21:00:25 <tdawson> #startmeeting EPEL (2022-02-16) 21:00:25 <zodbot> Meeting started Wed Feb 16 21:00:25 2022 UTC. 21:00:25 <zodbot> This meeting is logged and archived in a public location. 21:00:25 <zodbot> The chair is tdawson. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions. 21:00:25 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 21:00:25 <zodbot> The meeting name has been set to 'epel_(2022-02-16)' 21:00:25 <tdawson> #meetingname epel 21:00:25 <tdawson> #chair nirik tdawson pgreco carlwgeorge salimma dcavalca 21:00:25 <zodbot> The meeting name has been set to 'epel' 21:00:25 <zodbot> Current chairs: carlwgeorge dcavalca nirik pgreco salimma tdawson 21:00:26 <tdawson> #topic aloha 21:00:35 <rcallicotte> .hi 21:00:36 <zodbot> rcallicotte: rcallicotte 'Robby Callicotte' <rcallicotte@mailbox.org> 21:00:38 <davide> .hi 21:00:40 <zodbot> davide: Sorry, but user 'davide' does not exist 21:00:41 <pgreco> .hi 21:00:43 <zodbot> pgreco: pgreco 'Pablo Sebastian Greco' <pablo@fliagreco.com.ar> 21:00:47 <carlwgeorge> .hi 21:00:48 <zodbot> carlwgeorge: carlwgeorge 'Carl George' <carl@redhat.com> 21:01:20 <salimma> .hi 21:01:21 <zodbot> salimma: salimma 'Michel Alexandre Salim' <michel@michel-slm.name> 21:01:25 <davide> .hello dcavalca 21:01:27 <zodbot> davide: dcavalca 'Davide Cavalca' <dcavalca@fb.com> 21:01:46 * nirik is sort of here, but also has an outage 21:01:52 <tdawson> Hi rcallicotte 21:02:02 * davide is typing with a half dead eyboard 21:02:02 <tdawson> Hi pgreco 21:02:12 <tdawson> Hi carlwgeorge 21:02:22 <tdawson> Hi salimma 21:02:36 <tdawson> Hi davide (the real dcavalca) 21:02:40 * salimma waves to everyone 21:02:46 <tdawson> Hi partially here nirik 21:03:56 <salimma> is that a partial hi or a double hi to compensate ;)( 21:04:07 <rcallicotte> lol 21:04:11 <tdawson> :) 21:04:35 <Ebeneezer_Smooge> hrllo 21:04:58 <tdawson> Hi Ebeneezer_Smooge 21:05:36 <tdawson> #topic EPEL Issues 21:05:36 <tdawson> https://pagure.io/epel/issues 21:05:36 <tdawson> https://pagure.io/epel/issues?tags=meeting&status=Open 21:06:12 <tdawson> Hmm ... I thought we already re-visited the limited arch package policy 21:06:35 <tdawson> Let's do the pull request marked as meeting first. 21:06:37 <tdawson> https://pagure.io/epel/pull-request/156 21:06:45 <tdawson> Recommend retiring rawhide for EPEL-only packages 21:07:16 <davide> oh yeah, happy to change that as needed 21:07:19 <tdawson> carlwgeorge You marked that one for meeting. 21:07:50 <tdawson> Did you think that should be a "must" or that it shouldn't be included? 21:07:58 <carlwgeorge> hmm, i missed the follow up comments 21:08:27 <carlwgeorge> i think there was some uncertainty in irc about must vs should 21:08:42 <carlwgeorge> personally i'm fine with must 21:09:03 <tdawson> I'm ok with either, but I lean towards should 21:09:06 <salimma> if it's must then it's not really 'recommend' though 21:09:32 * nirik doesn't know why you would not do this... 21:09:41 <salimma> I'm ok with must 21:09:45 <carlwgeorge> if we don't have any know examples of when not to do it, i think must is better 21:09:56 <carlwgeorge> and we can always change it to should if we find things later 21:10:08 <salimma> right, and we can revisit when we have such a usecase (but in that case maybe it shouldn't have been -epel anyway) 21:10:08 <tdawson> True, I don't think there is a reason you wouldn't want to do it. 21:10:13 <davide> I can't really come up with a reason to have the rawhide branch in the epel-only case 21:10:18 <davide> so must is probably better 21:10:33 <davide> I can update the PR if that's the consensus 21:10:34 <salimma> oh, I guess eln 21:11:02 <salimma> but that's tricky, and the benefit of preventing branching is more anyway 21:11:07 <davide> how so? 21:11:08 <carlwgeorge> why would an epel-only package go into eln? 21:11:26 <salimma> and epel-only packages will probably need to be refactored significantly for every RHEL anyway 21:11:28 <tdawson> If