Meeting
Who: SecurityTeam
End: 17:00 UTC
Where: #ubuntu-meeting on irc.freenode.net
Chaired By: JamieStrandboge (jdstrand)
Attendance
- jdstrand
- mdeslaur
- sbeattie
- tyhicks
- jjohansen
- sarnold
Not present
- chrisccoulson
Agenda
- Announcements
Thanks to Stefan Bader (smb), who provided updates for precise-saucy for xen. Your work is very much appreciated and will keep Ubuntu users secure. Great job!
- Actions
- [ACTION] chrisccoulson to benchmark oxide and qtwebkit
- benchmarks: DONE
- mailing list: TODO
- [ACTION] chrisccoulson to benchmark oxide and qtwebkit
- Weekly stand-up report (each member discusses any pending and planned future work for the week)
- jdstrand
- weekly role: happy place
- pending updates
- infographic and scopes reviews
- miscellaneous catch up
- mdeslaur
- weekly role: triage
- ca-certificates updates
- pending updates
- sbeattie
- AppArmor
- help integrate python tools
- ipc testing
- help sarnold with apparmor upload
- tyhicks
- kernel keyring investigation
- finish up dbus-daemon patches (i.e., v2 based on upstream comments)
- ppc testsuite failures
- jjohansen
- AppArmor
- test ipc kernels; if they pass, upload to PPA
- revising around namespaces, especially a bug that breaks non-ns x transitions
- couple of other bugs and testing to work out
- apparmor 2.9 coordination
- sarnold
- upload AppArmor 2.8.95 to Ubuntu
- back to MIRs
- chrisccoulson
- jdstrand
- Highlighted packages
The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details, and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. The highlighted packages for this week are:
The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See the available merges and SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see SecurityTeam/GettingInvolved.
- Miscellaneous and Questions
Log
Meeting bot unavailable at time of meeting.
Log listed here:
12:00 < jdstrand> #startmeeting
12:00 < jdstrand> seems we don't have our bot
12:00 < jdstrand> The meeting agenda can be found at:
12:00 < jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
12:00 < jdstrand> [TOPIC] Announcements
12:01 < jdstrand> Thanks to Stefan Bader (smb), who provided updates for precise-saucy for xen. Your work is very much appreciated and will keep Ubuntu users secure. Great job! :)
12:01 -!- howefield [~howefield@pdpc/supporter/active/howefield] has quit [Write error: Broken pipe]
12:01 < mdeslaur> smb rocks \m/ \m/
12:01 < jdstrand> [TOPIC] Review of any previous action items
12:01 < jdstrand> [ACTION] chrisccoulson to benchmark oxide and qtwebkit
12:01 < jdstrand> I know the benchmarks are done
12:02 < jdstrand> I didn't see the email, but could have missed it
12:03 < jdstrand> I think chrisccoulson may have stepped away since this is well past the scheduled time of the meeting, so I'll just add a new action
12:03 < jdstrand> [ACTION] chrisccoulson to send benchmarks email to list
12:03 < jdstrand> [TOPIC] Weekly stand-up report
12:03 < jdstrand> I'll go first
12:03 < jdstrand> I'm in the happy place this week
12:03 < jdstrand> I've got quite a few updates assigned to me that I'll be working on
12:03 -!- toddy [~torsten@ubuntu/member/toddyhb] has quit [Excess Flood]
12:04 < jdstrand> and I've gotten a lot of miscellaneous stuff piled up to catch up on judging by my inbox
12:05 -!- toddy [~torsten@ubuntu/member/toddyhb] has joined #ubuntu-meeting
12:05 < jdstrand> two of those is updating the infographic confinement spec (it is changing again)
12:05 < jdstrand> and updating the scopes spec and following up with the scopes team
12:05 < jdstrand> mdeslaur: you're up
12:05 < mdeslaur> I'm on triage this week
12:06 < mdeslaur> I have some ca-certificates updates that I need to double-check, and then I'll get them copied to -proposed for a couple of weeks
12:06 < mdeslaur> after that, I'm working on the CVE list which has gotten bigger since last week
12:06 < mdeslaur> I may also poke at debcompare some more...it's pretty good now
12:07 < mdeslaur> oh, btw, I've converted uvt to python3, so if it breaks, let me know
12:07 -!- pcwhite [~PaulW2U@pdpc/supporter/active/paulw2u] has joined #ubuntu-meeting
12:07 < mdeslaur> that's it from me
12:07 < mdeslaur> sbeattie: you're up
12:07 < sbeattie> I'm on apparmor again this week.
12:08 < sbeattie> I'm working on a bit of fallout from landing the python tools to help sarnold with landing the updated package in ubuntu
12:09 < sbeattie> As well as the usual kernel testing bits for jjohansen's work
12:09 < sbeattie> I also need to update the apparmor daily recipe ppa, as it's failing due to the python stuff landing upstream
12:10 < sbeattie> I think that's it from me.
