16:00:37 <geppetto> #startmeeting fpc
16:00:38 <zodbot> Meeting started Thu Jul 16 16:00:37 2015 UTC.  The chair is geppetto. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:38 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:38 <geppetto> #meetingname fpc
16:00:38 <geppetto> #topic Roll Call
16:00:38 <zodbot> The meeting name has been set to 'fpc'
16:00:45 <gbcox> Good morning... sitting in the back row today
16:00:50 <geppetto> ok :)
16:01:59 <geppetto> geppetto limburgher mbooth orionp racor Rathann SmootherFr0gZ tibbs|w tomspur: FPC ping
16:02:06 <tibbs|w> Howdy.
16:02:08 <geppetto> hey
16:02:10 <orionp> morning
16:02:13 <geppetto> #chair tibbs
16:02:13 <zodbot> Current chairs: geppetto tibbs
16:02:16 <geppetto> #chair orionp
16:02:16 <zodbot> Current chairs: geppetto orionp tibbs
16:02:24 <tibbs|w> No tomspur today.
16:02:28 * geppetto nods
16:02:38 <geppetto> I just paste that from the page
16:03:01 <tibbs|w> I haven't finished writing up the python stuff.  Seems more stuff will be changing soon.
16:03:28 <mbooth> Hi
16:03:34 <geppetto> #chair mbooth
16:03:34 <zodbot> Current chairs: geppetto mbooth orionp tibbs
16:04:37 <geppetto> Hmm, none of the other 4 are on IRC atm.
16:05:21 <tibbs|w> Seems to be the trend lately.
16:05:42 <geppetto> I guess people are enjoying the summer?
16:06:35 <mbooth> Maybe, it is grande vacance time of year
16:06:55 * geppetto nods
16:07:19 <geppetto> There's only one new ticket this week anyway:
16:07:22 <geppetto> #topic Schedule
16:07:26 <geppetto> https://lists.fedoraproject.org/pipermail/packaging/2015-July/010846.html
16:07:32 <geppetto> #topic #506 	Guideline Draft: Service First-Time Setup
16:07:32 <geppetto> .fpc 506
16:07:32 <geppetto> https://fedorahosted.org/fpc/ticket/506
16:07:33 <zodbot> geppetto: #506 (Guideline Draft: Service First-Time Setup) – fpc - https://fedorahosted.org/fpc/ticket/506
16:07:34 <tibbs|w> It's 37 outside today, so to enjoy the summer I have to stay inside.
16:08:07 <tibbs|w> Oh, nice, I get fedmsg notifications for stuff we do on IRC now.
16:08:14 <tibbs|w> More mail to turn off.
16:08:18 <geppetto> Ahh 98.6
16:08:22 <geppetto> That is warm
16:08:44 <tibbs|w> Americans and their units....
16:08:52 <geppetto> Freedom units!
16:08:59 <gbcox> ROFL
16:09:14 <geppetto> google is also happy to tell me that 37 is the internal rectal temp.
16:09:24 <tibbs|w> Indeed it is.
16:09:34 <mbooth> Good to know...
16:09:51 <tibbs|w> When we say 98.6 we think we're being super-precise.
16:10:32 <tibbs|w> So this draft is two big pages.
16:11:08 <tibbs|w> The first one is about how to structure systemd units to make sure that self-signed certs get generated on demand.
16:11:39 <tibbs|w> Well, or anything else that needs to get set up once at the first service startup.
16:11:49 <tibbs|w> Like ssh keys.
16:11:57 <orionp> Looks good to me
16:12:59 <tibbs|w> Note that the mentioned /usr/bin/sscg isn't there yet.
16:13:04 <tibbs|w> Or at least, it isn't in F22 yet.
16:13:26 <geppetto> sgallagh_afk: ping
16:13:26 <zodbot> geppetto: Ping with data, please: https://fedoraproject.org/wiki/No_naked_pings
16:14:06 <geppetto> I kind of understand why zodbot does that, but in at least 98%+ of cases I do those pings I want to punch it in the face and the other person didn't need more info.
