#fedora-meeting log

21:00:24 <tdawson> #startmeeting EPEL (2022-02-23)
21:00:24 <zodbot> Meeting started Wed Feb 23 21:00:24 2022 UTC.
21:00:24 <zodbot> This meeting is logged and archived in a public location.
21:00:24 <zodbot> The chair is tdawson. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
21:00:24 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
21:00:24 <zodbot> The meeting name has been set to 'epel_(2022-02-23)'
21:00:24 <tdawson> #meetingname epel
21:00:24 <tdawson> #chair nirik tdawson pgreco carlwgeorge salimma dcavalca
21:00:24 <tdawson> #topic aloha
21:00:24 <zodbot> The meeting name has been set to 'epel'
21:00:24 <zodbot> Current chairs: carlwgeorge dcavalca nirik pgreco salimma tdawson
21:00:33 <pgreco> .hi
21:00:34 <zodbot> pgreco: pgreco 'Pablo Sebastian Greco' <pablo@fliagreco.com.ar>
21:00:48 <dcavalca> .hi
21:00:48 <zodbot> dcavalca: dcavalca 'Davide Cavalca' <dcavalca@fb.com>
21:00:51 <tdawson> Hi pgreco
21:00:53 <carlwgeorge> .hi
21:00:55 <zodbot> carlwgeorge: carlwgeorge 'Carl George' <carl@redhat.com>
21:00:58 <tdawson> Hi dcavalca
21:01:01 <salimma> .hello
21:01:01 <zodbot> salimma: (hello <an alias, 1 argument>) -- Alias for "hellomynameis $1".
21:01:03 <tdawson> Hi carlwgeorge
21:01:05 <salimma> .hi
21:01:06 <zodbot> salimma: salimma 'Michel Alexandre Salim' <michel@michel-slm.name>
21:01:09 <tdawson> Hi salimma
21:01:11 <rsc> .hello robert
21:01:12 <zodbot> rsc: robert 'Robert Scheck' <redhat@linuxnetz.de>
21:01:24 <dherrera> .hi
21:01:25 <zodbot> dherrera: dherrera 'None' <dherrera@redhat.com>
21:01:26 <tdawson> Hi rsc
21:01:32 <tdawson> Hi dherrera
21:02:12 <Ebeneezer_Smooge> hllo
21:02:32 <tdawson> Hi Ebeneezer_Smooge
21:02:34 <nirik> morning
21:03:12 <tdawson> Morning nirik
21:04:46 <Ebeneezer_Smooge> so we are all wondering why you called us here together.. and why there is a knife sticking in the back of carlwgeorge
21:05:13 <tdawson> *laughs*
21:05:24 <tdawson> #topic EPEL Issues
21:05:24 <tdawson> https://pagure.io/epel/issues
21:05:24 <tdawson> https://pagure.io/epel/issues?tags=meeting&status=Open
21:06:04 <tdawson> I think carlwgeorge is tough enough to handle a knife or two in his back.
21:06:19 <tdawson> but lets start with what hopefully will be the shorter issue
21:06:23 <tdawson> .epel152
21:06:35 * carlwgeorge chuckles
21:06:52 <tdawson> https://pagure.io/epel/issue/152
21:07:15 <tdawson> last week this was able to be successfully tested.
21:07:34 <nirik> cool.
21:07:39 <tdawson> imagemagick built on all arches using the libRaw-epel build that was only for some arches
21:08:01 <nirik> so imagemagick on x86_64 installs the libraw from stream right?
21:08:51 <tdawson> nirik correct
21:09:09 <pgreco> builds from -epel, installs from the original one
21:09:18 <nirik> great. Glad it all works. I hope we don't cause too much work for rhel/stream maintainers. ;)
21:10:05 <tdawson> Getting imagemagick in epel9 unblocked two of my packages.  I was happy for that.
21:10:16 <salimma> if/when they want to ungate the devel packages I'm sure we're happy to retire libRaw-epel :)
21:10:28 <nirik> pgreco: it doesn't even build from epel one on x86_64
21:10:30 <Ebeneezer_Smooge> now I just need to work on getting pandoc in <cries>
21:11:00 <tdawson> Oh ... pandoc is the legend of nightmares ...
