16:00:20 <decathorpe> #startmeeting Stewardship SIG Meeting (2020-01-07)
16:00:20 <zodbot> Meeting started Tue Jan  7 16:00:20 2020 UTC.
16:00:20 <zodbot> This meeting is logged and archived in a public location.
16:00:20 <zodbot> The chair is decathorpe. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:20 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:20 <zodbot> The meeting name has been set to 'stewardship_sig_meeting_(2020-01-07)'
16:00:25 <decathorpe> #meetingname stewardship-sig
16:00:25 <zodbot> The meeting name has been set to 'stewardship-sig'
16:00:33 <decathorpe> #topic Roll Call
16:03:17 <cipherboy> \o
16:03:23 <cipherboy> Sorry I'm late.
16:03:26 <decathorpe> hello!
16:03:31 <decathorpe> #chair cipherboy
16:03:31 <zodbot> Current chairs: cipherboy decathorpe
16:03:47 <cipherboy> sillebille: o/ Are you joining this meeting?
16:04:13 <sillebille> yes, I'm here! \o
16:04:24 <decathorpe> hey :)
16:04:27 <decathorpe> #chair sillebille
16:04:27 <zodbot> Current chairs: cipherboy decathorpe sillebille
16:04:39 <sillebille> Sorry, I was distracted with another meeting :)
16:05:09 <cipherboy> Meeting agenda looked fine to me
16:05:31 <sillebille> seemed much simpler than before :-)
16:06:20 <decathorpe> #link https://pagure.io/stewardship-sig/issue/69 Agenda
16:06:36 <decathorpe> #topic Open Floor
16:06:49 <cipherboy> Let's start with BZs and CVEs?
16:06:49 <decathorpe> cipherboy: thanks for the log4j PR, I haven't had time to look at it yet
16:07:06 <decathorpe> #topic Open Bugz
16:07:22 <decathorpe> #link https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&email1=stewardship-sig%40lists.fedoraproject.org&emailassigned_to1=1&emailcc1=1&emailtype1=substring&list_id=10281127&product=Fedora&query_format=advanced BugZilla
16:07:25 <cipherboy> decathorpe: np, I did it while looking at the CVEs. I had an old 2.12.0 upgrade from June that I hadn't pushed because it was broken, your fixes to do 2.12.1 were what I needed to get 2.13 working :-)
16:07:44 <decathorpe> oh, nice
16:07:46 <cipherboy> decathorpe: I closed the log4j CVE as NOTABUG since we're not affected (our versions are too new) -- but we still need to update log4j12
16:08:10 <decathorpe> cipherboy: is there an upstream patch?
16:08:21 <decathorpe> I really don't want to have to patch it myself
16:08:26 <cipherboy> I'm not sure, I'll take a look and get to that early this week.
16:08:36 <decathorpe> that would be great. thanks
16:08:51 <decathorpe> I think the snakeyaml CVE is ... *shrug*, WONTFIX?
16:09:52 <cipherboy> I think so. I got a reply from the prodsec person, saying they need to look at it more, but... I haven't heard a response.
16:10:02 <cipherboy> I'll poke them again to see if what they think.
16:10:11 <cipherboy> *see if they've had time to look at it and what they think.
16:10:20 <decathorpe> +1
16:11:07 <decathorpe> we've accumulated a few "New Version available" bugs since I didn't do anything over the holidays :D
16:11:32 <cipherboy> Rest I think looks fine. I had planned to do more work over break but I got busy, so I'll try and take a look at that next week.
16:11:58 <cipherboy> My brother is visiting this weekend, so Friday will be a short day and I'll be back Tuesday.
16:12:04 <decathorpe> nice
16:12:05 <decathorpe> great :)
16:12:24 <decathorpe> I'll try to open PRs for jackson 2.10.2 if I have the time.
16:12:39 <cipherboy> I thought we were on 2.11 for some reason, but perhaps not?
16:13:00 <cipherboy> Ah, 2.10.1 != 2.11 != 2.10.2
16:13:03 <cipherboy> :-)
16:13:13 <decathorpe> yes :)
16:13:57 <decathorpe> everything else is just new version bugs
16:14:10 <decathorpe> #topic Open Pull Requests
16:14:23 <decathorpe> #link https://decathorpe.fedorapeople.org/stewardship-sig-prs.html Open Pull Requests
16:14:58 <cipherboy> A lot of these PRs have sat for a while...
16:15:07 <decathorpe> yeah some have merge conflicts
16:15:13 <decathorpe> sisu 0.3.4 should be fine though.
16:15:25 <decathorpe> testng 7.0.0 is blocked by other packages IIRC
16:16:05 <decathorpe> so I guess there's not much to talk about
16:16:07 <cipherboy> What about slf4j? Should we rebase and continue, or is there a newer version we should rebase to?
16:16:15 <cipherboy> **rebase mkonceks?
16:16:23 <decathorpe> I think there's 1.7.28 now
16:16:31 <decathorpe> and it needs to be coordinated with maven
16:17:06 <cipherboy> Ah, ok. We are a consumer of slf4j, so I could take that on if we wanted (and close mkoncek's PR)
16:17:27 <decathorpe> you, as in dogtag team?
16:17:43 <cipherboy> What coordination with maven is required?
16:18:10 <decathorpe> maven has hard-coded version dep on slf4j since it uses the slf4j sources jar
16:18:18 <cipherboy> And yes, Dogtag PKI and JSS both require slf4j, so I could take a look at it.
16:18:35 <decathorpe> but bumping the slf4j version in maven should be enough ... testing that it works would be good though
16:19:03 <cipherboy> ACK, I'm fine doing that.
