#fedora-meeting-1 log

16:01:51 <geppetto> #startmeeting fpc
16:01:51 <zodbot> Meeting started Thu Jun 25 16:01:51 2015 UTC.  The chair is geppetto. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:01:51 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:01:51 <geppetto> #meetingname fpc
16:01:52 <geppetto> #topic Roll Call
16:01:52 <zodbot> The meeting name has been set to 'fpc'
16:02:29 <gbcox> sitting in the back row today
16:02:49 <geppetto> tibbs: I've seen you this morning, you can't hide ;)
16:02:59 <tibbs|w> Howdy.
16:03:07 <tomspur> Hi
16:03:07 <tibbs|w> I know orion was around, too.
16:03:14 <orionp> hello
16:03:16 <geppetto> #chair tibbs
16:03:16 <zodbot> Current chairs: geppetto tibbs
16:03:19 <geppetto> #chair orionp
16:03:19 <zodbot> Current chairs: geppetto orionp tibbs
16:03:23 <geppetto> #chair tomspur
16:03:23 <zodbot> Current chairs: geppetto orionp tibbs tomspur
16:04:28 <geppetto> limburgher mbooth racor Rathann SmootherFr0gZ: FPC ping
16:04:42 * geppetto aware mbooth said he couldn't make it
16:05:12 * SmootherFrOgZ here
16:05:26 <geppetto> #chair SmootherFrOgZ
16:05:26 <zodbot> Current chairs: SmootherFrOgZ geppetto orionp tibbs tomspur
16:06:04 <geppetto> #topic Schedule
16:06:08 <geppetto> https://lists.fedoraproject.org/pipermail/packaging/2015-June/010749.html
16:06:35 <tibbs|w> I actually did some things last week, but not enough.
16:06:35 <geppetto> Ok, can the people not here quickly vote on 281, 541, 542
16:06:48 <geppetto> That's orionp and SmootherFrOgZ  … I think
16:06:52 <tibbs|w> I mostly wrapped up my project for the moment, so I do have some more time.
16:06:59 <geppetto> #topic #281 	New Python Macros for Easier Packaging
16:07:00 <geppetto> .fpc 281
16:07:00 <geppetto> https://fedorahosted.org/fpc/ticket/281
16:07:02 <zodbot> geppetto: #281 (New Python Macros for Easier Packaging) – fpc - https://fedorahosted.org/fpc/ticket/281
16:07:47 <geppetto> see the diff. in comment 24:
16:07:55 <geppetto> https://fedoraproject.org/w/index.php?title=User%3ATomspur%2FPackaging%3APython&diff=cur&oldid=414855
16:08:38 <SmootherFrOgZ> I recall of this one and still +1
16:08:38 <tibbs|w> Though, remember, the big chunks of that diff are already applied.
16:09:07 <tibbs|w> The first two bits and the last one are all gone from the guidelines already.
16:09:44 <geppetto> ahh
16:10:19 <geppetto> orionp: vote?
16:10:59 <orionp> Shoulldn't we document py_shbang?
16:11:22 <tibbs|w> We should, but we're sort of doing an incremental thing.
16:11:51 <orionp> So another round of cleanup/clarifications coming?
16:12:00 <tibbs|w> "another".
16:12:09 <tibbs|w> More like three or four.
16:12:32 <tibbs|w> I'm batching the announcements so as to not have packagers on a treadmill.
16:13:11 <tibbs|w> Since this wholly bones EPEL at the moment, too, I'm working with them to get these macros down into their packaging as well.
16:13:34 * tomspur thought we can push it to the epel-macros package?
16:13:47 <tibbs|w> Yes, maybe.
16:13:50 <orionp> So I don't quite follow this partcular update - we're voting on the python macros, but not actually documenting using them except for in an admonition?
16:14:13 <tibbs|w> I don't think we really have to fully expand them in the guideline.
16:14:55 <tomspur> Yeah, I should really add them into an admonition. Yet it would be nice to get this trough, so that I'm able to push a new python package with the macros (this will also quite some time to set everything up)
16:14:57 <tibbs|w> But, yeah, once this all gets settled, doing a documentation block for all of them will be a good idea.
16:15:12 <tibbs|w> tomspur: I don't think getting these pushed should wait on FPC.
