14:33 #startmeeting Weekly Main Inclusion Requests status
14:33 Meeting started at 14:33:29 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology
14:33 Available commands: action, commands, idea, info, link, nick
14:34 Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( eslerm dviererbe )
14:34 #topic current component mismatches
14:34 Mission: Identify required actions and spread the load among the teams
14:34 #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg
14:34 #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg
14:34 welcome to a new cycle, all the sprinting and stuff made me be late
14:34 I hope you handled all that is caused by syncs last week :-P
14:35 ok
14:35 no MIR bugs, so we need to bring them up
14:35 first: abseil -> googletest
14:35 abseil = desktop
14:35 It's a recommends, so should probably be dropped to suggests..
14:35 jbicha: didrocks: ^^ would you have a look there?
14:36 https://launchpad.net/ubuntu/+source/abseil/20230802.1-4
14:36 the diff only speaks about build depends
14:36 and it is probably a test dependency
14:36 next
14:37 python-pint -> requirejs and pydata-sphinx-theme
14:37 reads like documentation
14:37 jamespage: that is openstack
14:37 jamespage: could one of you have a look?
14:37 https://launchpad.net/ubuntu/+source/python-pint/0.23-1
14:38 yep
14:38 it is the doc package
14:38 https://launchpad.net/ubuntu/lunar/amd64/python-pint-doc/0.19.2-1
14:38 vs
14:38 https://launchpad.net/ubuntu/oracular/amd64/python-pint-doc/0.23-1
14:39 just an exclude rule would be enough
14:39 there is no strict reason for the doc package to be in main
14:39 next
14:39 python-inflect -> python-typeguard
14:39 jamespage: also openstack
14:40 but here it is a new real dependency
14:40 https://launchpad.net/ubuntu/oracular/amd64/python3-inflect/7.2.1-1
14:40 last but not least
14:40 python-arrow -> typeshed
14:40 and another one for openstack jamespage
14:40 I feel you just synced them all :-)
14:41 changed from https://launchpad.net/ubuntu/oracular/amd64/python3-arrow/1.2.3-1 to https://launchpad.net/ubuntu/oracular/amd64/python3-arrow/1.3.0-1
14:41 python3-typing-extensions -> python3-typeshed
14:41 ok, component mismatches done
14:42 jamespage: will wake up to a lot of pings ... :-/
14:42 #topic New MIRs
14:42 Mission: ensure to assign all incoming reviews for fast processing
14:42 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir
14:42 two for us
14:42 https://bugs.launchpad.net/ubuntu/+source/malcontent/+bug/1892456
14:42 had a MIR and security review in the past
14:43 but the package changed a lot since
14:43 so the ask is for a re-review
14:43 I can take one
14:43 next
14:43 https://bugs.launchpad.net/ubuntu/+source/provd/+bug/2067373
14:43 I can take one for next week, too
14:44 thanks, assigned
14:44 #topic Incomplete bugs / questions
14:44 Mission: Identify required actions and spread the load among the teams
14:44 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir
14:44 sysprof is still with jbicha for now
14:44 the others are pre sprint AFAICS
14:45 #topic Process/Documentation improvements
14:45 Mission: Review pending process/documentation pull-requests or issues
14:45 #link https://github.com/canonical/ubuntu-mir/pulls
14:45 #link https://github.com/canonical/ubuntu-mir/issues
14:45 some older ones that are stuck
14:45 we might mark them as that .. hmm
14:46 we need wording for https://github.com/canonical/ubuntu-mir/issues/51
14:46 eslerm: do you think you could provide a PR that wraps the consensus mentioned by slyon into words
14:46 I can
14:46 thanks in advance
14:47 https://github.com/canonical/ubuntu-mir/issues/55
14:47 has tackled the obvious things
14:47 the rest is "looking for volunteers" to tackle more
14:47 speak up if anyone wants to ... :-)
14:48 possibly, we could add that an owning team's director needs to request late MIRs
14:48 we had a last second libyuv request, which ended up not being needed after ack'd
14:49 there's a few cases to care for -- one with the "the team didn't plan" and then the "oh upstream or debian has walked away from package foo because they're switching to package bar"
14:49 i think our "you get to talk to the director of security engineering" is a decent speedbump to discourage the first one, but I wish we could come up with some clever ideas to spot the overlooked packages
14:50 I'm happy with adding "bring high level for late requests"
14:50 bring wording in a PR for that for discussion please
14:50 for the other case let us brainstorm for 3 minutes ...
