15:00:19 <sgallagh> #startmeeting FESCO (2021-01-20) 15:00:19 <zodbot> Meeting started Wed Jan 20 15:00:19 2021 UTC. 15:00:19 <zodbot> This meeting is logged and archived in a public location. 15:00:19 <zodbot> The chair is sgallagh. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:00:19 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 15:00:19 <zodbot> The meeting name has been set to 'fesco_(2021-01-20)' 15:00:19 <sgallagh> #meetingname fesco 15:00:19 <sgallagh> #chair nirik, ignatenkobrain, decathorpe, zbyszek, sgallagh, mhroncok, dcantrell, cverna, Conan_Kudo, Pharaoh_Atem, Son_Goku, King_InuYasha, Sir_Gallantmon, Eighth_Doctor 15:00:19 <sgallagh> #topic init process 15:00:19 <zodbot> The meeting name has been set to 'fesco' 15:00:19 <zodbot> Current chairs: Conan_Kudo Eighth_Doctor King_InuYasha Pharaoh_Atem Sir_Gallantmon Son_Goku cverna dcantrell decathorpe ignatenkobrain mhroncok nirik sgallagh zbyszek 15:00:30 <nirik> morning 15:00:34 <sgallagh> .hello2 15:00:35 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com> 15:00:39 <decathorpe> .hello2 15:00:40 <zodbot> decathorpe: decathorpe 'Fabio Valentini' <decathorpe@gmail.com> 15:00:47 <nirik> .hello kevin 15:00:48 <zodbot> nirik: kevin 'Kevin Fenzi' <kevin@scrye.com> 15:01:39 <sgallagh> I'm glad to be here; half an hour ago I was banned from Freenode for pinging you all about the meeting. :-P 15:01:51 <nirik> ha. spammer! 15:02:05 <cverna> hello 15:02:12 * sgallagh has a shame 15:02:27 <zbyszek> .hello2 15:02:29 <zodbot> zbyszek: zbyszek 'Zbigniew Jędrzejewski-Szmek' <zbyszek@in.waw.pl> 15:03:17 <King_InuYasha> .hello ngompa 15:03:18 <zodbot> King_InuYasha: ngompa 'Neal Gompa' <ngompa13@gmail.com> 15:03:19 * King_InuYasha waves 15:04:44 <sgallagh> That makes quorum. Just. 15:05:07 <sgallagh> Oh, I missed cverna. So that's 6 15:05:16 <sgallagh> Shall we begin? 15:05:28 <zbyszek> Yeah! 15:05:37 <cverna> +1 15:05:44 <sgallagh> #topic #2547 F34 Change: Signed RPM Contents 15:05:44 <sgallagh> .fesco 2547 15:05:45 <zodbot> sgallagh: Issue #2547: F34 Change: Signed RPM Contents - fesco - Pagure.io - https://pagure.io/fesco/issue/2547 15:06:38 <puiterwijk> Hi 15:06:46 <sgallagh> So this has been somewhat controversial due to concerns that it increases disk usage for unclear (to us) benefit. 15:06:53 <sgallagh> puiterwijk: Thanks for joining us. 15:07:04 <zbyszek> Hi puiterwijk 15:07:18 <dcantrell> .hello2 15:07:19 <zodbot> dcantrell: dcantrell 'David Cantrell' <dcantrell@redhat.com> 15:07:20 <nirik> I'm in favor, but I understand the concerns about space... 15:07:22 <dcantrell> sorry I'm late 15:07:26 <sgallagh> In general, I'm all for improving trust and provenance. 15:07:30 * King_InuYasha shrugs 15:07:50 <King_InuYasha> when we can't get simple things people can use now, I'm a lot less enthusiastic about stuff like this 15:07:56 <sgallagh> But there also seem to be concerns that those aren't particularly improved by it either. I'm not sure I agree, but I don't understand the plan well enough to be certain. 15:08:14 <mhroncok> sorry for being late, I forgot to join the channel 15:08:15 <sgallagh> King_InuYasha: Let's not derail the topic, please. 15:08:24 * King_InuYasha shrugs 15:08:36 <nirik> well, this just empowers people to build their own policies... but I agree some examples might be nice but that could come after. 15:08:38 <puiterwijk> sgallagh: so, this would integrate with for example Keylime to enable (remote) attestation. Or just with a local IMA policy to require signed files 15:08:39 <King_InuYasha> there's no explanation of how to use IMA at all 15:09:02 <puiterwijk> We absolutely intend to add documentation for IMA policies and how to use it to docs.fp.o 15:09:03 <King_InuYasha> and there's no way to strip it at install-time either 15:09:16 <sgallagh> puiterwijk: Could you indicate that on the Change page? 15:09:17 <King_InuYasha> because it basically doubles the size of the content on disk 15:09:22 <puiterwijk> sgallagh: will do 15:09:24 <zbyszek> Also, no explanation why this couldn't be handled similarly to -debuginfo files. 15:09:26 <sgallagh> Thank you 15:09:28 <puiterwijk> King_InuYasha: well, it doesn't really 15:09:34 <dcantrell> are there any special case packages where this proposal won't work? 15:10:21 <decathorpe> or does this conflict with the btrfs dnf/rpm cow functionality that was already approved? 15:10:22 <King_InuYasha> well, custom packages won't work if IMA is active 15:10:24 <puiterwijk> King_InuYasha: only the RPMDB increases (sligthly) in size (numbers in the thread), the files itself don't, and the attr's aren't put in place unless you have rpm-plugins-ima. So if you don't have that installed, there's no extra disk space other than rpmdb 15:10:28 <sgallagh> Point of order: there are many of us and only one puiterwijk. For this meeting, I recommend we use the o/ "hand raising" approach to asking questions. 