2026-03-11 15:03:32 <@jflory7:fedora.im> !startmeeting Fedora Council - 2026-03-11
2026-03-11 15:03:32 <@meetbot:fedora.im> Meeting started at 2026-03-11 15:03:32 UTC
2026-03-11 15:03:33 <@meetbot:fedora.im> The Meeting name is 'Fedora Council - 2026-03-11'
2026-03-11 15:03:38 <@jflory7:fedora.im> !meetingname council
2026-03-11 15:03:39 <@meetbot:fedora.im> The Meeting Name is now council
2026-03-11 15:03:46 <@jflory7:fedora.im> !topic Welcomes & Hellos
2026-03-11 15:03:52 <@jflory7:fedora.im> !group members Council 
2026-03-11 15:03:54 <@zodbot:fedora.im> Members of Council: Aoife Moloney, Aleksandra Fedorova, Miro Hrončok, Dave Cantrell, jflory7 (@jflory7:fedora.im, @fca:fedoraproject.org), Jona Azizaj, Jef Spaleta, Laura Santamaria, Petr Bokoč, Peter Boy, Ryan Lerch, Akashdeep Dhar
2026-03-11 15:03:55 <@jflory7:fedora.im> !hi 
2026-03-11 15:03:57 <@zodbot:fedora.im> Justin Wheeler (jflory7) - he / him / his
2026-03-11 15:03:59 <@churchyard:fedora.im> !hi
2026-03-11 15:03:59 <@zodbot:fedora.im> Miro Hrončok (churchyard) - he / him / his or they / them / theirs
2026-03-11 15:04:03 <@bookwar:fedora.im> !hi
2026-03-11 15:04:04 <@zodbot:fedora.im> Aleksandra Fedorova (bookwar) - she / her / hers
2026-03-11 15:04:32 <@jflory7:fedora.im> Good morning, folks! Well, good morning from here anyways. US Pacific time zone is a hard one in Fedora 😅
2026-03-11 15:05:26 <@jflory7:fedora.im> [@jspaleta:fedora.im](https://matrix.to/#/@jspaleta:fedora.im) I'm multitasking a breakfast while getting ready to check out of my hotel in a bit. I didn't have topics triaged yet. I know we have two new tickets of various priorities. Did you manage to identify some agenda topics of interest for today? 
2026-03-11 15:05:26 <@jspaleta:fedora.im> sorry for that
2026-03-11 15:05:38 <@jspaleta:fedora.im> daylight savings is such a mess
2026-03-11 15:05:47 <@jflory7:fedora.im> That also doesn't help :D
2026-03-11 15:06:07 <@jspaleta:fedora.im> I think we need press on with the policy draft discussion around pagure as a priority
2026-03-11 15:06:43 <@jflory7:fedora.im> Works for me 
2026-03-11 15:07:23 <@jspaleta:fedora.im> if we have time for anything else... then we can look over the ticket backlog after that
2026-03-11 15:07:32 <@jspaleta:fedora.im> bookwar: should the floor go to you?
2026-03-11 15:07:53 <@jspaleta:fedora.im> !hi
2026-03-11 15:07:54 <@zodbot:fedora.im> Jef Spaleta (jspaleta) - he / him / his
2026-03-11 15:08:25 <@bookwar:fedora.im> Not sure, as I was not actually doing the work, but let's try
2026-03-11 15:08:32 <@bookwar:fedora.im> Can you set a topic?
2026-03-11 15:08:54 <@jflory7:fedora.im> https://forge.fedoraproject.org/council/tickets/issues/558
2026-03-11 15:08:55 <@jflory7:fedora.im> https://forge.fedoraproject.org/council/tickets/issues/559
2026-03-11 15:09:01 <@jflory7:fedora.im> These seem like the two topics we should cover today
2026-03-11 15:09:53 <@jspaleta:fedora.im> Agreed lets start with the forge.. Ill set a topic
2026-03-11 15:09:55 <@jflory7:fedora.im> I'd like to come back to this as well, since @t0xic0der has been working on a draft. But I think I saw some review comments yesterday
2026-03-11 15:09:55 <@jflory7:fedora.im> 
2026-03-11 15:09:55 <@jflory7:fedora.im> https://forge.fedoraproject.org/council/tickets/issues/550
2026-03-11 15:10:02 <@jflory7:fedora.im> Let's see what we can get through today.
