21:00:25 <tdawson> #startmeeting EPEL (2022-02-16)
21:00:25 <zodbot> Meeting started Wed Feb 16 21:00:25 2022 UTC.
21:00:25 <zodbot> This meeting is logged and archived in a public location.
21:00:25 <zodbot> The chair is tdawson. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
21:00:25 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
21:00:25 <zodbot> The meeting name has been set to 'epel_(2022-02-16)'
21:00:25 <tdawson> #meetingname epel
21:00:25 <tdawson> #chair nirik tdawson pgreco carlwgeorge salimma dcavalca
21:00:25 <zodbot> The meeting name has been set to 'epel'
21:00:25 <zodbot> Current chairs: carlwgeorge dcavalca nirik pgreco salimma tdawson
21:00:26 <tdawson> #topic aloha
21:00:35 <rcallicotte> .hi
21:00:36 <zodbot> rcallicotte: rcallicotte 'Robby Callicotte' <rcallicotte@mailbox.org>
21:00:38 <davide> .hi
21:00:40 <zodbot> davide: Sorry, but user 'davide' does not exist
21:00:41 <pgreco> .hi
21:00:43 <zodbot> pgreco: pgreco 'Pablo Sebastian Greco' <pablo@fliagreco.com.ar>
21:00:47 <carlwgeorge> .hi
21:00:48 <zodbot> carlwgeorge: carlwgeorge 'Carl George' <carl@redhat.com>
21:01:20 <salimma> .hi
21:01:21 <zodbot> salimma: salimma 'Michel Alexandre Salim' <michel@michel-slm.name>
21:01:25 <davide> .hello dcavalca
21:01:27 <zodbot> davide: dcavalca 'Davide Cavalca' <dcavalca@fb.com>
21:01:46 * nirik is sort of here, but also has an outage
21:01:52 <tdawson> Hi rcallicotte
21:02:02 * davide is typing with a half dead eyboard
21:02:02 <tdawson> Hi pgreco
21:02:12 <tdawson> Hi carlwgeorge
21:02:22 <tdawson> Hi salimma
21:02:36 <tdawson> Hi davide (the real dcavalca)
21:02:40 * salimma waves to everyone
21:02:46 <tdawson> Hi partially here nirik
21:03:56 <salimma> is that a partial hi or a double hi to compensate ;)(
21:04:07 <rcallicotte> lol
21:04:11 <tdawson> :)
21:04:35 <Ebeneezer_Smooge> hrllo
21:04:58 <tdawson> Hi Ebeneezer_Smooge
21:05:36 <tdawson> #topic EPEL Issues
21:05:36 <tdawson> https://pagure.io/epel/issues
21:05:36 <tdawson> https://pagure.io/epel/issues?tags=meeting&status=Open
21:06:12 <tdawson> Hmm ... I thought we already re-visited the limited arch package policy
21:06:35 <tdawson> Let's do the pull request marked as meeting first.
21:06:37 <tdawson> https://pagure.io/epel/pull-request/156
21:06:45 <tdawson> Recommend retiring rawhide for EPEL-only packages
21:07:16 <davide> oh yeah, happy to change that as needed
21:07:19 <tdawson> carlwgeorge You marked that one for meeting.
21:07:50 <tdawson> Did you think that should be a "must" or that it shouldn't be included?
21:07:58 <carlwgeorge> hmm, i missed the follow up comments
21:08:27 <carlwgeorge> i think there was some uncertainty in irc about must vs should
21:08:42 <carlwgeorge> personally i'm fine with must
21:09:03 <tdawson> I'm ok with either, but I lean towards should
21:09:06 <salimma> if it's must then it's not really 'recommend' though
21:09:32 * nirik doesn't know why you would not do this...
21:09:41 <salimma> I'm ok with must
21:09:45 <carlwgeorge> if we don't have any know examples of when not to do it, i think must is better
21:09:56 <carlwgeorge> and we can always change it to should if we find things later
21:10:08 <salimma> right, and we can revisit when we have such a usecase (but in that case maybe it shouldn't have been -epel anyway)
21:10:08 <tdawson> True, I don't think there is a reason you wouldn't want to do it.
21:10:13 <davide> I can't really come up with a reason to have the rawhide branch in the epel-only case
21:10:18 <davide> so must is probably better
21:10:33 <davide> I can update the PR if that's the consensus
21:10:34 <salimma> oh, I guess eln
21:11:02 <salimma> but that's tricky, and the benefit of preventing branching is more anyway
21:11:07 <davide> how so?
