15:31 #startmeeting Weekly Main Inclusion Requests status 15:31 Meeting started at 15:31:15 UTC. The chair is cpaelzer. Information about MeetBot at https://wiki.ubuntu.com/meetingology 15:31 Available commands: action, commands, idea, info, link, nick 15:31 Ping for MIR meeting - didrocks joalif slyon sarnold cpaelzer jamespage ( dviererbe ) 15:31 #topic current component mismatches 15:31 o/ 15:31 Mission: Identify required actions and spread the load among the teams 15:31 #link https://people.canonical.com/~ubuntu-archive/component-mismatches-proposed.svg 15:31 #link https://people.canonical.com/~ubuntu-archive/component-mismatches.svg 15:31 good morning 15:31 in the normal mismatches we see a bunch of ruby 15:31 renanrodrigo is here today, we will discuss this in AOB 15:31 o/ 15:31 it's still on my todo to drop the fonts-inter dependency 15:32 o/ 15:32 then we have the x1e settings which is https://bugs.launchpad.net/ubuntu/+source/ubuntu-x1e-settings/+bug/2095536 15:32 ready to promote 15:32 I'll queue this for tomorrow morning 15:32 x1e-settings: Yes, at least the version in -proposed 15:32 proposed mismatches are not so different 15:32 going on 15:33 #topic New MIRs 15:33 Mission: ensure to assign all incoming reviews for fast processing 15:33 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&assignee_option=none&field.assignee=&field.subscriber=ubuntu-mir 15:33 OK, feature freeze frenzy it seems 15:33 let us start at the top - papers 15:33 is this more than usual? heh 15:33 curl vs nghttp3 is new IIRC? dviererbe can you carry that to Foundations? 15:33 yes 15:33 https://bugs.launchpad.net/ubuntu/+source/papers/+bug/2097727 15:33 sure :) 15:34 this is towards coming releases 15:34 so if in doubt we might skip that for other cases today AFAICS 15:34 https://bugs.launchpad.net/ubuntu/+source/ruby-sinatra/+bug/2095497 15:34 at review last week, we decided that Papers is actually a 25.04 goal. It is a fork of evince, to replace evince 15:34 dviererbe: maybe create a placeholder bug: https://launchpad.net/ubuntu/+source/nghttp3/+filebug?field.title=%5BMIR%5D+nghttp3&field.status=Incomplete&field.tags=plucky (& subscribe ~ubuntu-mir) 15:34 that is one example of what renanrodrigo will bring to AOB 15:34 slyon: ack 15:34 oh, thanks jbicha 15:34 i was going by the text 15:34 - The package papers is required in Ubuntu main no later than August 2025 due to Ubuntu 25.10 Feature Freeze and a desire to make this swap before Ubuntu 26.04 LTS 15:35 sorry I just updated the text now 15:35 thanks 15:35 ok so this one looks for a reviewer 15:35 I'm out as reviewer for many others, so I'm gonna take this one 15:35 out because I'm opart of the team driving them 15:35 ack 15:36 next we have https://bugs.launchpad.net/ubuntu/+bug/2072561 15:36 which is almost a new qeue review and MIR at once 15:36 which is fine, we recommended them to get it in shape before uploading - because then SRU rules do not apply 15:36 but since I was so involved in guiding them I consider myself a bad reviewer 15:36 yeah, it's special, because not yet in universe... I could take it, not sure about the NEW review part, though. 15:36 at the core it is a rust based packcage that wants to be in main in all releases 15:37 thanks slyon 15:37 you do not have to do literal NEW queue slyon 15:37 okay 15:37 just any packaging issue you spot, you might report as well to help them 15:37 libsass-python is not new, actually I'll post the review within the hour 15:37 thanks joalif 15:38 let me assign you on the case for correctness 15:38 did it 15:38 which leaves two more 15:38 https://bugs.launchpad.net/ubuntu/+source/python-observabilityclient/+bug/2095359 which seems to be a normal python dep for openstack 15:39 joalif: could this be your next one? 15:39 I can but "is required in Ubuntu main no later than Feb 20" is that even doable ? 