16:00:25 <decathorpe> #startmeeting Stewardship SIG Meeting (2019-11-12)
16:00:25 <zodbot> Meeting started Tue Nov 12 16:00:25 2019 UTC.
16:00:25 <zodbot> This meeting is logged and archived in a public location.
16:00:25 <zodbot> The chair is decathorpe. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:25 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:25 <zodbot> The meeting name has been set to 'stewardship_sig_meeting_(2019-11-12)'
16:00:32 <decathorpe> #meetingname stewardship-sig
16:00:32 <zodbot> The meeting name has been set to 'stewardship-sig'
16:00:38 <decathorpe> #topic Roll Call
16:00:44 * cipherboy is present
16:00:50 * decathorpe knows
16:00:55 <decathorpe> #chair cipherboy
16:00:55 <zodbot> Current chairs: cipherboy decathorpe
16:01:11 <cipherboy> decathorpe:  Roll call implies I have to speak up to be counted as present, right? ;-)
16:01:37 <decathorpe> aye!
16:02:48 <sillebille> \o greeings
16:03:04 <sillebille> let me try that again, greetings SIG! \o
16:03:05 <decathorpe> sillebille: o/
16:03:13 <decathorpe> #chair sillebille
16:03:13 <zodbot> Current chairs: cipherboy decathorpe sillebille
16:03:47 <cipherboy> sillebille:  \o
16:04:27 <mhroncok> o/
16:04:43 <sillebille> mhroncok, hello \o
16:04:53 <decathorpe> hello! :)
16:04:56 <decathorpe> #chair mhroncok
16:04:56 <zodbot> Current chairs: cipherboy decathorpe mhroncok sillebille
16:05:19 <decathorpe> #link https://pagure.io/stewardship-sig/issue/60 Agenda
16:06:01 <cipherboy> decathorpe: Agenda looks good to me.
16:06:33 <decathorpe> I don't have an updates SIG report ready for discussing new SIG leaves. I wanted to either get data from the latest rawhide compose, or get the latest koji builds in. neither happened, since no compose and koji is being terribly slow today
16:06:49 <decathorpe> so we can drop that topic
16:07:54 <cipherboy> decathorpe: Ah I forgot, I had another agenda item if we wanted to discuss at the end.
16:08:15 <sillebille> cipherboy, the plan for jdeparser? ;-)
16:08:29 <cipherboy> sillebille: That's your agenda item. I was thinking JBoss response.
16:08:49 <decathorpe> we can start with either of these
16:09:24 <sillebille> cipherboy, you can go first :)
16:09:55 <cipherboy> decathorpe: So the key points from JBoss is they're hesitant to go with Packit (no surprise there).
16:10:17 <decathorpe> yeah, shocker :D
16:10:22 <mhroncok> oh, really?
16:11:20 <cipherboy> But the other thing is if we want support (and likely, CVE tracking via prodsec), we need to follow JBoss EAP. So EAP 7.2 is current supported release, means RESTeasy 3.6.1.
16:12:00 <decathorpe> wow. that's ... bad
16:12:17 <decathorpe> well, less work for us
16:12:29 <cipherboy> And we should be able to bump some of the older mvn(...) depends to newer package-versions-in-name while we're at it.
16:13:00 <cipherboy> So we can likely move resteasy from dep on jboss-servlet-2.5-api -to-> dep on jboss-servlet-3.0-api
16:13:22 <cipherboy> So that _should_ help us reduce the number of packages we packge.
16:13:34 * decathorpe nods
16:14:00 <cipherboy> I'm not entirely sure about the prodsec portion, but we haven't really seen many CVEs anywhere (and nobody writes perfect software)...
16:14:10 <cipherboy> Anyhow, I'll check this against Dogtag and start filing PRs.
16:14:49 <decathorpe> sounds good
16:14:53 <cipherboy> Just wanted to give y'all a heads up on that. :)
16:15:46 <decathorpe> yeah, that's good to know
16:15:54 <decathorpe> sillebille: what was your topic?
16:16:25 <sillebille> decathorpe, i was wondering if I can add jdeparser to SIG? :-)
16:16:34 <decathorpe> #topic jdeparser?
16:16:41 <sillebille> jdeparser was recently revived and it is up-todate with upstream version.
16:16:47 <decathorpe> that's the one I reviewed for you, right?
16:16:51 <sillebille> yeah
16:16:59 <decathorpe> yeah that's fine I think
16:17:06 <sillebille> \o/
16:17:51 <sillebille> i guess, that's the end of my topic :)
16:18:03 <decathorpe> yeah it only needs jboss-parent, maven, junit
16:18:07 <decathorpe> that's completely fine
16:18:30 <sillebille> it's a pretty simple package. So, it won't be too much weight on our back
16:18:49 <mhroncok> sure, why not. but we need to note it as a permanent sig leaf
16:19:08 <decathorpe> I think it's required by dogtag-pki, so we won't break it anyway
16:19:34 <cipherboy> decathorpe:  It is also a resteasy dependency I thought
16:19:42 <decathorpe> or that.
16:19:46 <decathorpe> so it's not a leaf :)
16:19:48 <cipherboy> decathorpe: mhroncok: So it shouldn't be a leaf, just something we forgot to move over.
16:20:01 <decathorpe> right. feel free to add the SIG group as admin
16:20:19 <decathorpe> I'll update the data in pagure later
16:20:25 <mhroncok> oh, ok
16:20:40 <sillebille> it's a direct dep of resteasy which is a dep of dogtag-pki :)
16:21:16 <decathorpe> alright!
