16:00:14 #startmeeting fpc
16:00:14 Meeting started Thu Oct 27 16:00:14 2016 UTC. The chair is geppetto. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:14 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:14 The meeting name has been set to 'fpc'
16:00:14 #meetingname fpc
16:00:14 #topic Roll Call
16:00:14 The meeting name has been set to 'fpc'
16:00:28 hello
16:00:29 #chair tibbs
16:00:29 Current chairs: geppetto tibbs
16:00:31 #chair orionp
16:00:31 Current chairs: geppetto orionp tibbs
16:00:35 #chair limburgher
16:00:35 Current chairs: geppetto limburgher orionp tibbs
16:00:51 I can't believe it's Thursday again. Feels like it's been three days at most. I really should sleep occasionally.
16:01:03 * geppetto nods
16:02:42 Lost a day's worth of edits to the versioning draft when I logged out without ever actually clicking the save button on the page.
16:02:45 tibbs: On the upside, no new tickets
16:02:53 tibbs: :(
16:02:53 Oh $_DEITY. . .
16:03:12 tibbs: I thought you'd changed to writing in a text file and pasting when done now?
16:03:14 And spent four hours yesterday which I intended to spend on FPC stuff instead tracking down four separate anaconda backtraces.
16:03:29 Ouch
16:03:39 I really should do that consistently. Sometimes you think you're just going to make a minor change.
16:03:51 * geppetto nods
16:04:22 But then you have to think about how best to word something. And then a line of people show up at the office. And then somehow it's 9PM and it's either leave or fall asleep in the office.
16:04:43 * geppetto nods
16:05:40 Haven't attended these meetings for maybe 8 years. Just curious who participates these days as I need to raise a weird exception to the rules sometime in the next few months.
16:06:02 * limburgher squints
16:06:07 hey stranger!
16:06:32 warren: Well I'm still here for some weird reason.
16:06:53 Is there an agenda for today's meeting?
16:07:22 yeh, but no 5 yet
16:07:32 for quorum I'm guessing?
16:07:34 warren: https://lists.fedoraproject.org/archives/list/packaging@lists.fedoraproject.org/message/6NKPOVP7KSISKH4HRPLLNOECKX2CQ5DW/
16:07:40 warren: Yeh
16:10:08 warren: bitcoin?
16:11:10 limburgher: yes, but more specifically related topics like Deterministic/Reproducible Builds and alternative build toolchains
16:12:15 warren: Cool. Should be interesting.
16:13:34 #chair racor
16:13:34 Current chairs: geppetto limburgher orionp racor tibbs
16:13:50 #topic Schedule
16:13:53 https://lists.fedoraproject.org/archives/list/packaging@lists.fedoraproject.org/message/6NKPOVP7KSISKH4HRPLLNOECKX2CQ5DW/
16:14:17 Not going into a lot of detail now, but the motivation here is security sensitive software where the bounty for compromising a Linux distro's build infrastructure could be billions of dollars. There's a way to take away the incentive of an attacker to compromise the distro's infrastructure as reproducible builds made by a reproducible alternative toolchain would make such an attack infeasible. Only it's a gigantic and weird thing that would give FPC heartburn in how weird it is.
16:14:25 I'll bring this up in a later meeting.
16:14:41 #topic Deterministic/Reproducible Builds and alternative build toolchains
16:14:58 I don't think this is really an FPC issue.
16:15:03 err, not prepared to explain this now
16:15:14 If someone wants to package a toolchain needed to build something, I welcome them to do it.
16:15:24 * limburgher helps warren down off of hook
16:15:37 I'd think that there's more of an infrastructure or releng issue involved, from the sound of things.
16:15:50 Yeh, there are a lot of people looking at what Debian is doing
16:15:54 It's a FPC issue in that it also bundles a lot of redundant stuff that is already shipped in Fedora.
16:16:13 It doesn't have to bundle it.
16:16:15 But from what I've seen rel-eng people don't seem convinced, on either side
16:16:17 It also cannot avoid static building lots of stuff.
16:16:26 tibbs: It actually sort of does sometimes.
16:16:32 * limburgher drinks
16:16:40 Bundling isn't even our call any more, so....
16:16:56 Yeh, and esp. build time bundling.
16:17:04 When did the bundling policy change?
16:17:14 warren: 6 months ago, or so?
16:17:17 I forget. . .a year maybe?
16:17:18 maybe a bit longer
16:17:19 While back, fesco did a big override.
16:17:29 *cough*chromium*cough*
16:17:29 Their prerogative.
16:18:06 Thank you ever so much for the earworm.
16:18:07 So I guess FPC is only a small part of this, need to talk to FESCO and rel-eng for most of this.
