20140623

Meeting

Attendance

  • jdstrand
  • mdeslaur
  • sbeattie
  • tyhicks
  • jjohansen
  • sarnold
  • chrisccoulson

Not present

  • None

Agenda

  • Announcements
    • Rohan Garg (rohangarg) provided debdiffs for saucy and trusty for kde4libs (LP: #1332064). Your work is very much appreciated and will keep Ubuntu users secure. Great job!
  • Weekly stand-up report (each member discusses any pending and planned future work for the week)
    • jdstrand
      • off next week
      • weekly role: triage
      • ofono profiles
      • AppArmor landing with mdeslaur

      • pending updates
      • work items for June
    • mdeslaur
      • short week
      • weekly role: community
      • pending updates
      • apparmor upload for utopic
      • wiki page on click store package signing
    • sbeattie
      • still working on PIE by default for gcc/amd64
      • mod_apparmor
    • tyhicks
      • rtm work items
        • kernel pull request for touch kernel config changes should be done soon
        • update QRT for the above
    • jjohansen
      • kernel pull request for signal/ptrace
      • apparmor extended mediation of unix sockets
    • sarnold
      • sponsored updates
      • qrt test-django script
      • AppArmor patch reviews

    • chrisccoulson
  • Highlighted packages

    The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. The highlighted packages for this week are:

    The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See the available merges and SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see SecurityTeam/GettingInvolved.

  • Miscellaneous and Questions

Log

Logbot was unavailable at the time of the meeting. Here is the irc log:

11:31 < jdstrand> #startmeeting
11:31 < jdstrand> huh, the bot seems dead
11:31 < jdstrand> The meeting agenda can be found at:
11:31 < chrisccoulson> hi!
11:31 < jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
11:31 < jdstrand> [TOPIC] Announcements
11:31 < jdstrand> Rohan Garg (rohangarg) provided debdiffs for saucy and trusty for kde4libs (LP: #1332064). Your work is very much appreciated and will keep Ubuntu users secure. Great job!
11:32 < ubottu> Launchpad bug 1332064 in kde4libs (Ubuntu Trusty) "[CVE-2014-3494] KMail/KIO POP3 SSL MITM Flaw" [Undecided,New] https://launchpad.net/bugs/1332064
11:32 < jdstrand> [TOPIC] Weekly stand-up report
11:32 < jdstrand> I'll go first
11:32 < jdstrand> fyi, I'm off all next week
11:32 < jdstrand> I'm on triage this week
11:33 < jdstrand> I'm helping test/coordinate the apparmor landing with mdeslaur today. I expect it to be pushed to the archive in a little while
11:33 < mdeslaur> \o/
11:33 < tyhicks> nice
11:33 < jdstrand> I will be working on the ofono profiles bug this week, and any other June work items I can get to
11:33 < jdstrand> I have a pending update I will hopefully get out later today
11:33 < jdstrand> that's it from me
11:33 < jdstrand> mdeslaur: you're up
11:34 < mdeslaur> I'm on community this week
11:34 < mdeslaur> I just pushed out a few updates
11:34 < mdeslaur> and am currently testing the apparmor and other packages that will get published
11:34 < mdeslaur> I plan on taking a bite out of the long list of accumulating CVEs
11:34 < mdeslaur> tomorrow, I'm on national holiday
11:35 < mdeslaur> and I also have to write a wiki page about click store package signing
11:35 < mdeslaur> that's it from me
11:35 < mdeslaur> sbeattie: you're up
11:35 < tyhicks> so you're planning on uploading the new apparmor and then splitting for day?? ;)
11:35 < mdeslaur> tyhicks: SUCKS TO BE YOU!
11:35 < mdeslaur> :)
11:36 < sbeattie> I'm still working on pie by default for gcc/amd64.
11:36 < tyhicks> heh :)
11:36 < sbeattie> (mdeslaur: heh)
11:36 < jjohansen1> tyhicks: don't be surprised if he is sick tomorrow
11:36 < mdeslaur> sbeattie: any progress there?
11:37 < sbeattie> One thing I discovered is that if an otherwise dynamically linked binary includes a libxxx.a, the object files in that .a file need to be compiled with -fPIE as well, which isn't a big deal when they're in the same package, but could introduce an ordering issue for situations where they're in different source packages.
11:38 < sarnold> interesting, I hadn't heard that before.
11:38 < sbeattie> (the apparmor parser does this, but since it's just internal to the source, it's not a big deal)
11:38 < sbeattie> sarnold: yeah. I get a link time failure if they're not.
11:40 < sbeattie> anyway. Other things for this week: I need to look at a mod_apparmor issue -- I missed a note in the 2.2 -> 2.4 transition about the authentication hooks changing, which is causing some of people's problems with the HANDLING_UNTRUSTED_INPUT hat, I think
11:40 < sbeattie> and other misc apparmor stuff.
11:41 < sbeattie> that's pretty much it for my week. tyhicks?
11:41 < tyhicks> I'm wanting to wrap up my rtm work items this week
11:41 < tyhicks> "review trust session and lp:trust-store for pid/APP_ID/apparmor/etc" has turned into a design discussion
11:42 < tyhicks> and "verify kernel security features in phablet image (besides ufw and apparmor)" just needs a little bit of testing today before I send out the kernel config patches
11:43 < tyhicks> I had done one swoop at verifying the kernel security features and enabled everything that we test for in QRT, but there's other things that we don't test for
11:43 < tyhicks> things that we're interested in but are not enabled in all of the touch kernels
11:43 < tyhicks> (like ecryptfs)
11:43 < tyhicks> so I'll add those config tests to QRT after I send out the patches
11:44 < sbeattie> tyhicks: thanks for that.
11:44 < tyhicks> np
11:44 < tyhicks> that's it for me
11:44 < tyhicks> jjohansen1: you're up
11:44 < jdstrand> tyhicks: design discussion?
11:44 < jjohansen1> I'm working on my rtm WIs this week
11:44 < jdstrand> tyhicks: does that mean you are blocked?
11:45 < jjohansen1> I also have the latest revision for the touch kernels to land this week, as soon as the new userspace lands
11:45 < jjohansen1> and I am off tuesday
11:46 < jdstrand> jjohansen1: that should land today. does that mean as soon as it lands you can do the pull request?
11:46 < jjohansen1> rtm WIs == apparmor extended mediation of unix sockets
11:46 < jjohansen1> jdstrand: yes
11:46 < jdstrand> cool
11:47 < jdstrand> re your rtm work items-- would it help if tyhicks or sbeattie helped you if they put aside non-rtm work items?
11:48 < jdstrand> if so, we can take that offline (just putting it out there)
11:49 < tyhicks> jdstrand: no, I'm not blocked - my WI was to review the code and I guess that is technically done
11:49 < tyhicks> jdstrand: now it has turned into a discussion on how to improve things
11:50 < jdstrand> tyhicks: I see. update the work item as you see fit and continue guiding them as necessary :) thanks for taking that on
11:50 < jjohansen1> that is it for me sarnold you are up
11:50 < jdstrand> jjohansen1: did you see my question about help?
11:52 < jjohansen1> jdstrand: not yet but soon, I'll poke them later in the week, wednesday, thursday,
11:52 < sarnold> I'm in the happy place this week, there's an openssl098 community update I'm still working on from last week, I'm still working on the qrt test-django script, and I'm hopeful for some apparmor patch reviews to distract me from the test-django work :)
11:52 < jjohansen1> jdstrand: don't worry I'll poke you to join the party too
11:53 < jdstrand> jjohansen1: ok, thanks
11:53 < sarnold> I think that's it for me, chrisccoulson?
11:54 < chrisccoulson> so, bug 1312082 is finished. I'm just waiting on something olivier is finishing before I merge it, so that I don't break his work
11:54 < ubottu> bug 1312082 in Oxide "Stop using deprecated compositing paths" [High,In progress] https://launchpad.net/bugs/1312082
11:54 < chrisccoulson> i've got through some of my review queue :)
11:55 < chrisccoulson> today, I started on bug 1332754, which should hopefully improve our memory usage a bit
11:55 < ubottu> bug 1332754 in Oxide "Evict frames for hidden webviews" [High,In progress] https://launchpad.net/bugs/1332754
11:55 < chrisccoulson> other than that, it's business as usual :)
11:56 < chrisccoulson> i think that's me done
11:58 < jdstrand> sarnold: there were some other reviews that are listed as work items that we talked about last week-- did you work on those, where are they prioritized for you?
11:58 < jdstrand> chrisccoulson: re 1312082> nice!
11:59 < jdstrand> chrisccoulson: seems like the media-hub/oxide integration is progressing well (which is part of your reviews I think)
11:59 < mdeslaur> jdstrand, tyhicks, jjohansen1, chrisccoulson, sarnold, sbeattie: we're nearing the end of june. Please look at your assigned work items, and if anything is marked may or june and you won't be done in the next week, please let me know
11:59 < tyhicks> ack
11:59 < sbeattie> mdeslaur: okay
11:59 < sarnold> jdstrand: I'd really like to be out from underneath this test-django script, so I was hoping to get it done. I'm sick of it. :)
12:00 < jdstrand> sarnold: sure. how close are you?
12:00 < sarnold> jdstrand: it feels like another day or two
12:01 < sarnold> mdeslaur: ack
12:01 < jdstrand> ok, cool
12:03 < jdstrand> I'm going to proceed-- chrisccoulson feel free to interrupt to answer my question whenever
12:03 < jdstrand> [TOPIC] Highlighted packages
12:03 < jdstrand> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
12:03 < jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
12:03 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/merkaartor.html
12:03 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libipc-pubsub-perl.html
12:03 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gridengine.html
12:03 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/autotrace.html
12:03 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/gajim.html
12:03 < jdstrand> [TOPIC] Miscellaneous and Questions
12:03 < jdstrand> Does anyone have any other questions or items to discuss?
12:07 < jdstrand> #endmeeting
12:07 < jdstrand> mdeslaur, sbeattie, tyhicks, jjohansen, sarnold, ChrisCoulson: thanks! 

MeetingLogs/Security/20140623 (last edited 2014-06-23 17:08:43 by jdstrand)