2026-03-11 15:10:13 <@jflory7:fedora.im> !topic Ticket #558: Fedora Forge usage policy
2026-03-11 15:10:15 <@churchyard:fedora.im> the EU CRA Stewardship ticket landed not even 24 our ago. I didn't even have time to read it
2026-03-11 15:10:18 <@jflory7:fedora.im> !link https://forge.fedoraproject.org/council/tickets/issues/558
2026-03-11 15:10:26 <@jflory7:fedora.im> Me either
2026-03-11 15:10:30 <@bookwar:fedora.im> As I understand it we have a draft of a Fedora Forge policy and a draft of a Fedora Forge article. The draft of the policy is in the ticket 558. The draft of an article I haven't seen
2026-03-11 15:10:31 <@jflory7:fedora.im> I haven't even had time to read this one 😄 
2026-03-11 15:10:47 <@pboy:fedora.im> !hi
2026-03-11 15:10:49 <@zodbot:fedora.im> Peter Boy (pboy)
2026-03-11 15:11:10 <@jspaleta:fedora.im> jednorozec:  are you here?
2026-03-11 15:11:38 <@bookwar:fedora.im> Secondly, again, as i understand, we want to publish an article referring to the policy. But we are not going to be able to approve a policy withn next two weeks
2026-03-11 15:11:41 <@jflory7:fedora.im> !link https://forge.fedoraproject.org/forge/forge/wiki/Fedora-Forge-Usage-Policy
2026-03-11 15:11:56 <@bookwar:fedora.im> Is this correct understanding?
2026-03-11 15:12:07 <@jflory7:fedora.im> !link https://docs.fedoraproject.org/en-US/council/policy/policy-change-policy/
2026-03-11 15:12:47 <@bookwar:fedora.im> My proposal is - Do not rush the approval of the policy, refer to the draft of the policy in the article.
2026-03-11 15:13:10 <@jflory7:fedora.im> We have to follow our own rules
2026-03-11 15:13:19 <@jspaleta:fedora.im> Without putting words in jednorozec  mouth.  My understanding is he wants leadership to cosign on what the article says concerning timelines. If there is a fully understood policy with regard to what is allowed to migrate to our forge and what is not.. it helps
2026-03-11 15:13:23 <@bookwar:fedora.im> Draft is already in a good shape, and an article will help spread the news and collect final feedback.
2026-03-11 15:14:05 <@bookwar:fedora.im> That's the second part we need to decide today. The review of an article by a council I think can be done faster than the review of the policy 
2026-03-11 15:14:14 <@jspaleta:fedora.im> I need to get the article draft to yall to read over.. but you know google doc permissions...
2026-03-11 15:14:32 <@bookwar:fedora.im> But how do we actually do it in practice? I haven't seen the link to the draft of an article yet?
2026-03-11 15:15:06 <@bookwar:fedora.im> Can't you make a draft in fedora magazin and give us a previe link?
2026-03-11 15:15:13 <@bookwar:fedora.im> Can't you make a draft in fedora magazine and give us a preview link?
2026-03-11 15:16:14 <@jspaleta:fedora.im> that we can do. I'll work with jednorozec on that
2026-03-11 15:16:29 <@jspaleta:fedora.im> and put the link in the ticket for the policy
2026-03-11 15:16:34 <@bookwar:fedora.im> So if I get a text of an article in some form, I can commit to prioritize reviewing it and give feedback within a day
2026-03-11 15:16:34 <@jspaleta:fedora.im> or open a new ticket?
2026-03-11 15:17:21 <@jspaleta:fedora.im> ill take that action.. ill get the draft into the magazine so it can be previewed to us for review and open a ticket that we can async +1 on
2026-03-11 15:17:49 <@jflory7:fedora.im> 
2026-03-11 15:17:49 <@jflory7:fedora.im> I wonder how this works for issues with PII, e.g., reimbursement reports, Code of Conduct tickets, etc.
2026-03-11 15:17:49 <@jflory7:fedora.im> > "Exposing Secrets: Committing sensitive information such as passwords, API tokens, private SSH keys, or Personally Identifiable Information (PII)."
2026-03-11 15:17:51 <@bookwar:fedora.im> I guess if we want the overall council approval and fast, a council ticket is the way. It should link to the article somehow, and we should appove it in the ticket in async way. Does it sound ok?
2026-03-11 15:18:07 <@bookwar:fedora.im> I guess if we want the overall council approval and fast, a council ticket is the way. It should link to the article somehow, and we should approve it in the ticket in async way. Does it sound ok?
2026-03-11 15:18:21 <@jflory7:fedora.im> !info Policy unclear about PII in the context of monetary reimbursement requests and Code of Conduct reports
2026-03-11 15:18:35 <@jflory7:fedora.im> A new ticket? Beyond #558?