16:14:07 <tibbs|w> I'm OK with this draft, though I haven't actually tried to implement it.
16:14:40 <geppetto> I'm somewhat confused by the second example of what shouldn't be considered system config.
16:15:12 <tibbs|w> Was waiting for sgallagh_afk to finish it before converting cyrus.
16:15:50 <geppetto> Oh, I guess it's saying that if the daemon/service itself generates the data then you don't need to move that generation into another systemd service.
16:15:52 <tibbs|w> geppetto: I assume he means any configuration that the daemon itself will create.
16:16:17 <tibbs|w> Could probably be clarified with a slight rewording.
16:16:50 <tibbs|w> As for the second page, do we want that as a guideline or just some tips page elsewhere on the wiki?
16:17:27 <tibbs|w> Because if we just say "use sscg" in the first page, the rest is kind of academic.
16:17:44 <geppetto> yeh the second part feels like it should go somewhere else
16:17:58 <geppetto> not sure where though
16:18:10 <tibbs|w> We can remove the "Do-it-yourself" bit from the first draft and pretend we never saw the second.
16:18:25 <geppetto> ha
16:18:44 <tibbs|w> Also, I don't think we need the sscg usage output.
16:18:52 <tibbs|w> I mean, anyone can run it and get that.
16:19:01 <tibbs|w> Well, assuming it's actually in the OS.
16:19:40 <geppetto> it's not there by default
16:19:52 <tibbs|w> I don't know if that's intentional.
16:20:09 <tibbs|w> We'll need to document the additional dependencies in any case.
16:20:29 <tibbs|w> So, my suggestions so far:
16:20:34 <tibbs|w> Nuke the last two sections.
16:20:45 <tibbs|w> Reword what's now the last section a bit.
16:20:52 <geppetto> it probably is … except I suspect that people won't find it because it isn't there, and will end up running some random openssl script from the internet instead
16:21:10 <tibbs|w> Add note about the additional dependencies required.
16:21:39 <tibbs|w> Also, how does sscg know where to put the generated certificate files?
16:21:58 <tibbs|w> In the example it somehow knows to put them in /etc/Pegasus.
16:22:01 <geppetto> I assume it does it in PWD
16:22:20 <geppetto> although I can't find sscg atm. … even in F21
16:22:36 <tibbs|w> I assume you'd have to look at F23 or rawhide.
16:22:40 <geppetto> is it just a random binary in tog-pegasus package?
16:22:52 <tibbs|w> No, it's supposed to be somewhere separate.
16:23:07 <geppetto> I meant F22, not F21
16:23:24 <geppetto> I assumed it'd be in latest stable release, if we had it in policy
16:23:52 <tibbs|w> I would assume he just hasn't pushed it yet.  Maybe it's in testing.
16:24:07 <tibbs|w> Anyway, I can't figure out how it would know where to put the certs.
16:24:30 <tibbs|w> There's no specification of the working directory in the unit files and hardcoding that into sscg would be dumb.
16:26:35 <geppetto> weird
16:26:52 <tibbs|w> It's probably just an oversight; it needs an outdir option or something.
16:26:58 <geppetto> It doesn't matter much if we are just going to +1 everything before the special case section.
16:28:03 <tibbs|w> I wasn't suggesting removing anything other than "Easy implementation with sscg" and below.
16:28:13 <tibbs|w> The examples sure need to be in there.
16:28:27 <geppetto> yeh, the examples are fine
16:28:32 <tibbs|w> And of course they need to be correct.
16:28:55 <geppetto> I just wasn't sure about the special case bit …
16:30:28 <tibbs|w> I can hack on the draft a little bit and maybe talk to sgallagh_afk when he's back, but I can't think of anything else to say about this currently.
