16:12:54 <mboddu> #startmeeting RELENG (2019-12-05)
16:12:54 <zodbot> Meeting started Wed Dec  4 16:12:54 2019 UTC.
16:12:54 <zodbot> This meeting is logged and archived in a public location.
16:12:54 <zodbot> The chair is mboddu. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:12:54 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:12:54 <zodbot> The meeting name has been set to 'releng_(2019-12-05)'
16:12:54 <mboddu> #meetingname releng
16:12:54 <zodbot> The meeting name has been set to 'releng'
16:12:54 <mboddu> #chair nirik sharkcz pbrobinson pingou mboddu dustymabe ksinny jednorozec
16:12:54 <zodbot> Current chairs: dustymabe jednorozec ksinny mboddu nirik pbrobinson pingou sharkcz
16:12:55 <mboddu> #topic init process
16:13:14 <mboddu> Sorry for the late start, I was helping someone and totally forgot about the time
16:14:08 <nirik> morning
16:14:13 <nirik> no worries
16:14:17 <mboddu> Morning nirik
16:14:59 <mboddu> dustymabe: You around?
16:19:42 <mboddu> In the meantime, let's talk about epel8
16:19:48 <mboddu> #topic EPEL8
16:20:07 <nirik> ok
16:20:07 <mboddu> #info epel8-playground composes are working in stage
16:20:33 <mboddu> #info epel8 bodhi composes failed due to a bug in pungi - https://pagure.io/pungi/issue/1309
16:20:41 <dustymabe> mboddu: heyo
16:20:58 <mboddu> nirik: Anything else you wanna add?
16:21:13 <nirik> when do we plan to go to prod? after that bug fixed?
16:22:12 <mboddu> nirik: It only hit that bug because the build didn't build for s390x, which was a stg mbs config problem. So, we might not hit that pungi bug in prod
16:22:31 <nirik> ah right, ok.
16:22:42 <mboddu> So, we can actually push it to prod, but lsedlar said that he can have a fix for it by tomorrow
16:23:26 <nirik> so once this lands in prod...
16:23:38 <nirik> do we need a mass module rebuild?
16:24:32 <mboddu> I don't think so, there are no modules yet in epel8, then how can we rebuild them?
16:25:10 <nirik> well, all the fedora ones that say [] (ie, build for all supported platforms) would build on epel8 next time they build?
16:25:38 <mboddu> Oh, that's a good point, maybe we should exclude them?
16:26:34 <nirik> why not build them? ;) but I guess I don't know how many or what this would affect.
16:27:25 <nirik> I guess we need to look at all the modules, or ask modularity folks
16:27:41 <mboddu> Yeah, I have more concerns now on that part
16:27:55 <mboddu> sgallagh: Can you join here for a few min?
16:28:08 <sgallagh> Hello
16:28:46 <mboddu> sgallagh: So, once we add the ability to build modules for epel8, when people start building modules with [] for run time or build time reqs, then it will also build for epel8, right?
16:28:53 <sgallagh> Yes
16:29:18 <mboddu> Is that required or should that be avoided?
16:29:18 <sgallagh> This is intentional, because we want as much content in EPEL 8 as we can manage.
16:29:47 <mboddu> Okay
16:29:52 <sgallagh> I wouldn't do a mass-rebuild though
16:30:11 <sgallagh> We'll let it trickle out as people do other rebuilds
16:30:28 <sgallagh> So if things go horribly wrong, we can address it
16:30:34 <mboddu> Okay, then what about during next mass rebuild, should we rebuild for epel8 as well or it should be excluded?
16:31:39 <sgallagh> mboddu: I thought the mass-rebuild already limited the builds to the release being built
16:32:00 <mboddu> Oh right, my bad
16:32:06 * mboddu needs more tea
16:32:35 <mboddu> So, we are good here, thanks sgallagh
16:32:52 <sgallagh> any time
16:32:53 <mboddu> Any more questions?
