15:03:25 <jreznik> #startmeeting kde-sig -- http://fedoraproject.org/wiki/SIGs/KDE/Meetings/2011-10-04
15:03:25 <zodbot> Meeting started Tue Oct  4 15:03:25 2011 UTC.  The chair is jreznik. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:25 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:03:45 <jreznik> #topic roll call
15:04:21 <Kevin_Kofler> Present.
15:04:29 * ltinkl here
15:04:51 * rnovacek is here
15:05:45 * nucleo here
15:06:58 <rdieter_laptop> here
15:07:15 <jreznik> #info jreznik Kevin_Kofler ltinkl rnovacek nucleo rdieter_laptop present
15:07:29 <jreznik> #chair jreznik Kevin_Kofler ltinkl rnovacek nucleo rdieter_laptop
15:07:29 <zodbot> Current chairs: Kevin_Kofler jreznik ltinkl nucleo rdieter_laptop rnovacek
15:07:39 <jreznik> ok, let's start :)
15:07:44 <jreznik> #agenda
15:07:49 <jreznik> #topic agenda
15:08:11 <Kevin_Kofler> CVE-2011-3365
15:08:25 <Kevin_Kofler> (kdelibs: input validation failure in KSSL, and AFAICT kdelibs3 too)
15:09:35 <jreznik> 4.7.1/4.7.2
15:09:44 <Kevin_Kofler> Yeah, that too.
15:10:05 <Kevin_Kofler> And any updates on "[Bug 731245] KDE fails to start inside a VM , large amount of memory [@ miCopyRegion]"…
15:11:44 <rdieter_laptop> i've got a local qt-4.8 snapshot building, we could discuss whether (or not) to pull that into rawhide.
15:11:51 <jreznik> Kevin_Kofler: no, no reaction even on email... I'll try to ping him again, just I was out at fudcon...
15:13:52 <jreznik> #topic CVE-2011-3365
15:15:23 <rdieter_laptop> looks like we've got some patches (at least for kdelibs4), just a matter of applying them, doing builds, and issuing updates, no?
15:16:03 <jreznik> .bug 743054
15:16:05 <zodbot> jreznik: Bug 743054 CVE-2011-3365 kdelibs: input validation failure in KSSL - https://bugzilla.redhat.com/show_bug.cgi?id=743054
15:16:15 * rdieter_laptop was holding out for the fun of doing 4.7.2, but can work on this too if no one else is...
15:16:53 <rdieter_laptop> Kevin_Kofler: you looked at kdelibs3 much yet?
15:17:43 <jreznik> rdieter_laptop: leave the 4.7.2 topic for later :)
15:18:23 <Kevin_Kofler> rdieter_laptop: Not much, only to check whether it's vulnerable, and AFAICT it is.
15:18:32 <ltinkl> I can do the kdelibs4 security fixes
15:19:15 <rdieter_laptop> I suppose it can get rolled into our existing 4.7.1 update?
15:19:18 <ltinkl> kdelibs and rekonq are vulnerable
15:19:26 <jreznik> #info Kevin_Kofler informs that kdelibs3 are probably vulnerable too
15:19:45 <jreznik> rdieter_laptop: I hope so
15:19:47 <ltinkl> think so too, the 2 patches (to kdelibs) are trivial
15:19:53 <rdieter_laptop> 4.7.1 for f16 that is.
15:20:15 <rdieter_laptop> cool, works for me.  a good excuse to get it out to stable quicker, to make room for 4.7.2
15:20:46 <ltinkl> #info ltinkl to take care of kdelibs/rekonq CVEs
15:20:56 <jreznik> #undo
15:20:56 <zodbot> Removing item from minutes: <MeetBot.items.Info object at 0x1f78346c>
15:21:02 <rdieter_laptop> ltinkl: you want kdelibs3 too?  (if not, I can do it)
15:21:11 <jreznik> #action ltinkl to take care of kdelibs/rekonq CVEs
15:21:33 <ltinkl> rdieter_laptop: would be nice if you could look at kdelibs3
15:21:48 <Kevin_Kofler> rdieter_laptop: The code in kdelibs3 is very different.
15:22:00 <Kevin_Kofler> It's not just a matter of making the patch apply.
15:22:27 <Kevin_Kofler> The file in KSSL is not called the same and the code is completely different.
15:22:48 <Kevin_Kofler> But it also seems to pass stuff to a QLabel with the default AutoText mode, so looks just as vulnerable.
15:22:58 <Kevin_Kofler> (stuff such as the hostname of the certificate)
15:23:09 <rdieter_laptop> ok, i'll definitely ask for help if I get stuck.