16:30:47 <geppetto> it seems like a lot of text to say "we'll generate self signed certs, but they might not help you anyway"
16:31:17 <geppetto> which I'd expect most packagers know
16:31:20 * geppetto shrugs
16:31:37 <geppetto> I'm happy to +1 that too, if you want.
16:32:09 <geppetto> mbooth: orionp: Any questions/concerns?
16:32:37 <orionp> Not really.  I agree with your points
16:32:52 <mbooth> No, actually this draft is pretty fine
16:33:26 <tibbs|w> I see your point about the "Special Case" section.
16:33:58 <tibbs|w> Maybe just say "you should use the sscg tool to generate self-signed certificates" or something in there.
16:34:15 <geppetto> Well I still can't find it in F22
16:34:26 <geppetto> So I'm not desperate to mention it :)
16:34:37 <tibbs|w> It is sufficiently complicated and security-sensitive that we should mandate using the tool if it's available.
16:34:45 * geppetto nods
16:34:46 <tibbs|w> But not having the tool currently is kind of a blocker.
16:35:08 <tibbs|w> Maybe we should just table this until the tool is actually in there.
16:35:31 <geppetto> Sure, I mean we can't pass it today anyway
16:35:33 <tibbs|w> sscg is in rawhide.
16:35:37 <geppetto> ahh
16:35:47 * geppetto looks in updates-testing
16:36:06 <tibbs|w> No updates that I can see.
16:36:28 <tibbs|w> Hmm, the repo is four months old.
16:36:36 <geppetto> yeh, whatprovides gives 0 results
16:36:49 <geppetto> which repo?
16:37:00 <tibbs|w> sscg in git.
16:37:13 <tibbs|w> It's branched for f21 and el6 (and newer).
16:37:20 <tibbs|w> But I guess it was never pushed.
16:37:39 <tibbs|w> Or even built for anything other than f23.
16:38:02 <tibbs|w> There isn't even a spec in the f21 or f22 branches, so....
16:38:12 <geppetto> yeh, that's a bad sign :)
16:38:19 <tibbs|w> I guess we'll see what sgallagh says.
16:38:57 <geppetto> Yeh, koji says 2 builds both for rawhide/f23
16:39:00 <sgallagh> I'm here now.
16:39:01 <sgallagh> Sorry, had a family conflict
16:39:29 <geppetto> ok, give you a few minutes to catch up :)
16:39:41 <geppetto> This is the only real ticket today anyway
16:41:36 <sgallagh> OK, yeah. I haven't built sscg for F22 or earlier yet because IIRC I only made it py3 compatible thus far.
16:41:53 <geppetto> ahh
16:41:56 <sgallagh> I need to make it dual-stack before we should mandate it on Py2 default platforms
16:41:58 <tibbs|w> Something wrong with python3 in F22?
16:42:22 <sgallagh> tibbs|w: Only that we're not supposed to be having the /usr/bin/<blah> stuff require py3
16:42:23 <tibbs|w> I guess people would complain about dependencies.
16:42:42 <tibbs|w> I'm not familiar with that rule.
16:43:26 <sgallagh> Maybe I misinterpreted the Python guidelines on that point
16:43:32 <tibbs|w> I guess the server folks might complain about having to pull in py3+modules just to generate a cert.
16:43:45 <sgallagh> But yeah; I need to finish the dual-stack work
16:43:56 <tibbs|w> I don't think anyone's going to switch over existing services to do this in F22 anyway.
16:44:06 <sgallagh> /me nods
16:44:25 <tibbs|w> If it were me I wouldn't bother, but perhaps that's because I can never remember what I have to change to make things work in old python.
16:44:35 <geppetto> Well … it'd be nice to just merge any updates back if you change this in rawhide and then have a fix for something
16:44:51 <sgallagh> "(12:38:12 PM) tibbs|w: [12:21:38] Also, how does sscg know where to put the generated certificate files?": The destination is a mandatory argument
16:45:04 <tibbs|w> Am I missing that in the example?
