| *** rajm has joined #cip | 05:54 | |
| *** eduardas has joined #cip | 07:30 | |
| *** tpollard has joined #cip | 07:54 | |
| *** masashi910 has joined #cip | 08:41 | |
| *** fujita has joined #cip | 08:48 | |
| *** pave1 has joined #cip | 08:59 | |
| masashi910 | #startmeeting CIP IRC weekly meeting | 08:59 |
|---|---|---|
| brlogger | Meeting started Thu Oct 22 08:59:59 2020 UTC and is due to finish in 60 minutes. The chair is masashi910. Information about MeetBot at http://wiki.debian.org/MeetBot. | 08:59 |
| brlogger | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 08:59 |
| brlogger | The meeting name has been set to 'cip_irc_weekly_meeting' | 08:59 |
| *** brlogger changes topic to " (Meeting topic: CIP IRC weekly meeting)" | 09:00 | |
| masashi910 | #topic rollcall | 09:00 |
| *** brlogger changes topic to "rollcall (Meeting topic: CIP IRC weekly meeting)" | 09:00 | |
| masashi910 | please say hi if you're around | 09:00 |
| patersonc | hi | 09:00 |
| wens | hi | 09:00 |
| fujita | hi | 09:00 |
| iwamatsu | hi | 09:00 |
| masashi910 | #topic AI review | 09:01 |
| *** brlogger changes topic to "AI review (Meeting topic: CIP IRC weekly meeting)" | 09:01 | |
| masashi910 | 1. Combine root filesystem with kselftest binary - iwamatsu | 09:01 |
| iwamatsu | no update for this. | 09:01 |
| masashi910 | iwamatsu: Noted. Thanks. | 09:01 |
| masashi910 | 2. Check whether CVE-2019-0145, CVE-2019-0147, CVE-2019-0148 needs to be backported to 4.4 - masashi910 | 09:01 |
| pave1 | hi | 09:01 |
| masashi910 | Pavel-san, Chen-Yu-san, thanks for your follow-up discussions on this. | 09:01 |
| masashi910 | https://lore.kernel.org/cip-dev/20201014141355.GA16362@duo.ucw.cz/ | 09:01 |
| masashi910 | https://lore.kernel.org/cip-dev/CAGb2v66aPu3wn_0PwRsp3V=LV5aFPwxEO8Rhzsz-bCeF2PDv-g@mail.gmail.com/ | 09:01 |
| masashi910 | Do you have any suggestions how to proceed or conclude this? | 09:02 |
| wens | there's another new CVE (or old, since it's from 2019) for i40e :( | 09:02 |
| masashi910 | wens: Oh... | 09:02 |
| wens | I'd say just backport the commits Intel listed. | 09:02 |
| iwamatsu | what CVE number? | 09:02 |
| pave1 | From the commits we identified, there was nothing that looked like worth backporting. | 09:02 |
| wens | iwamatsu: CVE-2019-0149 | 09:02 |
| iwamatsu | wens: thanks | 09:03 |
| pave1 | Memory leaks in error paths... | 09:03 |
| iwamatsu | I see. | 09:04 |
| masashi910 | pave1: Please let me confirm. Not worth backporting for CVE-2019-0145, CVE-2019-0147, CVE-2019-0148? | 09:04 |
| pave1 | I guess I would need to take another look. But it certainly did not look urgent. | 09:05 |
| pave1 | 7015ca3df965378bcef072cca9cd63ed098665b5 -- can malicious user trigger this at all? | 09:05 |
| masashi910 | pave1: Thanks for your comments. Then, shall I keep this AI open and follow at the next IRC meeting? | 09:06 |
| pave1 | 147: references the same CVE. | 09:06 |
| pave1 | If wens has time, perhaps we can talk after the meeting? | 09:06 |
| wens | sure | 09:07 |
| *** hungtran has joined #cip | 09:07 | |
| pave1 | Thanks :-). | 09:07 |
| masashi910 | pave1, wens: Thanks! | 09:07 |
| masashi910 | So, let's move on. | 09:07 |
| masashi910 | #topic Kernel maintenance updates | 09:07 |
| *** brlogger changes topic to "Kernel maintenance updates (Meeting topic: CIP IRC weekly meeting)" | 09:07 | |
| wens | 5 new CVEs this week, including the i40e one: | 09:08 |
| wens | - CVE-2019-0149 [net/i40e] | 09:08 |
| wens | - CVE-2020-0423 [binder] - fixed in mainline | 09:08 |
| wens | - CVE-2020-25656 [vt_do_kdgkb_ioctl use after free] | 09:08 |
| wens | - CVE-2020-27152 [KVM] | 09:08 |
| wens | - CVE-2020-27194 [bpf verifier] - fixed in mainline and 5.8 (introduced in v5.7) | 09:08 |
| iwamatsu | I revewed 4.4.240. | 09:08 |
| pave1 | Investigating CVEs, reviewing PCIe EP changes, few patches reviewed for 4.19.153. | 09:08 |
| wens | I haven't finished this week's merge request, so the details aren't on gitlab yet. | 09:09 |
| masashi910 | wens: Are there any urgent patches among 5 CVEs? | 09:09 |
| wens | no. | 09:09 |
| wens | I don't believe we need to care about binder. | 09:09 |
| masashi910 | wens: I see. Thanks. | 09:09 |
| wens | KVM and vt don't have fixes yet | 09:10 |
| masashi910 | wens, iwamatsu, pave1: Thanks for your works! | 09:10 |
| masashi910 | any other topics? | 09:11 |
| masashi910 | 3 | 09:11 |
