15:00:03 <sgallagh> #startmeeting FESCO (2020-02-10)
15:00:03 <sgallagh> #meetingname fesco
15:00:03 <sgallagh> #chair nirik, ignatenkobrain, decathorpe, zbyszek, bookwar, sgallagh, contyk, mhroncok, dcantrel
15:00:03 <sgallagh> #topic init process
15:00:03 <zodbot> Meeting started Mon Feb 10 15:00:03 2020 UTC.
15:00:03 <zodbot> This meeting is logged and archived in a public location.
15:00:03 <zodbot> The chair is sgallagh. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:03 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:00:03 <zodbot> The meeting name has been set to 'fesco_(2020-02-10)'
15:00:03 <zodbot> The meeting name has been set to 'fesco'
15:00:03 <zodbot> Current chairs: bookwar contyk dcantrel decathorpe ignatenkobrain mhroncok nirik sgallagh zbyszek
15:00:12 <bookwar> .hello2
15:00:12 <zodbot> bookwar: bookwar 'Aleksandra Fedorova' <alpha@bookwar.info>
15:00:13 <sgallagh> .hello2
15:00:15 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
15:00:16 <zbyszek> .hello2
15:00:17 <dcantrell> .hello dcantrel
15:00:18 <zodbot> zbyszek: zbyszek 'Zbigniew Jędrzejewski-Szmek' <zbyszek@in.waw.pl>
15:00:21 <zodbot> dcantrell: dcantrel 'David Cantrell' <dcantrell@redhat.com>
15:00:36 <bookwar> sorry for missing the last time, got my after-fosdem pto
15:00:43 <bookwar> with flu included
15:00:48 <sgallagh> Ouch
15:00:56 <sgallagh> I'm glad you are feeling better
15:01:02 <decathorpe> .hello2
15:01:03 <zodbot> decathorpe: decathorpe 'Fabio Valentini' <decathorpe@gmail.com>
15:01:05 <nirik> morning
15:01:21 <zbyszek> afternoon
15:01:47 <sgallagh> OK, we have quorum.
15:02:20 <sgallagh> I only put one ticket on the agenda today (I left off the alt-buildroot topic because there are open questions on the ticket)
15:02:21 <dcantrell> yeah, this isn't the Iowa caucus
15:02:30 <sgallagh> #topic #2339 Proposal to change ARM Release Blocking Criteria - Drop XFCE (32bit), Add Workstation(64bit)
15:02:31 <sgallagh> .fesco 2339
15:02:33 <zodbot> sgallagh: Issue #2339: Proposal to change ARM Release Blocking Criteria - Drop XFCE (32bit), Add Workstation(64bit) - fesco - Pagure.io - https://pagure.io/fesco/issue/2339
15:02:48 * nirik is ok with that change.
15:03:06 <dcantrell> I am fine with this change
15:03:18 <mhroncok> hey. I'm here, but I forgot to scroll and I was still waiting for the meeting to start :D
15:03:53 * mhroncok wants at least a week of discussion on devel
15:04:11 <nirik> it was already discussed on test and arm lists a fair pile
15:04:15 <mhroncok> the reson to have a change proposal wasn't to vote on it immediatelly but to allow commmunity feedback
15:04:20 <sgallagh> I'm reserving my vote on this issue until we hear from the Workstation WG. Even if ARM SIG is going to handle all the ARM-related issues, they're going to be using the Workstation branding
15:04:43 * sgallagh nods
15:04:53 <pwhalen> sgallagh, we've been using the branding for some time
15:04:55 <dcantrell> I also think that's reasonable
15:04:57 <mhroncok> nirik: discussion on arm list is possibly biased - ony poeple interested in arm are there
15:05:21 <nirik> sure. If we want to wait a bit more thats fine...
15:05:32 <sgallagh> pwhalen: Yes, but if we're blocking on it, we'll want their buy-in, because they may need to fix issues.
15:05:33 <pwhalen> the aarch64 spin has been produced for years. The change would be the release blocking status
15:05:50 <sgallagh> I'm not saying "no". I think it's a good change.