21:11:00 <pgreco> nirik, right, on the specific arches only
21:11:14 <salimma> Ebeneezer_Smooge: you're my hero if you do that, several packages now have docs disabled because of missing pandoc
21:11:31 <Ebeneezer_Smooge> yeah.. most of the packages I have for auto require it
21:11:37 * nirik waves Ebeneezer_Smooge on from a safe distance. :)
21:11:53 <Ebeneezer_Smooge> that said.. I am probably going to just say 'yeah sorry'
21:12:27 <tdawson> So, to finish up the arch ticket, I'll leave the missing arch parts in the documentation.
21:12:29 <Ebeneezer_Smooge> like getting fedpkg in.. it looks like it might as well be its own repo
21:12:50 <tdawson> Wait ... what I just said came out wrong.  In the new draft, I will have the missing arch parts in.
21:14:19 <tdawson> Anyway ... let's move on to the other issue
21:14:35 <tdawson> .epel 159
21:14:36 <zodbot> tdawson: Issue #159: Follow up on EPEL CVEs - epel - Pagure.io - https://pagure.io/epel/issue/159
21:15:03 <salimma> oh fun
21:15:29 <tdawson> salimma: You did some work on this, do you think we are at a point that we can discuss it properly?
21:15:31 <salimma> so yeah, last week I didn't have time to crunch the data, so it got delayed to today. The EPEL 7 state is indeed quite bad
21:16:08 <pgreco> wondering how many of the nodejs ones will be easier with the new nodejs16 there
21:16:22 <salimma> I think we can start discussing it now. the only missing data I've not computed is average bug age (p50, p90) per release
21:16:22 <salimma> Also, for the next time we do this (whether weekly or monthly) I want to start doing diffs to see if we make progress
21:16:55 <tdawson> Ya ... For nodejs, stephen just cut his losses and retired the old nodejs ... but it looks like he didn't close the CVE's.
21:17:31 <nirik> fedora isn't in super shape either. ;( Sadly there's a policy there thats not been implemented yet to retire things...
21:17:43 <salimma> any volunteer for helping to triage this? we can probably close many of these
21:17:59 <salimma> also on related note... do we know if the security team looks at epel*-next?
21:18:20 <carlwgeorge> i can take a stab at the syncthing one, via go sig membership
21:18:27 <salimma> nirik: on the Fedora side - will this be a releng or FPC thing?
21:18:56 <nirik> there was a policy, releng hasn't implemented it... let me find the ticket/issue
21:19:14 <tdawson> salimma: Would you be able to put your bugzilla search in the issue.  I'm curious how I would look up all the nodejs CVE bugs, as well as the chromium ones.
21:19:25 <nirik> https://pagure.io/releng/issue/7793
21:19:27 <salimma> tdawson: yes, one sec
21:19:47 <salimma> I'll put up the scripts too once they're ready, and the raw data JSON, but the query is simple enough. ugh, on my other laptop
21:20:03 <tdawson> I'm in the nodejs-sig, so I sorta feel obligated to help with those ones.
21:20:30 <Ebeneezer_Smooge> carlwgeorge, I would be interested in helping on this but I think we are going to need the equivalent of an activity day to focus efforts
21:20:44 * salimma sent a code block: https://libera.ems.host/_matrix/media/r0/download/libera.chat/e07796b304acbb3aec846199ab602963ca1f00f6
21:21:24 <tdawson> salimma: Cool, thanks.
21:22:15 <salimma> Ebeneezer_Smooge: activity day sounds good. double-plus-good if it involves a drinking game
21:23:03 <nirik> ha ha ha
21:23:14 <Ebeneezer_Smooge> From years of experience drinking games and CVE's tend to lead to bigger CVE's and bad headaches
21:23:22 <tdawson> *laughs*
21:23:54 <salimma> Ebeneezer_Smooge: nah, you just need to stop before your Ballmer peak :)
21:24:03 <tdawson> Part of me wants to send the list to the -devel list, but another part of me wants to wait until we've had a chance to go through things.
21:24:04 <salimma> agreed on the bad headaches though
21:25:09 <salimma> yeah, I wasn't sure if I should send it out yet. I'm hoping we have time to take a pass, and I'll also make my reporter generate a human-readable version of the report, and then we can report and say "yeah, things look bad, but it already improved quite a bit since we started looking!"
21:25:18 <Ebeneezer_Smooge> agreed.
21:25:24 <salimma> esp since... I don't want to know what Phoronix will say about this
21:25:43 <tdawson> Yep
21:25:45 <salimma> any idea on whether RH security takes a look at epel-next?
