15:00:01 <contyk> #startmeeting FESCO (2018-07-30)
15:00:01 <zodbot> Meeting started Mon Jul 30 15:00:01 2018 UTC.
15:00:01 <zodbot> This meeting is logged and archived in a public location.
15:00:01 <zodbot> The chair is contyk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:00:01 <zodbot> The meeting name has been set to 'fesco_(2018-07-30)'
15:00:04 <contyk> #meetingname fesco
15:00:04 <zodbot> The meeting name has been set to 'fesco'
15:00:06 <bowlofeggs> .hello2
15:00:08 <contyk> #chair nirik, maxamillion, jsmith, jwb, zbyszek, tyll, sgallagh, contyk, bowlofeggs
15:00:08 <zodbot> Current chairs: bowlofeggs contyk jsmith jwb maxamillion nirik sgallagh tyll zbyszek
15:00:10 <zodbot> bowlofeggs: bowlofeggs 'Randy Barlow' <rbarlow@redhat.com>
15:00:12 <contyk> #topic init process
15:00:15 <contyk> .hello psabata
15:00:16 <zodbot> contyk: psabata 'Petr Šabata' <psabata@redhat.com>
15:00:24 <nirik> .hello kevin
15:00:25 <zodbot> nirik: kevin 'Kevin Fenzi' <kevin@scrye.com>
15:00:27 <contyk> let's see how many people we get today
15:00:28 <bcotton> .hello2
15:00:29 <zodbot> bcotton: bcotton 'Ben Cotton' <bcotton@redhat.com>
15:00:33 <bowlofeggs> are you ready to rumble
15:00:53 <ignatenkobrain> .hello2
15:00:54 <zodbot> ignatenkobrain: ignatenkobrain 'Igor Gnatenko' <i.gnatenko.brain@gmail.com>
15:01:19 <contyk> it's unclear whether jakub is coming today
15:01:27 <contyk> so I'd start with the "new" business and see if he makes it later
15:01:45 <ignatenkobrain> I think he doesn't
15:01:50 <contyk> #topic #1946 Updates process is broken
15:01:54 <contyk> .fesco 1946
15:01:56 <zodbot> contyk: Issue #1946: Updates process is broken - fesco - Pagure - https://pagure.io/fesco/issue/1946
15:01:58 <contyk> https://pagure.io/fesco/issue/1946
15:02:11 <sgallagh> I'm double-booked, but sort of here
15:02:21 <contyk> so I put this one on the agenda because at least to me it's unclear what the next steps are
15:02:24 <contyk> sgallagh: yeah, the same
15:02:39 <bowlofeggs> yeah there's not really a specific proposal here
15:03:09 <nirik> not sure why the abi check failed... that would be nice to know/fix.
15:03:30 <jsmith> .hello2
15:03:32 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com>
15:04:03 <contyk> who could investigate?
15:04:16 <bowlofeggs> should this really be a fesco issue?
15:04:59 <contyk> probably not; we could probably pass it to infra
15:05:24 <bowlofeggs> or QA?
15:05:32 <nirik> well, kparal asked in ticket... but I havent seen a reply there yet
15:05:53 <nirik> dodji might be on vacation or something.
15:06:13 <nirik> so if things had worked, there would have been a failed abi test.
15:06:32 <tyll> .hello till
15:06:33 <zodbot> tyll: till 'Till Maas' <opensource@till.name>
15:06:38 <bowlofeggs> should we just refile it with the abicheck folks?
15:06:49 <bowlofeggs> is that QA?
15:06:53 <nirik> yes
15:07:17 <bowlofeggs> proposal: this should be filed with QA instead of FESCo.
15:07:21 <contyk> +1
15:07:22 <bowlofeggs> +1
15:07:32 <nirik> +1
15:08:13 <sgallagh> +1
15:08:15 <tyll> +1
15:08:37 <contyk> jsmith: ?
15:08:49 <tyll> I guess the problem is anyhow that there needs to be someone willing to work on it
15:08:50 <jsmith> +1
15:08:56 <jsmith> tyll: Agreed.
15:09:06 <contyk> let the QA figure that out
15:09:29 <contyk> #agree The issues should be filed with QA instead of FESCo (+6, 0, -0)
15:09:49 <contyk> did that work? :)
15:09:55 <sgallagh> Does #agree work or does it need to be #agreed?
