16:00:21 <geppetto> #startmeeting fpc
16:00:21 <zodbot> Meeting started Thu Oct  2 16:00:21 2014 UTC.  The chair is geppetto. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:21 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:21 <geppetto> #meetingname fpc
16:00:21 <zodbot> The meeting name has been set to 'fpc'
16:00:21 <geppetto> #topic Roll Call
16:00:35 <geppetto> abadger1999 geppetto tibbs|w limburgher Rathann SmootherFr0gZ RemiFedora racor spot: FPC ping
16:00:38 <tibbs|w> Howdy.
16:02:39 <geppetto> #chari tibbs|w
16:02:42 <geppetto> #chair tibbs|w
16:02:42 <zodbot> Current chairs: geppetto tibbs|w
16:02:47 <geppetto> hey
16:03:19 <tibbs|w> Yeah.  Looks like another exciting meeting.
16:03:25 <geppetto> Yeh, I won't be shocked if we don't get qurom
16:03:34 <geppetto> FPC ticket didn't come up at the FESCO meeting
16:04:02 <geppetto> not sure if nirik spoke to people outside the meeting and they decided to drop it, or just ran out of time
16:04:15 <nirik> oh, might not have had meeting keyword?
16:04:21 <nirik> so it got missed. ;)
16:04:22 <geppetto> ahh, maybe
16:04:25 * geppetto nods
16:05:12 <geppetto> #chair racor
16:05:12 <zodbot> Current chairs: geppetto racor tibbs|w
16:05:50 <tibbs|w> We really need to get Orion on board sooner rather than later.  I just don't know what else needs to happen before that's done.
16:05:59 <geppetto> abadger1999 limburgher Rathann SmootherFr0gZ spot: FPC ping
16:06:00 * racor is here, but it's not unlikely, I'll have to quit suddenly and early.
16:06:34 <geppetto> tibbs|w: yeh, rathann was dealing with it right?
16:06:45 <geppetto> wasn't here last week either
16:07:08 <geppetto> Not sure what's happened to limburgher or SmootherFr0gZ either
16:07:19 <geppetto> #chair Rathann
16:07:19 <zodbot> Current chairs: Rathann geppetto racor tibbs|w
16:07:28 <geppetto> hey … just the man we needed :)
16:07:30 <Rathann> hi
16:07:38 <Rathann> yes
16:07:54 <geppetto> What else needs to happen for Orion to get his seat?
16:08:29 <racor> in the past, we conducted a formal vote on email
16:08:51 <geppetto> racor: We already did that, right?
16:08:51 <tibbs|w> I thought that's what all of the +1s were.
16:09:06 <Rathann> well, the question is do we vote again on Orion's application? I have another three candidates to vote on (I'll send their applications to current FPC members shortly)
16:09:33 <geppetto> I thought we'd already voted on Orion
16:09:37 <Rathann> yes we did
16:09:55 <racor> Well, we can treat it as such.
16:09:57 <Rathann> and I'm perfectly fine with that
16:10:08 <geppetto> me too
16:10:15 <Rathann> ok
16:10:22 <geppetto> Feel free to send the other three to the list
16:10:32 <geppetto> well, list of people
16:10:34 <Rathann> I've been gathering some additional info on the other three applicants
16:10:38 <geppetto> cool
16:11:18 <racor> my original posting actually was to announce orion had agreed to be nominate as a candidate.
16:13:04 <geppetto> fair enough … but from the response it seemed like that was a "yes, give that man a seat" ;)
16:14:13 <racor> geppetto: ACK
16:16:13 <tibbs|w> So what do?
16:16:41 <geppetto> We have 3 new tickets
16:16:48 <geppetto> but we can only give them +4 at most
16:17:38 <tibbs|w> I guess just toss them out, so we can at least get something done.
16:18:03 <geppetto> #topic #456	Packaging:Guidelines#Configuration_of_Package_Managers does not mention fedora-repos or epel-release
16:18:07 <geppetto> https://fedorahosted.org/fpc/ticket/456
16:18:42 <tibbs|w> Certainly mention fedora-repos.  Not sure why the EPEL folks can't add their package to their guidelines.
16:18:44 <geppetto> this seems a pretty trivial case of rel-eng changing the package names
16:19:00 <tibbs|w> Yes, definitely just fix this for fedora-repos.
16:19:58 <geppetto> #action Rel-eng Package rename, trivial: #456 Packaging:Guidelines#Configuration_of_Package_Managers does not mention fedora-repos or epel-release
16:20:26 <geppetto> tibbs|w: Can you do the change on the wiki?
16:20:58 * limburgher is here, finally.
