#meeting-2:fedoraproject.org log

<@jflory7:fedora.im>

15:03:32

!startmeeting Fedora Council - 2026-03-11

<@meetbot:fedora.im>

15:03:32

Meeting started at 2026-03-11 15:03:32 UTC

<@meetbot:fedora.im>

15:03:33

The Meeting name is 'Fedora Council - 2026-03-11'

<@jflory7:fedora.im>

15:03:38

!meetingname council

<@meetbot:fedora.im>

15:03:39

The Meeting Name is now council

<@jflory7:fedora.im>

15:03:46

!topic Welcomes & Hellos

<@jflory7:fedora.im>

15:03:52

!group members Council

<@zodbot:fedora.im>

15:03:54

Members of Council: Aoife Moloney, Aleksandra Fedorova, Miro Hrončok, Dave Cantrell, jflory7 (@jflory7:fedora.im, @fca:fedoraproject.org), Jona Azizaj, Jef Spaleta, Laura Santamaria, Petr Bokoč, Peter Boy, Ryan Lerch, Akashdeep Dhar

<@jflory7:fedora.im>

15:03:55

!hi

<@zodbot:fedora.im>

15:03:57

Justin Wheeler (jflory7) - he / him / his

<@churchyard:fedora.im>

15:03:59

!hi

<@zodbot:fedora.im>

15:03:59

Miro Hrončok (churchyard) - he / him / his or they / them / theirs

<@bookwar:fedora.im>

15:04:03

!hi

<@zodbot:fedora.im>

15:04:04

Aleksandra Fedorova (bookwar) - she / her / hers

<@jflory7:fedora.im>

15:04:32

Good morning, folks! Well, good morning from here anyways. US Pacific time zone is a hard one in Fedora 😅

<@jflory7:fedora.im>

15:05:26

[@jspaleta:fedora.im](https://matrix.to/#/@jspaleta:fedora.im) I'm multitasking a breakfast while getting ready to check out of my hotel in a bit. I didn't have topics triaged yet. I know we have two new tickets of various priorities. Did you manage to identify some agenda topics of interest for today?

<@jspaleta:fedora.im>

15:05:26

sorry for that

<@jspaleta:fedora.im>

15:05:38

daylight savings is such a mess

<@jflory7:fedora.im>

15:05:47

That also doesn't help :D

<@jspaleta:fedora.im>

15:06:07

I think we need press on with the policy draft discussion around pagure as a priority

<@jflory7:fedora.im>

15:06:43

Works for me

<@jspaleta:fedora.im>

15:07:23

if we have time for anything else... then we can look over the ticket backlog after that

<@jspaleta:fedora.im>

15:07:32

bookwar: should the floor go to you?

<@jspaleta:fedora.im>

15:07:53

!hi

<@zodbot:fedora.im>

15:07:54

Jef Spaleta (jspaleta) - he / him / his

<@bookwar:fedora.im>

15:08:25

Not sure, as I was not actually doing the work, but let's try

<@bookwar:fedora.im>

15:08:32

Can you set a topic?

<@jflory7:fedora.im>

15:08:54

https://forge.fedoraproject.org/council/tickets/issues/558

<@jflory7:fedora.im>

15:08:55

https://forge.fedoraproject.org/council/tickets/issues/559

<@jflory7:fedora.im>

15:09:01

These seem like the two topics we should cover today

<@jspaleta:fedora.im>

15:09:53

Agreed lets start with the forge.. Ill set a topic

<@jflory7:fedora.im>

15:09:55

I'd like to come back to this as well, since @t0xic0der has been working on a draft. But I think I saw some review comments yesterday

<@jflory7:fedora.im>

15:09:55

<@jflory7:fedora.im>

15:09:55

https://forge.fedoraproject.org/council/tickets/issues/550

<@jflory7:fedora.im>

15:10:02

Let's see what we can get through today.

