2025-03-27 16:00:22 <@james:fedora.im> !startmeeting fpc
2025-03-27 16:00:24 <@meetbot:fedora.im> Meeting started at 2025-03-27 16:00:22 UTC
2025-03-27 16:00:24 <@meetbot:fedora.im> The Meeting name is 'fpc'
2025-03-27 16:00:25 <@james:fedora.im> !topic Roll Call
2025-03-27 16:00:57 <@decathorpe:fedora.im> !hi
2025-03-27 16:00:58 <@zodbot:fedora.im> Fabio Valentini (decathorpe) - he / him / his
2025-03-27 16:01:04 <@james:fedora.im> !hi
2025-03-27 16:01:06 <@zodbot:fedora.im> James Antill (james)
2025-03-27 16:01:42 <@salimma:fedora.im> !hi
2025-03-27 16:01:44 <@zodbot:fedora.im> Michel Lind (salimma) - he / him / his
2025-03-27 16:02:10 <@conan_kudo:matrix.org> !hi
2025-03-27 16:02:12 <@zodbot:fedora.im> Neal Gompa (ngompa) - he / him / his
2025-03-27 16:02:20 <@carlwgeorge:fedora.im> !hi
2025-03-27 16:02:21 <@zodbot:fedora.im> Carl George (carlwgeorge) - he / him / his
2025-03-27 16:02:58 <@conan_kudo:matrix.org> my 2014 MBP is finally retired to just be used for Fedora on Intel Mac testing/dev
2025-03-27 16:03:55 <@salimma:fedora.im> I have had to purge my old Macs from my account just to be able to turn on ADP :P
2025-03-27 16:04:22 <@conan_kudo:matrix.org> I haven't done that yet 😅
2025-03-27 16:04:26 <@james:fedora.im> Paychecks?
2025-03-27 16:05:18 <@salimma:fedora.im> advanced data protection
2025-03-27 16:05:39 <@salimma:fedora.im> if you're in the UK you really want to turn it on now before it's too late (it probably already is) - Apple agreed to turn it off iirc because govt likes your data
2025-03-27 16:05:56 <@salimma:fedora.im> basically E2EE backup. which to my chagrin is not on by default
2025-03-27 16:07:19 <@james:fedora.im> Not living in the UK, or using iPhone/iCloud ... I guess I'm blissfully ignorant.
2025-03-27 16:07:51 <@salimma:fedora.im> Element is already fielding questions from users about how they're affected
2025-03-27 16:07:59 <@salimma:fedora.im> so we're all affected too really. EMS is a UK company
2025-03-27 16:08:13 <@salimma:fedora.im> but anyway
2025-03-27 16:08:41 <@james:fedora.im> Interesting.
2025-03-27 16:08:52 <@james:fedora.im> But, yeh, let's re-topic ...
2025-03-27 16:08:54 <@salimma:fedora.im> https://i.kym-cdn.com/entries/icons/original/000/019/304/Old_Man_Yells_at_cloud_cover.jpg
2025-03-27 16:09:04 <@james:fedora.im> !topic FPC#1444 https://pagure.io/packaging-committee/issue/1444
2025-03-27 16:12:21 <@james:fedora.im> Anyone have any thoughts?
2025-03-27 16:12:32 <@james:fedora.im> Fabio Valentini: is +1
2025-03-27 16:12:40 <@carlwgeorge:fedora.im> don't containers do magic stuff with uid remapping?
2025-03-27 16:12:58 <@conan_kudo:matrix.org> only to create a uid namespace for the executing user
2025-03-27 16:13:11 <@conan_kudo:matrix.org> e.g. mapping current user to the namespaced root user
2025-03-27 16:13:16 <@salimma:fedora.im> pagure is down, I can't open it
2025-03-27 16:13:27 <@conan_kudo:matrix.org> it's broken on firefox works in chrome
2025-03-27 16:13:29 <@conan_kudo:matrix.org> why dunno
2025-03-27 16:13:38 <@salimma:fedora.im> so yesterday it worked for me on the same Firefox. odd
2025-03-27 16:13:42 <@conan_kudo:matrix.org> been like this since yesterday
2025-03-27 16:13:46 <@conan_kudo:matrix.org> for me
2025-03-27 16:13:50 <@salimma:fedora.im> oh I just upgraded this box yesterday. sigh. maybe now this is broken
2025-03-27 16:14:01 <@salimma:fedora.im> maybe we should resort to creating PDFs of meeting tickets. or archive.is :P
2025-03-27 16:14:11 <@salimma:fedora.im> oh it works on incognito
2025-03-27 16:14:16 <@james:fedora.im> Michel Lind UTC-6: It's been weird for at least a day ... try a different window or a private tab or something. Sometimes it just fixes itself after a wait.
