20150713

Meeting

  • Who: SecurityTeam

  • When: Mon July 13th 2015 16:32 UTC

  • End: 16:56 UTC

  • Where: #ubuntu-meeting on irc.freenode.net

  • Chaired By: Tyler Hicks (tyhicks)

Attendance

  • jdstrand
  • mdeslaur
  • sbeattie
  • tyhicks
  • sarnold
  • chrisccoulson

Not present

  • jjohansen

Agenda

  • Announcements
    • Otto Kekäläinen (otto) provided a debdiff for vivid for mariadb-10.0 (LP: #1451677)
  • Weekly stand-up report (each member discusses any pending and planned future work for the week)
    • jdstrand
      • Discussed out of box experience with design team
      • Continue reviewing IoM sprint summaries and takeaways
      • Embargoed item
      • Finish ubuntu-personal-security policy
    • mdeslaur
      • weekly role: bug triage
      • Fix certificate issue in ca-certificates
      • Security updates
    • sbeattie
      • weekly role: cve triage
      • Review doko's gcc-5 plans and how they intersect with -fPIE on amd64
      • AppArmor patch review in prep for the 2.10 release

      • Finish fixing QRT kernel failures on arm64
    • tyhicks
      • weekly role: happy place
      • Leftover community sponsoring
      • Review the kdbus LSM hook patch set
      • Determine the best way to fix in auditing bug in the phone images
      • Restart work on the UCT-to-trello bridge
      • embargoed issues (2)
    • sarnold
      • weekly role: community
      • ppc64-diag MIR (and depends)
    • chriscoulson
      • fix firefox 39 crashing on precise and trusty
      • embargoed update
      • thunderbird update
  • Highlighted packages

    The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. The highlighted packages for this week are:

    The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See the available merges and SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see SecurityTeam/GettingInvolved.