16:15:15 <Rathann> hi, sorry for being late
16:15:22 <geppetto> #chair Rathann
16:15:23 <zodbot> Current chairs: Rathann SmootherFrOgZ geppetto orionp tibbs tomspur
16:15:24 <geppetto> no problem
16:15:24 <tibbs|w> I mean, we don't disagree on the macros themselves.
16:15:45 <tomspur> tibbs|w: I thought if the macros are not approved, they should not get pushed
16:15:45 <geppetto> Rathann: starting out getting the remaining votes on the couple of tickets from last week
16:15:59 <geppetto> Rathann: So not much to do for another 5-10 mins.
16:16:01 <tibbs|w> Rathann: scrollback at http://fpaste.org/236636/52489531/
16:16:12 <Rathann> thanks
16:16:35 <orionp> Yeah, the macros are fine, as are the changes to the guidelines.  But we have approved some macros, but have no documentation on how they are used
16:17:55 <tibbs|w> Except the sample spec.
16:17:56 <orionp> oh, wait, bad searching
16:18:20 <tibbs|w> For now that's sufficient documentation for me but you're right that we should probably expand on it a bit once things settle down.
16:18:33 <orionp> Sorry, I'm +1
16:19:03 <orionp> god, there's so much to clean up here....
16:19:03 <geppetto> #action New Python Macros for Easier Packaging, py2_build/py2_install/etc. (+1:6, 0:1, -1:0)
16:19:22 <geppetto> #topic #541 	Package Naming Guidelines - Clarification Required
16:19:23 <geppetto> .fpc 541
16:19:23 <geppetto> https://fedorahosted.org/fpc/ticket/541
16:19:24 <zodbot> geppetto: #541 (Package Naming Guidelines - Clarification Required) – fpc - https://fedorahosted.org/fpc/ticket/541
16:19:54 <geppetto> This one seemed trivial … can put packages into Fedora all lowercase when upstream uses mixedcase.
16:20:21 <geppetto> But that's IMO.
16:20:26 <tibbs|w> It's slightly stronger than "can".  The proposal is linked in comment 8.
16:20:39 <Rathann> tomspur: you removed the note about pygtk2 missing a numpy dependency and I see the gnome bug is still open
16:20:57 <tibbs|w> Rathann: that was me; that bit has been gone for a while.
16:21:01 <Rathann> ah
16:21:01 * Corey84 hangs out in back
16:21:03 <tibbs|w> He just didn't re-diff.
16:21:20 <Rathann> ok, but the issue in the note is still valid
16:21:23 <Rathann> isn't it?
16:21:50 <tibbs|w> Rathann: I talked to the people involved and the consensus was that yes, it's still a bug but not worth bloating the guidelines over it.
16:21:59 <Rathann> ok
16:22:10 <Rathann> +1 from me as well, then
16:22:28 <tibbs|w> It's come up precisely zero times since we added that thing years ago.
16:22:31 <SmootherFrOgZ> +1 here too
16:25:35 <geppetto> orionp: vote?
16:25:52 <geppetto> Rathann: Not sure what your +1 is for … you voted on both of these last week, right?
16:26:00 <orionp> I think I'm -1
16:26:00 <Rathann> no
16:26:08 <Rathann> geppetto: I was absent last week
16:26:12 <geppetto> Oh, sorry
16:26:29 <Rathann> geppetto: my +1 was for #281
16:26:35 <geppetto> So your +1 is for 541?
16:26:38 <geppetto> Ok
16:26:55 <geppetto> #undo
16:26:55 <zodbot> Removing item from minutes: <MeetBot.items.Link object at 0xa043b50>
16:27:08 * geppetto has no idea what that did :(
16:27:40 <geppetto> orionp: You are -1 on the lowercase naming?
16:27:55 <orionp> yeah
16:28:02 <geppetto> Why?
16:28:36 <orionp> Why should they be lower case?
16:28:37 <tibbs|w> I didn't really intend to change the meaning, just move the bit about case to the front.
16:28:58 <tibbs|w> Command line user experience is far better with consistent casing.
16:29:09 <geppetto> Yeh, that
16:29:19 <Rathann> I'm +1 to #541
16:29:31 <geppetto> And it's not like it would be sane to have MySQL package and a mysql package.
16:29:39 <orionp> But we're not consistent - and I don't ever see us there (NetworkManager)
16:30:03 <tibbs|w> The fact that dumb things have been done in the past is no reason to keep doing dumb things in the future.
