<@tdawson:fedora.im>
18:00:20
!startmeeting EPEL (2024-07-31)
<@meetbot:fedora.im>
18:00:21
Meeting started at 2024-07-31 18:00:20 UTC
<@meetbot:fedora.im>
18:00:21
The Meeting name is 'EPEL (2024-07-31)'
<@tdawson:fedora.im>
18:00:24
!meetingname epel
<@meetbot:fedora.im>
18:00:25
The Meeting Name is now epel
<@tdawson:fedora.im>
18:00:27
!topic aloha
<@nirik:matrix.scrye.com>
18:00:29
morning
<@carlwgeorge:matrix.org>
18:00:33
!hi
<@zodbot:fedora.im>
18:00:35
Carl George (carlwgeorge) - he / him / his
<@smooge:fedora.im>
18:00:46
hello
<@jonathanspw:fedora.im>
18:01:17
!hi
<@zodbot:fedora.im>
18:01:17
Jonathan Wright (jonathanspw)
<@salimma:fedora.im>
18:01:20
!hi
<@nhanlon:beeper.com>
18:01:21
!hi
<@zodbot:fedora.im>
18:01:21
Michel Lind (salimma) - he / him / his
<@zodbot:fedora.im>
18:01:22
Neil Hanlon (neil) - he / him / his
<@davide:cavalca.name>
18:02:34
!hi
<@zodbot:fedora.im>
18:02:35
Davide Cavalca (dcavalca) - he / him / his
<@tdawson:fedora.im>
18:03:57
Hi Davide Cavalca Neil Hanlon Michel Lind Jonathan Wright Carl George
<@salimma:fedora.im>
18:04:04
hello all
<@tdawson:fedora.im>
18:04:04
Morning nirik
<@tdawson:fedora.im>
18:04:09
Hello Stephen J Smoogen
<@tdawson:fedora.im>
18:05:15
!topic EPEL Issues https://pagure.io/epel/issues
<@tdawson:fedora.im>
18:05:21
https://pagure.io/epel/issues?tags=meeting&status=Open
<@tdawson:fedora.im>
18:05:35
We just have the one open issue
<@tdawson:fedora.im>
18:05:51
!epel 284
<@zodbot:fedora.im>
18:05:52
● **Assignee:** Not Assigned
<@zodbot:fedora.im>
18:05:52
● **Last Updated:** 4 days ago
<@zodbot:fedora.im>
18:05:52
**epel #284** (https://pagure.io/epel/issue/284): **Proposing incompatible upgrade of Zeek to the latest LTS version**
<@zodbot:fedora.im>
18:05:52
● **Opened:** a week ago by salimma
<@tdawson:fedora.im>
18:05:59
Oooh ... it's working now. :)
<@dherrera:fedora.im>
18:06:32
hi!
<@tdawson:fedora.im>
18:06:39
Hi Diego Herrera
<@salimma:fedora.im>
18:06:50
so yeah, TLDR zeek has LTS and feature releases, and LTS is only supported for a year
<@salimma:fedora.im>
18:06:50
The previous maintainer didn't work on it after leaving the company, so it's... very stale right now (3 years IIRC)
<@dherrera:fedora.im>
18:06:50
!hi
<@zodbot:fedora.im>
18:06:51
Diego Herrera (dherrera) - he / him / his
<@salimma:fedora.im>
18:07:13
two years plus, sorry, from version 4 to 6
<@carlwgeorge:matrix.org>
18:07:36
stale alone isn't necessarily sufficient to do an incompat upgrade
<@carlwgeorge:matrix.org>
18:07:44
are there any outstanding cves that can't be backported?
<@nhanlon:beeper.com>
18:08:01
thank you for finalizing zeek btw Michel Lind -- I kept running into brick walls in some form or another...
<@tdawson:fedora.im>
18:08:04
It doesn't say on the ticket, if there are any configuration and/or manual user changes.
<@salimma:fedora.im>
18:08:15
I... need to look that up
<@salimma:fedora.im>
18:08:35
the other way I can do it is make it like Django, have a new package for each LTS series, and leave the old one there untouched
<@salimma:fedora.im>
18:09:19
oh, most of the arch-specific problems turn out to be from a new tool from the same project that is now bundled by default. if you turn it off it builds cross-platform again :P
<@nhanlon:beeper.com>
18:09:37
IMO, we should allow this and bump to 6.0
<@tdawson:fedora.im>
18:09:41
Nothing else is using it in EPEL, so I'm not sure it's necessary. But I don't know zeek enough to know if that's something people would want. (Meaning having a new packager for each LTS release)
<@nhanlon:beeper.com>
18:09:45
lol of course it was something simple...