15:10:32 <puiterwijk> King_InuYasha: they absolutely will 15:10:45 <King_InuYasha> puiterwijk: that plugin is installed by default 15:11:17 <King_InuYasha> at least, it is on my systems 15:11:20 <puiterwijk> King_InuYasha: okay. In that case, the disk space still isn't that much more. It's a single (binary) xattr per file with 81 bytes 15:12:04 <puiterwijk> Also, custom packages totally still work. Theyj ust won't have signatures. And that then depends on the policy you put in place 15:12:39 <dcantrell> reading through the proposal here, I would like to see some more concrete examples especially around the benefits of this proposal 15:12:45 <puiterwijk> zbyszek: so, I have a trial that adds the signatures in a -file-signatures subpackage. The problem with that is that the data needs to be in an xattr, so that IMA can actually use it 15:12:50 <decathorpe> .o/ 15:13:54 <zbyszek> puiterwijk: would it be possible to order the installation so that the -file-signatures package is installed earlier? 15:13:56 <puiterwijk> And honestly, having an RPM plugin that automagically injects things from a side-package as an xattr seems.... really ugly to me 15:14:44 <nirik> might it help for examples/use cases to more explain what iot would like to use this for? 15:14:45 <sgallagh> decathorpe: Go ahead 15:15:08 <zbyszek> .o/ 15:15:09 * nirik didn't raise his hand, sorry. 15:15:15 <zbyszek> bad nirik 15:15:25 <decathorpe> I see that this affects rpmdb and install size only minimally, but how does it change binary RPM size? some numbers shared by panu make this seem really bad 15:15:30 <puiterwijk> nirik: I can absolutely give examples now and put them in docs. That is a next part. The reason I put in the change now is so we can get the signatures before the mass rebuild 15:15:43 <decathorpe> which makes me concerned about storage use in koji and on mirrors. 15:16:20 <puiterwijk> decathorpe: it adds +- 162 bytes per file in an RPM. The "100% increase" is the very worst case if you have an RPM with a single tiny file 15:16:24 <zbyszek> It'd be good to put the full information about size increases (and instalation time changes) in the wiki. 15:16:42 <puiterwijk> I actually had those numbers, and then dropped them from the research notes I guess, since I can't see them right now. Sorry 15:16:45 <sgallagh> . /o (after zbyszek) 15:16:57 <sgallagh> zbyszek: Go ahead 15:17:21 <puiterwijk> But basically, it was a +- 10-15% increase on the entirety of the base container, iirc. 15:18:11 <zbyszek> I'm coming up short on the motivation. The policy (the way I imagine it), cannot cover things like .bashrc and other scripts. So I wonder how useful it is in practice. The Motivation part is somewhat lacking in the Change page. 15:19:01 <puiterwijk> zbyszek: it could cover things like .bashrc, it just means that system owners need to deliver their own signatures for files they intend to change from the Fedora default 15:19:49 <puiterwijk> This is less for your personal workstation, and more for e.g. servers where you want to make sure that what's actually running is what you intended to put in place 15:19:53 <zbyszek> puiterwijk: does it cover systemd unit files and other "config"? 15:20:24 <puiterwijk> zbyszek: we sign them, and if you set an RPM macro, it puts them in place. And then you can define a policy on whether it will cover that, yes 15:20:25 <sgallagh> puiterwijk: Could you give us a specific example of a case that is being solved for IoT? Such as a market demand that this satisfies (not just a checkmark, but a real security concern). 15:21:26 <puiterwijk> sgallagh: in the case of IoT: I want to ensure that a system "out in the field" (i.e. no physical protection) only starts authorized code. Normally, the "trusted code" ends with the kernel (with secure boot). With IMA, you can extend the trust out to the actual binaries of all the daemons and their configuration 15:22:07 <zbyszek> puiterwijk: if you have a link to some docs about ima that I could look at. I don't quite see how this is supposed to cover a real system, but I don't want to waste everyone's time here. 15:22:29 <puiterwijk> For that, you can define a policy that says "any binary that runs needs to be fully signed, and all configuration files need to be fully signed". After which the kernel would refuse to load any of them that is not correctly signed (or measured) 15:22:34 <puiterwijk> zbyszek: yes, one minute. 