2026-03-11 15:18:53 <@bookwar:fedora.im> yes, article approval is a separate ticket
2026-03-11 15:19:05 <@jspaleta:fedora.im> yeah... its related via a possible blocker relationship
2026-03-11 15:20:30 <@jspaleta:fedora.im> okay actioned... now about that actual draft policy.. how do we move forward
2026-03-11 15:20:46 <@bookwar:fedora.im> I don't think article should wait. I think it will actually needs to go out before we approve the policy
2026-03-11 15:20:46 <@jflory7:fedora.im> 
2026-03-11 15:20:46 <@jflory7:fedora.im> Likely need to consider that we are directing people to Pagure?
2026-03-11 15:20:46 <@jflory7:fedora.im> > "Reporting Code of Conduct Violations: To report a CoC violation occurring on the Forge, please contact the Fedora Code of Conduct Committee."
2026-03-11 15:20:54 <@jflory7:fedora.im> Yes.
2026-03-11 15:21:07 <@jflory7:fedora.im> Article + two weeks of feedback.
2026-03-11 15:21:18 <@jflory7:fedora.im> From the publishing date
2026-03-11 15:21:22 <@bookwar:fedora.im> I don't think article should wait. I think it actually needs to go out before we approve the policy
2026-03-11 15:21:38 <@jflory7:fedora.im> https://docs.fedoraproject.org/en-US/council/policy/policy-change-policy/
2026-03-11 15:21:41 <@jflory7:fedora.im> ^^ This is the guide
2026-03-11 15:21:47 <@jspaleta:fedora.im> so we have the article reference a draft policy and start the feedback process?
2026-03-11 15:22:02 <@jflory7:fedora.im> !info "Proposed changes to Fedora Council policies must be publicly announced on the #council tag on Fedora Discussion and in a Fedora Community Blog post in order to get feedback from the community. After a minimum of two calendar weeks, the Fedora Council may vote on the proposed change using the full consensus voting model. After approval, the change is reflected on the Fedora Council policies page."
2026-03-11 15:23:09 <@bookwar:fedora.im> Note - we will be asking for the feedback on the draft policy, not on the decision or timeline for the migration.
2026-03-11 15:23:18 <@jspaleta:fedora.im> So is the draft at the point where we should start the clock on it?
2026-03-11 15:23:21 <@jflory7:fedora.im> !action @jspaleta Draft and publish the Policy Change Policy notification article for the Community Blog
2026-03-11 15:23:33 <@jflory7:fedora.im> Publishing on the CommBlog == timer start
2026-03-11 15:23:34 <@bookwar:fedora.im> Yes, I think so
2026-03-11 15:24:11 <@bookwar:fedora.im> Justin Wheeler: I think we are talking about two different articles now
2026-03-11 15:24:14 <@jflory7:fedora.im> !info Note, the two-week countdown clock on feedback begins from the day of publishing of the Community Blog article
2026-03-11 15:24:21 <@jflory7:fedora.im> bookwar: We are?
2026-03-11 15:24:27 <@jspaleta:fedora.im> then I'm good with this topic. We have a way forward. I'll double back with jednorozec  make article draft changes that add language to indicate that the draft policy is ready for feedback
2026-03-11 15:24:43 <@bookwar:fedora.im> Afaiu, the article Jef is proposing is going to Fedora Magazine
2026-03-11 15:24:53 <@jflory7:fedora.im> Why the Magazine?
2026-03-11 15:24:56 <@jspaleta:fedora.im> i think what I am proposing is coordinating things
2026-03-11 15:25:08 <@jspaleta:fedora.im> so that the migration article is able to reference the draft policy comms
2026-03-11 15:25:34 <@jflory7:fedora.im> I might be getting more confused
2026-03-11 15:25:45 <@jspaleta:fedora.im> I'll take whatever necessary action items to put that in motion for both so they can be coordinated
2026-03-11 15:26:16 <@jflory7:fedora.im> It might help to spell out what is being proposed to write and where we are publishing it
2026-03-11 15:26:25 <@bookwar:fedora.im> I think that Fedora Forge migration is a big newsworthy topic and deserves the article in the Magazine. The article in the communicty blog as required by the policy of policies is more of the internal project communication
2026-03-11 15:26:33 <@jflory7:fedora.im> I thought we were discussing the CommBlog policy change notification article
2026-03-11 15:27:19 <@jspaleta:fedora.im> 1. There is a draft of a magazine article by jednorozec  concerning the timeline to sunst pagure and reminding people to migrate.  I have to action that into a magazine article draft that council can review and choose to cosign.
2026-03-11 15:27:19 <@jspaleta:fedora.im> sure...  