16:18:15 There's two separate but related pieces here.
16:18:27 It sounds like it should be FESCO for yes/no, then if yes, FPC for how.
16:18:34 Yeah, basically, don't involve FPC if you don't have to.
16:18:49 1. changes to buildsystems to do deterministic builds of everything, which Debian is proving is possible on a grand scale
16:18:50 I mean, even I avoid me.
16:19:09 2. changes to the toolchains to prove that they aren't compromised
16:19:35 As this is clearly off-topic and I didn't intend to raise here, it's time to move on. =)
16:19:38 Unless there's something you just know is going to conflict, which I'm not really seeing as a thing.
16:20:02 Of course since what you're trying to do is completely impossible anyway, I'm happy not to think about it.
16:20:04 It's a strict security upgrade to the entire distro to achieve these goals.
16:20:18 completely impossible? =)
16:20:46 What's in that SMM code inside the CPU which built the thing you believe is provably.. anything?
16:21:09 You can't see it without so many NDAs and lawyers involved.
16:21:53 But don't let me stop you from trying, of course.
16:21:54 That's a good point, you can't trust hardware these days at all.
There is OpenPower and RISC-V with their entirely open source, binary blob-free hardware though .. just they are too expensive for most people.
16:22:30 That's kind of the point of reproducible builds, right? You can't trust anyone, so you build N times on different configurations and make sure they match
16:22:51 It is possible however to achieve bit-for-bit identical toolchains, bootstrapped from ancient x86 machines and compilers from long ago
16:23:10 if you can reach the same endpoint from different lineages then they're probably ok
16:24:01 anyway, off-topic, I would appreciate your folks' advice on who to approach in other teams/committees, but outside of this meeting.
16:24:04 * geppetto nods … but speak to rel-eng and/or FESCo :)
16:24:34 warren, i think you would be wasting your time.
16:25:06 jwboyer: I'm glad to hear why, but not in this meeting where it's in the weeds?
16:25:55 * geppetto nods … ok, moving on?
16:26:30 In any case, I realize convincing Fedora to build the entire distro this way is going to be difficult. But it sounds like policy would be a lot easier these days to allow an alternative toolchain for specific packages, so I'm glad to hear that.
16:27:31 #topic #647 No mention of macros for systemd scriptlets for user units
16:27:35 .fpc 647
16:27:37 geppetto: #647 (No mention of macros for systemd scriptlets for user units) – fpc - https://fedorahosted.org/fpc/ticket/647
16:28:40 Are there any examples of these?
16:28:53 I still understand very little about this. Is the thing in comment 4 the actual draft? It seems reasonable to me but with no knowledge it's hard to say.
16:29:23 I think that's most of the draft in comment 4
16:29:54 yeah, that seems to be the suggestion
16:30:09 seems fine by me I guess
16:30:25 looks like bluez on my system has one
16:30:26 Yeh, I'm fine with it … but would have preferred a diff.
16:30:45 A diff for that would basically just tell me where to put it.
16:31:05 * geppetto nods
16:31:22 Just noticed that https://fedoraproject.org/wiki/Packaging:Systemd is kind of out of date.
16:31:55 It says to use BuildRequires: systemd-units but on F18 and newer to just use BuildRequires: systemd
16:32:22 F18 was a bit ago :)
16:32:51 for #647, I'd insert between the mention of Fedora preset policy and "For details"
16:32:51 OK, fixed that up at least.
16:33:04 Assuming that BuildRequires: systemd is actually what we're supposed to do.
16:33:20 yes, it is
16:33:31 tibbs: that's what is in 647 too
16:33:55 So this new bit would go in https://fedoraproject.org/wiki/Packaging:Scriptlets#Systemd
16:34:19 Which also prompts me to ask if we can get rid of the bit about "Packages migrating to a systemd unit file from a SysV initscript" yet.
16:34:52 probably
16:35:57 yeh
16:36:26 Yeah, I seem to recall the last few initscripts being migrated or retired.
16:36:35 I thought we had blocked all of the packages which hadn't converted some time ago. And even if there are a couple, it should still be safe to drop that bit as I'd expect those packages to be pretty much impervious to policy anyway.
16:37:21 OK, I nuked the section.
16:39:47 looks like systemtap and tetrinetx are the last holdouts
16:40:21 Yep, impervious to policy. I thought that fesco was going to force-retire them, but anyway....
16:43:22 It'll still be great telling the tale one day. "Grandma, what's /etc/rc.d/init.d?" "Well, Timmy, let me tell you a story. . ."
16:43:52 Well, crap, I'm editing the page and I realize that I can't show what it looks like without saving it because I'm dumb and didn't make a copy in my user page first.