<@jflory7:fedora.im>

15:10:13

!topic Ticket #558: Fedora Forge usage policy

<@churchyard:fedora.im>

15:10:15

the EU CRA Stewardship ticket landed not even 24 our ago. I didn't even have time to read it

<@jflory7:fedora.im>

15:10:18

!link https://forge.fedoraproject.org/council/tickets/issues/558

<@jflory7:fedora.im>

15:10:26

Me either

<@bookwar:fedora.im>

15:10:30

As I understand it we have a draft of a Fedora Forge policy and a draft of a Fedora Forge article. The draft of the policy is in the ticket 558. The draft of an article I haven't seen

<@jflory7:fedora.im>

15:10:31

I haven't even had time to read this one 😄

<@pboy:fedora.im>

15:10:47

!hi

<@zodbot:fedora.im>

15:10:49

Peter Boy (pboy)

<@jspaleta:fedora.im>

15:11:10

jednorozec: are you here?

<@bookwar:fedora.im>

15:11:38

Secondly, again, as i understand, we want to publish an article referring to the policy. But we are not going to be able to approve a policy withn next two weeks

<@jflory7:fedora.im>

15:11:41

!link https://forge.fedoraproject.org/forge/forge/wiki/Fedora-Forge-Usage-Policy

<@bookwar:fedora.im>

15:11:56

Is this correct understanding?

<@jflory7:fedora.im>

15:12:07

!link https://docs.fedoraproject.org/en-US/council/policy/policy-change-policy/

<@bookwar:fedora.im>

15:12:47

My proposal is - Do not rush the approval of the policy, refer to the draft of the policy in the article.

<@jflory7:fedora.im>

15:13:10

We have to follow our own rules

<@jspaleta:fedora.im>

15:13:19

Without putting words in jednorozec mouth. My understanding is he wants leadership to cosign on what the article says concerning timelines. If there is a fully understood policy with regard to what is allowed to migrate to our forge and what is not.. it helps

<@bookwar:fedora.im>

15:13:23

Draft is already in a good shape, and an article will help spread the news and collect final feedback.

<@bookwar:fedora.im>

15:14:05

That's the second part we need to decide today. The review of an article by a council I think can be done faster than the review of the policy

<@jspaleta:fedora.im>

15:14:14

I need to get the article draft to yall to read over.. but you know google doc permissions...

<@bookwar:fedora.im>

15:14:32

But how do we actually do it in practice? I haven't seen the link to the draft of an article yet?

<@bookwar:fedora.im>

15:15:06

Can't you make a draft in fedora magazin and give us a previe link?

<@bookwar:fedora.im>

15:15:13

Can't you make a draft in fedora magazine and give us a preview link?

<@jspaleta:fedora.im>

15:16:14

that we can do. I'll work with jednorozec on that

<@jspaleta:fedora.im>

15:16:29

and put the link in the ticket for the policy

<@bookwar:fedora.im>

15:16:34

So if I get a text of an article in some form, I can commit to prioritize reviewing it and give feedback within a day

<@jspaleta:fedora.im>

15:16:34

or open a new ticket?

<@jspaleta:fedora.im>

15:17:21

ill take that action.. ill get the draft into the magazine so it can be previewed to us for review and open a ticket that we can async +1 on

<@jflory7:fedora.im>

15:17:49

<@jflory7:fedora.im>

15:17:49

I wonder how this works for issues with PII, e.g., reimbursement reports, Code of Conduct tickets, etc.

<@jflory7:fedora.im>

15:17:49

> "Exposing Secrets: Committing sensitive information such as passwords, API tokens, private SSH keys, or Personally Identifiable Information (PII)."

<@bookwar:fedora.im>

15:17:51

I guess if we want the overall council approval and fast, a council ticket is the way. It should link to the article somehow, and we should appove it in the ticket in async way. Does it sound ok?

<@bookwar:fedora.im>

15:18:07

I guess if we want the overall council approval and fast, a council ticket is the way. It should link to the article somehow, and we should approve it in the ticket in async way. Does it sound ok?

<@jflory7:fedora.im>

15:18:21

!info Policy unclear about PII in the context of monetary reimbursement requests and Code of Conduct reports

<@jflory7:fedora.im>

15:18:35

A new ticket? Beyond #558?

