17:00:35 <geppetto> #startmeeting fpc
17:00:35 <zodbot> Meeting started Thu Mar  5 17:00:35 2015 UTC.  The chair is geppetto. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:35 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
17:00:36 <geppetto> #meetingname fpc
17:00:36 <zodbot> The meeting name has been set to 'fpc'
17:00:36 <geppetto> #topic Roll Call
17:00:40 <tibbs|w> Howdy.
17:00:51 <tomspur> Ho.
17:01:10 <sgallagh> /me lurks for the eventual discussion of his draft
17:01:25 * limburgher here with occasional sprinklings of AFK
17:01:50 <geppetto> #chair tibbs
17:01:50 <zodbot> Current chairs: geppetto tibbs
17:01:53 <geppetto> #chair tomspur
17:01:53 <zodbot> Current chairs: geppetto tibbs tomspur
17:01:55 <geppetto> #chair limburgher
17:01:55 <zodbot> Current chairs: geppetto limburgher tibbs tomspur
17:02:17 <geppetto> mbooth and Rathan said they couldn't make it
17:02:57 * leamas wonders if #505 really is a duplicate
17:03:08 <orionp> Morning
17:03:14 <geppetto> #chair orionp
17:03:14 <zodbot> Current chairs: geppetto limburgher orionp tibbs tomspur
17:04:13 <geppetto> leamas: we normally do one ticket per. package
17:04:16 <limburgher> leamas:  On cursory reading I don't *think* so.
17:04:47 <geppetto> leamas: but I didn't realize that it was different bundles … so feel free to reopen
17:04:50 <leamas> They are very different situations...
17:04:55 <geppetto> ok, sorry
17:05:36 <leamas> geppetto: NP. Any chance we can make it today?
17:05:41 <geppetto> maybe
17:05:59 <geppetto> we got a bunch of new tickets this week, but we usually give priority to people who are here :)
17:06:19 <geppetto> Ok, going to start … as we have 5
17:06:27 <geppetto> #topic Schedule
17:06:30 <geppetto> https://lists.fedoraproject.org/pipermail/packaging/2015-March/010493.html
17:06:45 <geppetto> #info Also adding 505 to that
17:07:14 <geppetto> #topic #506 Guideline Draft: Service First-Time Setup
17:07:19 <geppetto> https://fedorahosted.org/fpc/ticket/506
17:07:23 <geppetto> sgallagh: you up :)
17:07:46 <sgallagh> OK, co-attending Go/No-Go
17:07:59 <geppetto> you want us to come back to this?
17:08:06 <sgallagh> Yeah, would you mind?
17:08:09 <geppetto> no problem
17:08:24 <geppetto> #topic #507 Bundled library exception request: acme files in tonto
17:08:29 <geppetto> https://fedorahosted.org/fpc/ticket/507
17:08:39 <geppetto> leamas: Ok, you up :)
17:09:19 <leamas> To be fair, I could see it either way, but packaging this old pile of code just for this dependency - well
17:09:32 <leamas> And to me, it actually looks like a copy-lib
17:09:40 <tibbs|w> I don't know; we still usually want things packaged like that.
17:09:45 <tibbs|w> I guess it's kind of a toss-up.
17:09:46 <orionp> There isn't a better image encoding library tonto could use?
17:10:19 <geppetto> yeh, that's the bit that worries me
17:10:27 <geppetto> IntHashtable seems like a no brainer
17:10:27 <leamas> probably dozens. But am I the right man to patch this java code
17:11:16 <leamas> You see some I don't with this encoding?
17:11:27 <leamas> s/some/something/
17:11:28 <tibbs|w> If this was an image _decoder_ I'd object pretty strongly.
17:11:36 <tibbs|w> As is, for Java, this isn't really much code.
17:11:40 * geppetto nods
17:11:49 <geppetto> Java code from 1996 :-o
17:12:01 <tibbs|w> However, the whole package is actually pretty large.
17:12:30 <geppetto> tibbs: which bit?
17:12:44 <tibbs|w> All of the acme library.
17:12:57 <tibbs|w> Well, "the entire Acme package".
