting started at 14:29:08 UTC.  The chair is slyon.  Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:29 <meetingology> Available commands: action, commands, idea, info, link, nick
14:29 <slyon> Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
14:29 <dviererbe> o/
14:29 <slyon> Still a bit early. Let's give it a minute or two
14:30 <slyon> #topic current component mismatches
14:30 <joalif> o/
14:30 <slyon> Mission: Identify required actions and spread the load among the teams
14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:31 <slyon> #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:31 <slyon> This is looking very good. *bpf* got promoted. *trace* is making nice progress, just pending some work on libtracefs
14:31 <slyon> #topic New MIRs
14:31 <slyon> Mission: ensure to assign all incoming reviews for fast processing
14:32 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:32 <cpaelzer> I managed to be free - hello (keep going slyon and thank you!)
14:32 <slyon> just bug #2060056 from dviererbe
14:32 <slyon> just-in-time cpaelzer :)
14:32 <slyon> I'd like to ask cpaelzer to check this ^ as I think you have the most context.
14:32 <cpaelzer> ack on bpf, I resolved that
14:32 <cpaelzer> trace-cmd ack on looking good but needing a bit
14:32 <slyon> It should be a quick "versioned package" upgrade, I assume. Correct, dviererbe?
14:33 <dviererbe> Yes
14:33 <cpaelzer> on dotnet8 I didn't feel there was much open other than asking "do we need a full process again"
14:33 <cpaelzer> reading ...
14:33 <cpaelzer> spoiler: the answer is no - not full again
14:33 <cpaelzer> Oh I see, that is the new bug
14:33 <sarnold> good morning
14:33 <cpaelzer> I can give this a review tomorrow morning, expect this to be 99% a yes
14:34 <dviererbe> Thanks! :)
14:34 <slyon> cool, thanks!
14:34 <slyon> assigned
14:34 <slyon> #topic Incomplete bugs / questions
14:34 <slyon> Mission: Identify required actions and spread the load among the teams
14:34 <slyon> #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:36 <cpaelzer> so many recent updates
14:36 <cpaelzer> should we go top to bottom?
14:36 <slyon> ok. bug #2004516
14:36 <cpaelzer> ok, that says escalate to have a chance
14:36 <cpaelzer> which I think is reasonable
14:37 <slyon> This is blocked on security-review. but it's too late. I think it's not high priority and not necessarily needed for 24.04. So probably no need for escalation. I'll double check with ravikant_
14:37 <slyon> bug #2051925
14:37 <cpaelzer> yes
14:37 <cpaelzer> and update the case either way
14:37 <slyon> will do
14:37 <cpaelzer> part of the bigger "perf tools for ubuntu by default" movement
14:38 <cpaelzer> "I'm working on this and mostly finishing the changes." sounds good
14:38 <slyon> right. that should be the last missing piece for trace-cmd
14:38 <cpaelzer> ok, wait for the final update
14:38 <slyon> bug #2004449
14:38 <slyon> cpaelzer: you were the original reviewer. This is part of the libgd2 -> libheif -> ... chain, which is moving closer to completion
14:38 <cpaelzer> same as libyuv - although I'd love to have that in next LTS
14:39 <slyon> Vladimir told me he did the work on this in Debian an it's sync'ed, can you double-check the requirements, cpaelzer ?
14:39 <cpaelzer> oh no, security has passed that already
14:39 <cpaelzer> yeah I can check against my requests from the review
14:39 <slyon> thanks
14:39 <sarnold> can this move forward if libyuv doesn't?
14:39 <slyon> no it can't
14:40 <slyon> well... it could probably, but doesn't make a lot of sense I think
14:40 <cpaelzer> well,  libde265 could - but there is no point for the final use case without the other
14:40 <adrien> for libtracefs, I think I'm only left waiting on test results (I think I triggered the tests too early and it didn't pick the version in the PPA sadly)
14:40 <slyon> exactly
14:41 <slyon> thanks adrien! please re-ping the MIR bug once it's ready
14:41 <slyon> bug #1977614
14:41 <adrien> sure
14:41 <slyon> tracking update from security team. Nothing to do for us
14:41 <cpaelzer> ack
14:41 <slyon> bug #2058192
14:41 <cpaelzer> not yet ready
14:42 <slyon> ack
14:42 <slyon> bug #2054480
14:43 <slyon> this is a case of "to re-review security" or "not to re-review security"
14:43 <cpaelzer> +1 vote on should-be-reviewed
14:43 <slyon> It would be useful, but we're past the point where we can make it happen for 24.04 I assume? I'll double-check with waveform to see how critical this is
14:43 <cpaelzer> or is this "needs to be in noble in main asap" panic (still review but later then)?
