<@ydesouza:fedora.im>
16:30:52
!startmeeting fedora_coreos_meeting
<@meetbot:fedora.im>
16:30:53
Meeting started at 2025-05-21 16:30:52 UTC
<@meetbot:fedora.im>
16:30:53
The Meeting name is 'fedora_coreos_meeting'
<@ydesouza:fedora.im>
16:31:31
!topic roll call
<@hricky:fedora.im>
16:32:21
!hi
<@zodbot:fedora.im>
16:32:22
Hristo Marinov (hricky) - he / him / his
<@apiaseck:matrix.org>
16:32:57
!hi
<@zodbot:fedora.im>
16:32:59
Adam Piasecki (c4rt0) - he / him / his
<@marmijo:fedora.im>
16:33:15
!hi
<@mnguyen:fedora.im>
16:33:17
!hi mnguyen
<@zodbot:fedora.im>
16:33:17
Michael Armijo (marmijo)
<@zodbot:fedora.im>
16:33:18
Michael Nguyen (mnguyen)
<@ydesouza:fedora.im>
16:34:47
!topic Action items from last meeting
<@ydesouza:fedora.im>
16:35:53
We don't have any action items from the last meeting, so let's go ahead
<@ydesouza:fedora.im>
16:36:08
!topic Review Fedora 43 Release Schedule
<@ydesouza:fedora.im>
16:36:51
Do we have any new stuff to review about Fedora 43?
<@aaradhak:matrix.org>
16:37:30
!hi aaradhak
<@zodbot:fedora.im>
16:37:32
Aashish Radhakrishnan (aaradhak)
<@marmijo:fedora.im>
16:37:43
I don't believe so for this meeting. We'll probably discuss the change considerations as a separate topic.
<@ydesouza:fedora.im>
16:38:18
Nice! Let's go ahead!
<@ydesouza:fedora.im>
16:38:32
!topic New Package Request: trustee-guest-components
<@dustymabe:matrix.org>
16:38:42
!hi
<@zodbot:fedora.im>
16:38:44
Dusty Mabe (dustymabe) - he / him / his
<@dustymabe:matrix.org>
16:38:44
sorry I'm late
<@ydesouza:fedora.im>
16:38:44
Nice! Let's go ahead!
<@ydesouza:fedora.im>
16:39:12
NP! dustymabe
<@ydesouza:fedora.im>
16:40:01
apiaseck do you want to talk about this package request?
<@apiaseck:matrix.org>
16:40:17
Sure
<@jlebon:fedora.im>
16:40:31
!hi
<@zodbot:fedora.im>
16:40:32
None (jlebon)
<@apiaseck:matrix.org>
16:40:47
!topic New Package Request: trustee-guest-components
<@apiaseck:matrix.org>
16:41:35
trustee-guest-components was requested on the rhcos side, I was curious what is our stand on it and should we include it in fcos?
<@dustymabe:matrix.org>
16:42:40
> This package provides tools that run in a confidential VM
<@dustymabe:matrix.org>
16:43:08
but we don't really provide any confidential VM (outside of cloud providers anyway) artifacts today
<@dustymabe:matrix.org>
16:44:24
at least in my mind there's a big open question of how we're going to implement those artifacts and even if they will be more of a toy/PoC or not
<@siosm:matrix.org>
16:44:49
Yeah, sorry, I should have reached out earlier, it's not ready for inclusion and it's likely to be included only for the confidential cases when ready
<@dustymabe:matrix.org>
16:44:51
i.e. the artifacts we ship could be a PoC, but if someone really wanted to use them they'd use a tool to "build their own" with their keys
<@siosm:matrix.org>
16:45:59
yes, it's likely that this will be manually added for specific image for a while. It would also be most useful in the initrd and we are already tight on space there.
<@dustymabe:matrix.org>
16:46:33
> useful in the initrd and we are already tight on space there
<@dustymabe:matrix.org>
16:46:33
indeed
<@apiaseck:matrix.org>
16:46:46
Thank you for the above - that's sufficient, I believe we can move on to the next.
<@dustymabe:matrix.org>
16:47:25
apiaseck: I think the request is a good one, but just depends on answers to other questions :)
<@ydesouza:fedora.im>
16:47:46
!topic tracker: Fedora 43 changes considerations
<@siosm:matrix.org>
16:48:45
!hi
<@zodbot:fedora.im>
16:48:47
Timothée Ravier (siosm) - he / him / his
<@siosm:matrix.org>
16:48:51
(forgot to say hello)
<@siosm:matrix.org>
16:49:02
is marmijo here today?
<@siosm:matrix.org>
16:49:25
not sure if we have an update :)
<@marmijo:fedora.im>
16:49:40
I ran the script this morning and no new changes were reported
<@siosm:matrix.org>
16:49:50
thanks!
<@ydesouza:fedora.im>
16:50:00
Thanks marmijo
<@dustymabe:matrix.org>
16:50:06
There are a few in the list that don't have a check mark, though?
<@dustymabe:matrix.org>
16:50:10
should we cover those?