16:33:19 <mboddu> Okay, moving on
16:33:33 <mboddu> #topic #9057 Ability and permission to sign applications for download using Fedora Releng keys
16:33:37 <mboddu> #link https://pagure.io/releng/issue/9057
16:33:43 <mboddu> dustymabe: You are up
16:34:23 <dustymabe> mboddu: nirik: I'm working on a list of requests from the CoreOS team for infra/releng over the next 6 months
16:34:32 <nirik> ok
16:34:33 <dustymabe> i'm going through and creating tickets
16:34:37 <dustymabe> this was one of those
16:34:43 <dustymabe> we can discuss it now if you like, or we can punt
16:34:46 <mboddu> dustymabe: If the binaries are built in koji, then we can sign them using fedora keys
16:35:18 <mboddu> Probably provide a different target, tags and use robosig to sign them
16:35:38 <dustymabe> mboddu: do you know of anything that we do that targets platforms like apple and windows ?
16:35:38 * nirik needs more details on how they are built, from what, etc.
16:35:57 <nirik> sadly, yes, the fedora media writer.
16:36:12 <dustymabe> nirik: perfect.. do you have any more information about how that is built ?
16:36:14 <nirik> for win -> mingw in koji like any other package
16:36:23 <dustymabe> maybe we could follow that same model
16:36:25 <mboddu> But they are not signed as part of robosig, they are signed independently
16:36:26 <nirik> for mac -> built on some mac mini's that releng has
16:36:36 <nirik> and yeah, signed separately currently
16:37:05 <mboddu> Patrick was working on it, to sign them using robosig
16:37:10 <mboddu> At least the win builds
16:37:14 <dustymabe> nirik: ahh, so windows is built in koji, but mac stuff is built on mac hardware ?
16:37:16 <nirik> although we haven't done that in a while? or have you mboddu ?
16:37:25 <nirik> dustymabe: yeah.
16:38:11 <mboddu> nirik: Nope, Patrick picked that work since win requires a hardware token and only Patrick has it
16:38:25 <dustymabe> either way it sounds like it's pretty manual at the moment ?
16:38:35 <mboddu> Not sure if he signed any recently, but I haven't seen a releng ticket though
16:38:38 <nirik> dustymabe: yeah. ;(
16:38:38 <mboddu> dustymabe: Yes
16:38:56 <nirik> there was some talk a while back about koji adding support for other oses...
16:39:05 <nirik> but I don't know if that went anywhere.
16:39:26 <dustymabe> yeah probably not
16:40:00 <nirik> so, perhaps we need to ponder and see if there's any better way to do this...
16:40:01 <dustymabe> so what we're mostly trying to do is use a signing key other than a personal developer gpg key
16:40:23 <dustymabe> is there a way we could issue a new key that has less expectations
16:40:30 <nirik> dustymabe: yeah, for FMW, we needed to sign them so they would run on macs and windows without nasty warnings/errors
16:40:44 <mboddu> dustymabe: You also mentioned that the binaries can be for other linux variants as well (like .deb?) and for them, I don't think we ever signed .deb's
16:41:19 <nirik> it might be worth investigating what other projects do...
16:41:46 <dustymabe> mboddu: well we wouldn't distribute debs, but rather an executable file
16:41:59 <mboddu> dustymabe: Okay
16:42:21 <dustymabe> mboddu: nirik FYI: https://github.com/coreos/ignition/releases/tag/v2.0.1
16:42:30 <mboddu> nirik: Internally there is a win signing box, I don't know what it's running and how it signs them, but I can check
16:42:33 <dustymabe> we basically want to be able to sign those artifacts and upload them to github
16:42:50 <dustymabe> and by "sign" I just mean, create the signature files
16:42:57 <dustymabe> like the .asc files that are there
16:42:57 <nirik> dustymabe: where were those built currently? just on developers boxes?
16:43:44 <nirik> oh, just gpg detached sigs?