16:30:03 <geppetto> yeh, but this is a step in the direction of not being more inconsistent
16:30:23 <geppetto> or what tibbs said
16:30:32 <tibbs|w> And every bloody time I have to type NetWorKManaGer or whatever, I get slightly more annoyed.
16:30:56 <tibbs|w> And people used to run into the mysql thing all the time.
16:31:14 <tibbs|w> Now, there are still huge exceptions.  Like Perl will always have mixed-case package names.
16:31:15 <geppetto> Anyway … still a -1 orionp ?
16:31:17 <orionp> I'm not sold that being inconsistent with upstream is preferable
16:31:26 <geppetto> Ok, fair enough
16:31:36 <orionp> If you're going to change the guidelines, make it a *MUST*
16:31:39 <geppetto> #action Package Naming Guidelines - Clarification. Lowercase better than mixedcase package names. (+1:6, 0:0, -1:2)
16:31:43 <tibbs|w> Usually upstream isn't consistent, either.
16:31:47 <tibbs|w> Which is doubly fun.
16:32:00 <orionp> yeah, I've run into that plenty
16:32:10 <geppetto> #topic #281 	New Python Macros for Easier Packaging
16:32:10 <geppetto> .fpc 281
16:32:10 <geppetto> https://fedorahosted.org/fpc/ticket/281
16:32:12 <zodbot> geppetto: #281 (New Python Macros for Easier Packaging) – fpc - https://fedorahosted.org/fpc/ticket/281
16:32:21 <geppetto> #action New Python Macros for Easier Packaging, py2_build/py2_install/etc. (+1:7, 0:1, -1:0)
16:32:28 <geppetto> #topic #542 	Forbid "python -OO" for Python < 3.5
16:32:28 <geppetto> .fpc 542
16:32:28 <geppetto> https://fedorahosted.org/fpc/ticket/542
16:32:30 <zodbot> geppetto: #542 (Forbid "python -OO" for Python < 3.5) – fpc - https://fedorahosted.org/fpc/ticket/542
16:32:49 <geppetto> This one is a bit more complicated
16:32:56 <orionp> I might actually be +1 for making names lowercase a must, but having it a should is just going to lead to more arguments
16:33:56 <geppetto> We left it at should just in case there was a weird upstream who insisted that the name be mixedcase
16:33:57 <tibbs|w> orionp: I understand, but I don't think we're going to get away from having arguments regardless of what we put in the guidelines.
16:34:07 <geppetto> but I'm not against using MUST
16:34:26 <geppetto> Anyway … onto 542
16:34:28 <tibbs|w> Can do another ticket for must if we want to take it up.
16:34:40 <tibbs|w> I'm not even sure why we're doing 542.
16:34:46 <geppetto> tomspur tibbs: You want to explain this to SmootherFrOgZ orionp and Rathann ?
16:35:07 <tibbs|w> Uh, well, if you add -OO then things break, so don't do it.
16:35:13 <geppetto> Because stuff stops working in some cases if people use -O0
16:35:19 <geppetto> yeh
16:35:20 <tibbs|w> Which seems kind of 107% obvious but that's just me.
16:35:29 <geppetto> I know :(
16:35:37 <Rathann> I remember reading about it, and I agree, so +1 to #542
16:35:45 <geppetto> And yet the dnf devs. did it and don't want to change anything to fix things
16:35:53 * geppetto shrugs
16:35:54 <tomspur> IIUC, programs break, if you have some modules using -O and some using -OO we should stick to one version, which is -O
16:37:08 <geppetto> yeh … seemed obvious to me. But then racor also voted against it. So *shrugs*
16:37:08 <SmootherFrOgZ> yup,
16:37:12 <SmootherFrOgZ> +1
16:37:17 <geppetto> orionp: vote?
16:37:21 <orionp> +1
16:37:24 <geppetto> #action Forbid "python -OO" for all versions of Python, no need for rationale in policy (+1:7, 0:1, -1:0)
16:37:47 <geppetto> Ok, that's it for last weeks need votes.
16:37:49 <geppetto> #topic #543 	secure config and log permissions
16:37:49 <geppetto> .fpc 543
16:37:49 <geppetto> https://fedorahosted.org/fpc/ticket/543
16:37:50 <zodbot> geppetto: #543 (secure config and log permissions) – fpc - https://fedorahosted.org/fpc/ticket/543
16:39:28 <tibbs|w> Seems kind of up in the air still.
