#meeting-1:fedoraproject.org log

<@tdawson:fedora.im>

18:01:19

!startmeeting EPEL (2025-04-2)

<@meetbot:fedora.im>

18:01:21

Meeting started at 2025-04-09 18:01:19 UTC

<@meetbot:fedora.im>

18:01:21

The Meeting name is 'EPEL (2025-04-2)'

<@salimma:fedora.im>

18:01:25

!hi

<@zodbot:fedora.im>

18:01:26

Michel Lind (salimma) - he / him / his

<@tdawson:fedora.im>

18:01:28

!meetingname epel

<@tdawson:fedora.im>

18:01:28

!topic aloha

<@meetbot:fedora.im>

18:01:29

The Meeting Name is now epel

<@rcallicotte:fedora.im>

18:01:37

!hi

<@zodbot:fedora.im>

18:01:38

Robby Callicotte (rcallicotte) - he / him / his

<@tdawson:fedora.im>

18:01:54

Hi Michel Lind UTC-6 and Robby Callicotte

<@conan_kudo:matrix.org>

18:02:27

!hi

<@zodbot:fedora.im>

18:02:29

Neal Gompa (ngompa) - he / him / his

<@nirik:matrix.scrye.com>

18:03:20

morning

<@dherrera:fedora.im>

18:03:42

!hi

<@zodbot:fedora.im>

18:03:43

Diego Herrera (dherrera) - he / him / his

<@tdawson:fedora.im>

18:04:07

Morning nirik

<@tdawson:fedora.im>

18:04:14

Hi Conan Kudo and Diego Herrera

<@carlwgeorge:fedora.im>

18:05:32

!hi

<@zodbot:fedora.im>

18:05:33

Carl George (carlwgeorge) - he / him / his

<@tdawson:fedora.im>

18:05:43

Hi Carl George

<@tdawson:fedora.im>

18:05:57

!link https://pagure.io/epel/issues?tags=meeting&status=Open

<@tdawson:fedora.im>

18:05:57

!topic EPEL Issues https://pagure.io/epel/issues

<@davide:cavalca.name>

18:06:13

!hi

<@zodbot:fedora.im>

18:06:15

Davide Cavalca (dcavalca) - he / him / his

<@tdawson:fedora.im>

18:06:24

Hi Davide Cavalca

<@tdawson:fedora.im>

18:06:38

We have two issues ... I'm hopefully going to pick the shorted one first.

<@tdawson:fedora.im>

18:06:48

!epel 324

<@zodbot:fedora.im>

18:06:49

<@zodbot:fedora.im>

18:06:49

● **Opened:** 3 weeks ago by carlwgeorge

<@zodbot:fedora.im>

18:06:49

● **Last Updated:** a day ago

<@zodbot:fedora.im>

18:06:49

● **Assignee:** carlwgeorge

<@zodbot:fedora.im>

18:06:49

**epel #324** (https://pagure.io/epel/issue/324):**EPEL 10 minor version upgrade path**

<@tdawson:fedora.im>

18:07:25

Carl George: I've seen progress ... would you like to expand on what's happened, and happening.

<@carlwgeorge:fedora.im>

18:08:00

so the plan we laid out is mostly implemented. everything in mirrormanager is done.

<@carlwgeorge:fedora.im>

18:08:24

the epel-release changes are here https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-c37fe4fbd9

<@carlwgeorge:fedora.im>

18:08:57

once that moves to stable, i'll tag the same build for epel10.1 to avoid the symlink churn problem we previously discussed

<@carlwgeorge:fedora.im>

18:09:45

i've got a pr open to tweak the wording on the branches doc since we're not publishing to a pub/epel/10 repo anymore https://pagure.io/epel/pull-request/326#

<@carlwgeorge:fedora.im>

18:09:48

i've got a pr open to tweak the wording on the branches doc since we're not publishing to a pub/epel/10 repo anymore https://pagure.io/epel/pull-request/326

<@carlwgeorge:fedora.im>

18:11:38

the last piece i think will be putting the 10 symlink back, which i plan to do today at 5pm my time (about four hours) to give mirrors a full 48 hours to sync the 10 directory removal

<@carlwgeorge:fedora.im>

18:12:11

looking forward to all of this being done and going back to just adding packages 😀

<@tdawson:fedora.im>

18:12:34

Yep ... it needed to be done, but I agree, it will be nice to have it finished.