14:51 It plays into the "re-evaluate things in main" TBH
14:51 which we asked for but got denied for resourcing
14:51 that's not what I mean with #22
14:51 storm idea one, look for new Replaces: or maybe dropped Depends: from other packages?
14:52 it is for cases where there is ack for the MIR, but then owning team goes idle for a long period of time (say 2 years)
14:52 I am okay dropping issue though
14:52 storm idea two, look for new packages with small Levenshtein distances from packages already in main
14:52 sarnold: I think we usually get signal by bugs, the cases I see crashing as where responsibility and ownership is unclear.
14:52 sarnold: which does not mean I'd not like a scanner that provides extra signal
14:53 eslerm: now I got you - like "what is the consequence if they make us busy and then walk away" ?
14:53 eslerm: I'm not sure, but things change - so that can not always be prevented IMHO.
14:54 eslerm: not sure if defining negative consequences would help, or did you have something completely different in mind?
14:54 mostly, this occurred and then a package was added to main, and I believe it should have had a quick re-review first
14:54 it's not about negative consequences for us doing the work, just that more work is needed if a review has gone "stale"
14:55 so adding something like a timeout on an ACK?
14:55 yes, I proposed 2 years
14:56 sounds reasonable to me.
14:56 I'm +1 on timeout on an Ack
14:56 cpaelzer: that would be like our re-review idea, but only for things that didn't make it into "main" yet.
14:57 While we do not get a re-review, if it didn't make it into main it is fine to time out
14:57 slyon: exactly
14:57 anyone willing to provide a wording PR for that?
14:57 I can propose a PR
14:57 thank you
14:57 uh, time flies
14:57 let us go on ...
14:57 #topic MIR related Security Review Queue
14:57 Mission: Check on progress, do deadlines seem doable?
14:57 Some clients can only work with one, some with the other escaping - the URLs point to the same place.
14:57 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:57 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir
14:57 Internal link
14:57 - ensure your team's items are prioritized among each other as you'd expect
14:57 - ensure community requests do not get stomped by teams calling for favors too much
14:57 #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594
14:58 I am stepping down from helping manage MIRs for Security
14:58 my focus has changed to help coordinate CVEs
14:58 I've really enjoyed working on MIRs with all of you 🙏
14:58 we have the back to the future simplestreams reviews
14:58 (I'll of course follow up on GH PRs)
14:58 oh no, we have upset eslerm with our back and forth
14:58 eslerm: please know that you will always be welcome to contribute and discuss
14:58 :( Thanks a lot for your awesome work as part of the MIR process!
14:59 sarnold: does that mean it is back to just you, or will you train another security-buddy?
14:59 eslerm: and thanks for your many great contributions
14:59 cpaelzer: that hasn't been discussed yet, I'm hoping for another buddy, but it will be a real challenge to step into eslerm's shoes
14:59 fair
14:59 ok, the queue looks good
14:59 #topic Any other business?
14:59 see above :-)
14:59 nothing else from me
15:00 I fixed python-pint quickly https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/ubuntu/commit/?id=f9ce523d40c3ec774fc67eac1c0db5e85fc9f186 (cc jamespage)
15:00 nothing from me
15:00 I've really enjoyed these meetings :,)
15:00 nothing else :)
15:00 eslerm: you will still do reviews, just not coordinate - right?
15:00 slyon: nice :)
15:00 I will do some reviews, but possibly not many this cycle
15:00 slyon: still needs a demotion I guess
15:00 ok, thanks eslerm
15:00 sorry for the rush, but I need to jump
15:01 happy hopping :)
15:01 see you next week
15:01 #endmeeting