2025-05-21 16:30:52 <@ydesouza:fedora.im> !startmeeting fedora_coreos_meeting
2025-05-21 16:30:53 <@meetbot:fedora.im> Meeting started at 2025-05-21 16:30:52 UTC
2025-05-21 16:30:53 <@meetbot:fedora.im> The Meeting name is 'fedora_coreos_meeting'
2025-05-21 16:31:31 <@ydesouza:fedora.im> !topic roll call
2025-05-21 16:32:21 <@hricky:fedora.im> !hi
2025-05-21 16:32:22 <@zodbot:fedora.im> Hristo Marinov (hricky) - he / him / his
2025-05-21 16:32:57 <@apiaseck:matrix.org> !hi
2025-05-21 16:32:59 <@zodbot:fedora.im> Adam Piasecki (c4rt0) - he / him / his
2025-05-21 16:33:15 <@marmijo:fedora.im> !hi
2025-05-21 16:33:17 <@mnguyen:fedora.im> !hi mnguyen
2025-05-21 16:33:17 <@zodbot:fedora.im> Michael Armijo (marmijo)
2025-05-21 16:33:18 <@zodbot:fedora.im> Michael Nguyen (mnguyen)
2025-05-21 16:34:47 <@ydesouza:fedora.im> !topic Action items from last meeting
2025-05-21 16:35:53 <@ydesouza:fedora.im> We don't have any action items from the last meeting, so let's go ahead
2025-05-21 16:36:08 <@ydesouza:fedora.im> !topic Review Fedora 43 Release Schedule
2025-05-21 16:36:08 <@ydesouza:fedora.im> !link https://fedorapeople.org/groups/schedule/f-43/f-43-key-tasks.html
2025-05-21 16:36:51 <@ydesouza:fedora.im> Do we have any new stuff to review about Fedora 43?
2025-05-21 16:37:30 <@aaradhak:matrix.org> !hi aaradhak
2025-05-21 16:37:32 <@zodbot:fedora.im> Aashish Radhakrishnan (aaradhak)
2025-05-21 16:37:43 <@marmijo:fedora.im> I don't believe so for this meeting. We'll probably discuss the change considerations as a separate topic.
2025-05-21 16:38:18 <@ydesouza:fedora.im> Nice! Let's go ahead!
2025-05-21 16:38:32 <@ydesouza:fedora.im> !topic New Package Request: trustee-guest-components
2025-05-21 16:38:32 <@ydesouza:fedora.im> !link https://github.com/coreos/fedora-coreos-tracker/issues/1956
2025-05-21 16:38:42 <@dustymabe:matrix.org> !hi
2025-05-21 16:38:44 <@zodbot:fedora.im> Dusty Mabe (dustymabe) - he / him / his
2025-05-21 16:38:44 <@dustymabe:matrix.org> sorry I'm late
2025-05-21 16:39:12 <@ydesouza:fedora.im> NP! dustymabe
2025-05-21 16:40:01 <@ydesouza:fedora.im> apiaseck do you want to talk about this package request?
2025-05-21 16:40:17 <@apiaseck:matrix.org> Sure
2025-05-21 16:40:31 <@jlebon:fedora.im> !hi
2025-05-21 16:40:32 <@zodbot:fedora.im> None (jlebon)
2025-05-21 16:40:47 <@apiaseck:matrix.org> !topic New Package Request: trustee-guest-components
2025-05-21 16:40:58 <@apiaseck:matrix.org> !link https://github.com/coreos/fedora-coreos-tracker/issues/1956
2025-05-21 16:41:35 <@apiaseck:matrix.org> trustee-guest-components was requested on the rhcos side, I was curious what is our stand on it and should we include it in fcos?
2025-05-21 16:43:08 <@dustymabe:matrix.org> > This package provides tools that run in a confidential VM
2025-05-21 16:43:08 <@dustymabe:matrix.org> but we don't really provide any confidential VM (outside of cloud providers anyway) artifacts today
2025-05-21 16:44:24 <@dustymabe:matrix.org> at least in my mind there's a big open question of how we're going to implement those artifacts and even if they will be more of a toy/PoC or not
2025-05-21 16:44:49 <@siosm:matrix.org> Yeah, sorry, I should have reached out earlier, it's not ready for inclusion and it's likely to be included only for the confidential cases when ready
2025-05-21 16:44:51 <@dustymabe:matrix.org> i.e. the artifacts we ship could be a PoC, but if someone really wanted to use them they'd use a tool to "build their own" with their keys
2025-05-21 16:45:59 <@siosm:matrix.org> yes, it's likely that this will be manually added for specific image for a while. It would also be most useful in the initrd and we are already tight on space there.