16:21:02 <tibbs|w> Yeah, let me take care of that now..
16:21:03 <geppetto> #chair limburgher
16:21:03 <zodbot> Current chairs: Rathann geppetto limburgher racor tibbs|w
16:21:14 <geppetto> And then there were 5!
16:21:48 <geppetto> #topic #457 	Wiki page about 'Starting services by default' is not linked
16:21:53 <geppetto> https://fedorahosted.org/fpc/ticket/457
16:22:52 * nirik notes he can add/remove FPC folks to edit the packaging part of the wiki. Just let me know if anyone needs added/removed.
16:22:55 <geppetto> pretty sure this is an old page that hasn't been updated in forever
16:24:30 <geppetto> I know it's not correct for current systemd … so is that going through FESCo and on another page, or just up to the whims of systemd devs?
16:24:56 <tibbs|w> Yeah, anyone can make any random page they want.  I don't see the point in this ticket at all.
16:25:13 <geppetto> Well, it was last editted in 2012 by notting
16:25:32 <geppetto> So it was probably proposed to be an official page
16:25:33 <limburgher> Is the list still current?
16:25:42 <Rathann> someone also noticed that the second condition is a subset of the first one
16:25:47 <limburgher> I though there had been updates since then.
16:25:48 <geppetto> limburgher: see my comments above … tl;dr no
16:25:57 <tibbs|w> I really doubt that list is correct.  But it's not really our business.
16:26:10 <racor> I could be wrong, but IIRC we once agreed upon to leaving which services to be "enabled/disabled by default" undefined in the FPG and the final decisions to FESCO?
16:26:20 <geppetto> yeh
16:26:34 <tibbs|w> Yes, that's the case.
16:26:59 <Rathann> i.e. runs once then goes away without listening on network sockets is a subset of "doesn't listen on network sockets"
16:27:07 <tibbs|w> Anyway, the only real answer to this ticket is "no, we don't need to link to that old page".  I guess we could be kind and delete the page, even though it's not one of ours.
16:27:08 <limburgher> Is there a more current page we *could* link to and make this one go away?
16:27:18 <Rathann> racor: true, but it still should be documented I guess?
16:27:51 <Rathann> reminder for the voters: we have two seats to fill
16:29:58 <geppetto> limburgher: appears not … https://fedoraproject.org/wiki/Features/PackagePresets
16:30:06 <geppetto> limburgher: Seems it's just inside systemd
16:30:32 <limburgher> Frick.
16:31:31 <limburgher> So is the list not documented at all?  Would we be able to get someone from FESCO to research and update?  Once that happened I'd be ok with linking from say, here: https://fedoraproject.org/wiki/Packaging:Guidelines#Systemd
16:31:58 <geppetto> yeh, it'd be nice if it was more visible
16:32:26 <geppetto> but we'd need some way to make sure the systemd data wasn't different anyway
16:33:11 <Rathann> geppetto: systemd presets, you mean
16:33:18 <geppetto> yeh
16:33:25 <geppetto> the data for the presets shipped in systemd
16:34:02 <geppetto> or maybe it's shipped in the release package?
16:35:18 <tibbs|w> All I know is that it isn't controlled by us.  We should certainly note in the ticket that there's no value in linking to that page because it doesn't reflect reality.
16:37:28 * geppetto nods
16:37:46 <nirik> note that the systemd folks are fine with moving it somewhere else.
16:37:51 <nirik> that just never happened. ;)
16:37:52 <limburgher> Since it's FESCO's job, should we file a trac with them to update it?
16:38:12 <Rathann> yes
16:38:14 <geppetto> #action Close ticket, old unused page: #topic #457  Wiki page about 'Starting services by default' is not linked
16:38:29 <geppetto> I closed the ticket
16:38:48 <Rathann> and probably add presets to fedora-release{,-server,-workstation,-cloud}
16:38:52 <geppetto> If someone knows how to mark the page as "don't believe anything here" that'd probably be nice.
16:39:01 <Rathann> and move them out of systemd package
16:39:12 * geppetto nods
16:39:28 <geppetto> #topic #458 	Man page scriplets
16:39:29 <geppetto> https://fedorahosted.org/fpc/ticket/458
16:39:48 <tibbs|w> I don't know about this.
16:40:01 <tibbs|w> How often do you have to manually install manpages?
16:40:19 <tibbs|w> In my experience it's pretty rare.
16:40:35 <limburgher> I've had to do it a fair bit but it's not the norm.
16:40:57 <Rathann> relatively rare IME as well
16:41:09 <geppetto> yeh, I mean it's not even much of a snippet … one line obvious install command
16:41:17 <tibbs|w> Now, I think it's worth mentioning the files section, and noting that you must not compress manpages.