<@conan_kudo:matrix.org>
18:10:02
!hi
<@zodbot:fedora.im>
18:10:03
Neal Gompa (ngompa) - he / him / his
<@nhanlon:beeper.com>
18:10:10
I will write something more eloquent in the ticket :)
<@salimma:fedora.im>
18:10:16
upstream changelog - https://github.com/zeek/zeek/blob/master/CHANGES - sadly it's a firehose
<@tdawson:fedora.im>
18:10:25
If users can just do a "dnf upgrade" and not have to do anything, I'm totally fine with the incompatible update.
<@tdawson:fedora.im>
18:10:34
Hi Conan Kudo
<@nhanlon:beeper.com>
18:10:41
the last 4.x release was nearly 2 years ago (just under)
<@carlwgeorge:matrix.org>
18:10:44
we generally approve incompat requests when cves are involved, but it's a bit murkier otherwise
<@salimma:fedora.im>
18:10:54
I don't know zeek that much too, but the team at work that does use it seem very keen on using v6 (so it turns out they never used the v4 that their old member packaged :P)
<@salimma:fedora.im>
18:11:11
yeah, I could not actually find a CVE, only for one of the Zeek plugins
<@conan_kudo:matrix.org>
18:11:15
the choice between unmaintained and not unmaintained for a leaf package makes things pretty easy
<@nhanlon:beeper.com>
18:11:18
Yeah. I'm like 99% sure there's not actually anyone _using_ Zeek in EPEL right now
<@carlwgeorge:matrix.org>
18:11:27
reminder of the general epel policy:
<@carlwgeorge:matrix.org>
18:11:27
> The packages in the repository should, if possible, be maintained in similar ways to the Enterprise Packages they were built against. In other words: have a mostly stable set of packages that normally do not change at all and only changes if there are good reasons for it - so no "hey, there is a new version, it builds, let's ship it" mentality.
<@conan_kudo:matrix.org>
18:11:49
that's not fair... in this case we're talking about a package with effectively a dead upstream
<@tdawson:fedora.im>
18:11:51
Ah, good point.
<@nhanlon:beeper.com>
18:11:51
6.x is, itself, 18 months old
<@conan_kudo:matrix.org>
18:11:59
and no resources to do work downstream on
<@carlwgeorge:matrix.org>
18:12:11
does fixing the cve in the zeek plugin require rebasing zeek? that could be a justifiable angle.
<@salimma:fedora.im>
18:12:26
yeah, I agree with both of you. ideally we do the same thing as RHEL, but we don't actually have the bandwidth to backport fixes
<@carlwgeorge:matrix.org>
18:12:34
that's the policy, fairness isn't a factor
<@salimma:fedora.im>
18:12:38
good question. I can circle back later
<@conan_kudo:matrix.org>
18:12:57
fairness is a factor for us as arbiters of the policy
<@salimma:fedora.im>
18:13:00
fwiw if it's easier I'm ok with creating a zeek6 package then we can wait until there is a CVE to retire the old zeek
<@carlwgeorge:matrix.org>
18:13:36
judging how hard backporting fixes is requires specifying what fixes (i.e. cves) are desired
<@nhanlon:beeper.com>
18:14:09
particularly when this package was, effectively, a false start. e.g., it never actually made it into Fedora before it was built and released in EPEL (iirc)
<@jonathanspw:fedora.im>
18:14:17
Do major things change between versions that make the tool more/less useful with current traffic/web standards?
<@salimma:fedora.im>
18:14:22
disclosure: if someone at work does not need this I would drop it like a hot potato and wash my hands of it. it's... not enjoyable to work on (Neil Hanlon can attest)
<@conan_kudo:matrix.org>
18:14:31
if zeek was a package that other things depended on, I think there would be a stronger argument (ie like Django)
<@jonathanspw:fedora.im>
18:14:32
Such as new patterns or something to grab modern traffic types.
<@jonathanspw:fedora.im>
18:14:36
(not familiar with zeek)
<@davide:cavalca.name>
18:15:14
I think for a leaf package on this these constraints it's probably ok to upgrade, but I'm with Carl George that's not what the policy actually says
<@conan_kudo:matrix.org>
18:15:17
but as a leaf application package, I think proceeding with an incompatible update notice is fine to bring the package into a maintainable state
<@davide:cavalca.name>
18:15:23
so we may want to consider amending the policy to cover this usecase
<@salimma:fedora.im>
18:15:35
ok, turns out there are security issues. just not CVE. and easiest way to find them is to go through the release notes on github one by one :(
<@carlwgeorge:matrix.org>
18:15:35
if it's in epel, someone we're not aware of could be depending on it, and a disruptive update would not be nice. that's why we have the policy as it is.
