<@james:fedora.im>
16:00:22
!startmeeting fpc
<@meetbot:fedora.im>
16:00:24
Meeting started at 2025-03-27 16:00:22 UTC
<@meetbot:fedora.im>
16:00:24
The Meeting name is 'fpc'
<@james:fedora.im>
16:00:25
!topic Roll Call
<@decathorpe:fedora.im>
16:00:57
!hi
<@zodbot:fedora.im>
16:00:58
Fabio Valentini (decathorpe) - he / him / his
<@james:fedora.im>
16:01:04
!hi
<@zodbot:fedora.im>
16:01:06
James Antill (james)
<@salimma:fedora.im>
16:01:42
!hi
<@zodbot:fedora.im>
16:01:44
Michel Lind (salimma) - he / him / his
<@conan_kudo:matrix.org>
16:02:10
!hi
<@zodbot:fedora.im>
16:02:12
Neal Gompa (ngompa) - he / him / his
<@carlwgeorge:fedora.im>
16:02:20
!hi
<@zodbot:fedora.im>
16:02:21
Carl George (carlwgeorge) - he / him / his
<@conan_kudo:matrix.org>
16:02:58
my 2014 MBP is finally retired to just be used for Fedora on Intel Mac testing/dev
<@salimma:fedora.im>
16:03:55
I have had to purge my old Macs from my account just to be able to turn on ADP :P
<@conan_kudo:matrix.org>
16:04:22
I haven't done that yet 😅
<@james:fedora.im>
16:04:26
Paychecks?
<@salimma:fedora.im>
16:05:18
advanced data protection
<@salimma:fedora.im>
16:05:39
if you're in the UK you really want to turn it on now before it's too late (it probably already is) - Apple agreed to turn it off iirc because govt likes your data
<@salimma:fedora.im>
16:05:56
basically E2EE backup. which to my chagrin is not on by default
<@james:fedora.im>
16:07:19
Not living in the UK, or using iPhone/iCloud ... I guess I'm blissfully ignorant.
<@salimma:fedora.im>
16:07:51
Element is already fielding questions from users about how they're affected
<@salimma:fedora.im>
16:07:59
so we're all affected too really. EMS is a UK company
<@salimma:fedora.im>
16:08:13
but anyway
<@james:fedora.im>
16:08:41
Interesting.
<@james:fedora.im>
16:08:52
But, yeh, let's re-topic ...
<@salimma:fedora.im>
16:08:54
https://i.kym-cdn.com/entries/icons/original/000/019/304/Old_Man_Yells_at_cloud_cover.jpg
<@james:fedora.im>
16:09:04
!topic FPC#1444 https://pagure.io/packaging-committee/issue/1444
<@james:fedora.im>
16:12:21
Anyone have any thoughts?
<@james:fedora.im>
16:12:32
Fabio Valentini: is +1
<@carlwgeorge:fedora.im>
16:12:40
don't containers do magic stuff with uid remapping?
<@conan_kudo:matrix.org>
16:12:58
only to create a uid namespace for the executing user
<@conan_kudo:matrix.org>
16:13:11
e.g. mapping current user to the namespaced root user
<@salimma:fedora.im>
16:13:16
pagure is down, I can't open it
<@conan_kudo:matrix.org>
16:13:27
it's broken on firefox works in chrome
<@conan_kudo:matrix.org>
16:13:29
why dunno
<@salimma:fedora.im>
16:13:38
so yesterday it worked for me on the same Firefox. odd
<@conan_kudo:matrix.org>
16:13:42
been like this since yesterday
<@conan_kudo:matrix.org>
16:13:46
for me
<@salimma:fedora.im>
16:13:50
oh I just upgraded this box yesterday. sigh. maybe now this is broken
<@salimma:fedora.im>
16:14:01
maybe we should resort to creating PDFs of meeting tickets. or archive.is :P
<@salimma:fedora.im>
16:14:11
oh it works on incognito
<@james:fedora.im>
16:14:16
Michel Lind UTC-6: It's been weird for at least a day ... try a different window or a private tab or something. Sometimes it just fixes itself after a wait.
<@salimma:fedora.im>
16:14:34
yeah I'm +1 too
<@conan_kudo:matrix.org>
16:14:35
I'm fine with granting a static allocation here
<@conan_kudo:matrix.org>
16:14:35
+1
<@salimma:fedora.im>
16:14:48
but I wonder if the packager has a plan to migrate existing installs to the new uid/gid
<@carlwgeorge:fedora.im>
16:14:53
i'm overall indifferent on this one, but the container example they're giving still sounds fishy to me
<@carlwgeorge:fedora.im>
16:15:02
> Just this week we hit an issue where the system UID for xrootd did not match the container UID for xrootd, causing failures in having xrootd access SMB/CIFS-based filesystems (this is because the kernel invokes cifs-upcall in the system namespace while the access occurred from the container).
