20140707

Meeting

Attendance

  • jdstrand
  • mdeslaur
  • sbeattie
  • tyhicks
  • jjohansen
  • sarnold
  • chrisccoulson

Not present

  • None

Agenda

  • Announcements
    • Andrew Starr-Bochicchio (andrewsomething) provided a debdiff for trusty for libtorrent-rasterbar (LP: #1330703)
    • James Page (jamespage) provided an update for trusty for percona-xtradb-cluster-5.5 (LP: #1325916)
    • Louis Bouchard (caribou) provided a debdiff for precise-utopic for openssl098 (LP: #1331452)
    • Felix Geyer (debfx) provided a debdiff for trusty for mumble (LP: #1335597)
    Your work is very much appreciated and will keep Ubuntu users secure. Great job!
  • Weekly stand-up report (each member discusses any pending and planned future work for the week)
    • jdstrand
      • off Wednesday
      • weekly role: happy place
      • AppArmor testing
      • RTM work items
      • performance reviews
      • catch up
    • mdeslaur
      • weekly role: triage
      • pending updates (php5 and dbus) then work down the list
    • sbeattie
      • catch up
      • AppArmor in support of abstract socket mediation
      • PIE by default on amd64 as have time
    • tyhicks
      • eCryptfs kernel bug fix
      • review a patch for an upcoming file encryption kernel feature
      • rebase dbus merge against latest Debian testing and push it through
      • take the lead on the Ubuntu landing (packaging/testing) of the abstract socket mediation patches
    • jjohansen
      • AppArmor
        • abstract socket mediation
        • sync up with sbeattie, tyhicks and jdstrand
        • push patches to the list
        • iterate, push upstream
        • discuss risk and upload ordering
    • sarnold
      • weekly role: community
      • trust-store MIR
      • phone password handling merge request
      • AppArmor review
      • RTM work items
    • chrisccoulson
      • oxide daily builds
      • chromium-browser sponsored upload
      • oxide update for 14.04
      • blog about chromium and oxide release cadence
  • Highlighted packages

    The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and/or triaging. If you would like to help Ubuntu and are not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. The highlighted packages for this week are:

      • redis: http://people.canonical.com/~ubuntu-security/cve/pkg/redis.html
      • sup-mail: http://people.canonical.com/~ubuntu-security/cve/pkg/sup-mail.html
      • forked-daapd: http://people.canonical.com/~ubuntu-security/cve/pkg/forked-daapd.html
      • syncevolution: http://people.canonical.com/~ubuntu-security/cve/pkg/syncevolution.html
      • libjboss-cache3-java: http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html

  • Miscellaneous and Questions
    • RTM work items - reiterate prioritizing them to land soon

Log

The meeting bot was not available at the time of the meeting. Here are the logs:

11:54 < jdstrand> #startmeeting
11:54 < jdstrand> The meeting agenda can be found at:
11:54 < jdstrand> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
11:54 < mdeslaur> hello!
11:54 < jdstrand> [TOPIC] Announcements
11:54 < jdstrand> Andrew Starr-Bochicchio (andrewsomething) provided a debdiff for trusty for libtorrent-rasterbar (LP: #1330703)
11:54 < ubottu> Launchpad bug 1330703 in libtorrent-rasterbar (Ubuntu Trusty) "[Security] UPNP opens port 0 which fully exposes PC to the internet." [High,Fix released] https://launchpad.net/bugs/1330703
11:54 < jdstrand> James Page (jamespage) provided an update for trusty for percona-xtradb-cluster-5.5 (LP: #1325916)
11:54 < ubottu> Launchpad bug 1325916 in percona-xtradb-cluster-5.5 (Ubuntu Utopic) "Update to 5.5.37 for security updates" [Undecided,Fix released] https://launchpad.net/bugs/1325916
11:54 < jdstrand> Felix Geyer (debfx) provided a debdiff for trusty for mumble (LP: #1335597)
11:54 < ubottu> Launchpad bug 1335597 in mumble (Ubuntu Saucy) "CVE-2014-3755 and CVE-2014-3756" [Undecided,Confirmed] https://launchpad.net/bugs/1335597
11:54 < jdstrand> Louis Bouchard (caribou) provided a debdiff for precise-utopic for openssl098 (LP: #1331452)
11:54 < ubottu> Launchpad bug 1331452 in openssl098 (Ubuntu Utopic) "Please backport current CVEs for Precise LTS openssl098" [High,Fix released] https://launchpad.net/bugs/1331452
11:54 < jdstrand> Your work is very much appreciated and will keep Ubuntu users secure. Great job!
11:54 < jdstrand> [TOPIC] Weekly stand-up report
11:54 < jdstrand> I'll go first
11:55 < jdstrand> I'm back from vacation so am catching up on what I missed
11:55 < jdstrand> seems to be going ok so far
11:55 < jdstrand> thank you for covering for me
11:55 < jdstrand> I'm off Wednesday
11:55 < jdstrand> I plan to do apparmor testing of jjohansen's abstract socket mediation patch set
11:55 < mdeslaur> jdstrand: it was easy, I just did /nick jdstrand "I don't know." all week
11:55 < jdstrand> hehe
11:56 < jdstrand> I have an rtm work item I will be working on for click-apparmor
11:56 < jdstrand> and I need to really get cracking on the performance reviews
11:56 < jdstrand> mdeslaur: you're up
11:56 < mdeslaur> I'm on triage this week
11:56 < mdeslaur> I've got a few updates to test and release, including dbus
11:56 < mdeslaur> and am currently working on php5 updates
11:57 < mdeslaur> the list is getting long, so that's what I'll be doing the rest of the week also
11:57 < mdeslaur> that's it for me! sbeattie, you're up
11:57 < sbeattie> I'm also back from vacation and catching up on what I missed
11:57 < sbeattie> I'm digging back into the gcc pie stuff
11:58 < mdeslaur> ah crud, I forgot about smb's xen updates last week...I'll be sponsoring that too
11:58 < sbeattie> I need to sync up with jjohansen
11:58 < mdeslaur> sbeattie: hrm, please ask if jj has anything for you to help with before looking at gcc again
11:59 < sbeattie> mdeslaur: heh, yeah, that's what I'm trying to say.
11:59 < mdeslaur> cool
11:59 < sbeattie> mdeslaur: but ack
11:59 < sbeattie> anyway, that's pretty much it for me
11:59 < sbeattie> tyhicks: you're up
11:59 < tyhicks> I'm currently fixing an eCryptfs kernel bug
12:00 < tyhicks> it doesn't yet have an official bug, but it is mentioned in another bug: https://bugzilla.kernel.org/show_bug.cgi?id=41692#c2
12:00 < ubottu> bugzilla.kernel.org bug 41692 in ecryptfs "Obscure improper EACCES with ecryptfs_xattr_metadata" [Normal,New]
12:01 < tyhicks> I also plan to review a patch for an upcoming file encryption kernel feature
12:01 < tyhicks> I need to rebase my dbus merge against the latest version debian testing
12:02 < tyhicks> and then push it through
12:02 < tyhicks> and then I'd like to take a look at my outstanding work items
12:02 < mdeslaur> tyhicks: helping jj with whatever tasks he has to land the stuff for rtm has priority
12:02 < tyhicks> I think "implement kernel postinst policy compiles" work item from last month would be a good one to start on
12:02 < jdstrand> so, jjohansen said earlier that he would likely have some abstract patches
12:02 < tyhicks> ok
12:03 < jdstrand> mdeslaur: perhaps tyhicks can help with the Ubuntu packaging/testing?
12:03 < tyhicks> jjohansen: give me anything you'd like and I'll drop whatever I'm working on
12:03 < mdeslaur> definitely
12:03 < tyhicks> ok