2026-03-11 15:27:25 <@jflory7:fedora.im> Hmm, yes, but I don't think we need to invite the entire world to add commentary at this time. We value contributor feedback most of all, and if we go to the Magazine, we are casting a much wider net with people who are less connected to Fedora. More bike-shedding encouraged
2026-03-11 15:27:49 <@jflory7:fedora.im> This should come after we have the policy in-hand?
2026-03-11 15:27:56 <@jspaleta:fedora.im> 2. We have a policy draft concerning the use of the new forge.. which materially impacts how people make choices to migrate.  We need to commjnicate that draft via normal policy comms process
2026-03-11 15:28:19 <@jflory7:fedora.im> Doing #1 before #2 implies to me that the policy is set
2026-03-11 15:28:34 <@jspaleta:fedora.im> we can coordinate so that the migration article can reference the draft policy... and have a call to action for feedback on that policy draft
2026-03-11 15:28:47 <@bookwar:fedora.im> Justin Wheeler: The Fedora Magazine article is about Pagure sunsetting, it should go wider than Fedora COmm blog. It will additionally *reference* the draft policy, but the draft policy won't be the main topic there.
2026-03-11 15:28:54 <@jspaleta:fedora.im> #1 is a ticking clock.. we already know the timescale...
2026-03-11 15:29:17 <@jspaleta:fedora.im> if we dont have a policy.. people migrate to something not our forge as the default action
2026-03-11 15:29:20 <@jflory7:fedora.im> OK, I see. It makes sense, but need to be very mindful about our audiences, the Magazine and CommBlog get different eyeballs
2026-03-11 15:30:11 <@jflory7:fedora.im> I guess I have no preference for which comes first, but if the Magazine article gets expedited, we need to make sure the editors in #magazine:fedoraproject.org are aware of our urgent publishing plans, and there needs to be a clear disclaimer that policy discussion is forthcoming
2026-03-11 15:31:04 <@jflory7:fedora.im> I am cautious to avoid a feeling of "an emergency on your part is not an emergency on our part" in the community 🙂 
2026-03-11 15:31:29 <@bookwar:fedora.im> So the steps  A.1) review the magazine article -> A.2) publish the magazine article referring yet unapproved policy draft B.1) publish community blog article as per policy -> B.2) Approve the policy.
2026-03-11 15:31:46 <@jflory7:fedora.im> LGTM. And two weeks between B.1 and B.2
2026-03-11 15:31:49 <@jspaleta:fedora.im> the longer we way to communicate what jednorozec wants to communicate.. the likelihood that we create an emergency for someone
2026-03-11 15:32:19 <@bookwar:fedora.im> A.1 we want to prioritize. B.1 can happen in parallel to A, but not necessarily
2026-03-11 15:32:50 <@jflory7:fedora.im> Yes, but I mean, the Council ticket was opened yesterday and we are trying to leap into action on volunteer contributor time… I get that postponing causes problems, but TBH, it would be better to publish earlier in the week than toward the end of the week, because Fridays are typically lower readership days
2026-03-11 15:33:24 <@jflory7:fedora.im> There is a reason why we have historically done releases on Tuesday mornings in UTC 🙂 Doesn't have to be Tuesday morning, but for things we want the full week's cycle to promote, better to publish earlier in the week than right before a weekend
2026-03-11 15:33:42 <@jflory7:fedora.im> I don't want to stress the Magazine editors out after an already stressful week with a midnight-oil burning F44 Beta Release announcement
2026-03-11 15:33:43 <@jspaleta:fedora.im> the only reason why im talking about a draft in the magazine system... is because the blasted redhat google docs settings make it impossible to share the current draft with everyone here easily.
