19:59:58 #startmeeting EPEL (2023-06-07) 19:59:58 Meeting started Wed Jun 7 19:59:58 2023 UTC. 19:59:58 This meeting is logged and archived in a public location. 19:59:58 The chair is tdawson. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions. 19:59:58 Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:59:58 The meeting name has been set to 'epel_(2023-06-07)' 20:00:00 #meetingname epel 20:00:00 The meeting name has been set to 'epel' 20:00:01 #chair nirik tdawson pgreco carlwgeorge salimma dcavalca dherrera gotmax23 smooge 20:00:01 Current chairs: carlwgeorge dcavalca dherrera gotmax23 nirik pgreco salimma smooge tdawson 20:00:03 #topic aloha 20:00:07 hello 20:00:07 .hi 20:00:08 carlwgeorge: carlwgeorge 'Carl George' 20:00:21 .hi 20:00:22 dherrera: dherrera 'Diego Herrera' 20:00:27 .hi 20:00:28 smooge: smooge 'Stephen Smoogen' 20:00:50 Hello smooge 20:00:55 Hi carlwgeorge and dherrera 20:02:45 morning 20:02:50 Morning nirik 20:04:21 Hmm ... a little light today ... is the matric / irc bridge working? 20:04:54 at the very least i'm on matrix rn 20:05:02 ¯\_(ツ)_/¯ who can say 20:05:05 seems fine 20:05:13 #topic End Of Life (EOL) 20:05:15 RHEL 7 / epel-7 will go EOL on 2024-06-30 20:05:16 CentOS Stream 8 / epel-8-next goes EOL in 2024-05-31 20:05:18 CentOS Stream 9 / epel-9-next goes EOL in 2027-05-31 20:05:36 #topic EPEL Issues https://pagure.io/epel/issues 20:05:37 https://pagure.io/epel/issues?tags=meeting&status=Open 20:05:42 for all matrix users please read the front page of 'https://libera.chat/' as the bridge is limited usage 20:05:44 .hi 20:05:45 jonathanspw: jonathanspw 'Jonathan Wright' 20:06:00 .hello salimma 20:06:01 michel-slm: salimma 'Michel Alexandre Salim' 20:06:24 Sporadic, need to pick up our kid from daycare soon 20:06:36 Hello michel-slm 20:06:43 .hello robert 20:06:44 rsc: robert 'Robert Scheck' 20:06:47 I'm around but still at lunch 20:07:07 So, we have several items for the meeting this week ... I'm going to try to do the ones I think are short first. 20:07:20 .epel 230 20:07:21 tdawson: Issue #230: old epel7/8 updates in testing - epel - Pagure.io - https://pagure.io/epel/issue/230 20:07:54 dherrera: You've made good progress on this ... anything you wanted to say and/or ask ? 20:08:18 I've been going through this slowly, I first queried the APIs and found that there are many updates that are related to obsolete projects 20:08:35 obsolete as in dead upstream? 20:08:38 there are also some that are related to retired projects that are not orphaned 20:08:42 I think unpushing/revoking all the orphaned ones makes sense. we shouldn't push orphaned packages out to stable. 20:08:46 *obsolete -> orphaned 20:08:51 * carlwgeorge nods 20:09:03 i agree with nirik 20:09:15 I do too 20:10:54 the list of orphaned ones are on the ticket, the rest i'm going through them 1 by 1, i've seen that some correspond to incompatible upgrades, so i'm sugesting to follow the process instead of waiting for kudos as the policy establishes, but since they have been stalled in there for years, IDK if we will get any answer 20:11:24 .hello ngompa 20:11:25 Eighth_Doctor: ngompa 'Neal Gompa' 20:11:43 Hello Eighth_Doctor 20:11:52 if everyone is ok unpushing all those listed ones, I can do that at some point... 20:12:43 dewit.gif 20:13:01 if listed = "orphaned packages that dherrera listed in the ticket" then yep, sounds good to me. 20:13:01 👍️ 20:13:08 dherrera++ 20:13:13 thanks for working on this 20:13:22 dherrera thanks 20:13:22 dherrera++ 20:13:22 tdawson: Karma for dherrera changed to 3 (for the release cycle f38): https://badges.fedoraproject.org/tags/cookie/any 20:13:26 yeah, thanks much! 20:13:27 dherrera++ 20:13:27 smooge: Karma for dherrera changed to 4 (for the release cycle f38): https://badges.fedoraproject.org/tags/cookie/any 20:13:30 dherrera++ 20:13:46 .hi 20:13:47 rcallicotte: rcallicotte 'Robby Callicotte' 20:13:54 Anything else before we move to the next issue? 20:13:59 question, should I list the retired packages ones that are not orphaned? 20:14:00 Hi rcallicotte and rsc 20:14:56 I've found a couple of those, but if they are more I might just filter them out 20:15:38 Ya ... if the package is retired, getting those unpushed would be good too. 20:15:55 +1 20:17:04 ok, just an example of one so we are on the same page https://src.fedoraproject.org/rpms/cherokee 20:17:17 thats all from me on this topic for today 20:18:05 Thank you very much 20:18:24 I think the next one that hopefully will be short is 20:18:33 .epel 233 20:18:34 tdawson: Issue #233: Drop reference to modules in recommendation re multiple versions - epel - Pagure.io - https://pagure.io/epel/issue/233 20:19:11 In short, our SCL page says to use modules. 