12:03 < jdstrand> cool, yeah, let's have tyhicks take the lead on the Ubuntu landing.
12:03  * tyhicks nods
12:03 < jdstrand> tyhicks: I'll work with you on that like last time
12:03 < tyhicks> ok
12:04 < tyhicks> that's it for me
12:04 < tyhicks> jjohansen: you're up
12:04 < jjohansen> well gee, I think its all been covered already :)
12:04 < jdstrand> hehe
12:04 < jdstrand> jjohansen: you are the man of the hour :)
12:04 < jjohansen> I need to sync up with sbeattie, and jdstrand
12:05 < jjohansen> I need to push out the abstract socket patches, I am currently doing some revisions on them
12:05 < tyhicks> jjohansen: are you revising the kernel or userspace patches? (or both?)
12:05 < jjohansen> tyhicks: both
12:05 < tyhicks> ok
12:06 < tyhicks> I'll watch the list for the userspace patches and then start packaging them up
12:06 < jjohansen> tyhicks: I'll start kicking stuff out today, I'll push the userspace first
12:06 < tyhicks> sounds good
12:07 < jdstrand> jjohansen: will this include the backports for the touch kernels?
12:07 < jjohansen> once the abstract/anonymous socket mediation patches look good, I have to get some patches together to push upstream
12:08 < jjohansen> jdstrand: uh sort of
12:09 < jdstrand> ?
12:09 < jjohansen> jdstrand: it's a set of changes on top of the current stuff. I expect we are going to just drop it as a diff on top of the current set. So no rebase etc. is needed
12:09 < jdstrand> ok, that sounds fine
12:09 < jjohansen> I can certainly build touch kernels with the diff on top of the current
12:10 < jdstrand> we can't consider this landed until it is both userspace and the touch kernels
12:10 < jjohansen> jdstrand: correct
12:10 < jdstrand> so I just wanted to ask
12:10 < jdstrand> jjohansen: for tyhicks and myself, we'll need generic amd64 (at least, perhaps i386), mako and goldfish
12:10 < jjohansen> jdstrand: for landing there is some dependency ordering on policy
12:10 < jdstrand> sure
12:10 < jjohansen> right
12:10 < jdstrand> like last time
12:11 < jjohansen> kernel is not dependent on userspace and userspace on kernel, so just policy
12:11 < jjohansen> yep
12:11 < jdstrand> so we don't have to hash that out all here. sounds like things are in order, we just need to execute
12:11  * jdstrand is excited, but slightly worried about the policy changes
12:12 < jdstrand> jjohansen: have you seen anything scary wrt policy changes?
12:12 < jjohansen> define scary :)
12:12 < mdeslaur> scary as in "breaks everything"
12:12 < jdstrand> I'm hoping it'll be a more or less non-event for upgraders (ie, we can tweak base and apparmor-easyprof-ubuntu accordingly)
12:13 < jdstrand> I'm also hoping that we don't have bad required policy
12:13 < jjohansen> uh yeah if rules aren't in place you can break things that are using abstract sockets
12:13 < jdstrand> like apps have to talk to the upstart abstract socket for some reason
12:14 < jjohansen> think just like with the unix socket fix that was done with saucy, without certain rules in place you fail to boot
12:14 < jdstrand> jjohansen: right, I meant in your work, have you seen anything that was obvious that it couldn't be handled well by adjusting base, etc
12:14 < jdstrand> or do we expect things to be similar to signal/ptrace mediation
12:15 < jdstrand> (which went very well)
12:15 < jjohansen> jdstrand: hrmmm, I haven't really thought about where the best place for the additions is, we certainly can add to base
12:15 < jjohansen> yep
12:15 < jdstrand> ok, that's fine. just wondering if you had a feel for it yet. we certainly will once the patches go up :)
12:16  * jdstrand is done with his questions
12:17 < jjohansen> jdstrand: so my feel is we will stuff some of it in base. which is fine, its just a matter of tuning how tight you want things
12:17  * jjohansen is done, sarnold you're up
12:17 < jdstrand> cool, sounds great
12:17 < jdstrand> we'll discuss all that in #apparmor when the time is right
12:17  * sarnold hides
12:18 < sarnold> I'm on community this week; I have a MIR for trust-store to work on, blueprint items to work on, and it sounds like jj's going to give me a giant gift-wrapped bow-tied balloon-festooned box of new patches to review! \o/
12:19 < mdeslaur> sarnold: are you still working with mterry on phone password handling?
12:19 < sarnold> mdeslaur: let me go reload that bug :)