17:13:06 <geppetto> tibbs: yeh, but just the bits they want to bundle seem small enough.
17:13:37 <tibbs|w> Other potential copies which are bundled:
17:13:39 <tibbs|w> moin
17:13:50 <tibbs|w> libitext (but we dropped that)
17:13:56 <tibbs|w> jas-plotter
17:14:29 * orionp remembers why he gave up packaging java code....
17:14:41 <tibbs|w> So I guess only the copy in moin.  Let me pull that apart.
17:15:30 <tibbs|w> Yep, IntHashTable.java is bundled in moin, but it's contrib and I'm not sure it makes it into the package.  Let me check.
17:15:48 <orionp> leamas - is tonto upstream responsive to requests?
17:15:55 <geppetto> I'm shocked that you can't have int hashtables in std. Java :-o
17:16:14 <leamas> Nope, he doesn't reply in any way :(
17:16:40 <leamas> And please, I didn't write that ...
17:16:48 <tibbs|w> Yeah, it makes it into the final package: /usr/lib/python2.7/site-packages/MoinMoin/web/static/htdocs/applets/TWikiDrawPlugin/twikidraw.jar
17:17:09 <tibbs|w> So, yeah, this I think would perhaps benefit from being packaged separately.
17:17:22 <leamas> tibbs: Are you saying that jar has IntHashtable?
17:17:26 <tibbs|w> And that's only what codesearch.debian.net turns up.
17:17:34 <tibbs|w> Yes, that jar has IntHashtable bundled.
17:17:44 <tibbs|w> https://codesearch.debian.net/results/Acme.IntHashtable/page_0
17:18:08 <tibbs|w> Or prep the moin package and look in moin-1.9.7/contrib/TWikiDrawPlugin/packages/Acme/
17:18:15 <leamas> I could live with packaging IntHashtable. But please, don't make me package the complete acme...
17:18:52 <orionp> no, we'd only package what we need
17:18:58 <tibbs|w> There's more acme stuff bundled, too.
17:19:29 <leamas> I was actually looking for a tool for scanning fedora sources.. you seem to have one?
17:19:31 <tibbs|w> scilab, jmol, xpilot-ng
17:21:00 <tibbs|w> So those four packages, at least.  And again, that's only what codesearch.debian.net finds.
17:21:16 <tibbs|w> One day maybe we'll have our own codesearch instance.
17:21:19 <tibbs|w> Anyway, so....
17:21:43 <tibbs|w> https://codesearch.debian.net/results/Acme.JPM/page_0 is the list.
17:22:41 <tibbs|w> Any other info I can provide?  Sorry I didn't run this before the meeting.
17:23:26 * orionp really wishes people didn't use "com.acme" as generic examples in comments....
17:23:33 <tibbs|w> I think doing this or something involving summershum should be part of the bundled lib application process.
17:24:04 <tibbs|w> But that's a different discussion.  What do we do here?
17:24:38 <tibbs|w> I can get behind a temporary exception while folks look into packaging this stuff, but I know so little about Java.
17:24:50 <geppetto> Well at the least all those packages should have bundle* provides
17:25:13 <geppetto> If they should actually package acme-inthashtable … meh
17:25:49 <geppetto> I'm certainly happy to +1 a 6 month exception while leamas speaks with the other package maintainers who are using this website
17:25:57 <tibbs|w> Yeah, I see the point.  But there's more stuff than just the hash table, and some of that is actual image decoding.
17:26:07 <geppetto> yeh
17:26:25 <geppetto> and on the other side inthashtable should be one of the easiest packages in the world :)
17:26:36 <tibbs|w> And image decoding with 20 year old bundled code scares me.  But that's not really the tonto packager's fault or business.
17:26:51 <geppetto> so I'm also happy to encourage everyone to package the bits of acme that they need
17:27:33 <tibbs|w> So, I'll +1 a one-release exemption (so revisit before F23 release) and at least get the bundled() provides on the affected packages.
17:27:37 <geppetto> Anyone want to vote on a 6 month exception for tonto while leamas speaks with other maintainers?
17:27:55 <tomspur> +1
17:28:08 <geppetto> orionp: limburgher: vote?