15:06:01 <mhroncok> exactly
15:06:18 <sgallagh> I'm saying "let's make sure everyone who needs to gets a say"
15:06:27 <mhroncok> sgallagh++
15:06:30 <dcantrell> one thing not mentioned is does this have a potential negative impact to any users and if so, what is it
15:06:36 <pwhalen> sgallagh, of course.
15:07:04 <sgallagh> dcantrell: The primary negative impact is risk of release slippage
15:07:21 <nirik> well, and armv7 xfce image could be broken...
15:07:21 <mhroncok> or risk of release with broken xfce
15:07:28 <sgallagh> Oh, right
15:07:32 * bcotton sneaks into the back row
15:07:34 * sgallagh wasn't thinking
15:07:48 <nirik> but if those are important to people they can help test them. :)
15:08:25 <dcantrell> ok, so in the case of a broken armv7 release, does that have any impact on users that we want to be usable for?  I'm not entirely familiar with the arm space, but I'm thinking raspberry pi systems and if a broken desktop makes Fedora on ARM less appealing than Ubuntu, maybe that's worth considering?
15:08:52 <mhroncok> that's what I asked on the test list basically
15:08:54 <sgallagh> dcantrell: Current RPi models are aarch64-capable
15:09:02 <dcantrell> mhroncok: ok, cool
15:09:09 <mhroncok> are we Ok ditching "lowcost" arm devices with xfce for workstation on aarch64?
15:09:21 <nirik> but we aren't ditching them
15:09:26 <mhroncok> sure
15:09:28 <dcantrell> what mhroncok is saying...I guess that's what I want more feedback on
15:09:29 <mhroncok> I mean, stop blocking
15:09:33 <nirik> we are just no longer blocking, ie, changing focus
15:09:33 <dcantrell> right
15:09:36 <sgallagh> We're not guaranteeing that they work
15:09:48 <pwhalen> not ditching, just no longer blocking. We still block on minimal and many prefer to use that than have a full desktop
15:09:56 <mhroncok> I realize that we need to move to the future and aarch64 indeed is the future
15:10:01 <mhroncok> but is the future now? IDK
15:10:04 <smooge> I will say that to the usual suspects, not blocking on them is the same as ditching and 1 step away from 'why are we even spending resources on this if you aren't blocking'
15:10:20 <sgallagh> If the minimal arm32 image is still in production, then there's less to be worried about, I think
15:10:32 <pwhalen> sgallagh, it is and still blocking.
15:10:42 <nirik> I think it's been about... 6 or so releases since there was a issue on the armv7 xfce image...
15:10:53 <mhroncok> I am more worried about the xfce desktop no longer being blocking than arm32 desktop
15:11:09 <mhroncok> nirik: mostly because xfce is not changing much
15:11:15 <nirik> Xfce is slow to change
15:11:19 <mhroncok> that
15:11:29 <dcantrell> xfce only recently made a gtk3-based release
15:11:39 <dcantrell> and it's relatively stable, but still needs work
15:11:44 <dcantrell> that took them a long time to get done
15:12:02 <nirik> they don't have all that many deveopers either.
15:12:03 <dcantrell> (on the other hand, firefox still requires gtk2, python2, and freaking autoconf-2.13 to build...but that's another story)
15:12:47 <mhroncok> anyway, are we Ok giving this the proper change process?
15:12:52 <mhroncok> even if late
15:12:56 <sgallagh> aye
15:12:59 <dcantrell> yeah
15:13:02 <nirik> anyhow, I am perfectly fine with Xfce not being blocking (like it was for many years before the armv7 image was)
15:13:32 <mhroncok> nirik: I am personally also OK with that. I just wanted to point out what are the downsides
15:14:28 <nirik> revisit next week after devel feedback, move on?
15:14:44 <bookwar> +1
15:15:05 <sgallagh> Any disagreements?
