15:03:25 <jreznik> #startmeeting kde-sig -- http://fedoraproject.org/wiki/SIGs/KDE/Meetings/2011-10-04
15:03:25 <zodbot> Meeting started Tue Oct 4 15:03:25 2011 UTC. The chair is jreznik. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:25 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:03:45 <jreznik> #topic roll call
15:04:21 <Kevin_Kofler> Present.
15:04:29 * ltinkl here
15:04:51 * rnovacek is here
15:05:45 * nucleo here
15:06:58 <rdieter_laptop> here
15:07:15 <jreznik> #info jreznik Kevin_Kofler ltinkl rnovacek nucleo rdieter_laptop present
15:07:29 <jreznik> #chair jreznik Kevin_Kofler ltinkl rnovacek nucleo rdieter_laptop
15:07:29 <zodbot> Current chairs: Kevin_Kofler jreznik ltinkl nucleo rdieter_laptop rnovacek
15:07:39 <jreznik> ok, let's start :)
15:07:44 <jreznik> #agenda
15:07:49 <jreznik> #topic agenda
15:08:11 <Kevin_Kofler> CVE-2011-3365
15:08:25 <Kevin_Kofler> (kdelibs: input validation failure in KSSL, and AFAICT kdelibs3 too)
15:09:35 <jreznik> 4.7.1/4.7.2
15:09:44 <Kevin_Kofler> Yeah, that too.
15:10:05 <Kevin_Kofler> And any updates on "[Bug 731245] KDE fails to start inside a VM , large amount of memory [@ miCopyRegion]"…
15:11:44 <rdieter_laptop> i've got a local qt-4.8 snapshot building, we could discuss whether (or not) to pull that into rawhide.
15:11:51 <jreznik> Kevin_Kofler: no, no reaction even on email... I'll try to ping him again, just I was out at fudcon...
15:13:52 <jreznik> #topic CVE-2011-3365
15:15:23 <rdieter_laptop> looks like we've got some patches (at least for kdelibs4), just a matter of applying them, doing builds, and issuing updates, no?
15:16:03 <jreznik> .bug 743054
15:16:05 <zodbot> jreznik: Bug 743054 CVE-2011-3365 kdelibs: input validation failure in KSSL - https://bugzilla.redhat.com/show_bug.cgi?id=743054
15:16:15 * rdieter_laptop was holding out for the fun of doing 4.7.2, but can work on this too if no one else is...
15:16:53 <rdieter_laptop> Kevin_Kofler: you looked at kdelibs3 much yet?
15:17:43 <jreznik> rdieter_laptop: let 4.7.2 topic for later :)
15:18:23 <Kevin_Kofler> rdieter_laptop: Not much, only to check whether it's vulnerable, and AFAICT it is.
15:18:32 <ltinkl> I can do the kdelibs4 security fixes
15:19:15 <rdieter_laptop> I suppose it can get rolled into our existing 4.7.1 update?
15:19:18 <ltinkl> kdelibs and rekonq are vulnerable
15:19:26 <jreznik> #info Kevin_Kofler informs that kdelibs3 are probably vulnerable too
15:19:45 <jreznik> rdieter_laptop: I hope so
15:19:47 <ltinkl> think so too, the 2 patches (to kdelibs) are trivial
15:19:53 <rdieter_laptop> 4.7.1 for f16 that is.
15:20:15 <rdieter_laptop> cool, works for me. a good excuse to get it out to stable quicker, to make room for 4.7.2
15:20:46 <ltinkl> #info ltinkl to take care of kdelibs/rekonq CVEs
15:20:56 <jreznik> #undo
15:20:56 <zodbot> Removing item from minutes: <MeetBot.items.Info object at 0x1f78346c>
15:21:02 <rdieter_laptop> ltinkl: you want kdelibs3 too? (if not, I can do it)
15:21:11 <jreznik> #action ltinkl to take care of kdelibs/rekonq CVEs
15:21:33 <ltinkl> rdieter_laptop: would be nice if you could look at kdelibs3
15:21:48 <Kevin_Kofler> rdieter_laptop: The code in kdelibs3 is very different.
15:22:00 <Kevin_Kofler> It's not just a matter of making the patch apply.
15:22:27 <Kevin_Kofler> The file in KSSL is not called the same and the code is completely different.
15:22:48 <Kevin_Kofler> But it also seems to pass stuff to a QLabel with the default AutoText mode, so looks just as vulnerable.
15:22:58 <Kevin_Kofler> (stuff such as the hostname of the certificate)
15:23:09 <rdieter_laptop> ok, i'll definitely ask for help if I get stuck.
