15:03:06 <decathorpe> #startmeeting Stewardship SIG Meeting (2019-09-03)
15:03:07 <zodbot> Meeting started Tue Sep  3 15:03:06 2019 UTC.
15:03:07 <zodbot> This meeting is logged and archived in a public location.
15:03:07 <zodbot> The chair is decathorpe. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:07 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:03:07 <zodbot> The meeting name has been set to 'stewardship_sig_meeting_(2019-09-03)'
15:03:12 <decathorpe> #meetingname stewardship-sig
15:03:12 <zodbot> The meeting name has been set to 'stewardship-sig'
15:03:13 <cipherboy> decathorpe:  \o hello!
15:03:17 <decathorpe> #topic Roll Call
15:03:21 <decathorpe> hi Alex
15:03:26 <decathorpe> #chair cipherboy
15:03:26 <zodbot> Current chairs: cipherboy decathorpe
15:03:59 <sillebille> decathorpe, hello o/
15:04:08 <cipherboy> decathorpe: Greetings from the middle of the US :P
15:04:19 <decathorpe> #chair sillebille
15:04:19 <zodbot> Current chairs: cipherboy decathorpe sillebille
15:04:22 <decathorpe> hi Dinesh :)
15:04:55 <decathorpe> sorry for not creating a ticket with an agenda, I completely forgot
15:05:07 <sillebille> not a problem at all :)
15:05:10 <decathorpe> but I don't think there's anything important to talk about right now ... unless you have something?
15:05:43 <cipherboy> decathorpe: I'll schedule time early this week for remaining CVE's.
15:06:38 <mhroncok> decathorpe, cipherboy hey
15:06:40 <decathorpe> there should be only 2 or 3 left, I think. orion fixed pdfbox :)
15:06:44 <decathorpe> #chair mhroncok
15:06:44 <zodbot> Current chairs: cipherboy decathorpe mhroncok sillebille
15:06:46 <decathorpe> hey Miro
15:06:54 <mhroncok> and sillebille  o/
15:07:05 <sillebille> hi mrio! \o
15:07:06 <cipherboy> We seem to acquire the most interesting of packages. :D Do I want to know what pdfbox does?
15:07:11 <sillebille> *Miro
15:07:15 <cipherboy> mhroncok: \o
15:07:32 <mhroncok> cipherboy: no, or you start to care :D
15:07:49 * decathorpe shrugs
15:07:59 <mhroncok> decathorpe: I've added jvanek to google-gson and opened https://pagure.io/releng/fedora-scm-requests/pull-request/16205
15:08:24 <decathorpe> ACK, I saw the email but didn't have time to respond yet
15:08:32 <cipherboy> decathorpe: So I didn't quite follow ticket #40 closely enough. What happened there? -- it looks like we had a set of orphans but then needed more (because the orphans depended on more orphans)?
15:08:59 <decathorpe> yeah
15:09:18 <decathorpe> but I removed some optional deps from packages, which means we didn't actually have to adopt any more packages
15:09:36 <cipherboy> decathorpe: \o/ cool! And no groovy I saw so decathorpe++ !
15:09:37 <zodbot> cipherboy: Karma for decathorpe changed to 4 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
15:09:50 <decathorpe> haha thanks
15:09:55 <decathorpe> I hope it doesn't creep back in
15:11:07 <decathorpe> alright, I created a quick-n-dirty tracking ticket for today
15:11:12 <decathorpe> https://pagure.io/stewardship-sig/issue/47
15:11:33 <decathorpe> #topic Open RHBZs
15:11:48 <decathorpe> #link https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&email1=stewardship-sig%40lists.fedoraproject.org&emailassigned_to1=1&emailcc1=1&emailtype1=substring&list_id=10466112&product=Fedora&query_format=advanced
15:12:15 <decathorpe> I tried to close all bugs that were actually fixed. does anybody have some time to check that I didn't miss anything?