17:28:10 <orionp> packages like scilab seem to integrate ImageEncoder into their namespace
17:28:30 <tibbs|w> orionp: Yeah, it might be difficult to unbundle them, but it would be something that at least needs looking at.
17:28:30 <limburgher> +1
17:28:46 <geppetto> orionp: is it hard to do that if you don't bundle it?
17:28:54 <tibbs|w> Bundling requests always pull the worst stuff out of the woodwork.
17:28:55 * geppetto knows about as much Java as tibbs
17:29:11 <orionp> would require a patch to unbundle
17:29:36 <orionp> class package location changes
17:30:03 <leamas> Also, we don't know if they have changed it in this case.
17:30:51 <tibbs|w> Yes, that's  something that we'll have to look into.
17:30:56 <orionp> I guess I'm fine with an exception, but I'm skeptical this will get revisited/resolved
17:31:24 <tibbs|w> We can kick the can down a bit, get some bugs filed and at least shake the tree a bit.
17:32:13 <geppetto> orionp: So that a +1?
17:33:14 <orionp> yeah, +1
17:33:16 <geppetto> #action Temporary exception until F23 to bundle Acme in tonto, leamas to speak to other packages bundling Acme stuff. (+1:5, 0:0, -1:0)
17:33:40 <geppetto> #topic #505 Bundling exception request: osbaldeston BMP library in tonto
17:33:51 <geppetto> https://fedorahosted.org/fpc/ticket/505
17:34:29 <leamas> Well, contrary to 507, in my eyes this is clear-cut
17:34:36 <tibbs|w> So no way to even see the upstream.
17:34:37 <geppetto> So this reads/parses BMP files?
17:34:51 <tibbs|w> How can I see the files involved?
17:35:12 <leamas> wait...
17:35:49 <tibbs|w> There's kind of a paucity of info in the bundling request ticket.
17:36:21 <leamas> http://ur1.ca/jusnp
17:36:37 <tibbs|w> Just the one file?
17:36:42 <leamas> http://ur1.ca/jusnu
17:36:49 <geppetto> I guess given the fact that the upstream is gone, it's not really bundling anymore (as nobody else will be bundling it, so it's just part of tonto at this point)
17:36:59 <tibbs|w> I would tend to agree.
17:37:07 <tibbs|w> leamas: What are the actual filenames?
17:37:14 <geppetto> But I can't help but think that tonto should be using some better graphics APIs
17:37:14 <leamas> http://ur1.ca/juso1
17:37:24 <leamas> Three files, as stated in ticket
17:38:04 <tibbs|w> Oh, sorry, I needed to scroll down.
17:38:07 <geppetto> wow, 1998 again
17:38:13 <limburgher> I seconf geppetto.
17:38:16 <limburgher> seond
17:38:19 <limburgher> SECOND
17:38:21 <limburgher> Jesus. . .
17:38:25 <geppetto> limburgher: 3rd time the charm :)
17:38:41 <tibbs|w> +1 for an exemption.  I can't find anything at all about this on the Internet.
17:39:11 <geppetto> Yeh, I doubt I'd have even filed a bundling request ticket ;)
17:39:40 <tibbs|w> But the thing is bundled in other software packages.
17:39:49 <geppetto> it is?
17:39:57 <orionp> what's the license?
17:39:59 <geppetto> damn you and your software searching skills ;)
17:40:00 <tibbs|w> Yeah, just nothing we appear to package.
17:40:03 <geppetto> ahh
17:40:21 <tibbs|w> I mean, just ask google for PCBinaryOutputStream
17:40:41 <orionp> * @copyright Richard J.Osbaldeston (http://www.osbald.co.uk)
17:41:25 <tibbs|w> Yeah, that seems to be something Legal should look at if we approve the bundling on other grounds.