16:45:16 <tibbs|w> Or in the usage info (which we don't really want, but still....)
16:45:48 <tibbs|w> I swear it isn't mentioned in either.
16:45:58 <geppetto> --cert-file
16:46:08 <geppetto> and --cert-key-file
16:46:13 * geppetto assumes
16:46:18 <tibbs|w> Which... don't have directories in the example.
16:46:24 <sgallagh> oops, the example should have had an absolute path
16:46:33 <tibbs|w> Ah, that makes more sense.
16:46:41 <sgallagh> /me fixes
16:47:02 <sgallagh> Otherwise it'll be relative to the $CWD, which would be wrong for a unit file
16:47:28 * geppetto nods
16:47:35 <tibbs|w> It _would_ be shorter to take the directory as an argument.
16:48:05 <sgallagh> tibbs|w: True; the alternative would be to set CWD in the unit file and use that, I suppose
16:53:09 <sgallagh> So what are the remaining questions?
16:53:49 <geppetto> The wording on "A few examples that should not be considered system-specific configuration: " is a bit confusing
16:55:08 <geppetto> I initially read it as "this stuff isn't configuration" … but it's actually "this stuff doesn't need a special service to create it"
16:55:24 <geppetto> Not sure how to reword it though
16:56:21 <sgallagh> geppetto: Well, I was trying to differentiate "stuff that is configuration but not system-specific"
16:56:28 <sgallagh> And yeah, words is hard :-P
16:57:05 <geppetto> Yeh, but often stuff created by the daemon will be system-specific … it's just that it's fine for it to be created by the daemon
16:58:01 <sgallagh> Right
16:58:17 <geppetto> Maybe "A few examples that should not be considered for a new system-specific configuration service: "
16:58:24 <sgallagh> This is attempting to solve problems like all of the cloud images having the same UUID :)
16:58:28 <geppetto> yeh
16:58:52 <geppetto> also just further down the long hard road of removing %post entirely
17:00:05 <tibbs|w> Wouldn't that be nice.
17:00:12 <tibbs|w> No more ldconfig.
17:00:42 <sgallagh> geppetto: That would be the stealth benefit, yes :)
17:02:00 <geppetto> So … I think that was it for the bits before "special case"
17:02:23 <geppetto> Did you want to keep the last 3 sections, or put them somewhere else?
17:02:47 <mbooth> Afraid my time is up, but y'all look like you're on top of it :-)
17:02:51 <sgallagh> geppetto: Well, considering the certificate case was one of the primary drivers of this, I think scrapping it is kind of problematic
17:03:11 <mbooth> And there's not enough of us for quorum anyway, I think
17:03:18 <geppetto> no, there isn't
17:03:31 <geppetto> Was going to vote anyway and put it in need more votes state
17:03:37 <geppetto> but we can just do it next week
17:04:05 <geppetto> sgallagh: If you could get sscg in F22 for next week that'd be cool
17:04:19 <sgallagh> geppetto: I'll see what I can do
17:04:37 <sgallagh> My dance card already looks like I let my two-year-old color on it
17:04:42 <geppetto> Having it work but require py3 is probably fine … just so that packagers can see it and run it
17:04:49 <tibbs|w> Welcome to the club.
17:04:58 <tibbs|w> But yeah, if the dependencies get smaller later then great.
17:05:21 <geppetto> If they shout about wanting to use it and preferring py2 … you can deal with that when you get them (or never ;)
17:05:34 <sgallagh> Fair enough
17:07:07 <sgallagh> Feel free to #action me
17:07:52 <geppetto> #action sgallagh sscg should be in F22 before we publish policy saying to use it.
17:08:24 <geppetto> Also … do you call all your packages ss<something>? ;)
17:08:45 <sgallagh> geppetto: No, that was just an amusing coincidence
17:08:53 <sgallagh> Self-Signed Certificate Generator
17:08:57 * geppetto nods
17:09:20 <geppetto> #topic Open Floor
17:09:28 <geppetto> Anyone want to talk about anything?