16:39:28 <geppetto> I mostly agree with matt
16:39:40 <geppetto> But maybe for selfish reasons
16:39:40 <tomspur> Same here
16:39:56 <tomspur> And I cannot foresee what else this would/could break...
16:40:00 <tibbs|w> I'm not opposed as long as there's some kind of "log-reading user" that isn't root.
16:40:08 <tibbs|w> s/user/group
16:40:23 <geppetto> what does the adm group give you?
16:40:34 <tibbs|w> In what context?
16:40:49 <geppetto> like if you get the adm group now, what privs. does that give you?
16:40:51 <tibbs|w> With journalctl it gives you access to all of the logs there.
16:41:02 <tibbs|w> I'm not sure what else in the system might use it.
16:41:18 * geppetto nods
16:41:30 <tibbs|w> Part of the issue is that many people don't understand ACLs.
16:41:30 <geppetto> I'm happy to restrict all logs to adm, I guess
16:41:51 <tibbs|w> I just don't think having people go to root every time they view a log is a good idea.
16:41:58 <geppetto> I'd kind of prefer that random config. file changes not be restricted
16:42:14 <tibbs|w> This is how httpd works now, and it bugs the hell out of me.
16:42:17 <geppetto> but I'm not sure how to do that, without having the problem the ticket was for.
16:42:26 <tibbs|w> I keep changing the perms, apache updates, and I have to change the perms back.
16:42:36 * geppetto nods
16:43:25 <SmootherFrOgZ> hm, I tend to be +1 on files in /etc not /log.
16:43:32 <tibbs|w> So, basically, I would happily vote for putting the same ACL on /var/log that we currently have on /var/log/journal.
16:43:48 <tibbs|w> But that assumes that putting an ACL there actually works.
16:43:49 <geppetto> SmootherFrOgZ: why not the logs?
16:43:53 <orionp> I'm not sure this is in our scope
16:44:01 <geppetto> tibbs: How does that happen from rpm?
16:44:15 <tibbs|w> geppetto: Exactly the question to which I have no answer.
16:44:32 <SmootherFrOgZ> geppetto: I don't see potential risk in reading them
16:44:38 <geppetto> My guess is systemd does something "clever" from a scriptlet
16:44:45 <tibbs|w> orionp: If we wanted to force permissions like that, it should be in the guidelines.
16:45:00 <tibbs|w> Otherwise how are people going to know what permissions to put on log files?
16:45:08 <tibbs|w> I mean, yes, currently they do what makes sense.
16:45:11 <Rathann> # Apply ACL to the journal directory
16:45:11 <Rathann> setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ >/dev/null 2>&1 || :
16:45:20 <SmootherFrOgZ> and we talking only about files located at the top level of /var/log
16:45:22 <Rathann> is what systemd does
16:45:25 <tibbs|w> But the security folks seem to disagree about what makes sense.
16:45:26 <geppetto> Rathann: Thanks for the confirm.
16:45:30 <SmootherFrOgZ> or all?
16:45:31 <geppetto> Rathann: that from %post?
16:45:40 <orionp> Sure, but I don't think we can declare that it's desired - I see that as a FESCO decision and a System Wide change thing
16:45:50 <tibbs|w> orionp: I can agree with that.
16:45:57 <SmootherFrOgZ> orionp: you're right
16:45:59 <Rathann> yes, in %post
16:46:11 <geppetto> Ok, I'm happy to punt it to FESCO
16:46:17 <tibbs|w> Yeah, let's table this.
16:46:21 <orionp> This is big stuff that's going to break a lot
16:46:34 <SmootherFrOgZ> I think this is about what packager should do in %files
16:46:55 <geppetto> #action Seems like too big a change for FPC to just accept it, needs systemwide change and FESCO sign off.
16:47:10 <geppetto> #topic #544 	Case of package names
16:47:10 <geppetto> .fpc 544
16:47:11 <geppetto> https://fedorahosted.org/fpc/ticket/544
16:47:12 <zodbot> geppetto: #544 (Case of package names) – fpc - https://fedorahosted.org/fpc/ticket/544
16:47:16 * geppetto is getting deja vu
16:47:21 <Rathann> huh wat
16:47:39 <tibbs|w> Oh, sorry, we had talked about getting this out of the other ticket.
16:47:53 <tibbs|w> It's the same diff though I need to fix the typo.
16:48:02 <tibbs|w> I should close it as a dup.