21:26:01 <salimma> in Bugzilla they're lumped together, so I'm not sure if that's already happening or not.
21:26:10 * nirik has no idea.
21:26:14 <tdawson> I have no idea
21:26:32 <tdawson> The good thing is that epel-next is fairly small.
21:26:40 <salimma> yeah
21:27:50 <nirik> seems like perhaps working on fedora and epel both could be a good thing...
21:28:03 <nirik> some things might need fixing in both, or the like
21:28:20 <nirik> but it's a big job I am sure.
21:28:25 <salimma> yeah, true. should I just change the script to also report on Fedora too?
21:28:30 <salimma> no reason it's EPEL only, after all
21:28:43 <salimma> probably report separately though
21:28:53 <tdawson> Ugg ... just looking at one of the nodejs bugs, all it has is the CVE, no extra information about even what version of nodejs it's against.
21:29:06 <salimma> on the Fedora side, I think more of the CVEs would actually just be mistriaged (maintainer upgrading without closing the bug, for instance)
21:29:33 <salimma> yeah, the CVE bugs are normally quite bad, for the ones assigned to me I normally look up the CVE on mitre
21:29:51 <salimma> the newer ones are quite good though. we just have a lot of super old bugs to clean up :(
21:31:07 <tdawson> Anything else on this?   Do people think bringing it up once a month is a good thing?  See how we do?
21:31:24 <Ebeneezer_Smooge> not from me. time to move on?
21:31:37 <tdawson> OK, old business
21:31:51 <tdawson> #topic Old Business
21:32:02 <salimma> yeah, once a month seems fine
21:32:13 <tdawson> pgreco: macros ... how are they coming?
21:32:26 <pgreco> I think I addressed Eighth_Doctor's comments today
21:32:38 <pgreco> waiting on re-review, progresss...
21:32:42 <tdawson> salimma: OK, I think I can do that.
21:32:50 <Eighth_Doctor> 👋
21:32:50 <tdawson> pgreco: awesome
21:33:46 <tdawson> That's getting close.
21:34:07 <Eighth_Doctor> pgreco: I left feedback that hasn't been addressed
21:34:12 <Eighth_Doctor> also left some new feedback just now
21:34:53 <pgreco> ack, I'll take a look
21:35:11 <tdawson> The only other old business I have is documentation ... I'm almost done with my second draft of the missing packages documentation.  I (hopefully) have gotten everyones comments addressed.
21:35:34 <tdawson> pgreco: Sorry, didn't mean to cut you off, anything else for the macros?
21:36:34 <tdawson> #topic EPEL-7
21:36:34 <tdawson> CentOS 7 will go EOL on 30 June, 2024
21:36:55 <pgreco> tdawson: no, that was it ;)
21:37:10 <tdawson> pgreco: Cool.  Thanks for your work on that.
21:37:22 <tdawson> Other than the CVE's, do we have anything for EPEL7 ?
21:38:12 <Ebeneezer_Smooge> not from me
21:38:14 <tdawson> #topic EPEL-8
21:38:43 <tdawson> I know that CVE's in epel8 came up the past couple of days, but I believe that package is now being addressed.
21:39:19 <tdawson> I'm also trying to get the epel8-playground repo cleared out.
21:39:42 <tdawson> I should have untagged everything before having the tags and targets removed ...
21:40:29 <nirik> do we really want to remove it entirely?
21:40:32 <tdawson> I've got a releng ticket open for that, but things would have been simpler if I did it in the other way around.
21:40:38 <nirik> shouldn't we archive it in case someone wants something from it?
21:40:44 <tdawson> nirik Well, I really just want an empty repo.
21:41:18 <tdawson> Yep, archiving would be good.
21:41:27 <nirik> I wonder how many people will show up and ask what happened...
21:41:28 <tdawson> right now it's sorta stuck in limbo.
21:41:36 <nirik> probibly not many
21:42:15 <Ebeneezer_Smooge> if they ask they get the same answer .. please subscribe to our newsletter to keep up with what is going on
21:42:36 <tdawson> Which reminds me ... I still need to send that email about saying it's gone.
21:43:05 <tdawson> I said I'd get that out yesterday, and didn't make it.
21:43:23 <Ebeneezer_Smooge> well you have until tomorrow. its only a day a waaaaaaay
21:43:47 <tdawson> tomorrow ... tomorrow ... it's always ... tomorrow ..