<@bookwar:fedora.im>

15:18:53

yes, article approval is a separate ticket

<@jspaleta:fedora.im>

15:19:05

yeah... its related via a possible blocker relationship

<@jspaleta:fedora.im>

15:20:30

okay actioned... now about that actual draft policy.. how do we move forward

<@bookwar:fedora.im>

15:20:46

I don't think article should wait. I think it will actually needs to go out before we approve the policy

<@jflory7:fedora.im>

15:20:46

<@jflory7:fedora.im>

15:20:46

Likely need to consider that we are directing people to Pagure?

<@jflory7:fedora.im>

15:20:46

> "Reporting Code of Conduct Violations: To report a CoC violation occurring on the Forge, please contact the Fedora Code of Conduct Committee."

<@jflory7:fedora.im>

15:20:54

Yes.

<@jflory7:fedora.im>

15:21:07

Article + two weeks of feedback.

<@jflory7:fedora.im>

15:21:18

From the publishing date

<@bookwar:fedora.im>

15:21:22

I don't think article should wait. I think it actually needs to go out before we approve the policy

<@jflory7:fedora.im>

15:21:38

https://docs.fedoraproject.org/en-US/council/policy/policy-change-policy/

<@jflory7:fedora.im>

15:21:41

^^ This is the guide

<@jspaleta:fedora.im>

15:21:47

so we have the article reference a draft policy and start the feedback process?

<@jflory7:fedora.im>

15:22:02

!info "Proposed changes to Fedora Council policies must be publicly announced on the #council tag on Fedora Discussion and in a Fedora Community Blog post in order to get feedback from the community. After a minimum of two calendar weeks, the Fedora Council may vote on the proposed change using the full consensus voting model. After approval, the change is reflected on the Fedora Council policies page."

<@bookwar:fedora.im>

15:23:09

Note - we will be asking for the feedback on the draft policy, not on the decision or timeline for the migration.

<@jspaleta:fedora.im>

15:23:18

So is the draft at the point where we should start the clock on it?

<@jflory7:fedora.im>

15:23:21

!action @jspaleta Draft and publish the Policy Change Policy notification article for the Community Blog

<@jflory7:fedora.im>

15:23:33

Publishing on the CommBlog == timer start

<@bookwar:fedora.im>

15:23:34

Yes, I think so

<@bookwar:fedora.im>

15:24:11

Justin Wheeler: I think we are talking about two different articles now

<@jflory7:fedora.im>

15:24:14

!info Note, the two-week countdown clock on feedback begins from the day of publishing of the Community Blog article

<@jflory7:fedora.im>

15:24:21

bookwar: We are?

<@jspaleta:fedora.im>

15:24:27

then I'm good with this topic. We have a way forward. I'll double back with jednorozec make article draft changes that add language to indicate that the draft policy is ready for feedback

<@bookwar:fedora.im>

15:24:43

Afaiu, the article Jef is proposing is going to Fedora Magazine

<@jflory7:fedora.im>

15:24:53

Why the Magazine?

<@jspaleta:fedora.im>

15:24:56

i think what I am proposing is coordinating things

<@jspaleta:fedora.im>

15:25:08

so that the migration article is able to reference the draft policy comms

<@jflory7:fedora.im>

15:25:34

I might be getting more confused

<@jspaleta:fedora.im>

15:25:45

I'll take whatever necessary action items to put that in motion for both so they can be coordinated

<@jflory7:fedora.im>

15:26:16

It might help to spell out what is being proposed to write and where we are publishing it

<@bookwar:fedora.im>

15:26:25

I think that Fedora Forge migration is a big newsworthy topic and deserves the article in the Magazine. The article in the communicty blog as required by the policy of policies is more of the internal project communication

<@jflory7:fedora.im>

15:26:33

I thought we were discussing the CommBlog policy change notification article

<@jspaleta:fedora.im>

15:27:19

1. There is a draft of a magazine article by jednorozec concerning the timeline to sunst pagure and reminding people to migrate. I have to action that into a magazine article draft that council can review and choose to cosign.

<@jspaleta:fedora.im>

15:27:19

sure...