16:21:22 <decathorpe> #topic Broken Dependencies
16:21:23 <sillebille> added the group!
16:21:38 <decathorpe> #link https://pagure.io/stewardship-sig/issue/59
16:24:24 <mhroncok> are those "abandoned" or mainatined packages?
16:24:38 <mhroncok> will they be orphaned with F31FTBFS?
16:24:46 <decathorpe> let me check
16:25:21 <decathorpe> forbidden-apis: no F31FTBFS bug
16:25:50 <decathorpe> jetty: no F31FTBFS bug
16:26:17 <decathorpe> maven-war-plugin: no F31FTBFS bug
16:26:56 <mhroncok> oh
16:26:57 <decathorpe> I think they were all broken after the F31 mass rebuild
16:28:14 <cipherboy> Jetty I don't think we are about any more in rawhide (post my changes merging).
16:28:30 <cipherboy> At least, nothing in the SIG still deps on it.
16:29:20 <decathorpe> I think so
16:30:24 <decathorpe> and as I noted, if forbidden-apis / randomizedtesting becomes a problem, we can just disable (parts of) the test suite in lz4-java
16:30:48 <mhroncok> so, maven-war-plugin is th eonly problem?
16:31:14 <decathorpe> maven-war-plugin is only a problem because of jetty. if we don't need jetty, then it's not a problem for us
16:31:38 <mhroncok> so, no problem at all actually? \o/
16:31:55 <decathorpe> yes. just wanted to have it documented that we rely on some broken packages right now :)
16:32:02 <decathorpe> cipherboy: can I merge and build the jackson-jaxrs-providers PR? ;)
16:33:22 <cipherboy> decathorpe:  Sure.
16:33:43 <cipherboy> decathorpe:  Unless you want me to do the builds.
16:33:53 <decathorpe> I can do it. I've already done the xmvn 3.1.0 stuff :)
16:35:07 <decathorpe> #topic Open Pull Requests
16:35:16 <decathorpe> #link https://gist.github.com/decathorpe/6d67ffd8b78ae622601725ac8e400260
16:35:39 <decathorpe> this is an up-to-date list
16:36:32 <decathorpe> we already merged some PRs today, so this stuff is not urgent ... though I would like to get the plexus/maven stuff done soon-ish :)
16:37:29 * mhroncok won't be able to review plenty of PRs, but is interested in the templating-maven-plugin problem
16:37:41 <cipherboy> decathorpe:  Ok, I'll start pruning down that list some more as I get time.
16:37:50 <cipherboy> What's the templating-maven-plugin problem, btw?
16:37:53 <decathorpe> yeah I have no idea how to solve that. and I don't know why gson would start depending on some ancient maven plugin ...
16:37:59 <decathorpe> it's using maven2 APIs
16:38:01 <cipherboy> Ah
16:38:58 <decathorpe> apache-commons-logging is not our package, but dropping support for avalon stuff there should let us drop two packages
16:39:19 <decathorpe> everything else is pretty straight-forward.
16:41:43 <cipherboy> Cool \o/
16:42:09 <mhroncok> can we bisect gson and revert the commit that added the depndency?
16:43:43 <decathorpe> hm. good idea.
16:43:50 <decathorpe> it was added here to fix some android bugs ... https://github.com/google/gson/commit/d84e26d
16:44:40 <cipherboy> Can we just add a patch which reverts that one commit?
16:44:56 <cipherboy> Seems unlikely that anyone will be running gson from Fedora on Android...
16:45:19 <decathorpe> yeah I'll try :)
16:45:21 <decathorpe> good idea
16:46:30 <decathorpe> can RPM apply patches with -R?
16:46:35 <mhroncok> it can
16:46:47 <mhroncok> but you can just revertt the patch and use autosetup
16:46:58 <mhroncok> I can do that if you'd like
16:47:16 <decathorpe> eeeh using autosetup is weird with some Java stuff
16:48:30 <mhroncok> oh
16:48:41 <decathorpe> in this case it would work
16:48:55 <decathorpe> but in some specs, macros to modify sources are run before patches are applied ...
16:49:52 <decathorpe> alright, I'll work on getting gson fixed. there's nothing else from my side
16:49:56 <decathorpe> #topic Open Floor
16:50:27 <mhroncok> decathorpe: I'm testing gson
16:52:42 <cipherboy> decathorpe:  I don't think I have anything else.
16:53:37 <sillebille> i did the package review on the templating-maven-plugin. This was my first review. So, that's good to be approved?
16:53:53 <sillebille> there was 1 issue reported by the fedora-review tool
16:54:04 <decathorpe> sillebille: yeah thanks, but we'll see if we actually need that package after all
16:54:27 <sillebille> okie dokie. I have nothing else! :-)
16:54:46 <decathorpe> mhroncok: yeah, I'm trying as well. but the revert doesn't apply cleanly
16:56:09 <mhroncok> decathorpe: I got it
16:56:40 <decathorpe> oh, great :)
16:58:47 <mhroncok> decathorpe: in https://src.fedoraproject.org/rpms/google-gson/pull-request/1
16:59:54 <decathorpe> thanks! squash how?
17:00:35 <mhroncok> decathorpe: git rebase -i origin/master --autosquah
17:00:43 <mhroncok> --autosquash
17:00:46 <decathorpe> heh. TIL :)
17:00:58 <decathorpe> so, time's up. thanks, guys!
17:01:01 <decathorpe> #endmeeting