2026-03-11 15:34:00 <@bookwar:fedora.im> Let's do the A1 asap. Hitting the publish button on Magazine can be done by Magazine editors, and they can choose to do it on Monday or whenever
2026-03-11 15:34:08 <@jflory7:fedora.im> +1
2026-03-11 15:34:13 <@bookwar:fedora.im> Let's do the A1 asap. Hitting the publish button on Magazine (A2) can be done by Magazine editors, and they can choose to do it on Monday or whenever
2026-03-11 15:34:18 <@jspaleta:fedora.im> right... im not trying to quick fire publish.. just get review from council
2026-03-11 15:34:38 <@jflory7:fedora.im> Honestly, I don't think we _need_ to sign off on the Magazine article as Council
2026-03-11 15:34:47 <@jflory7:fedora.im> I trust Jef Spaleta and jednorozec to rep this appropriately
2026-03-11 15:34:59 <@jspaleta:fedora.im> jednorozec: would like leadership to cosign
2026-03-11 15:35:00 <@jflory7:fedora.im> The policy discussion is where we need to devote Council attention, during those two weeks of input
2026-03-11 15:35:07 <@jflory7:fedora.im> That's you! 😉 
2026-03-11 15:35:15 <@jflory7:fedora.im> The Council is "co-signing" the policy
2026-03-11 15:35:29 <@jspaleta:fedora.im> we dont NEED to.  he wants broad leadership.. council and fesco
2026-03-11 15:35:42 <@jspaleta:fedora.im> so im making the opportunity for that to happen here
2026-03-11 15:35:44 <@jflory7:fedora.im> I don't think I need to approve this Magazine article personally, we are all on the same page here generally and the details have been discussed among us already. This is about moving the conversation into community
2026-03-11 15:35:48 <@jspaleta:fedora.im> if we dont want to.. fine
2026-03-11 15:35:55 <@jflory7:fedora.im> Well, I am in support! Let's go!
2026-03-11 15:36:02 <@jflory7:fedora.im> No discussion needed from me 🙂 Let's just get it done
2026-03-11 15:36:11 <@bookwar:fedora.im> I think Council should provide support on this change, even if just moral. So let's get that draft and help if we can
2026-03-11 15:37:03 <@jflory7:fedora.im> !info Note, it was clarified that there are actually _two_ articles being discussed. One is a general Fedora Magazine article, announcing the intent to sunset Pagure.io, the ongoing discussion about Fedora Forge usage policy, and the Flock 2026 timeline. The other article is a Community Blog article, which is the Policy Change Policy process for adopting a new Fedora Forge Usage Policy.
2026-03-11 15:37:23 <@jflory7:fedora.im> !idea Fedora Forge Usage Policy may need to go into Fedora Legal docs instead of Fedora Council policy docs; will revisit
2026-03-11 15:37:32 <@jflory7:fedora.im> Also, do we need RH Legal input on the policy text?
2026-03-11 15:37:41 <@jflory7:fedora.im> That might be something to consider before running the CommBlog article
2026-03-11 15:38:09 <@jspaleta:fedora.im> do we have legal opinion concerning pagure right now documented?
2026-03-11 15:38:37 <@jflory7:fedora.im> !action @jspaleta Work with @humaton to draft a Fedora Magazine article by Friday morning, 13 March 2026, to deliver to the Fedora Magazine editors for early-week publishing in the week of March 16th
2026-03-11 15:39:07 <@jflory7:fedora.im> !action @jspaleta In the week of March 16th, work on the Community Blog article draft for the policy change policy discussion in the community about the Fedora Forge usage policy
2026-03-11 15:39:33 <@jflory7:fedora.im> Good question. I presume we have something? But the answer is probably in Fedora Infrastructure. We don't have existing Fedora Legal docs today for Pagure.io policy.
2026-03-11 15:39:46 <@jspaleta:fedora.im> I dont want to borrow trouble
2026-03-11 15:39:53 <@jflory7:fedora.im> You might have to do some historical digging with people like Kevin Fenzi and Paul Frields
2026-03-11 15:40:00 <@jspaleta:fedora.im> if we have legal documentation concerning pagure use.. we should rely on that
2026-03-11 15:40:04 <@jflory7:fedora.im> There is an answer, but I don't know it
2026-03-11 15:40:12 <@jspaleta:fedora.im> and understand if we are stepping over the bounds of that document
2026-03-11 15:40:44 <@jflory7:fedora.im> I get a hunch that this might be it 🙂 
2026-03-11 15:40:45 <@jflory7:fedora.im> !link https://pagure.io/about/
2026-03-11 15:41:46 <@jflory7:fedora.im> Do we have anything else to discuss here?
2026-03-11 15:41:53 <@jflory7:fedora.im> I think the actions are clear
2026-03-11 15:41:58 <@jflory7:fedora.im> There is a Fedora Magazine article urgently coming
2026-03-11 15:42:12 <@jflory7:fedora.im> I won't be able to review, I am on PTO Thursday and Friday this week, but I trust y'all to get this done 👍️
2026-03-11 15:42:36 <@jflory7:fedora.im> Last call, git forge policy or Pagure.io topics?