14:44 <slyon> I'll try to find out
14:44 <cpaelzer> and if you need it
14:44 <cpaelzer> go the "escalate with security" path
14:44 <waveform> slyon, it's one of the items on my roadmap but it's not going to "break the image" if it has to go red
14:44 <cpaelzer> See the update by Seth on the other bug
14:44 <cpaelzer> if you (and mclemenceau_) think we should have it
14:44 <cpaelzer> escalate it now
14:44 <cpaelzer> and we might
14:45 <cpaelzer> waveform: can this be "added to main later" ?
14:45 <cpaelzer> we have done component moves after the release, that isn't impossible
14:45 <cpaelzer> so could it be ready for 24.04.1 ?
14:45 <waveform> well, the idea of including it in the image was to enable netboot of the release image, so if we add it to main later it'll only really benefit .1 onwards
14:45 <cpaelzer> or is - after that is approved - a "major revamp how everything works" needed?
14:46 <cpaelzer> I'm mostly, is this a "safe addition" later or is this "to be used break the world" change
14:46 <cpaelzer> if it is the former, we can make it happen toward 24.04.1 and that should be our goal then IMHO
14:46 <waveform> oh, safe addition -- it's basically just enabling the initramfs to support nbd boot (assuming the necessary kernel param is present)
14:46 <cpaelzer> ok, how about that - not giving up on the item but timing it towards that?
14:46 <eslerm_> o/
14:46 <sarnold> given that this package had been in main itself, it's 'just'a binary package move, and I don't recall seeing it as a source of work, and that the attack surface is largely in the kernel, I think I'd encourage this to go to main in time for 24.04 release
14:47 <cpaelzer> update the bug in that case and security can review without panic-priority
14:47 <waveform> I'm fine with that (enabling for .1)
14:47 <adrien> I do have a question for libtracefs btw: I've addressed comments; does the MIR team still needs to be involved or could a regular review before upload do it? (sorry to come back late to this)
14:47 <cpaelzer> sarnold: sure, if you consider this a quick security review - let us make the change for 24.04
14:47 <cpaelzer> I'm sure waveform will be happy
14:47 <waveform> I would love it to go into 24.04 but if it has to be shunted, I'm okay with that too
14:47 <cpaelzer> how about this - sarnold spends 20 minutes, and gives a shallow security review based on this being in main in the past kind of alreay
14:48 <cpaelzer> if that outcome is good, get it into 24.04
14:48 <sarnold> wfm
14:48 <cpaelzer> if not, see former plan for 24.04.1
14:48 <cpaelzer> great
14:48 <waveform> sure
14:48 <slyon> very nice! thanks
14:48 <cpaelzer> waveform: sarnold: work together and make my Pi NBD boot!
14:48 <sarnold> :D
14:48 <waveform> o7
14:48 <slyon> I guess that's all for MIR updates. dbus-broker is stuck for now and needs some additional (upstream) work
14:49 <slyon> #topic Process/Documentation improvements
14:49 <slyon> Mission: Review pending process/documentation pull-requests or issues
14:49 <slyon> #link https://github.com/canonical/ubuntu-mir/pulls
14:49 <slyon> #link https://github.com/canonical/ubuntu-mir/issues
14:49 <slyon> no updates as of last week AFAICT
14:49 <slyon> #topic MIR related Security Review Queue
14:49 <slyon> Mission: Check on progress, do deadlines seem doable?
14:49 <slyon> Some clients can only work with one, some with the other escaping - the URLs point to the same place.
14:49 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:49 <slyon> #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:49 <slyon> Internal link
14:49 <slyon> #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:50 <cpaelzer> no more looks front-loaded which is good given the time we are in the cycle
14:50 <slyon> bug #2004516 was discussed above and should not get a sec-* tag for now
14:50 <cpaelzer> slyon: it should
14:51 <slyon> bug #2060035 is targeted for 24.04.1
14:51 <cpaelzer> just not an urgent one
14:51 <slyon> wfm
14:51 <cpaelzer> BTW - I know we all feel pressure atm, please all remember how bad this often was in the past, and be happy. Then take a breath and thank security for making it happen!
14:51 <sarnold> <3
14:51 <eslerm_> <3
14:51 <cpaelzer> thanks sarnold and eslerm_ - pass the thanks to all that helped please
14:51 <slyon> Yes.. we have enough fires in other places this cycle :)
14:51 * slyon looking at t64 & xz
14:51 <cpaelzer> oh so true slyon
14:51 <sarnold> yes
14:52 <slyon> sarnold: eslerm_: OK so can we get msgraph and libyuv imported in Jira?