17:42:01 <tomspur> What is "HideInfo.rar": http://read.pudn.com/downloads54/sourcecode/crypt/187597/HideInfo/src/hideInfo/PCBinaryInputStream.java__.htm
17:42:20 <tomspur> Exact same code with copyright removed
17:42:30 <orionp> nice
17:42:41 <tibbs|w> prepared by the use of LSB image information hidden algorithm demo program, can be any size restrictions with the document for a split hidden bit of a non-compressed bmp image. Support for the hidden by the former category right zip compressed files
17:42:49 * tomspur knows, why not to look at java
17:43:02 <geppetto> :)
17:43:55 <geppetto> I'm still leaning toward just shrugging and +1'ing
17:43:57 <tibbs|w> Java went for a long time without a proper system for dealing with any kind of "module" in the sense that perl or python have, so people just embed whatever from wherever.
17:44:18 <tibbs|w> Yeah, still +1 here given the total lack of any upstream.
17:44:25 <tibbs|w> But it may not matter because of Legal.
17:44:33 <tomspur> http://lgdzjc.googlecode.com/svn/trunk/JCSystem/src/com/tjsoft/util/io/PCBinaryInputStream.java has copyright of 2003 and different author...
17:45:32 <limburgher> If the licensing is suspect and the author is in the wind we can't ship it at all. . .
17:45:36 <tibbs|w> If we can't come to a decision, we can revisit if Legal clear this.  Which they won't.
17:46:03 <orionp> I'm +1 for bundling, but obviously it's really a legal issue
17:46:48 <limburgher> Yeah, we can't really resolve this without legal's input.
17:47:01 <geppetto> limburgher: to be fair there may have been a giant "do what you want with it" on his website at some point
17:47:25 <tibbs|w> I'd really like to know why it falls on us to find this stuff.
17:47:39 <limburgher> geppetto:  True.  And if someone finds it in the Wayback Machine we're golden.
17:47:43 * geppetto shrugs … I'm happy to +1 it and have leamas speak with legal and upstream to see if it's usable
17:47:53 <orionp> we're the closest to the issue
17:48:06 <limburgher> tibbs|w: Because it gets missed in reviews, often buried deep inside the source.
17:48:22 <tomspur> geppetto: +1
17:48:39 <tibbs|w> I guess I'm just used to doing really thorough reviews.
17:49:21 <tibbs|w> So what else can we do here?
17:49:24 <limburgher> Me too.
17:49:42 <tibbs|w> I'd say close and reopen if legal clear this, unless we can somehow get to 5.
17:49:58 <tibbs|w> I think we're at +4.
17:50:08 <geppetto> tibbs: If you and limburgher +1 my proposal we can just close it and not think about it again :)
17:50:35 <tibbs|w> I did +1 six minutes ago.
17:50:39 <geppetto> fair enough
17:50:40 <limburgher> +1 then.
17:51:26 <leamas> And I thought this was clear cut "blushes"
17:51:26 <geppetto> #action leamas Bundling exception granted, but you need to speak with upstream and legal to see if we can ship it at all (+1:5, 0:0, -1:0)
17:51:48 <geppetto> #topic #500 Request for bundling exception: numptyphysics bundles Box2D = 2.0.1
17:51:48 <leamas> Thanks for your time
17:51:52 <geppetto> https://fedorahosted.org/fpc/ticket/500
17:51:54 <tomspur> leamas: on github seems to be version 1.48, which is newer than on the upstream webpage
17:51:57 <tomspur> leamas: https://github.com/stewartoallen/tonto
17:52:39 <tibbs|w> Heh, github links to http://giantlaser.com/tonto/ which has expired.
17:52:50 <tibbs|w> Dead upstreams bundling dead upstreams.
17:53:37 <limburgher> Sort of like the turducken of software.
17:53:42 <geppetto> limburgher: So you know what's going on with 500/221 ?
17:53:50 <limburgher> geppetto: headdesk
17:53:54 <geppetto> :) :)
17:54:03 <geppetto> https://fedorahosted.org/fpc/ticket/221
17:54:12 <tibbs|w> We were done, and then we weren't.
17:54:26 <geppetto> It looks like we kind of gave up, because it just went away
17:54:26 <limburgher> Yes, I do.  Like stated in the ticket, numptyphysics bundles a modified Box2D 2.0.1.