15:39 if the outcome is no-security review needed - possibly 15:40 ok, I'll take it 15:40 I've done MIR reviews hours before the FeatureFreeze deadline in the past :P 15:40 These python libs often are quite straight forward and sometimes go that path 15:40 but I'm not pre-determiniing the outcome of your judgement 15:40 from our docs: > For a MIR to be considered for a release, it must be assigned to the Security team (by the MIR team) before Beta Freeze. This does not guarantee that a security review can be completed by Final Release. Ask the director of Security for exceptions. 15:40 just saying what is likely needed to make Feb 20th 15:40 yep sarnold 15:40 it can be promoted after FF 15:40 libsass it's gonna have a problem but I'll elaborate later 15:41 I think jamespage wanted to be extra correct and prep it even before FF 15:41 last is https://bugs.launchpad.net/ubuntu/+source/libimobiledevice-glue/+bug/2074086 15:41 but that got checked 15:41 security has done ... 15:41 ack 15:41 what did we demand ... 15:41 no required TODOs 15:41 sarnold had comments with this one 15:42 indeed on august 2024 15:42 sarnold: are you ok with the ack Frederico has given? 15:43 cpaelzer: I really don't know what we ought to do with the embedded crypto :( on the one hand, probably this isn't unique 15:43 it isn't :-/ 15:43 I remember tomcrypt in some places 15:43 it's just so easy to embed, heh 15:44 I think it is ok, but call to the honor of seb128 to stick to " .... goal to work over the next cycles to try to improve things" 15:44 because it is also easy to keep things as-is 15:44 I know, I'm guilty of it myself sometimes :-/ 15:44 heh, me too. so much. 15:45 ok, so we are giving it an ok then 15:45 updating the case 15:45 updated the case 15:46 let us hurry, AFAICS two bigger topics in AOB 15:46 #topic Incomplete bugs / questions 15:46 Mission: Identify required actions and spread the load among the teams 15:46 #link https://bugs.launchpad.net/ubuntu/?field.searchtext=&orderby=-date_last_updated&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.subscriber=ubuntu-mir 15:46 1 stub https://bugs.launchpad.net/ubuntu/+source/nghttp3/+bug/2098769 15:46 as discussed above 15:46 https://bugs.launchpad.net/ubuntu/+source/automake-1.17/+bug/2098750 15:47 is one of the "let us try to be better" 15:47 it needs a review but each of us got one already 15:47 It is waiting for the foundations team to opt in and file the paperwork anyway 15:47 yes, dviererbe FYI ^ tagged rls-pp-incoming for foundations 15:47 it's probably our first case of a "regular" re-review 15:47 I'd drop the mir approval team until it is ready 15:47 slyon: I did so too 15:47 so it can come back fresh when we need to look 15:47 wfm 15:48 what is the last state on https://bugs.launchpad.net/ubuntu/+source/rust-gst-plugin-gtk4/+bug/2097804 15:48 there are a few TODOs for jbicha ^ 15:48 reviewed and back from slyon to jbicha 15:48 ok 15:48 no action right now then 15:48 #topic Process/Documentation improvements 15:48 Mission: Review pending process/documentation pull-requests or issues 15:49 #link https://github.com/canonical/ubuntu-mir/pulls 15:49 mostly looking good (no sec-review), still lacking the Rust vendoring story, which first needs to be implemented in the packaging 15:49 #link https://github.com/canonical/ubuntu-mir/issues 15:49 ack @slyon 15:49 heh, when the review looks like a stacktrace.. 15:49 nothing new here in the PRs/Issues 15:49 jbicha: give me a ping once rust-gst-plugin-gtk4 is ready from the packaging side 15:49 #topic MIR related Security Review Queue 15:49 Mission: Check on progress, do deadlines seem doable? 15:49 Some clients can only work with one, some with the other escaping - the URLs point to the same place. 15:49 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=%5BMIR%5D&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 15:49 #link https://bugs.launchpad.net/~ubuntu-security/+bugs?field.searchtext=[MIR]&assignee_option=choose&field.assignee=ubuntu-security&field.bug_reporter=&field.bug_commenter=&field.subscriber=ubuntu-mir 15:49 Internal link 15:49 - ensure your teams items are prioritized among each other as you'd expect 15:49 - ensure community requests do not get stomped by teams calling for favors too much 15:49 #link https://warthogs.atlassian.net/jira/software/c/projects/SEC/boards/594 15:49 ok sarnold, we've seen a sec review complete 15:49 how are the others going 15:49 sarnold: :P that's a "nm" symobls dump 15:49 I see jpeg-xl which I think is for plucky as well right? 