15:09:56 <bowlofeggs> i think so
15:10:00 <bowlofeggs> oh i dunno
15:10:04 * sgallagh has always used the latter
15:10:19 <contyk> let's try that
15:10:22 <contyk> #agreed The issues should be filed with QA instead of FESCo (+6, 0, -0)
15:10:30 <contyk> worst case we'll have it twice
15:10:34 * sgallagh nods
15:10:36 <nirik> yeah, it's agreed... it doesn't send anything to channel, just the logs
15:10:42 <contyk> #topic #1945 Nonresponsive maintainer policy: stalled pull requests
15:10:46 <contyk> .fesco 1945
15:10:48 <zodbot> contyk: Issue #1945: Nonresponsive maintainer policy: stalled pull requests - fesco - Pagure - https://pagure.io/fesco/issue/1945
15:10:52 <contyk> https://pagure.io/fesco/issue/1945
15:11:02 <contyk> similar to the previous topic
15:11:13 <contyk> I wondwe what the next steps for FESCo would be?
15:11:26 <contyk> I agree with adding PRs to the policy
15:11:34 <contyk> I also agree that PRs need to be made more visible
15:11:39 <contyk> preferrably before we update the policy
15:11:55 <tyll> for the notifications we need to file an infra ticket I believe
15:12:04 <sgallagh> It looks like at least "adding to the policy" is approved in the ticket
15:12:10 <nirik> sure.
15:12:13 <sgallagh> Notifications would be a request to infra, yeah
15:12:31 <tyll> but I think the policy can be updated anyhow since the non-responsive maintainer procedure will act as a notification as long as there is no other notification
15:12:44 <contyk> that makes sense
15:13:18 <tyll> There is not too much harm except that maintainers might be surprised to be considered non-responsive which is unfortunate but I do not know of a better word for this
15:13:57 <contyk> who would be filing the infra request?
15:14:03 <sgallagh> tyll: Well, the non-responsive process still requires a direct contact attempt
15:14:05 <sgallagh> So I think it's okay
15:14:45 <nirik> so do we just want a weekly email to maintainers on their outstanding prs? or also to the devel list?
15:14:49 * jsmith_2 had a network outage, and has re-joined
15:15:05 <jsmith_2> nirik: Is it too much to ask for both?
15:15:21 <nirik> we can, but it means more devel mail...
15:15:49 * nirik can file the infra ticket, just want to clairify what we want
15:15:58 <contyk> alright
15:16:04 * jsmith_2 wishes for a developer portal that would highlight all the things that a packager needs to focus on (BZ, PRs, FTBFS, etc.)
15:16:21 <contyk> proposal: Let's update the policy and nirik will file an infra ticket to make PRs more visible
15:16:33 <jsmith_2> +1 to contyk's proposal
15:16:51 <bowlofeggs> i don't think we need a devel mail
15:17:03 <bowlofeggs> i think just somethnign like bz's outstanding requests notification would be enough
15:17:31 <bowlofeggs> jsmith_2: yeah, i think that hubs was supposed to make that possible but it got funding pulled
15:18:46 <nirik> I could go either way... on the one hand devel list mail would let people see who is overworked/has too many outstanding pr's...
15:18:49 <contyk> I think the implementation can be discussed in the infra ticket
15:18:51 <sgallagh> Could we do weekly ones to the maintainers and a monthly one to devel?
15:19:12 <jsmith_2> sgallagh: Seems like a reasonable compromise
15:19:36 <nirik> I wonder if this could be a RFE for pagure...
15:20:32 <jsmith_2> nirik: Not sure I follow -- you mean Pagure send these itself, rather than having an external process query Pagure via its REST API to build the body of the email?
15:20:45 <nirik> right.
15:20:55 <nirik> so ie, pagure.io could also send them...
15:21:07 <jsmith_2> nirik: That's fine with me too
15:21:08 <nirik> and users could disable that if they didn't want it in their prefs
15:21:37 <nirik> I can discuss with pingou and figure out where it is best. that doesn't need to be in this meeting.
15:22:01 <jsmith_2> Sounds good -- let's move on :-)
15:22:17 <contyk> any more votes on the proposal?
15:22:28 <contyk> although I could change it a bit to reflect the last bit
15:22:54 <contyk> proposal: Let's update the policy; nirik will discuss a method of highlighting PRs with pingou
15:23:02 <nirik> +1
15:23:07 <jsmith> +1
15:23:24 <contyk> +1 :)
15:23:28 <tyll> +1
15:23:34 <sgallagh> +1
15:23:45 <contyk> bowlofeggs: ?