15:22:58 <puiterwijk> zbyszek: https://sourceforge.net/p/linux-ima/wiki/Home/ is the main doc 15:24:35 <nirik> ✋ 15:24:35 <sgallagh> puiterwijk: And the IMA configuration itself is signed by the Secure Boot key? 15:24:43 <King_InuYasha> hold up 15:24:47 <zbyszek> puiterwijk: right, but right now our systems have lots of files which are not distributed as static rpm contents. Basically anything that requires a scriptlet in %post. E.g. /ets/nsswitch.conf is generated on the end system, and it loads arbitrary dlls into the address space of every process. 15:24:54 <King_InuYasha> Secure Boot has to be involved?! 15:25:03 <puiterwijk> King_InuYasha: no. This is not tied in to secure boo. 15:25:05 <puiterwijk> boot* 15:25:15 <King_InuYasha> good 15:25:18 <sgallagh> nirik: go ahead 15:25:22 <puiterwijk> King_InuYasha: The secure boot part is just an example of how to get the trust of the system from the moment the power button is pressed 15:25:35 <sgallagh> (Also, I give up on the hand-raising idea; it's not working) 15:25:36 <King_InuYasha> yeah, no, that is a terrible strategy and we should not endorse that 15:25:38 <dcantrell> .o/ 15:25:41 <puiterwijk> sgallagh: it is signed by a customer key that they enroll on the system (that is a patch that I'm discussing with the kernel upstream right now) 15:25:46 <mhroncok> sgallagh: you've tried 15:25:48 <nirik> ha, yeah, it doesn't tend to work. ;) 15:25:50 <dcantrell> sgallagh: sorry 15:26:48 <sgallagh> puiterwijk: Without secure boot, how would the customer key be protected? 15:27:01 <mhroncok> o/ 15:27:10 <nirik> I was going to note that we worked with puiterwijk to confirm this was all working in infra... it's currently working on rawhide builds, so in fact you can see size differences in the rawhide report. Of course those are due to other changes in the packages, so it's not caused all by this, but in general it's not seemed to cause too much size issues 15:27:29 <puiterwijk> sgallagh: so, the current patch that we have is to use the TPM NV to enroll the keys on the system. 15:27:59 <sgallagh> OK, so regardless of secure boot, it must use some sort of HSM. 15:28:04 <puiterwijk> sgallagh: but without secure boot, you can add your own key to the .ima kernel keyring, and it will work from there. systemd also has support to automatically do that 15:28:15 <sgallagh> mhroncok: go ahead 15:28:24 <puiterwijk> sgallagh: no. If you don't have that, systemd will grab /etc/...something.pem and load that on boot 15:28:31 <puiterwijk> (in pre-pivot, so initrd) 15:28:53 <dcantrell> what does IMA give us that we can't get through additional SELinux policies? 15:29:18 <mhroncok> obviously, we have a lot of questions. the change proposal detailed description is one sentence. maybe we should step back and actually have the change proposal updated with actual details, before we have meetings like this? 15:29:28 <puiterwijk> dcantrell: that you can be sure the files were not modified since they were shipped from Fedora, i.e. an attacker can't extract the disk, change a file, and shove it back in. 15:29:30 <zbyszek> sgallagh: yeah, I don't think hsm is *required*. This provides (some) runtime security as long as the machine is not compromised. It doesn't provide offline security. 15:29:43 <King_InuYasha> puiterwijk: wouldn't rpm -V work for that? 15:30:00 <puiterwijk> zbyszek: there's no hsm rewquired. But the use without that is limited. The signatures help 15:30:08 <King_InuYasha> we already have cryptographically strong checksums of all files, and we can derive trust from GPG signed payloads 15:30:39 <puiterwijk> King_InuYasha: if you trust rpm, sure. IMA pulls the trusted chain into the kernel, which you can use secure-boot with to trust. 15:30:44 <dcantrell> King_InuYasha: right 15:30:46 <nirik> that doesn't work for things like runtime tho... 15:31:14 <sgallagh> It also doesn't prevent you from running binaries that weren't delivered by RPM 15:31:25 <puiterwijk> Yes, that too 15:31:28 <nirik> rpm -V foo, looks ok, /usr/bin/foo, but during 'looks ok' attacker swaps in different one 15:31:36 <sgallagh> OK, we've been on this topic for 30 minutes. 15:32:20 <zbyszek> mhroncok: +1 15:32:44 <decathorpe> mhroncok: +1 15:32:54 <sgallagh> I'm going to raise the proposal for acceptance (with the understanding that puiterwijk will be adding more details to the Change page). A majority of +1 votes accepts the Change, any other result will be revisited next week after the Change Proposal is updated. 