18:36:25 <TheSnide> #startmeeting
18:36:25 <MeetBot> Meeting started Tue Dec  3 18:36:25 2013 UTC.  The chair is TheSnide. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:36:25 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:36:37 <ToBeFree> MeetBot pings itself :D
18:36:37 <MeetBot> ToBeFree: Error: "pings" is not a valid command.
18:36:40 <TheSnide> #info sorry for lateness.
18:37:20 <GrumpyFux> jojoo: To be continued after the meeting, stay tuned
18:37:21 <TheSnide> #topic agenda
18:37:45 <GrumpyFux> For the agenda, CVE aftermath
18:38:12 <TheSnide> today, usual topic (2.2, munin-c) and CVE *fiasco*
18:38:31 <TheSnide> #topic 2.2
18:39:34 <TheSnide> i contacted the guy from the ml with munin bootstrap templates earlier today, he might come
18:41:00 <TheSnide> i didnt look much at these templates, but janl *highly* insisted for them to be in 2.2 if possible, so i'll do my best. (he's usually of good advice)
18:41:51 <TheSnide> #info 2.2 might ship with new bootstrap templates
18:42:08 <GrumpyFux> Erm, what's that?
18:43:14 * TheSnide searchs the linl
18:43:18 <TheSnide> url
18:44:40 <TheSnide> #info "munstrap" is at http://blog.redbranch.net/2013/11/28/munin-bootstrap-template-munstrap/
18:46:06 <TheSnide> the sql branch is now mostly functional. only special pages are missing (problems, categories, ...) and some navigation extras in pages.
18:46:10 <GrumpyFux> So, it's a different theming
18:46:15 <TheSnide> yup.
18:46:57 <TheSnide> i think it's nice to be default. with "orig" an opt-in feat if some prefers that one.
18:47:07 <GrumpyFux> Didn't get the sql branch working here but I'll continue trying
18:48:04 <TheSnide> #action TheSnide has to write something about a tuto for setting an dev sandbox easily.
18:48:40 <TheSnide> ok. next
18:48:47 <TheSnide> #topic munin-c
18:49:31 * helmut catches up
18:49:58 <TheSnide> the "cpu.field.max" issue has been sorted up. It is the recent chips that exibits this behavior, but only on cygwin+win2k8.
18:50:19 <TheSnide> (at least according to my tests)
18:50:58 <TheSnide> it is because of the "turbo" feat that make chips go overclock
18:51:29 <TheSnide> as helmut suggested, it should either be #ifdef away, or be mainline.
18:52:43 <TheSnide> IHMO i think having a .max on those fields is dangerous anyway, as when rounding errors occurs it might be ignored.
18:52:58 <helmut> then remove them in mainline?
18:54:27 <TheSnide> so, as the .max is only for protection against obviously bad values, i'd advocate about it being 300 instead of current 100. in mainline.
18:54:52 <TheSnide> 300 being quite arbitrary indeed.
18:55:27 <TheSnide> noone vetoes ?
18:55:40 <TheSnide> ...
18:55:47 <helmut> so if you really get a spike of 250, you'll see little of the actual graph anymore.
18:56:05 <helmut> maybe 150 is a bit more useful, since 2/3 of the space will remain useful.
18:57:04 <helmut> the more important aspect is to raise this value and to explain in the source why we're doing it. the actual value is subject to colouring bike sheds. ;-)
18:57:33 <TheSnide> note that the .max is not used for graphing. only to protect rrd from bad values
18:58:25 <TheSnide> but ok.
18:59:25 <helmut> it is indirectly used for graphing
18:59:32 <TheSnide> #agreed the cpu.f.max value will be increased mainline with a comment. actual value will be decided outside meeting, and subject to change.
19:00:20 <TheSnide> so, next ?
19:00:40 <helmut> well, it works. ;-)
19:01:17 <TheSnide> #topic cve
19:02:29 <TheSnide> (unleash grumpyfux)
19:10:15 <TheSnide> brb, sorry
19:10:54 <cbiedl> re
19:11:18 <cbiedl> sorry, appearently some folks are playing network. Without telling
19:14:37 <helmut> TheSnide: I think GrumpyFux has quit, can you summarize?
19:16:33 <GrumpyFux> re
19:17:29 <GrumpyFux> .oO (Being in the executive board doesn't imply I might be informed ahead of network outages)
19:17:50 <helmut> do you mean munin#1397 aka CVE-2013-6359?
19:18:04 <GrumpyFux> Yes, and the other, bigger one too
19:18:45 <GrumpyFux> My question is, are the distributions working on it, mostly Debian oldstable?
19:21:33 <helmut> could you be more precise than "bigger one"?
19:22:41 <GrumpyFux> 2. A malicious node might drive the master into an endless loop with memory exhaustion.
19:22:44 <GrumpyFux> This has been assigned CVE-2013-6048
19:24:28 <GrumpyFux> Want a reproducer, too? :)
19:25:35 * helmut should start fuzz-testing node and master. ;-)
19:27:04 <GrumpyFux> helmut: Well, I tripped over that while checking some different weirdness ... but that's something for a beer
19:27:21 * TheSnide is back
19:29:05 <TheSnide> so, basically the content is as intersting as the form
19:29:48 <TheSnide> (i wont discuss the content here, more the handling of it)
19:29:49 <GrumpyFux> Aftermath: There's a big mess in plugin handling and I'll show up with a proposal to restrict some things, clarify other
19:30:02 <GrumpyFux> This might break some plugins, but they don't deserve better
19:30:45 <TheSnide> GrumpyFux: would you agree to propose some protocol restriction next meeting ?