15:24:44 <Kevin_Kofler> The kio_http code is also somewhat different, but at least not completely rewritten like the KSSL one.
15:26:35 <rdieter_laptop> ok, we can probably move on now.
15:26:49 <Kevin_Kofler> I can also have a look at kdelibs3 (after all, I'm the one who wants to keep the legacy KDE 3 stuff alive), but most likely not before Thursday evening.
15:27:32 <Kevin_Kofler> BTW, any news from the RH folks, whether RH wants this fixed in RHEL?
15:28:51 <ltinkl> Kevin_Kofler: yes
15:29:05 <ltinkl> Kevin_Kofler: handled in a separate bug, as usual :)
15:29:06 <jreznik> ok, let's move on... Kevin_Kofler maybe me or ltinkl can help too as you know...
15:29:32 <Kevin_Kofler> ltinkl: Unfortunately, I can't read those RHEL bugs. :-(
15:29:48 <ltinkl> that's intentional :p
15:29:55 <jreznik> #action Kevin_Kofler to look at kdelibs3 fix (and hopefully with some RH guys help :)
15:30:30 <jreznik> #topic 4.7.1 status
15:31:50 <nucleo> I tested 4.7.1 on F16, looks good except kmail1 to kmail2 migration (which is not 4.7.1 specific as I understand)
15:32:26 <rdieter_laptop> https://admin.fedoraproject.org/updates/FEDORA-2011-13417
15:33:21 <rdieter_laptop> once we have the kdelibs CVE added here, can probably queue for stable
15:33:46 <ltinkl> rdieter_laptop: yup, I'll add the kdelibs fixes tomorrow
15:34:09 <Kevin_Kofler> How about we queue it for stable now and file a separate update for the CVE?
15:34:10 <jreznik> #info https://admin.fedoraproject.org/updates/FEDORA-2011-13417
15:34:44 <jreznik> what's going to be faster? with all waiting stuff?
15:34:59 <jreznik> probably editing current update?
15:35:43 <ltinkl> imho yes
15:36:00 <rdieter_laptop> depends on when pushes happen.
15:36:16 <rdieter_laptop> *if* there's a push before ltinkl is done... but otherwise, probably doesn't matter much
15:37:50 <rdieter_laptop> simplest just to add it to the existing update probably.
15:38:43 <jreznik> I don't have a preference here...
15:39:15 * nirik is happy to adjust pushes if it helps you guys...
15:41:38 <jreznik> ltinkl: could you try to build it now and update current one? and if nirik can adjust push it's not before this is done, it would be great
15:41:50 <ltinkl> jreznik: already doing it
15:43:17 <rnovacek> btw: http://labs.qt.nokia.com/2011/10/04/security-considerations-regarding-qlabel-and-friends/
15:44:36 <nirik> I assume you mean for a stable push? or for testing?
15:44:57 <rnovacek> and Qt 4.8 string freeze happens today
15:45:58 <ltinkl> nirik: stable
15:46:12 <nirik> ltinkl: ok, let me know.
15:46:22 <ltinkl> nirik: thanks
15:47:18 <jreznik> #info ltinkl to finish kdelibs builds and modify current update in cooperation with nirik (thx) to make push happen in the right time
15:47:40 <jreznik> anything else for 4.7.1?
15:47:52 <Kevin_Kofler> No.
15:48:10 <jreznik> #topic 4.7.2
15:48:22 <jreznik> anyone working on this? otherwise I can take care
15:48:35 <rdieter_laptop> jreznik: go for it
15:48:50 <rnovacek> jreznik: I can help you with that
15:48:50 <jreznik> #action jreznik to start with 4.7.2
15:48:51 <Kevin_Kofler> We're finally about to get 4.7.1 out and wham, there's 4.7.2… :-/
15:48:54 <Kevin_Kofler> Work never ends.
15:49:02 <jreznik> Kevin_Kofler: neverending story :)
15:50:00 <jreznik> we were quite slow with 4.7.1 - maybe time to work on some sort of automation for updates, I'll try to ask other teams with bunch of packages (like perl) for help
15:50:13 <jreznik> quick one, let's move
15:50:30 * Kevin_Kofler blames split packaging for it, thinks we should have stuck with monolithic and hacked things to build in that setup.
15:51:00 <jreznik> Kevin_Kofler: I know, split packaging but with the right tools we can be fast again :)
15:51:10 <jreznik> #topic qt 4.8 snapshot
15:51:17 <jreznik> rdieter_laptop: ?
15:51:48 <rdieter_laptop> I took a git snapshot from oct 2, and got it built in kde-unstable, fwiw.
15:51:52 <jreznik> and as rnovacek already pointed out - 4.8 is knocking on the door - with string freeze but it can still take some time...