16:48:13 <Rathann> phew :)
16:48:15 <geppetto> ok
16:48:24 <geppetto> #action DUP of 541
16:48:33 <geppetto> #topic #545 	Python guidelines cleanup
16:48:34 <geppetto> .fpc 545
16:48:34 <geppetto> https://fedorahosted.org/fpc/ticket/545
16:48:35 <zodbot> geppetto: #545 (Python guidelines cleanup) – fpc - https://fedorahosted.org/fpc/ticket/545
16:48:40 * geppetto is getting more deja vu
16:49:00 <tibbs|w> This is just a tracking thing.
16:49:05 <geppetto> ok
16:49:15 <tibbs|w> There were so many tickets that it's getting tough for everyone to keep up.
16:49:22 <geppetto> yeh, fair enough
16:49:33 <geppetto> #info This isn't a real ticket.
16:49:45 <geppetto> #topic #546 	Review/clarity on minor fork of nghttp2; b64.c
16:49:45 <geppetto> .fpc 546
16:49:45 <geppetto> https://fedorahosted.org/fpc/ticket/546
16:49:47 <zodbot> geppetto: #546 (Review/clarity on minor fork of nghttp2; b64.c) – fpc - https://fedorahosted.org/fpc/ticket/546
16:50:04 <Rathann> oh, b64.c again?
16:50:17 <Rathann> is that the one copied from glibc?
16:51:10 <geppetto> I believe so
16:51:11 <tibbs|w> Have we cared about b64 in the past?
16:51:50 <geppetto> Well I think a lot of people reimplment it, as opposed to md5/etc. where they copy code
16:52:23 <tibbs|w> It's just crazy that we don't have a library for these things.
16:52:29 <tibbs|w> I mean 100% nuts.
16:52:36 <geppetto> * This code originally came from here
16:52:36 <geppetto> *
16:52:36 <geppetto> * http://base64.sourceforge.net/b64.c
16:52:45 <geppetto> guess it's not the glibc one then
16:52:46 <geppetto> maybe
16:53:08 <geppetto> the other one is sha1 … and they can use the openssl version
16:53:09 <Rathann> yep
16:53:18 <Rathann> haven't seen this one (b64.c) yet
16:53:34 <Rathann> these things should be in glibc *shrug*
16:54:19 <geppetto> I guess the sha1 isn't what they are talking about as there's a number #3 in the BZ:
16:54:26 <geppetto> 3) The code taken from nghttp2 is a trivial amount around correct openssl apis for using alpn, not exported standalone from the original lib.  ssl-http2 has this notice with lgpl-compatible terms
16:54:43 <geppetto> That one probably worries me the most.
16:55:04 <tibbs|w> Without diffs and links to source and stuff it's really hard to make much of a decision.
16:55:12 <geppetto> yeh
16:58:00 <tibbs|w> I suggest we table until we get the info we need.
16:58:03 <geppetto> Ok, I think this is the ssl bit:
16:58:04 <geppetto> http://git.libwebsockets.org/cgi-bin/cgit/libwebsockets/tree/lib/ssl-http2.c#n111
16:58:33 <geppetto> This is the sha1: http://git.libwebsockets.org/cgi-bin/cgit/libwebsockets/tree/lib/sha-1.c
16:58:47 <geppetto> And this is b64: http://git.libwebsockets.org/cgi-bin/cgit/libwebsockets/tree/lib/base64-decode.c
16:58:55 <geppetto> All three look fine
16:59:16 <geppetto> But it would have been nicer for the ticket to include this info.
17:00:17 <Rathann> ah, found my old bug report about base64 API not being public in glibc: https://sourceware.org/bugzilla/show_bug.cgi?id=14118
17:00:51 <geppetto> it's still in new state
17:00:53 <geppetto> cool
17:00:55 <Rathann> yep
17:01:08 <Rathann> only 3 years old
17:01:26 <Rathann> bugs are like wine
17:01:29 <Rathann> ;)
17:02:25 <gholms> Left on the shelf so long they're sour when people finally get to them?
17:02:53 <geppetto> If you drink them too long you go all wobbly?
17:03:05 <geppetto> Anyway … I'm +1 on 546
17:04:21 <orionp> +1 here
17:05:08 <Rathann> hm the base64-decode.c claims to come from that sourceforge project but the code is not the same or even similar
17:05:11 <tibbs|w> So you're good with the sha1 thing?
17:05:23 <tomspur> It would be nice to use openssl sha-1. It seems to be possible
17:05:28 <tibbs|w> They said they rewrote it pretty much completely.