16:41:36 <tibbs|w> Is there really a need to mention that foo.1 goes in man1?
16:41:56 <limburgher> You'd be amazed.
16:42:11 <Rathann> in theory, saying that package must be FHS-compliant should take care of that
16:44:39 <Rathann> I'm +1 to mentioning that manpages must not be compressed manually in %install or anywhere else, but 0 to adding the scriptlet
16:44:59 <tibbs|w> Let me see if I can bodge something together.
16:45:07 <geppetto> yeh, also +1 to mentioning that man pages in %files should have * as a suffix
16:45:21 <geppetto> as I can't find that mentioned explicitly anywhere
16:48:34 <tibbs|w> So I'll try and come up with a short revamp of that guideline section tonight.
16:48:43 <geppetto> ok, fair enough
16:49:17 <geppetto> #action Tibbs to write changes for policy: #458  Man page scriplets
16:49:31 <geppetto> #topic #453     Changes/SystemdSysusers updates for Packaging:UsersAndGroups
16:49:38 <geppetto> https://fedorahosted.org/fpc/ticket/453
16:49:47 <geppetto> limburgher: this one is just for you, as everyone else has voted
16:50:22 <geppetto> proposal was:
16:50:23 <geppetto> PROPOSAL: We don't mind moving from calling adduser, to having files installed that specify that information (maybe this implementation, maybe another). Also we don't mind someone testing a small number of packages to shake problems out of this implementation, and then they can come back with a real policy change. Would also be helpful to have a better revert plan than change all the rpms again.
16:50:39 <Rathann> ah, that
16:50:50 <limburgher> Sorry, got called away a moment. . .
16:50:54 <geppetto> no problem
16:50:56 <Rathann> +1 to that proposal
16:51:09 <geppetto> Rathann: Yeh, you already voted :)
16:51:17 <limburgher> +1
16:51:19 <Rathann> right...
16:51:25 <geppetto> limburgher: http://meetbot.fedoraproject.org/fedora-meeting-1/2014-09-11/fpc.2014-09-11-16.03.log.html and search for 453, if you want to see everything said
16:51:28 <geppetto> cool
16:51:54 <geppetto> #action #453     Small number of packages to test new sysusers user creation code (+1:5, 0:1, -1:0)
16:52:21 <geppetto> #topic #452     Crypto policies packaging guideline
16:52:30 <geppetto> https://fedorahosted.org/fpc/ticket/452
16:52:31 <tibbs|w> Progress!
16:52:45 <geppetto> There were some responses here
16:53:56 <geppetto> Remi was the one who thought PHP couldn't be made compliant, right?
16:54:31 <geppetto> yeh
16:55:49 <limburgher> What was the issue there, in a nutshell?
16:56:57 <geppetto> they want everyone to call openssl/gnutls in a specific way for the codecs
16:57:16 <geppetto> for the codecs configuration, that is
16:59:41 <tibbs|w> So what to do here?
16:59:52 <geppetto> trying to run the repoquery
16:59:59 <geppetto> see how many packages are affected
17:00:03 <tibbs|w> I'm still of the opinion that this is sufficiently easy to get wrong that we shouldn't leave this to the package review process.
17:00:33 <limburgher> Yeah, if bundled libs get through, crypto issues certainly will.
17:01:40 <tibbs|w> The thing is, bundled libs are a bad issue but not as directly security-impacting as this crypto thing.
17:01:49 <limburgher> Exactly.
17:02:01 <tibbs|w> So someone's still going to have to scan the collection for vulnerabilities.
17:02:03 <limburgher> Reinforcing your point.
17:02:49 <tibbs|w> Which means that either than can hand over their tool for use in package reviews, or there's not much point in trying really hard to do this at review time.
17:03:58 <geppetto> So I don't think I mind the policy apart from the line "Each application being added in Fedora must be checked to comply with the policies"
17:04:28 <geppetto> Which implies that package reviewers can easily do this
17:05:21 <tibbs|w> So, a checklist that package reviewers can follow would be reasonable.
17:05:25 <geppetto> If they just put it as "this is what a crypto using app. should do in Fedora" … and then security or whoever checks occasionally
17:05:51 <geppetto> that seems … fine, I guess. Although Remi said he didn't think PHP could comply
17:06:02 <tibbs|w> "Does it buildrequire one of these packages?"  "If so, run this grep over an unpacked source tree."
17:06:19 <limburgher> It's not like we could just add a feature to rpmlint to scan code, there have got to be a large number of wrong ways to use crypto. . .