15:52:43 <rdieter_laptop> unfortunately, didn't help the kde apps on gnome-shell losing mouse events problem
15:53:02 <Kevin_Kofler> I guess we should try to get it into F16, to ship something less old and hopefully closer to release quality.
15:53:22 <nucleo> when will be release?
15:53:22 <Kevin_Kofler> It was probably a mistake to ship 4.8 in the first place, but there's no practical way to change that now.
15:53:27 <rdieter_laptop> anyway, any objections to importing into rawhide at least? with a wee bit more testing, can do a f16 build too.
15:53:52 <Kevin_Kofler> rdieter_laptop: No objections here, IMHO, get it into Rawhide right now.
15:53:53 <rdieter_laptop> nucleo: when it's ready, the estimate was Q4 2011
15:54:04 <jreznik> +1 for rawhide
15:54:21 <jreznik> without schedules it would be always lottery
15:54:26 <rdieter_laptop> (actually the expected date may have been even earlier, not sure now)
15:54:26 <jreznik> (and it was)
15:55:21 <Kevin_Kofler> Now what does Q4 mean here? To me, it means Oct-Dec, but I've seen US companies count in fiscal quarters where Q1 is Mar-May or Apr-Jun or something like that, so Q4 2011 would already be in 2012.
15:56:13 <Kevin_Kofler> I think a month range would be much more transparent to normal, non-business people than quarter numbers. :-/
15:57:35 <rdieter_laptop> ok, I'll import it after meeting (last chance to yell not to. :) )
15:57:41 <jreznik> last time the difference between 4.7 string freeze and release was two months
15:57:50 <jreznik> july 22 to sep 21
15:57:52 <rdieter_laptop> jreznik: ouch, that's a long time. :(
15:58:45 <jreznik> it is, so let's try your snapshot
15:58:45 <Kevin_Kofler> We've known for quite some time that there'd be no way 4.8 final would be out in time for F16.
15:59:11 <rdieter_laptop> Kevin_Kofler: I'd been hoping there'd be another pre-release or rc though, but meh.
15:59:12 <jreznik> at least kde-unstable, rawhide and we will see how it works
15:59:26 <jreznik> rdieter_laptop: same here, rc would make our life much more easier
15:59:52 <jreznik> and open governance with schedules is wish over reality, even thiago is not in nokia anymore...
16:00:35 <jreznik> string freeze and rc was about one month
16:00:42 <jreznik> last time
16:01:02 <Kevin_Kofler> I think we really need a snapshot for F16.
16:01:10 <jreznik> but with qt 5 thing it could take more (or less if they want to get rid of two versions developed in parallel)
16:01:13 <rdieter_laptop> Kevin_Kofler: probably so
16:02:00 <jreznik> #info rdieter_laptop prepared qt 4.8 snapshot (oct 2) - kde-unstable
16:02:22 <jreznik> #info qt 4.8 is in string freeze phase
16:02:47 <jreznik> #info difference between string freeze and rc last time was one month, another month to release
16:03:19 <jreznik> rdieter_laptop: ok, makes sense, could you take care?
16:03:35 <rdieter_laptop> to do a f16 build too you mean?
16:04:36 <jreznik> rdieter_laptop: yep, because it can take a long time to get at least rc... the question is - now or rawhide/kde-unstable only to test it a few days?
16:04:54 <rdieter_laptop> may as well be sooner rather than later
16:05:35 <jreznik> of course...
16:05:47 <rdieter_laptop> snapshots are sometimes more prone to regressions though, but hopefully nokia (and other qt committers) are being more careful the closer we approach release time. (ha)
16:06:15 <jreznik> :)
16:06:28 <jreznik> well? decision? ltinkl, Kevin_Kofler?
16:06:44 <rdieter_laptop> well, rawhide build going now anyway.
16:07:04 <rdieter_laptop> i'll do f16 too a little later.
16:07:28 <rnovacek> rdieter_laptop: +1
16:07:45 <rnovacek> wait a few day to see if somethink breaks
16:07:51 <rnovacek> *days
16:07:58 <rnovacek> *something
16:08:03 <jreznik> ok
16:08:27 <jreznik> #action rdieter_laptop is building snapshot for rawhide right now, f16 a little later
16:08:47 <rdieter_laptop> fyi, qt-4.8.0-0.12.20111002 is in f15 kde-unstable now
16:09:05 <jreznik> #info qt-4.8.0-0.12.20111002 is in f15 kde-unstable now
16:09:06 * rdieter_laptop has been using it for 1/2 day so far
16:09:35 <jreznik> ok, let's wrap it up today, thank you guys!
16:09:44 <jreznik> #endmeeting