17:54:32 <geppetto> but then it rose from the dead
17:54:44 <limburgher> tibbs|w: Blame lkundrak. :)
17:54:45 <geppetto> does anything else?
17:55:12 <tibbs|w> Ticket says "unmodified".
17:55:17 <limburgher> I don't think so.  I tried making a compat-Box2D but numptyphysics couldn't use it.  Too much was changed.
17:56:13 <limburgher> Huh.  So now my memory is highly suspect.
17:56:15 <geppetto> Can't we just ship the version of Box2D that numpty uses (or is that what you tried to do)?
17:56:24 <limburgher> That's what I tried to do.
17:56:28 * geppetto nods
17:56:50 <limburgher> I had to unbundle freeglut, glui. . .
17:57:03 <tomspur> of which numptyphysics are we talking here?
17:57:15 <tomspur> This _looks_ newer: https://github.com/thp/numptyphysics
17:57:15 <limburgher> You mean the old version or the new one?
17:57:54 <sgallagh> Go/No-Go is over. Ping me when you're ready for me.
17:58:09 <geppetto> sgallagh: ok, prob. next up :)
17:58:19 <sgallagh> Cool
17:59:34 <tomspur> limburgher: where is the old or the new version...
18:00:26 <limburgher> The new is here: http://thp.io/2015/numptyphysics/
18:00:52 <limburgher> Old was here: http://numptyphysics.garage.maemo.org/
18:01:27 <limburgher> We were shipping the harmattan port which is gone.
18:01:31 <limburgher> https://github.com/harmattan/numptyphysics
18:03:38 <tomspur> thp seems to have a own repository, which is still active
18:04:51 <geppetto> We don't really need to go down the road of github forks of the week, unless one has fixed the Box2D thing
18:05:27 <tibbs|w> I'm +1 to bundling; this doesn't appear to be security sensitive and it's obviously modified.
18:05:59 <tibbs|w> Plus the "no stable ABI" thing makes it seem more like a copylib, though it's really too big for that.
18:06:18 <geppetto> And I'm still not sure what to do here … Box2D is pretty damn big, no one else is bundling/using it atm. … so I guess meh., ok and just add a bundle provide … and we can hope we don't get a second user :-o
18:07:23 <limburgher> No, it's not a copylib, it's one of those annoying "copy this into your codebase and do whatever because solibs are HARD" "libraries".
18:07:27 <geppetto> Ok, +1 … add the provide and hope we don't have to deal with a second user
18:07:34 <geppetto> limburgher: yeh
18:07:47 <orionp> +1
18:07:54 <limburgher> As the current POC I'll recuse myself unless I'm numerically required to vote.
18:08:35 <geppetto> limburgher: Well there are only 5 of us here today, so if you don't vote that's gonna be a problem for you :)
18:09:03 <limburgher> Ok.  I'll try to overcome my nausea.  What's the current tally?
18:09:04 <tomspur_> +1
18:09:15 <geppetto> +3 atm.
18:09:19 <tibbs|w> We need to decide on the bundled(???) tag for these when we approve them and get that into the action item.
18:09:38 <geppetto> tibbs: I assume bundled(Box2D) here
18:09:40 <limburgher> That was my next question.  And I seem to recall there's a wiki page to be updated.
18:10:00 <tibbs|w> geppetto: I just want to make sure we can all find these later without having to grep the meeting logs.
18:10:31 <limburgher> Agreed.
18:10:40 * geppetto nods … it should help now that I'm pasting the minutes in the ticket, so we can at least find the meeting it was discussed in easily
18:11:04 <tibbs|w> limburgher: When it gets to the writeup stage I generally put it all in the proper place in the wiki.
18:11:09 <geppetto> tibbs: I think you are the last to vote
18:11:19 <limburgher> tibbs|w: Cool.
18:11:26 <limburgher> geppetto: Other than me.
18:11:27 <tibbs|w> Sorry, voted +1 six minutes ago.
18:11:32 <limburgher> So it's +4?