14:52 <eslerm_> can do
14:52 <slyon> for non-urgent processing
14:53 <slyon> #topic Any other business?
14:53 <dviererbe> A follow up question to the dotnet6 MIR: Do I need to find an Archive Admin to do the promotion or will someone take care of this eventually before 24.04 GA?
14:53 <slyon> adrien: can you please repeat your question from above?
14:53 <slyon> dviererbe: AAs usually pick it up from the report, once the MIR status is "Fix Committed"
14:54 <slyon> and it is seeded/pulled as a dependency
14:54 <sarnold> dviererbe: the last comment from cpaelzer is "ready for you to change seeds" -- do know if this step has been done yet?
14:54 <cpaelzer> I do not see it in component mismatches
14:54 <slyon> neither do I
14:54 <dviererbe> No, I don't think so
14:55 <mirespace> o/ for the DMARC perl, do you need anything from me to decide about libmime-tools vs libemail-mime ?
14:55 <cpaelzer> Hi mirespace -  who are you asking in particular?
14:55 <cpaelzer> security, MIR in general, ... ?
14:55 <slyon> mirespace: did you see this update? https://github.com/rjbs/Email-MIME/issues/66#issuecomment-2024085120 (cc eslerm_)
14:55 <cpaelzer> there is so much context that sadly left my memory
14:55 <adrien> slyon: my question is whether the MIR team expects to have further MIR-specific comments for libtracefs or if any uploader/reviewer could check the open items effectively
14:56 <cpaelzer> dviererbe: for your case, do you know what is expected from you to change seeds for this?
14:56 <mirespace> _checking that link_
14:56 <dviererbe> cpaelzer: not really, I have never done this so far
14:56 <adrien> I've been addressing all the open comments and I'm almost done (it looks like something still isn't ready but it shouldn't take much longer)
14:56 <cpaelzer> dviererbe: and you can be bold, and do it for dotnet6 and dotnet8 (for noble) to make them supported (but do not pre-install them anywhere)
14:56 <slyon> adrien: you get the upload done and then a MIR team member needs to approve the bug report by changing to the relevant status
14:56 <cpaelzer> slyon: can you teach dviererbe or organize that someone else does?
14:57 <cpaelzer> foundations internal I mean
14:57 <slyon> sure dviererbe. I can help with that. please reach out to me on MM
14:57 <adrien> slyon: hmmm, right, the question is mostly moot indeed
14:57 <dviererbe> slyon: ack
14:57 <cpaelzer> adrien: once you think it is ready, update the case. And for urgency get in touch with me or slyon (to not wait for next Tue)
14:57 <mirespace> :O ... so the MIME DoS issue is not toatally resolved...
14:57 <adrien> cpaelzer: thanks
14:58 <mirespace> cpaelzer: I was worried that the debate between mime-tools and email-mime could make the MIR being stuck
14:59 <eslerm_> I would like to see rjbs/Email-MIME in 24.04, the upstream devs do great work at fastmail
14:59 <cpaelzer> I'm worried as well, but too far from it to have a good understanding atm
14:59 <slyon> mirespace: can you remind us of the LP bug number?
14:59 <slyon> it didn't show up in today's lists
14:59 <cpaelzer> also collision and I need to leave for the next meeting
14:59 <cpaelzer> slyon: it is an older incomplete somewhere
14:59 <mirespace> https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971
14:59 <slyon> cpaelzer: I have one question for you, regarding libgoa-* depdency
15:00 <slyon> cpaelzer: see https://bugs.launchpad.net/ubuntu/+source/msgraph/+bug/2060035 (you can reply on that bug later)
15:00 <slyon> Not sure what to do about the libgoa-* dependency or why we check for it during the MIR review. It's been there for historical reasons. But we need it in this case
15:01 <cpaelzer> eslerm_: to what extend it rjibs/Email-MIME and similar good wishes for the future but no blockers for now
15:01 <cpaelzer> after all time for 24.04 runs out and I understand mirespace getting concerned
15:01 <cpaelzer> mirespace:  what are the options we have there
15:01 <cpaelzer> is it:
15:01 <eslerm_> libmail-dmarc-perl does have an ack, the open issue needs to be solved, but *might* not be a blocker (Seth?)