16:19:03 <decathorpe> ah, good to know. then at least if you break it it's not my fault for breaking critical packages :)
16:19:09 <cipherboy> >:D
16:19:20 <decathorpe> exactly ;-)
16:19:26 <cipherboy> Do we need to coordinate with modular maven or just our unmodular version?
16:19:45 <cipherboy> I'd assume modular maven is doing its own thing and building their own slf4j, so I'm inclined to only coordinate with non-modular maven.
16:19:48 <decathorpe> non-modular only. modular maven does its own thing and I don't really care
16:19:55 <cipherboy> ACK
16:20:10 <decathorpe> #topic Review Leaf Packages
16:20:17 <decathorpe> #link https://decathorpe.fedorapeople.org/stewardship-sig.html#sig-leaves Leaf Packages
16:20:29 <cipherboy> Ah, modular maven is already on 1.7.28, so we'd be fine upgrading.
16:20:35 <cipherboy> \o/
16:20:39 <decathorpe> great
16:20:45 <decathorpe> I think we ACKed the list of "total" leaves?
16:20:48 <cipherboy> I +1'd the leaves.
16:21:11 <decathorpe> maven-mapping is new because something got retired, and I have no idea why we unretired it ...
16:21:27 <decathorpe> so I'd leave that one for now, until we know that we actually won't need it anymore
16:23:02 <cipherboy> https://pagure.io/releng/issue/8988 filed 2 months ago -- "aqute-bnd in f32 to the latest version" -- but the most recent PR against it was 8 months ago.
16:23:19 <cipherboy> Are you sitting on an unpushed PR for aqute-bnd perhaps?
16:23:27 <decathorpe> oof
16:23:54 <decathorpe> no, I closed the PR again since I couldn't keep it up to date with the latest aqute-bnd releases
16:24:11 <decathorpe> it's built with gradle upstream and there's downstream POM files for maven :(
16:24:20 <cipherboy> Ah.
16:24:23 <cipherboy> Yuck.
16:24:39 <cipherboy> Look at that project structure: https://github.com/bndtools/bnd
16:25:19 <decathorpe> yeah, I remember the nightmares
16:25:39 <cipherboy> bouncycastle... tomcat requires it? Meh.
16:25:47 <cipherboy> So we can't just drop it.
16:26:28 <decathorpe> maybe a "real Java packager" can help us.
16:26:38 * cipherboy looks around.
16:26:49 <cipherboy> Wouldn't we need gradle back though?
16:26:54 * cipherboy sighs
16:27:15 <decathorpe> nope, I think that our downstream POM files might need adjustments.
16:27:38 <cipherboy> Ah, hm.
16:27:53 <decathorpe> the modular branch has almost everything we need.
16:28:33 <cipherboy> Hmm, perhaps we'll figure it out later.
16:29:21 <decathorpe> yeah it's not time critical or anything.
16:29:27 <decathorpe> well, let's keep maven-mapping for now.
16:29:33 <cipherboy> ACK, sounds good.
16:29:58 <decathorpe> regarding SIG leaves: I think it would be good to wait until eclipse situation is resolved.
16:30:22 <cipherboy> Sure, total leaves are unlikely to decrease IMO.
16:30:55 <decathorpe> yeah. let's just see what happens.
16:31:03 * cipherboy waits :-)
16:31:19 <decathorpe> #topic Open Floor
16:31:24 <decathorpe> anything else? I have nothing
16:31:36 <cipherboy> I've got nothing.
16:31:49 <mbooth> Hmm, I've been porting some things from gradle to maven (because of lack of availability of gradle)
16:32:13 <mbooth> What was the thing aqute-bnd?
16:32:40 <mbooth> Doesn't Mikolaj maintain that modular-ly? Can it be merged into F32?
16:32:45 <decathorpe> hi Mat! yeah, aqute-bnd. the modular branch has almost everything we need, but I'm not confident enough to push the update
16:33:14 <mbooth> What is "almost"?
16:33:42 <decathorpe> javapackages-tools-201902 has 4.3.0, upstream has 4.3.1, and I think some minor modifications were necessary
16:33:51 <decathorpe> let me check
16:34:52 <decathorpe> cipherboy: you were right, I had unpushed changes locally :)
16:35:01 <cipherboy> decathorpe: :-)
16:35:20 <mbooth> TBH I wouldn't try to update it past what is in modular branch -- if there is a gradle -> maven port you are asking for pain to maintain it
16:35:54 <decathorpe> mbooth: sure
16:36:01 <decathorpe> here's what I got when I tried: https://src.fedoraproject.org/fork/decathorpe/rpms/aqute-bnd/commits/master
16:36:15 <decathorpe> I don't remember why I didn't open this as a PR, though.
16:46:55 <cipherboy> decathorpe: If you open now, we can review it.
16:48:52 <decathorpe> https://src.fedoraproject.org/rpms/aqute-bnd/pull-request/4
16:49:25 <cipherboy> Sounds good. I think that's all from me. Should we end then?
16:49:32 <decathorpe> yep
16:49:35 <decathorpe> thanks guys :)
16:49:39 <cipherboy> Thanks Fabio!
16:49:43 <decathorpe> mbooth++ cipherboy++ sillebille++
16:49:59 <decathorpe> zodbot--
16:50:25 * decathorpe tired
16:50:29 <decathorpe> mbooth++
16:50:34 <decathorpe> cipherboy++
16:50:37 <decathorpe> sillebille++
16:50:43 <decathorpe> whatever
16:50:51 <decathorpe> I give up :)
16:50:54 <decathorpe> #endmeeting