<@salimma:fedora.im>
18:15:42
first I found, going backwards, for 6.0.3: https://github.com/zeek/zeek/releases/tag/v6.0.3
<@salimma:fedora.im>
18:15:55
A specially-crafted series of packets containing nested MIME entities can
cause Zeek to spend large amounts of time parsing the entities. Due to the
possibility of receiving these packets from remote hosts, this is a DoS
risk. The fix included adds a new option (MIME::max_depth) to the MIME parser
that limits the depth the parser will attempt to follow the entity nesting. If
the limit is reached an exceeded_mime_max_depth weird is generated.
<@conan_kudo:matrix.org>
18:16:01
that's why we require the incompatible update notices
<@salimma:fedora.im>
18:16:46
6.0.2 has even more security fixes https://github.com/zeek/zeek/releases/tag/v6.0.2
<@carlwgeorge:matrix.org>
18:16:58
ok then i'm on board. we don't actually require assigned cve numbers, just security fixes that aren't easily backported.
<@salimma:fedora.im>
18:17:05
5 of them so I won't copy paste. ugh these really should be CVEs :(
<@conan_kudo:matrix.org>
18:17:29
it's security software, I think it is perfectly in line similar to clamav
<@salimma:fedora.im>
18:17:31
thanks! from the release notes looks like they fix both the LTS and the feature release (e.g. 6.0.3 and the parallel 6.1.x release have the same notice)
<@conan_kudo:matrix.org>
18:17:55
and I'm also not terribly surprised at the lack of CVE declarations
<@carlwgeorge:matrix.org>
18:17:57
this is something i actually have in mind for epel10. relax the rebase policy in the epel10 branch only, which defers changes for rhel users till the next minor version.
<@salimma:fedora.im>
18:18:04
If we don't have enough to decide on we can just make it a one off and circle back when zeek 7 is out - if there's a track record of needing security fixes maybe we can make this permanent?
<@conan_kudo:matrix.org>
18:18:17
not many people know you can declare CVEs right from GitHub
<@conan_kudo:matrix.org>
18:18:38
or rather security advisories that can be turned into CVEs
<@salimma:fedora.im>
18:18:41
yeah, epel10 being more visible than epel9-next should help with "this is a heads up that breakages are coming"
<@conan_kudo:matrix.org>
18:18:55
that would make things _considerably_ easier
<@salimma:fedora.im>
18:19:08
I certainly would still not upgrade willy-nilly :)
<@conan_kudo:matrix.org>
18:19:38
certainly not, but it makes dealing with various forcing functions less painful
<@carlwgeorge:matrix.org>
18:19:42
i would say that if it's not terribly difficult, i'd be in favor of versioned packages like zeek6 and zeek7, which avoids the policy problem entirely. just retire the old ones when you don't feel like maintaining them anymore.
<@carlwgeorge:matrix.org>
18:19:57
i think zabbix is set up that way
<@jonathanspw:fedora.im>
18:20:08
it is
<@salimma:fedora.im>
18:20:09
I am on board with that, but can we start doing versioned package for zeek 7 instead?
<@conan_kudo:matrix.org>
18:20:30
that's probably a good idea
<@conan_kudo:matrix.org>
18:20:33
7 is the next LTS, right?
<@carlwgeorge:matrix.org>
18:20:43
if version 6 is going to stick around for a while, why not go ahead and get it in as zeek6?
<@salimma:fedora.im>
18:20:43
how does zabbix do it? I see an unversioned zabbix in Fedora https://src.fedoraproject.org/rpms/zabbix
<@tdawson:fedora.im>
18:20:47
Are you meaning, update the current one to 6, and then make a zeek7 ?
<@salimma:fedora.im>
18:20:52
yeah, LTS is always x.0.z for Zeek
<@salimma:fedora.im>
18:21:06
yup, update the current one to 6, start only having versioned packages when zeek 7 is out
<@conan_kudo:matrix.org>
18:21:46
zabbix is not multiversioned as far as I know
<@salimma:fedora.im>
18:22:01
we do have versioned packages for Django now, so zeek will just be done the same way
<@tdawson:fedora.im>
18:22:02
Since the current one has CVE's, I'm good with starting versioned on zeek7. My only concern is when you would retire unversioned zeek.