12:19 < sarnold> s/bug/merge request/
12:20 < mdeslaur> sarnold: I believe he had some follow up questions about how to handle empty passwords, etc, and I told him to work that out with you
12:20 < sarnold> mdeslaur: ah, looks like he's got wonderful answers to my questions, no new questions, looks like he's probably good :D
12:20 < sarnold> mdeslaur: ah right, and the securetty bits. i'm sorry I forgot about those.
12:21 < mdeslaur> sarnold: ping him when you get a chance and follow up to make sure all is resolved, please
12:21 < sarnold> mdeslaur: ack :)
12:22 < sarnold> I think that's me done, chrisccoulson?
12:22 < chrisccoulson> hi :)
12:23 < chrisccoulson> this week, I'm looking at getting daily builds going for oxide (I did a hangout last week with oSoMoN and psivaa, and we decided to separate the CI and daily builds tasks, with me taking the latter)
12:23 < chrisccoulson> also, will hopefully be testing and publishing a chromium update from chad :)
12:24 < mdeslaur> \o/
12:24 < chrisccoulson> and, there'll be an oxide update too (with the new chromium release in)
12:24 < chrisccoulson> so, if you're using webapps in trusty, please do install the oxide build from https://launchpad.net/~ubuntu-mozilla-security/+archive/ppa/
12:25 < mdeslaur> sweet
12:26 < jdstrand> chrisccoulson: re daily builds> oh nice :)
12:26 < chrisccoulson> also, when I did our hangout last week, I did a little diagram explaining the release cycle: https://docs.google.com/a/canonical.com/presentation/d/1cJ_2nhHgv1A4tMUy4-7Tc1kt5r861a0CnYaG9GiOqIo/edit?usp=sharing
12:26 < jdstrand> very nice on oxide update for trusty too
12:27 < mdeslaur> cool
12:27 < chrisccoulson> I'll put that in a blog post soon (the diagram is currently not publicly shared, although there's no reason it shouldn't be)
12:27 < chrisccoulson> so the link won't work for anyone outside of canonical atm
12:27 < jdstrand> cool
12:28 < chrisccoulson> I think that's me done
12:29 < jdstrand> chrisccoulson: so, I think we need some sort of MRE like thing for oxide
12:29 < jdstrand> https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions
12:29 < sarnold> meal ready to eat?
12:29 < sarnold> oh jeeze
12:29 < chrisccoulson> aha :)
12:30 < jdstrand> chrisccoulson: perhaps mdeslaur can help there since he is on the TB
12:30 < jdstrand> it is the plan of action, but it hasn't been ratified by the TB
12:30 < mdeslaur> since there are security fixes included, no need for a mre
12:31 < mdeslaur> if you ever want to publish new versions with only fixes, you need an mre
12:31 < jdstrand> this will have more than security updates aiui
12:31 < jdstrand> just like firefox and chromium-browser
12:31 < mdeslaur> doesn't matter, the mres are only for SRUs
12:31 < jdstrand> (which have MREs)
12:31 < jdstrand> ok, fair enough
12:31 < jdstrand> makes it easier :)
12:32 < mdeslaur> I mean, we still should probably ask for one, in case there are updates that don't include security fixes
12:32  * jdstrand nods
12:33 < mdeslaur> once we've done a couple via security updates, chrisccoulson can ask for the MRE
12:33 < jdstrand> sounds like a plan
12:33 < jdstrand> [TOPIC] Highlighted packages
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/redis.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/sup-mail.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/forked-daapd.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/syncevolution.html
12:34 < jdstrand> http://people.canonical.com/~ubuntu-security/cve/pkg/libjboss-cache3-java.html
12:34 < jdstrand> The Ubuntu Security team will highlight some community-supported packages (^) that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so.
12:34 < jdstrand> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
12:34 < jdstrand> [TOPIC] Miscellaneous and Questions
12:35 < jdstrand> I only have one thing: if you have RTM work items, please work with mdeslaur on finding time to do them. we are rapidly approaching bug fixes only on the phone
12:36 < jdstrand> otoh, I have one and then there is the abstract sockets
12:36 < jdstrand> (mine is small and should be done this week)
12:36 < jdstrand> if you aren't sure if it is for rtm, ask me and mdeslaur
12:36 < jdstrand> Does anyone have any other questions or items to discuss?
12:39 < jdstrand> #endmeeting

MeetingLogs/Security/20140707 (last edited 2014-07-07 17:42:58 by jdstrand)