it's adding packages that are never built in RHEL. 21:11:32 <salimma> not ELN itself, but ELN extras 21:12:08 <salimma> (whenever that comes into existence). but on balance, I'm still voting for 'must retire' 21:12:45 <Ebeneezer_Smooge> must 21:13:13 <rcallicotte> +1 for must retire 21:13:14 <tdawson> Ya, ELN extras is still a little ways out (hopefully soon), and we don't have anything yet that would need to go into it ... so at least for now, "must" 21:13:28 <tdawson> +1 must 21:13:30 <Ebeneezer_Smooge> If ELN changes greatly what spec files it uses for builds.. then revisit 21:13:42 <tdawson> Yep 21:13:43 <pgreco> I'm not sure it will make much of a difference for non-native English speakers, but I'll follow whatever is decided... 21:14:07 * Eighth_Doctor waves 21:14:24 <tdawson> Hi Eighth_Doctor 21:14:52 <tdawson> Sounds like we are in agreement. davide do you mind changing the pull request? 21:15:02 <salimma> pgreco: hmm, if this causes issues for non-native speakers, maybe we should consider (Fedora as a whole) having some sort of legend box for common terminologies 21:15:23 <Ebeneezer_Smooge> pgreco, it is because we add the addendum https://datatracker.ietf.org/doc/html/rfc6919 in addition to RFC2119 21:15:30 <davide> yup, will do 21:15:56 <pgreco> salimma: what I mean is that the difference might be too subtle, that's why I'm not sure it will change much 21:16:20 <davide> I never got the impression that Fedora followed the strict RFC interpretation (SHALL MUST etc) 21:16:25 <pgreco> but I'm ok either way, no worries ;) 21:16:38 <davide> but if that's what we want, we should definitely have it documented somewhere 21:16:47 <davide> as I doubt many people even remember it exists these days 21:16:52 <salimma> yeah 21:17:11 * salimma has a topic to bring up for EPEL Packaging later 21:17:22 <tdawson> Moving on to the other thing tagged as "meeting" https://pagure.io/epel/issue/152 21:17:26 <tdawson> .epel 152 21:17:27 <zodbot> tdawson: Issue #152: Revisiting policy for limited arch packages - epel - Pagure.io - https://pagure.io/epel/issue/152 21:18:04 <tdawson> I believe after the discussion, the discussion was going to move to the pull request on the policy 21:18:25 <tdawson> https://pagure.io/epel/pull-request/155 21:18:37 <tdawson> But that was never put into the ticket. 21:18:50 <tdawson> Am I remembering that correctly? 21:19:50 <salimma> I think nirik wanted to see this tested, and Conan Kudo was testing it on libraw 21:19:57 <salimma> libraw-epel, I mean. which is now built, right? 21:19:57 <Eighth_Doctor> it's out in EPEL now 21:20:01 <Eighth_Doctor> yes 21:20:03 <tdawson> Ah, that's right. 21:20:14 <Eighth_Doctor> the test dependency case is with ImageMagick, but it's stalled :( 21:20:35 <salimma> yeah, that's a few days away from a rel-eng escalation so we should be good by next week 21:20:36 <tdawson> https://koji.fedoraproject.org/koji/buildinfo?buildID=1915952 21:21:05 <salimma> (it's a bit confusing because the primary maintainer /did/ respond, commented that dependencies are not available yet, then hasn't responded since) 21:21:41 <tdawson> That get's a little frustrating when that happens. It's happened to me at least once. 21:21:44 <carlwgeorge> same 21:22:18 <salimma> my packaging topic is actually related to this, so we can segue to it if people want 21:22:22 <salimma> or wait for that topic 21:22:52 <tdawson> So, I'm going to update the ticket saying that we are testing if we can do arch specific packages ... 21:23:04 <salimma> tdawson: +1 21:24:40 <tdawson> OK, sorry, had to type that in. 21:25:06 <tdawson> Then, let's leave that one for next week, or whenever we are able to test build ImageMagick 21:25:36 <tdawson> That brings us to ... 