15:12:40 <mhroncok> jackson-databind has quite some CVEs
15:13:29 <cipherboy> mhroncok:  Yeah I want to get that done early this week. We (RHCS) did that earlier in RHEL via rebase, will likely do the same downstream.
15:14:05 <decathorpe> there's also one CVE for itext
15:14:07 <cipherboy> **same in Fedora
15:14:11 <decathorpe> the rest should be version updates
15:14:27 <decathorpe> and one FTBFS for felix-bundlerepository
15:14:38 <cipherboy> decathorpe: As in, we need to write the CVE fix for itext, or we can fix that with a version update too?
15:15:06 <cipherboy> decathorpe:  If it just needs a version bump, i'll do that with jackson-databind.
15:15:23 <decathorpe> I haven't checked yet
15:15:30 <cipherboy> decathorpe:  Assign that AI To me then.
15:15:50 <cipherboy> decathorpe:  Looks like itext is two versions behind.
15:15:56 <decathorpe> yeeesh
15:16:05 <decathorpe> the CVE tracking bug was filed against fedora 26
15:16:10 <cipherboy> decathorpe:  Sorry, two *major* versions behind.
15:17:11 <mhroncok> itext has been fixed in 5.5.12 and 7.0.3, but we are on 2.1.7 for more than a decade 😱
15:17:32 <cipherboy> Oh, we're 3-5 major versions behind. :o OK, I'll take AI to fix that.
15:17:46 <mhroncok> can we get rid of this instead? it seems very very bad
15:18:00 * decathorpe shudders
15:18:04 <decathorpe> let me check
15:19:09 <mhroncok> itext-core is the only package that seems needed, we might want to remove everything else
15:19:20 <cipherboy> ACK, I'll take that AI then.
15:19:44 <decathorpe> alright, itext is required by maven-doxia, where it can be disabled by flipping a bcond
15:20:18 <mhroncok> + flyingsaucer (orphan)
15:20:20 <decathorpe> which should be fine, since maven-doxia-module-itext is not required by anything
15:20:27 <mhroncok> \o/
15:20:30 <cipherboy> \o/
15:20:48 <decathorpe> I'll submit a PR and do test rebuilds just to be sure
15:21:32 <decathorpe> any other interesting bugs?
15:23:18 <mhroncok> a food for thought https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/ENIIVNHWHUYY6WBQVUBTH27ZHIG2FZTR/
15:23:21 <cipherboy> decathorpe:  None that I see.
15:24:15 <decathorpe> I was tempted to respond with "YES PLEASE LET IT BE DEAD"
15:24:20 <mhroncok> :D
15:24:20 <cipherboy> mhroncok: I don't understand the "module with one component" modules...
15:24:22 <cipherboy> :D
15:24:24 <mhroncok> decathorpe++
15:24:34 <decathorpe> ;)
15:24:58 <decathorpe> I'll also check if we can disable fop support in maven-doxia*. it'd let us drop some more packages
15:25:24 <decathorpe> #topic Open Pull Requests
15:25:28 <decathorpe> #link https://decathorpe.fedorapeople.org/stewardship-sig-prs.html
15:25:41 <decathorpe> I've been working with mkoncek on getting some of his PRs merged
15:25:56 <cipherboy> decathorpe:  A lot of these PRs seem familiar when I was looking earlier. Are they ready for review or still mostly blocked on rebases?
15:26:11 <decathorpe> some need to be rebased, yes
15:26:26 <decathorpe> others break some packages and I didn't want to merge them yet
15:27:03 <sillebille> most of the PRs are targeted against master. What happens to F31?
15:27:12 <mhroncok> are some of them reducing our package set?
15:27:19 <mhroncok> sillebille: nothing
15:27:22 <cipherboy> decathorpe:  ACK. If you get to a point with a bunch of open PRs, I'd gladly take a day to review them if you want a second pair of eyes.
