18:36 < bspencer> the one thing that lingers is mobile-basic-flash --> xul 1.9
18:36 < lool> bspencer: I don't quite now what we will be pulling; certainly security updates will need to be prepared and uploaded to ppa, I don't know which stability fixes will go in
18:37 < lool> bspencer: This is a terribly missing transition indeed
18:38 -!- ToddBrandt [i=GeneralB@pool-71-182-72-37.ptldor.fios.verizon.net] has joined #ubuntu-mobile
18:40 < ToddBrandt> is the weekly ubuntu meeting already over?
18:41 < lool> Yes
18:41 < lool> bspencer: By the way, did you talk to asac on the topic?
18:41 < bspencer> I've sent a few emails, yes.
18:41 < lool> bspencer: He explained to me where his research brought him, and I can explain what I understood of it if it can help
18:41 < bspencer> ok
18:41 < lool> bspencer: How far are you now?
18:41 < davidm> ToddBrandt, it was very short.  No opens, and no new opens to speak of.
18:41 < ToddBrandt> lool: any ARs for me?
18:42 < ToddBrandt> davidm: ahh, thx
18:42 < bspencer> everything builds, seems ready to go... except that javascript calls from C  don't come through
18:42 < lool> ToddBrandt: I don't think so; however I would be happy to give you some work :)
18:42 < davidm> ToddBrandt, no there was one for us and it's been done.
18:42 < bspencer> the same code that worked with gecko 1.8 doesn't seem to fail, but the Javascript methods don't get called
18:42 < lool> ToddBrandt: You handle moblin-applets IIRC?  One of our archive admins made comments on a couple of security issues in moblin-applets source code
18:43 < lool> It's in the main promotion request bug for moblin-applets
18:43 < bspencer> this means that no apps get shown on the home screen.  It loads without error but is just black.
18:43 < ToddBrandt> lool: oh, right, I remember a mail on that
18:43 < ToddBrandt> what's the URL?
18:43 < lool> bspencer: So the reason it's not called is because the javascript receives blank values for all data becasue the data seems to come from an unsafe source
18:44 < lool> bspencer: One way to fix this would be to use XUL at the toplevel rather than HTML (and it would make sense anyway)
18:44 < bspencer> "make sense" perhaps, but is a bigger change. 
18:44 < bspencer> is there a smaller change that doesn't make as much sense?
18:45 < lool> bspencer: I don't think it's that big a change
18:45 < bspencer> Having written a couple of simple xul apps, it is tedious debugging
18:45 < bspencer> with no clear reason why the seemingly perfect xul page doesn't work
18:45 < bspencer> and when you figure it out, it is very simple
18:45 < lool> bspencer: For any other solution, I think asac waits for input from upstream as it's a very sensitive code path and we don't want to endanger the security of e.g. midbrowser...
18:45 < bspencer> true
18:46 < bspencer> so convert home.html to home.xul
18:46 < lool> bspencer: You can have a toplevel xul and mostly HTML below, you don't need to rewrite the whole UI in xul
18:46 < lool> the toplevel xul container will help from a security context PoV IIUC
18:46 < bspencer> I will play with it and see if I can get that to work
18:46 < lool> ToddBrandt: https://bugs.launchpad.net/ubuntu/+source/moblin-applets/+bug/219087
18:47 < lool> bspencer: At least that's the only way forward I know about for xul 1.9
18:47 < lool> bspencer: Oh and did people from your team organize for the next 18 months?
18:48 < lool> bspencer: We will setup a security contact here; we'd be happy to use a security contact in case we need to discuss moblin security holes too, but we also need a channel for security and/or stable updates from moblin
18:49 < bspencer> organize:  we have had a bit of restructuring to prepare for sustaining and future development
18:49 < lool> e.g. if you discover a security hole in moblin 1.0 software, we'd like to know about it, we need a patch, preferably against released version of the software; we need a separate channel to ensure proper urgency and discretion is used
18:49 < bspencer> Mauri can help clarify the details
18:49 < bspencer> security:  sure, who is organizing this ?
18:49 -!- asac [n=asac@e177163182.adsl.alicedsl.de] has joined #ubuntu-mobile
18:50 < bspencer> asac: hello.  got a sec?
18:50 < asac> bspencer: yes
18:50 < lool> bspencer: Who is organizing on which side?
18:50 < asac> 10 min to be precise :)
18:50 < lool> bspencer: On the UME side, Canonical people are finalizing this and will probably announce it
18:50 < bspencer> lool: who is organizing what the separate channel is for security messages and delivering that message to community
18:51 < bspencer> asac: lool was explaining that for security reasons the C-->Javascript calls are failing
18:51 < bspencer> and that we probably need to change our top-level HTML to XUL
18:51 < asac> bspencer: thats my current story
18:51 < asac> i have to verify that with upstream still