21:01:30 <misc> #startmeeting
21:01:30 <Inigo_Montoya> Meeting started Wed Jan 4 21:01:30 2012 UTC. The chair is misc. Information about MeetBot at http://wiki.debian.org/MeetBot.
21:01:30 <Inigo_Montoya> Useful Commands: #action #agreed #help #info #idea #link #topic.
21:01:31 <erzulie> [ MeetBot - Debian Wiki ]
21:03:14 <misc> so besides me, who is here for the meeting ?
21:03:20 <rindolf> misc: I am.
21:03:32 <rindolf> misc: though I may go to sleep soon.
21:03:38 <leuhmanu> o/
21:03:51 * doktor5000_ raises arm
21:04:10 <ryoshu> I'm listening to you
21:04:11 <misc> rindolf: yep, sorry about mixed up time
21:04:32 <bkor> me
21:04:49 <misc> ok
21:04:55 <misc> #topic alpha 3
21:05:12 <misc> so the only thing to announce is that we are near alpha 3
21:05:29 * Stormi here too
21:05:47 <rindolf> Bye all.
21:05:49 <rindolf> Good night.
21:05:58 <misc> https://wiki.mageia.org/en/Mageia_2_development
21:05:59 <erzulie> [ Mageia 2 development - Mageia wiki ]
21:06:37 <misc> the publication is planned on 12/01/12
21:06:53 <misc> #info alpha 3 is still planned for 12/01
21:07:33 <misc> as usual, we do a freeze before, and we ask to people to postpone heavy change after the alpha 3 release
21:08:45 <misc> anne has more info than me, but she is not here tonight
21:09:58 <misc> anyway, i do not have more to add on the topic :/, so if people have questions, try to direct them on the ml
21:10:27 <misc> leuhmanu: bug triage ?
21:10:38 <misc> or Stormi, coincoin, qa ?
21:10:56 <leuhmanu> nothing to add for the bugsquad
21:11:04 <Stormi> about QA, the number of update candidates has raised recently
21:11:07 <misc> #topic bugsquad
21:11:13 <misc> #info nothing to say
21:11:16 <misc> #topic QA
21:11:48 <Stormi> maybe because of a lot of recent security updates
21:11:53 <leuhmanu> yep thanks to a lot of missing security bugs
21:12:28 <Stormi> so any help is welcome to reduce the number to a more sustainable one
21:12:41 <Stormi> otherwise there can be some delay in security updates
21:13:04 <misc> #info help is needed to cope with numerous security updates
21:13:14 <misc> what kind of help, to be precise ?
21:13:20 <leuhmanu> #url for the buglist https://bugs.mageia.org/buglist.cgi?cmdtype=dorem&remaction=run&namedcmd=waiting%20for%20QA%20test&sharer_id=22
21:13:22 <erzulie> [ Log in to Bugzilla ]
21:13:41 <Stormi> testing update candidates
21:13:48 <Stormi> following https://wiki.mageia.org/en/QA_process_for_validating_updates
21:13:49 <erzulie> [ QA process for validating updates - Mageia wiki ]
21:15:40 <misc> ok
21:15:42 <doktor5000> if we're at it, is there any progress/change about security team?
21:15:58 <leuhmanu> I guess no
21:16:49 <misc> nothing to add for QA team ?
21:17:20 <Stormi> The other topic would be the alpha
21:17:31 <misc> yep, but i guess that's the same as usual ?
21:17:36 <Stormi> I think so
21:17:45 <misc> so you can explain :)
21:18:27 <Stormi> Well, I haven't participated in the alpha 2 tests, but globally a limited number of people are given links to the ISOs in advance and test them in a timely manner
21:18:35 <Stormi> and report blocking bugs
21:19:05 <Stormi> the qa-discuss mailing list is used for discussion
21:19:10 <Stormi> as well as #mageia-qa
21:19:31 <Stormi> so anyone really wanting to test before release of alpha3 can hang there and show their interest
21:20:45 <misc> #info same process as usual for alpha 3, tester for iso before the release, irc on #mageia-qa, ml on qa-discuss
21:20:46 <Stormi> for those kind of tests, what's really needed is a few people available for a few days, rather than lots of testers with only minutes to spare
21:21:32 <doktor5000> out of curiosity, wouldn't it be generally better for more widespread testing in the same timeframe to make them directly available to the public?