<@carlwgeorge:fedora.im>
16:15:33
maybe i just don't understand the software
<@james:fedora.im>
16:16:21
I feel like forever these are all the same problem ... we use this app. over NFS and thus need a static uid, we use this in ostree, we use this in containers, etc.
<@james:fedora.im>
16:17:09
And to be fair, each thing is much easier to solve with a static uid for those 6, 666, or 666k users.
<@conan_kudo:matrix.org>
16:17:25
tbh static allocations probably need to become more of a default for network connected services
<@james:fedora.im>
16:17:32
I've no idea how popular xrootd is.
<@conan_kudo:matrix.org>
16:17:37
there are so many things that go wrong when you don't
<@salimma:fedora.im>
16:17:48
yup. container is just the new manifestation
<@conan_kudo:matrix.org>
16:19:42
it's a networked data storage system, so meh, let's give it the allocation
<@salimma:fedora.im>
16:20:22
we have enough to pass it right? who has not voted
<@salimma:fedora.im>
16:20:25
let's just move on
<@james:fedora.im>
16:21:05
Yeh, I read the github page ... although I'm still not really sure if it's useful for normal people, or if it's competing with lustre and thus the people using it should be able to configure their dynamic uids.
<@james:fedora.im>
16:21:30
I'd like one LHC, so I can test if you need this feature. Please and thank you. ;)
<@james:fedora.im>
16:22:06
!topic FPC#1445
<@james:fedora.im>
16:22:14
https://pagure.io/packaging-committee/issue/1445
<@conan_kudo:matrix.org>
16:23:36
this seems like things are happening now
<@conan_kudo:matrix.org>
16:23:41
so I don't think we need to do anything yet
<@james:fedora.im>
16:24:27
Yeh. Low traffic lists get 666 spams for every real email, and it sucks.
<@james:fedora.im>
16:25:19
I'm not sure if Fabio Valentini wants to keep it open for after the crypto team looks at it, or close this issue to do with the initial problems and open another later?
<@salimma:fedora.im>
16:25:26
sorry - what's that got to do with this topic?
<@salimma:fedora.im>
16:25:54
but yes agreed, we need to get rid of most mailing lists sadly given the spam issue
<@james:fedora.im>
16:26:12
That looked like what happened ... someone sent a real email to a low traffic list and it ended up in a moderation queue and nobody knew a real email was there.
<@decathorpe:fedora.im>
16:26:37
I got responses from Simo
<@decathorpe:fedora.im>
16:27:16
though I'm not sure if the mailing list is just broken or if they just started responding to me off-list and left all emails in the moderation queue anyway
<@james:fedora.im>
16:28:18
Any desires on what to do with the issue?
<@salimma:fedora.im>
16:28:32
oh, I just saw the comment you're referring to
<@salimma:fedora.im>
16:28:57
fwiw I mean get rid of the crypto list, not the rust list :)
<@decathorpe:fedora.im>
16:29:01
there's nothing to do for FPC *yet*, I'll get back to it once I know what I need to do
<@salimma:fedora.im>
16:29:04
the latter is trafficked enough to be useful
<@james:fedora.im>
16:29:30
Okay, I'll close it as fixed then ... we can all fill our TPS reports in with an extra win ;)
<@carlwgeorge:fedora.im>
16:29:47
a quick skim of the policy indicates that the requirement isn't just to consult with the crypto team, but to get their approval
<@tibbs:fedora.im>
16:30:10
Yeah that is what we were asked to implement.
<@tibbs:fedora.im>
16:30:15
(Sorry for my lateness.)
<@james:fedora.im>
16:30:16
Yeh, but that's more difficult if you can't speak with them.
<@carlwgeorge:fedora.im>
16:30:33
sure, but now that simo is replying on this issue ideally he can indicate approval there
<@conan_kudo:matrix.org>
16:31:03
some kind of remediation will need to occur to ensure this doesn't happen again, since all crypto library packages are blocked on Simo
<@tibbs:fedora.im>
16:31:24
The problem with all of this is that we were asked to put a policy in place, and then the rest of the structure needed to support that policy didn't really keep existing properly over time.
<@conan_kudo:matrix.org>
16:31:45
Tomas Mraz left Red Hat and is no longer paying attention to the crypto lists
<@carlwgeorge:fedora.im>
16:31:45
this broader issue seems like something to escalate to fesco
<@james:fedora.im>
16:31:50
My understanding is that we don't approve that many, and the crypto team does not want to start approving many.