15:32:55 * King_InuYasha shrugs 15:33:11 <zbyszek> sgallagh: I'm not ready to vote. Not enough info. 15:33:15 <dcantrell> same 15:33:20 <nirik> +1 here 15:33:22 <dcantrell> I want to read the revised change proposal and the sf page 15:33:28 <puiterwijk> Also, note that the intention of this change is just to get the files signed with keys under Fedora control. The thought being that after that, users can use it if they want to. Or ignore it if they don't. 15:33:29 <mhroncok> I am ready to vote -1 for the current one sentence proposal 15:33:43 <King_InuYasha> I'm +1 to this with the proviso that we *don't* endorse rooting it in secure boot trust *and* rpm-plugin-ima is not included on media by default 15:33:45 <nirik> but note if we move to next week, it will likely mean it will have to move to f35 15:34:00 <sgallagh> nirik: Good point. 15:34:27 <zbyszek> Right now it's not clear what the overhead is. "10-15% in the base image" sounds like a lot. 15:34:35 <sgallagh> FTR, I am +1 to adding this feature, but I would agree to King_InuYasha 's conditions. 15:34:36 <puiterwijk> zbyszek: base container* 15:34:53 <puiterwijk> And yes, King_InuYasha's conditions sound reasonable to me. 15:34:57 <zbyszek> puiterwijk: right, "base container". And it's the image where size matters a lot. 15:35:15 <King_InuYasha> we'll need to block rpm-plugin-ima from Mock bootstrap image builds 15:35:17 <puiterwijk> zbyszek: also, note that the 10-15% is on the rpmdb size of that 15:35:34 <zbyszek> puiterwijk: ah, OK. That's not an issue then. 15:35:47 <sgallagh> puiterwijk: meaning not 10-15% of the rpmdb, not 10-15% of the whole image size? 15:35:52 <sgallagh> (Just to be clear) 15:35:55 <puiterwijk> sgallagh: 10-15% rpmdb size 15:36:15 * nirik doesn't have rpm-plugin-ima here... workstation install 15:36:26 <King_InuYasha> nirik: I think we block it already for live media composes 15:36:47 <King_InuYasha> because I have been netinstalling my systems and I have it for some reason 15:37:05 <King_InuYasha> unless something else is pulling it in 15:37:06 <sgallagh> OK, I'll rephrase the formal proposal. 15:37:52 <sgallagh> Proposal: Signed RPM Contents for IMA are accepted, contingent upon additional details added to the Change Proposal and that the implementation may not require secure boot nor include rpm-plugin-ima in a default install. 15:37:54 <sgallagh> +1 15:38:04 <mhroncok> -1 15:38:08 <zbyszek> -1 15:38:09 <dcantrell> -1 15:38:17 <decathorpe> I stand by my -1 vote as well 15:38:37 <cverna> 0 15:38:38 <nirik> +1 15:38:51 <sgallagh> cverna: a 0 vote is equivalent to a -1 in this situation. 15:39:12 <nirik> nothing seems to require or mention rpm-plugin-ima that I can see. 15:39:22 <cverna> I have to catch up on the change, so I can't really vote now 15:39:34 <cverna> so I stand by my 0 15:39:44 <mhroncok> nirik: neither does the change proposal mention rpm-plugin-ima 15:39:45 <King_InuYasha> sgallagh: +1 15:40:22 <sgallagh> I count (+3, 1, -4) with no ignatenkobrain present. 15:40:30 * decathorpe also grumbles about this being enabled in production before it was approved 15:40:39 <mboddu> I think all the -1's are for lack of information, can we create a hackmd doc with all the questions that they may have and vote on the ticket by end of the today, provided puiterwijk answers those questions? 15:40:53 <mhroncok> not for me 15:41:10 <dcantrell> that won't work for me either 15:41:16 <sgallagh> Let's ask the question differently: what would be needed to change your vote to a +1? 15:41:42 <mboddu> Or that, thanks sgallagh 15:41:44 <zbyszek> mboddu: it's hard. I expect the document to be ready at best by 20:00 european time. 15:41:55 <decathorpe> Significantly shift the cost-benefit balance towards benefit, which I do not see happennig 15:41:56 <nirik> sadly our stg env isn't really up to testing this sort of thing... 15:42:08 <mhroncok> sgallagh: an actual detailed description being in the proposal, going trough the coomunity review on the devel mailing list 15:43:08 <zbyszek> sgallagh: what decathorpe said. A careful analysis of costs (not just "no effect", which is clearly not true, even if the effect is small), and an analysis of the benefits. Checking off "have ima" is not a benefit. 15:43:35 <sgallagh> puiterwijk: Do we have any partners lined up planning to take advantage of this? 15:43:46 <sgallagh> That would count heavily towards a benefit. 15:43:50 <mboddu> I can tell from releng/mass rebuild POV, mass rebuild isn't going to start today (gcc issues), do you guys think having two days is good enough for answering all the concerns? 