21:25:38 <davide> if we don't hear by Fri from the maintainer I'll file a stalled request for it 21:25:47 <tdawson> #topic Old Business 21:25:50 <davide> ImageMagick I mean 21:25:55 <tdawson> Yep 21:26:07 <tdawson> pgreco: I think you are the only one with old business ... at the moment 21:26:31 <pgreco> Eighth_Doctor: gave some feedback haven't had time to check it yet :( 21:27:01 <tdawson> Sounds good. Feedback is progress, even if it isn't read yet :) 21:27:22 <tdawson> #topic EPEL-7 21:27:54 <tdawson> I didn't see any epel7 stuff this week ... did anyone else? 21:28:37 <tdawson> #topic EPEL-8 21:28:51 <Ebeneezer_Smooge> EPEL-7, you have 2 years until END of Life. Start PLANNING 21:28:57 <tdawson> :) 21:29:08 <Eighth_Doctor> man, it's already so close to the end? 21:29:14 <salimma> Conan Kudo mentioned that VFX folks are still mostly on 7 :( 21:29:18 <tdawson> Is it really just 2 years? I was thinking three 21:29:20 <pgreco> Ebeneezer_Smooge: skipping 8 and going straight to 9, that's my plan :) 21:29:22 <rcallicotte> crazy huh? 21:29:26 <Ebeneezer_Smooge> EPEL-8, the great dive of usage happened on Feb 1st. 21:29:33 <salimma> I remember 2024 too and... man that's 2 years 21:29:38 <Eighth_Doctor> I got my job just shortly after RHEL 7 GA'd 21:29:48 <Ebeneezer_Smooge> [2022-02-16-16:29] <centbot> CentOS 7 will go EOL on 30 June, 2024 -- in 2 years, 19 weeks, 1 day, 2 hours, 30 minutes, and 22 seconds 21:29:53 <Eighth_Doctor> (I also lost my old job just before it GA'd) 21:29:59 <salimma> yeah, I remember getting a CentOS 7 tshirt for helping with our internal migration 21:31:18 <tdawson> Anything for epel8 ? 21:31:19 <davide> still have a box of those somewhere :) 21:31:39 <salimma> davide: we definitely need to make one for 9 21:31:43 <salimma> make it as spiffy as the RH ones 21:31:57 <davide> yup 21:32:07 <pgreco> salimma: I'm planning on being in SF soon, save one for me!! 21:32:21 <salimma> pgreco: I'm not in SF, tell Davide Cavalca that :D 21:32:46 <pgreco> yeah, I plan on doing so when I'm there ;) 21:32:48 * salimma will totally jump on a plane if only the kid is in pre-K already 21:33:02 <tdawson> And ... moving on 21:33:09 <davide> pgreco: sure, I'll try to find where it ended up when I go to the office 21:33:09 <tdawson> #topic EPEL-9 21:33:30 <pgreco> davide: office? what's that? ;) 21:33:35 <Ebeneezer_Smooge> tdawson, I had something for EPEL-8 21:33:41 * davide is filing a bunch more branch requests for 9 as usual 21:33:44 <Ebeneezer_Smooge> bt it can wait until new bus 21:33:45 <carlwgeorge> I've got some fun stats for 9 21:33:48 <salimma> EPEL9: anyone knonws much about dwarf? 21:34:07 <Ebeneezer_Smooge> start with carlwgeorge 21:34:36 <carlwgeorge> epel9 is on pace to have more srpms than c9s in 3 weeks, and more than epel8 by June (assuming the current pace is sustained) 21:34:49 <rcallicotte> nice 21:35:09 <salimma> in F36+ libdwarf now has a sane versioning system (which means epoch). that version... fails some tests on epel9. I'm going to just use the F35 spec unless anyone wants to take a look first 21:36:55 <tdawson> salimma: Isn't dwarf already in RHEL ? 21:37:07 <tdawson> carlwgeorge Very cool :) 21:37:28 <Ebeneezer_Smooge> i think it is a different type of dwarf format 21:38:02 <davide> iirc F34+ uses dwarf5 21:38:04 <tdawson> Ah ... ok. And, I don't see it in RHEL9, so ... nice. 21:38:11 <davide> so I'd assume RHEL 9 inherited it too] 21:38:17 <salimma> surprisingly it's not 21:38:18 <salimma> yeah 21:38:33 <salimma> or something is wrong because I did check and the fedpkg request-branch also succeeded :) 21:39:15 <tdawson> Nope, I'm not seeing it anywhere. 21:39:40 <tdawson> Not even as sub-packages. 21:39:56 <salimma> I'm going to try and see if rawhide's libdwarf also fails to pass its tests on f34, if so, then I'll just use f34/35's older libdwarf 21:40:24 <tdawson> carlwgeorge How many source packages are in CentOS Stream 9 ? 21:40:32 <salimma> I only started needing it recently, turns out when Meta's folly lib is built without libdwarf, some functionality needed by some dependent packages are not there 21:40:41 * salimma not looking forward to it being renamed to molly 21:41:02 <Eighth_Doctor> ... 