<@conan_kudo:matrix.org>
16:31:53
he was the one who used to do most of this work
<@salimma:fedora.im>
16:32:06
these sorts of things sound like they should be run by SIGs
<@conan_kudo:matrix.org>
16:32:09
(he works for OpenSSL now)
<@salimma:fedora.im>
16:32:12
and SIGs should actively manage their memberships
<@james:fedora.im>
16:32:14
But I'm fine if anyone wants to escalate.
<@tibbs:fedora.im>
16:32:52
Personally I think we should avoid the precautionary principle and instead let these things in without additional review.
<@conan_kudo:matrix.org>
16:33:28
the track record for blocking on Red Hat teams makes me lean that way as well
<@carlwgeorge:fedora.im>
16:33:39
do we have a record anywhere of the original justification for the policy?
<@james:fedora.im>
16:33:59
I'm not sure how public it was, but I'm somewhat aware of it.
<@conan_kudo:matrix.org>
16:34:13
I'm not sure, but I think it came into existence with the attempt to do crypto unification 15 years ago
<@carlwgeorge:fedora.im>
16:34:21
i'm also leaning towards relaxing this, but am slightly concerned that having no review at all could go badly
<@james:fedora.im>
16:35:30
Basically every crypto library that needs to pass govt. inspection requires a very large amount of money. Spending that money the smallest number of times means it can be spent on interesting things.
<@decathorpe:fedora.im>
16:35:34
fwiw I am fine with having more than "just" a normal package review for sensitive stuff like this, so long as it works and doesn't unnecessarily block stuff
<@carlwgeorge:fedora.im>
16:35:41
a compromise could be asking for the crypto team input, and if they don't reply within say a month it's approved. clearly the mailing list is not working well for that process, so perhaps it can be handled in an issue tracker somewhere.
<@salimma:fedora.im>
16:36:08
yeah, we have seen people trying to ram through alternate SSL libraries, so I don't think a normal review is sufficient
<@conan_kudo:matrix.org>
16:36:11
a month would be too long
<@james:fedora.im>
16:36:22
Yeh, or they could have some kind of autoQA type thing that looks at requirements.
<@carlwgeorge:fedora.im>
16:36:23
basically give them a chance to veto bad stuff, but not block forever
<@salimma:fedora.im>
16:36:35
agreed with Carl that we should not block indefinitely too. but an analogy with how the legal team does review is probably useful
<@conan_kudo:matrix.org>
16:36:36
at most I'd be okay with two weeks
<@carlwgeorge:fedora.im>
16:36:49
arbitrary duration for the example, that can be decided later if we go that route
<@decathorpe:fedora.im>
16:36:50
I also feel somewhat "punished" for going through the process with aws-lc-rs whereas "ring" (which is what I'm trying to replace) just didn't go through the process at all 🤷‍♂️
<@conan_kudo:matrix.org>
16:36:54
FE-Legal is nonfunctional right now
<@salimma:fedora.im>
16:36:56
block on a tracker (FE-CRYPTO maybe?), file an issue somewhere, etc.
<@salimma:fedora.im>
16:37:16
well FE-Legal is a nice marker that "hey this package has something wrong with it" but you should still file the issue on their gitlab :)
<@conan_kudo:matrix.org>
16:37:28
yeah
<@james:fedora.im>
16:37:41
Yeh, that sucks ... and it's def. worth escalating that somewhere.
<@conan_kudo:matrix.org>
16:37:46
we could probably start having the Fedora Security SIG actually do some of this review too
<@salimma:fedora.im>
16:37:48
yeah, the inconsistency is not great
<@conan_kudo:matrix.org>
16:37:52
that way it does something
<@salimma:fedora.im>
16:37:59
that needs to be re-bootstrapped
<@james:fedora.im>
16:38:00
As FPC we have much less power than say fesco, for that kind of problem.
<@salimma:fedora.im>
16:38:29
and carefully, since we've seen things brought back to existence that I shall not name where the people involved suddenly stopped participating and lost control
<@conan_kudo:matrix.org>
16:38:39
right
<@james:fedora.im>
16:38:52
Carl George: For EPEL do you just rely on the Fedora review process?
<@carlwgeorge:fedora.im>
16:38:58
yup
<@carlwgeorge:fedora.im>
16:39:33
the standing orders for epel are "do what fedora does, and document any exceptions"
<@carlwgeorge:fedora.im>
16:40:17
"orders" sounds more rigid than i wanted, blame my military background for the lingo
<@james:fedora.im>
16:42:36
!topic Open Floor
<@james:fedora.im>
16:43:25
I'll be away from a computer again next week, although you are free to close issues without me :)
<@james:fedora.im>
16:43:43
Anything else anyone wants to talk about?
<@decathorpe:fedora.im>
16:43:58
I have nothing (yet) :)
<@conan_kudo:matrix.org>
16:45:29
nothing from me
<@james:fedora.im>
16:45:57
!info James out next week.
<@james:fedora.im>
16:46:00
!endmeeting