<@siosm:matrix.org>
16:50:20
oh indeed
<@marmijo:fedora.im>
16:50:25
Yes, there are. We haven't gotten to those yet.
<@siosm:matrix.org>
16:50:39
115, 116 & 213
<@siosm:matrix.org>
16:50:54
114 as well
<@marmijo:fedora.im>
16:51:24
208 and 213 as well
<@ydesouza:fedora.im>
16:51:34
Let's talk about them?
<@ydesouza:fedora.im>
16:51:56
Let's start with 115 first
<@ydesouza:fedora.im>
16:52:24
gpgverify is a wrapper around gpgv designed to make it easy for packagers to do source file verification correctly. By accident it has some limitations that a few unusual packages have to work around. This change removes those limitations, reducing the need for workarounds.
<@dustymabe:matrix.org>
16:52:25
114
<@dustymabe:matrix.org>
16:52:45
well I guess we can go back to 114 :)
<@ydesouza:fedora.im>
16:53:06
In order to increase the performance of OpenSSL by default using directory-hash format we need to drop the /etc/pki/tls/cert.pem file to prevent it from being loaded by default. This also includes the certificate bundles in /etc/pki/tls/certs/ folder (ca-certificates.crt, ca-bundle.crt).
<@dustymabe:matrix.org>
16:56:06
Do we have any software that use the certs directly?
<@dustymabe:matrix.org>
16:56:06
How does something like say zincati, communicate with cincinnati and have all the TLS verified?
<@marmijo:fedora.im>
16:58:35
I really don't know but I can try to take a look
<@ydesouza:fedora.im>
16:59:20
Can we do an action item for that, marmijo?
<@marmijo:fedora.im>
16:59:45
sure!
<@jlebon:fedora.im>
16:59:48
i don't think we need to worry about this
<@jlebon:fedora.im>
17:00:20
everything should be using either certs via libraries or at worst the extracted/ bundle
<@dustymabe:matrix.org>
17:00:35
Jonathan Lebon: fair..
<@dustymabe:matrix.org>
17:00:50
do you know where the certs via libraries come from? are they just compiled into the libraries?
<@jlebon:fedora.im>
17:01:54
if it's openssl, it should come from that extracted bundle
<@jlebon:fedora.im>
17:02:45
other things like java might have their own mechanism, but AIUI they should all be using bits in extracted/
<@jlebon:fedora.im>
17:03:19
e.g. `/etc/pki/java/cacerts` is a symlink to `/etc/pki/ca-trust/extracted/java/cacerts`
<@siosm:matrix.org>
17:03:37
agree, I don't think this will impact us. We can do a quick check removing the files and seeing if all our tests pass
<@siosm:matrix.org>
17:04:27
but checking that zincati still works would be good :)
<@siosm:matrix.org>
17:04:56
so let's create a small issue for someone to try it?
<@jlebon:fedora.im>
17:05:58
wouldn't rawhide CI exercise this though?
<@siosm:matrix.org>
17:07:37
ah indeed, true
<@marmijo:fedora.im>
17:09:03
Maybe I can add a note to this one that it should be transparent to FCOS, but we should be aware of it and watch for any CI failures in rawhide
<@siosm:matrix.org>
17:11:32
agree, let's move to the next one
<@ydesouza:fedora.im>
17:11:38
It looks like a nice idea, marmijo
<@ydesouza:fedora.im>
17:11:38
Can we go ahead and try to discuss at least one more change before going to open floor?
<@ydesouza:fedora.im>
17:11:53
gpgverify is a wrapper around gpgv designed to make it easy for packagers to do source file verification correctly. By accident it has some limitations that a few unusual packages have to work around. This change removes those limitations, reducing the need for workarounds.
<@dustymabe:matrix.org>
17:14:26
Looks like it won't affect us as `redhat-rpm-config` (current provider of `gpgverify`) isn't in FCOS
<@marmijo:fedora.im>
17:14:57
the impact also states it's fully backwards compatible and no spec file will break
<@ydesouza:fedora.im>
17:16:09
Nice, I guess we can go to open floor now!
<@ydesouza:fedora.im>
17:16:13
!topic Open Floor
<@ydesouza:fedora.im>
17:16:27
Does anyone have a topic to discuss today?
<@nemric:relativit.fr>
17:17:24
Are there any plans to make sysexts "official"?
<@nemric:relativit.fr>
17:18:07
It's not a problem for me to rely on travier's repo ;)
<@dustymabe:matrix.org>
17:20:16
Nemric: nothing official right now. Not unless travier has more plans :)
<@siosm:matrix.org>
17:21:00
They need work on the update side to be more reliable.
<@nemric:relativit.fr>
17:23:15
ok, sysexts are a great improvement!
<@ydesouza:fedora.im>
17:24:30
Great! Any other topics, folks?
<@dustymabe:matrix.org>
17:26:06
None from me
<@ydesouza:fedora.im>
17:27:02
We are almost finishing our time and I think there are no more topics for today, so it's time to say goodbye.
<@ydesouza:fedora.im>
17:27:14
Thank you all for participating, and see you next week!
<@ydesouza:fedora.im>
17:27:41
!endmeeting