19:00:02 <alexsaezm> #startmeeting Go SIG meeting 19:00:02 <zodbot> Meeting started Mon Feb 27 19:00:02 2023 UTC. 19:00:02 <zodbot> This meeting is logged and archived in a public location. 19:00:02 <zodbot> The chair is alexsaezm. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions. 19:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:00:02 <zodbot> The meeting name has been set to 'go_sig_meeting' 19:00:08 <alexsaezm> #topic Roll Call 19:00:12 <alexsaezm> Hi everyone! 19:02:08 <gotmax23> .hi 19:02:08 <zodbot> gotmax23: gotmax23 'Maxwell G' <maxwell@gtmx.me> 19:02:54 <gotmax23> Hi Álex! 19:03:00 <alexsaezm> Hi there :) 19:03:25 <alexsaezm> (i'll give a few more minutes till 05 and we can start :D) 19:03:34 <mikelo_m[m]> .hi 19:03:35 <zodbot> mikelo_m[m]: Sorry, but user 'mikelo_m [m]' does not exist 19:03:46 <mikelo_m[m]> .hello mikelo2 19:03:51 <zodbot> mikelo_m[m]: mikelo2 'Mikel Olasagasti Uranga' <mikel@olasagasti.info> 19:03:54 * mikelo_m[m] always forgets how to do it :D 19:04:35 <alexsaezm> funny that hi and hello are two different things... 19:04:37 <gotmax23> BTW, I'm sponsoring dghuble to help maintain containerd. 19:04:58 <alexsaezm> <3 19:06:02 <alexsaezm> we have a bunch of stuff in the issue tracker tragged with meeting: https://pagure.io/GoSIG/go-sig/issues?status=Open&tags=meeting&close_status= 19:06:03 * gotmax23 is a bit preoccupied with other tasks 19:06:08 <alexsaezm> any preferences? 19:08:10 <gotmax23> I just untagged the golang-race and leaves issues. 19:08:48 <gotmax23> I'm not sure if you've done any work towards #49. I have no updates about the other two. 19:09:19 <alexsaezm> thanks, yeah #50 and #48 I think they are not part of the meeting. Also, no, no updates on #49 yet 19:09:58 <alexsaezm> open floor then? 19:10:05 <gotmax23> Ack 19:10:07 <alexsaezm> #topic Open floor 19:10:21 <alexsaezm> zodbot seems to be sleepy 19:10:49 <alexsaezm> I updated f36 go package (https://pagure.io/fesco/issue/2941) 19:10:51 <alexsaezm> and that's it :D 19:11:36 <gotmax23> Thanks! 19:12:11 <alexsaezm> also, the http2 cve might require a mass-rebuild (kinda, 696 packages so far) 19:12:16 <mikelo_m[m]> that may break rclone stack due to the quic package version dep 19:12:28 <alexsaezm> mikelo_m: yay :-/ 19:12:33 <gotmax23> How serious is the CVE? 19:13:32 <alexsaezm> gotmax23: Medium 19:13:37 <alexsaezm> it's not critical 19:14:21 <gotmax23> Perhaps we should discuss a policy for CVE rebuilds. 19:14:35 <gotmax23> It's non trivial to rebuild everything after every Go release 19:15:21 <alexsaezm> I think that it's not feasible to do a mass-rebuild with every single CVE, so probably only critical ones should trigger that 19:15:47 <gotmax23> :nod: 19:16:25 <alexsaezm> and if it's less than critical, well, we can wait for a normal update 19:16:43 <alexsaezm> we have tons of packages and in this case, it's a quarter of the whole golang packages 19:16:50 <gotmax23> We could consider doing them on a scheduled basis. Every couple releases or something. It's not that bad in rawhide, but stable branches are more difficult to mass rebuild. 19:17:31 <alexsaezm> you mean to do a mass rebuild after a couple of go updates? 19:17:32 <mikelo_m[m]> it says it's been fixed since 1.19.4 and that was pushed to Fedora 2 months ago https://src.fedoraproject.org/rpms/golang/c/67a51aa259eea7f853f3b9d72b88139ec85bfb55?branch=f37 19:17:35 <mikelo_m[m]> so there should be a bunch of packages that have been recompiled sine 19:17:38 <mikelo_m[m]> s/sine/since/ 19:18:01 <alexsaezm> good point 19:18:02 <gotmax23> alexsaezm: that was the suggestion 19:18:24 <gotmax23> yeah, some packages that are regularly updated so this isn't as much of a problem 19:19:12 <alexsaezm> well, it makes sense, we know that once a go version reaches a Y release (1.20 for example) no new features are going to be added until N+1 so every Z update is a fix (CVE or not)... I like the idea 19:19:52 <alexsaezm> or wait for a specific point in time 19:19:54 <alexsaezm> like each 3 months 19:21:11 <gotmax23> I could refine my scripts and make this easier, but in any case, the rebuild needs to be announced and the script to rebuild everything needs to be monitored, so this takes time. In stable releases, you have to avoid divergences from rawhide. 19:21:24 <gotmax23> Every 3 months seems reasonable 19:21:30 <gotmax23> Do you want to create a ticket? 19:22:05 <gotmax23> Perhaps every 3 months and only in the latest stable and rawhide releases 19:23:18 <alexsaezm> hmmmm so we need a ticket to discuss this with fesco, as a policy in general, and I understand that we will need a ticket every time we do the thing right? 19:23:24 <alexsaezm> I can create the ticket, yes 19:23:36 <gotmax23> I meant file a ticket on the go-sig tracker 19:23:44 <gotmax23> I don't think we necessarily need FESCo approval 19:24:18 <alexsaezm> yeah, I'll create it 19:24:18 <alexsaezm> oh ok 19:26:35 <alexsaezm> https://pagure.io/GoSIG/go-sig/issue/51 19:26:37 <alexsaezm> created 19:29:22 <alexsaezm> anything else to discuss? :) 19:29:39 <gotmax23> I think we can close out 19:30:54 <alexsaezm> epic 19:30:58 <alexsaezm> thanks a lot to everyone!!! 19:31:07 <alexsaezm> #endmeeting