15:03:06 #startmeeting Stewardship SIG Meeting (2019-09-03)
15:03:07 Meeting started Tue Sep 3 15:03:06 2019 UTC.
15:03:07 This meeting is logged and archived in a public location.
15:03:07 The chair is decathorpe. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:07 Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:03:07 The meeting name has been set to 'stewardship_sig_meeting_(2019-09-03)'
15:03:12 #meetingname stewardship-sig
15:03:12 The meeting name has been set to 'stewardship-sig'
15:03:13 decathorpe: \o hello!
15:03:17 #topic Roll Call
15:03:21 hi Alex
15:03:26 #chair cipherboy
15:03:26 Current chairs: cipherboy decathorpe
15:03:59 decathorpe, hello o/
15:04:08 decathorpe: Greetings from the middle of the US :P
15:04:19 #chair sillebille
15:04:19 Current chairs: cipherboy decathorpe sillebille
15:04:22 hi Dinesh :)
15:04:55 sorry for not creating a ticket with an agenda, I completely forgot
15:05:07 not a problem at all :)
15:05:10 but I don't think there's anything important to talk about right now ... unless you have something?
15:05:43 decathorpe: I'll schedule time early this week for remaining CVE's.
15:06:38 decathorpe, cipherboy hey
15:06:40 there should be only 2 or 3 left, I think. orion fixed pdfbox :)
15:06:44 #chair mhroncok
15:06:44 Current chairs: cipherboy decathorpe mhroncok sillebille
15:06:46 hey Miro
15:06:54 and sillebille o/
15:07:05 hi mrio! \o
15:07:06 We seem to acquire the most interesting of packages. :D Do I want to know what pdfbox does?
15:07:11 *Miro
15:07:15 mhroncok: \o
15:07:32 cipherboy: no, or you start to care :D
15:07:49 * decathorpe shrugs
15:07:59 decathorpe: I've added jvanek to google-gson and opened https://pagure.io/releng/fedora-scm-requests/pull-request/16205
15:08:24 ACK, I saw the email but didn't have time to respond yet
15:08:32 decathorpe: So I didn't quite follow ticket #40 closely enough. What happened there? -- it looks like we had a set of orphans but then needed more (because the orphans depended on more orphans)?
15:08:59 yeah
15:09:18 but I removed some optional deps from packages, which means we didn't actually have to adopt any more packages
15:09:36 decathorpe: \o/ cool! And no groovy I saw so decathorpe++ !
15:09:37 cipherboy: Karma for decathorpe changed to 4 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any
15:09:50 haha thanks
15:09:55 I hope it doesn't creep back in
15:11:07 alright, I created a quick-n-dirty tracking ticket for today
15:11:12 https://pagure.io/stewardship-sig/issue/47
15:11:33 #topic Open RHBZs
15:11:48 #link https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&email1=stewardship-sig%40lists.fedoraproject.org&emailassigned_to1=1&emailcc1=1&emailtype1=substring&list_id=10466112&product=Fedora&query_format=advanced
15:12:15 I tried to close all bugs that were actually fixed. does anybody have some time to check that I didn't miss anything?
15:12:40 jackson-databind has quite some CVEs
15:13:29 mhroncok: Yeah I want to get that done early this week. We (RHCS) did that earlier in RHEL via rebase, will likely do the same downstream.
15:14:05 there's also one CVE for itext
15:14:07 **same in Fedora
15:14:11 the rest should be version updates
15:14:27 and one FTBFS for felix-bundlerepository
15:14:38 decathorpe: As in, we need to write the CVE fix for itext, or we can fix that with a version update too?
15:15:06 decathorpe: If it just needs a version bump, I'll do that with jackson-databind.
15:15:23 I haven't checked yet
15:15:30 decathorpe: Assign that AI to me then.
15:15:50 decathorpe: Looks like itext is two versions behind.
15:15:56 yeeesh
15:16:05 the CVE tracking bug was filed against fedora 26
15:16:10 decathorpe: Sorry, two *major* versions behind.
15:17:11 itext has been fixed in 5.5.12 and 7.0.3, but we are on 2.1.7 for more than a decade 😱
15:17:32 Oh, we're 3-5 major versions behind. :o OK, I'll take AI to fix that.
15:17:46 can we get rid of this instead? it seems very very bad
15:18:00 * decathorpe shudders
15:18:04 let me check
15:19:09 itext-core is the only package that seems needed, we might want to remove everything else
15:19:20 ACK, I'll take that AI then.
15:19:44 alright, itext is required by maven-doxia, where it can be disabled by flipping a bcond
15:20:18 + flyingsaucer (orphan)
15:20:20 which should be fine, since maven-doxia-module-itext is not required by anything
15:20:27 \o/
15:20:30 \o/
15:20:48 I'll submit a PR and do test rebuilds just to be sure
15:21:32 any other interesting bugs?