15:24:44 <Kevin_Kofler> The kio_http code is also somewhat different, but at least not completely rewritten like the KSSL one.
15:26:35 <rdieter_laptop> ok, we can probably move on now.
15:26:49 <Kevin_Kofler> I can also have a look at kdelibs3 (after all, I'm the one who wants to keep the legacy KDE 3 stuff alive), but most likely not before Thursday evening.
15:27:32 <Kevin_Kofler> BTW, any news from the RH folks, whether RH wants this fixed in RHEL?
15:28:51 <ltinkl> Kevin_Kofler: yes
15:29:05 <ltinkl> Kevin_Kofler: handled in a separate bug, as usual :)
15:29:06 <jreznik> ok, let's move on... Kevin_Kofler maybe me or ltinkl can help too as you know...
15:29:32 <Kevin_Kofler> ltinkl: Unfortunately, I can't read those RHEL bugs. :-(
15:29:48 <ltinkl> that's intentional :p
15:29:55 <jreznik> #action Kevin_Kofler to look at kdelibs3 fix (and hopefully with some RH guys help :)
15:30:30 <jreznik> #topic 4.7.1 status
15:31:50 <nucleo> I tested 4.7.1 on F16, looks good except kmail1 to kmail2 migration (which is not 4.7.1 specific as I understand)
15:32:26 <rdieter_laptop> https://admin.fedoraproject.org/updates/FEDORA-2011-13417
15:33:21 <rdieter_laptop> once we have the kdelibs CVE added here, can probably queue for stable
15:33:46 <ltinkl> rdieter_laptop: yup, I'll add the kdelibs fixes tomorrow
15:34:09 <Kevin_Kofler> How about we queue it for stable now and file a separate update for the CVE?
15:34:10 <jreznik> #info https://admin.fedoraproject.org/updates/FEDORA-2011-13417
15:34:44 <jreznik> what's going to be faster? with all waiting stuff?
15:34:59 <jreznik> probably editing current update?
15:35:43 <ltinkl> imho yes
15:36:00 <rdieter_laptop> depends on when pushes happen.
15:36:16 <rdieter_laptop> *if* there's a push before ltinkl is done... but otherwise, probably doesn't matter much
15:37:50 <rdieter_laptop> simplest just to add it to the existing update probably.
15:38:43 <jreznik> I don't have a preference here...
15:39:15 * nirik is happy to adjust pushes if it helps you guys...
15:41:38 <jreznik> ltinkl: could you try to build it now and update current one? and if nirik can adjust push it's not before this is done, it would be great
15:41:50 <ltinkl> jreznik: already doing it
15:43:17 <rnovacek> btw: http://labs.qt.nokia.com/2011/10/04/security-considerations-regarding-qlabel-and-friends/
15:44:36 <nirik> I assume you mean for a stable push? or for testing?
15:44:57 <rnovacek> and Qt 4.8 string freeze happens today
15:45:58 <ltinkl> nirik: stable
15:46:12 <nirik> ltinkl: ok, let me know.
15:46:22 <ltinkl> nirik: thanks
15:47:18 <jreznik> #info ltinkl to finish kdelibs builds and modify current update in cooperation with nirik (thx) to make push happen in the right time
15:47:40 <jreznik> anything else for 4.7.1?
15:47:52 <Kevin_Kofler> No.
15:48:10 <jreznik> #topic 4.7.2
15:48:22 <jreznik> anyone working on this? otherwise I can take care
15:48:35 <rdieter_laptop> jreznik: go for it
15:48:50 <rnovacek> jreznik: I can help you with that
15:48:50 <jreznik> #action jreznik to start with 4.7.2
15:48:51 <Kevin_Kofler> We're finally about to get 4.7.1 out and wham, there's 4.7.2… :-/
15:48:54 <Kevin_Kofler> Work never ends.
15:49:02 <jreznik> Kevin_Kofler: neverending story :)
15:50:00 <jreznik> we were quite slow with 4.7.1 - maybe time to work on some sort of automation for updates, I'll try to ask other teams with bunch of packages (like perl) for help
15:50:13 <jreznik> quick one, let's move
15:50:30 * Kevin_Kofler blames split packaging for it, thinks we should have stuck with monolithic and hacked things to build in that setup.
15:51:00 <jreznik> Kevin_Kofler: I know, split packaging but with the right tools we can be fast again :)
15:51:10 <jreznik> #topic qt 4.8 snapshot
15:51:17 <jreznik> rdieter_laptop: ?
15:51:48 <rdieter_laptop> I took a git snapshot from oct 2, and got it built in kde-unstable, fwiw.
15:51:52 <jreznik> and as rnovacek already pointed out - 4.8 is knocking on the door - with string freeze but it can still take some time...