15:44:02 <puiterwijk> sgallagh: yes. We have several projects ongoing that want to use this. 15:44:03 <nirik> well, I think it's clear (but perhaps not from the change) that iot wants to use this to secure iot devices and make it available for other parts of fedora to use 15:44:17 <puiterwijk> Among which Keylime, for which Luke Hinds also commented on the devel-list 15:44:18 <dcantrell> sgallagh: what the others have said. examples and links to where I can find information on this upstream. I am hesitant to believe a change like this won't have a huge impact somewhere, so I'd like to understand it more 15:44:25 <zbyszek> puiterwijk: then this should be part of the description! 15:44:28 <puiterwijk> And we really want this for IoT 15:44:54 <nirik> so, perhaps update change, ask for more feed back on list and vote in ticket? 15:45:01 <puiterwijk> (which was on the change page, in fact, as "aligns with IoT") 15:45:01 <zbyszek> mboddu: it's hard to say 15:45:01 <decathorpe> puiterwijk: IoT is not mentioned once in the Change proposal :) 15:45:07 <zbyszek> nirik: +1 15:45:09 <puiterwijk> decathorpe: pretty sure it is mentioned there 15:45:14 <cverna> nirik: +1 15:45:34 <puiterwijk> huh... It was in my draft 15:45:40 <decathorpe> ok, it's "Internet of Things", but not IoT 15:46:08 <puiterwijk> Right. Since it's the objective name that I think I copied 15:48:08 <sgallagh> nirik: OK, but given that this is heavily dependent upon the mass rebuild, can we also get the ticket treated under the FastTrack process? 15:48:11 <zbyszek> puiterwijk: I think the feedback seems more negative then it really is. The problem is that this change has a distro-wide impact, and people like to have time to dig through details for something like that. 15:48:40 <nirik> sgallagh: that sounds good to me. 15:49:18 <nirik> I would personally like to get this in... I hope everyone with -1's can review/ask questions as soon as things are updated and that puiterwijk can update things soon. ;) 15:49:34 <sgallagh> puiterwijk: Can you get that updated ASAP (like, within the next couple hours?) 15:49:36 <dcantrell> zbyszek: true. it's usually not a good idea to rush distro-wide changes. kind of part of the whole reason we do the change process is to think through all the impact scenarios and arrive at plans on how to deal with them. 15:49:40 <puiterwijk> sgallagh: yep, absolutely. 15:50:16 <mhroncok> to clarify: I cannot vote +1 until this change proposal has some details and until the details go thru community feedback 15:50:22 <mhroncok> that won't happen today 15:50:25 <sgallagh> OK, then please send a message to devel@ when it's ready and I'll open the FastTrack voting on the ticket. 15:50:44 <decathorpe> and if you find the data for size increase regarding FS / rpmdb / binary RPMs again, that would be great 15:50:44 <puiterwijk> sgallagh: will do 15:50:45 <dcantrell> I agree with mhroncok here. This is the kind of change that really does need some time on the devel list for wide feedback 15:50:59 <puiterwijk> decathorpe: absolutely, will do. 15:51:00 <mhroncok> that's why system wide changes have deadlines 15:51:26 <sgallagh> mhroncok: If this doesn't go in this week, it misses F34 and, by extension, likely RHEL 9 15:51:41 <mhroncok> if we want this for f34 mass rebuild, the only option would be to delay the mass rebuild 15:52:00 <mhroncok> sgallagh: not good reasone nough to vote +1 15:52:05 <mhroncok> *reason enough 15:52:34 <puiterwijk> mhroncok: well, or delay the signing of the mass rebuild, technically. We could easily just turn off signing for it until we have votes, and then enable it when a decision is made. It would allow at least the mass rebuild itself to continue. 15:52:35 <sgallagh> mhroncok: That's worth exploring as well. 15:52:35 <nirik> well, the mass rebuild is already delayed a bit... 15:52:43 <puiterwijk> (since it's at sign moment) 15:52:44 <sgallagh> Also with GCC issues, we may have some delay anyway, 15:52:57 <sgallagh> But I'd prefer not to push it a full week and wait until the next meeting. 15:53:09 * nirik nods. sgallagh +1 15:53:17 <dcantrell> sgallagh: I would rather see us focusing on what the proposal needs and when the discussion will land on the mailing list than holding ourselves hostage to various deadlines 15:53:32 <mhroncok> my +1 requires a full week communtiy review of a detailed change proposal 15:54:00 <mhroncok> you are obviously free to rush things, but without my +1 15:54:07 <sgallagh> mhroncok:understood 15:55:24 * nirik notes it has been on the list... perhaps people didn't ask questions they had? or did they not get answers? 