16:44:20 Can't you preview, or am I misunderstanding?
16:44:32 How about initscripts? I still see /etc/rc.d/init.d/network and /etc/rc.d/init.d/netconsole in fc25
16:44:51 I think that those are "special".
16:44:59 limburgher: I can preview; I can't show you the preview.
16:45:31 tibbs: /me pouts
16:46:00 I'm guessing network is still there because people want ifcfg scripts to work without NetworkManager, and it really isn't a service, and nobody wants to risk changing those old scripts?
16:46:56 https://fedoraproject.org/wiki/User:Tibbs/systemdscriptlets
16:46:58 Whatever happened to a couple of glasses of wine, sed, and a sense of adventure?
16:47:33 Sadly I slightly screwed up so the diff shows that I deleted an entire section, but I'm not really intending to delete that section.
16:47:34 tibbs: Ooh, it looks so clean! :)
16:47:56 +1
16:48:15 Basically I just pasted in his draft, stuck it in a separate section (===== is too many, though) and stuck the bit about the source of the macros in its own section.
16:48:50 Personally I'd just delete that last section, though; people have --showrc and the actual macro files on their systems if they want to see them.
16:49:25 I dunno, I forget about --showrc all the time, and sometimes people like a clicky.
16:50:43 Right, but this is perhaps the only place in the guidelines where we give people a link to the source of the macros.
16:52:06 True.
16:52:52 Anyway, not worth wasting time over. Eventually that whole document will get much shorter.
16:53:05 Interesting that there are macros for these scriptlets, but not almost any of the others
16:53:17 Historical reasons, I think.
16:53:31 true, our new filetrigger future awaits..
16:53:44 It's like how sudo dnf install cvs still does something.
16:54:11 I think we will probably end up doing additional macroization because of the whole issue with epel not having file triggers.
16:54:19 limburgher: ? There is a cvs package, so I'm not sure I understand
16:54:33 Anyway, https://fedoraproject.org/w/index.php?title=User%3ATibbs%2Fsystemdscriptlets&diff=478095&oldid=478094 is the diff.
16:54:40 geppetto: Yes, but do you use it? :)
16:54:47 file triggers is something added by rpm recently?
16:54:50 Ignore the fact that a whole section is missing, because I pasted the wrong thing initially.
16:55:20 warren: Yeah. Look up %transfiletriggerin; that should give you a description of them all.
16:55:34 Hi
16:55:38 We'll probably get back around to the glibc file triggers eventually.
16:55:44 tomspur: Howdy.
16:55:49 #chair tomspur
16:55:49 Current chairs: geppetto limburgher orionp racor tibbs tomspur
16:56:02 tibbs: Did you remove the bit about sysv scripts?
16:56:18 But, yeh, +1 for line 22 onwards
16:56:21 Anyway, I think that diff is the thing to vote on for #647.
16:56:32 geppetto: I did that earlier.
16:56:38 * geppetto nods
16:56:44 I'm +1.
16:59:23 So that's only +3 … orionp racor tomspur: vote?
16:59:33 I'm still +1
16:59:45 +1
17:00:25 I still don't know _why_ you'd use these, but if this is what the systemd folks say should be used then I'm not going to argue.
17:01:15 +1
17:01:16 user services are like gnome-session type stuff … except outside the GUI
17:01:27 +1
17:01:31 Basically my understanding is that when you log in, systemd fires up a user session.
17:01:58 The thing that loginctl shows, and the thing that gets totally screwed up if you ever kill the user-specific systemd process.
17:02:08 #action No mention of macros for systemd scriptlets for user units (+1:6, 0:0, -1:0)
17:02:24 tibbs: yeh
17:02:27 Systemd can have special units that it starts inside of user sessions.
17:03:13 * geppetto nods
17:03:25 BTW, somehow we never set the topic
17:03:34 yeh, I'm confused about that
17:03:43 was hoping it was just my xchat
17:04:01 hopefully the bot didn't die, or we'll have no meeting minutes
17:04:17 .ping
17:04:17 pong
17:04:17 #topic Open Floor
17:04:21 I still see Deterministic
17:04:24 And you changed it.
17:04:27 Yeh
17:04:53 So I believe I did what I can for the glibc file triggers.
17:04:54 Looking at https://lists.fedoraproject.org/archives/list/packaging@lists.fedoraproject.org/message/6NKPOVP7KSISKH4HRPLLNOECKX2CQ5DW/ were a few of those topics skipped?
17:05:22 warren: It's sort of autogenerated; sometimes there just isn't anything to say about those.