18:11:37 <geppetto> tibbs: Oh, yeh, I see it now
18:11:41 <geppetto> limburgher: yeh
18:11:46 * limburgher holds nose
18:11:47 <limburgher> +1
18:12:09 <geppetto> #action limburgher Request for bundling exception: numptyphysics bundles Box2D = 2.0.1 (+1:5, 0:0, -1:0)
18:12:26 <geppetto> #topic #506 Guideline Draft: Service First-Time Setup
18:12:30 <geppetto> https://fedorahosted.org/fpc/ticket/506
18:12:35 <geppetto> sgallagh: Ok, you up again :)
18:12:56 <sgallagh> Hi folks!
18:13:01 <geppetto> My first thought on this was "what about packages that need to do this, but aren't a service"
18:13:27 <sgallagh> geppetto: Can you cite an example?
18:14:21 <geppetto> sgallagh: Well not really … yum does some stuff like this, but I don't think anything that matches exactly.
18:14:32 <sgallagh> geppetto: In %post?
18:15:06 <geppetto> sgallagh: Usually we've integrated the init stuff, so it runs when you first use it in yum
18:15:13 <sgallagh> I don't know of any non-service that does something like this in a machine-specific way
18:15:18 <tibbs|w> Personally I would like to see a more directed "packagers, do this".
18:15:44 <sgallagh> geppetto: "Note: this requirement can be waived if the equivalent functionality is incorporated as part of the service's own standard startup." I think covers that
18:15:45 <geppetto> But that also seems natural for services … so given they all don't do that, it stands to reason that not all non-services would either
18:15:51 <tibbs|w> With specfile snippets that can be used more directly.  Or having this all hidden behind scripts, because there's way too much stuff there now.
18:16:18 <sgallagh> As I noted on the ticket, maybe I should have made this two proposals.
18:16:20 <tibbs|w> Right now this isn't really a packaging guideline.
18:16:44 <sgallagh> One is to get machine-specific stuff out of %post, the other is to make sure that when we auto-generate self-signed certs, how we do it should be standardized.
18:16:52 <geppetto> Also you mentioned having scripts/macros somewhere … and I think that would help a lot. I'd be very worried about a bunch of packages copypasting those examples
18:17:03 <sgallagh> I *am* working on scripts, but the underlying implementation should be what's approved
18:17:12 <tibbs|w> Not by us, though.
18:17:28 <sgallagh> Let me rephrase.
18:17:43 <sgallagh> The implementation was reviewed by a couple security experts (Kai Engert and Miloslav Trmac)
18:18:08 <sgallagh> FPC's involvement should be "Yes or no: all packages should do it this way"
18:18:23 <sgallagh> or rather "all packags must do it the same way"
18:18:28 <sgallagh> /me can't type today
18:19:10 <geppetto> So, I'm happy to move this stuff out of %post
18:19:39 <geppetto> And the policy looks ok, from what I can see … though it's dense, and the examples are scary :)
18:20:07 <sgallagh> Well, the examples are heavily justified, since it's a complex topic.
18:20:08 <geppetto> But abusing ExecStartPre is def. on the meh. side
18:20:20 <sgallagh> I don't really agree with "abusing"
18:20:37 <geppetto> sgallagh: Yeh, I'm not saying to remove the examples … more like I'd be much happier if we were approving something that said "run script XYZ"
18:20:41 <sgallagh> The whole point of ExecStartPre is to handle stuff that needs to be done just before starting a service.
18:21:11 <tibbs|w> I don't think it's abusing, either.
18:21:17 <tibbs|w> This is pretty common.
18:21:17 <sgallagh> Otherwise, it would just be a different service with its own ExecStart and dependency links
18:21:33 <tibbs|w> But personally I see nothing there that says "make sure this is in my systemd unit".
18:21:43 <tibbs|w> Which is all I believe the packaging guideline should have.
18:21:43 <geppetto> Services can have multiple ExecStartPres?
18:21:47 <tibbs|w> Yes.
18:21:55 <sgallagh> geppetto: Yes, as many as you want.
18:21:56 * geppetto nods … thought so.
18:22:02 <sgallagh> Unclear if they're ordered
18:22:26 <tibbs|w> They are, but drop-ins make it less fun.
18:22:26 <geppetto> Can you think of any case where it'd matter?