2025-03-27 16:14:34 <@salimma:fedora.im> yeah I'm +1 too
2025-03-27 16:14:35 <@conan_kudo:matrix.org> I'm fine with granting a static allocation here
2025-03-27 16:14:35 <@conan_kudo:matrix.org> +1
2025-03-27 16:14:48 <@salimma:fedora.im> but I wonder if the packager has a plan to migrate existing installs to the new uid/gid
2025-03-27 16:14:53 <@carlwgeorge:fedora.im> i'm overall indifferent on this one, but the container example they're giving still sounds fishy to me
2025-03-27 16:15:02 <@carlwgeorge:fedora.im> > Just this week we hit an issue where the system UID for xrootd did not match the container UID for xrootd, causing failures in having xrootd access SMB/CIFS-based filesystems (this is because the kernel invokes cifs-upcall in the system namespace while the access occurred from the container).
2025-03-27 16:15:33 <@carlwgeorge:fedora.im> maybe i just don't understand the software
2025-03-27 16:16:21 <@james:fedora.im> I feel like forever these are all the same problem ... we use this app. over NFS and thus. need a static uid, we use this in ostree, we use this in containers, etc.
2025-03-27 16:17:09 <@james:fedora.im> And to be fair, each thing is much easier to solve with a static uid for those 6, 666, or 666k users.
2025-03-27 16:17:25 <@conan_kudo:matrix.org> tbh static allocations probably need to become more of a default for network connected services
2025-03-27 16:17:32 <@james:fedora.im> I've no idea how popular xrootd is.
2025-03-27 16:17:37 <@conan_kudo:matrix.org> there are so many things that go wrong when you don't
2025-03-27 16:17:48 <@salimma:fedora.im> yup. container is just the new manifestation
2025-03-27 16:19:42 <@conan_kudo:matrix.org> it's a networked data storage system, so meh, let's give it the allocation
2025-03-27 16:20:22 <@salimma:fedora.im> we have enough to pass it right? who has not voted
2025-03-27 16:20:25 <@salimma:fedora.im> let's just move on
2025-03-27 16:21:05 <@james:fedora.im> Yeh, I read the github page ... although I'm still not really sure if it's useful for normal people, or if it's competing with lustre and thus. the people using it should be able to configure their dynamic uids.
2025-03-27 16:21:30 <@james:fedora.im> I'd like one LHC, so I can test if you need this feature. Please and thank you. ;)
2025-03-27 16:22:06 <@james:fedora.im> !topic FPC#1445
2025-03-27 16:22:14 <@james:fedora.im> https://pagure.io/packaging-committee/issue/1445
2025-03-27 16:23:36 <@conan_kudo:matrix.org> this seems like things are happening now
2025-03-27 16:23:41 <@conan_kudo:matrix.org> so I don't think we need to do anything yet
2025-03-27 16:24:27 <@james:fedora.im> Yeh. Low traffic lists get 666 spams for every real email, and it sucks.
2025-03-27 16:25:19 <@james:fedora.im> I'm not sure if Fabio Valentini wants to keep it open for after the crypto team looks at it, or close this issue to do with the initial problems and open another later?
2025-03-27 16:25:26 <@salimma:fedora.im> sorry - what's that got to do with this topic?
2025-03-27 16:25:54 <@salimma:fedora.im> but yes agreed, we need to get rid of most mailing lists sadly given the spam issue
2025-03-27 16:26:12 <@james:fedora.im> That looked like what happened ... someone sent a real email to a low traffic list and it ended up in a moderation queue and nobody knew a real email was there.
