16:00:25 <decathorpe> #startmeeting Stewardship SIG Meeting (2019-11-12) 16:00:25 <zodbot> Meeting started Tue Nov 12 16:00:25 2019 UTC. 16:00:25 <zodbot> This meeting is logged and archived in a public location. 16:00:25 <zodbot> The chair is decathorpe. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:25 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:00:25 <zodbot> The meeting name has been set to 'stewardship_sig_meeting_(2019-11-12)' 16:00:32 <decathorpe> #meetingname stewardship-sig 16:00:32 <zodbot> The meeting name has been set to 'stewardship-sig' 16:00:38 <decathorpe> #topic Roll Call 16:00:44 * cipherboy is present 16:00:50 * decathorpe knows 16:00:55 <decathorpe> #chair cipherboy 16:00:55 <zodbot> Current chairs: cipherboy decathorpe 16:01:11 <cipherboy> decathorpe: Roll call implies I have to speak up to be counted as present, right? ;-) 16:01:37 <decathorpe> aye! 16:02:48 <sillebille> \o greeings 16:03:04 <sillebille> let me try that again, greetings SIG! \o 16:03:05 <decathorpe> sillebille: o/ 16:03:13 <decathorpe> #chair sillebille 16:03:13 <zodbot> Current chairs: cipherboy decathorpe sillebille 16:03:47 <cipherboy> sillebille: \o 16:04:27 <mhroncok> o/ 16:04:43 <sillebille> mhroncok, hello \o 16:04:53 <decathorpe> hello! :) 16:04:56 <decathorpe> #chair mhroncok 16:04:56 <zodbot> Current chairs: cipherboy decathorpe mhroncok sillebille 16:05:19 <decathorpe> #link https://pagure.io/stewardship-sig/issue/60 Agenda 16:06:01 <cipherboy> decathorpe: Agenda looks good to me. 16:06:33 <decathorpe> I don't have an updates SIG report ready for discussing new SIG leaves. I wanted to either get data from the latest rawhide compose, or get the latest koji builds in. neither happened, since no compose and koji is being terribly slow today 16:06:49 <decathorpe> so we can drop that topic 16:07:54 <cipherboy> decathorpe: Ah I forgot, I had another agenda item if we wanted to discuss at the end. 16:08:15 <sillebille> cipherboy, the plan for jdeparser? ;-) 16:08:29 <cipherboy> sillebille: That's your agenda item. I was thinking JBoss response. 16:08:49 <decathorpe> we can start with either of these 16:09:24 <sillebille> cipherboy, you can go first :) 16:09:55 <cipherboy> decathorpe: So the key points from JBoss is they're hesitant to go with Packit (no surprise there). 16:10:17 <decathorpe> yeah, shocker :D 16:10:22 <mhroncok> oh, really? 16:11:20 <cipherboy> But the other thing is if we want support (and likely, CVE tracking via prodsec), we need to follow JBoss EAP. So EAP 7.2 is current supported release, means RESTeasy 3.6.1. 16:12:00 <decathorpe> wow. that's ... bad 16:12:17 <decathorpe> well, less work for us 16:12:29 <cipherboy> And we should be able to bump some of the older mvn(...) depends to newer package-versions-in-name while we're at it. 16:13:00 <cipherboy> So we can likely move resteasy from dep on jboss-servlet-2.5-api -to-> dep on jboss-servlet-3.0-api 16:13:22 <cipherboy> So that _should_ help us reduce the number of packages we packge. 16:13:34 * decathorpe nods 16:14:00 <cipherboy> I'm not entirely sure about the prodsec portion, but we haven't really seen many CVEs anywhere (and nobody writes perfect software)... 16:14:10 <cipherboy> Anyhow, I'll check this against Dogtag and start filing PRs. 16:14:49 <decathorpe> sounds good 16:14:53 <cipherboy> Just wanted to give y'all a heads up on that. :) 16:15:46 <decathorpe> yeah, that's good to know 16:15:54 <decathorpe> sillebille: what was your topic? 16:16:25 <sillebille> decathorpe, i was wondering if I can add jdeparser to SIG? :-) 16:16:34 <decathorpe> #topic jdeparser? 16:16:41 <sillebille> jdeparser was recently revived and it is up-todate with upstream version. 16:16:47 <decathorpe> that's the one I reviewed for you, right? 16:16:51 <sillebille> yeah 16:16:59 <decathorpe> yeah that's fine I think 16:17:06 <sillebille> \o/ 16:17:51 <sillebille> i guess, that's the end of my topic :) 16:18:03 <decathorpe> yeah it only needs jboss-parent, maven, junit 16:18:07 <decathorpe> that's completely fine 16:18:30 <sillebille> it's a pretty simple package. So, it won't be too much weight on our back 16:18:49 <mhroncok> sure, why not. but we need to note it as a permanent sig leaf 16:19:08 <decathorpe> I think it's required by dogtag-pki, so we won't break it anyway 16:19:34 <cipherboy> decathorpe: It is also a resteasy dependency I thought 16:19:42 <decathorpe> or that. 16:19:46 <decathorpe> so it's not a leaf :) 16:19:48 <cipherboy> decathorpe: mhroncok: So it shouldn't be a leaf, just something we forgot to move over. 16:20:01 <decathorpe> right. feel free to add the SIG group as admin 16:20:19 <decathorpe> I'll update the data in pagure later 16:20:25 <mhroncok> oh, ok 16:20:40 <sillebille> it's a direct dep of resteasy which is a dep of dogtag-pki :) 16:21:16 <decathorpe> alright! 