<@jflory7:fedora.im>

15:27:25

Hmm, yes, but I don't think we need to invite the entire world to add commentary at this time. We value contributor feedback most of all, and if we go to the Magazine, we are casting a much wider net with people who are less connected to Fedora. More bike-shedding encouraged

<@jflory7:fedora.im>

15:27:49

This should come after we have the policy in-hand?

<@jspaleta:fedora.im>

15:27:56

2. We have a policy draft concerning the use of the new forge.. which materially impacts how people make choices to migrate. We need to commjnicate that draft via normal policy comms process

<@jflory7:fedora.im>

15:28:19

Doing #1 before #2 implies to me that the policy is set

<@jspaleta:fedora.im>

15:28:34

we can coordinate so that the migration article can reference the draft policy... and have a call to action for feedback on that policy draft

<@bookwar:fedora.im>

15:28:47

Justin Wheeler: The Fedora Magazine article is about Pagure sunsetting, it should go wider than Fedora COmm blog. It will additionally *reference* the draft policy, but the draft policy won't be the main topic there.

<@jspaleta:fedora.im>

15:28:54

#1 is a ticking clock.. we already know the timescale...

<@jspaleta:fedora.im>

15:29:17

if we dont have a policy.. people migrate to something not our forge as the default action

<@jflory7:fedora.im>

15:29:20

OK, I see. It makes sense, but need to be very mindful about our audiences, the Magazine and CommBlog get different eyeballs

<@jflory7:fedora.im>

15:30:11

I guess I have no preference for which comes first, but if the Magazine article gets expedited, we need to make sure the editors in #magazine:fedoraproject.org are aware of our urgent publishing plans, and there needs to be a clear disclaimer that policy discussion is forthcoming

<@jflory7:fedora.im>

15:31:04

I am cautious to avoid a feeling of "an emergency on your part is not an emergency on our part" in the community 🙂

<@bookwar:fedora.im>

15:31:29

So the steps A.1) review the magazine article -> A.2) publish the magazine article referring yet unapproved policy draft B.1) publish community blog article as per policy -> B.2) Approve the policy.

<@jflory7:fedora.im>

15:31:46

LGTM. And two weeks between B.1 and B.2

<@jspaleta:fedora.im>

15:31:49

the longer we way to communicate what jednorozec wants to communicate.. the likelihood that we create an emergency for someone

<@bookwar:fedora.im>

15:32:19

A.1 we want to prioritize. B.1 can happen in parallel to A, but not necessarily

<@jflory7:fedora.im>

15:32:50

Yes, but I mean, the Council ticket was opened yesterday and we are trying to leap into action on volunteer contributor time… I get that postponing causes problems, but TBH, it would be better to publish earlier in the week than toward the end of the week, because Fridays are typically lower readership days

<@jflory7:fedora.im>

15:33:24

There is a reason why we have historically done releases on Tuesday mornings in UTC 🙂 Doesn't have to be Tuesday morning, but for things we want the full week's cycle to promote, better to publish earlier in the week than right before a weekend

<@jflory7:fedora.im>

15:33:42

I don't want to stress the Magazine editors out after an already stressful week with a midnight-oil burning F44 Beta Release announcement

<@jspaleta:fedora.im>

15:33:43

the only reason why im talking about a draft in the magazine system... is because the blasted redhat google docs settings make it impossible to share the current draft with everyone here easily.

<@bookwar:fedora.im>

15:34:00

Let's do the A1 asap. Hitting the publish button on Magazine can be done by Magazine editors, and they can choose to do it on Monday or whenever

<@jflory7:fedora.im>

15:34:08

<@bookwar:fedora.im>

15:34:13

Let's do the A1 asap. Hitting the publish button on Magazine (A2) can be done by Magazine editors, and they can choose to do it on Monday or whenever

<@jspaleta:fedora.im>

15:34:18

right... im not trying to quick fire publish.. just get review from council

<@jflory7:fedora.im>

15:34:38

Honestly, I don't think we _need_ to sign off on the Magazine article as Council

<@jflory7:fedora.im>

15:34:47

I trust Jef Spaleta and jednorozec to rep this appropriately

<@jspaleta:fedora.im>

15:34:59

jednorozec: would like leadership to cosign

<@jflory7:fedora.im>

15:35:00

The policy discussion is where we need to devote Council attention, during those two weeks of input