  • Miscellaneous and Questions
    • None

Log

11:33 < tyhicks> The meeting agenda can be found at:
11:33 < tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
11:33 < tyhicks> [TOPIC] Announcements
11:33  * tyhicks kicks the meeting bot
11:34 < teward> tyhicks: possible it's down with all the other bots?
11:35 < teward> if you'd like i'll drop Archangel (my bot) in here, then provide a publicly accessible copy of the logs for you for the meeting.
11:35 < teward> or pull it from my raw logs here on my client
11:35 < tyhicks> teward: possibly - I'm not aware of any others being down
11:35 < tyhicks> teward: thanks but I've got a logger going
11:35 < teward> ack
11:36 < tyhicks> I guess I'll just proceed
11:36  * teward lurks
11:36 < tyhicks> [TOPIC] Announcements
11:36 < tyhicks> Thanks to Otto Kekäläinen (otto) for providing a debdiff to update mariadb-10.0 in vivid (LP: #1451677)
11:36 < ubottu> Launchpad bug 1451677 in mariadb-10.0 (Ubuntu) "USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB" [Medium,Fix released] https://launchpad.net/bugs/1451677
11:36 < jdstrand> fyi, in the past when the bot was down I just pasted the irc into the wiki page rather than pointing it somewhere else
11:36 < tyhicks> ok
11:36 < jdstrand> (at the end of the meeting)
11:36 < tyhicks> [TOPIC] Weekly stand-up report
11:36 < tyhicks> jdstrand: you're up
11:37 < jdstrand> today we had the oobe meeting with design. it went well, there are followups and discussions that need to be had that we'll capture in trello
11:37 < jdstrand> I need to continue going over the IoM summaries and takeaways
11:37 < jdstrand> I've got an embargoed item I am working on
11:38 < jdstrand> I'd like to finish up the ubuntu-personal-security policy bits
11:38 < jdstrand> then pick up a card as have time
11:38 < jdstrand> mdeslaur: you're up
11:39 < mdeslaur> I'm on bug triage this week
11:39 < mdeslaur> it's a short week for me as I'm on holiday friday and monday
11:39 < mdeslaur> I'm working on a certificate issue in the ca-certificates package which I hope will be fixed soon
11:39 < mdeslaur> and I'm going down the CVE list
11:40 < mdeslaur> I'll probably be stealing the in-progress nbd updates from sbeattie
11:40 < mdeslaur> that's about it, sbeattie, you're up
11:40 < sbeattie> I'm on cve triage this week
11:40 < sbeattie> I'm trying to finish up the last patch reviews needed for an apparmor 2.10 release that we can pull into wily
11:41 < sbeattie> I need to look at doko's gcc-5 plans
11:41 < sbeattie> and that will probably consume my week
11:41 < sbeattie> tyhicks: you're up
11:42 < tyhicks> I'm in the happy place this week
11:42 < tyhicks> I had a little bit of community sponsoring work left over from last week that I did this morning (smoke test and publish mariadb-10.0)
11:42 < tyhicks> I will review the kdbus LSM hook patch set this week
11:43 < tyhicks> I need to determine the best way to fix an auditing bug in the phone images (I've already sent a patch that will fix the issue in new kernels)
11:43 < tyhicks> I want to get back to my UCT-to-trello bridge
11:43 < tyhicks> and I have several embargoed issues
11:44 < tyhicks> I think that's it for me
11:44 < tyhicks> sarnold: skipping to you as I don't see jj
11:45 < sarnold> I'm on community this week, if someone wants to tackle updates for http://people.canonical.com/~ubuntu-security/cve/pkg/proftpd-dfsg.html I know a few users would appreciate the fixes; I'll also be working on the 
                 ppc64-diag "follow-on" package auditing; upstream suggested that we audit git instead, which makes some sense, I hope they can be repackaged for our 14.04.3 release quickly enough.
11:45 < sarnold> that's it for me, chrisccoulson?
11:46 < chrisccoulson> After last week, I was hoping to get through some Oxide reviews this week and carry on with https://launchpad.net/oxide/+milestone/branch-1.9
11:46 < chrisccoulson> But Firefox has something to say about that
11:47 < tyhicks> :/
11:47 < chrisccoulson> I've got 1 embargoed update to do, and I also need to do the thunderbird update
11:47 < chrisccoulson> that's me done
11:47 < sarnold> would it make sense at some point to revert precise back to a firefox ESR release?
11:47 < jdstrand> chrisccoulson: I asked in the other channel. is there something I/we can do to help with firefox?
11:48 < chrisccoulson> I'm not sure atm. I'd like to be able to reproduce this crash, but I can't
11:48 < tyhicks> the 14.04 crash?
11:48 < chrisccoulson> Yeah
11:49 < tyhicks> I can try in a VM
11:49 < chrisccoulson> That's what I'm doing at the moment too
11:49 < doko> sbeattie, please delay any config changes until the GCC 5 transition is done
11:49 < doko> it's already ugly enough
11:49 < sbeattie> doko: okay
11:50 < tyhicks> chrisccoulson: ok, I'll get my trusty-amd64 vm updated and let you know what happens
11:50 < chrisccoulson> thanks
11:50 < tyhicks> sbeattie: I guess that means you should have full focus on aa 2.10 and getting it uploaded to wily this week
11:51 < tyhicks> sbeattie: if that goes quickly, picking up a MIR would be a good idea
11:52 < sbeattie> tyhicks: I forgot I had another thing on my plate, finishing up fixing QART issues on arm64
11:52 < tyhicks> ah, ok
11:52 < tyhicks> sbeattie: those are seccomp test failures, right?
11:53 < tyhicks> (due to symbol craziness)
11:54 < tyhicks> you can tell me later
11:54 < sbeattie> no, this is the test-kernel-security.py stuff, dealing with and testing for different configs
11:54 < tyhicks> oh
11:54 < tyhicks> ok
11:54 < tyhicks> moving on
11:54 < tyhicks> [TOPIC] Highlighted packages
11:54 < tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way 
                 to do so.
11:54 < tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see 
                 https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/boost1.48.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/jython.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/dhcpcd5.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/charybdis.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/texmacs.html
11:54 < tyhicks> [TOPIC] Miscellaneous and Questions
11:54 < tyhicks> Does anyone have any other questions or items to discuss?
11:56 < tyhicks> jdstrand, mdeslaur, sbeattie, sarnold, ChrisCoulson (and teward): Thanks!

MeetingLogs/Security/20150713 (last edited 2015-07-13 17:01:05 by tyhicks)