2026-03-11 15:42:57 <@jflory7:fedora.im> ## Fedora Forge usage policy & Pagure, going once…
2026-03-11 15:43:10 <@jflory7:fedora.im> ## Fedora Forge usage policy & Pagure, going twice…
2026-03-11 15:43:25 <@jflory7:fedora.im> ## Fedora Forge usage policy & Pagure, going thrice…
2026-03-11 15:43:40 <@jflory7:fedora.im> 💥
2026-03-11 15:43:48 <@jflory7:fedora.im> !topic Ticket #559: The EU CRA Stewardship and Readiness proposal for Fedora community
2026-03-11 15:43:54 <@jflory7:fedora.im> !link https://forge.fedoraproject.org/council/tickets/issues/559
2026-03-11 15:46:32 <@jflory7:fedora.im> Hmm, so, the ticket is more a theory of collaboration than an actual statement of worj
2026-03-11 15:46:37 <@jflory7:fedora.im> Hmm, so, the ticket is more a theory of collaboration than an actual statement of work.
2026-03-11 15:46:51 <@jflory7:fedora.im> I think the theory is sound and good, but it does not really cover the actual work needed to be done.
2026-03-11 15:46:53 <@churchyard:fedora.im> I skimmed trouh it and I am not sure what is expected of us
2026-03-11 15:46:56 <@bookwar:fedora.im> For me with CRA it is still not clear whether Fedora Project is a separate entity, or is a tool/framework for implementation of the Red Hat's role as a Steward.
2026-03-11 15:46:56 <@jflory7:fedora.im> I know some of this will be uncovered as we go
2026-03-11 15:47:27 <@bookwar:fedora.im> The text in the ticket doesn't make difference between Fedora Project and Red Hat and I think it is a mistake
2026-03-11 15:48:00 <@jspaleta:fedora.im> Okay I garuntee this ticket is in response to internal discussions we've been having inside of Red Hat about the CRA and their role as steward for projects like Fedora in the language of that legislation
2026-03-11 15:48:01 <@jflory7:fedora.im> So, I am not a lawyer and this is not legal advice, but I believe that there is no "separate entity" for Fedora since we a project legally funded and registered to Red Hat. The trademarks for the project are owned by Red Hat, the infrastructure is largely hosted by Red Hat, so to EU regulators, Fedora is closely tied to Red Hat
2026-03-11 15:48:30 <@jflory7:fedora.im> For sure. It is a fair point to mention that me and Jef have been speaking internally with CRA folks for a bit now, and we are trying to think through the ideal process for working in Fedora
2026-03-11 15:48:51 <@jflory7:fedora.im> There was some discussion I needed to catch up on from SCaLE during last week, which led to this ticket, so I am running a bit behind on context
2026-03-11 15:49:11 <@jflory7:fedora.im> So, there is, but Red Hat assumes some legal obligations as the "Steward" of Fedora
2026-03-11 15:49:22 <@jflory7:fedora.im> Fedora needs some legally-accountable anchor in the EU policy space
2026-03-11 15:49:41 <@jflory7:fedora.im> s/some legal obligations/all CRA legal obligations/
2026-03-11 15:49:56 <@bookwar:fedora.im> Afaik Red Hat can be a Steward without Fedora Council involved.
2026-03-11 15:49:58 <@jspaleta:fedora.im> In those discussions i said that we need to start having public discussions about this because ultimately a lot of what stewards do are best practices around security.. and its not clear at all what is actually legally required..or even if we technically need a steward. My interpreation of the conversation is Red Hat is offering to be our project steward so we can be a best practices citizen in the context of the CRA
2026-03-11 15:50:19 <@jflory7:fedora.im> Well, I think there will be discussions we need to have about security processes, which unfortunately was not really spelled out in the ticket
2026-03-11 15:50:44 <@jflory7:fedora.im> The ticket is more of a theory of change for me, which I am supportive of… but I want the proposed actions and tangible, concrete things we can expect to happen as part of this process
2026-03-11 15:50:52 <@bookwar:fedora.im> Security processes of Red Hat as a Steward, not Fedora as a project
2026-03-11 15:50:56 <@pboy:fedora.im> I'm not sure it it is relevant for Fedora at all. We have thousends of volunteer projects in Europe. Some are operating as a "registered foundation" others are not. Do we know how SusE / OpenSuSe will handle that? 
2026-03-11 15:51:07 <@jflory7:fedora.im> There were some unfinished conversations about Red Hat Product Security wanting to help and get more involved in Fedora to fulfill Red Hat's legal obligations as Open Source Steward of Fedora
2026-03-11 15:51:18 <@jspaleta:fedora.im> ulltimately stewards function to set down policy that must be abided by.  Right now we dont have a governance model that anticipates that
2026-03-11 15:51:41 <@jflory7:fedora.im> I hope we can leverage the volunteered time by cybersecurity folks at Red Hat to spend some time in Fedora, but it does not seem like we, or the ticket, is ready to discuss that yet
2026-03-11 15:52:06 <@bookwar:fedora.im> The situation is (one possible interpretation): Fedora Project is a FOSS software not offering commercial services, so it doesn't need to have a stance with respect to CRA. Red Hat uses Fedora code to provide commercial services. As such Red Hat has steward obligations towards Fedora.