15:56:05 <decathorpe> AFAICT the concerns that were raised during today's meeting were not addressed on the list. 15:56:16 <mhroncok> well, the proposal has not been updated at all since announcng 15:56:20 <zbyszek> so... the deadline for changes requires mass rebuild was 29/12, and the change page was submitted in early January. Thus the time squeeze is not unexpected. 15:56:33 <mhroncok> zbyszek: for system wide changes even sooner 15:56:54 <zbyszek> mhroncok: according https://fedorapeople.org/groups/schedule/f-34/f-34-key-tasks.html it's the same 15:57:06 <mhroncok> appologies 15:57:18 <mhroncok> I've mixed it with Changes requiring infrastructure changes 15:57:33 <mhroncok> which arguably this one is, but the changes were ready, so meh 15:58:06 <nirik> decathorpe: not addressed on the list or not raised on the list? 15:58:16 <decathorpe> the former. 15:59:03 <mboddu> I just wanna add that the mass rebuild is delayed and the full rebuild takes about 3-4 days, so we sorta have about a week for this 15:59:42 <sgallagh> mboddu: How so? 15:59:43 <nirik> mboddu: I did not think the delay was a week... 15:59:53 <sgallagh> It needs to be ready before the rebuild *starts* 16:00:05 <mboddu> sgallagh: Nope, it needs to be ready before we mass tag them 16:00:35 <sgallagh> oh? 16:00:39 <nirik> mboddu: oh, you are saying to wait and sign them all at the end? thats gonna make it slow, no? 16:00:47 <mhroncok> technically, this can land in RHEL 9 even if it gets delayed to F35, if that's the reason to rush this 16:01:00 <mboddu> So, we generally sign the rebuilds while we rebuild, but if we sign after the rebuild it might be slow, but it gives time 16:01:06 <mboddu> What nirik said 16:01:15 <King_InuYasha> but IMA is signed during the build 16:01:21 <nirik> yeah, that would add a day or so. 16:01:22 <King_InuYasha> since it's the contents of the RPM 16:01:31 <nirik> or mroe 16:01:40 <nirik> puiterwijk: ^ can you address the above? 16:01:51 <puiterwijk> King_InuYasha: no, IMA signatures are added to the rpm during rpm-sign operation 16:01:58 <King_InuYasha> how? 16:02:03 <puiterwijk> It's in the RPM signature header, and RPM puts them in place during install 16:02:12 <King_InuYasha> X_X 16:02:19 <puiterwijk> The file signatures are in the rpm headers 16:02:30 <King_InuYasha> wait, that means robosignatory and sigul need adjustments 16:02:40 <puiterwijk> They already have those. But yes 16:02:53 * King_InuYasha grumbles 16:03:11 <King_InuYasha> that means this requires infra changes too to enable it, where are those? 16:03:26 <sgallagh> OK, we're an hour into this topic and we have enough votes to table it for the moment. 16:03:55 <sgallagh> #action puiterwijk to update the Change Proposal with more details 16:04:21 <sgallagh> #info Once the Change is updated, FESCo will re-evaluate and may vote on the ticket following the FastTrack process 16:04:35 <zbyszek> ... and notify fedora-devel 16:04:46 <mhroncok> proposal: Once the Change is updated, it goes for one week review on devel 16:04:57 <decathorpe> sgallagh: we'd have had enough votes to reject it, too, but apparently people still want this in F34 at all cost ... 16:05:04 <sgallagh> zbyszek: +1 16:05:13 <nirik> zbyszek: +1 16:05:15 <nirik> mhroncok: -1 16:05:29 <cverna> zbyszek: +1 16:05:51 <sgallagh> @action puiterwijk will notify fedora-devel when the Change is updated 16:05:54 <sgallagh> #action puiterwijk will notify fedora-devel when the Change is updated 16:06:17 <sgallagh> mhroncok: -1 16:06:38 <dcantrell> I give mhroncok +1 here 16:06:57 <dcantrell> if we don't give the community time to review the revised proposal, then what's the point of updating the change proposal? 16:07:18 <nirik> We have not in the past required a week additional feedback on other changes, why here? 16:07:24 <King_InuYasha> we could just delay mass rebuild by another week 16:07:30 <King_InuYasha> it's not like it'll make a difference 16:07:32 <nirik> we have often asked people to update things and re-reviewed them... 16:07:36 <mhroncok> nirik: becasue this change is (close to) empty now 16:07:38 <dcantrell> nirik: I would say the distro impact by this change warrants the additional time 16:07:53 <mhroncok> it needs to be written, not slightly adapted 16:07:58 <zbyszek> I'll vote -1 for mhroncok's proposal: I think fedora-devel *might* be fine with a shorter discussion period. Let's see where it goes. If there are outstanding questions, I'll vote -1 preventing fasttrack approval. 