21:11:08 <carlwgeorge> why would an epel-only package go into eln?
21:11:26 <salimma> and epel-only packages will probably need to be refactored significantly for every RHEL anyway
21:11:28 <tdawson> If it's adding packages that are never built in RHEL.
21:11:32 <salimma> not ELN itself, but ELN extras
21:12:08 <salimma> (whenever that comes into existence). but on balance, I'm still voting for 'must retire'
21:12:45 <Ebeneezer_Smooge> must
21:13:13 <rcallicotte> +1 for must retire
21:13:14 <tdawson> Ya, ELN extras is still a little ways out (hopefully soon), and we don't have anything yet that would need to go into it ... so at least for now, "must"
21:13:28 <tdawson> +1 must
21:13:30 <Ebeneezer_Smooge> If ELN changes greatly what spec files it uses for builds.. then revisit
21:13:42 <tdawson> Yep
21:13:43 <pgreco> I'm not sure it will make much of a difference for non-native English speakers, but I'll follow whatever is decided...
21:14:07 * Eighth_Doctor waves
21:14:24 <tdawson> Hi Eighth_Doctor
21:14:52 <tdawson> Sounds like we are in agreement.  davide do you mind changing the pull request?
21:15:02 <salimma> pgreco: hmm, if this causes issues for non-native speakers, maybe we should consider (Fedora as a whole) having some sort of legend box for common terminologies
21:15:23 <Ebeneezer_Smooge> pgreco, it is because we add the addendum https://datatracker.ietf.org/doc/html/rfc6919 in addition to RFC2119
21:15:30 <davide> yup, will do
21:15:56 <pgreco> salimma: what I mean is that the difference might be too subtle, that's why I'm not sure it will change much
21:16:20 <davide> I never got the impression that Fedora followed the strict RFC interpretation (SHALL MUST etc)
21:16:25 <pgreco> but I'm ok either way, no worries ;)
21:16:38 <davide> but if that's what we want, we should definitely have it documented somewhere
21:16:47 <davide> as I doubt many people even remember it exists these days
21:16:52 <salimma> yeah
21:17:11 * salimma has a topic to bring up for EPEL Packaging later
21:17:22 <tdawson> Moving on to the other thing tagged as "meeting"  https://pagure.io/epel/issue/152
21:17:26 <tdawson> .epel 152
21:17:27 <zodbot> tdawson: Issue #152: Revisiting policy for limited arch packages - epel - Pagure.io - https://pagure.io/epel/issue/152
21:18:04 <tdawson> I believe after the discussion, the discussion was going to move to the pull request on the policy
21:18:25 <tdawson> https://pagure.io/epel/pull-request/155
21:18:37 <tdawson> But that was never put into the ticket.
21:18:50 <tdawson> Am I remembering that correctly?
21:19:50 <salimma> I think nirik wanted to see this tested, and Conan Kudo was testing it on libraw
21:19:57 <salimma> libraw-epel, I mean. which is now built, right?
21:19:57 <Eighth_Doctor> it's out in EPEL now
21:20:01 <Eighth_Doctor> yes
21:20:03 <tdawson> Ah, that's right.
21:20:14 <Eighth_Doctor> the test dependency case is with ImageMagick, but it's stalled :(
21:20:35 <salimma> yeah, that's a few days away from a rel-eng escalation so we should be good by next week
21:20:36 <tdawson> https://koji.fedoraproject.org/koji/buildinfo?buildID=1915952
21:21:05 <salimma> (it's a bit confusing because the primary maintainer /did/ respond, commented that dependencies are not available yet, then hasn't responded since)
21:21:41 <tdawson> That get's a little frustrating when that happens.  It's happened to me at least once.
21:21:44 <carlwgeorge> same
21:22:18 <salimma> my packaging topic is actually related to this, so we can segue to it if people want
21:22:22 <salimma> or wait for that topic
21:22:52 <tdawson> So, I'm going to update the ticket saying that we are testing if we can do arch specific packages ...
21:23:04 <salimma> tdawson: +1
21:24:40 <tdawson> OK, sorry, had to type that in.
21:25:06 <tdawson> Then, let's leave that one for next week, or whenever we are able to test build ImageMagick
21:25:36 <tdawson> That brings us to ...