| wens | I haven't included pave1's investigation into the Bluetooth patches either. | 09:11 |
| wens | hopefully I will get everything done by this weekend. | 09:11 |
| pave1 | wens: AFAICT, Bluetooth is now solved. | 09:12 |
| wens | pave1: thanks. I will make sure they are documented properly, instead of the big mess it is right now. | 09:12 |
| masashi910 | wens, pave1: Thanks for additional info and works. | 09:13 |
| masashi910 | Any other topics? | 09:13 |
| masashi910 | 3 | 09:13 |
| masashi910 | 2 | 09:14 |
| masashi910 | 1 | 09:14 |
| masashi910 | #topic Kernel testing | 09:14 |
| *** brlogger changes topic to "Kernel testing (Meeting topic: CIP IRC weekly meeting)" | 09:14 | |
| patersonc | Hello | 09:14 |
| patersonc | Not much done since last week. | 09:14 |
| patersonc | I recorded a presentation for ELC-E with Kudo-san. That's probably about it. | 09:14 |
| masashi910 | patersonc: Thanks! | 09:15 |
| pave1 | I wanted to follow up to zoom meeting... | 09:15 |
| masashi910 | pave1: please/ | 09:15 |
| pave1 | I submit kernel for testing, then I look for the green tick marks. | 09:15 |
| pave1 | ...on gitlab. | 09:16 |
| pave1 | But I should be really going deeper into the test results to see what really failed, right? | 09:16 |
| patersonc | Yea | 09:17 |
| pave1 | Are there some long term plans to fix that? | 09:17 |
| patersonc | Yea. I plan to start using KernelCI's front end | 09:17 |
| pave1 | Great, thanks. | 09:17 |
| masashi910 | Thanks for the discussion. Any other topics? | 09:18 |
| masashi910 | 3 | 09:18 |
| masashi910 | 2 | 09:18 |
| masashi910 | 1 | 09:18 |
| masashi910 | #topic CIP Security | 09:18 |
| *** brlogger changes topic to "CIP Security (Meeting topic: CIP IRC weekly meeting)" | 09:18 | |
| masashi910 | Today, Yoshida-san is not here. | 09:18 |
| masashi910 | As was reported, the WG started the discussion with the certification body. | 09:18 |
| masashi910 | We are discussing both IEC62443-4-1 (process requirements) and -4-2 (feature requirements). | 09:18 |
| patersonc | For example pave1: from the test run you ran yesterday, you can see results like this for each individual test job: https://lava.ciplatform.org/results/68202 | 09:19 |
| masashi910 | When the requirements become clear, they will be shared with each team how to deal with them. | 09:19 |
| patersonc | pave1: And then at a lower level: https://lava.ciplatform.org/results/68202/0_spectre-meltdown-checker-test | 09:19 |
| masashi910 | ok, let's move on. | 09:21 |
| masashi910 | #topic AOB | 09:21 |
| *** brlogger changes topic to "AOB (Meeting topic: CIP IRC weekly meeting)" | 09:21 | |
| masashi910 | I would like to propose to skip the IRC meeting next week because of ELCE2020. | 09:21 |
| masashi910 | Any objections? | 09:21 |
| masashi910 | 3 | 09:22 |
| masashi910 | 2 | 09:22 |
| masashi910 | 1 | 09:22 |
| masashi910 | Thanks, then there is no IRC meeting next week. | 09:22 |
| masashi910 | Are there any business to discuss? | 09:22 |
| masashi910 | If no, let's close the meeting today. | 09:22 |
| masashi910 | #endmeeting | 09:23 |
| brlogger | Meeting ended Thu Oct 22 09:23:00 2020 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 09:23 |
| brlogger | Minutes: https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-22-08.59.html | 09:23 |
| brlogger | Minutes (text): https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-22-08.59.txt | 09:23 |
| brlogger | Log: https://irclogs.baserock.org/meetings/cip/2020/10/cip.2020-10-22-08.59.log.html | 09:23 |
| *** brlogger changes topic to "Civil Infrastructure Platform Project. Find the logs at https://irclogs.baserock.org/cip/" | 09:23 | |
| masashi910 | Thank you, and stay safe! | 09:23 |
| pave1 | Thank you! | 09:23 |
| wens | Thank you! | 09:23 |
| pave1 | patersonc: Yes, I have dim understanding that something exists at lower level. | 09:23 |
| iwamatsu | thank you | 09:23 |
| pave1 | patersonc: But it would be really good to propagate failures from test to gitlab, because they are hard to see at the lower levels. | 09:24 |
| pave1 | wens: I see that currently merges to cip-kernel-sec are approved, etc... which adds a delay. | 09:25 |
| pave1 | wens: Would it be possible to direct pushes, so we can colaborate in the repository? | 09:25 |
| wens | pave1: I don't have push access to cip-kernel-sec | 09:25 |
| pave1 | wens: Who can I talk to to get you one? | 09:26 |