15:23:53 <bowlofeggs> +1
15:24:08 <contyk> #agreed Let's update the policy; nirik will discuss a method of highlighting PRs with pingou
15:24:15 <contyk> alright
15:24:18 <contyk> #topic #1935 [Security] Remove packages which has a consistent bad security record from the distribution
15:24:22 <contyk> .fesco 1935
15:24:24 <zodbot> contyk: Issue #1935: [Security] Remove packages which has a consistent bad security record from the distribution. - fesco - Pagure - https://pagure.io/fesco/issue/1935
15:24:26 <contyk> https://pagure.io/fesco/issue/1935
15:26:02 <sgallagh> So we're dropping Firefox?
15:26:03 <bowlofeggs> for this one, i would like us to consider that not all CVEs are important
15:26:04 * sgallagh ducks
15:26:07 <bowlofeggs> in fact, most probably are not
15:26:44 <nirik> sgallagh: the kernel is first. ;)
15:26:49 <sgallagh> I'd prefer not to make a general proposal on this and instead consider any such cases individually in FESCo
15:27:04 <sgallagh> actually, call the above my formal proposal for response
15:27:16 <contyk> +1
15:27:58 <nirik> well, who brings cases? whoever is interested I guess? so no systematic list?
15:27:58 <bowlofeggs> sgallagh: yeah i was considering a similar proposal
15:27:59 <bowlofeggs> +1
15:28:09 <jsmith> sgallagh: +1
15:28:29 <sgallagh> nirik: In practice, I'd assume the Fedora Security Team
15:28:43 <sgallagh> But I figure anyone interested enough should just be permitted to
15:29:01 <contyk> bet the first one will be Firefox
15:29:03 <sgallagh> I'll rephrase my proposal
15:29:38 <ignatenkobrain> .members gitfedora-security-team
15:29:39 <zodbot> ignatenkobrain: Members of gitfedora-security-team: dcafaro @ignatenkobrain jtaylor mhayden pjp siddharths @sparks
15:29:40 <sgallagh> Proposal: FESCo does not want to set a general policy on this matter but will consider cases on an individual basis when any Fedora contributor raises the issue.
15:30:04 <nirik> there really isn't an active fedora security team. ;)
15:30:05 <contyk> +1
15:30:11 <jsmith> sgallagh: +1
15:30:12 <nirik> +1
15:30:27 <jsmith> nirik: Yeah, I agree -- the security team is not functional at this point in time
15:30:42 <bowlofeggs> sgallagh: +1
15:31:02 <contyk> tyll: ?
15:31:19 <tyll> there is currenlty the request for all issues in https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9188023&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_format=advanced
15:31:33 <tyll> not sure that we as FESCo want to discuss every one individually
15:32:01 <orc_fedo> tyll: the problem and question as to production of a non-exempt list remains, though
15:32:15 <sgallagh> tyll: I'm going to formally suggest that if they want something reviewed, they need to select important cases and present them
15:32:30 <sgallagh> If they ask for a blanket removal, I'll vote "no"
15:32:45 <nirik> tyll: "This result was limited to 1000 bugs" thats going to take a while. ;)
15:32:49 <jsmith> Might be interesting to order that list based on highest CVSS score.... but otherwise, the list is too long to effectively deal with as-is.
15:33:19 <tyll> I guess the problem is that it is too much to do manually, therefore they request some kind of cleanup to make it manageable
15:34:04 <tyll> it is the same with FTBFS packages or like it was with orphaned pkgs in the past, there needs to be some kind of automatic removal threat to make sure that the important pkgs remain
15:36:14 <jsmith> tyll: I agree with the need to to put emphasis on the right packages... I think the key will be to come up with a shorter list of things that need to be addressed manually.
15:36:42 <jsmith> tyll: Maybe a list of the top ten or twenty offenders that we can start with -- and maybe go through several each FESCo meeting.