21:21:35 <misc> ( for those, there is security update )
21:22:03 <Stormi> doktor5000: it makes the pre-release testing phase hard to handle
21:22:11 <misc> doktor5000: well, I would be in favor, but people must not think that's the real alpha
21:22:31 <misc> and as Stormi say, this force people to contact the team
21:23:09 <Stormi> yep, someone who wants to test can come in and join, usually they'll be given access to the isos
21:24:01 <stblack> could be useful to say what to test, I mean only the install process or other or all.
21:24:36 <misc> I didn't participate but that's explained, i think
21:24:49 <Stormi> there's a wiki page : https://wiki.mageia.org/en/QA_process_for_testing_installations
21:24:50 <erzulie> [ QA process for testing installations - Mageia wiki ]
21:26:25 <Stormi> and there's usually a collaborative pad where people report their testing results (qa-discuss ML is good for that too)
21:29:00 <Stormi> I think that's all for QA
21:29:47 <misc> ok
21:29:54 <misc> no one for mentoring ?
21:29:56 <AL13N> about alpha3, i'll still submit the fixes for mariadb, but i'm just correctly trying to get readline to become GPLv2 + GPLv3
21:30:39 <Stormi> For mentoring I think what we can infer from the mailing list is that there are still candidates coming, and need mentors for them
21:31:31 <Stormi> one of them having been waiting for one month and having packaging background
21:31:45 <leuhmanu> speaking about mentoring
21:31:59 <leuhmanu> is there a plan to fix some bugs https://wiki.mageia.org/en/Packagers_Howto_start#Work_suggestions_for_apprentices ?
21:32:02 <erzulie> [ Packagers Howto start - Mageia wiki ]
21:33:25 <misc> leuhmanu: ie ?
21:33:45 <leuhmanu> resolving bugs with a patch :)
21:33:51 <leuhmanu> or easy to fix
21:34:32 <leuhmanu> we have keyword in the bugzilla
21:35:31 <misc> just add them, and notify mentor
21:35:39 <leuhmanu> but know people/padawan that there are some nice jobs ?
21:36:04 <leuhmanu> ok I will ping andre then
21:38:20 <misc> #topic mentoring
21:38:42 <misc> #action leuhmanu remind mentors to use the junior job keyword bugs for apprentice
21:44:50 <doktor5000> about security team, IMHO we need someone who is dedicated to opening security bugreports, links to CVEs, maybe gives links to POCs, and maybe even gives a link to upstream commits for that, and checks which distro version is susceptible to a given security issue
21:45:16 <doktor5000> like what stewb did
21:45:19 <misc> doktor5000: that was the point
21:45:28 <misc> but nothing prevent anyone from doing it now
21:46:04 <doktor5000> misc: well, if anyone can do it, usually that translates to nobody does it regularly
21:46:08 <pterjan> I do it every few months for a few bugs
21:46:23 <misc> doktor5000: yes, but i mean we just need to ask to someone to do
21:46:36 <pterjan> I think we need several people
21:47:00 <pterjan> there are several to investigate everyday
21:47:15 <doktor5000> misc: pterjan: well at least one dedicated person only for this, maybe two would be better
21:47:18 <pterjan> I had started looking at ways to script it
21:47:27 <pterjan> (checking versions)
21:47:33 <pterjan> but did not progress much
21:47:59 <doktor5000> pterjan: i think that's what fedora is doing, they usually get the cve's directly into their bugzilla, IINM
21:48:30 <doktor5000> maybe someone can ask vdanen about that? anyone still in contact with him?
21:48:41 <misc> I think vdanen is rather busy
21:48:50 <pterjan> no but ask if they have scripts
21:49:07 <misc> I guess I can ask, I think vdanen still remember me
21:49:17 <pterjan> I am sure he remembers me :]
21:49:50 <misc> pterjan: that's the problem I think, he still remember you
21:50:12 <misc> #topic security
21:50:33 <ryoshu> is cjw alive?