15:50 slyon: ah yes :) 15:50 fede has been quite busy with MIRs :D 15:50 oh yeah 15:51 giampaolo also took care of jemalloc, which worried me due to its age, but it sounded pretty solid 15:51 I haven't talked with sudhakar lately, sorry, not sure onjpeg-xl :( 15:51 slyon: thanks, yes I'll let you know once I've got the gst plugin working better 15:51 .. same with noam and glycin :( 15:52 yeah, seen and appreciate jmalloc - thanks 15:52 and provd I think we had some concerns that itwasn't necessary for this cycle. I can't actually recall how those conversations went, though. hmm. 15:52 glycin is a dependency for the loupe app which we'll want for 25.10 15:52 I didn't have that on extra-urgent either 15:52 (it lives in a repo with a few other things, and something about all the recent work is on the other things in that repo..?) 15:52 but the image supprt stacks I think were meant to be in now 15:53 hence my question on jpeg-xl 15:53 If you could friendly-poke sudhakar? 15:53 will do 15:53 thanks 15:53 going into AOB 15:53 #topic Any other business? 15:53 I know of the ruby things with Renan 15:53 libsass 15:53 and it sounded libsass from joalif 15:53 ruby is simple, but I want a group ack 15:53 so let me raise this first 15:54 the TL;DR (poke renanrodrigo if you need details) is this 15:54 used to be part of the core ruby codebase and was in main 15:54 the code moved to individually packaged elements 15:54 and evolved there 15:54 so it is one of the common "fast paths" of "it was in main already, just now from a new source" 15:55 If you are ok, I'd fast process them when renan has done the paperwork, but I wanted to raise it for a team ack to not appear as preferring our own cases 15:55 opinions? 15:55 FWIW base64, as well as other gems (in the bug description) were converted from default to bundled gems in libruby; more MIR requests will come for those others as they appear in component-mismatches 15:55 sounds like we could apply the deferred re-review rule, to do opt-in MIRs after you fast-path processed them 15:55 (whenever there's capacity left) 15:56 yeah, we can keep the requests in that state 15:56 and pick up in weeks we are not all getting so many already 15:56 exactly 15:56 any objections? 15:56 +1 from me 15:56 nope 15:56 thanks 15:56 nope as in no objections, +1 15:56 I'd ask joalif to outline the problem with libsass please 15:57 yeah, I think the ruby fast-track with intended re-reviews makes sense 15:57 on my focal machine .. $ apt-file search base64.rb | wc -l 15:57 9 15:57 so tldr MIR ack with todos, assigned to james page it needs a sec-review , and before FF 15:57 oh 15:57 so the problem is timing 15:57 yes 15:57 TODOs + security 15:57 I think that is OK 15:57 for sec-team and openstack team 15:58 it isn't needed to upload the change to plucky proposed 15:58 the approval is "only" needed to migrate 15:58 jamespage: do you think that timing (upload now, migrate later) will work for you? 15:58 https://discourse.ubuntu.com/t/plucky-puffin-release-schedule/36461 15:58 only if the security review fails or the TODOs are not done - then it breaks and needs to be unrolled 15:59 beta freeze is march 24 (a monday, go figure :) 15:59 oh... does the nghttp3 vs. curl MIR issue paperwork need to be done before FF? 16:00 OK, let me summarize again 16:00 the chagne to land things in propsoed needs to be done by FF 16:00 dviererbe: it's already in -proposed, so no. But should the MIR fail, you need to somehow drop the new dependency (or get a FFe) 16:00 slyon: ack 16:00 The reviews and subsequent tasks need to be done in time towards beta 16:00 the later you get the less likely will it work out 16:01 ok 16:01 ok, so we are on time 16:01 and kind of through a lot of topics 16:01 thank you all in MIR and security for the ongoing efforts to keep quaklity up! 16:01 closing for today 16:01 let me give you some numbers as usual 16:02 5522 16:02 (head punching my num block) 16:02 bye 16:02 o/ 16:02 thanks cpaelzer, all :) 16:02 #endmeeting