Ubuntu Wiki

Meeting

• Who: SecurityTeam

• When: Mon July 13th 2015 16:32 UTC

• End: 16:56 UTC

• Where: #ubuntu-meeting on irc.freenode.net

• Chaired By: Tyler Hicks (tyhicks)

Attendance

• jdstrand
• mdeslaur
• sbeattie
• tyhicks
• sarnold
• chrisccoulson

Not present

• jjohansen

Agenda

• Announcements
  • Otto Kekäläinen (otto) provided a debdiff for vivid for mariadb-10.0 (LP: #1451677)
• Weekly stand-up report (each member discusses any pending and planned future work for the week)
  • jdstrand
    • Discussed out of box experience with design team
    • Continue reviewing IoM sprint summaries and takeaways
    • Embargoed item
    • Finish ubuntu-personal-security policy
  • mdeslaur
    • weekly role: bug triage
    • Fix certificate issue in ca-certificates
    • Security updates
  • sbeattie
    • weekly role: cve triage
    • Review doko's gcc-5 plans and how they intersect with -fPIE on amd64

    • AppArmor patch review in prep for the 2.10 release

    • Finish fixing QRT kernel failures on arm64
  • tyhicks
    • weekly role: happy place
    • Leftover community sponsoring
    • Review the kdbus LSM hook patch set
    • Determine the best way to fix in auditing bug in the phone images
    • Restart work on the UCT-to-trello bridge
    • embargoed issues (2)
    • jjohansen

      • Advising on the work to add dconf mediation to AppArmor

      • look at the overlayfs LSM interaction patches sent upstream

      • finish AppArmor 2.10 patch reviews/responses

      • email catchup

      • AppArmor kernel delta upstreaming

  • sarnold
    • weekly role: community
    • ppc64-diag MIR (and depends)
  • chriscoulson
    • fix firefox 39 crashing on precise and trusty
    • embargoed update
    • thunderbird update
• Highlighted packages

  The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way to do so. See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see https://wiki.ubuntu.com/SecurityTeam/GettingInvolved. The highlighted packages for this week are:

  The Ubuntu Security team suggests that contributors look into merging Debian security updates in community-supported packages. If you would like to help Ubuntu but are not sure where to start, this is a great way to do so. See the available merges and SecurityTeam/UpdateProcedures for details on preparing Ubuntu security updates. If you have any questions, feel free to ask in #ubuntu-hardened. To find out other ways of helping out, please see SecurityTeam/GettingInvolved.