17:05:36 <geppetto> tibbs: I'm not sure exactly which implementation it is … but it looks a lot like all the other ones I've seen
17:05:46 <orionp> They said they could add an option to use it
17:05:49 <SmootherFrOgZ> +1 from me
17:05:54 <tibbs|w> I'm just really concerned because this is really security sensitive code.
17:06:01 <Rathann> gnutls would be nice
17:06:10 <geppetto> Yeh, they said if they build with openssl support then they use openssl SHA1
17:06:49 <tibbs|w> Everyone does understand that this is basically a web server, right?
17:06:53 <geppetto> yeh
17:07:07 <Rathann> yes, I'm -1 to sha1 part definitely
17:07:18 <geppetto> I'm happy to say they must build with openssl support in Fedora, and thus. not use the sha1 bundling
17:07:18 <tibbs|w> there's the door..
17:07:58 <geppetto> I mean the base64 they are decoding will also be coming over the network
17:08:16 <Rathann> but we do already have a blank exception for sha1 implementations
17:08:17 <geppetto> As will all of the HTTP protocol they are decoding manually ;)
17:08:23 <geppetto> Rathann: yeh
17:08:24 <Rathann> should we drop it?
17:08:38 <geppetto> I don't see why
17:08:42 <Rathann> eh
17:08:49 <Rathann> ok then
17:09:21 <Rathann> I guess we should add a blank exception for base64 as well, until that glibc bug gets resolved
17:09:30 <geppetto> so … forever then?
17:09:33 <Rathann> hehe
17:10:27 <geppetto> So I think we are at: +5 for everything but sha1
17:10:39 <geppetto> Is that everyone here today?
17:10:58 <geppetto> Ahh, tomspur: vote?
17:11:34 <Rathann> meh, +1 to everything
17:11:59 <Rathann> but ask that they use sha1 from openssl if possible
17:12:11 <tomspur> What exactly are the changes of nghttp2?
17:12:18 <geppetto> Yeh
17:12:35 <geppetto> tomspur: I think it's this bi: http://git.libwebsockets.org/cgi-bin/cgit/libwebsockets/tree/lib/ssl-http2.c#n111
17:12:41 <tomspur> A needinfo with a diff would be nice, but I'm leaning towards +0.5
17:12:53 <geppetto> *bit
17:14:52 <tomspur> I don't find any of those functions at https://github.com/tatsuhiro-t/nghttp2/
17:15:27 <geppetto> :(
17:16:16 <tomspur> Seems small and looks fine. But I kind of hesitate to vote on no diff... :/
17:17:11 <geppetto> Yeh, I figure that is more copy pasta than actual bundling
17:19:14 <tomspur> +0 sorry... :/
17:19:18 <Rathann> I agree that a diff for those nghttp2 code fragments against upstream would be nice
17:19:48 <geppetto> #action Bundling of base64/random SSL setup bits. (+1:5, 0:1, -1:0)
17:20:04 <geppetto> #action Bundling of "custom" sha1 implementation. (+1:3, 0:1, -1:2) … just link to the openssl functions, as you have build options for it.
17:21:11 <geppetto> #topic #538 	Bundling exception for htmlunit-core-js
17:21:12 <geppetto> .fpc 538
17:21:12 <geppetto> https://fedorahosted.org/fpc/ticket/538
17:21:14 <zodbot> geppetto: #538 (Bundling exception for htmlunit-core-js) – fpc - https://fedorahosted.org/fpc/ticket/538
17:21:22 <tibbs|w> OK, sorry.
17:22:20 <geppetto> Thius seems confusing
17:22:33 <Rathann> geppetto: please also mention that they should ask nghttp2 upstream to make those apis public so that lws doesn't have to bundle
17:22:33 <geppetto> How important is htmlunit?
17:23:14 <tibbs|w> I couldn't begin to tell you.
17:23:21 <geppetto> Rathann: AIUI it's not actual APIs but more a chunk of code calling openssl APIs in a specific order
17:23:30 <Rathann> hm
17:23:32 <Rathann> ok
17:24:12 <geppetto> Yeh, I'm not sure if we should encourage 538 to work on getting newer rhino packages he can use
17:24:18 <Rathann> why the changes aren't upstreamable?
17:24:21 <geppetto> Or just be "whatever, drop it then"
17:24:59 <tibbs|w> As I understand things, rhino is simply a javascript interpreter.  Yet another one.