20:19:30 so basically remove the mention of modules there? 20:19:37 i agree with your comment there, the right answer it following fedora's multiple guidelines 20:20:29 I was hopeing that someone could/would do a first draft of a re-write of the page. 20:20:32 i for one would like to see us go back to SCL's 20:20:38 yeah, but we might also mention the -epel path? 20:20:39 * smooge will see himself out 20:21:12 smooge: scl only looks "good" compared to modularity 20:21:31 I have to say, I do like the gcc-toolset way of using SCL's. It works fairly well. 20:22:06 But, I also feel the way I have in the ticket, we should follow what Fedora is doing. 20:22:13 .hello 20:22:13 neil: (hello ) -- Alias for "hellomynameis $1". 20:22:19 .hi 20:22:20 neil: neil 'Neil Hanlon' 20:22:34 If someone wants to get SCL's moving again, then work with Fedora, and we can follow their lead. 20:22:34 apologies for tardiness, busy week 20:22:36 i am just saying two methods walked into the Thunderdome, and one of them is still standing 20:22:39 Hi neil 20:22:47 *laughs* 20:23:11 barely standing, i believe gcc-toolset is the only one still going 20:23:30 but scl's arent really standing. ;) 20:23:34 yeah, that. 20:23:50 I think the new/current way is just compat packages (which of course has it's own issues) 20:24:03 Yep, and if you look at gcc-toolset, you'll notice they don't even use scl ... it's just scl-ish 20:24:16 this is a great precursor to what i think is the next topic 20:24:43 Anyway, does anyone want to do the first draft of a page re-write? 20:25:00 I'll do it if nobody else wants to, just want to give others a chance. 20:25:25 if it's not pressing, i can incorporate it into the big docs overhaul. if we want to clarify the existing stuff sooner, someone else should probably jump on it 20:26:03 I'd prefer it get done before the big doc overhaul ... and I'm not against doing it. 20:26:08 I'll take it then. 20:26:12 that'll work 20:26:30 OK, moving onto something that might take longer ... 20:26:53 .epel 227 20:26:54 tdawson: Issue #227: Modify incompatible upgrades policy to have fast-track for security updates - epel - Pagure.io - https://pagure.io/epel/issue/227 20:27:18 welp i guessed wrong 20:27:32 For the most part, most people have liked my draft 20:27:46 https://pagure.io/epel/pull-request/231 20:27:54 #link https://pagure.io/epel/pull-request/231 20:28:19 one thing that occurred to me... what about critical non security updates? :) 20:28:27 I do like carls re-wording, and I'm going to implement that. 20:28:40 nirik: Can you give an example? 20:28:44 ie, say a program has a bug that causes data loss. It's not a security issue (really)... 20:29:33 well severity isn't linked to type of update in bodhi 20:29:45 so I guess a high severity bugfix update is possible 20:29:45 but then it comes down to a judgement call... 20:29:55 right. 20:30:07 fwiw we can always grant exceptions past this policy, this is just the baseline really 20:30:16 Yep 20:30:27 yeah. agreed. I just thought I would bring that up since it occured to me. 20:31:05 like i would feel comfortable in nirik's data loss example to tell the maintainer to go ahead and build without waiting for a week of discussion or waiting for a meeting 20:32:02 sure, or we could even vote on exceptions out of meeting if it was time critical. 20:32:04 carlwgeorge's second comment is asking if things should just be for critical issues only, and not high severity. 20:32:14 Correct 20:32:21 troy asked me to show up with the definition of high 20:32:47 red hat's rating system doesn't actually have high, it has low/moderate/important/critical 20:32:49 https://access.redhat.com/security/updates/classification/ 20:33:11 nvd has high and it's based on a number scale (the cvss rating) 20:33:12 and as we have seen sometimes it takes a little while to rate. 20:33:15 https://nvd.nist.gov/vuln-metrics/cvss 20:33:49 red hat will also issue a cvss rating, that is usually similar but not necessarily identical to the nvd one 20:33:54 so under Redhat... Important = High... ish 20:34:09 that's my take, yes 20:34:19 red hat's cvss rating and it's overall rating are not directly linked, but of course the former influences the later 20:34:26 * nirik thniks this is getting overcomplex. ;) 20:34:56 example, here is a thunderbird update that scored 8.8 under both nvd cvss and rh cvss. but rh rated it as critical. https://access.redhat.com/security/cve/CVE-2022-1802 20:35:09 under nvd it was only high 20:35:45 my suggestion for the policy is that if either red hat or nvd rate the vulnerability as critical, the maintainer can do the bypass. but not important/high. 20:36:52 seems fine to me. I really don't expect this would be used all that often... 