<@tdawson:fedora.im>

18:12:51

(says the person who hasn't done any of the work)

<@carlwgeorge:fedora.im>

18:13:22

i know you're absorbing some of the impact of rh internal folks asking about this, that helps

<@tdawson:fedora.im>

18:14:11

I also found that removing the epel10 link breaks CRB (CentOS SIG) builds ... but ... eh ... it's just two days.

<@carlwgeorge:fedora.im>

18:14:40

i saw one comment about it being "pretty bad this wasn't already dealt with", and i'm like, how did any of this work when epel8 came out months after rhel8

<@salimma:fedora.im>

18:14:44

yeah, some of our systemd devs were asking about it earlier this week

<@smooge:fedora.im>

18:15:15

Carl George: very little did work and I was providing private rpms for people

<@carlwgeorge:fedora.im>

18:15:20

oh that's a good call out, apparently cbs uses the mirror baseurl directly, not mirrormanager or a local mirror

<@carlwgeorge:fedora.im>

18:15:54

i'm sure that was stressful

<@smooge:fedora.im>

18:16:16

nah.. I had nothing but love and affection

<@nirik:matrix.scrye.com>

18:16:22

oof. Can we convince them to move to the metalink?

<@carlwgeorge:fedora.im>

18:16:28

anyone happen to know how often the fcix mirrors sync? they're the only ones i've found so far that don't have the 10 directory gone

<@nirik:matrix.scrye.com>

18:16:29

(but there's probibly reasons)

<@smooge:fedora.im>

18:16:36

cbs is koji

<@nirik:matrix.scrye.com>

18:16:52

oh, I read that as csb... sorry

<@smooge:fedora.im>

18:16:54

and an old version and didn't work well with metalink at one point

<@carlwgeorge:fedora.im>

18:17:12

that's a question for @arrfab

<@smooge:fedora.im>

18:17:30

no I think its a question for koji :)

<@carlwgeorge:fedora.im>

18:18:14

it's fine, as troy said it's a temporary problem that will go away soon

<@nirik:matrix.scrye.com>

18:18:18

it won't work there.

<@nirik:matrix.scrye.com>

18:18:29

koji has no concept of metalink processing.

<@tdawson:fedora.im>

18:18:32

I figure the link will get back before CBS Koji would get fixed ... so ya ... Fabian has alot on his plate right now.

<@tdawson:fedora.im>

18:19:43

Beyond the link ... and perhaps another pair of eyes on the documentation (my re-write isn't the best) ... anything else to report?

<@carlwgeorge:fedora.im>

18:19:47

anyone else want to +1 the epel-release update? i wouldn't mind manually kicking off a compose to push it so i can do the manual tagging step right after

<@tdawson:fedora.im>

18:20:18

Oh, I had a RHEL 10.0 machine I was going to test it on ... then I'll +1 it if nobody else has.

<@carlwgeorge:fedora.im>

18:20:49

i guess technically i can already push it to stable

<@salimma:fedora.im>

18:21:24

I need to set up a RHEL 10 machine this week

<@tdawson:fedora.im>

18:22:05

Thank you very much Carl (and anyone who worked with you) for getting this done. It is greatly appreciated.

<@tdawson:fedora.im>

18:22:24

I'm going to move on to the next issue, because I'm betting it's going to take some time.

<@tdawson:fedora.im>

18:22:40

!epel 320

<@zodbot:fedora.im>

18:22:41

**epel #320** (https://pagure.io/epel/issue/320):**Proposing (semi-)incompatible update of fish to version 3.7.x for EPEL 9**

<@zodbot:fedora.im>

18:22:41

● **Opened:** a month ago by salimma

<@zodbot:fedora.im>

18:22:41

● **Last Updated:** a day ago

<@zodbot:fedora.im>

18:22:41

● **Assignee:** Not Assigned

<@zodbot:fedora.im>

18:22:41

<@tdawson:fedora.im>

18:23:08

Michel Lind UTC-6: Do you mind starting us off on that.