17:05:24 Yeh, I looked at all of them … maybe talk about 650? Nothing seems to have happened on any of them though
17:06:01 Well, 654 did have some movement.
17:06:15 I'm not a FPC member, but I wrote most of https://fedoraproject.org/wiki/Packaging:Versioning#Pre-Release_packages maybe 13 years ago ... I think the diff in #656 goes too far in "simplification" and should instead add only git examples.
17:06:37 tibbs: Not in the ticket … you want to talk about it?
17:06:53 But I think I've done all that I can there, without actually just committing the extra check to redhat-rpm-config.
17:07:00 * geppetto nods
17:07:21 I mean, they stopped talking so I guess I pissed them off or they lost interest.
17:07:30 :(
17:07:52 I think I divined the proper way to check these things and did all of the implementation there.
17:08:16 I'm surprised to learn that the tilde thing was added to Fedora, and even more surprised that it was backported to RHEL6.
17:08:21 I could of course just push it to redhat-rpm-config but I'm sure that would piss someone off somewhere (and not just because it might break one or two things).
17:08:32 warren: RPM works in mysterious ways.
17:09:01 Doesn't mean we're going to use it, though; I don't believe that proposal is going to pass.
17:09:26 And in any case I am rewriting the Versioning document to try and make it less confusing to people.
17:09:50 The reasons for it don't seem compelling to me, and that automagic example that somebody wrote is bullshit. Anything that isn't a number you can't assume is a pre-release.
17:10:16 And once I manage to finish that and get something that doesn't anger someone, somewhere, then I get to do the same transform to the tilde draft, and then, well, it probably won't pass.
17:10:48 But we discussed that draft for probably twelve solid hours so far, and....
17:11:01 I'm sorry.
17:11:28 geppetto: So if you have any hints about how to progress with the glibc thing? I'm just going to leave it alone for now.
17:11:41 Maybe we can target some other source of scriptlets, like texinvo.
17:11:44 texinfo.
17:12:13 Also, I already wrote up 647 since I just had to paste and save.
17:12:30 how will you handle compat where packagers want to maintain identical specs with EPEL?
17:12:45 Not care.
17:12:54 EPEL guidelines can get those scriptlets.
17:13:05 Packagers, if they like the junk, can wrap it all in a big %if
17:13:10 RHEL rpm supports file triggers?
17:13:25 Never said it did.
17:13:32 ok, %if's
17:13:54 tibbs: yeh, leave it for a bit … they might just be busy/etc. … will ping them if it goes too long
17:14:25 We could macroize some of it, with macros that expand to %nil on Fedora and to the whole scriptlet thing including the "%post" on epel, but... I'd really just prefer not to see them.
17:14:50 Would be helpful if the agenda URL were auto-appended to the current meeting topic, something the bot could do in the future.
17:14:57 And if people keep them in their rawhide specs, well, they're going to get some email about it because I will eventually do a big bunch of reports and an auto-removal.
17:15:35 * geppetto nods … seems fine
17:16:50 Did fesco ever hand us anything back on 650 (the alternate python interpreter thing)?
17:17:14 * geppetto looks at https://pagure.io/fesco/issue/1634
17:17:59 Interesting; that sort of mutated.
17:18:59 It doesn't appear they're going to hand down any guidance on whether packages should be allowed to depend on those.
17:19:24 I do still think we need a general way to say that a package can exist but nothing is permitted to depend upon it.
17:19:26 It looks like they can
17:19:42 Given the wording about the packager taking over security updates from upstream etc.
17:20:13 I think that the python people who were packaging these did actually want to make sure that nobody would depend on them, though.
17:20:59 Well FESCo sure didn't say that
17:21:12 If anything it looks like you can, to me
17:21:22 "If it is too much burden" one is "encouraged" to orphan it. So one can still just ignore it and go ahead. Or am I reading that wrong?
17:21:24 * geppetto shrugs
17:21:52 yeh
17:22:50 But let's assume that fesco allows this in general.
17:23:43 The python folks came to us asking to write something into the guidelines banning dependencies on the alternative python packages they want to add.
17:25:15 I have to go now..
17:25:25 Take care.
17:26:02 See ya
17:26:10 Anyway, we will still have to consider their request, but I guess it can wait until we have to do so.
17:27:07 maybe
17:27:24 Anyway … is there anything else, or we good until next week?
17:27:31 Yeah, I'm done.
17:27:35 I will note that two weeks from now I won't be here
17:27:47 Probably just for one week
17:28:00 Nothing here.
17:28:09 * geppetto nods
17:28:14 Panic.
17:28:49 add "INSECURE" to the release tag? =)
17:29:25 "DONOTUSEINPRODUCTION"
17:31:02 #endmeeting