<@salimma:fedora.im>
18:22:08
starting from next version
<@salimma:fedora.im>
18:22:25
oh, if we do versioned I think we can evaluate based on unfixed security issues if we want to retire it or not
<@salimma:fedora.im>
18:22:29
once it's EOL
<@salimma:fedora.im>
18:23:11
I'm happy leaving it in the repo until we discover issues. but for Fedora I'll retire it from Rawhide as soon as it's EOL upstream
<@jonathanspw:fedora.im>
18:23:15
it is
<@carlwgeorge:matrix.org>
18:23:25
i still think that starting the versioning now with a zeek6 package would avoid the need to do an incompat upgrade, so it would be worthwhile
<@salimma:fedora.im>
18:23:33
can you point to the multiversioned zabbix spec? I have the dump of all packages and I don't see it
<@conan_kudo:matrix.org>
18:23:46
yeah I don't see it either
<@jonathanspw:fedora.im>
18:23:52
https://src.fedoraproject.org/rpms/zabbix50
<@jonathanspw:fedora.im>
18:23:52
https://src.fedoraproject.org/rpms/zabbix
<@jonathanspw:fedora.im>
18:23:52
https://src.fedoraproject.org/rpms/zabbix6.0
<@carlwgeorge:matrix.org>
18:24:00
looks like in epel8 it's zabbix6.0, but in epel9 it's just zabbix
<@salimma:fedora.im>
18:24:00
Carl George: fair. I can do that (just copy paste, and mark it as conflicting the main package I guess)
<@carlwgeorge:matrix.org>
18:24:19
yeah we allow conflicts between epel packages
<@conan_kudo:matrix.org>
18:24:30
it looks like it's legacy versioned, not true multiversioned
<@salimma:fedora.im>
18:24:30
interestingly the main zabbix is also in EPEL9. I wonder if that one has ever been upgraded from 5 to 6
<@jonathanspw:fedora.im>
18:24:40
yeah there's def some weird stuff going on here
<@jonathanspw:fedora.im>
18:24:45
between multiple maintainers
<@salimma:fedora.im>
18:25:09
oh well
<@conan_kudo:matrix.org>
18:25:15
oh, this is orionp doing his own thing
<@conan_kudo:matrix.org>
18:25:24
so I wouldn't count this the same as what Carl George is suggesting
<@carlwgeorge:matrix.org>
18:26:06
if a versioned package is hard now, i doubt it would get easier for zeek7
<@carlwgeorge:matrix.org>
18:26:30
this probably needs more investigation, so let's do the rest of the meeting and then pick this back up in the main channel
<@salimma:fedora.im>
18:26:33
yeah, it just frontloads the work
<@salimma:fedora.im>
18:26:37
right
<@salimma:fedora.im>
18:26:40
let's move on first
<@tdawson:fedora.im>
18:26:51
Sounds good ... moving on.
<@tdawson:fedora.im>
18:27:11
That was our last issue marked with Meeting, so loving on to epel10
<@tdawson:fedora.im>
18:27:20
!topic EPEL 10
<@salimma:fedora.im>
18:27:26
I like loving on more than moving on :)
<@tdawson:fedora.im>
18:28:14
Do we have any progress on epel10? (He says, knowing that the answer is yes)
<@salimma:fedora.im>
18:28:31
the lawyer way of asking. only ask what you know the answer to :)
<@tdawson:fedora.im>
18:28:34
!link https://hackmd.io/q6TNkYjJT82EtzhlyPGpog
<@carlwgeorge:matrix.org>
18:29:10
couple of cool milestones. we've got epel10.0 in bodhi, confirmed signing works, our first successful epel10 branch request, and lots of fixes for owner-sync-pagure.
<@carlwgeorge:matrix.org>
18:29:27
oh and fedpkg-minimal has been bootstrapped https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-6c5e7c0cdf
<@conan_kudo:matrix.org>
18:30:08
wait, wait, WAAAIT
<@conan_kudo:matrix.org>
18:30:13
does that mean we can make packages now?!
<@carlwgeorge:matrix.org>
18:30:15
next i need to figure out why that update didn't get marked stable, how to publish the repo somewhere like rawhide does, and build epel-release and epel-rpm-macros
<@carlwgeorge:matrix.org>
18:30:18
NO
<@conan_kudo:matrix.org>
18:30:26
awww ☹️
<@carlwgeorge:matrix.org>
18:30:46
as previously stated in the epel10 status update, don't start doing packages until i give the all clear (likely during the flock hackfest)
<@nirik:matrix.scrye.com>
18:31:20
publishing the repo like rawhide is means a nightly.sh script that calls pungi and pungi config.
<@carlwgeorge:matrix.org>
18:31:39
but at this point it does look likely that the hackfest can involve actual packaging work, not just releng stuff
<@salimma:fedora.im>
18:32:01
whee
<@conan_kudo:matrix.org>
18:32:06
like the one that was just added for eln, right?
<@nirik:matrix.scrye.com>
18:32:07
perhaps.