<@salimma:fedora.im>

18:23:16

hi! yes

<@salimma:fedora.im>

18:23:46

so - TL;DR there is a CVE affecting fish before 3.6.2 - it's just a DOS so fish rates it 3.9 iirc but NVD rates it a 6

<@salimma:fedora.im>

18:24:31

I listed the breaking changes on the ticket if we go all the way to 3.7 - it's probably not much. Carl has tried backporting the fix and finds it non-trivial - after backporting two patches that look relevant the tests are still failing

<@salimma:fedora.im>

18:24:48

so... I'm ok either way we decide, but if we decide to disallow the update, I'm asking what to do with the CVE bug

<@conan_kudo:matrix.org>

18:25:17

let's just update it

<@carlwgeorge:fedora.im>

18:25:21

!link https://nvd.nist.gov/vuln/detail/CVE-2023-49284

<@carlwgeorge:fedora.im>

18:26:08

CLOSED DEFERRED or CLOSED WONTFIX both would work, if we decide against the update

<@salimma:fedora.im>

18:26:41

hmm so if we want to know what CVE bugs are not fixed we need to search for those two I guess

<@conan_kudo:matrix.org>

18:26:58

I think NVD's assessment is more accurate

<@conan_kudo:matrix.org>

18:27:30

the low complexity and high impact

<@conan_kudo:matrix.org>

18:27:50

the low complexity and high impact rating makes sense to me

<@carlwgeorge:fedora.im>

18:28:32

the difference in the nvd and fish ratings are the availability rating (high vs low)

<@conan_kudo:matrix.org>

18:29:13

confidentiality too

<@conan_kudo:matrix.org>

18:29:21

C and A go from low to high in NVD

<@carlwgeorge:fedora.im>

18:29:31

oh yeah, one more character in that string i missed

<@carlwgeorge:fedora.im>

18:30:42

i'm still a 0 on this, i wouldn't block it but i don't think it's necessary

<@carlwgeorge:fedora.im>

18:31:07

for the rating specifics i lean towards trusting the fish devs over nvd

<@tdawson:fedora.im>

18:31:50

I'm also a 0 on it ... which is why I've been quiet.

<@salimma:fedora.im>

18:32:08

so ... anyone else, please vote or raise your concern?

<@tdawson:fedora.im>

18:32:11

If I look at the discussion, it looks like there are 3 for it, and 2 neutral.

<@salimma:fedora.im>

18:32:33

I'm an implicit +1 I guess

<@tdawson:fedora.im>

18:33:30

I'd feel better if there were 1 more for, but 3 is the majority right now.

<@salimma:fedora.im>

18:34:11

Davide Cavalca: / Jonathan Wright ?

<@salimma:fedora.im>

18:34:16

Davide is fixing lunch IIRC

<@davide:cavalca.name>

18:35:00

I don't have any strong feelings about this tbh

<@tdawson:fedora.im>

18:35:05

<@tdawson:fedora.im>

18:35:25

Well, I'm going to call it, it has the majority, even if Jonathan was against it.

<@conan_kudo:matrix.org>

18:35:45

+1 from me in case it isn't counted already from the ticket

<@tdawson:fedora.im>

18:36:48

!agreed Proposal to upgrade fish in epel9 to the latest 3.x version has passed 3(+1) 0(-1) 3(0) with one not voted.

<@tdawson:fedora.im>

18:37:48

Michel Lind UTC-6: Did you want me to update the issue with the vote, or do you want to do it?

<@salimma:fedora.im>

18:37:53

alright, thanks. just wanted closure either way but this is mildly good news :)

<@salimma:fedora.im>

18:37:56

I'll update, thanks

<@tdawson:fedora.im>

18:38:06

Sounds good. Moving on.

