IRC_meeting_2021 07 13
(11:01:53 AM) jjohansen: cboltz, sarnold, sbeattie, georgiag, jont meeting time
(11:06:30 AM) jjohansen: Let's get started
(11:06:53 AM) jjohansen: I don't have anything on the meeting agenda, so this might actually be a quick meeting
(11:07:28 AM) jjohansen: First up I would like to introduce georgiag and jontourville who are both going to be doing some apparmor work for Canonical
(11:07:32 AM) jjohansen: welcome
(11:07:50 AM) sbeattie: woohoo, welcome georgiag and jontourville!
(11:07:58 AM) cboltz: welcome!
(11:08:03 AM) georgiag: thank you! :)
(11:08:07 AM) jontourville: thanks!
(11:10:24 AM) sarnold: \o/
(11:11:56 AM) jjohansen: Next up the 3.0.2 release. We are going to land the library interface patch
(11:12:02 AM) jjohansen: this needs more testing
(11:12:40 AM) jjohansen: so please test so we can have a solid release
(11:12:54 AM) jjohansen: Is there anything else we need to try to land before the release?
(11:13:13 AM) sbeattie: right, we've verified the library interface patch on ubuntu kernels, I don't think I tested the latest version on debian...
(11:13:23 AM) jjohansen: or suse
(11:14:07 AM) sbeattie: right, I never got that far.
(11:14:28 AM) sbeattie: does suse carry the stacking patches?
(11:14:58 AM) jjohansen: no
(11:15:21 AM) jjohansen: but they do have the new proc interface and so flag info in newer kernels
(11:15:26 AM) jjohansen: ie. what is upstream
(11:15:34 AM) jjohansen: so it is a different combo
(11:15:37 AM) jjohansen: than ubuntu
(11:15:59 AM) sbeattie: ack
(11:15:59 AM) jjohansen: closer to debian but different again because they do carry a couple out of tree patches
(11:18:10 AM) sbeattie: I can't think of anything else to want to land in 3.0.2
(11:19:01 AM) jjohansen: cboltz: anything important on your end?
(11:19:06 AM) cboltz: what about https://gitlab.com/apparmor/apparmor/-/merge_requests/721 ? This simple patch has been pending for months, and adds a rule that is needed in real-world programs
(11:19:56 AM) cboltz: I'm not 100% sure if abstractions/base is the perfect place, but we should come to a decision ;-)
(11:20:20 AM) jjohansen: it is not
(11:20:39 AM) jjohansen: I can live with it having a new abstraction
(11:20:47 AM) jjohansen: and the application including that
(11:20:51 AM) sarnold: I liked the abstractions/crypto suggestion
(11:21:02 AM) jjohansen: or even base including that if it is used by multiple applications
(11:21:11 AM) jjohansen: but it should not be directly in base
(11:21:15 AM) jjohansen: yeah
(11:22:06 AM) sarnold: this and the crypto policies stuff would be an ideal starting point
(11:23:13 AM) cboltz: ok, so abstractions/crypto - I'll update the MR
(11:23:57 AM) cboltz: should I also _move_ (or copy?) crypto-policies rules there? If yes/move, should ssl_certs (where they live now) include crypto?
(11:25:06 AM) jjohansen: I would make crypto include, instead of moving/copying
(11:25:56 AM) jjohansen: ideally I want the abstractions to carry as much semantic meaning as possible, I uhhh have plans for auto extracting some typing info from them
(11:26:04 AM) sarnold: ooooo
(11:27:44 AM) cboltz: looking at the original MR again (especially the diff) - abstractions/base already allows   @{PROC}/sys/crypto/* r,   with a comment saying that libgcrypt needs it, so technically base already has a libgcrypt-related rule ;-)
(11:28:35 AM) jjohansen: well we can move that into crypto, and include crypto into base
(11:29:19 AM) cboltz: sounds good
(11:30:35 AM) sbeattie: there's also the hmac stuff that I added for FIPS 140-2 support that could probably go there as well.
(11:31:21 AM) sbeattie: (since they are consumed by FIPSified openssl and libgcrypt)
(11:32:05 AM) jjohansen: oh yeah
(11:32:26 AM) cboltz: no objections, but - should all that go into one MR?
(11:33:23 AM) jjohansen: we can break into multiple commits in one MR
(11:33:32 AM) jjohansen: or do separate MRs
(11:33:34 AM) jjohansen: either works
(11:34:00 AM) sbeattie: 928249
(11:34:22 AM) sbeattie: bah
(11:36:12 AM) sbeattie: okay, so besides that bit of abstraction rework and the library interface patch, anything else for 3.0.2?
(11:37:01 AM) cboltz: hmm, maybe !760 ?
(11:37:19 AM) sarnold: https://gitlab.com/apparmor/apparmor/-/merge_requests/760
(11:37:53 AM) sarnold: ah seems probably good
(11:43:38 AM) jjohansen: ah yeah, I have been meaning to merge that
(11:44:08 AM) jjohansen: okay, let's get things merged today and give it a week for testing and try to release next week
(11:44:24 AM) sbeattie: +1
(11:44:44 AM) jjohansen: does anyone have anything else to bring up?
(11:45:28 AM) cboltz: yes, another MR (master only) ;-)
(11:45:30 AM) cboltz: https://gitlab.com/apparmor/apparmor/-/merge_requests/677
(11:46:01 AM) cboltz: I still think that detecting early if a profile can't be parsed by the tools is better than not checking (and earning angry users ;-)
(11:46:29 AM) jjohansen: how did I know this one was going to come up?
(11:46:36 AM) cboltz: ;-)
(11:47:00 AM) jjohansen: I am very hesitant to merge this one, at least as a test that is run as part of distro packaging
(11:47:11 AM) jjohansen: it's fine for dev
(11:48:08 AM) cboltz: yes, it might annoy distro packagers, but adding a profile to the skip list isn't hard (simple patch) and IMHO is worth more than earning angry users unknowingly
(11:48:13 AM) jjohansen: I am even more hesitant to introduce in a 3.0.x release
(11:48:28 AM) cboltz: I'm fine with master only
(11:48:51 AM) jjohansen: sbeattie: what are your thoughts?
(11:50:14 AM) sbeattie: Oh I missed that skip list support got added.
(11:52:48 AM) sbeattie: Hrm, on master I guess it could be okay.
(11:53:41 AM) sbeattie: I have to think about whether we'd want to drop it back out when we cut a release/release branch.
(11:54:31 AM) jjohansen: okay. so let's get it merged with a note to think about this is something we disable as part of the release process
(11:55:17 AM) jjohansen: is there anything else to raise?
(11:55:21 AM) cboltz: wearing my openSUSE packager hat - I want to know if a profile I add directly to the apparmor package breaks the tools, therefore I vote to keep it when doing a release
(11:55:23 AM) sarnold: nothing from me
(11:58:20 AM) cboltz: I'm also running out of old MRs ;-)
(11:59:59 AM) sarnold: hah :)
(12:00:23 PM) jjohansen: alright, next meeting is tentatively scheduled for Tues Aug 10 at 18:00 UTC. If this is a problem for anyone let us know so the meeting can be rescheduled
(12:00:23 PM) jjohansen: thanks everyone
(12:00:23 PM) jjohansen: meeting adjourned