<@nirik:matrix.scrye.com>
18:32:52
yep
<@carlwgeorge:matrix.org>
18:33:01
more good news, Aoife Moloney adjusted the schedule so nirik can attend both the infra/releng and epel10 hackfests
<@nirik:matrix.scrye.com>
18:34:00
yeah, looks good to me...
<@jonathanspw:fedora.im>
18:34:06
Aoife Moloney++
<@zodbot:fedora.im>
18:34:08
jonathanspw gave a cookie to amoloney. They now have 51 cookies, 18 of which were obtained in the Fedora 40 release cycle
<@conan_kudo:matrix.org>
18:34:30
looks like it's parallel to the multimedia hackfest that Davide Cavalca and I will be running
<@carlwgeorge:matrix.org>
18:34:31
i think that covers it for epel10 updates, we can move on
<@conan_kudo:matrix.org>
18:34:39
so there's gonna probably be some sprinting :P
<@nirik:matrix.scrye.com>
18:34:50
hopefully the rooms are close together
<@tdawson:fedora.im>
18:34:55
Thank you Carl George , and everyone else helping out with epel10.
<@tdawson:fedora.im>
18:35:06
!topic Old Business
<@tdawson:fedora.im>
18:35:18
Does anyone have any old Business they would like to bring up?
<@tdawson:fedora.im>
18:36:20
I'll take the silence as a no ... moving on.
<@tdawson:fedora.im>
18:36:30
!topic General Issues / Open Floor
<@carlwgeorge:matrix.org>
18:37:11
one small fyi, after our last docs adjustment i realized it wasn't documented anywhere how to request epel branches, so i sent https://pagure.io/fedora-docs/package-maintainer-docs/pull-request/165
<@carlwgeorge:matrix.org>
18:37:19
(which our docs already reference)
<@tdawson:fedora.im>
18:37:53
One thing I'd like to bring up is just a reminder that we will not have our EPEL Steering Committee meeting or EPEL Office hours next week.
<@rcallicotte:fedora.im>
18:38:12
!hi
<@zodbot:fedora.im>
18:38:13
Robby Callicotte (rcallicotte) - he / him / his
<@tdawson:fedora.im>
18:38:53
Hi Robby Callicotte
<@rcallicotte:fedora.im>
18:39:13
Michel Lind I almost said hi in the EPEL room too hehe
<@tdawson:fedora.im>
18:39:31
Thank you Carl George ... I didn't realize that wasn't documented.
<@carlwgeorge:matrix.org>
18:39:53
yeah i was surprised too, so i fixed it
<@tdawson:fedora.im>
18:40:28
Anything else for Open Floor?
<@tdawson:fedora.im>
18:42:22
If nobody objects, then I'm going to close the meeting early.
<@jonathanspw:fedora.im>
18:42:35
See most of y'all in a week :)
<@tdawson:fedora.im>
18:42:41
Yep.
<@nirik:matrix.scrye.com>
18:42:49
safe travels everyone
<@smooge:fedora.im>
18:43:14
have a good trip to people
<@rcallicotte:fedora.im>
18:43:16
yay!! see y'all next week
<@carlwgeorge:matrix.org>
18:43:16
oh i had one more thing
<@tdawson:fedora.im>
18:43:19
Thank you all for coming today and the good discussions. Thank you all for all you do for EPEL and its community. And I look forward to seeing many of you in person next week.
<@smooge:fedora.im>
18:43:22
and see you in 2 weeks online
<@tdawson:fedora.im>
18:43:30
Carl George: Go for it.
<@salimma:fedora.im>
18:44:00
thanks Troy!
<@salimma:fedora.im>
18:44:06
oh, one more thing
<@salimma:fedora.im>
18:44:10
(Carl's I mean)
<@carlwgeorge:matrix.org>
18:44:30
it occurred to me that our current epel-release is marked as gpl2, and indicates that the overall epel collective work is gpl2. that seems to be carried forward all the way from epel4. the fedora collective work is mit, so i think for epel10 we can align with fedora and say that collective work is mit.
<@salimma:fedora.im>
18:44:47
+1
<@rcallicotte:fedora.im>
18:44:58
lol
<@salimma:fedora.im>
18:45:00
we should not make this retroactive, but for EPEL10+ that sounds like a good idea
<@carlwgeorge:matrix.org>
18:45:13
we should probably also have an equivalent file to https://src.fedoraproject.org/rpms/fedora-release/blob/rawhide/f/Fedora-Legal-README.txt
<@nirik:matrix.scrye.com>
18:45:17
I am not sure that the release package implies everything in epel has some license or other
<@salimma:fedora.im>
18:45:19
isn't black turtlene... oh epel, apple
<@salimma:fedora.im>
18:45:29
🤦
<@conan_kudo:matrix.org>
18:45:37
🤦
<@smooge:fedora.im>
18:45:46
the 'one more thing' at the end of a meeting was also a Steve Jobs thing
<@nirik:matrix.scrye.com>
18:45:50
and... relicensing should have everyone who contributed say ok, no?