<@tdawson:fedora.im>

18:38:20

!topic Old Business

<@salimma:fedora.im>

18:39:03

I have a quick one

<@tdawson:fedora.im>

18:39:16

This is very old business, but since it came up, I wanted to thank Stephen J Smoogen and nirik another time for all their epel8 work.

<@tdawson:fedora.im>

18:39:30

Michel Lind UTC-6: Go for it.

<@salimma:fedora.im>

18:39:32

Haven't gotten round to deprecating EPEL Packagers SIG in the docs, since I was fighting with Antora for FESCo, but now that's done ish so I can file a PR this week

<@smooge:fedora.im>

18:40:48

cool what is the steps to delete the mailman list :)

<@carlwgeorge:fedora.im>

18:41:28

oh i've got an old thing, python-semantic_version

<@carlwgeorge:fedora.im>

18:41:38

!link https://bugzilla.redhat.com/show_bug.cgi?id=2355645

<@carlwgeorge:fedora.im>

18:42:08

troy asked me to file this manual ticket, and i see he linked it to the epel2rhel tracker bug

<@carlwgeorge:fedora.im>

18:42:28

is the automation working now to file these correctly?

<@tdawson:fedora.im>

18:42:57

If something goes from "buildroot only" to "released" no, it doesn't.

<@tdawson:fedora.im>

18:43:14

It only works on new packages.

<@carlwgeorge:fedora.im>

18:43:32

ah yeah i remember we talked about that nuance in the process

<@carlwgeorge:fedora.im>

18:44:42

so i guess if we notice this scenario, a buildroot only package getting published and it's already in epel, and no ticket gets filed, the corrective action is a manual ticket blocking the epel2rhel tracker?

<@carlwgeorge:fedora.im>

18:45:16

also, understood filing the bug isn't automated in that scenario, but is the retirement later on automated?

<@tdawson:fedora.im>

18:45:22

Carl George: After you filed that bug, I went through and filed bugs for all the other duplicate packages. Linking them to the epel2rhel tracker.

<@tdawson:fedora.im>

18:46:06

I thought that's what we talked about last week, I think we do it at RHEL release times, the week or so after.

<@tdawson:fedora.im>

18:46:23

"it" = remove all the duplicate places that really are in RHEL.

<@carlwgeorge:fedora.im>

18:47:43

Is that just you doing it manually as a proven packager?

<@tdawson:fedora.im>

18:48:22

I'd prefer to wait till the release because ... minds change. Johnny's been having fun putting packages back that he just barely took out, and vice versa the past couple of weeks.

<@tdawson:fedora.im>

18:48:41

Carl George: Yep. I've never had time to automate it.

<@carlwgeorge:fedora.im>

18:49:03

fair enough, it's probably not enough to justify the time to automate it

<@carlwgeorge:fedora.im>

18:49:16

https://xkcd.com/1319/

<@tdawson:fedora.im>

18:50:02

Anything else for old business?

<@salimma:fedora.im>

18:50:12

I have an open floor thing for later

<@nhanlon:beeper.com>

18:50:17

(same)

<@nhanlon:beeper.com>

18:50:24

also hi! 🙂

<@tdawson:fedora.im>

18:50:25

OK, let's go to that.

<@nhanlon:beeper.com>

18:50:25

!hi

<@zodbot:fedora.im>

18:50:27

Neil Hanlon (neil) - he / him / his

<@tdawson:fedora.im>

18:50:34

!topic General Issues / Open Floor

<@tdawson:fedora.im>

18:50:40

Hi Neil Hanlon

<@tdawson:fedora.im>

18:50:46

Michel Lind UTC-6: go for it.

<@salimma:fedora.im>

18:51:05

I posted announcing I plan to retire iptables-epel , first in EPEL 10 and later in EPEL 9 after more grace period, yesterday

<@salimma:fedora.im>

18:51:09

one sec, let me find the archive link

<@salimma:fedora.im>

18:51:42

any guidance on how to go about this properly? As long as I yank EPEL 10 builds before the launch, that's reasonable enough from my perspective

<@salimma:fedora.im>

18:51:42

<@salimma:fedora.im>

18:52:05

https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org/thread/EISFHV6764PJTF3SQESUOET3GM3O7GFY/

<@tdawson:fedora.im>

18:52:21

I'd do it just like any other package retirement.