15:15:19 <dcantrell> no
15:15:35 <mhroncok> move on
15:15:37 <zbyszek> ack
15:15:44 <sgallagh> Propopsed: #info FESCo will wait one more week for feedback on the Change Proposal but is generally in favor
15:15:52 <zbyszek> ack
15:16:20 <mhroncok> ack
15:16:22 <dcantrell> ack
15:16:23 <sgallagh> #info FESCo will wait one more week for feedback on the Change Proposal but is generally in favor
15:16:33 <sgallagh> #topic Next week's chair
15:16:41 <sgallagh> dcantrell: Do I remember that you volunteered for that?
15:16:49 <dcantrell> yes
15:16:50 * mhroncok is on holiday, no sure if attending
15:16:56 <dcantrell> I don't mind running next week's meeting
15:17:03 <mhroncok> dcantrell++
15:17:16 <sgallagh> #action dcantrell to chair Feb 17 meeting
15:17:28 <sgallagh> I'll also be on holiday next week, for the record
15:17:39 <sgallagh> #topic Open Floor
15:17:43 <dcantrell> sgallagh: it's presidents day, but that's not a RH holiday, right?
15:17:51 <mhroncok> I have a thing
15:18:04 <sgallagh> dcantrell: No, but it's school vacation week and I took it off
15:18:12 <dcantrell> sgallagh: gotcha
15:18:19 <mhroncok> https://pagure.io/fesco/issue/2338
15:18:41 <mhroncok> I was confused and acted one week early
15:19:00 <sgallagh> Mostly because I wasn't following the non-responsive policy correctly.
15:19:06 <sgallagh> I processed it like a regular ticket by mistake
15:19:07 <nirik> IMHO, just leave iit for another week and see if they show up... likely they won't and it will just be done
15:19:09 <sgallagh> Sorry about that
15:19:13 <mhroncok> I think it is unlikely that the maintainer would came back, so I decided not to revert, but simply tell them to speak up
15:19:15 <decathorpe> nirik: +1
15:19:24 <zbyszek> There's been no comment so far from ddick, so let's do what nirik said.
15:19:28 <sgallagh> mhroncok/nirik: +1
15:19:38 <mhroncok> but since this is not following the policy, I wanted some formal support here. thanks
15:20:19 <sgallagh> mhroncok: Well, two members each made mistakes, so you were certainly getting at least those two votes :)
15:20:21 <mhroncok> sgallagh: np. I was so confused by the "retirement" call that I orphaned the packages right away wrongly
15:20:41 <mhroncok> I think we are OK
15:20:46 * nirik hands everyone some mondays
15:21:01 <sgallagh> No thanks, I've got a whole case right here
15:21:17 <mhroncok> another thing
15:21:29 <mhroncok> I started collecting feedback on our security policy on devel
15:22:08 <mhroncok> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/IN5GRXPY6AP5C4WNOV7GNDQ3Z5NRMTSJ/
15:22:11 * sgallagh missed that discussion
15:22:20 <sgallagh> mhroncok: Quick summary for the meeting notes?
15:22:48 <mhroncok> I want to post a summary of feedback received later, but wanted to ask fesco members to provide their feedbakc first
15:22:56 <mhroncok> sgallagh: ... typing it
15:23:11 <sgallagh> Thanks
15:23:56 <sgallagh> mhroncok: My biggest issue with managing CVEs is that there are too many bugs to keep track of
15:24:05 * nirik nods.
15:24:13 <mhroncok> FESCo is collecting feedback about our security policy. The current policy has not been followed yet, and we want to start doing that but also be more friendly to the maintainers.
15:24:17 <sgallagh> Between the clones and the fact that a separate BZ gets filed for every CVE, even when they're discovered and fixed in the same upstream release.