16:08:12 <sgallagh> zbyszek: Exactly as I'd hope 16:08:16 <King_InuYasha> okay then 16:08:25 <King_InuYasha> sgallagh: +1 16:08:25 <dcantrell> ok, I think that's a reasonable compromise 16:08:31 <mhroncok> so, let me clarify 16:08:50 <mhroncok> the change is updated, posted to devel and immediately voted by fesco 16:09:12 <mhroncok> in fast track. so we'll need +7 to approve it, otherwise it waits for the whole week anyway 16:09:32 <sgallagh> I think it's reasonable to assume we'll give it at least 24 hours to soak 16:09:43 <sgallagh> But we can state that explicitly if you wish 16:09:46 <mhroncok> so the +1s will be added by people who think the discussion on devel was ssignficat enough already 16:11:08 <mhroncok> but as long as at least one fesco member posts -1, we are back at "wait an extra week for the next meeting" 16:11:27 <sgallagh> mhroncok: And you plan to do so to force the delay? 16:11:48 <mhroncok> sgallagh: it has crossed my mind, but I don't want to be that person 16:12:06 <mhroncok> but obviously, if I see that the proposal lacks details, I'll vote against 16:12:18 <sgallagh> I wouldn't want you to do otherwise. 16:12:45 <mhroncok> honestly, my opinion now is that this would better be retargetted to f35 16:13:23 <sgallagh> mhroncok: I trust you to use good judgement on whether, after the proposal is updated, it should be deferred. 16:14:17 <mhroncok> anyway, we know what happens next 16:14:27 <sgallagh> I move on to the next topic>? 16:14:31 <mhroncok> yes 16:14:36 <zbyszek> yes 16:14:42 <sgallagh> #topic #2545 F34 Change: Localization measurement and tooling 16:14:42 <sgallagh> .fesco 2545 16:14:43 <zodbot> sgallagh: Issue #2545: F34 Change: Localization measurement and tooling - fesco - Pagure.io - https://pagure.io/fesco/issue/2545 16:15:01 <zbyszek> This case is similar to a large extent. 16:15:38 <zbyszek> It's a noticable commitment of resources, and it's not entirely clear how it fits into the overall picture of Fedora infrastructure. 16:16:50 <zbyszek> Releng has been shedding projects, for good reasons. So before we add one more, we should be clear on the benefits and long term support. 16:16:51 <sgallagh> I'm frankly inclined to give them approval to work towards it and leave the final decision to Infra to determine if they have the resources to deploy it. 16:17:04 <sgallagh> deploy+maintain 16:17:48 <zbyszek> Should we open a ticket to ask infra? 16:18:03 <mhroncok> we can approve conditionally 16:18:07 * nirik is in another meeting, 16:19:04 <zbyszek> I'm not ready to vote +1 yet. There has been additional talk on the mailing list and I haven't had time to process it yet. 16:19:30 <sgallagh> This isn't as urgent, so I'm okay with deferring this for a week. Anyone else? 16:19:36 <sgallagh> Proposal: defer for a week 16:19:38 <sgallagh> +1 16:19:39 <mhroncok> sgallagh: ack 16:19:41 <dcantrell> +1 16:19:47 <zbyszek> +1 16:19:57 <decathorpe> ack 16:20:19 <sgallagh> OK, let's move on 16:20:21 <mhroncok> to clarify: my ack == +1, I just didn't think such decisions require a counted vote 16:20:25 <sgallagh> #topic #2543 F34 Change: Unify the GRUB configuration files location across all supported architectures 16:20:25 <sgallagh> .fesco 2543 16:20:26 <zodbot> sgallagh: Issue #2543: F34 Change: Unify the GRUB configuration files location across all supported architectures - fesco - Pagure.io - https://pagure.io/fesco/issue/2543 16:20:56 <sgallagh> mhroncok: They don't 16:21:08 <sgallagh> Just a lack of dissent 16:21:23 <mhroncok> sgallagh++ 16:21:30 <mhroncok> about this grub change 16:21:53 <mhroncok> I abstain, 0 16:21:56 <sgallagh> I'll be honest, my eyes tend to glaze over when trying to read bootloader Changes. 16:22:07 <mhroncok> that 16:22:09 <decathorpe> I'm not sure about this one. While making things consistent, it doesn't address the worst issues of our grub setup 16:22:39 <King_InuYasha> the real reason this was filed was to unblock efforts to migrate from lorax to osbuild 16:23:10 <King_InuYasha> osbuild produces hybrid BIOS+UEFI images like other distros do, and in order for that to work properly, we need unified config locations 16:23:19 <zbyszek> I'm willing to defer to grub developers on this. I don't have a deep understanding of the tradeoffs involved. 16:23:41 <dcantrell> javier is one of our grub devs. I'm +1 16:23:47 <nirik> I am +1 here 16:23:55 <King_InuYasha> I don't like it, but I'm +1 16:24:22 <sgallagh> Yeah, my +1 in the ticket was pretty much entirely due to it coming from GRUB developers. 16:24:22 <King_InuYasha> I think this is the wrong way to do it, but there's basically no way to fix this since GRUB is half-dead upstream 16:24:43 <sgallagh> King_InuYasha: Is there a replacement for it? 16:24:54 <King_InuYasha> we're not allowed to consider replacements 16:25:04 <King_InuYasha> because of secure boot shackles 16:25:04 <sgallagh> Who is "we"? 