20:37:20 What about the idea of getting permission from one steering committee member. 20:38:12 if we word it as critical only from rh or nvd, then permission wouldn't be needed for those 20:38:44 and if it's not critical, then it can wait till the next meeting and doesn't need single committee member permission either 20:38:54 carlwgeorge: Correct ... but I was wondering about putting something in that covers niriks idea. 20:39:46 I also don't like the idea of "single committee members permission" 20:40:25 I think if we just document the case then it should be fine 20:40:27 we don't need to make this hard 20:40:27 this is all about permissionless cases 20:40:37 if we find someone abusing this, then we can deal with it then 20:40:51 but I'd rather just simplify people's lives ehre 20:40:51 *here 20:42:43 tdawson: compromise, we make the progress we can here on just the bypass for critical security stuff. leave the data loss scenario for a separate proposal. 20:42:57 (once someone can find a good way to put it into words) 20:43:13 carlwgeorge: I'm good with that. 20:44:07 I'll make the changes to this pull request with what everyones agree to. And I'll probrubly do a second pull request with what I have in my head. 20:44:53 Anything else before we move on? 20:45:39 OK, moving on 20:45:45 .epel 228 20:45:48 tdawson: Issue #228: Recommended way to follow new upstream releases in EPEL - epel - Pagure.io - https://pagure.io/epel/issue/228 20:45:58 i can speak to this one 20:46:47 there is another bz besides the linked review, but sadly it's private because it started as a rhel bug and has mentions of customers in it so we can't make it public 20:48:03 the gpsd software bumps library soname regularly. it's not clear if this is actually due to breaking changes or not, as the upstream commits have no additional details past "bumping soname". 20:49:03 epel9 has 3.23, but the maintainer wants to ship 3.25. he wanted to ship it as gpsd-latest, and myself and others discouraged that because the guidelines discourage it. 20:49:28 perhaps copr is a better fit here? 20:49:32 ugh, why are those guidelines still there? 20:49:42 In what way is it discouraged? 20:49:45 it's been suggested to ship gpsd3.25 (the fedora multiple naming pattern), or ship gpsd3.23 as a compat package and then update gpsd to 3.25 20:49:50 the -latest/-stable guidelines were written before we made versioned packaging guidelines 20:50:00 https://docs.fedoraproject.org/en-US/packaging-guidelines/Naming/#multiple 20:50:01 can we maybe ask FPC to drop them? 20:50:12 "Please also note that strings such as "-latest" can often become misleading over time if the package (in all active Fedora releases) is not kept updated with the latest upstream version." 20:50:32 nirik: that has also been recommended to the maintainer 20:50:51 we have only one active -latest package now: https://koji.fedoraproject.org/koji/packageinfo?packageID=30333 20:51:14 the maintainer doesn't want to do gpsd3.23/gpsd3.25 because he explicitly wants to break abi again and again 20:51:15 this package genuinely makes no sense to me, since xe-guest-utilities is retired 20:51:26 I personally prefer having versioned packages for the older version 20:51:32 and keep the unversioned one tracking the latest 20:51:34 davide: same 20:52:04 likewise 20:52:07 the maintainer's suggestion was to just exclude devel files so he could break abi. i said that's not normal and advised asking fpc if it's allowed. 20:52:07 Yeas 20:52:21 why is this shipped in EPEL in the first place? meaning, do other packages actually consume the library, or is it just its own binary? 20:52:24 instead he filed a fesco issue, which was closed in favor of an epsco issue 20:52:32 Davide Cavalca: KDE Plasma depends on it 20:52:43 hehe, it's a c library, a python library, a daemon, and multiple client tools 20:52:54 lovely 20:53:16 the maintainer only cares about the client tools, which need the python library, which need the c library. so it's all interconnected. 