• Miscellaneous and Questions
  • None

Log

11:33 < tyhicks> The meeting agenda can be found at:
11:33 < tyhicks> [LINK] https://wiki.ubuntu.com/SecurityTeam/Meeting
11:33 < tyhicks> [TOPIC] Announcements
11:33  * tyhicks kicks the meeting bot
11:34 < teward> tyhicks: possible it's down with all the other bots?
11:35 < teward> if you'd like i'll drop Archangel (my bot) in here, then provide a publicly accessible copy of the logs for you for the meeting.
11:35 < teward> or pull it from my raw logs here on my client
11:35 < tyhicks> teward: possibly - I'm not aware of any others being down
11:35 < tyhicks> teward: thanks but I've got a logger going
11:35 < teward> ack
11:36 < tyhicks> I guess I'll just proceed
11:36  * teward lurks
11:36 < tyhicks> [TOPIC] Announcements
11:36 < tyhicks> Thanks to Otto Kekäläinen (otto) for providing a debdiff to update mariadb-10.0 in vivid (LP: #1451677)
11:36 < ubottu> Launchpad bug 1451677 in mariadb-10.0 (Ubuntu) "USN-2575-1: MySQL vulnerabilities partially also applies to MariaDB" [Medium,Fix released] https://launchpad.net/bugs/1451677
11:36 < jdstrand> fyi, in the past when the bot was down I just pasted the irc into the wiki page rather than pointing it somewhere else
11:36 < tyhicks> ok
11:36 < jdstrand> (at the end of the meeting)
11:36 < tyhicks> [TOPIC] Weekly stand-up report
11:36 < tyhicks> jdstrand: you're up
11:37 < jdstrand> today we had the oobe meeting with design. it went well, there are followups and discussions that need to be had that we'll capture in trello
11:37 < jdstrand> I need to continue going over the IoM summaries and takeaways
11:37 < jdstrand> I've got an embargoed item I am working on
11:38 < jdstrand> I'd like to finish up the ubuntu-personal-security policy bits
11:38 < jdstrand> then pick up a card as have time
11:38 < jdstrand> mdeslaur: you're up
11:39 < mdeslaur> I'm on bug triage this week
11:39 < mdeslaur> it's a short week for me as I'm on holiday friday and monday
11:39 < mdeslaur> I'm working on a certificate issue in the ca-certificates package which I hope will be fixed soon
11:39 < mdeslaur> and I'm going down the CVE list
11:40 < mdeslaur> I'll probably be stealing the in-progress nbd updates from sbeattie
11:40 < mdeslaur> that's about it, sbeattie, you're up
11:40 < sbeattie> I'm on cve triage this week
11:40 < sbeattie> I'm trying to finish up the last patch reviews needed for an apparmor 2.10 release that we can pull into wily
11:41 < sbeattie> I need to look at doko's gcc-5 plans
11:41 < sbeattie> and that will probably consume my week
11:41 < sbeattie> tyhicks: you're up
11:42 < tyhicks> I'm in the happy place this week
11:42 < tyhicks> I had a little bit of community sponsoring work left over from last week that I did this morning (smoke test and publish mariadb-10.0)
11:42 < tyhicks> I will review the kdbus LSM hook patch set this week
11:43 < tyhicks> I need to determine the best way to fix an auditing bug in the phone images (I've already sent a patch that will fix the issue in new kernels)
11:43 < tyhicks> I want to get back to my UCT-to-trello bridge
11:43 < tyhicks> and I have several embargoed issues
11:44 < tyhicks> I think that's it for me
11:44 < tyhicks> sarnold: skipping to you as I don't see jj
11:45 < sarnold> I'm on community this week, if someone wants to tackle updates for http://people.canonical.com/~ubuntu-security/cve/pkg/proftpd-dfsg.html I know a few users would appreciate the fixes; I'll also be working on the 
                 ppc64-diag "follow-on" package auditing; upstream suggested that we audit git instead, which makes some sense, I hope they can be repackaged for our 14.04.3 release quickly enough.
11:45 < sarnold> that's it for me, chrisccoulson?
11:46 < chrisccoulson> After last week, I was hoping to get through some Oxide reviews this week and carry on with https://launchpad.net/oxide/+milestone/branch-1.9
11:46 < chrisccoulson> But Firefox has something to say about that
11:47 < tyhicks> :/
11:47 < chrisccoulson> I've got 1 embargoed update to do, and I also need to do the thunderbird update
11:47 < chrisccoulson> that's me done
11:47 < sarnold> would it make sense at some point to revert precise back to a firefox ESR release?
11:47 < jdstrand> chrisccoulson: I asked in the other channel. is there something I/we can do to help with firefox?
11:48 < chrisccoulson> I'm not sure atm. I'd like to be able to reproduce this crash, but I can't
11:48 < tyhicks> the 14.04 crash?
11:48 < chrisccoulson> Yeah
11:49 < tyhicks> I can try in a VM
11:49 < chrisccoulson> That's what I'm doing at the moment too
11:49 < doko> sbeattie, please delay any config changes until the GCC 5 transition is done
11:49 < doko> it's already ugly enough
11:49 < sbeattie> doko: okay
11:50 < tyhicks> chrisccoulson: ok, I'll get my trusty-amd64 vm updated and let you know what happens
11:50 < chrisccoulson> thanks
11:50 < tyhicks> sbeattie: I guess that means you should have full focus on aa 2.10 and getting it uploaded to wily this week
11:51 < tyhicks> sbeattie: if that goes quickly, picking up a MIR would be a good idea
11:52 < sbeattie> tyhicks: I forgot I had another thing on my plate, finishing up fixing QART issues on arm64
11:52 < tyhicks> ah, ok
11:52 < tyhicks> sbeattie: those are seccomp test failures, right?
11:53 < tyhicks> (due to symbol craziness)
11:54 < tyhicks> you can tell me later
11:54 < sbeattie> no, this is the test-kernel-security.py stuff, dealing with and testing for different configs
11:54 < tyhicks> oh
11:54 < tyhicks> ok
11:54 < tyhicks> moving on
11:54 < tyhicks> [TOPIC] Highlighted packages
11:54 < tyhicks> The Ubuntu Security team will highlight some community-supported packages that might be good candidates for updating and or triaging. If you would like to help Ubuntu and not sure where to start, this is a great way 
                 to do so.
11:54 < tyhicks> See https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures for details and if you have any questions, feel free to ask in #ubuntu-security. To find out other ways of helping out, please see 
                 https://wiki.ubuntu.com/SecurityTeam/GettingInvolved.
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/boost1.48.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/jython.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/dhcpcd5.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/charybdis.html
11:54 < tyhicks> http://people.canonical.com/~ubuntu-security/cve/pkg/texmacs.html
11:54 < tyhicks> [TOPIC] Miscellaneous and Questions
11:54 < tyhicks> Does anyone have any other questions or items to discuss?
11:56 < tyhicks> jdstrand, mdeslaur, sbeattie, sarnold, ChrisCoulson (and teward): Thanks!