<@salimma:fedora.im>

18:52:24

TL;DR it's really hard to maintain this as a companion -epel package, *and* it turns out it's not necessary for anyone on stock kernels

<@conan_kudo:matrix.org>

18:52:27

you'd just retire it like you would in Fedora

<@salimma:fedora.im>

18:52:53

yeah. just want to double check that nobody sees any concern here before I proceed, thanks

<@carlwgeorge:fedora.im>

18:52:55

https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_no_time_or_desire

<@salimma:fedora.im>

18:53:14

FYI we plan to just build this in Hyperscale in the fb-only repo, start with the Fedora package and just bump the epoch

<@salimma:fedora.im>

18:53:26

(because we happen to .. not be able to use nftables for.. reasons)

<@salimma:fedora.im>

18:53:44

no time or desire and also this is useless

<@tdawson:fedora.im>

18:54:33

Moving on while we have time .... Neil Hanlon go for it.

<@nhanlon:beeper.com>

18:55:25

My thing is quick and can continue off-meeting... basically I wanted to ask @Michel Lind UTC-6 about https://bugzilla.redhat.com/show_bug.cgi?id=2356480 and if he had any recollection of what we talked about re: mistune in the past. i feel like it has been a "problem child" but I can't really remember exactly. It also has epel-packagers-sig on it, so, perhaps some action needs to be taken there?

<@salimma:fedora.im>

18:55:53

the problem with mistune08 in the past is it's really hard to do python compat packages

<@salimma:fedora.im>

18:55:59

because site-packages is not versioned

<@salimma:fedora.im>

18:56:05

so just packaging *one* mistune is fine

<@nhanlon:beeper.com>

18:56:12

Ah. Okay.. then this should be fine 😃

<@salimma:fedora.im>

18:56:18

yeah, mistune08 is cursed

<@salimma:fedora.im>

18:56:25

Miro had to help fix a bunch of corner cases

<@nhanlon:beeper.com>

18:56:37

TY! Does it still need packagers-sig? or should just wait for that to be dropped in due time?

<@salimma:fedora.im>

18:57:49

no, we should never add epel-packagers-sig

<@salimma:fedora.im>

18:57:58

feel free to add python-sig or another relevant SIG

<@salimma:fedora.im>

18:58:08

the guidelines for that should be up in a few days as a PR

<@nhanlon:beeper.com>

18:58:27

awesome. i'll wait for those then ask miro to remove the epel-packagers-sig, while it's on my mind

<@conan_kudo:matrix.org>

18:58:28

python-packagers-sig, as python-sig is dead

<@salimma:fedora.im>

18:58:47

I think keeping epel-packagers-sig on packages for now is fine if it's already there

<@nhanlon:beeper.com>

18:58:49

python-packagers-sig is on it already, so it's just cleanup

<@nhanlon:beeper.com>

18:59:02

aight, then i'll ignore it 😃

<@salimma:fedora.im>

18:59:07

we want to start sending them to more targeted SIGs and then do a cleanup later, but blocking access at this point seems sily

<@salimma:fedora.im>

18:59:14

all that work for no gain :)

<@salimma:fedora.im>

18:59:20

yes, this one

<@nhanlon:beeper.com>

18:59:31

Heard! 🙂

<@tdawson:fedora.im>

18:59:41

We're at the end of our time. Thank you all for all the good discussions, decisions, and work that ya'll do for EPEL and the EPEL community.

<@nhanlon:beeper.com>

18:59:54

Thanks for running @Troy Dawson !

<@nirik:matrix.scrye.com>

18:59:56

thanks Troy Dawson!

<@tdawson:fedora.im>

19:00:09

I'll talk to ya'll next week, if not sooner.

<@tdawson:fedora.im>

19:00:30

!endmeeting