20:53:18 excluding devel files doesn't seem acceptable, and doesn't actually solve the issue as you're still breaking ABI 20:53:24 exactly 20:53:52 i predict this will be the fpc answer as well, once the issue gets filed there. i'm hoping that our guidance can be "ask fpc". 20:53:59 carlwgeorge: So I feel that saying doing -latest is "discouraged" ... but the example is for someone who isn't keeping it up to date. But what if they do keep it up to date. 20:54:07 I personal think doing -latest is a good thing. 20:54:19 tdawson: what would be the point vs an unversioned package name? 20:54:44 I suppose to more indicate that the package was updating rapidly? 20:54:47 Oh, I'd like an unversioned package name, but we specifically say we can't do that. 20:55:02 i do not think that a package named "-latest" should just be blanket allowed to make breaking changes 20:55:17 carlwgeorge: That is exactly what -latest should be allowed to do. 20:55:30 gpsd-frequenty-incompatible 20:55:41 That is why you would use -latest ... so people know not to use it if they don't want breaking changes. 20:55:58 or to be more specific, i do not think packages should be allowed to ignore updates policies just based on special naming 20:56:15 but 'latest' doesn't really convey that... at least to me. 20:56:17 Ir that's the case, why not use cope instead? 20:56:28 *copr 20:56:29 I don't really think it's necessary either 20:56:33 so far, the maintainer has not commented on the advice to use copr instead 20:56:42 because again... those guidelines predate our versioned packaging guidelines 20:56:50 i think what we found is someone who actually wishes we kept epel-playground 20:57:04 and our guidance shutting that down was "use copr instead" 20:57:05 🤦 20:57:18 * nirik nods 20:58:50 like i mentioned, i'm perfectly happy punting this to fpc and following the guidance from them 20:59:17 Yep, but it sounds like they passed it back to us when they opened a ticket about it. 20:59:22 no, that was fesco 20:59:36 Ah, ok. 21:00:03 we could ask explicitly in the ticket about copr? 21:00:05 Oh ... in that case, yes, I misunderstood. 21:00:09 full disclosure, i'm also on fpc, but it's not like i can just make a unilateral call there 21:00:20 nirik: i have, multiple times, in that private bz 21:00:26 or... if this is needed for kde, does it need to be in epel for that? 21:00:29 but yes, in this ticket too 21:00:33 ah, bummer. 21:00:39 *we should in this ticket too 21:00:57 it's not for kde, it's for telco usage 21:01:24 nirik: Although there is a package in kde that relies on gpsd, the updating it request has nothing to do with KDE. 21:01:53 Thus it doesn't fall under the KDE exemption umbrella 21:02:27 ok. 21:02:34 i had an idea for a compromise that maybe we could break up the main package, so we could ship mutiple versioned library packages, and keep the client tools (what the maintainer actually wants) on the latest version (which ideally wouldn't have incompatible changes at the cli level) 21:02:41 but i'm not sure if it's possible 21:03:04 will need more research 21:03:11 carlwgeorge: To be honest, that's what I thought they were going to do / we doing ... until I looked at their spec file. 21:03:12 well, if you mutate the sources to link the library statically to itself, then don't ship the bindings or anything else, it's doable 21:03:28 I did something similar for python-hawkey for EPEL 7 many years ago :) 21:03:41 Eighth_Doctor: the cli tools are python and import the python lib, how would you make those static? 21:03:45 Oh shoot, I just saw the time. 21:03:57 carlwgeorge: oh crap, I thought it was in C :( 21:04:08 well it's c too lol 21:04:09 I looks like I'm the only one that likes that -latest idea ... and I'm fine with that. I just thought I'd share my view on it. 21:04:18 ack 21:04:19 ugh, I would have to think about it... it is possible though 21:04:45 anyone opposed to an answer of "ask fpc" and then going from there? 21:04:57 not me 21:05:02 go for it 21:05:06 carlwgeorge: I'm good with that. Also also add something about using copr. 21:05:22 yeah, repeated in public :) 21:05:38 should i mention epel-playground? 21:05:43 carlwgeorge: no 21:05:53 * carlwgeorge nods 21:06:10 Thank you all for comming this week, and for the good discussions. 21:06:27 We'll talk to ya'll next week, if not sooner. 21:06:45 #endmeeting