16:21:22 <decathorpe> #topic Broken Dependencies 16:21:23 <sillebille> added the group! 16:21:38 <decathorpe> #link https://pagure.io/stewardship-sig/issue/59 16:24:24 <mhroncok> are those "abandoned" or mainatined packages? 16:24:38 <mhroncok> will they be orphaned with F31FTBFS? 16:24:46 <decathorpe> let me check 16:25:21 <decathorpe> forbidden-apis: no F31FTBFS bug 16:25:50 <decathorpe> jetty: no F31FTBFS bug 16:26:17 <decathorpe> maven-war-plugin: no F31FTBFS bug 16:26:56 <mhroncok> oh 16:26:57 <decathorpe> I think they were all broken after the F31 mass rebuild 16:28:14 <cipherboy> Jetty I don't think we are about any more in rawhide (post my changes merging). 16:28:30 <cipherboy> At least, nothing in the SIG still deps on it. 16:29:20 <decathorpe> I think so 16:30:24 <decathorpe> and as I noted, if forbidden-apis / randomizedtesting becomes a problem, we can just disable (parts of) the test suite in lz4-java 16:30:48 <mhroncok> so, maven-war-plugin is th eonly problem? 16:31:14 <decathorpe> maven-war-plugin is only a problem because of jetty. if we don't need jetty, then it's not a problem for us 16:31:38 <mhroncok> so, no problem at all actually? \o/ 16:31:55 <decathorpe> yes. just wanted to have it documented that we rely on some broken packages right now :) 16:32:02 <decathorpe> cipherboy: can I merge and build the jackson-jaxrs-providers PR? ;) 16:33:22 <cipherboy> decathorpe: Sure. 16:33:43 <cipherboy> decathorpe: Unless you want me to do the builds. 16:33:53 <decathorpe> I can do it. I've already done the xmvn 3.1.0 stuff :) 16:35:07 <decathorpe> #topic Open Pull Requests 16:35:16 <decathorpe> #link https://gist.github.com/decathorpe/6d67ffd8b78ae622601725ac8e400260 16:35:39 <decathorpe> this is an up-to-date list 16:36:32 <decathorpe> we already merged some PRs today, so this stuff is not urgent ... though I would like to get the plexus/maven stuff done soon-ish :) 16:37:29 * mhroncok won't be able to review plenty of PRs, but is interested in the templating-maven-plugin problem 16:37:41 <cipherboy> decathorpe: Ok, I'll start pruning down that list some more as I get time. 16:37:50 <cipherboy> What's the templating-maven-plugin problem, btw? 16:37:53 <decathorpe> yeah I have no idea how to solve that. and I don't know why gson would start depending on some ancient maven plugin ... 16:37:59 <decathorpe> it's using maven2 APIs 16:38:01 <cipherboy> Ah 16:38:58 <decathorpe> apache-commons-logging is not our package, but dropping support for avalon stuff there should let us drop two packages 16:39:19 <decathorpe> everything else is pretty straight-forward. 16:41:43 <cipherboy> Cool \o/ 16:42:09 <mhroncok> can we bisect gson and revert the commit that added the depndency? 16:43:43 <decathorpe> hm. good idea. 16:43:50 <decathorpe> it was added here to fix some android bugs ... https://github.com/google/gson/commit/d84e26d 16:44:40 <cipherboy> Can we just add a patch which reverts that one commit? 16:44:56 <cipherboy> Seems unlikely that anyone will be running gson from Fedora on Android... 16:45:19 <decathorpe> yeah I'll try :) 16:45:21 <decathorpe> good idea 16:46:30 <decathorpe> can RPM apply patches with -R? 16:46:35 <mhroncok> it can 16:46:47 <mhroncok> but you can just revertt the patch and use autosetup 16:46:58 <mhroncok> I can do that if you'd like 16:47:16 <decathorpe> eeeh using autosetup is weird with some Java stuff 16:48:30 <mhroncok> oh 16:48:41 <decathorpe> in this case it would work 16:48:55 <decathorpe> but in some specs, macros to modify sources are run before patches are applied ... 16:49:52 <decathorpe> alright, I'll work on getting gson fixed. there's nothing else from my side 16:49:56 <decathorpe> #topic Open Floor 16:50:27 <mhroncok> decathorpe: I'm testing gson 16:52:42 <cipherboy> decathorpe: I don't think I have anything else. 16:53:37 <sillebille> i did the package review on the templating-maven-plugin. This was my first review. So, that's good to be approved? 16:53:53 <sillebille> there was 1 issue reported by the fedora-review tool 16:54:04 <decathorpe> sillebille: yeah thanks, but we'll see if we actually need that package after all 16:54:27 <sillebille> okie dokie. I have nothing else! :-) 16:54:46 <decathorpe> mhroncok: yeah, I'm trying as well. but the revert doesn't apply cleanly 16:56:09 <mhroncok> decathorpe: I got it 16:56:40 <decathorpe> oh, great :) 16:58:47 <mhroncok> decathorpe: in https://src.fedoraproject.org/rpms/google-gson/pull-request/1 16:59:54 <decathorpe> thanks! squash how? 17:00:35 <mhroncok> decathorpe: git rebase -i origin/master --autosquah 17:00:43 <mhroncok> --autosquash 17:00:46 <decathorpe> heh. TIL :) 17:00:58 <decathorpe> so, time's up. thanks, guys! 17:01:01 <decathorpe> #endmeeting