15:03:25 #startmeeting kde-sig -- http://fedoraproject.org/wiki/SIGs/KDE/Meetings/2011-10-04
15:03:25 Meeting started Tue Oct 4 15:03:25 2011 UTC. The chair is jreznik. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:25 Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:03:45 #topic roll call
15:04:21 Present.
15:04:29 * ltinkl here
15:04:51 * rnovacek is here
15:05:45 * nucleo here
15:06:58 here
15:07:15 #info jreznik Kevin_Kofler ltinkl rnovacek nucleo rdieter_laptop present
15:07:29 #chair jreznik Kevin_Kofler ltinkl rnovacek nucleo rdieter_laptop
15:07:29 Current chairs: Kevin_Kofler jreznik ltinkl nucleo rdieter_laptop rnovacek
15:07:39 ok, let's start :)
15:07:44 #agenda
15:07:49 #topic agenda
15:08:11 CVE-2011-3365
15:08:25 (kdelibs: input validation failure in KSSL, and AFAICT kdelibs3 too)
15:09:35 4.7.1/4.7.2
15:09:44 Yeah, that too.
15:10:05 And any updates on "[Bug 731245] KDE fails to start inside a VM , large amount of memory [@ miCopyRegion]"…
15:11:44 i've got a local qt-4.8 snapshot building, we could discuss whether (or not) to pull that into rawhide.
15:11:51 Kevin_Kofler: no, no reaction even on email... I'll try to ping him again, just I was out at fudcon...
15:13:52 #topic CVE-2011-3365
15:15:23 looks like we've got some patches (at least for kdelibs4), just a matter of applying them, doing builds, and issuing updates, no?
15:16:03 .bug 743054
15:16:05 jreznik: Bug 743054 CVE-2011-3365 kdelibs: input validation failure in KSSL - https://bugzilla.redhat.com/show_bug.cgi?id=743054
15:16:15 * rdieter_laptop was holding out for the fun of doing 4.7.2, but can work on this too if no one else is...
15:16:53 Kevin_Kofler: you looked at kdelibs3 much yet?
15:17:43 rdieter_laptop: let 4.7.2 topic for later :)
15:18:23 rdieter_laptop: Not much, only to check whether it's vulnerable, and AFAICT it is.
15:18:32 I can do the kdelibs4 security fixes
15:19:15 I suppose it can get rolled into our existing 4.7.1 update?
15:19:18 kdelibs and rekonq are vulnerable
15:19:26 #info Kevin_Kofler informs that kdelibs3 are probably vulnerable too
15:19:45 rdieter_laptop: I hope so
15:19:47 think so too, the 2 patches (to kdelibs) are trivial
15:19:53 4.7.1 for f16 that is.
15:20:15 cool, works for me. a good excuse to get it out to stable quicker, to make room for 4.7.2
15:20:46 #info ltinkl to take care of kdelibs/rekonq CVEs
15:20:56 #undo
15:20:56 Removing item from minutes:
15:21:02 ltinkl: you want kdelibs3 too? (if not, I can do it)
15:21:11 #action ltinkl to take care of kdelibs/rekonq CVEs
15:21:33 rdieter_laptop: would be nice if you could look at kdelibs3
15:21:48 rdieter_laptop: The code in kdelibs3 is very different.
15:22:00 It's not just a matter of making the patch apply.
15:22:27 The file in KSSL is not called the same and the code is completely different.
15:22:48 But it also seems to pass stuff to a QLabel with the default AutoText mode, so looks just as vulnerable.
15:22:58 (stuff such as the hostname of the certificate)
15:23:09 ok, i'll definitely ask for help if I get stuck.
15:24:44 The kio_http code is also somewhat different, but at least not completely rewritten like the KSSL one.
15:26:35 ok, we can probably move on now.
15:26:49 I can also have a look at kdelibs3 (after all, I'm the one who wants to keep the legacy KDE 3 stuff alive), but most likely not before Thursday evening.
15:27:32 BTW, any news from the RH folks, whether RH wants this fixed in RHEL?
15:28:51 Kevin_Kofler: yes
15:29:05 Kevin_Kofler: handled in a separate bug, as usual :)
15:29:06 ok, let's move on... Kevin_Kofler maybe me or ltinkl can help too as you know...
15:29:32 ltinkl: Unfortunately, I can't read those RHEL bugs. :-(
15:29:48 that's intentional :p
15:29:55 #action Kevin_Kofler to look at kdelibs3 fix (and hopefully with some RH guys help :)
15:30:30 #topic 4.7.1 status
15:31:50 I tested 4.7.1 on F16, looks good except kmail1 to kmail2 migration (which is not 4.7.1 specific as I understand)
15:32:26 https://admin.fedoraproject.org/updates/FEDORA-2011-13417
15:33:21 once we have the kdelibs CVE added here, can probably queue for stable
15:33:46 rdieter_laptop: yup, I'll add the kdelibs fixes tomorrow
15:34:09 How about we queue it for stable now and file a separate update for the CVE?
15:34:10 #info https://admin.fedoraproject.org/updates/FEDORA-2011-13417
15:34:44 what's going to be faster? with all waiting stuff?
15:34:59 probably editing current update?
15:35:43 imho yes
15:36:00 depends on when pushes happen.
15:36:16 *if* there's a push before ltinkl is done... but otherwise, probably doesn't matter much
15:37:50 simplest just to add it to the existing update probably.
15:38:43 I don't have a preference here...
15:39:15 * nirik is happy to adjust pushes if it helps you guys...