17:06:20 <geppetto> Yeh, maybe
17:06:33 <geppetto> I mean I'm not sure I'd trust what comes out of that … but it's something
17:06:52 <geppetto> Also http://fedoraproject.org/wiki/Changes/CryptoPolicy implies configuration, which is directly opposite of what they said in the ticket
17:07:47 <geppetto> Hmm … their feature even says "There should be no upgrade/compatibility issues. Programs that use their own strings will continue to work as before, although they will not adhere to system's policy. "
17:09:24 <tibbs|w> I guess this isn't as clear cut as the ticket indicates.
17:10:59 <tibbs|w> I'm not sure what to do here.  I'm generally against placing really complicated security stuff in the hands of package reviewers.  With a checklist it could be reasonable to flag a package for review by someone who understands what's going on, and I'd support that kind of thing.
17:11:01 <geppetto> so a --whatrequires on openssl-libs on unique package names gives me over 800 packages in F20
17:11:15 <tibbs|w> Yep.
17:12:25 <tibbs|w> I mean, for something as difficult as licensing, we have the legal list and the FE-Legal blocker so if a package reviewer sees anything they don't understand, it's easy to get trained help.
17:12:38 * geppetto nods
17:13:35 <tibbs|w> But previous comments indicated that this kind of thing "cancels the change request".  So....
17:14:53 <geppetto> yeh, I can kind of understand their desire … but you can't really say "your code must look like this, and you guys have fun changing all the packages to do that"
17:15:27 <geppetto> I guess they can propose a similar policy as a "should"
17:15:41 <geppetto> or they can come up with a few people who will help out?
17:16:16 <geppetto> anyone else have ideas?
17:17:16 <tibbs|w> I think I've said all I can.  If someone wants me to summarize, I could do that.
17:18:27 <Rathann> security is a complex issue and our guidelines are complex enough as they are
17:18:36 <Rathann> not all package maintainers are programmers
17:19:10 <Rathann> and of those that are, not all are proficient in crypto library APIs
17:19:41 * geppetto nods
17:20:50 <geppetto> So do we just say no? … or you need to come up with GCC patches like -Wsystem-crypto or something?
17:22:30 <limburgher> So we could have a hardened_build sort of thing?  Only mandatory, without the macro?
17:22:50 <tibbs|w> If there was a tool (or even an rpmlint  extension) that we could reasonably trust to get this right, along with a documented avenue for getting expert help, I'd be perfectly happy with mandating it.
17:23:14 <geppetto> #action Need different policy that's easier to comply to or just advice, all reviewers/packagers aren't C programers and there are a lot of openssl using packages.
17:23:18 <geppetto> Ok, I'll update the ticket
17:23:21 <Rathann> well, assuming these (https://fedoraproject.org/wiki/User:Nmav/CryptoPolicies) are the only API calls to set ciphersuite in openssl and gnutls, I'd be +1 to adding that to FPG, provided the text about configuration files is clarified with an example and that help venues are given (i.e. link to fedora-securit mailing list)
17:24:52 <geppetto> #topic Open Floor
17:25:24 <Rathann> I'd like to welcome orionp
17:25:29 <geppetto> orionp: Hey, welcome
17:25:37 <geppetto> Rathann: jinx ;)
17:25:39 <orionp> Hello
17:25:40 <racor> orionp: Welcome
17:27:33 <geppetto> orionp: So you'll be here at 16:00 UTC next week?
17:27:34 <limburgher> orionp: Norm!
17:27:40 <tibbs|w> Time to update my watched nick list.
17:27:50 <orionp> Sorry, I missed most of the meeting today - I take it I've been accepted?
17:28:09 <geppetto> I think it's all but publically official atm.
17:28:34 <orionp> Shouldn't be a problem making the meetings
17:28:41 * geppetto nods … cool.
17:31:05 <geppetto> Anything else?
17:31:27 <geppetto> If not I'll close the meeting at 17:35
17:32:11 <limburgher> I have nothing.
17:32:20 <tibbs|w> Nothing from me.
17:32:35 <limburgher> Just my apologize for flaking out on so many meetings lately, life's been complicated.
17:32:54 <Rathann> same here
17:33:06 <limburgher> And my apparently inability to use English.
17:33:11 <limburgher> Or apparent.
17:33:13 <limburgher> Jeebus.
17:33:35 <geppetto> :)
17:34:51 <geppetto> Well hopefully with orionp we'll be able to have quorum every week
17:35:12 <geppetto> Esp. so if we pickup 2 more people
17:35:32 <geppetto> Anyway, thanks for turning up this week and discussing / voting :)
17:35:40 <geppetto> #endmeeting