21:25:38 <davide> if we don't hear by Fri from the maintainer I'll file a stalled request for it
21:25:47 <tdawson> #topic Old Business
21:25:50 <davide> ImageMagick I mean
21:25:55 <tdawson> Yep
21:26:07 <tdawson> pgreco: I think you are the only one with old business ... at the moment
21:26:31 <pgreco> Eighth_Doctor: gave some feedback haven't had time to check it yet :(
21:27:01 <tdawson> Sounds good.  Feedback is progress, even if it isn't read yet :)
21:27:22 <tdawson> #topic EPEL-7
21:27:54 <tdawson> I didn't see any epel7 stuff this week ... did anyone else?
21:28:37 <tdawson> #topic EPEL-8
21:28:51 <Ebeneezer_Smooge> EPEL-7, you have 2 years until END of Life. Start PLANNING
21:28:57 <tdawson> :)
21:29:08 <Eighth_Doctor> man, it's already so close to the end?
21:29:14 <salimma> Conan Kudo mentioned that VFX folks are still mostly on 7 :(
21:29:18 <tdawson> Is it really just 2 years?  I was thinking three
21:29:20 <pgreco> Ebeneezer_Smooge: skipping 8 and going straight to 9, that's my plan :)
21:29:22 <rcallicotte> crazy huh?
21:29:26 <Ebeneezer_Smooge> EPEL-8, the great dive of usage happened on Feb 1st.
21:29:33 <salimma> I remember 2024 too and... man that's 2 years
21:29:38 <Eighth_Doctor> I got my job just shortly after RHEL 7 GA'd
21:29:48 <Ebeneezer_Smooge> [2022-02-16-16:29] <centbot> CentOS 7 will go EOL on 30 June, 2024 -- in 2 years, 19 weeks, 1 day, 2 hours, 30 minutes, and 22 seconds
21:29:53 <Eighth_Doctor> (I also lost my old job just before it GA'd)
21:29:59 <salimma> yeah, I remember getting a CentOS 7 tshirt for helping with our internal migration
21:31:18 <tdawson> Anything for epel8 ?
21:31:19 <davide> still have a box of those somewhere :)
21:31:39 <salimma> davide: we definitely need to make one for 9
21:31:43 <salimma> make it as spiffy as the RH ones
21:31:57 <davide> yup
21:32:07 <pgreco> salimma: I'm planning on being in SF soon, save one for me!!
21:32:21 <salimma> pgreco: I'm not in SF, tell Davide Cavalca that :D
21:32:46 <pgreco> yeah, I plan on doing so when I'm there ;)
21:32:48 * salimma will totally jump on a plane if only the kid is in pre-K already
21:33:02 <tdawson> And ... moving on
21:33:09 <davide> pgreco: sure, I'll try to find where it ended up when I go to the office
21:33:09 <tdawson> #topic EPEL-9
21:33:30 <pgreco> davide: office? what's that? ;)
21:33:35 <Ebeneezer_Smooge> tdawson, I had something for EPEL-8
21:33:41 * davide is filing a bunch more branch requests for 9 as usual
21:33:44 <Ebeneezer_Smooge> bt it can wait until new bus
21:33:45 <carlwgeorge> I've got some fun stats for 9
21:33:48 <salimma> EPEL9: anyone knonws much about dwarf?
21:34:07 <Ebeneezer_Smooge> start with carlwgeorge
21:34:36 <carlwgeorge> epel9 is on pace to have more srpms than c9s in 3 weeks, and more than epel8 by June (assuming the current pace is sustained)
21:34:49 <rcallicotte> nice
21:35:09 <salimma> in F36+ libdwarf now has a sane versioning system (which means epoch). that version... fails some tests on epel9. I'm going to just use the F35 spec unless anyone wants to take a look first
21:36:55 <tdawson> salimma: Isn't dwarf already in RHEL ?
21:37:07 <tdawson> carlwgeorge Very cool :)
21:37:28 <Ebeneezer_Smooge> i think it is a different type of dwarf format
21:38:02 <davide> iirc F34+ uses dwarf5
21:38:04 <tdawson> Ah ... ok.  And, I don't see it in RHEL9, so ... nice.
21:38:11 <davide> so I'd assume RHEL 9 inherited it too]
21:38:17 <salimma> surprisingly it's not
21:38:18 <salimma> yeah
21:38:33 <salimma> or something is wrong because I did check and the fedpkg request-branch also succeeded :)
21:39:15 <tdawson> Nope, I'm not seeing it anywhere.
21:39:40 <tdawson> Not even as sub-packages.
21:39:56 <salimma> I'm going to try and see if rawhide's libdwarf also fails to pass its tests on f34, if so, then I'll just use f34/35's older libdwarf
21:40:24 <tdawson> carlwgeorge How many source packages are in CentOS Stream 9 ?