<@jflory7:fedora.im>

15:35:07

That's you! 😉

<@jflory7:fedora.im>

15:35:15

The Council is "co-signing" the policy

<@jspaleta:fedora.im>

15:35:29

we dont NEED to. he wants broad leadership.. council and fesco

<@jspaleta:fedora.im>

15:35:42

so im making the opportunity for that to happen here

<@jflory7:fedora.im>

15:35:44

I don't think I need to approve this Magazine article personally, we are all on the same page here generally and the details have been discussed among us already. This is about moving the conversation into community

<@jspaleta:fedora.im>

15:35:48

if we dont want to.. fine

<@jflory7:fedora.im>

15:35:55

Well, I am in support! Let's go!

<@jflory7:fedora.im>

15:36:02

No discussion needed from me 🙂 Let's just get it done

<@bookwar:fedora.im>

15:36:11

I think Council should provide support on this change, even if just moral. So let's get that draft and help if we can

<@jflory7:fedora.im>

15:37:03

!info Note, it was clarified that there are actually _two_ articles being discussed. One is a general Fedora Magazine article, announcing the intent to sunset Pagure.io, the ongoing discussion about Fedora Forge usage policy, and the Flock 2026 timeline. The other article is a Community Blog article, which is the Policy Change Policy process for adopting a new Fedora Forge Usage Policy.

<@jflory7:fedora.im>

15:37:23

!idea Fedora Forge Usage Policy may need to go into Fedora Legal docs instead of Fedora Council policy docs; will revisit

<@jflory7:fedora.im>

15:37:32

Also, do we need RH Legal input on the policy text?

<@jflory7:fedora.im>

15:37:41

That might be something to consider before running the CommBlog article

<@jspaleta:fedora.im>

15:38:09

do we have legal opinion concerning pagure right now documented?

<@jflory7:fedora.im>

15:38:37

!action @jspaleta Work with @humaton to draft a Fedora Magazine article by Friday morning, 13 March 2026, to deliver to the Fedora Magazine editors for early-week publishing in the week of March 16th

<@jflory7:fedora.im>

15:39:07

!action @jspaleta In the week of March 16th, work on the Community Blog article draft for the policy change policy discussion in the community about the Fedora Forge usage policy

<@jflory7:fedora.im>

15:39:33

Good question. I presume we have something? But the answer is probably in Fedora Infrastructure. We don't have existing Fedora Legal docs today for Pagure.io policy.

<@jspaleta:fedora.im>

15:39:46

I dont want to borrow trouble

<@jflory7:fedora.im>

15:39:53

You might have to do some historical digging with people like Kevin Fenzi and Paul Frields

<@jspaleta:fedora.im>

15:40:00

if we have legal documentation concerning pagure use.. we should rely on that

<@jflory7:fedora.im>

15:40:04

There is an answer, but I don't know it

<@jspaleta:fedora.im>

15:40:12

and understand if we are stepping over the bounds of that document

<@jflory7:fedora.im>

15:40:44

I get a hunch that this might be it 🙂

<@jflory7:fedora.im>

15:40:45

!link https://pagure.io/about/

<@jflory7:fedora.im>

15:41:46

Do we have anything else to discuss here?

<@jflory7:fedora.im>

15:41:53

I think the actions are clear

<@jflory7:fedora.im>

15:41:58

There is a Fedora Magazine article urgently coming

<@jflory7:fedora.im>

15:42:12

I won't be able to review, I am on PTO Thursday and Friday this week, but I trust y'all to get this done 👍️

<@jflory7:fedora.im>

15:42:36

Last call, git forge policy or Pagure.io topics?