15:41:38 ltinkl: could you try to build it now and update current one? and if nirik can adjust push it's not before this is done, it would be great
15:41:50 jreznik: already doing it
15:43:17 btw: http://labs.qt.nokia.com/2011/10/04/security-considerations-regarding-qlabel-and-friends/
15:44:36 I assume you mean for a stable push? or for testing?
15:44:57 and Qt 4.8 string freeze happens today
15:45:58 nirik: stable
15:46:12 ltinkl: ok, let me know.
15:46:22 nirik: thanks
15:47:18 #info ltinkl to finish kdelibs builds and modify current update in cooperation with nirik (thx) to make push happen in the right time
15:47:40 anything else for 4.7.1?
15:47:52 No.
15:48:10 #topic 4.7.2
15:48:22 anyone working on this? otherwise I can take care
15:48:35 jreznik: go for it
15:48:50 jreznik: I can help you with that
15:48:50 #action jreznik to start with 4.7.2
15:48:51 We're finally about to get 4.7.1 out and wham, there's 4.7.2… :-/
15:48:54 Work never ends.
15:49:02 Kevin_Kofler: neverending story :)
15:50:00 we were quite slow with 4.7.1 - maybe time to work on some sort of automation for updates, I'll try to ask other teams with bunch of packages (like perl) for help
15:50:13 quick one, let's move
15:50:30 * Kevin_Kofler blames split packaging for it, thinks we should have stuck with monolithic and hacked things to build in that setup.
15:51:00 Kevin_Kofler: I know, split packaging but with the right tools we can be fast again :)
15:51:10 #topic qt 4.8 snapshot
15:51:17 rdieter_laptop: ?
15:51:48 I took a git snapshot from oct 2, and got it built in kde-unstable, fwiw.
15:51:52 and as rnovacek already pointed out - 4.8 is knocking on the door - with string freeze but it can still take some time...
15:52:43 unfortunately, didn't help the kde apps on gnome-shell losing mouse events problem
15:53:02 I guess we should try to get it into F16, to ship something less old and hopefully closer to release quality.
15:53:22 when will be release?
15:53:22 It was probably a mistake to ship 4.8 in the first place, but there's no practical way to change that now.
15:53:27 anyway, any objections to importing into rawhide at least? with a wee bit more testing, can do a f16 build too.
15:53:52 rdieter_laptop: No objections here, IMHO, get it into Rawhide right now.
15:53:53 nucleo: when it's ready, the estimate was Q4 2011
15:54:04 +1 for rawhide
15:54:21 without schedules it would be always lottery
15:54:26 (actually the expected date may have been even earlier, not sure now)
15:54:26 (and it was)
15:55:21 Now what does Q4 mean here? To me, it means Oct-Dec, but I've seen US companies count in fiscal quarters where Q1 is Mar-May or Apr-Jun or something like that, so Q4 2011 would already be in 2012.
15:56:13 I think a month range would be much more transparent to normal, non-business people than quarter numbers. :-/
15:57:35 ok, I'll import it after meeting (last chance to yell not to. :) )
15:57:41 last time the difference between 4.7 string freeze and release was two months
15:57:50 july 22 to sep 21
15:57:52 jreznik: ouch, that's a long time. :(
15:58:45 it is, so let's try your snapshot
15:58:45 We've known for quite some time that there'd be no way 4.8 final would be out in time for F16.
15:59:11 Kevin_Kofler: I'd been hoping there'd be another pre-release or rc though, but meh.
15:59:12 at least kde-unstable, rawhide and we will see how it works
15:59:26 rdieter_laptop: same here, rc would make our life much more easier
15:59:52 and open governance with schedules is wish over reality, even thiago is not in nokia anymore...
16:00:35 string freeze and rc was about one month
16:00:42 last time
16:01:02 I think we really need a snapshot for F16.
16:01:10 but with qt 5 thing it could take more (or less if they want to get rid of two versions developed in parallel)
16:01:13 Kevin_Kofler: probably so
16:02:00 #info rdieter_laptop prepared qt 4.8 snapshot (oct 2) - kde-unstable
16:02:22 #info qt 4.8 is in string freeze phase
16:02:47 #info difference between string freeze and rc last time was one month, another month to release
16:03:19 rdieter_laptop: ok, makes sense, could you take care?
16:03:35 to do a f16 build too you mean?
16:04:36 rdieter_laptop: yep, because it can take a long time to get at least rc... the question is - now or rawhide/kde-unstable only to test it a few days?
16:04:54 may as well be sooner rather than later
16:05:35 of course...
16:05:47 snapshots are sometimes more prone to regressions though, but hopefully nokia (and other qt committers) are being more careful the closer we approach release time. (ha)
16:06:15 :)
16:06:28 well? decision? ltinkl, Kevin_Kofler?
16:06:44 well, rawhide build going now anyway.
16:07:04 i'll do f16 too a little later.
16:07:28 rdieter_laptop: +1
16:07:45 wait a few day to see if somethink breaks
16:07:51 *days
16:07:58 *something
16:08:03 ok
16:08:27 #action rdieter_laptop is building snapshot for rawhide right now, f16 a little later
16:08:47 fyi, qt-4.8.0-0.12.20111002 is in f15 kde-unstable now
16:09:05 #info qt-4.8.0-0.12.20111002 is in f15 kde-unstable now
16:09:06 * rdieter_laptop has been using it for 1/2 day so far
16:09:35 ok, let's wrap it up today, thank you guys!
16:09:44 #endmeeting