21:40:32 <salimma> I only started needing it recently, turns out when Meta's folly lib is built without libdwarf, some functionality needed by some dependent packages are not there
21:40:41 * salimma not looking forward to it being renamed to molly
21:41:02 <Eighth_Doctor> ...
21:41:24 <tdawson> Well, we have two different subjects we need to get to, so I'm going to move on.
21:41:32 <Ebeneezer_Smooge> sounds good
21:41:35 <tdawson> #topic EPEL-Packaging-SIG
21:41:56 <carlwgeorge> tdawson: 1907
21:42:01 <tdawson> salimma: You said you had something with the sig?   Or was it actually the dwarf thing ?
21:43:35 * tdawson never knows if we lost someone, or they are just typing a long sentance.
21:44:07 <Ebeneezer_Smooge> I think it was needing some packages that were in review
21:44:17 <salimma> yup
21:44:28 <salimma> this is related to ImageMagick, but I think it's a wider topic
21:44:46 <salimma> sorry, switched away to a different room and lost track
21:45:19 <salimma> ImageMagick (and I bet a lot of other packages, but I didn't have time to grab the numbers) seem to have a lot of open CVEs on EPEL 7
21:45:44 <Ebeneezer_Smooge> yep that is probably true
21:46:16 <salimma> is this... something we need to watch more carefully? and in what circumstance is it actionable (e.g. can we decide to retire them if the maintainer doesn't pay attention, or update it without needing a provenpackager)
21:46:51 <Ebeneezer_Smooge> normally I look at the kind of CVE's. I used to get bugged by Red Hat security and would get someone to proven package them
21:46:51 <tdawson> I think it depends on the severity of the CVE's.
21:47:41 <Ebeneezer_Smooge> we normally give EPEL packages the same level as RH packages. For EL7, if it is greater than moderate, then it needs to be fixed. If it is less or equal to moderate, meh
21:47:49 <salimma> do the auto-filed bugs map the severity to the bug severity? if so we can easily do a query for the severe ones
21:48:03 <Eighth_Doctor> ImageMagick just grows CVEs like crazy, it feels like a package that needs epel-packager-sig care to better hope for maintenance
21:48:23 <Eighth_Doctor> esp given what's going on right now with existing epel branches
21:48:27 <salimma> yeah so in a way the maintainer not responding is the best scenario here
21:48:33 <salimma> because that makes it more likely we get access
21:48:54 <salimma> so yeah, I volunteer to do a 'security watch' update next week and we can see how that goes
21:50:00 <davide> it'd be useful to  have some automation around this I think
21:50:11 <davide> like, reporting on packages in EPEL with CVEs open for more than X weeks
21:50:32 <tdawson> Well, like Ebeneezer_Smooge said, it would need to be above a medium ...
21:50:55 <rcallicotte> how would one query for that? datagrepper? another tool?
21:50:58 <salimma> yeah, I'll limit it to high for now
21:51:05 <salimma> we can see about automating if the result is useful
21:51:11 <tdawson> I'm looking at the two I have, and they are both marked priority "Medium" ... but I don't know if that's just cuz that's the default, or if that's what the CVE is set to.
21:51:34 <salimma> hmm. we need to find a really bad CVE like polkit, let's see
21:52:03 <salimma> oh wow polkit has another CVE update? https://bodhi.fedoraproject.org/updates/FEDORA-2022-353b7254fd
21:52:35 <davide> yeah I was mostly thinking about getting the data to see how much of a problem this really is
21:52:45 <davide> and then once we have that, we can think about potential mitigations
21:52:48 <salimma> https://bugzilla.redhat.com/show_bug.cgi?id=2045563
21:52:54 <salimma> severity and priority do seem to be higher on this
21:53:05 <davide> I wouldn't be opposed to using this as a lever for getting epel-packaging-sig into more packages
21:53:09 <Ebeneezer_Smooge> tdawson, I normally go look up the CVE itself and check
21:53:31 <tdawson> Hum ... both of polkit's CVE's are marked as medium ... so that must be the default.   so searching on that isn't a good thing.
21:53:57 <tdawson> salimma or davide Do either of you mind creating an issue for this?
21:54:22 <salimma> the bugzilla is OK though. priority urgent, severity high (for the older privilege escalation CVE)
21:54:30 <salimma> the bodhi update is for the newer CVE, ignore it
21:54:32 <salimma> yeah, I can file an issue
21:54:43 <tdawson> salimma: Thanks
21:54:46 <salimma> is it 'follow up on EPEL CVEs' basically?