18:23:01 <sgallagh> geppetto: Yes, if a service had a cert-generation script and another helper script that relied on that cert.
18:23:09 <sgallagh> Though that might be contrived.
18:23:13 <geppetto> fair enough
18:23:29 <sgallagh> In that case, I'd hope they'd just turn it into a single script though
18:23:34 * geppetto nods
18:24:48 <tibbs|w> Also, the order matters if one fails.
18:25:03 <geppetto> meh
18:25:04 <tibbs|w> Unless it's marked as being allowed to fail without failing the unit.
18:25:28 <geppetto> as for the open questions … IMO:
18:25:49 <geppetto> 1. I think Fedora as org. is fine, given that we'd be supplying the code which generates the certs.
18:26:19 <geppetto> 2. Having them be machine limited seems like a good idea … but I'm not sure I'm qualified to say if that must be true.
18:26:42 <geppetto> 3. Not sure
18:26:55 <sgallagh> 2. I think can be an adjustment made down the line.
18:27:18 <sgallagh> Since the signing key is destroyed as part of the implementation, it can't be used for anything but this single certificate anyway.
18:27:23 <tibbs|w> I guess hostname as org isn't reasonable.
18:27:28 <sgallagh> (Barring theft of the key, but all bets are off anyway)
18:27:36 * geppetto nods
18:27:41 <sgallagh> (If root is a thief, I mean)
18:28:25 <sgallagh> Regarding 3. I'm leaning more towards "yes".
18:28:28 <geppetto> tibbs: Don't you have problems if hostname is generic there? (like localhost)
18:28:35 <sgallagh> The specific example I can cite being openldap
18:29:08 <sgallagh> the openldap-clients subpackage generates an NSS database
18:29:16 <geppetto> sgallagh: What's the downside to yes for #3?
18:29:23 <sgallagh> The openldap-server database will then generate a self-signed cert and store it there.
18:29:29 <sgallagh> Making it *become* machine-specific.
18:29:47 <sgallagh> geppetto: Probably means that this affects a much larger set of packages.
18:30:04 <tibbs|w> That's what I wasn't sure, though the proposal has Fedora for the service certificate org and the hostname as the org for the CA.
18:30:40 <sgallagh> tibbs|w: The org for the CA is mostly like it is in order to ensure that it's unique for every generated cert.
18:30:59 <sgallagh> And so that it's clear to an admin if they manually import it which one they are importing
18:31:11 <sgallagh> (Such as if it was added to the Firefox CA list)
18:31:17 <sgallagh> That's what would be displayed on the screen
18:31:28 <sgallagh> The service certificate is less visible than the CA org
18:31:38 <geppetto> sgallagh: what about localhost?
18:31:42 <sgallagh> It's really only ever looked at when something is wrong with it :)
18:31:50 * geppetto nods
18:31:57 <sgallagh> geppetto: Hmm, that's a good question.
18:32:25 <sgallagh> We should probably check for localhost[.localdomain] and generate a random string or something.
18:32:34 * geppetto nods
18:33:04 <sgallagh> /me adds that to the open questions.
18:33:09 <sgallagh> I don't want to solve it in this meeting
18:33:30 <tibbs|w> Have to step out for a bit.
18:33:50 <geppetto> Also, kind of related, but if you install a VM with the same name N times … is it going to be impossible to find out which CA you are using?
18:34:09 <sgallagh> That's why there's a datestamp on it
18:34:18 * geppetto nods
18:34:23 <sgallagh> Hopefully you can figure out *when* you installed it (or reinstalled it)
18:34:28 <geppetto> :)
18:35:55 <geppetto> Well I think I'm +1 on the whole thing, although a lot of that is because you wrote it and not a random person :)
18:36:11 <geppetto> orionp: limburgher: tomspur_: Any comments?
18:36:15 <tibbs|w> I agree with all of it, I just don't think that what's there is a packaging guideline.
18:36:28 <sgallagh> The localhost thing is going to be troublesome... I need to think on that.