15:27:54 <decathorpe> cipherboy: great, thanks
15:28:14 <decathorpe> sillebille: I won't merge version updates back into f31 anymore, only fixes
15:28:17 <sillebille> i can take some time from my cycle to review the open PRs too :)
15:28:24 <sillebille> decathorpe, mhroncok ACK
15:28:56 <decathorpe> although if there's interest in getting some versions into f31 still, we can certainly decide that on a case-by-case basis
15:30:30 <decathorpe> cipherboy: the PRs that are most likely to get merged soon are maven-doxia* updates and maven-invoker* plus porting xmvn to maven-invoker 3.0.1
15:32:32 <cipherboy> decathorpe:  ACK.
15:32:56 <decathorpe> any other PRs you want to talk about?
15:33:22 <cipherboy> decathorpe: None from me. :)
15:35:25 <decathorpe> #topic Open Floor
15:36:24 <decathorpe> I'll run the full SIG leaf checks later today with the 20190903 rawhide compose, then I'll update the corresponding pagure ticket
15:36:34 <decathorpe> there should be some packages we can drop again :)
15:37:05 <mhroncok> awesome
15:37:32 <cipherboy> Cool!
15:37:48 <decathorpe> there's also something else I've been working on, originally for my flock talk (youtube video should be public soon)
15:38:47 <sillebille> cool :)
15:39:05 <mhroncok> decathorpe: what is it?
15:39:13 <decathorpe> if you're interested in statistics and graphs:
15:39:14 <decathorpe> https://decathorpe.fedorapeople.org/stewardship/
15:39:53 <decathorpe> these are generated from the adoption, orphaning, release, and update data in data/events.json
15:40:14 <mhroncok> decathorpe: what about a dependency graph? :)
15:40:58 <decathorpe> I tried. the graph got too big ...
15:41:01 <cipherboy> And gamify it! :D
15:42:17 <decathorpe> hehe
15:43:24 <decathorpe> this one is slightly encouraging: https://decathorpe.fedorapeople.org/stewardship/od_pkgs_rel.png
15:43:51 <decathorpe> we started with almost 70% of packages being out of date, now we're almost down to 40%
15:44:14 <decathorpe> which means we're now updating packages faster than they are released. which is something :)
15:44:48 <cipherboy> Yeah, that graph is nice. :)
15:45:33 <sillebille> that's some good news :)
15:45:53 <decathorpe> we're getting to a point where rawhide is more up to date than modular branches
15:46:38 <decathorpe> there's only a few more updates missing, and I'm working on those
15:47:19 <mhroncok> I wonder what happens with the modular branches if modularity dies
15:47:49 <cipherboy> And who takes ownership of the master/fed-tracking branches...
15:48:25 <decathorpe> honestly, I don't care
15:48:38 <decathorpe> I disabled the *-modular repos on all my systems anyway
15:48:54 <mhroncok> decathorpe: hehe, I'd love to do that, but I like rust apps
15:49:06 <decathorpe> "cargo install exa"
15:49:12 <decathorpe> ;)
15:50:32 <decathorpe> well, I think that's everything I got for today
15:51:17 <decathorpe> I'll push a PR for removing itext from maven-doxia if it doesn't cause issues
15:51:27 <cipherboy> decathorpe: Same, thanks very much! I've got my AIs.
15:51:45 <decathorpe> cipherboy++
15:51:46 <mhroncok> decathorpe: I'll try to review it if it arrives soon
15:52:07 <decathorpe> mhroncok: thanks! it's a small change, just flipping a bcond in maven-doxia
15:52:39 <mhroncok> decathorpe: so basically all we need is to see the copr-cross-builds
15:53:33 <decathorpe> yep. they're already running: https://copr.fedorainfracloud.org/coprs/decathorpe/maven-doxia-pr2/monitor/
15:53:46 <decathorpe> but I like to do my homework *before* submitting PRs :)
15:54:05 <mhroncok> decathorpe: nice
15:54:30 <mhroncok> decathorpe: after the meeting, please ping me in #fedora-python
15:54:38 <decathorpe> sure
15:56:10 <decathorpe> alright, thanks for showing up, everybody!
15:56:13 <decathorpe> #endmeeting