21:41:24 <tdawson> Well, we have two different subjects we need to get to, so I'm going to move on. 21:41:32 <Ebeneezer_Smooge> sounds good 21:41:35 <tdawson> #topic EPEL-Packaging-SIG 21:41:56 <carlwgeorge> tdawson: 1907 21:42:01 <tdawson> salimma: You said you had something with the sig? Or was it actually the dwarf thing ? 21:43:35 * tdawson never knows if we lost someone, or they are just typing a long sentance. 21:44:07 <Ebeneezer_Smooge> I think it was needing some packages that were in review 21:44:17 <salimma> yup 21:44:28 <salimma> this is related to ImageMagick, but I think it's a wider topic 21:44:46 <salimma> sorry, switched away to a different room and lost track 21:45:19 <salimma> ImageMagick (and I bet a lot of other packages, but I didn't have time to grab the numbers) seem to have a lot of open CVEs on EPEL 7 21:45:44 <Ebeneezer_Smooge> yep that is probably true 21:46:16 <salimma> is this... something we need to watch more carefully? and in what circumstance is it actionable (e.g. can we decide to retire them if the maintainer doesn't pay attention, or update it without needing a provenpackager) 21:46:51 <Ebeneezer_Smooge> normally I look at the kind of CVE's. I used to get bugged by Red Hat security and would get someone to proven package them 21:46:51 <tdawson> I think it depends on the severity of the CVE's. 21:47:41 <Ebeneezer_Smooge> we normally give EPEL packages the same level as RH packages. For EL7, if it is greater than moderate, then it needs to be fixed. If it is less or equal to moderate, meh 21:47:49 <salimma> do the auto-filed bugs map the severity to the bug severity? if so we can easily do a query for the severe ones 21:48:03 <Eighth_Doctor> ImageMagick just grows CVEs like crazy, it feels like a package that needs epel-packager-sig care to better hope for maintenance 21:48:23 <Eighth_Doctor> esp given what's going on right now with existing epel branches 21:48:27 <salimma> yeah so in a way the maintainer not responding is the best scenario here 21:48:33 <salimma> because that makes it more likely we get access 21:48:54 <salimma> so yeah, I volunteer to do a 'security watch' update next week and we can see how that goes 21:50:00 <davide> it'd be useful to have some automation around this I think 21:50:11 <davide> like, reporting on packages in EPEL with CVEs open for more than X weeks 21:50:32 <tdawson> Well, like Ebeneezer_Smooge said, it would need to be above a medium ... 21:50:55 <rcallicotte> how would one query for that? datagrepper? another tool? 21:50:58 <salimma> yeah, I'll limit it to high for now 21:51:05 <salimma> we can see about automating if the result is useful 21:51:11 <tdawson> I'm looking at the two I have, and they are both marked priority "Medium" ... but I don't know if that's just cuz that's the default, or if that's what the CVE is set to. 21:51:34 <salimma> hmm. we need to find a really bad CVE like polkit, let's see 21:52:03 <salimma> oh wow polkit has another CVE update? https://bodhi.fedoraproject.org/updates/FEDORA-2022-353b7254fd 21:52:35 <davide> yeah I was mostly thinking about getting the data to see how much of a problem this really is 21:52:45 <davide> and then once we have that, we can think about potential mitigations 21:52:48 <salimma> https://bugzilla.redhat.com/show_bug.cgi?id=2045563 21:52:54 <salimma> severity and priority do seem to be higher on this 21:53:05 <davide> I wouldn't be opposed to using this as a lever for getting epel-packaging-sig into more packages 21:53:09 <Ebeneezer_Smooge> tdawson, I normally go look up the CVE itself and check 21:53:31 <tdawson> Hum ... both of polkit's CVE's are marked as medium ... so that must be the default. so searching on that isn't a good thing. 