15:23:18 a food for thought https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/ENIIVNHWHUYY6WBQVUBTH27ZHIG2FZTR/
15:23:21 decathorpe: None that I see.
15:24:15 I was tempted to respond with "YES PLEASE LET IT BE DEAD"
15:24:20 :D
15:24:20 mhroncok: I don't understand the "module with one component" modules...
15:24:22 :D
15:24:24 decathorpe++
15:24:34 ;)
15:24:58 I'll also check if we can disable fop support in maven-doxia*. it'd let us drop some more packages
15:25:24 #topic Open Pull Requests
15:25:28 #link https://decathorpe.fedorapeople.org/stewardship-sig-prs.html
15:25:41 I've been working with mkoncek on getting some of his PRs merged
15:25:56 decathorpe: A lot of these PRs seem familiar when I was looking earlier. Are they ready for review or still mostly blocked on rebases?
15:26:11 some need to be rebased, yes
15:26:26 others break some packages and I didn't want to merge them yet
15:27:03 most of the PRs are targeted against master. What happens to F31?
15:27:12 are some of them reducing our package set?
15:27:19 sillebille: nothing
15:27:22 decathorpe: ACK. If you get to a point with a bunch of open PRs, I'd gladly take a day to review them if you want a second pair of eyes.
15:27:54 cipherboy: great, thanks
15:28:14 sillebille: I won't merge version updates back into f31 anymore, only fixes
15:28:17 I can take some time from my cycle to review the open PRs too :)
15:28:24 decathorpe, mhroncok ACK
15:28:56 although if there's interest in getting some versions into f31 still, we can certainly decide that on a case-by-case basis
15:30:30 cipherboy: the PRs that are most likely to get merged soon are maven-doxia* updates and maven-invoker* plus porting xmvn to maven-invoker 3.0.1
15:32:32 decathorpe: ACK.
15:32:56 any other PRs you want to talk about?
15:33:22 decathorpe: None from me. :)
15:35:25 #topic Open Floor
15:36:24 I'll run the full SIG leaf checks later today with the 20190903 rawhide compose, then I'll update the corresponding pagure ticket
15:36:34 there should be some packages we can drop again :)
15:37:05 awesome
15:37:32 Cool!
15:37:48 there's also something else I've been working on, originally for my flock talk (youtube video should be public soon)
15:38:47 cool :)
15:39:05 decathorpe: what is it?
15:39:13 if you're interested in statistics and graphs:
15:39:14 https://decathorpe.fedorapeople.org/stewardship/
15:39:53 these are generated from the adoption, orphaning, release, and update data in data/events.json
15:40:14 decathorpe: what about a dependency graph? :)
15:40:58 I tried. the graph got too big ...
15:41:01 And gamify it! :D
15:42:17 hehe
15:43:24 this one is slightly encouraging: https://decathorpe.fedorapeople.org/stewardship/od_pkgs_rel.png
15:43:51 we started with almost 70% of packages being out of date, now we're almost down to 40%
15:44:14 which means we're now updating packages faster than they are released. which is something :)
15:44:48 Yeah, that graph is nice. :)
15:45:33 that's some good news :)
15:45:53 we're getting to a point where rawhide is more up to date than modular branches
15:46:38 there's only a few more updates missing, and I'm working on those
15:47:19 I wonder what happens with the modular branches if modularity dies
15:47:49 And who takes ownership of the master/fed-tracking branches...
15:48:25 honestly, I don't care
15:48:38 I disabled the *-modular repos on all my systems anyway
15:48:54 decathorpe: hehe, I'd love to do that, but I like rust apps
15:49:06 "cargo install exa"
15:49:12 ;)
15:50:32 well, I think that's everything I got for today
15:51:17 I'll push a PR for removing itext from maven-doxia if it doesn't cause issues
15:51:27 decathorpe: Same, thanks very much! I've got my AIs.
15:51:45 cipherboy++
15:51:46 decathorpe: I'll try to review it if it arrives soon
15:52:07 mhroncok: thanks! it's a small change, just flipping a bcond in maven-doxia
15:52:39 decathorpe: so basically all we need is to see the copr-cross-builds
15:53:33 yep. they're already running: https://copr.fedorainfracloud.org/coprs/decathorpe/maven-doxia-pr2/monitor/
15:53:46 but I like to do my homework *before* submitting PRs :)
15:54:05 decathorpe: nice
15:54:30 decathorpe: after the meeting, please ping me in #fedora-python
15:54:38 sure
15:56:10 alright, thanks for showing up, everybody!
15:56:13 #endmeeting