<@jflory7:fedora.im>

15:42:57

## Fedora Forge usage policy & Pagure, going once…

<@jflory7:fedora.im>

15:43:10

## Fedora Forge usage policy & Pagure, going twice…

<@jflory7:fedora.im>

15:43:25

## Fedora Forge usage policy & Pagure, going thrice…

<@jflory7:fedora.im>

15:43:40

💥

<@jflory7:fedora.im>

15:43:48

!topic Ticket #559: The EU CRA Stewardship and Readiness proposal for Fedora community

<@jflory7:fedora.im>

15:43:54

!link https://forge.fedoraproject.org/council/tickets/issues/559

<@jflory7:fedora.im>

15:46:32

Hmm, so, the ticket is more a theory of collaboration than an actual statement of worj

<@jflory7:fedora.im>

15:46:37

Hmm, so, the ticket is more a theory of collaboration than an actual statement of work.

<@jflory7:fedora.im>

15:46:51

I think the theory is sound and good, but it does not really cover the actual work needed to be done.

<@churchyard:fedora.im>

15:46:53

I skimmed trouh it and I am not sure what is expected of us

<@bookwar:fedora.im>

15:46:56

For me with CRA it is still not clear whether Fedora Project is a separate entity, or is a tool/framework for implementation of the Red Hat's role as a Steward.

<@jflory7:fedora.im>

15:46:56

I know some of this will be uncovered as we go

<@bookwar:fedora.im>

15:47:27

The text in the ticket doesn't make difference between Fedora Project and Red Hat and I think it is a mistake

<@jspaleta:fedora.im>

15:48:00

Okay I garuntee this ticket is in response to internal discussions we've been having inside of Red Hat about the CRA and their role as steward for projects like Fedora in the language of that legislation

<@jflory7:fedora.im>

15:48:01

So, I am not a lawyer and this is not legal advice, but I believe that there is no "separate entity" for Fedora since we a project legally funded and registered to Red Hat. The trademarks for the project are owned by Red Hat, the infrastructure is largely hosted by Red Hat, so to EU regulators, Fedora is closely tied to Red Hat

<@jflory7:fedora.im>

15:48:30

For sure. It is a fair point to mention that me and Jef have been speaking internally with CRA folks for a bit now, and we are trying to think through the ideal process for working in Fedora

<@jflory7:fedora.im>

15:48:51

There was some discussion I needed to catch up on from SCaLE during last week, which led to this ticket, so I am running a bit behind on context

<@jflory7:fedora.im>

15:49:11

So, there is, but Red Hat assumes some legal obligations as the "Steward" of Fedora

<@jflory7:fedora.im>

15:49:22

Fedora needs some legally-accountable anchor in the EU policy space

<@jflory7:fedora.im>

15:49:41

s/some legal obligations/all CRA legal obligations/

<@bookwar:fedora.im>

15:49:56

Afaik Red Hat can be a Steward without Fedora Council involved.

<@jspaleta:fedora.im>

15:49:58

In those discussions i said that we need to start having public discussions about this because ultimately a lot of what stewards do are best practices around security.. and its not clear at all what is actually legally required..or even if we technically need a steward. My interpreation of the conversation is Red Hat is offering to be our project steward so we can be a best practices citizen in the context of the CRA

<@jflory7:fedora.im>

15:50:19

Well, I think there will be discussions we need to have about security processes, which unfortunately was not really spelled out in the ticket

<@jflory7:fedora.im>

15:50:44

The ticket is more of a theory of change for me, which I am supportive of… but I want the proposed actions and tangible, concrete things we can expect to happen as part of this process

<@bookwar:fedora.im>

15:50:52

Security processes of Red Hat as a Steward, not Fedora as a project

<@pboy:fedora.im>

15:50:56

I'm not sure it it is relevant for Fedora at all. We have thousends of volunteer projects in Europe. Some are operating as a "registered foundation" others are not. Do we know how SusE / OpenSuSe will handle that?

<@jflory7:fedora.im>

15:51:07

There were some unfinished conversations about Red Hat Product Security wanting to help and get more involved in Fedora to fulfill Red Hat's legal obligations as Open Source Steward of Fedora

<@jspaleta:fedora.im>

15:51:18

ulltimately stewards function to set down policy that must be abided by. Right now we dont have a governance model that anticipates that

<@jflory7:fedora.im>

15:51:41

I hope we can leverage the volunteered time by cybersecurity folks at Red Hat to spend some time in Fedora, but it does not seem like we, or the ticket, is ready to discuss that yet

<@bookwar:fedora.im>

15:52:06

The situation is (one possible interpretation): Fedora Project is a FOSS software not offering commercial services, so it doesn't need to have a stance with respect to CRA. Red Hat uses Fedora code to provide commercial services. As such Red Hat has steward obligations towards Fedora.