21:53:57 <tdawson> salimma or davide Do either of you mind creating an issue for this? 21:54:22 <salimma> the bugzilla is OK though. priority urgent, severity high (for the older privilege escalation CVE) 21:54:30 <salimma> the bodhi update is for the newer CVE, ignore it 21:54:32 <salimma> yeah, I can file an issue 21:54:43 <tdawson> salimma: Thanks 21:54:46 <salimma> is it 'follow up on EPEL CVEs' basically? 21:55:14 <tdawson> salimma: Basically, so we can work on some type of policy and/or automation and/or scripts. 21:56:01 <tdawson> I don't want to downplay this, but I'm going to move on cuz someone said they had something for open floor 21:56:04 <tdawson> #topic General Issues / Open Floor 21:56:11 <salimma> https://pagure.io/epel/issue/159 21:56:16 <tdawson> Ebeneezer_Smooge: Did you have something ? 21:56:20 <tdawson> salimma: Thank You 21:56:22 <salimma> tdawson: yeah, we don't have raw data yet so we should follow up anyway 21:56:50 <Ebeneezer_Smooge> basically it was the opposite of good statistics.. 21:57:14 <tdawson> Oh boy ... what is the opposite of good stats ? 21:57:36 <salimma> horrible fake news 21:57:42 <Ebeneezer_Smooge> On Feb 1st, about 600k CentOS systems stopped getting EPEL-8 updates and 500k systems (Amazon?) stopped getting EPEL-7 systems 21:58:00 <Ebeneezer_Smooge> s/EPEL-7 systems/EPEL-7 updates/ 21:58:08 <rcallicotte> wowsers 21:58:10 <salimma> the EPEL-8 is expected, the EPEL-7.. what 21:58:18 <Ebeneezer_Smooge> the EPEL-8 was expected due to the deletion of CentOS 8, but the EPEL-7 I have no idea on 21:58:18 <carlwgeorge> dnf does repos alphabetically, appstream fails, it never hits epel 21:58:45 <carlwgeorge> for 7 perhaps a really large aws deployment was shut off 21:58:47 <tdawson> Hmm ... carlwgeorge and I had a theory that those epel7 machines are actually CentOS Linux 8 machines, but they are pointing at the epel7 repo to get some packages that aren't in epel8 21:59:02 <carlwgeorge> yeah, that too 21:59:32 <Ebeneezer_Smooge> I would need to double check on that as those would show up as dnf updates versus yum updates 21:59:39 <carlwgeorge> it's far too common for people to just add whatever repos (epel7 on el8, epel8 on el9, etc) and crossing their fingers 21:59:53 <tdawson> But it's still a rather large number. 21:59:54 * Eighth_Doctor grimaces 21:59:59 <salimma> ugh 22:00:00 <salimma> so wrong 22:00:02 <rcallicotte> I've seen it sa many times :( 22:00:04 <Eighth_Doctor> that sounds like Amazon Linux actually 22:00:09 <rcallicotte> so** 22:00:19 <Eighth_Doctor> I've heard of folks mixing EPEL 7 and EPEL 8 on AL systems 22:00:20 <Ebeneezer_Smooge> the third alternative is that they moved to Oracle Enterprise Linux and are using their EPEL 22:00:57 <Ebeneezer_Smooge> but in any case, expect a lot of vertical | in any charts at future events 22:01:02 <pgreco> I'm more inclined to believe it is C8 removal, but no idea what to make of epel7 22:01:27 <Eighth_Doctor> epel7 sounds like Amazon Linux 1 systems going away 22:01:45 <tdawson> Yep ... but at least verticle lines make people look closer ... see what's happening. 22:01:49 <Ebeneezer_Smooge> the 'funny' part was it happened on the same day 22:02:22 <Ebeneezer_Smooge> that said, there has been an uptick of C9stream and C8stream systems 22:02:44 <carlwgeorge> yeah the AL thing sounded most likely to me at first, but no reason that should happen on the same day as the c8 removal off the mirrors 22:02:54 <salimma> and.. nobody raised a stink? 22:03:26 <tdawson> Well people, it looks like our time is up 22:03:43 <Ebeneezer_Smooge> anyway, I wanted to let you know the bad news before it came out when someone looks at the public data 22:03:49 <tdawson> Thank you all for all your work, and the good discussion we had. 22:03:57 <dherrera> thx (and hi) 22:04:00 <tdawson> Ebeneezer_Smooge: Thanks 22:04:02 <rcallicotte> thanks 22:04:03 <salimma> thanks all 22:04:06 <tdawson> Hi dherrera 22:04:08 <salimma> thanks tdawson 22:04:09 <pgreco> talk next week, thanks all!! 22:04:11 <salimma> hi Diego Herrera ! 22:04:12 <tdawson> Talk to ya'll next week. 22:04:20 <rcallicotte> ttyl! 22:04:20 <tdawson> #endmeeting