21:55:14 <tdawson> salimma: Basically, so we can work on some type of policy and/or automation and/or scripts.
21:56:01 <tdawson> I don't want to downplay this, but I'm going to move on cuz someone said they had something for open floor
21:56:04 <tdawson> #topic General Issues / Open Floor
21:56:11 <salimma> https://pagure.io/epel/issue/159
21:56:16 <tdawson> Ebeneezer_Smooge: Did you have something ?
21:56:20 <tdawson> salimma: Thank You
21:56:22 <salimma> tdawson: yeah, we don't have raw data yet so we should follow up anyway
21:56:50 <Ebeneezer_Smooge> basically it was the opposite of good statistics..
21:57:14 <tdawson> Oh boy ... what is the opposite of good stats ?
21:57:36 <salimma> horrible fake news
21:57:42 <Ebeneezer_Smooge> On Feb 1st, about 600k CentOS systems stopped getting EPEL-8 updates and 500k systems (Amazon?) stopped getting EPEL-7 systems
21:58:00 <Ebeneezer_Smooge> s/EPEL-7 systems/EPEL-7 updates/
21:58:08 <rcallicotte> wowsers
21:58:10 <salimma> the EPEL-8 is expected, the EPEL-7.. what
21:58:18 <Ebeneezer_Smooge> the EPEL-8 was expected due to the deletion of CentOS 8, but the EPEL-7 I have no idea on
21:58:18 <carlwgeorge> dnf does repos alphabetically, appstream fails, it never hits epel
21:58:45 <carlwgeorge> for 7 perhaps a really large aws deployment was shut off
21:58:47 <tdawson> Hmm ... carlwgeorge and I had a theory that those epel7 machines are actually CentOS Linux 8 machines, but they are pointing at the epel7 repo to get some packages that aren't in epel8
21:59:02 <carlwgeorge> yeah, that too
21:59:32 <Ebeneezer_Smooge> I would need to double check on that as those would show up as dnf updates versus yum updates
21:59:39 <carlwgeorge> it's far too common for people to just add whatever repos (epel7 on el8, epel8 on el9, etc) and crossing their fingers
21:59:53 <tdawson> But it's still a rather large number.
21:59:54 * Eighth_Doctor grimaces
21:59:59 <salimma> ugh
22:00:00 <salimma> so wrong
22:00:02 <rcallicotte> I've seen it sa many times :(
22:00:04 <Eighth_Doctor> that sounds like Amazon Linux actually
22:00:09 <rcallicotte> so**
22:00:19 <Eighth_Doctor> I've heard of folks mixing EPEL 7 and EPEL 8 on AL systems
22:00:20 <Ebeneezer_Smooge> the third alternative is that they moved to Oracle Enterprise Linux and are using their EPEL
22:00:57 <Ebeneezer_Smooge> but in any case, expect a lot of vertical | in any charts at future events
22:01:02 <pgreco> I'm more inclined to believe it is C8 removal, but no idea what to make of epel7
22:01:27 <Eighth_Doctor> epel7 sounds like Amazon Linux 1 systems going away
22:01:45 <tdawson> Yep ... but at least verticle lines make people look closer ... see what's happening.
22:01:49 <Ebeneezer_Smooge> the 'funny' part was it happened on the same day
22:02:22 <Ebeneezer_Smooge> that said, there has been an uptick of C9stream and C8stream systems
22:02:44 <carlwgeorge> yeah the AL thing sounded most likely to me at first, but no reason that should happen on the same day as the c8 removal off the mirrors
22:02:54 <salimma> and.. nobody raised a stink?
22:03:26 <tdawson> Well people, it looks like our time is up
22:03:43 <Ebeneezer_Smooge> anyway, I wanted to let you know the bad news before it came out when someone looks at the public data
22:03:49 <tdawson> Thank you all for all your work, and the good discussion we had.
22:03:57 <dherrera> thx (and hi)
22:04:00 <tdawson> Ebeneezer_Smooge: Thanks
22:04:02 <rcallicotte> thanks
22:04:03 <salimma> thanks all
22:04:06 <tdawson> Hi dherrera
22:04:08 <salimma> thanks tdawson
22:04:09 <pgreco> talk next week, thanks all!!
22:04:11 <salimma> hi Diego Herrera !
22:04:12 <tdawson> Talk to ya'll next week.
22:04:20 <rcallicotte> ttyl!
22:04:20 <tdawson> #endmeeting