<@jflory7:fedora.im>

15:52:29

I hypothesize SUSE employees and lawyers are openSUSE is having similar conversations too. I don't think we are alone in this at all

<@jflory7:fedora.im>

15:52:42

I hypothesize SUSE employees and lawyers are similar conversations about openSUSE too. I don't think we are alone in this at all

<@bookwar:fedora.im>

15:53:12

Steward's policy is set on their own stewards workflows. SO it says "Red Hat security folks must report all downstream CVEs to Fedora within 2 days". It doesn't say, Fedora as a FOSS project must react to reported CVEs within 2 days"

<@jspaleta:fedora.im>

15:53:15

Ive had a sidebar discussion with someone from the Eclipse foundation... individual projects are feeling pressure to get inside of a foundation that can act as a stewerd... its a weird situation. because under the law its actually not clear that projects can say no if some vendor that depends on them says they want to be a project steward.

<@jflory7:fedora.im>

15:53:49

Hmmm, I am not a lawyer, but I don't think the first interpretation is the one being interpreted in the policy space. But I think the fact that this is unclear _to us_ means it will be unclear to the community, and therefore, we need a more concrete proposal in this ticket to know what we are voting.

<@jflory7:fedora.im>

15:53:59

I can take the action to deliver this feedback in the Forgejo ticket.

<@jflory7:fedora.im>

15:54:07

If we agree that this action makes sense as a next step

<@jflory7:fedora.im>

15:54:14

Because I don't think we have anything to vote on today

<@jflory7:fedora.im>

15:54:24

This is a collaboration theory, not a proposal of changes

<@jflory7:fedora.im>

15:54:42

I think we want the collaboration, but let's get into the details of what actually is being proposed to change

<@jspaleta:fedora.im>

15:54:44

that is an interpretation and one I'm currently leaning on. But utilimately if we were to have a steward they are only going to be effective if projects adopt practices.

<@jonatoni:fedora.im>

15:56:06

in the ticket they have asked for feedback + time from our next Council meeting to join and answer any questions we might have, so maybe we can invite them in our next meeting?

<@jflory7:fedora.im>

15:56:29

Security processes for Red Hat to be able to legally speak to EU policy regulators about security status of Fedora components. I don't think we want EU regulators pursuing individual packagers, not that I think they would even know how to do that, but I think the risk we are trying to avoid is removing policy liability from individual contributors to Red Hat, the business entity

<@jflory7:fedora.im>

15:56:40

Nice idea

<@jflory7:fedora.im>

15:56:45

I think a video meeting could work well for this format

<@bookwar:fedora.im>

15:56:50

They can fulfill their obligations by the EU law without us as a project enforcing policies on volunteers maintaining Fedora packages. And I think this is the direction I want it to go. It is also what CRA is for: setting requirements on those who profit from FOSS, not for those who do it

<@jflory7:fedora.im>

15:56:55

The topic is really big, it is a very new thing, and I know we all must have questions

<@jflory7:fedora.im>

15:57:17

And obviously, there are lots of questions about how much Fedora is tied into all of this, and I think we need some CRA experts on the line to help us dig into this

<@bookwar:fedora.im>

15:57:18

There is no need to speak to EU about security of Fedora components

<@jspaleta:fedora.im>

15:57:34

So right now the way im viewing this is for Fedora.. a steward fits in as an advisory capacity that can _help_ us adopt best practices around security. Its up to us to decide how far deep into the practices bucket makes sense for us to adopt.

<@bookwar:fedora.im>

15:57:36

EU doesn't care about Fedora components and their security because it is not a commercial offering

<@jflory7:fedora.im>

15:57:44

I have been led to believe this is not entirely true, at least not for Red Hat

<@jflory7:fedora.im>

15:58:00

The connection into the commercial products is what I think an expert needs to help us better understand

<@bookwar:fedora.im>

15:58:09

EU cares that when Red Hat creates commercial offering out of Fedora components and that commerical offering has security issues, those issues are reported upstream to Fedora.