21:50:51 <misc> #action misc try to contact vdanen to see if there is script for pushing cve to bugzilla
21:51:01 <ryoshu> he is mentoring kicer86... and the apprentice has no contact with the mentor
21:51:06 <Maeztro> Stormi: I have four or five apprentices from blogdrake, but they have been very busy lately and our mentoring process is kinda stalled with most of them right now, so I'll take him :)
21:51:06 <misc> #info someone is needed to take care of sec bug
21:51:19 <Stormi> Maeztro: great
21:51:51 <misc> ok so can i close the meeting ?
21:52:19 <pterjan> http://web.archiveorange.com/archive/v/lEZ53Zdetx1VBBDGM8fC
21:52:19 <erzulie> [ fedora-security/tools/scripts add-cve-bug, 1.1.2.1, 1.1.2.2 - Commit messages about changes in fedora-security module - ArchiveOrange ]
21:52:21 <Maeztro> Stormi: :)
21:53:26 <pterjan> http://jur-linux.org/git/?p=cvs-fedora-security.git;a=summary
21:53:27 <erzulie> [ jur-linux - cvs-fedora-security.git/summary ]
21:54:36 <bkor> urgh, perl
21:55:41 <pterjan> but anyway adding to bugzilla is not the difficult part
21:56:01 <misc> http://git.fedorahosted.org/git/?p=fedora-security.git;a=summary is the canonical url
21:56:03 <erzulie> [ Fedora Hosted Git Repositories - fedora-security.git/summary ]
21:56:09 <pterjan> checking if we have a package from that software, and which versions, and if they are impacted is the interesting one
21:56:35 <misc> ( http://osvdb.org/ is interesting too )
21:56:36 <erzulie> [ OSVDB: The Open Source Vulnerability Database ]
21:56:44 <leuhmanu> nice
21:56:57 <pterjan> misc: yes I started looking at it
21:57:25 <pterjan> having a file similar to http://git.fedorahosted.org/git/?p=fedora-security.git;a=blob;f=audit/f11;h=0c2188a1594b146e3d7c65889b42ca99821259d7;hb=HEAD would be a good start actually
21:57:26 <erzulie> [ Fedora Hosted Git Repositories - fedora-security.git/blob - audit/f11 ]
21:58:24 <doktor5000> pterjan: boils down to someone dedicated auditing all packages, no?
21:58:46 <pterjan> doktor5000: no because anyone can add to this file when they have time
21:58:59 <pterjan> and the not yet looked at ones are tracked
21:59:54 <pterjan> and we can see later how to analyse some to fill part of it automatically, and create bugs from the VULNERABLE lines
22:00:05 <Stormi> better tools, less work :)
22:00:29 <misc> there is also this : http://www.awe.com/mark/blog/20110518.html
22:00:30 <erzulie> [ Mark J Cox : Red Hat Security Advisories in CVRF ]
22:01:05 <pterjan> yeah we can probably also steal from their updates and/or debian ones :)
22:01:08 <misc> in fact, i guess we should try to propose a discussion about this in fosdem, or ask to others distros how they do
22:02:50 <pterjan> I can have a look again and see the available parsable sources
22:03:12 <leuhmanu> does Oden only read the dedicated ml ?
22:03:33 <leuhmanu> (if somebody know :) )
22:03:58 <misc> pterjan: maybe put this in youri :)
22:04:02 <misc> leuhmanu: ?
22:05:04 <pterjan> yes that could be a check
22:05:20 <pterjan> "this package has a listed cve which was not reviewed and put in the file"
22:05:52 <doktor5000> pterjan: that sounds nice
22:06:12 <AL13N> that's a good one!
22:06:47 <AL13N> blocking cauldron, until the fix for mga1 is done
22:07:53 <AL13N> i mean submissions of course
22:11:50 <misc> ok so can we close the meeting ?
22:12:01 <leuhmanu> yep
22:12:13 <misc> #endmeeting