2025-03-27 16:26:37 <@decathorpe:fedora.im> I got responses from Simo
2025-03-27 16:27:16 <@decathorpe:fedora.im> though I'm not sure if the mailing list is just broken or if they just started responding to me off-list and left all emails in the moderation queue anyway
2025-03-27 16:28:18 <@james:fedora.im> Any desires on what to do with the issue?
2025-03-27 16:28:32 <@salimma:fedora.im> oh, I just saw the comment you're referring to
2025-03-27 16:28:57 <@salimma:fedora.im> fwiw I mean get rid of the crypto list, not the rust list :)
2025-03-27 16:29:01 <@decathorpe:fedora.im> there's nothing to do for FPC *yet*, I'll get back to it once I know what I need to do
2025-03-27 16:29:04 <@salimma:fedora.im> the latter is trafficked enough to be useful
2025-03-27 16:29:30 <@james:fedora.im> Okay, I'll close it as fixed then ... we can all fill our TPS reports in with an extra win ;)
2025-03-27 16:29:47 <@carlwgeorge:fedora.im> a quick skim of the policy indicates that the requirement isn't just to consult with the crypto team, but to get their approval
2025-03-27 16:30:10 <@tibbs:fedora.im> Yeah that is what we were asked to implement.
2025-03-27 16:30:15 <@tibbs:fedora.im> (Sorry for my lateness.)
2025-03-27 16:30:16 <@james:fedora.im> Yeh, but that's more difficult if you can't speak with them.
2025-03-27 16:30:33 <@carlwgeorge:fedora.im> sure, but now that simo is replying on this issue ideally he can indicate approval there
2025-03-27 16:31:03 <@conan_kudo:matrix.org> some kind of remediation will need to occur to ensure this doesn't happen again, since all crypto library packages are blocked on Simo
2025-03-27 16:31:24 <@tibbs:fedora.im> The problem with all of this is that we were asked to put a policy in place, and then the rest of the structure needed to support that policy didn't really keep existing properly over time.
2025-03-27 16:31:45 <@conan_kudo:matrix.org> Tomas Mraz left Red Hat and is no longer paying attention to the crypto lists
2025-03-27 16:31:45 <@carlwgeorge:fedora.im> this broader issue seems like something to escalate to fesco
2025-03-27 16:31:50 <@james:fedora.im> My understanding is that we don't approve that many, and the crypto team does not want to start approving many.
2025-03-27 16:31:53 <@conan_kudo:matrix.org> he was the one who used to do most of this work
2025-03-27 16:32:06 <@salimma:fedora.im> these sort of things sound like they should be run by SIGs
2025-03-27 16:32:09 <@conan_kudo:matrix.org> (he works for OpenSSL now)
2025-03-27 16:32:12 <@salimma:fedora.im> and SIGs should actively manage their memberships
2025-03-27 16:32:14 <@james:fedora.im> But I'm fine if anyone wants to escalate.
2025-03-27 16:32:52 <@tibbs:fedora.im> Personally I think we should avoid the precautionary principle and instead let these things in without additional review.
2025-03-27 16:33:28 <@conan_kudo:matrix.org> the track record for blocking on Red Hat teams makes me lean that way as well
2025-03-27 16:33:39 <@carlwgeorge:fedora.im> do we have a record anywhere of the original justification for the policy?
2025-03-27 16:33:59 <@james:fedora.im> I'm not sure how public it was, but I'm somewhat aware of it.
2025-03-27 16:34:13 <@conan_kudo:matrix.org> I'm not sure, but I think it came into existence with the attempt to do crypto unification 15 years ago
2025-03-27 16:34:21 <@carlwgeorge:fedora.im> i'm also leaning towards relaxing this, but am slightly concerned that having no review at all could go badly
2025-03-27 16:35:30 <@james:fedora.im> Basically every crypto library that needs to pass govt. inspection requires a very large amount of money. Spending that money the smallest number of times means it can be spent on interesting things.