16:25:10 <King_InuYasha> Fedora 16:25:33 <King_InuYasha> no other bootloader in the ecosystem implements secure boot verification 16:25:34 <sgallagh> OK, topic for another day 16:25:54 <King_InuYasha> and there's the whole BIOS/UEFI thing 16:25:59 <King_InuYasha> but anyway 16:26:17 <King_InuYasha> they say this is the only thing they can do, even if it is not necessarily a good strategy 16:26:20 <King_InuYasha> so meh, +1 16:26:25 <sgallagh> zbyszek: Did your deference equate to +1? 16:26:35 <decathorpe> I agree. meh, +1 16:26:55 <King_InuYasha> (I guess refind would be another option, but we'd need a BIOS->UEFI shim) 16:27:17 <zbyszek> sgallagh: yeah, I voted +1 in the ticket 16:27:42 <sgallagh> #agreed Unification of GRUB config files is accepted (+6, 1, -0) 16:27:50 <sgallagh> #topic Next week's chair 16:28:07 <sgallagh> Who wants it? 16:28:20 <King_InuYasha> I'll do it 16:28:25 * mhroncok promises to chair some meetings in april+, after he is moved to the new house 16:30:11 <sgallagh> #action King_InuYasha to chair the next meeting 16:30:19 <sgallagh> #topic Open Floor 16:30:24 <sgallagh> Watch your step 16:30:29 * King_InuYasha falls 16:31:13 <zbyszek> .o/ 16:31:20 <zbyszek> https://pagure.io/fesco/fesco-docs/pull-request/41 16:31:55 <nirik> lets get it merged. ;) 16:32:19 <zbyszek> OK, I'll merge it tomorrow if nobody votes -1 in the pull request. 16:32:34 <zbyszek> *** Last chance *** 16:32:52 <sgallagh> I nearly merged it last night just to end the discussion 16:33:02 <sgallagh> It's not as if we can't fix it later 16:33:02 <mhroncok> :) 16:33:05 <zbyszek> (And then we can start discussing actual changes to the policy :)) 16:33:32 <nirik> thanks for taking that over the finish line. :) 16:33:41 <sgallagh> Anyone opposed to just merging it *right now*? 16:33:54 <nirik> there is one change in these changes... 16:33:54 <mhroncok> I'd like to discuss if pushing obviously broken or WIP commits to dist git should be disallowed, I'll probbaly open a topic on devel first 16:33:59 <decathorpe> crickets 16:34:16 <zbyszek> mhroncok: I think that's a separate issue. 16:34:33 <mhroncok> zbyszek: I agree, but I wonder whther it belong shere, or to packaging guidelines, or where 16:34:38 <nirik> the bit about allowing releng to untag packages that have gone out in composes if deemed needed. We could drop that if people think we should discuss it more 16:34:49 <sgallagh> mhroncok: FWIW, I agree. Pushes to dist-git should follow the same rules as Bodhi updates 16:35:02 <sgallagh> Nothing goes in except that which is expected to be pushed stable 16:35:03 <zbyszek> I think the policy should be "it's discouraged. If you need to and do it, and somebody rebuilds your package in an unwanted way, you're responsible for fixing things." 16:35:35 <zbyszek> (it == WIP commmits) 16:35:35 <mhroncok> zbyszek: obviously, side tag builds are bad with this, becasue you ned to push before building it 16:35:44 <nirik> "always have your package in a ready to build state" 16:36:13 <mhroncok> aka if I commit to python3 to update to 3.10 and do a mass side tag rebuild, a provenpackager can rebuild python for a libfoo bump and boom 16:36:21 <decathorpe> mhroncok: obviously, we need to wrap packages in Mutexes :) 16:36:23 <sgallagh> nirik: Was your question a request for me not to hit the merge button? 16:36:29 <mhroncok> decathorpe: exactly :D 16:36:30 <sgallagh> Because I've got my finger on the trigger 16:36:44 <mhroncok> hit it 16:36:58 <mhroncok> it's not like we cannot revert it entirely if there is a typo 16:37:04 <nirik> I'm fine with that change. ;) It was a chance for others to not want it. ;) 16:37:15 <sgallagh> Time's up, it's merged. 16:37:24 <sgallagh> 🥳 16:37:32 <mhroncok> \o/ 16:37:40 <nirik> if our tooling was better, side tags could build from a branch, then merge to main after the side tag is merged. 16:37:53 <decathorpe> not even joking, I thought about proposing something like "do not touch this package" locks exactly for things like making side-tag builds race-free 16:38:00 <mhroncok> nirik: it is possible to do this mnaually 16:38:06 <nirik> mhroncok: yep. 16:38:18 <mhroncok> nirik: but a merge conflict happens if somebody bumps it in the meantime 16:38:19 <nirik> just will leave you with a bunch of branches or releng requests to remove them 16:38:28 <nirik> that too yeah. 16:38:46 <nirik> because changelog/release... and so the circle is complete 16:38:50 <mhroncok> decathorpe: I can already see the problems :D 16:39:13 <decathorpe> dreaded deadlocks and starving packagers 16:39:29 <sgallagh> starving packagers with dreadlocks? 16:39:51 <sgallagh> OK, any other topics or can we call it a day? 16:40:31 <decathorpe> call it 16:40:42 <mhroncok> release us... 16:41:32 <sgallagh> #endmeeting