17:25:12 <Rathann> it doesn't seem like a lot of changes
17:25:12 <tibbs|w> This one written in Java, of course.
17:25:16 <Rathann> of course
17:25:35 <tibbs|w> Last rhino release was 2015-04-15.
17:26:04 <tibbs|w> Also, htmlunit-core-js is already in the distro.
17:26:23 <tibbs|w> Our rhino package is from 2012.
17:26:28 <geppetto> ugh
17:26:34 <geppetto> that doesn't seem useful
17:26:48 <tibbs|w> It's maintained by some of the core Java people so they probably have a reason.
17:27:01 <geppetto> maybe
17:27:18 <geppetto> it's possible they solved a problem with it and it's now being ignored
17:27:31 <tibbs|w> Now, at least this is a real github fork, so github tracks exactly far they've diverged.
17:28:13 <tibbs|w> But rhino is large, security sensitive and actively developed.
17:28:39 <tibbs|w> They only differ by 45 commits.
17:28:42 <Rathann> I don't see any bug filed against rhino in Fedore requesting an update
17:29:11 <Rathann> so... why don't they ask for a rhino update instead of bundling exception?
17:29:20 <tibbs|w> This is one of those really dumb situations.
17:29:42 <tibbs|w> The fork probably shouldn't exist at all, but that's not my call.
17:30:29 <geppetto> yeh
17:30:30 <tibbs|w> One of the things we request is statements from upstream about why the forks exist, and even though gil says that he provided comprehensive information, I don't see anything about that.
17:31:08 <geppetto> I assume he meant that he provided urls to diffs
17:31:38 <geppetto> but also not sure if english is his first language
17:31:51 <geppetto> ofc. I might have just insulted him there
17:32:33 <Rathann> -1 from me for now
17:32:41 <geppetto> yeh, def. -1
17:33:01 <tibbs|w> So rhino has been pulling at least some things from htmlunit, according to their release notes.
17:33:03 <Rathann> no reason for forking is given
17:33:07 <tomspur> -1 also
17:33:13 <tibbs|w> -1 this just doesn't make sense.
17:33:46 <tibbs|w> If someone can point to an essential feature that has been blocked by rhino then I'd reconsider.  Otherwise fedora really just needs to update the rhino package.
17:34:41 <geppetto> #action Bundling exception for htmlunit-core-js (+1:0, 0:0, -1:4)
17:34:48 <tibbs|w> Oh, there's a newer rhino release from eight days ago.
17:34:51 <geppetto> #action Work with the rhino package in Fedora to get it updated.
17:35:15 <geppetto> #action Answer the questions in the bundling exception process about why you can't merge the diffs. into upstream rhino.
17:35:28 <geppetto> tibbs: in testing?
17:35:36 <tibbs|w> No, I mean released by upstream.
17:35:41 <geppetto> ahh
17:36:28 <tibbs|w> Our package was last touched about a year ago.
17:36:47 <geppetto> #info rhink is really big, actively maintained and security sensitive. At best you'll get permission to ship a forked copy.
17:37:02 <geppetto> #undo
17:37:02 <zodbot> Removing item from minutes: INFO by geppetto at 17:36:47 : rhink is really big, actively maintained and security sensitive. At best you'll get permission to ship a forked copy.
17:37:06 <geppetto> #info rhino is really big, actively maintained and security sensitive. At best you'll get permission to ship a forked copy.
17:37:22 <geppetto> #topic Open Floor
17:37:54 <geppetto> Ok, anything anyone wants to talk about?
17:38:03 <tibbs|w> I need to write something up about the distinction between applications and modules/libraries.
17:38:05 <Rathann> no bug was ever filed to update rhino
17:38:06 <geppetto> 547 is really new
17:38:26 <geppetto> and something I've personally hit
17:38:32 <tibbs|w> No diff in the draft, ugh.
17:38:37 <geppetto> which I think is really stupid
17:38:54 <gbcox> I'm here... and tried to clean that up regarding diff
17:38:57 <geppetto> but I can kind of see the "but it can change" POV.
17:39:22 <gholms> .fpc 547
17:39:23 <zodbot> gholms: #547 (SourceURL addition/clarification - Git Hosting Services) – fpc - https://fedorahosted.org/fpc/ticket/547
17:39:39 <tibbs|w> I think there's way too much here.