15:36:47 * jsmith is just throwing out ideas
15:37:03 <bowlofeggs> yeah this isn't quite like FTBFS
15:37:10 <bowlofeggs> because FTBFS is a binary
15:37:17 <bowlofeggs> but CVEs aren't always important
15:37:23 <bowlofeggs> they are a range of importance
15:37:42 <bowlofeggs> so FTBFS seems to be always important to fix to me, but CVEs depend on the score
15:38:01 <bowlofeggs> and BZ doesn't make it easy to search by score it seems
15:38:14 <misc> the score is not enough, context do matter
15:38:17 <sgallagh> I wish we had a way to associate CVEs to upstream commits
15:38:32 <tyll> AFAIU the problem is not that there is disagreement about whether they are important but that the issues are not triaged and there is no clear signal from maintainers that shows that certain CVEs are not important instead of just ignored
15:38:36 <sgallagh> Then we could at least invoke the non-responsive maintainer policy on those that were fixed upstream but not in Fedora
15:38:45 <misc> (and for library, a CVE depend on who use it)
15:40:47 * nirik isn't sure we are going to solve this here... might be we need more discussion/ideas?
15:41:14 <contyk> I think what was just said just confirms that we need to assess these individually
15:41:27 <sgallagh> contyk: I agree
15:41:38 <sgallagh> For now, the problem is intractible
15:41:54 <contyk> I'm still +1 to sgallagh's original proposal
15:42:38 <bowlofeggs> yeah me too
15:43:17 <contyk> tyll: so what do you say? do you have an alternative proposal or do you think this needs more discussion?
15:43:55 * nirik notes it was never discussed on devel.
15:44:25 <tyll> contyk: My would like a process more where the pkgs are announced to be removed with a deadline and then maintainers/people can object to them to be removed. Then they can stay and all the pkgs nobody cares about will be removed
15:45:30 <sgallagh> tyll: At a quick glance, it looks like we'd be doing that for nearly every package in the distro...
15:48:09 <nirik> yeah, so we would want some critera... but I am not sure what that should be
15:48:51 <contyk> so how about we move this to the devel list and revisit next week?
15:49:03 <sgallagh> +1
15:49:31 <tyll> sgallagh: most of the bugs seem to be rather new, so they might still be handled (not sure if Bugzilla hides the old bugs)
15:49:35 <bowlofeggs> contyk: +1
15:50:50 <nirik> contyk: +1
15:51:03 <tyll> contyk: +1
15:51:12 <contyk> jsmith: ?
15:51:29 <jsmith> +1
15:52:24 <contyk> #agreed Let's discuss this matter on the devel list before revisiting the topic next week (+6, 0, -0)
15:52:36 <contyk> and then we have one followup
15:52:41 <contyk> #topic #1942 F29 System Wide Change: Remove Excessive Linking
15:52:44 <contyk> .fesco 1942
15:52:45 <zodbot> contyk: Issue #1942: F29 System Wide Change: Remove Excessive Linking - fesco - Pagure - https://pagure.io/fesco/issue/1942
15:52:47 <contyk> https://pagure.io/fesco/issue/1942
15:52:56 <contyk> but since jakub isn't here, I think we can just postpone it again
15:53:27 <ignatenkobrain> when is the f29 branching?
15:53:34 * nirik looks
15:53:56 <nirik> 2018-08-14
15:54:01 <nirik> just after flock
15:55:02 <ignatenkobrain> are we going to have meeting next week?
15:55:04 <ignatenkobrain> or during flock?
15:55:24 <sgallagh> I remain opposed to this for F29. I'm fine with flipping the switch right after F29 branches from Rawhide.
15:55:39 <ignatenkobrain> we are talking about f30 ehre
15:55:39 <ignatenkobrain> I suppose
15:56:01 <sgallagh> ignatenkobrain: It was submitted for F29
15:56:09 <sgallagh> If you want to retarget it for F30, that would make me happier
15:56:23 <contyk> I think that was the plan
15:56:29 <bowlofeggs> yeah i also think it should be switched to F30
15:56:34 <ignatenkobrain> but there is written proposal in ticket
15:56:35 <contyk> but jakub was supposed to provide some input whether we should be doing it at all
15:56:36 <bcotton> just from a schedule standpoint, if it's not approved today it becomes F30 almost by default
15:57:15 <bcotton> we don't really have a deadline for change _approval_ in the schedule, but it seems too late for F29 at this point for reasons this group has raised
15:57:24 <ignatenkobrain> https://pagure.io/fesco/issue/1942#comment-523147
15:57:25 <ignatenkobrain> I mean here
15:57:57 <bowlofeggs> i do think we should get more feedback from jakub - perhaps we need to contact him to ask if he intends to come to a fesco meeting
15:58:14 <bowlofeggs> we might not have given him very good notice for the two so far
15:58:22 * nirik nods.