2026-03-11 15:52:29 <@jflory7:fedora.im> I hypothesize SUSE employees and lawyers are openSUSE is having similar conversations too. I don't think we are alone in this at all
2026-03-11 15:52:42 <@jflory7:fedora.im> I hypothesize SUSE employees and lawyers are similar conversations about openSUSE too. I don't think we are alone in this at all
2026-03-11 15:53:12 <@bookwar:fedora.im> Steward's policy is set on their own stewards workflows. SO it says "Red Hat security folks must report all downstream CVEs to Fedora within 2 days". It doesn't say, Fedora as a FOSS project must react to reported CVEs within 2 days"
2026-03-11 15:53:15 <@jspaleta:fedora.im> Ive had a sidebar discussion with someone from the Eclipse foundation... individual projects are feeling pressure to get inside of a foundation that can act as a stewerd... its a weird situation. because under the law its actually not clear that projects can say no if some vendor that depends on them says they want to be a project steward. 
2026-03-11 15:53:49 <@jflory7:fedora.im> Hmmm, I am not a lawyer, but I don't think the first interpretation is the one being interpreted in the policy space. But I think the fact that this is unclear _to us_ means it will be unclear to the community, and therefore, we need a more concrete proposal in this ticket to know what we are voting.
2026-03-11 15:53:59 <@jflory7:fedora.im> I can take the action to deliver this feedback in the Forgejo ticket.
2026-03-11 15:54:07 <@jflory7:fedora.im> If we agree that this action makes sense as a next step
2026-03-11 15:54:14 <@jflory7:fedora.im> Because I don't think we have anything to vote on today
2026-03-11 15:54:24 <@jflory7:fedora.im> This is a collaboration theory, not a proposal of changes
2026-03-11 15:54:42 <@jflory7:fedora.im> I think we want the collaboration, but let's get into the details of what actually is being proposed to change
2026-03-11 15:54:44 <@jspaleta:fedora.im> that is an interpretation and one I'm currently leaning on. But utilimately if we were to have a steward they are only going to be effective if projects adopt practices. 
2026-03-11 15:56:06 <@jonatoni:fedora.im> in the ticket they have asked for feedback + time from our next Council meeting to join and answer any questions we might have, so maybe we can invite them in our next meeting?
2026-03-11 15:56:29 <@jflory7:fedora.im> Security processes for Red Hat to be able to legally speak to EU policy regulators about security status of Fedora components. I don't think we want EU regulators pursuing individual packagers, not that I think they would even know how to do that, but I think the risk we are trying to avoid is removing policy liability from individual contributors to Red Hat, the business entity
2026-03-11 15:56:40 <@jflory7:fedora.im> Nice idea
2026-03-11 15:56:45 <@jflory7:fedora.im> I think a video meeting could work well for this format
2026-03-11 15:56:50 <@bookwar:fedora.im> They can fulfill their obligations by the EU law without us as a project enforcing policies on volunteers maintaining Fedora packages. And I think this is the direction I want it to go. It is also what CRA is for: setting requirements on those who profit from FOSS, not for those who do it
2026-03-11 15:56:55 <@jflory7:fedora.im> The topic is really big, it is a very new thing, and I know we all must have questions
2026-03-11 15:57:17 <@jflory7:fedora.im> And obviously, there are lots of questions about how much Fedora is tied into all of this, and I think we need some CRA experts on the line to help us dig into this
2026-03-11 15:57:18 <@bookwar:fedora.im> There is no need to speak to EU about security of Fedora components
2026-03-11 15:57:34 <@jspaleta:fedora.im> So right now the way im viewing this is for Fedora.. a steward fits in as an advisory capacity that can _help_ us adopt best practices around security. Its up to us to decide how far deep into the practices bucket makes sense for us to adopt.
2026-03-11 15:57:36 <@bookwar:fedora.im> EU doesn't care about Fedora components and their security because it is not a commercial offering
2026-03-11 15:57:44 <@jflory7:fedora.im> I have been led to believe this is not entirely true, at least not for Red Hat
2026-03-11 15:58:00 <@jflory7:fedora.im> The connection into the commercial products is what I think an expert needs to help us better understand
2026-03-11 15:58:09 <@bookwar:fedora.im> EU cares that when Red Hat creates commercial offering out of Fedora components and that commerical offering has security issues, those issues are reported upstream to Fedora.