17:40:07 <gbcox> for the change or to discuss at once?
17:40:08 <geppetto> I think I'd rather leave it until next week
17:40:34 <geppetto> Esp. for the people talking on the ML to see/read it
17:40:37 <gbcox> yes, I didn't intend for it to be a discussion item this week... i just put it out early to give time folks to review
17:41:02 <gbcox> it's been discussed on the mailing list since Sunday
17:41:03 <geppetto> I am suspicious of this bit though "I have discovered that this does not apply to commit hash or Git Tag generated archives"
17:41:27 <geppetto> yeh, I've been reading the ML … just didn't want to step in yet. Esp. as I think I'm biased
17:41:28 <gbcox> @geppetto... I tested it...read the link, it spells it out
17:41:57 <tibbs|w> I would honestly suggest that someone put together a utility that just handles this kind of thing.
17:42:00 <geppetto> I'd heard that github specifically does break that though … it's just that they cache the result for some amount of time
17:42:12 <tibbs|w> It's unfortunate that we don't have one.
17:42:23 <geppetto> tibbs: you mean like sha1tardata ?
17:42:37 <tibbs|w> Keep your spec in a specified format, utility pulls the tag you want and gives you a tarball and updates your spec.
17:42:57 <geppetto> where it gives the sha1sum of just the data in the tarfile (so perms/etc. can change without affecting it)
17:43:13 <tibbs|w> Sorry, my comment was kin of lagged.
17:43:16 <gbcox> If that is occuring on github, it's a bug they need to address.  That isn't what the Git standard specifies
17:43:25 <geppetto> Hmm, ok
17:43:31 <tibbs|w> I just meant a utility for managing doing SCM pulls.
17:43:38 <tibbs|w> I guess I should start writing one.
17:44:21 <geppetto> yeh, on a recent upstream projectr that went into fedora I had a bunch of Makefile glue to pull the right archive and build rpms/etc.
17:44:26 <gbcox> I really started this for Git submodules, but found there is alot of people having problems understanding the intent regarding Git tags in the current guideline, so I tackled it also
17:44:43 <geppetto> Not totally sure what you mean, but more tools to remove the cruft for git upstreams would be awesome
17:45:00 <geppetto> gbcox: yeh, probably need two tickets
17:45:27 <geppetto> gbcox: And I don't think the intent is wrong … some people heavily believe that upstream tags are worthless. *sigh*
17:46:19 <gbcox> Yeah, but as I said earlier on the discussion list, you shouldn't throw the baby out with the bathwater
17:46:26 <geppetto> I agree
17:47:09 <geppetto> And some of the problem is that once your project reaches a certain size, it's much easier to do "real" tarball releases somewhere
17:47:32 <geppetto> But github tag releases are so easy, I think a lot more people will just use them for hosting in the near future.
17:47:39 <tomspur> tags are as worthless as tar balls. Both can be overwritten and people do so...
17:47:53 <RemiFedora> +1
17:47:55 <tomspur> So where is the advantage of tarbalsl?
17:48:18 <geppetto> tomspur: Yeh, but the argument does that people do it a lot more with tags than tarballs … often without any stats. either way.
17:48:32 <geppetto> *argument goes.
17:48:49 <geppetto> tarballs are traditional … and change is bad ;)
17:48:50 <Rathann> ok, I need to drop off now
17:48:53 <Rathann> sorry
17:49:00 <geppetto> ok, meeting is almost over anyway
17:49:03 <gbcox> I view that as ancedotal
17:49:06 * tomspur had a look at fedmsg to monitor tag rewriting, but it seems you need to be repo admin to do that
17:49:07 <Rathann> take care, bye
17:49:17 <tibbs|w> If we didn't have tarballs I don't know what we'd use instead.
17:49:32 <geppetto> cpio archives ?;0
17:49:54 <geppetto> with a weird header ;) ;)
17:50:07 <tibbs|w> I get the joke.
17:50:17 * geppetto hi5s
17:50:29 <geppetto> Anyway …
17:50:42 <geppetto> Anyone have anything else to bring up?
17:50:53 <tibbs|w> Nah.
17:51:03 <tibbs|w> Too much work to get to today.
17:51:09 <geppetto> Ok, I'll give it another minute or so and then close.
17:51:11 * geppetto nods
17:51:24 <geppetto> Thanks for coming everyone.
17:54:41 <tomspur> Bye see you next week
17:55:24 <geppetto> #endmeeting