15:52:43 <rdieter_laptop> unfortunately, didn't help the kde apps on gnome-shell losing mouse events problem
15:53:02 <Kevin_Kofler> I guess we should try to get it into F16, to ship something less old and hopefully closer to release quality.
15:53:22 <nucleo> when will the release be?
15:53:22 <Kevin_Kofler> It was probably a mistake to ship 4.8 in the first place, but there's no practical way to change that now.
15:53:27 <rdieter_laptop> anyway, any objections to importing into rawhide at least?  with a wee bit more testing, can do a f16 build too.
15:53:52 <Kevin_Kofler> rdieter_laptop: No objections here, IMHO, get it into Rawhide right now.
15:53:53 <rdieter_laptop> nucleo: when it's ready, the estimate was Q4 2011
15:54:04 <jreznik> +1 for rawhide
15:54:21 <jreznik> without schedules it would be always lottery
15:54:26 <rdieter_laptop> (actually the expected date may have been even earlier, not sure now)
15:54:26 <jreznik> (and it was)
15:55:21 <Kevin_Kofler> Now what does Q4 mean here? To me, it means Oct-Dec, but I've seen US companies count in fiscal quarters where Q1 is Mar-May or Apr-Jun or something like that, so Q4 2011 would already be in 2012.
15:56:13 <Kevin_Kofler> I think a month range would be much more transparent to normal, non-business people than quarter numbers. :-/
15:57:35 <rdieter_laptop> ok, I'll import it after meeting (last chance to yell not to. :) )
15:57:41 <jreznik> last time the difference between 4.7 string freeze and release was two months
15:57:50 <jreznik> july 22 to sep 21
15:57:52 <rdieter_laptop> jreznik: ouch, that's a long time. :(
15:58:45 <jreznik> it is, so let's try your snapshot
15:58:45 <Kevin_Kofler> We've known for quite some time that there'd be no way 4.8 final would be out in time for F16.
15:59:11 <rdieter_laptop> Kevin_Kofler: I'd been hoping there'd be another pre-release or rc though, but meh.
15:59:12 <jreznik> at least kde-unstable, rawhide and we will see how it works
15:59:26 <jreznik> rdieter_laptop: same here, rc would make our life much easier
15:59:52 <jreznik> and open governance with schedules is wish over reality, even thiago is not in nokia anymore...
16:00:35 <jreznik> string freeze and rc was about one month
16:00:42 <jreznik> last time
16:01:02 <Kevin_Kofler> I think we really need a snapshot for F16.
16:01:10 <jreznik> but with qt 5 thing it could take more (or less if they want to get rid of two versions developed in parallel)
16:01:13 <rdieter_laptop> Kevin_Kofler: probably so
16:02:00 <jreznik> #info rdieter_laptop prepared qt 4.8 snapshot (oct 2) - kde-unstable
16:02:22 <jreznik> #info qt 4.8 is in string freeze phase
16:02:47 <jreznik> #info difference between string freeze and rc last time was one month, another month to release
16:03:19 <jreznik> rdieter_laptop: ok, makes sense, could you take care?
16:03:35 <rdieter_laptop> to do a f16 build too you mean?
16:04:36 <jreznik> rdieter_laptop: yep, because it can take a long time to get at least rc... the question is - now or rawhide/kde-unstable only to test it a few days?
16:04:54 <rdieter_laptop> may as well be sooner rather than later
16:05:35 <jreznik> of course...
16:05:47 <rdieter_laptop> snapshots are sometimes more prone to regressions though, but hopefully nokia (and other qt committers) are being more careful the closer we approach release time. (ha)
16:06:15 <jreznik> :)
16:06:28 <jreznik> well? decision? ltinkl, Kevin_Kofler?
16:06:44 <rdieter_laptop> well, rawhide build going now anyway.
16:07:04 <rdieter_laptop> i'll do f16 too a little later.
16:07:28 <rnovacek> rdieter_laptop: +1
16:07:45 <rnovacek> wait a few day to see if somethink breaks
16:07:51 <rnovacek> *days
16:07:58 <rnovacek> *something
16:08:03 <jreznik> ok
16:08:27 <jreznik> #action rdieter_laptop is building snapshot for rawhide right now, f16 a little later
16:08:47 <rdieter_laptop> fyi, qt-4.8.0-0.12.20111002 is in f15 kde-unstable now
16:09:05 <jreznik> #info qt-4.8.0-0.12.20111002 is in f15 kde-unstable now
16:09:06 * rdieter_laptop has been using it for 1/2 day so far
16:09:35 <jreznik> ok, let's wrap it up today, thank you guys!
16:09:44 <jreznik> #endmeeting