| pave1 | wens: Because repository that is delayed like this... is not too useful. | 09:26 |
| pave1 | With the Bluetooth stuff... it looks like fixes are queued in -stable, so we should not need to do anything there. | 09:27 |
| wens | not sure who has admin access, maybe szlin would know. | 09:28 |
| iwamatsu | wens: I can add permisson, maybe | 09:28 |
| pave1 | iwamatsu: That would be nice. cip-kernel-sec is kind of dashboard, not a code repository. | 09:28 |
| pave1 | iwamatsu: So approving commits only delays stuff... | 09:28 |
| wens | right, we are mostly pulling in data from other projects. | 09:29 |
| pave1 | wens: Right. Plus, you announce CVEs here, and it would be very nice to be able to git pull and have the information available. | 09:29 |
| wens | occasionally we have to fill in data ourselves, but maybe we could do those separately with review, while having the automated scripts just push directly? | 09:29 |
| iwamatsu | wens: I just send invite. | 09:30 |
| pave1 | wens: I'd prefer not to do reviews. It is our internal status, it does not go into product. | 09:30 |
| wens | iwamatsu: thanks. looks like I can merge stuff now. | 09:30 |
| pave1 | wens: if we make mistake, we fix a mistake. | 09:30 |
| pave1 | iwamatsu: Thanks a lot! | 09:31 |
| wens | pave1: so, auditing instead of reviewing | 09:31 |
| pave1 | wens: Yes, I guess. | 09:31 |
| wens | bwh isn't around right now. we should let him know. | 09:32 |
| pave1 | Yes, I guess we need to discuss that. | 09:32 |
| wens | I am in favor of pushing directly. | 09:32 |
| iwamatsu | +1 | 09:33 |
| pave1 | +1 :-) | 09:33 |
| pave1 | For the i40e issues, I wonder is we have right commit identified in CVE-2019-0145.yml . | 09:35 |
| wens | in that case, I will probably do tags for each week. | 09:35 |
| wens | pave1: the fix or the cause? | 09:36 |
| pave1 | ...and if 184 is worth handling as a security problem. Maybe the integger overflow part is. | 09:37 |
| pave1 | wens: The fix part. | 09:37 |
| wens | pave1: it was mostly a guess. I am not certain. | 09:37 |
| pave1 | Aha, ok. | 09:38 |
| wens | sorry if they confused you. There really is nothing to work from for the i40e CVEs. | 09:39 |
| pave1 | Yes, CVEs are rather hard to work from :-(. I wonder if we should be using mainline commit IDs as a bug identifiers, as Greg suggested... | 09:40 |
| wens | that only works after the fixes have landed though | 09:40 |
| iwamatsu | indeed. | 09:41 |
| pave1 | Well... we have upstream first policy, so that should not be a problem :-). | 09:41 |
| pave1 | I mean, serious bugs do get fixed rather fast. | 09:41 |
| wens | are you suggesting we identify bugs / fixes from mainline directly? | 09:43 |
| wens | sounds like Sasha's automated picker :) | 09:43 |
| pave1 | Well, maybe rather than having CVE as a primary key, have mainline ID as a primary key, and listing CVEs it is supposed to fix. | 09:44 |
| pave1 | Or perhaps that can be generated from existing data. | 09:45 |
| wens | reversing the data should be easy | 09:45 |
| wens | our data sources use CVE as the primary key though, so we should probably stick to that. | 09:46 |
| pave1 | Like... in ideal world I could run some kind of script which would tell me which mainline commits I should be looking at :-). | 09:46 |
| wens | scripts/report_affected.py but report commit hashes instead of CVE numbers? | 09:47 |
| pave1 | I'll need to take a look :-). | 09:47 |
| pave1 | Thanks! | 09:47 |
| wens | right now it just lists unfixed CVE numbers for each branch (or branches you specify) | 09:48 |
| wens | anything else? | 09:50 |
| pave1 | Ok, let me play with that. | 09:50 |
| pave1 | No, I believe I have enough to think about, thank you. | 09:50 |
| pave1 | :-) | 09:50 |
| wens | you're welcome :) | 09:50 |
| pave1 | bye for now! | 09:52 |
| *** pave1 has quit IRC | 09:53 | |
| *** masashi910 has quit IRC | 09:54 | |
| wens | I sent out an email about cip-kernel-sec just now. | 10:01 |
| *** fujita has quit IRC | 10:23 | |
| *** hungtran has quit IRC | 10:24 | |
| *** monstr has joined #cip | 12:00 | |
| *** tpollard is now known as cttpollard | 12:10 | |
| *** monstr has quit IRC | 15:15 | |
| *** eduardas has quit IRC | 15:26 | |
| *** cttpollard has quit IRC | 16:03 | |
| *** alicef has quit IRC | 18:07 | |
| *** alicef has joined #cip | 18:08 | |
| *** rajm has quit IRC | 22:01 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!