13:02:03 #startmeeting CIP IRC weekly meeting
13:02:03 Meeting started Thu Aug 21 13:02:03 2025 UTC and is due to finish in 60 minutes. The chair is jki. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:02:03 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:02:03 The meeting name has been set to 'cip_irc_weekly_meeting'
13:02:10 #topic AI review
13:02:23 - draft CVE handling process for CIP kernel [Jan]
13:02:38 just shared a draft with the core group
13:02:53 thanks for first feedback already, still need to read :)
13:02:58 Yep, you have some replies :-).
13:03:15 Not sure why we are talking about CVEs in the first place.
13:03:23 plan would be to put something on the wall during our Summit next week, then discuss
13:03:33 For kernel, CVEs are just another identifier for stable kernel patches.
13:03:44 right
13:04:12 will also try to make that clear
13:04:38 So you'll get stuff like "CVE-1" for kernel, and then have "CVE-2" that reverts "CVE-1". Fun :-).
13:04:47 still, we have our tracker list, and we already heard more than once that it is considered very valuable
13:05:18 everything can happen, but I would not expect that to happen with every second CVE ;)
13:05:32 This will be with about 1% of them.
13:05:47 examples always welcome
13:06:13 also to document where information is lost - and think about how annotation needs to be to reduce that risk
13:07:32 btw, no one expects upstream or the CIP kernel to be perfect in this, we should "just" apply best practices
13:08:05 ok - please provide further feedback that should go into the discussion on Thursday upfront
13:08:15 or speak up then ;)
13:08:21 no other AIs on my list
13:08:31 I'm not sure what the goal here is.
13:08:54 We don't _want_ to have 0 CVEs for cip-4.4 kernel...
13:08:57 document our process for paper work, would be one thing
13:09:10 we will never have 0 CVEs in anything
13:09:26 ...because that would mean buggy kernel.
13:09:49 please do not expect additional pressure on maintainers from writing down how things work
13:10:05 It's not only about the "CVE". It's about making sure that we are fixing known bugs in our kernels right?
13:10:39 patersonc: you first of all asked about CVEs ;)
13:11:00 I guess we should talk in person.
13:11:03 but, yes, bug handling in general is important too
13:11:11 I did - but it's just because we have tooling tracking the CVEs, we don't have tooling tracking every upstream fix
13:11:34 Although every upstream fix is a CVE now..
13:11:42 patersonc: I believe priority is a) not add new bugs, and b) given a), fix some bugs.
13:11:49 in theory, surely not in practice
13:12:29 and some bug fixes really don't deserve CVEs, but they should still be in stable
13:12:53 patersonc: Fortunately not every upstream fix. When things are applied to _stable_, they will get CVE identifier.
13:13:14 patersonc: If it does not apply to stable (patch failed), I'd expect it is just dropped.
13:13:41 paveL: functional fixes that do not address security aspects will not get CVEs (or will get them revoked)
13:14:26 jki: I believe the policy is "if it is a bug fix it gets a CVE" and then "if someone tries to revoke the CVE we may do that".
13:14:55 jki: stable team is pretty clear about not deciding about security when assigning CVEs.
13:16:56 pavel: already due to the fact that some fixing commit may pull preparatory commits you do not have a 1:1 between stable commit and CVE
13:17:19 jki: I'm not claiming 1:1 between stable commits and CVEs.
13:17:35 but I think we should really continue this on Thursday :)
13:17:36 jki: I'm saying that "admin can crash his own machine" will get a CVE.
13:17:43 jki: yes.
13:18:08 5
13:18:10 4
13:18:12 3
13:18:13 2
13:18:15 1
13:18:16 #topic Kernel maintenance updates
13:18:32 i'm working on 4.4
13:19:09 I'm reviewing 6.12.42 and .43.
13:19:09 This week reported 118 new CVEs and 6 updated CVEs.
13:19:24 I am reviewing 6.12.42. and I released 510.y-cip and 6.1.y-cip.
13:19:58 ...and renesas patches. SPI and camera, camera is 55 patches.
13:21:23 anything to add?
13:21:36 5
13:21:37 4
13:21:39 3
13:21:41 2
13:21:43 1
13:21:44 #topic Kernel release status
13:21:55 everything green
13:22:12 any issues ahead?
13:22:32 5
13:22:34 4
13:22:36 3
13:22:37 2
13:22:39 1
13:22:42 #topic Kernel testing
13:23:14 Arisu's KernelCI PR has now been merged, adding initial test support for CIP kernels
13:23:25 Hopefully it will push out to production soon
13:23:41 There are some known issues with booting the arm32 devices, but this seems to be a kernel config issue
13:24:29 I'll update more on the specifics next week
13:26:17 more test topics?
13:26:35 Not from me
13:27:21 5
13:27:23 4
13:27:25 3
13:27:26 2
13:27:29 1
13:27:31 #topic AOB
13:28:07 first of all: we have the mini summit next week, this time, thus no irc meeting
13:28:32 skip, or should we shift?
13:29:35 skip it, imo
13:29:39 +1
13:29:40 I believe skip. We'll have enough meetings next week :-)
13:29:44 +1
13:29:55 exactly :)
13:30:30 but... should we have a lunch meetup as kernel WG again?
13:30:44 who will be there at all?
13:30:49 o/
13:30:51 o/
13:30:52 o/
13:31:18 I am not there...
13:31:37 if you like to meet, I would suggest the Wednesday lunch slot
13:31:58 meet at CIP booth
13:33:01 ?
13:33:13 Sounds tasty
13:34:42 ok, be there if you like and can
13:34:54 any other topics for today?
13:35:47 5
13:35:49 4
13:35:51 3
13:35:53 2
13:35:55 1
13:35:57 #endmeeting