<@conan_kudo:matrix.org>
18:45:59
yup
<@salimma:fedora.im>
18:46:07
true. though I recently saw it taken over by Rivian's CEO so that's the one I remembered
<@smooge:fedora.im>
18:46:07
So I would say we talk to legal first
<@carlwgeorge:matrix.org>
18:46:23
well this wouldn't be a relicense, it would be for epel10 from the start going forward
<@conan_kudo:matrix.org>
18:46:26
well, technically for epel10 it's carrying the Fedora collection license over
<@salimma:fedora.im>
18:46:26
but if we only do it for the new epel10 it should be fine right?
<@salimma:fedora.im>
18:46:28
exactly
<@carlwgeorge:matrix.org>
18:46:39
obligatory ianal
<@smooge:fedora.im>
18:46:45
The 'overall' collection thing was something that Fedora had for a long time but the interpretation of the legal reason changed
<@salimma:fedora.im>
18:46:45
I would rather not touch epel9 and open the can of worms of "does this apply to other specs or not?"
<@conan_kudo:matrix.org>
18:46:46
I definitely don't want to touch the older ones
<@smooge:fedora.im>
18:47:00
so please ask fedora-legal
<@carlwgeorge:matrix.org>
18:47:18
yeah i was planning to run this by the fedora legal folks who wrote this policy file
<@smooge:fedora.im>
18:47:20
it may be that the 'whole' collection idea is invalid
<@salimma:fedora.im>
18:47:20
so there is a tension even in epel9 I guess
<@salimma:fedora.im>
18:47:33
since we mostly get package specs inherited from Fedora but the license declared in epel-release is different
<@nirik:matrix.scrye.com>
18:47:42
yeah, needs some reviewing. I am not sure either
<@jonathanspw:fedora.im>
18:48:08
I'm not making the connection on how epel-release's license has anything to do with package licenses from EPEL.
<@carlwgeorge:matrix.org>
18:48:09
bringing this up for awareness, no decision needed yet. will include it in the initial epel-release pr for the epel10 branch.
<@nirik:matrix.scrye.com>
18:48:10
but if we are starting with a copy, I would think it would retain its license.
<@rcallicotte:fedora.im>
18:48:17
does the license specified in epel-release only account for the epel-release package or the whole collection??
<@nirik:matrix.scrye.com>
18:48:23
Jonathan Wright: same here
<@smooge:fedora.im>
18:48:31
The issue is if the entire 'collection' is GPL2 we would have to drop many packages from EPEL (anything without a GPL exception)
<@jonathanspw:fedora.im>
18:48:45
'collection' being all of EPEL?
<@smooge:fedora.im>
18:48:49
so talk to legal.. and find out what needs to be done
<@salimma:fedora.im>
18:48:56
epel's is gpl2 because centos stream / RHEL release packages are also GPLv2 right?
<@nirik:matrix.scrye.com>
18:48:58
They are different things.
<@salimma:fedora.im>
18:49:04
we just copied theirs at some point
<@conan_kudo:matrix.org>
18:49:11
Michel Lind: EPEL 4 is when we copied it
<@conan_kudo:matrix.org>
18:49:30
so fairly early on
<@carlwgeorge:matrix.org>
18:49:36
normally the license field applies to the packaged software, but release packages don't have such software, they're self contained. existing ones like fedora-release and redhat-release sorta repurpose the license field to describe the "collective work".
<@salimma:fedora.im>
18:49:39
maybe after we make epel's MIT we can see about making the RH one MIT too (opened Pandora's box)
<@nirik:matrix.scrye.com>
18:49:55
that is not at all my understanding. ;)
<@smooge:fedora.im>
18:49:59
back in the pre-billion licenses day, Red Hat Linux was under a 'GPLv2' collection idea that everything was seen as GPLv2 to say we were 'FLOSS' that turned into problems over the years and the interpretation of that being valid was the difference between what engineers think is possible and what is actually legally possible
<@davide:cavalca.name>
18:50:00
Is this documented somewhere?
<@carlwgeorge:matrix.org>
18:50:04
our currently GPL file references red hat linux
<@nirik:matrix.scrye.com>
18:50:07
epel-release is a package it has files, it's under the license it is.
<@jonathanspw:fedora.im>
18:50:08
Is there something inherently wrong with GPLv2 that we're trying to solve, or just to align better with fedora?