21:43:51 <nirik> The future moves into the past, with only a moment between. ;)
21:44:19 <tdawson> Anyway .... summary, -playground isn't quite dead yet.
21:44:27 <salimma> yesterday....
21:44:27 <tdawson> Anything else for EPEL8 ?
21:44:31 <salimma> is it undead?
21:44:39 <salimma> or mostly dead
21:44:45 <tdawson> mostly dead
21:44:56 <salimma> oh, not sure if we discussed this, but gflags has landed in cs8
21:45:04 <salimma> so it's unblocking some of my packages
21:45:07 <tdawson> But nobody better give it a chocolate covered pill.
21:45:14 <tdawson> salimma: Ya!!!
21:46:08 <tdawson> I'm going to move on to epel9 so we have time for open floor.
21:46:16 <tdawson> #topic EPEL-9
21:46:18 * nirik misread that as bzflag. :)
21:46:23 <carlwgeorge> by this time next week the c9s mirror that epel9 builds against will be frozen
21:46:37 <nirik> carlwgeorge: nice. :)
21:47:12 <tdawson> Here's hoping that my final missing package requests make it in before that freeze.
21:47:38 <salimma> ouch, time flies
21:47:52 <carlwgeorge> if it hasn't by now, i doubt it will make it, and thus probably not make it into rhel 9.0 either
21:48:32 <tdawson> carlwgeorge I'm the person who's putting those packages in .... there has been quite the flurry this past week.
21:48:39 <tdawson> Although, I don't touch CRB
21:48:39 <carlwgeorge> oh nice
21:49:04 <carlwgeorge> maintainers getting stuff in in the 11th hour
21:49:12 <Ebeneezer_Smooge> well good luck future-week tdawson. be kind to past tdawson who needs those packages
21:49:53 <salimma> it will be annoying if we can get packages in epel9-next (because the dependency is in c9s) but not in epel9
21:49:54 <tdawson> I just found one that needs to go into AppStream ... today  ... it has been very hard to not just put it in, but follow the documentation.
21:50:35 <tdawson> Anyway ... sorry for detracting.  Thanks for letting us know carlwgeorge
21:50:45 <carlwgeorge> salimma: no more than epel8-next and c8s today, so not a unique or even long lived issue :P
21:50:46 <tdawson> Anything else for epel9 ?
21:51:06 <carlwgeorge> i added caddy if anyone likes to use that
21:51:57 <tdawson> cool
21:52:06 <tdawson> #topic EPEL-Packaging-SIG
21:52:26 <dcavalca> I filed stalled package tickets for a bunch more things and got them built
21:52:34 <tdawson> Ya!!
21:52:36 <dcavalca> tpm-tools in epel9 is probably the most interesting/useful
21:52:50 <tdawson> I saw that there were quite a few stalled tickets that went through.
21:53:02 <dcavalca> this process seems to be working fairly well fwiw
21:53:18 <dcavalca> I also ended up filing a bunch of CRB tickets due to missing dependencies
21:53:28 <dcavalca> see https://bugzilla.redhat.com/show_bug.cgi?id=2057005 for a recent example
21:53:29 <nirik> I wish we could make it less manual, but it's a complex workflow
21:53:52 <dcavalca> salimma is working on automating some of the toil at least
21:54:32 <dcavalca> one package I was looking at is azure-cli, as we have an internal user that needs it
21:54:45 <dcavalca> but it looks particularly painful due to the large web of dependencies and the use of the new pyproject macros
21:54:53 <dcavalca> so I haven't filed a ticket for it yet
21:54:57 <tdawson> Yep.  Although the process is manual ... at least there is now a process.  Before it was alot of waiting, and pinging, and waiting some more.
21:55:15 * nirik nods
21:55:28 <dcavalca> oh also, I meant to ask, what should we do for cases like https://bugzilla.redhat.com/show_bug.cgi?id=2041315 where the maintainer engages but then just stops?
21:56:18 <tdawson> dcavalca: You can file a rel-eng ticket for that.   That's why we changed the wording to "no action" instead of "no resonse"
21:56:31 <dcavalca> got it, thanks tdawson
21:56:39 <carlwgeorge> dcavalca: i'm curious what's painful about the pyproject macros?  if anything would think they make things more robust, making sure no runtime deps are missing (as they are added as buildrequires automatically).