17:10:05 <tibbs|w> Right now I'm trying to stop fedmsg from spamming me every time the topic changes or something gets actioned.
17:10:37 <geppetto> "fallout" from the rawspeed bundling request was/is being talked about on the ML
17:10:56 <geppetto> it just really likes talking to you
17:11:17 <sgallagh> tibbs|w: fedmsg just thinks you're a good listener
17:12:25 <tibbs|w> Well it's throwing HTTP 500s when I try to add a rule to shut it up, so I guess it really wants me to get those notices.
17:12:52 <sgallagh> I've had relationships like that...
17:12:53 <tibbs|w> There we go.
17:13:26 <tibbs|w> Looks like I'm going to flock.
17:13:37 <geppetto> cool, see you there!
17:13:44 <sgallagh> Oh, cool. It'll be nice to see you
17:13:48 <tibbs|w> Travel request signed and everything.  Booked my room yesterday.
17:14:02 <tibbs|w> I don't think I met either of you at the last fudcons I attended.
17:14:30 <tibbs|w> Boston (BU), Raleigh, then Boston (MIT).
17:14:30 <geppetto> the last one I attended was arizona
17:15:15 <geppetto> tempe
17:15:37 <geppetto> Anyway … going to close in a minute, unless anyone has something to bring up
17:15:41 <sgallagh> tibbs|w: I was at the MIT one, but I doubt we knew each other back then
17:16:01 <tibbs|w> Well, we'll see how it goes.
17:16:20 <tibbs|w> My wife is going to fly up and we'll spend a few days after things wind down.
17:16:27 * geppetto nods
17:16:34 <orionp> I was hoping for Colorado Springs, I could have made that....
17:17:02 <geppetto> My wedding anniversary is right in the middle of this one, so my wife is going too :)
17:17:45 <tibbs|w> Mine just passed.  19 years.
17:18:05 <geppetto> congrat
17:18:10 <geppetto> +s
17:18:23 <tibbs|w> Feels like (only yesterday|an eternity).
17:18:33 <geppetto> ha
17:18:53 <sgallagh> Celebrating 11 years tomorrow :)
17:19:08 <tibbs|w> Seems like July is the month, then.
17:19:22 <racor> where will it be?
17:19:25 <geppetto> everyone likes summer weddings :)
17:19:38 <tibbs|w> racor: Flock?  It's in Rochester, NY.
17:19:41 <geppetto> racor: rochester NY
17:19:46 <tibbs|w> Not far from Niagara Falls.
17:20:10 <tibbs|w> I've been to upstate NY before (Cornell) but never went to the falls.
17:20:19 <sgallagh> tibbs|w: I think it's further than you think it is from Niagara
17:20:33 <geppetto> yeh, like 2-3 hours by car
17:20:42 <tibbs|w> Looks like around 150KM or so.
17:20:51 <geppetto> lol with your non-freedom units
17:20:54 <geppetto> ;)
17:20:54 <tibbs|w> Was planning to drive for a few hours.
17:20:58 * geppetto nods
17:21:16 <tibbs|w> I have mostly switched my life over to metric.
17:21:28 <tibbs|w> Except for thermostats.
17:21:40 <sgallagh> My car gets 40 rods to the hogs-head and that's fine by me
17:21:40 <tibbs|w> Don't want to give up the accuracy.
17:21:51 <geppetto> sgallagh: :p
17:21:56 <orionp> 14 years last week (sorry, lagging)
17:22:03 <tibbs|w> Well shit.
17:22:45 <geppetto> I'm 16 while at flock … so double digits for everyone
17:23:29 <geppetto> Anyway … I'll see you all next week. Thanks for coming.
17:23:35 <sgallagh> Be well
17:23:42 <geppetto> #endmeeting