18:36:41 <orionp> no
18:36:43 <sgallagh> geppetto: Thanks for the vote of confidence :)
18:36:46 <geppetto> #action sgallagh Need to solve the localhost problem
18:37:04 <tibbs|w> Because if I had to do this for a service I maintain, I'd still have absolutely no idea what I would need to do.
18:37:18 <tibbs|w> And.. I actually need to do this for a service I co-maintain.
18:37:29 <sgallagh> tibbs|w: That's a fair point.
18:37:34 <geppetto> tibbs: Yeh, if you mean you worry about people being able to follow it well … but I'm not sure how much of that is just because whenever I've had to do anything with certs I wanted to hurt someone, often myself.
18:37:40 <sgallagh> I can add a "quickstart" section I suppose
18:37:57 * tomspur_ is lost and doesn't think that he can comment much here
18:38:10 <sgallagh> And like I said, I'm working on simple scripts, but I've been held up by Fedora 22 Alpha stuff this week
18:38:20 * geppetto nods
18:39:09 <geppetto> Ok, well maybe treat this as a "probably +1" and come back when you've got scripts/macros?
18:39:14 <sgallagh> OK, so how about this: I'll try to tweak it to include a better "Here's what you have to do" section for packagers and see if I can solve the localhost problem.
18:39:20 <sgallagh> And come back in a week or two.
18:39:25 <geppetto> sounds great, to me
18:40:30 <geppetto> Ok, is anyone desperate to do 502 or 503 today?
18:41:17 <geppetto> #action sgallagh include a better "Here's what you have to do" section.
18:41:19 <tibbs|w> I think 502 is probably done.
18:41:37 <tibbs|w> I mean, what they have now looks like it would work and doesn't involve is.
18:41:39 <tibbs|w> us
18:41:48 <geppetto> So we can just close it?
18:42:00 <geppetto> #topic #502 Temporary exception for DHCP being built using bundled BIND libraries in Fedora 22+
18:42:06 <geppetto> https://fedorahosted.org/fpc/ticket/502
18:42:32 <geppetto> #action Can just close this, as it doesn't involve us anymore.
18:42:35 <limburgher> Sorry, called away, reading. . .
18:42:44 <geppetto> #topic Open Floor
18:43:16 * tomspur__ seems to constantly reconnect today...
18:43:53 <sgallagh> tomspur__: F22?
18:44:06 <tibbs|w> geppetto: I think we can close and ask them to reopen if they decide that solution doesn't work.
18:44:16 * geppetto nods
18:44:35 <tibbs|w> But frankly I'd be open to them bundling bind as well, going from our "has an active security team upstream" exception.
18:44:43 <tibbs|w> Which, bloody hell, those never got written down.
18:44:54 <tibbs|w> I'm going to grep all of the meeting logs and find that discussion.
18:44:57 <tomspur__> sgallagh: yes
18:45:42 <sgallagh> tomspur__: Fixed in the latest NM build
18:46:18 <sgallagh> NetworkManager-1.0.0-7.fc22.x86_64 has it sorted
18:46:29 <tomspur__> sgallagh: thanks will try it out then :)
18:47:02 <tibbs|w> I will say for the record that I do not understand the issue in #503.
18:47:54 <geppetto> I think it's just about package naming
18:47:58 <geppetto> but not 100% sure
18:48:51 <geppetto> but unless you really want to dig into it, I think it can wait a week :)
18:48:53 <tibbs|w> I guess if they make a proposal...
18:49:20 <tibbs|w> I doubt we would say no unless the names are really crazy.
18:49:24 * geppetto nods
18:50:03 <geppetto> Ok, I'm going to close … thanks for coming everyone and enjoy your "lunch" :)
18:50:21 <tibbs|w> Thanks.  I'll continue to do writeups and hopefully finish them up today.
18:50:21 <sgallagh> Thanks for the feedback guys. It was helpful.
18:50:31 <tibbs|w> Pretty much back on my feet now.
18:51:11 <geppetto> tibbs: cool. I think everyone has been sick this year :(
18:51:37 <tibbs|w> Yeah, my wife had the flu vaccine and still got multiple flu strains at once.
18:54:04 * geppetto nods :(
18:54:11 <geppetto> #endmeeting