12:10 < sbeattie> tyhicks: you're up
12:10 < tyhicks> I'm currently looking into some kernel keyring oddities in Trusty
12:11 < tyhicks> it was noticed after the ecryptfs test suite started failing
12:11 -!- pcwhite is now known as PaulW2U
12:11 < mdeslaur> hrm
12:11 < tyhicks> I've got a workaround in the test suite but now I'm working with dhowells (kernel keyring upstream) to figure out what is going on
12:12 < tyhicks> after that, I'll go back to getting a v2 of the dbus-daemon patches attached to the upstream AA mediation bug
12:12 < tyhicks> I'm almost done with addressing all of Simon's feedback
12:12 < tyhicks> there's a lot of changes, but I've been testing as I go so there's not too much left
12:13 < jdstrand> tyhicks: I didn't follow along last week. I saw that the kdbus guys were like "it's fine for you to propose this for dbus-daemon, but it ain't gonna work for us", but didn't see dbus-daemon's comments
12:13 < tyhicks> if I can get all of that done, I want to circle back around and make sure we've got all of our kernel test failures on ppc straightened out
12:13 < jdstrand> tyhicks: so dbus-daemon upstream is generally ok with it? just need some touchups?
12:13 < tyhicks> jdstrand: yes, they seem to be ok with it
12:13 < tyhicks> jdstrand: all of the comments are in the bug
12:14 < jdstrand> ok
12:14 < jdstrand> tyhicks: re kdbus-- we still are going to propose our small patch, correct?
12:14 < mdeslaur> should we?
12:14 < tyhicks> jdstrand: it is something that we need to discuss - they are still very opposed to it
12:14 < jdstrand> right, so let's not discuss that here
12:15 < tyhicks> that's it for me
12:15 < jdstrand> we can take it to #ubuntu-hardened after the meeting
12:15 * tyhicks nods
12:15 < tyhicks> jjohansen: you're up
12:16 < jjohansen> so I'm working on apparmor this week, I've got another round of test kernels building atm, and if it passes basic testing I will shove it up to the ppa
12:17 -!- noy [~Noy@wesnoth/developer/noy] has quit [Quit: noy]
12:17 < jjohansen> I've got revising to do around namespaces, especially a bug that breaks non-ns x transitions
12:18 -!- genii [~quassel@ubuntu/member/genii] has joined #ubuntu-meeting
12:20 < jjohansen> and a couple of other bugs and testing to work out. We have a new method for detecting which kernel userspace combination we are in, so that we can drop the config patch for backports. Which was breaking containers, ...
12:20 < jjohansen> there is some coordination around apparmor 2.9 that will happen today in the upstream meeting
12:20 < jjohansen> I think thats it sarnold your u
12:20 < jjohansen> s/u/up
12:21 < sarnold> I'm on community this week
12:22 < sarnold> I have some new apparmor packages for trusty that use a trunk snapshot that we're calling 2.8.95, since it's not quite ready to be called a 2.9, and as a result of the snapshot and testing I've got a teeny patch for apparmor to update the libapparmor1 version number to libapparmor2 in an auto*something file
12:22 < sarnold> the new trusty packages are a mixed bag; on the one hand, the large accumulated patch set is now significantly smaller and we've dropped the old perl tools which none of us felt capable of supporting for five years
12:22 < sarnold> on the other hand, the new python tools are still a bit thin and need more testing.
12:23 < sarnold> i don't know how much we want to improve the python tools before proposing the new apparmor for landing
12:23 < sarnold> but it feels like we need at least aa-disable to work correctly before asking for a landing
12:24 < sbeattie> sarnold: I have a couple of small patches that make aa-disable work without aborting because of not understanding dbus rules
12:24 < jdstrand> we should have aa-enforce too then
12:24 < jdstrand> I assume
12:25 < sarnold> I've also got a large stack of MIRs, some fairly important packages that many people are waiting on (nginx, juju, etc.) -- that alone could fill the week.. so here's hoping the release team won't mind me blocking progress too much..
12:25 < jdstrand> do I understand correctly that we are only blocked on the python tools?
12:25 < sarnold> sbeattie: Yay! :D thanks!
12:25 < sarnold> jdstrand: moment, let me go re-find that email..
12:26 < sarnold> jdstrand: there's a handful of other qrt test failures not related to the python tools that also need investigation
12:26 -!- dholbach [~daniel@ubuntu/member/dholbach] has quit [Quit: Ex-Chat]
12:26 < sarnold> jdstrand: it could be that some (most?) are due to a kernel that hasn't yet picked up all the apparmor patches, I think I heard jjohansen mention that last week
12:27 < jdstrand> ok, we need to get all that sorted so we can get this uploaded
12:27 * jdstrand stating the obvious
12:27 < sbeattie> sarnold, jdstrand: I'll take a look at the QRT failures.
12:27 < sarnold> yeah, I'm looking forward to retrying with sbeattie's latest fixes, that'll hopefully be half of QRT.. :)
12:28 < jdstrand> thanks-- I'd help there, but have a lot of updates I need to get to
12:28 < sarnold> heh, yeah, I recall triage last week...
12:28 < sarnold> what a week
12:28 < jjohansen> sarnold: ? the kernel shouldn't really have anything to do with the userspace failures. It needs to support old and new kernels
12:29 < sarnold> I think that's me done, chrisccoulson if you're around you're up :)
12:29 < jdstrand> if it was only the new stuff from last week...
12:29 < sarnold> jjohansen: ah, ok. darn.
12:31 < jdstrand> ok, I think chrisccoulson is away (which is fine)
12:31 < jdstrand> [TOPIC] Highlighted packages
12:31 < jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
12:31 < jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
12:31 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/turba2.html
12:31 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/proftpd-dfsg.html
12:31 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/sleuthkit.html
12:31 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/ganglia-web.html
12:31 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/dhcpcd.html
12:31 < jdstrand> [TOPIC] Miscellaneous and Questions
12:33 < jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks!
12:33 < jdstrand> #endmeeting