15:24:21 <nirik> I wish we had a better interface than bugzilla... ;(
15:24:27 <sgallagh> Also, the bugs are generally filed AFTER I've already sent the fix to Bodhi
15:24:52 <mhroncok> based on the feedback so far I also personally think that we should abandon the idea of enforcing nay policy for low impact CVEs
15:25:09 <mhroncok> s/nay/any
15:25:51 <nirik> yeah
15:25:52 <dcantrell> I think a more useful goal would be able to tie CVEs to builds that contain a fix.  We don't have a good way to determine that right now
15:26:00 <mhroncok> OTOH we really have packages with dozens of unfixed open CVEs and as long as the package builds, we keep it
15:26:04 <dcantrell> well, not necessarily more useful, just a useful goal
15:26:09 <zbyszek> I agree, though I think that in most cases it's better to fix or close the CVE anywya.
15:26:49 <nirik> I think we also have a pile of CVE bugs where the issue was in fact fixed, but the bug ignored.
15:26:50 <zbyszek> dcantrell: that's info that the maintainer has to provide. There's no way to do this automatically.
15:26:50 <sgallagh> mhroncok: Open doesn't necessarily mean unfixed.
15:27:07 <sgallagh> The ordering problem of releasing the fix before the SRT files the BZs causes a lot of hanging tickets
15:27:10 <mhroncok> sgallagh: correct, yet in cases I describe, it does
15:27:12 <dcantrell> zbyszek: sure, but Fedora could provide a policy for uniform notation of that information
15:27:42 <zbyszek> dcantrell: I think Fedora (bodhi) should automatize extraction of bug info from the changelog.
15:27:49 <sgallagh> Can we make requests of the SRT?
15:28:03 <dcantrell> zbyszek: agreed
15:28:04 <mhroncok> anyway, the problem is: we have a policy that nobody enforces and if we start enforcing as is, things blow up
15:28:13 <zbyszek> dcantrell: this would help in this case, but also make packaging easier.
15:28:25 <mhroncok> so even if the outcome is: drop the polocy, we would be in a better place
15:28:30 <zbyszek> dcantrell: I think there's even an RFE bug open for it somewhere.
15:28:31 <sgallagh> Because I'd really like to see them do some auto-detection. Like, if a CVE is fixed in a particular upstream release, close the BZ once that or a higher version lands
15:28:32 <dcantrell> yeah, I could see that
15:28:50 <mhroncok> *policy
15:29:05 * nirik hates to try and add work to them, since they don't really have to be doing this at all.
15:29:13 <mhroncok> anyway, please provide soem feedback to the thread, so I can include it in the summary, ideally in +- 14 days
15:29:22 <decathorpe> mhroncok: I think an "informative-only" warning for long-open CVE issues would be a good start / reminder for most people
15:29:41 <nirik> decathorpe: +1
15:29:52 <sgallagh> #action FESCo members are requested to chime in on the devel list thread "RFC: Security policy adjustments to make it easier to implement and more friendly to maintainers"
15:29:58 <mhroncok> decathorpe: yes, one idea I had was to start sending reminders that say "if we would follow the policy, this would ahve been retired now, please fix/close this and also provide some feedback t the policy here..."
15:30:06 <nirik> and perhaps after that a notice of the critical/high ones to devel list to get others to help
15:30:10 <decathorpe> mhroncok: yeah, that's what I was thinking of.
15:30:50 <mhroncok> #info FESCo is collecting feedback about our security policy. The current policy has not been followed yet, and we want to start doing that but also be more friendly to the maintainers. https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/IN5GRXPY6AP5C4WNOV7GNDQ3Z5NRMTSJ/
15:31:16 <sgallagh> mhroncok: Can you auto-add "needinfo" flags on such tickets as well?
15:31:26 <sgallagh> Then it will show up in the weekly reminders as well
15:31:49 <mhroncok> sgallagh: I can, but the general experince I have is that maineers who dump their bz email to /dev/null also ingore those
15:32:07 <sgallagh> understood
15:32:17 * nirik finds needinfos anoying... but perhaps that is their point
15:32:24 <sgallagh> OK, let's continue this on the list.
15:32:29 <sgallagh> nirik: Yes, that is the point.
15:32:52 <nirik> if someone needinfo'ed all the cve bugs I am cced on, I would be pretty anoyyed...
15:33:43 <sgallagh> Any other topics for the Open Floor?
15:35:22 <sgallagh> #endmeeting