2026-03-11 15:58:19 <@jflory7:fedora.im> So, I could take an action item to follow up on the ticket with our questions and doubts, and to schedule a video Council meeting.
2026-03-11 15:58:32 <@jflory7:fedora.im> I don't know if we want to take over the next Council meeting as a video meeting, but we could schedule something separately.
2026-03-11 15:58:41 <@bookwar:fedora.im> That's responsibility on Red Hat to disclosure stuff, not on Fedora  to fix the stuff diclosured
2026-03-11 15:58:42 <@jflory7:fedora.im> It doesn't have to be our usual Council meeting slot, especially since we don't meet weekly anymore
2026-03-11 15:58:52 <@jspaleta:fedora.im> i dont think there is anywhere near enough clarity on that.  If that were true, foundatins like eclipse would be giving this a yawn.
2026-03-11 15:59:08 <@jflory7:fedora.im> Right! Disclosure/reporting seems to be the biggest load that I can see, but yeah, I think we need more discussion and our meeting slot ends in one minute 🙂 
2026-03-11 15:59:31 <@jflory7:fedora.im> I don't see as much, so far, about actually _fixing_ things, but it seems like being able to _speak_ about the state of things is part of the compliance puzzle
2026-03-11 15:59:37 <@jflory7:fedora.im> But I am not a lawyer and this is not legal advice 😛 
2026-03-11 15:59:45 <@jflory7:fedora.im> OK, we are pretty much at the hour…
2026-03-11 15:59:50 <@jflory7:fedora.im> Let me write those actions, then we can wrap
2026-03-11 16:00:12 <@jflory7:fedora.im> Oh, heh, and we also need to fix the meeting time zone stuff
2026-03-11 16:00:20 <@bookwar:fedora.im> I have a contact for a person from German BSI or smth who offered to talk about CRA for us. I do want us to talk about CRA from the perspective of the FOSS project and not from a perspective of Red Hat legal.
2026-03-11 16:00:30 <@pboy:fedora.im> Under European law, voluntary, non-profit-oriented services do not give rise to any claims or claims for damages, except in cases of gross negligence.
2026-03-11 16:00:39 <@jflory7:fedora.im> !action @jflory7 Comment on Ticket #559 to clarify the general reaction, questions, and thoughts by the Council on CRA compliance in the context of Fedora Project and Red Hat's responsibilities as Open Source Steward.
2026-03-11 16:00:57 <@pboy:fedora.im> So, Fedora packagers are not a tarbget.
2026-03-11 16:01:07 <@jflory7:fedora.im> !action @jflory7 Pitch a Fedora Council Video Meeting sometime in March to invite the CRA folks to come and discuss this topic with the Fedora Council and Fedora community
2026-03-11 16:01:19 <@jspaleta:fedora.im> Just to be clear the practises coming up in these discussion are not invented by Red Hat.. there is work going on to establish practices that foundations can adopt and I expect they will adopt.  We shouldnt be out of step with the security practises of things like the Eclipse foundation.
2026-03-11 16:01:33 <@jflory7:fedora.im> Peter Boy (ServerWG, Docs): One tricky aspect to consider is that Fedora is not a nonprofit, a legal entity, or anything. Fedora is a logo, a registered trademark, owned by a commercial, for-profit company.
2026-03-11 16:01:44 <@jflory7:fedora.im> Of course, this is not the full picture 🙂 
2026-03-11 16:01:47 <@jflory7:fedora.im> As we all know
2026-03-11 16:01:55 <@jflory7:fedora.im> But regulators have one idea and we may have another
2026-03-11 16:01:59 <@jflory7:fedora.im> Anyways, the actions are all set!
2026-03-11 16:02:07 <@jflory7:fedora.im> I think we will have an engaging follow-up here later in March
2026-03-11 16:02:20 <@jflory7:fedora.im> !halp Council members, please add your CRA-related questions to Ticket #559 in the meantime
2026-03-11 16:02:25 <@jflory7:fedora.im> Let's wrap up here.
2026-03-11 16:02:30 <@jflory7:fedora.im> Thanks folks for your attention today!
2026-03-11 16:02:40 <@churchyard:fedora.im> see you
2026-03-11 16:02:42 <@jflory7:fedora.im> Let's figure out the time zone stuff for the next meeting in #council:fedoraproject.org.
2026-03-11 16:02:46 <@jflory7:fedora.im> Bye! 👋
2026-03-11 16:02:48 <@jflory7:fedora.im> !endmeeting