21:56:48 <tdawson> #topic General Issues / Open Floor
21:57:02 <dcavalca> carlwgeorge: https://bugzilla.redhat.com/show_bug.cgi?id=2044692 is the problem
21:57:08 <salimma> carlwgeorge: epel8 compatibility I think
21:57:26 <carlwgeorge> ah, yeah pyproject is epel9 only at this point
21:57:29 <dcavalca> the macros themselves are great, but we can't use them for epel8
21:57:29 <salimma> Miro was against it for the same reason the Rust macros also don't work on epel8
21:57:48 <salimma> IIRC even in epel9 there are slight issues with pyproject macros, though I think they're getting fixed (an older version got imported)
21:57:59 <tdawson> I do have one Open Floor item.   I won't be around for the next two weeks.  So I was wondering if someone would be willing to run the meeting ?
21:58:29 <carlwgeorge> i can if someone has a cheatsheet of the special commands i can follow
21:58:56 <tdawson> Yep, I can mail them, or paste them to you.
21:59:03 <carlwgeorge> or i'll read the logs from this one and reverse engineer them
21:59:40 <tdawson> Speaking of meetings ... carlwgeorge did you find a time for our "open door" meeting, or whatever we were calling it?
21:59:59 <carlwgeorge> oh yes, meant to bring that up
22:00:18 <carlwgeorge> my tentative plan is 1st wednesday of each month at 1700 UTC
22:00:39 <salimma> fixed to UTC, or with daylight saving?
22:01:10 * salimma just moved an internal meeting from 2nd wed to 1st wed because post-DST it will clash with Stream office hour, but looks like now it might clash with this :p
22:01:49 <Eighth_Doctor> I'm fine with that time
22:02:18 <pgreco> salimma: side note on the CVEs, looks like with a few tweaks, libvncserver from rawhide can be ported into epel7, if there is no soname bump
22:02:27 <tdawson> I'm fine with that time too.
22:02:48 <carlwgeorge> sorry salimma, that time seems popular :P
22:02:51 <salimma> so preferably for me we switch it to 1600 UTC once there's daylight saving (so it's fixed at 1200 ET / 900 PT), but I can also move my internal meeting
22:03:06 <salimma> yeah, it's the first slot that's not annoyingly early for me :)
22:03:17 <carlwgeorge> 1600 UTC won't work for us CPE folks
22:03:23 <salimma> pgreco: nice, want to do that?
22:03:39 <salimma> carlwgeorge: ah, your meetings are pinned to UTC, not allowing for DST?
22:03:41 <pgreco> I'm trying to minimize the tweaks and I'll ping you
22:04:06 * salimma wishes DST dies
22:04:24 <carlwgeorge> i think that CPE weekly meeting follows dst, but currently occurs at 1600 utc
22:04:31 <nirik> yeah, we have a team meeting at 16utc
22:04:52 <salimma> carlwgeorge: oh if it follows DST then no biggie
22:04:56 <carlwgeorge> it's probably pinned to ireland dst too, not usa
22:05:11 <carlwgeorge> so slight wrinkle, as if dst wasn't already annoying enough
22:05:17 <salimma> yeah, but that's only off by a week or so, so for monthly meetings hopefully we'll get lucky
22:05:22 <salimma> blame Bush :)
22:05:32 <tdawson> The joys of finding a good time
22:05:58 <pgreco> salimma: https://paste.centos.org/view/801f2a80
22:06:10 <carlwgeorge> for the most part, 1st wednesdays works pretty well with other community meetings
22:06:19 <carlwgeorge> time could slide back a bit but not really earlier
22:06:32 <carlwgeorge> and we can always adjust later if necessary
22:06:33 <tdawson> carlwgeorge Just go for what you have already planned this month.  Send out an email, blog, or whatever is appropriate.  and thank you.
22:06:46 <carlwgeorge> yup, blog incomming, will spam in the normal places
22:07:08 <tdawson> I'm needing to close this meeting.   Not really meaning to cut you off.
22:07:30 <tdawson> Thanks everyone for comming this week, for the good disucssions, and for carlwgeorge willing to run the meeting for the next two weeks.
22:07:36 <Ebeneezer_Smooge> thanks
22:07:44 <pgreco> thanks guys
22:07:50 <tdawson> I'll talk to ya'll in a few weeks.
22:07:52 <Ebeneezer_Smooge> have a good vacation tdawson
22:07:53 <nirik> thanks everyone
22:07:58 <tdawson> #endmeeting