2025-05-21 16:46:33 <@dustymabe:matrix.org> > useful in the initrd and we are already tight on space there
2025-05-21 16:46:33 <@dustymabe:matrix.org> indeed
2025-05-21 16:46:46 <@apiaseck:matrix.org> Thank you for the above - that's sufficient, I believe we can move on to the next.
2025-05-21 16:47:25 <@dustymabe:matrix.org> apiaseck: I think the request is a good one, but just depends on answers to other questions :)
2025-05-21 16:47:46 <@ydesouza:fedora.im> !link https://github.com/coreos/fedora-coreos-tracker/issues/1934
2025-05-21 16:47:46 <@ydesouza:fedora.im> !topic tracker: Fedora 43 changes considerations
2025-05-21 16:48:45 <@siosm:matrix.org> !hi
2025-05-21 16:48:47 <@zodbot:fedora.im> Timothée Ravier (siosm) - he / him / his
2025-05-21 16:48:51 <@siosm:matrix.org> (forgot to say hello)
2025-05-21 16:49:02 <@siosm:matrix.org> is marmijo here today?
2025-05-21 16:49:25 <@siosm:matrix.org> not sure if we have an update :)
2025-05-21 16:49:40 <@marmijo:fedora.im> I ran the script this morning and no new changes were reported
2025-05-21 16:49:50 <@siosm:matrix.org> thanks!
2025-05-21 16:50:00 <@ydesouza:fedora.im> Thanks marmijo
2025-05-21 16:50:06 <@dustymabe:matrix.org> There are a few in the list that don't have a check mark, though?
2025-05-21 16:50:10 <@dustymabe:matrix.org> should we cover those?
2025-05-21 16:50:20 <@siosm:matrix.org> oh indeed
2025-05-21 16:50:25 <@marmijo:fedora.im> Yes, there are. We haven't gotten to those yet.
2025-05-21 16:50:39 <@siosm:matrix.org> 115, 116 & 213
2025-05-21 16:50:54 <@siosm:matrix.org> 114 as well
2025-05-21 16:51:24 <@marmijo:fedora.im> 208 and 213 as well
2025-05-21 16:51:34 <@ydesouza:fedora.im> Let's talk about them?
2025-05-21 16:51:56 <@ydesouza:fedora.im> Let's start with 115 first
2025-05-21 16:52:24 <@ydesouza:fedora.im> gpgverify is a wrapper around gpgv designed to make it easy for packagers to do source file verification correctly. By accident it has some limitations that a few unusual packages have to work around. This change removes those limitations, reducing the need for workarounds.
2025-05-21 16:52:24 <@ydesouza:fedora.im> !link https://fedoraproject.org/wiki/Changes/Fix_limitations_in_gpgverify
2025-05-21 16:52:25 <@dustymabe:matrix.org> 114
2025-05-21 16:52:45 <@dustymabe:matrix.org> well I guess we can go back to 114 :)
2025-05-21 16:52:57 <@ydesouza:fedora.im> !link https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile
2025-05-21 16:53:06 <@ydesouza:fedora.im> In order to increase the performance of OpenSSL by default using directory-hash format we need to drop the /etc/pki/tls/cert.pem file to prevent it from being loaded by default. This also includes the certificate bundles in /etc/pki/tls/certs/ folder (ca-certificates.crt, ca-bundle.crt).
2025-05-21 16:56:06 <@dustymabe:matrix.org> Do we have any software that uses the certs directly?
2025-05-21 16:56:06 <@dustymabe:matrix.org> How does something like say zincati, communicate with cincinnati and have all the TLS verified?
2025-05-21 16:58:35 <@marmijo:fedora.im> I really don't know but I can try to take a look
2025-05-21 16:59:20 <@ydesouza:fedora.im> Can we do an action item for that, marmijo ?