19:31:16 <GrumpyFux> TheSnide: Propose yes, but that should rather be mail. Might become a bit longer
19:32:14 <GrumpyFux> jojoo: deb#731266
19:32:51 <helmut> do I understand correctly that the big one is undisclosed?
19:33:10 <helmut> in that case you should not be mentioning it here anyway. people can easily find it with the present details
19:33:25 <GrumpyFux> helmut: It's fixed with 2.0.18 released yesterday
19:33:29 <helmut> ah ok
19:33:40 <GrumpyFux> Else I'd be as silent as i was the past five weeks
19:35:43 <GrumpyFux> So, Debian maintainers (ssm?), what's the status about oldstable?
19:36:40 <helmut> well there should be a security upload being made. the most difficult part is finding someone to test oldstable updated packages. ;-)
19:36:57 <GrumpyFux> I did, until *censored*
19:37:34 <helmut> is censored in the past or in the future?
19:38:24 <GrumpyFux> Already far in the past. I also backported the fix for CVE-2012-3512, deb#679897
19:39:08 <helmut> any debian oldstable user with munin around?
19:40:00 <GrumpyFux> Eh, wrong reference, munin#1234
19:40:58 <TheSnide> the other real bothering part is that it's our first security bug with embargo.
19:42:01 <helmut> and the webpage completely fails to explain the impact to users
19:42:14 <GrumpyFux> So the next time we'll learn whether there's space for improvement :)
19:42:28 <TheSnide> for the record, GrumpyFux sent us (security@mmo) the bug, along with a fix.
19:43:13 <TheSnide> the .18 was ready very soon.
19:43:54 <TheSnide> ... but then, it got released *very* late, as noone from mm0 did anything to contact oss.
19:43:55 <helmut> please send a mail to oss-security@lists.openwall.com with the CVE ids and munin in the title
19:44:06 <TheSnide> noone = me :-/
19:44:35 <GrumpyFux> helmut: Was sent a few days ago, did not receive the kind of reply I expected
19:44:48 <GrumpyFux> Will never do that again
19:45:03 <TheSnide> so, i think we should write up a postmortem of the handling, and write up some todo list.
19:45:22 <helmut> GrumpyFux: your mail was rejected?
19:45:44 <TheSnide> helmut: GrumpyFux was far too emotional on this, mostly due to my inactions.
19:46:26 <TheSnide> helmut: reply was factual an technically correct, but well... bad timing i'd say.
19:46:28 <helmut> really I didn't see anything on oss-sec
19:46:45 <TheSnide> helmut: (on the closed list)
19:47:25 <GrumpyFux> helmut: Ah, it went to  distros@vs.openwall.org,
19:47:29 <helmut> ok.
19:47:53 <helmut> now send the postmortem including links to the fixed version, bugs, relevant patches, cve ids to the list I told you
19:48:13 <helmut> distros@vs can be busy at times
19:50:40 * helmut is off
19:50:50 <GrumpyFux> /me looks demotivated
19:53:22 <TheSnide> GrumpyFux: i do understand.
19:53:57 <TheSnide> #action TheSnide will write a checklist for the next closed sec bug
19:54:19 <TheSnide> GrumpyFux: anything to add ?
19:55:15 <GrumpyFux> TheSnide: demotivated regarding distros@vs
19:55:22 <TheSnide> ok, so...
19:55:30 <TheSnide> GrumpyFux: i'll do :)
19:55:48 <TheSnide> #topic misc
19:55:50 <GrumpyFux> Feel free to forward my message to relevant parties
19:56:02 <TheSnide> anything #misc ?
19:56:33 * TheSnide feels the meeting is fully packed already :)
19:56:35 <GrumpyFux> Any progress in the trac2irc gateway?
19:56:38 * ssm has some input :)
19:56:53 <TheSnide> ssm: please go ahead ! (and welcome)
19:56:59 * ssm just got home…
19:57:12 <ssm> security uploads:
19:57:48 <ssm> debian unstable has an upload, debian stable has a waiting upload, but I need to know if anyone has been in contact with the debian security team.  If not I'll contact them, and ask for permission to upload to stable.
19:58:02 <ssm> haven't thought about oldstable yet, but that is handled the same way
19:58:19 <GrumpyFux> ssm: You got the mails I sent to security@mm?
19:58:36 <GrumpyFux> There's a Debian security ticket number ...
19:59:02 <ssm> ok, I'll take over that, and get munin uploaded to stable, and look at oldstable later.
19:59:11 <GrumpyFux> And also the oldstable patch
19:59:16 <ssm> ack
20:00:20 <GrumpyFux> And I tested them in all the ways I could think of (quite a few). Still, somebody else should do, too
20:00:21 <TheSnide> ssm: 2.0.18-1 is on dmmo
20:01:54 <ssm> TheSnide: thanks. :)  I used the tarball on SF to make the package, but I prefer dmmo (d=downloads, not demo)
20:02:00 <TheSnide> btw, i'm planning to test sql on dmmo once it's usable enough
20:02:05 <ssm> or did I mix that up? :D
20:02:18 <TheSnide> dlmmo == downloads
20:02:19 <TheSnide> :)
20:03:00 <TheSnide> dmmo == demo (as it was here first, in pure WHOIS tradition)
20:03:18 <ssm> . o O { echo downloads.munin-monitoring.org | md5sum }
20:03:39 <TheSnide> 0750a842c51e51be43f9faf3acb38271 ?
20:03:44 <GrumpyFux> Let's end the meeting, I'm in the mood for some snide comments
20:03:52 <TheSnide> ok.
20:03:56 <TheSnide> #endmeeting