15:58:25 <contyk> that's true
15:58:32 <sgallagh> bowlofeggs: I'm willing to let it happen early in F30, reasoning that if it goes terribly poorly we can revert it before the mass rebuild
15:59:05 <ignatenkobrain> I would love to switch it as soon as f29 branches
15:59:28 <ignatenkobrain> because if we will be waiting for long, we might spot some issues too late and we would have to move it for f31
15:59:53 <nirik> right, so we have until the 14th to decide that...
15:59:54 <ignatenkobrain> so that's why I was asking if there will be meeting next / after next week
15:59:59 <sgallagh> I'm with ignatenkobrain here. Let's approve it for right after the branch, which gives us ample time to roll it back if we needed to
16:00:25 <sgallagh> It also gives Jakub and his team two full weeks to chime in and tell us to stop if they feel like they need to.
16:00:32 <sgallagh> We can revisit any decision.
16:00:33 <contyk> I'll definitely be around both Mondays
16:01:01 <jsmith> WORKSFORME
16:01:10 <tyll> I will not be around next Monday
16:01:14 * nirik should be around next monday
16:01:22 <tyll> Approving for early F30 sounds good to me
16:01:24 <bowlofeggs> i will not be around next monday
16:01:58 <bowlofeggs> i am inclined to also approve pending feedback from jakub, since he hasn't been particularly responsive (he may be on vacation though?)
16:02:04 <contyk> well, no reason to cancel the meeting early
16:02:08 <jsmith> I'll be around on Monday
16:04:23 <contyk> ok, so what's the proposal here?
16:05:01 <sgallagh> Proposal: Accept this change for F30, expecting it to be activated immediately after branching to provide maximum time to shake out issues or invoke the contingency plan.
16:05:04 <sgallagh> +1 FTR
16:05:15 <nirik> +1
16:05:19 <bowlofeggs> sgallagh: +1
16:05:26 <tyll> +1
16:05:30 <nirik> do announce when it's enabled so people can look for the issues...
16:05:45 <sgallagh> nirik: Yeah, good idea
16:06:09 <jsmith> +1
16:06:15 <contyk> alright, +1
16:06:40 <contyk> #agreed Accept this change for F30, expecting it to be activated immediately after branching to provide maximum time to shake out issues or invoke the contingency plan.
16:06:53 <contyk> alright, so that's for the agenda
16:06:57 <contyk> #topic Next week's chair
16:07:05 <sgallagh> I will not be around
16:07:32 <contyk> I can do that again if no one else volunteers
16:07:40 <jsmith> I can do it too
16:07:51 <contyk> thanks!
16:07:58 <bowlofeggs> i will not be here the next two meetings
16:08:02 <contyk> #action jsmith will chair next meeting
16:08:07 <jsmith> :-)
16:08:11 <contyk> #topic Open Floor
16:08:16 <contyk> anything for the open floor?
16:09:19 <nirik> looking forward to flock...
16:09:24 <contyk> oh yes
16:09:25 <nirik> is everyone going to make it?
16:09:30 <contyk> I am
16:09:31 * tyll is
16:10:01 <bowlofeggs> i'll be there
16:10:04 <sgallagh> I'd better be, I'm scheduled as a speaker for six sessions :-/
16:10:14 <bowlofeggs> and travel is why i'm misisng both of the next two meetings :)
16:10:20 <bowlofeggs> whoah six is crazy
16:10:23 * bowlofeggs is just doing 1
16:10:24 * jsmith is still only about 30% sure he'll make it to Flock
16:10:58 * nirik will be there. 1 talk and 1 workshop and 1 hackfest. :)
16:11:15 <contyk> how many beers?
16:11:28 * ignatenkobrain is going to floc ;)
16:11:29 <ignatenkobrain> glock
16:11:29 <ignatenkobrain> argh!
16:11:30 <ignatenkobrain> flock
16:12:08 <nb> jsmith, i hope you will make it
16:12:38 <sgallagh> bowlofeggs: I think I still hold the record. I had nine sessions at the first Flock
16:12:47 <bowlofeggs> wow
16:13:09 <bowlofeggs> so, endmeeting?
16:13:15 * contyk nods
16:13:19 <bowlofeggs> jcline is trying to abandon me for lunch
16:13:29 <contyk> yep, let's end it
16:13:32 <contyk> #endmeeting