<@smooge:fedora.im>
18:50:15
hi guys one sec
<@smooge:fedora.im>
18:50:20
I explained above
<@carlwgeorge:matrix.org>
18:50:33
the latter
<@rcallicotte:fedora.im>
18:50:35
whoa!
<@conan_kudo:matrix.org>
18:50:35
not particularly anything wrong with it other than alignment with the broader Fedora side of things
<@smooge:fedora.im>
18:50:41
yes..
<@jonathanspw:fedora.im>
18:50:50
Ok. also I see your reply now Stephen J Smoogen
<@conan_kudo:matrix.org>
18:51:01
my copy of Red Hat Linux proudly says the _distribution_ is GPLv2 :P
<@carlwgeorge:matrix.org>
18:51:08
https://src.fedoraproject.org/rpms/epel-release/blob/epel9/f/GPL#_2-5
<@nirik:matrix.scrye.com>
18:51:16
MIT is the default for the FPCA (and before it the predecessors...)
<@jonathanspw:fedora.im>
18:51:17
I mean, if legal checks off on it I'd be +1 I guess
<@conan_kudo:matrix.org>
18:51:19
one of my really old copies even says a portion of the sale is donated to FSF :P
<@smooge:fedora.im>
18:51:21
the epel came from extras which came from the older RHL release
<@jonathanspw:fedora.im>
18:51:29
(for 10+)
<@davide:cavalca.name>
18:51:43
I would highly recommend just deferring to legal here
<@salimma:fedora.im>
18:52:09
yeah, the amount of confusion even among us here kind of heavily suggests let's just get legal involved
<@carlwgeorge:matrix.org>
18:52:18
https://src.fedoraproject.org/rpms/fedora-release/blob/rawhide/f/Fedora-Legal-README.txt
<@salimma:fedora.im>
18:52:27
because if we change it for 10 someone will ask "what does this mean for 9"
<@salimma:fedora.im>
18:52:37
so we better have an answer :)
<@smooge:fedora.im>
18:52:50
8 is still a valid release people
<@salimma:fedora.im>
18:52:57
and 8, yes
<@carlwgeorge:matrix.org>
18:52:57
i can't imagine a different answer than "just follow fedora's example", but will certainly do my due diligence and contact legal
<@smooge:fedora.im>
18:53:20
i can imagine a couple of different answers
<@jonathanspw:fedora.im>
18:53:29
Can I commit the change of the license and then when legal gets mad I can finally get my badge for legal having to override something I did?
<@nirik:matrix.scrye.com>
18:53:38
I suspect no one has looked at this in a long time and asking will get it looked at. ;) for good or bad.
<@salimma:fedora.im>
18:53:44
wait, is there a badge for that?
<@smooge:fedora.im>
18:53:51
there used to be
<@jonathanspw:fedora.im>
18:53:54
yep. Carl George has it, that turd
<@carlwgeorge:matrix.org>
18:53:57
fedora legal badge of doom, or something
<@conan_kudo:matrix.org>
18:53:58
can I pretend it isn't?
<@smooge:fedora.im>
18:54:03
nope
<@rcallicotte:fedora.im>
18:54:07
hehe
<@smooge:fedora.im>
18:54:09
you have 4 more years of 8
<@conan_kudo:matrix.org>
18:54:15
noooo
<@conan_kudo:matrix.org>
18:54:34
yup, I got it for... things :P
<@carlwgeorge:matrix.org>
18:54:36
to be clear i'm suggesting epel8 and epel9 stay as is, and we start epel10 as an mit "collection"
<@conan_kudo:matrix.org>
18:54:39
this is probably one of those "things"
<@salimma:fedora.im>
18:54:54
this is also a nice benefit of versioned packages, you don't get swamped with papercut bugs for older releases that are valid but hard to fix :)
<@jonathanspw:fedora.im>
18:55:08
Best course of action is probably for us to all +1 the *idea*, and then defer to legal if it's kosher.
<@smooge:fedora.im>
18:55:14
I would seriously check on all of them
<@carlwgeorge:matrix.org>
18:55:39
hopefully i'll have an answer in time for flock, along with an initial epel-release build for 10
<@salimma:fedora.im>
18:55:41
Proposal: epel-release 10 switching to MIT license, subject to clarification from legal
<@smooge:fedora.im>
18:55:49
but not my circus, and not my monkeys
<@nirik:matrix.scrye.com>
18:56:01
-1
<@conan_kudo:matrix.org>
18:56:21
the rabid monkeys are potentially not worth it
<@jonathanspw:fedora.im>
18:56:26
TBH I'm kind of indifferent, but I wouldn't fight against it. abstain?