15:02 <cpaelzer> I fail to summarize it :-/
15:02 <mclemenceau_> thanks cpaelzer sarnold, I'm ok with the plan w.r.t netboot with a preference for addition in 24.04 :)
15:02 <eslerm_> I don't mind contacting upstream and asking if they can make a plan
15:02 <mirespace> use the change we did to use libmime-tools-perl, diverging from upstream
15:02 <cpaelzer> ok, consider ^^ option (a)
15:03 <cpaelzer> what is option (b)
15:03 <cpaelzer> slyon: for libgoa - it can be a build dependency, just not a runtime dependency (and not part of the final code, no static linking tricks)
15:03 <mirespace> if (a) is libemail-mime contacting upstream, option (b)is  use libmime-tools, diverging upstream
15:04 <slyon> cpaelzer: ACK. thanks I'll update the case
15:04 <cpaelzer> slyon: but if it is used at build to get stuff done (like test tools, binary mangling helpers, ...) then it does not need to be in main
15:04 <sarnold> (or 'it's not a library it's just a .h file tricks :)
15:04 <cpaelzer> slyon: >Trusty, before it had to be
15:04 <cpaelzer> sarnold: yes, that I count as "static code active in the final binary" which would need to be in main
15:05 <cpaelzer> sarnold: just as much as any other similar trick
15:05 <cpaelzer> back to mime
15:05 <cpaelzer> eslerm_: mirespace: what is the way forward
15:05 <cpaelzer> eslerm_: you said the open issue might (tm) not be a blocker
15:05 <slyon> libgoa being gnome-online-accounts, right? I.e. https://packages.ubuntu.com/noble/libgoa-1.0-0b
15:05 <cpaelzer> just an important "we want to work thazt out in the long run"
15:06 <cpaelzer> if it is really that, can we go on with the promotion of that stack then?
15:06 <cpaelzer> as-is I mean
15:06 <mirespace> the promotion form my PPA uses libmime-tools by the moment
15:06 <eslerm_> since these are ack'd I am okay with pushing through if Seth agrees. If so, I can contact upstream and try to settle issues.
15:06 <mirespace> because emailñ-mime introduced duplicity
15:07 <cpaelzer> sounds like a good plan compromise, unblock now, do not give up on making it better
15:07 <cpaelzer> and thanks for the offer to contact upstream
15:07 <sarnold> I'm a bit worried that comment #27 on https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971 suggests that there's even MORE packages to MIR in order to "just ship what debian ships"
15:07 <eslerm_> (I'll message upstream today)
15:07 <sarnold> but I have to admit that this is a twisty maze of package names that all collide into one single mental hashbucket and I've long ago lost the plot
15:07 <cpaelzer> sarnold: well, we can slowly sort that out one by one >24.04
15:08 <cpaelzer> the question is can we take the current approved set for 24.04 and resolve it here?
15:09 <cpaelzer> if yes, then I'd ask mirespace to work with bryce to prepare the seed/dependency changes and prepare a session telling me what would need to be promoted and why. I could check one by one - if all good mass promotion
15:09 <cpaelzer> mirespace: will work on several follow up items anyway, like the elliptic curve lib wrapper and such
15:10 <mirespace> for me it's ok
15:11 <slyon> +1
15:12 <cpaelzer> so to summarize, eslerm_ contacts upstreams for a better path forward. mirespace will prep and lay out what we have ready and can land for 24.04
15:12 <cpaelzer> short: get what we have to noble, mid term make it better
15:12 <eslerm_> I can do that :)
15:13 <mirespace> sounds like a plan :)
15:13 <cpaelzer> mirespace: can you work with bryce to get all in line (probably some blocks by the beta freeze) and then get in touch
15:13 <cpaelzer> it is work, but better than the unclear state before
15:13 <cpaelzer> ok, we are way over time
15:13 <mirespace> yes, I do.. thank you all for unblocking this
15:13 <cpaelzer> slyon: time to get to the end :-) ?
15:13 <sarnold> i'm probably not going to come to a good udnerstanding of the whole problem space and the options quickly .. so here's a few of my general thoughts: (a) I'd prefer to not diverge from debian and the upstreams if we can (b) i'm fine with shipping mirespace's "lets change packages to meet our existing main requirements" but I'm not wedded to it (c) I'm not too worried about a 1 meg --> 2 gigs of ram
15:13 <sarnold> DOS, that'd probably be tolerable enough to fix post-release if upstream doesn't get to it sooner
15:14 <sarnold> (doesn't every mail server have 100 gigs ram? :)
15:14 <cpaelzer> almost
15:14 <slyon> thanks for the summary!
15:14 <cpaelzer> or 640k
15:14 <sarnold> :D
15:14 <slyon> do we have anything else?
15:14 <slyon> #endmeeting