16:44:00 <dustymabe> nirik: yeah, right now just on developers boxes
16:44:14 <dustymabe> and yes, just gpg detached sigs
16:44:18 <nirik> we were talking about the binaries themselves being signed...
16:44:18 <dustymabe> i.e. verifying the download
16:44:30 <mboddu> Exactly, I thought the same
16:44:50 <dustymabe> ahh - yeah I think we don't need that. or at least it's not something we've considered, but I could be wrong
16:44:55 <mboddu> If just detached sigs, we can use sigul for that
16:44:57 <dustymabe> I can ask andrew
16:45:00 <nirik> if they aren't... I am pretty sure when you run them on windows or macs it will say 'oh no! this is unsigned! abort danger! don't trust it!' and you have to do things to get it to run
16:45:25 <nirik> yeah, detached sigs can just be done via sigul.
16:45:44 <dustymabe> ok. it might be worth us clarifying this all in the ticket
16:45:50 <mboddu> dustymabe: Can you update the ticket?
16:45:55 <nirik> but ideally we would also know how they were built so we could make sure to sign the right stuff
16:46:00 <mboddu> After checking with Andrew
16:46:14 <mboddu> nirik: +1
16:46:16 <dustymabe> nirik: I agree. I was wondering what the releng requirements were for the "build"
16:46:36 <dustymabe> could we create a new key that has less requirements?
16:46:54 <dustymabe> i.e. developer laptop is OK?
16:47:23 <mboddu> dustymabe: Probably not, for FMW mac, we built them on our macs
16:47:24 <dustymabe> or maybe there is some way to build all those binaries as part of the rpm build process
16:47:44 <nirik> for windows mingw might work well...
16:47:50 <nirik> for macs tho... :(
16:47:56 <dustymabe> and then we could split the files out from the rpm and detached sign them
16:48:10 <mboddu> For win, using mingw, they can be built in koji
16:49:10 <dustymabe> https://github.com/coreos/ignition/blob/v2.0.1/build_releases#L36-L50
16:49:15 <mboddu> dustymabe: So, in short, either koji has to build it or we have to build it from source on our boxes
16:49:58 <dustymabe> check out that link.. looks like maybe we could just build them as part of the rpm build
16:50:24 <dustymabe> anyways, something to investigate
16:50:58 <mboddu> dustymabe: But koji has to support it, right?
16:51:07 <nirik> yeah, dunno. can go build for other platforms from the linux one?
16:51:21 <dustymabe> not sure
16:51:27 * nirik either
16:51:34 <dustymabe> mboddu: I would just do those extra steps in the rpm build
16:51:37 * mboddu too as well
16:51:40 <dustymabe> and maybe ship them in a subpackage
16:52:09 <nirik> if that works, then awesome... we can detached sign them manually and profit.
16:52:19 <mboddu> Yup
16:53:00 <mboddu> So, two things here:
16:53:21 <mboddu> 1. Check with Andrew if detached sigs are okay, dustymabe will update the ticket
16:53:54 <mboddu> 2. If detached sigs are fine, then look at making the binaries as part of subpackage
16:54:13 <mboddu> Anything else?
16:54:27 <dustymabe> mboddu: =12
16:54:30 <dustymabe> +1
16:54:38 <dustymabe> I'll update the ticket
16:54:56 <mboddu> #info Check with Andrew if detached sigs are okay, dustymabe will update the ticket. If detached sigs are fine, then look at making the binaries as part of subpackage
16:55:08 <mboddu> So, I got to run now
16:55:13 <mboddu> #topic Open Floor
16:55:24 <mboddu> I will give 1 min if anybody has to share anything
16:55:39 <mboddu> 5
16:55:41 <mboddu> 4
16:55:42 <mboddu> 3
16:55:43 <mboddu> 2
16:55:47 <mboddu> 1
16:55:50 * dustymabe waves
16:55:59 * mboddu waves back at dustymabe
16:56:49 <mboddu> Okay, thanks everyone for joining
16:56:51 <mboddu> #endmeeting