<@salimma:fedora.im>
18:56:35
I'm fine either way but just wanted to table what Jonathan suggested
<@carlwgeorge:matrix.org>
18:56:51
my outlook was that if the fedora collection is mit, and we derive from that, are we even allowed to relicense the collection as gpl?
<@conan_kudo:matrix.org>
18:56:56
yes
<@nirik:matrix.scrye.com>
18:56:59
If we want to say the epel collection is mit, that's one thing, but changing epel-release license seems different and much more difficult
<@conan_kudo:matrix.org>
18:57:05
it's the other way that isn't necessarily allowed
<@carlwgeorge:matrix.org>
18:57:16
no need for an explicit motion or vote now, let me see what legal says
<@salimma:fedora.im>
18:57:26
but the prob is MIT requires attribution and we don't stick a copy of the MIT license on every Fedora repo :P
<@conan_kudo:matrix.org>
18:57:44
there's one shipped in fedora-release, IIRC
<@salimma:fedora.im>
18:57:52
so.. depending on if this 'collection' thing is valid or not, we might or might not be relicensing the specs from MIT to GPL
<@conan_kudo:matrix.org>
18:57:59
since you can't actually install fedora without it, you generally have it
<@carlwgeorge:matrix.org>
18:58:01
indeed https://src.fedoraproject.org/rpms/fedora-release/blob/rawhide/f/LICENSE
<@salimma:fedora.im>
18:58:06
yeah, but I mean individual package dist-gits don't have that
<@conan_kudo:matrix.org>
18:58:11
it's also in generic-release too, I think
<@tdawson:fedora.im>
18:58:27
Carl George: Just realize, that if you change it to MIT, you need to re-write the whole epel-release package. Otherwise you have to get a release from all past contributors.
<@conan_kudo:matrix.org>
18:58:27
Michel Lind: it's not explicitly required as long as the license and attribution is _somewhere_
<@salimma:fedora.im>
18:58:36
Carl is asking legal so let's not bash our heads here :)
<@conan_kudo:matrix.org>
18:58:40
we have a license file on disk, the changelogs contain attribution, ergo it's fine
<@nirik:matrix.scrye.com>
18:58:46
https://docs.fedoraproject.org/en-US/legal/misc/#_license_of_fedora_spec_files
<@carlwgeorge:matrix.org>
18:59:09
individual dist-git repos don't, but when missing they roll up to the overall fpca or whatever it's called, that says the default is mit
<@salimma:fedora.im>
18:59:27
I guess EPEL specs are still Fedora specs since it's Fedora EPEL
<@salimma:fedora.im>
18:59:38
so Fedora specs even in the epel* branches are actually MIT licensed
<@carlwgeorge:matrix.org>
18:59:41
sure, that's easy enough
<@conan_kudo:matrix.org>
18:59:42
yes
<@conan_kudo:matrix.org>
18:59:47
so actually epel-release needs both GPL and MIT
<@salimma:fedora.im>
18:59:48
in which case, ok I'm a weak +1 to making epel-release MIT
<@salimma:fedora.im>
18:59:52
just to avoid the confusion
<@conan_kudo:matrix.org>
19:00:14
regardless of this, we do actually need to add an MIT license file to epel-release
<@nirik:matrix.scrye.com>
19:00:20
why?
<@salimma:fedora.im>
19:00:38
I don't think we need to, it's not statically linked or anything
<@conan_kudo:matrix.org>
19:00:42
because that's how we deliver the license of the spec files to people
<@conan_kudo:matrix.org>
19:00:54
even when you relicense, the old license is still valid
<@nirik:matrix.scrye.com>
19:01:08
they just default to MIT
<@carlwgeorge:matrix.org>
19:01:10
no need to litigate (hehe) it here, i'll get an answer from fedora legal and report back
<@salimma:fedora.im>
19:01:12
I would not mind at the very least adding a notice that individual EPEL spec files are MIT unless stated otherwise
<@salimma:fedora.im>
19:01:24
so there's no confusion that GPL only applies to files in epel-release itself
<@tdawson:fedora.im>
19:01:41
Looks like our time is up. I think we're going to have to put this conversation on pause, while Carl George talks to Legal.
<@salimma:fedora.im>
19:01:41
and... we're at the hour
<@tdawson:fedora.im>
19:02:25
Thank you all for the discussion ... I'm pretty sure it will continue next week and on Matrix and elsewhere.
<@salimma:fedora.im>
19:02:35
thanks Troy!
<@rcallicotte:fedora.im>
19:02:51
thanks Troy. See y'all next week!
<@tdawson:fedora.im>
19:03:04
I've already said my usual closing stuff ... so this time I'm just closing in 20 seconds.
<@smooge:fedora.im>
19:03:27
go for it
<@tdawson:fedora.im>
19:03:31
!endmeeting