2025-05-21 16:59:45 <@marmijo:fedora.im> sure!
2025-05-21 16:59:48 <@jlebon:fedora.im> i don't think we need to worry about this
2025-05-21 17:00:20 <@jlebon:fedora.im> everything should be using either certs via libraries or at worst the extracted/ bundle
2025-05-21 17:00:35 <@dustymabe:matrix.org> Jonathan Lebon: fair..
2025-05-21 17:00:50 <@dustymabe:matrix.org> do you know where the certs via libraries come from? are they just compiled into the libraries?
2025-05-21 17:01:54 <@jlebon:fedora.im> if it's openssl, it should come from that extracted bundle
2025-05-21 17:02:45 <@jlebon:fedora.im> other things like java might have their own mechanism, but AIUI they should all be using bits in extracted/
2025-05-21 17:03:19 <@jlebon:fedora.im> e.g. `/etc/pki/java/cacerts` is a symlink to `/etc/pki/ca-trust/extracted/java/cacerts`
2025-05-21 17:03:37 <@siosm:matrix.org> agree, I don't think this will impact us. We can do a quick check removing the files and seeing if all our tests pass
2025-05-21 17:04:27 <@siosm:matrix.org> but checking that zincati still works would be good :)
2025-05-21 17:04:56 <@siosm:matrix.org> so let's create a small issue for someone to try it?
2025-05-21 17:05:58 <@jlebon:fedora.im> wouldn't rawhide CI exercise this though?
2025-05-21 17:07:37 <@siosm:matrix.org> ah indeed, true
2025-05-21 17:09:03 <@marmijo:fedora.im> Maybe I can add a note to this one that it should be transparent to FCOS, but we should be aware of it and watch for any CI failures in rawhide
2025-05-21 17:11:32 <@siosm:matrix.org> agree, let's move to the next one
2025-05-21 17:11:38 <@ydesouza:fedora.im> It looks like a nice idea, marmijo
2025-05-21 17:11:38 <@ydesouza:fedora.im> Can we go ahead to try to discuss at least one more change before going to open floor?
2025-05-21 17:11:53 <@ydesouza:fedora.im> gpgverify is a wrapper around gpgv designed to make it easy for packagers to do source file verification correctly. By accident it has some limitations that a few unusual packages have to work around. This change removes those limitations, reducing the need for workarounds.
2025-05-21 17:11:53 <@ydesouza:fedora.im> !link https://fedoraproject.org/wiki/Changes/Fix_limitations_in_gpgverify
2025-05-21 17:14:26 <@dustymabe:matrix.org> Looks like it won't affect us as `redhat-rpm-config` (current provider of `gpgverify`) isn't in FCOS
2025-05-21 17:14:57 <@marmijo:fedora.im> the impact also states it's fully backwards compatible and no spec file will break
2025-05-21 17:16:09 <@ydesouza:fedora.im> Nice, I guess we can go to open floor now!
2025-05-21 17:16:13 <@ydesouza:fedora.im> !topic Open Floor
2025-05-21 17:16:27 <@ydesouza:fedora.im> Does anyone have a topic to discuss today?
2025-05-21 17:17:24 <@nemric:relativit.fr> Are there any plans to make sysexts "official"?
2025-05-21 17:18:07 <@nemric:relativit.fr> It's not a problem for me to rely on travier's repo ;)
2025-05-21 17:20:16 <@dustymabe:matrix.org> Nemric: nothing official right now. Not unless travier has more plans :)
2025-05-21 17:21:00 <@siosm:matrix.org> They need work on the update side to be more reliable.
2025-05-21 17:23:15 <@nemric:relativit.fr> ok, sysexts are a great improvement!
2025-05-21 17:24:30 <@ydesouza:fedora.im> Great! Any other topics, folks?
2025-05-21 17:26:06 <@dustymabe:matrix.org> None from me
2025-05-21 17:27:02 <@ydesouza:fedora.im> We are almost finishing our time and I think there are no more topics for today so it's time to say goodbye.
2025-05-21 17:27:14 <@ydesouza:fedora.im> Thank you all for participating and see you next week!
2025-05-21 17:27:41 <@ydesouza:fedora.im> !endmeeting