2025-03-27 16:35:34 <@decathorpe:fedora.im> fwiw I am fine with having more than "just" a normal package review for sensitive stuff like this, so long as it works and doesn't unnecessarily block stuff
2025-03-27 16:35:41 <@carlwgeorge:fedora.im> a compromise could be asking for the crypto team input, and if they don't reply within say a month it's approved. clearly the mailing list is not working well for that process, so perhaps it can be handled in an issue tracker somewhere.
2025-03-27 16:36:08 <@salimma:fedora.im> yeah, we have seen people trying to ram through alternate SSL libraries, so I don't think a normal review is sufficient
2025-03-27 16:36:11 <@conan_kudo:matrix.org> a month would be too long
2025-03-27 16:36:22 <@james:fedora.im> Yeh, or they could have some kind of autoQA type thing that looks at requirements.
2025-03-27 16:36:23 <@carlwgeorge:fedora.im> basically give them a chance to veto bad stuff, but not block forever
2025-03-27 16:36:35 <@salimma:fedora.im> agreed with Carl that we should not block indefinitely too. but an analogy with how the legal team does review is probably useful
2025-03-27 16:36:36 <@conan_kudo:matrix.org> at most I'd be okay with two weeks
2025-03-27 16:36:49 <@carlwgeorge:fedora.im> arbitrary duration for the example, that can be decided later if we go that route
2025-03-27 16:36:50 <@decathorpe:fedora.im> I also feel somewhat "punished" for going through the process with aws-lc-rs whereas "ring" (which is what I'm trying to replace) just didn't go through the process at all 🤷‍♂️
2025-03-27 16:36:54 <@conan_kudo:matrix.org> FE-Legal is nonfunctional right now
2025-03-27 16:36:56 <@salimma:fedora.im> block on a tracker (FE-CRYPTO maybe?), file an issue somewhere, etc.
2025-03-27 16:37:16 <@salimma:fedora.im> well FE-Legal is a nice marker that "hey this package has something wrong with it" but you should still file the issue on their gitlab :)
2025-03-27 16:37:28 <@conan_kudo:matrix.org> yeah
2025-03-27 16:37:41 <@james:fedora.im> Yeh, that sucks ... and it's def. worth escalating that somewhere.
2025-03-27 16:37:46 <@conan_kudo:matrix.org> we could probably start having the Fedora Security SIG actually do some of this review too
2025-03-27 16:37:48 <@salimma:fedora.im> yeah, the inconsistency is not great
2025-03-27 16:37:52 <@conan_kudo:matrix.org> that way it does something
2025-03-27 16:37:59 <@salimma:fedora.im> that needs to be re-bootstrapped
2025-03-27 16:38:00 <@james:fedora.im> As FPC we have much less power than say fesco, for that kind of problem.
2025-03-27 16:38:29 <@salimma:fedora.im> and carefully, since we've seen things brought back to existence that I shall not name where the people involved suddenly stop participating and lost control
2025-03-27 16:38:39 <@conan_kudo:matrix.org> right
2025-03-27 16:38:52 <@james:fedora.im> Carl George: For EPEL do you just rely on the Fedora review process?
2025-03-27 16:38:58 <@carlwgeorge:fedora.im> yup
2025-03-27 16:39:33 <@carlwgeorge:fedora.im> the standing orders for epel are "do what fedora does, and document any exceptions"
2025-03-27 16:40:17 <@carlwgeorge:fedora.im> "orders" sounds more rigid than i wanted, blame my military background for the lingo
2025-03-27 16:42:36 <@james:fedora.im> !topic Open Floor
2025-03-27 16:43:25 <@james:fedora.im> I'll be away from a computer again next week, although you are free to close issues without me :)
2025-03-27 16:43:43 <@james:fedora.im> Anything else anyone wants to talk about?
2025-03-27 16:43:58 <@decathorpe:fedora.im> I have nothing (yet) :)
2025-03-27 16:45:29 <@conan_kudo:matrix.org> nothing from me
2025-03-27 16:45:57 <@james:fedora.im> !info James out next week.
2025-03-27 16:46:00 <@james:fedora.im> !endmeeting