<@jflory7:fedora.im>

15:58:19

So, I could take an action item to follow up on the ticket with our questions and doubts, and to schedule a video Council meeting.

<@jflory7:fedora.im>

15:58:32

I don't know if we want to take over the next Council meeting as a video meeting, but we could schedule something separately.

<@bookwar:fedora.im>

15:58:41

That's responsibility on Red Hat to disclosure stuff, not on Fedora to fix the stuff diclosured

<@jflory7:fedora.im>

15:58:42

It doesn't have to be our usual Council meeting slot, especially since we don't meet weekly anymore

<@jspaleta:fedora.im>

15:58:52

i dont think there is anywhere near enough clarity on that. If that were true, foundatins like eclipse would be giving this a yawn.

<@jflory7:fedora.im>

15:59:08

Right! Disclosure/reporting seems to be the biggest load that I can see, but yeah, I think we need more discussion and our meeting slot ends in one minute 🙂

<@jflory7:fedora.im>

15:59:31

I don't see as much, so far, about actually _fixing_ things, but it seems like being able to _speak_ about the state of things is part of the compliance puzzle

<@jflory7:fedora.im>

15:59:37

But I am not a lawyer and this is not legal advice 😛

<@jflory7:fedora.im>

15:59:45

OK, we are pretty much at the hour…

<@jflory7:fedora.im>

15:59:50

Let me write those actions, then we can wrap

<@jflory7:fedora.im>

16:00:12

Oh, heh, and we also need to fix the meeting time zone stuff

<@bookwar:fedora.im>

16:00:20

I have a contact for a person from German BSI or smth who offered to talk about CRA for us. I do want us to talk about CRA from the perspective of the FOSS project and not from a perspective of Red Hat legal.

<@pboy:fedora.im>

16:00:30

Under European law, voluntary, non-profit-oriented services do not give rise to any claims or claims for damages, except in cases of gross negligence.

<@jflory7:fedora.im>

16:00:39

!action @jflory7 Comment on Ticket #559 to clarify the general reaction, questions, and thoughts by the Council on CRA compliance in the context of Fedora Project and Red Hat's responsibilities as Open Source Steward.

<@pboy:fedora.im>

16:00:57

So, Fedora packagers are not a tarbget.

<@jflory7:fedora.im>

16:01:07

!action @jflory7 Pitch a Fedora Council Video Meeting sometime in March to invite the CRA folks to come and discuss this topic with the Fedora Council and Fedora community

<@jspaleta:fedora.im>

16:01:19

Just to be clear the practises coming up in these discussion are not invented by Red Hat.. there is work going on to establish practices that foundations can adopt and I expect they will adopt. We shouldnt be out of step with the security practises of things like the Eclipse foundation.

<@jflory7:fedora.im>

16:01:33

Peter Boy (ServerWG, Docs): One tricky aspect to consider is that Fedora is not a nonprofit, a legal entity, or anything. Fedora is a logo, a registered trademark, owned by a commercial, for-profit company.

<@jflory7:fedora.im>

16:01:44

Of course, this is not the full picture 🙂

<@jflory7:fedora.im>

16:01:47

As we all know

<@jflory7:fedora.im>

16:01:55

But regulators have one idea and we may have another

<@jflory7:fedora.im>

16:01:59

Anyways, the actions are all set!

<@jflory7:fedora.im>

16:02:07

I think we will have an engaging follow-up here later in March

<@jflory7:fedora.im>

16:02:20

!halp Council members, please add your CRA-related questions to Ticket #559 in the meantime

<@jflory7:fedora.im>

16:02:25

Let's wrap up here.

<@jflory7:fedora.im>

16:02:30

Thanks folks for your attention today!

<@churchyard:fedora.im>

16:02:40

see you

<@jflory7:fedora.im>

16:02:42

Let's figure out the time zone stuff for the next meeting in #council:fedoraproject.org.

<@jflory7:fedora.im>

16:02:46

Bye! 👋

<@jflory7:fedora.im>

16:02:48

!endmeeting