14:00:45 #startmeeting Security Team Meeting - Agenda: https://fedoraproject.org/wiki/Security_Team_meetings 14:00:45 Meeting started Thu Apr 16 14:00:45 2015 UTC. The chair is Sparks. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:00:45 Useful Commands: #action #agreed #halp #info #idea #link #topic. 14:00:48 #meetingname Fedora Security Team 14:00:48 The meeting name has been set to 'fedora_security_team' 14:00:56 #topic Roll Call 14:00:57 * Sparks 14:01:11 * d-caf 14:01:27 .fas bvincent 14:01:29 bvincent: bvincent 'Brandon Vincent' 14:01:34 .hellomynameis pjp 14:01:35 pjp: pjp 'None' 14:01:43 Hello all! :) 14:01:55 hello! 14:02:32 * Sparks is in another meeting so... 14:02:55 #info Participants are reminded to make liberal use of #info #link #help in order to make the minutes "more better" 14:03:13 #topic Follow up on last week's tasks 14:03:52 * Sparks isn't going to run through everything. 14:03:57 ...right now 14:04:05 Does anyone have anything? 14:05:00 No response from Michael Stahnke after first reminder -> https://bugzilla.redhat.com/show_bug.cgi?id=1209124 14:05:03 #link https://bugzilla.redhat.com/show_bug.cgi?id=1209124 14:05:31 pjp: Okay, I'm assuming you're keeping up on this. 14:05:36 Yes, 14:05:45 Cool 14:06:10 Last week I also pinged on older bugs via a script, 14:06:16 +1 14:06:26 I'm yet to follow up on the maintainer responses, 14:06:36 #topic 90-Day Challenge 14:07:23 Did jsmith follow up with the rubygems critical issue? 14:07:34 I haven't updated te numbers yet. Will send something out later today on thie list 14:07:51 I've got a scratch-build for the rubygem-activesupport issue that updates to a newer version 14:08:04 In order to get it to build, however, I had to disable the built-time checks 14:08:14 (as they haven't been ported to the newer version of the gem) 14:08:17 Thoughts? 14:08:41 #topic Outstanding BZ Tickets 14:09:08 jsmith: what kind of built in checks? 14:09:17 pjp: Ruby "rake" tests 14:09:33 I see, 14:09:35 pjp: In short, the Rakefile is completely out of date and no longer runs 14:10:04 fun 14:10:30 * pjp has no idea about ruby gem packaging, 14:11:36 * jsmith just barely knows enough to be dangerous 14:11:41 Sorry, ruby is one of my worst languages 14:11:43 Came across this #link -> https://fedoraproject.org/wiki/Packaging:Ruby?rd=Packaging/Ruby 14:12:13 jsmith: I'll try to find out someone who could help with it, let's see 14:12:14 jsmith: Are you getting help with this? 14:12:45 Sparks: gomix has agreed to help me with this, but unfortunately he's swamped with ${DAYJOB} and a very sick wife, so I've been mostly on my own :-( 14:13:07 :[ 14:13:11 I wonder if he can suggest someone else to help 14:13:46 mmorsi maybe 14:14:07 try #fedora-ruby channel 14:14:10 He's the package maintainer, and obviously hasn't been responsive up to this point :-( 14:14:16 ohhh... 14:14:18 i see 14:14:20 did not notice 14:15:11 #info Thursday's numbers: Critical 1, Important 39 (-2), Moderate 333 (-17), Low 159 (-4), Total 532, Trend -24 14:15:14 #info Current tickets owned: 141 (~26%) 14:15:17 jsilhan: mmorsi did ping Miachel on the non-reponsive bug, I guess he is active 14:15:23 #info Tickets closed: 278 (+7) 14:15:34 jsmith: ^^ 14:15:41 jsilhan: sorry, ;) 14:16:11 np 14:16:45 #topic Open floor discussion/questions/comments 14:16:48 Regarding tickets, looks like I have 6 Important tickets I'm going to have to file non-responsive maintainer bugs on. 14:17:28 d-caf: :( 14:17:56 Probably worth putting out a "call for help" on the -devel list too... 14:17:58 Yeah, I've tried, and nothing, got to get it going formally now so we can get them to someone else or out 14:18:11 jsmith: not on the devlist yet 14:18:17 OK... 14:18:40 I'll do that as part of the non-response ticket 14:19:09 jsmith: Could you please attach the scratch-build SRPM to the bug with your comments? -> https://bugzilla.redhat.com/show_bug.cgi?id=905374 14:19:25 jsmith: I'll check with mmorsi if he could help us with it. 14:19:40 #action jsmith to update the rubygem-activesupport bug with scratch build, etc. 14:19:51 What is the process for transferring package from one main contact/administrator to another? 14:20:52 d-caf: Transferring ? 14:21:09 pjp: yes 14:21:20 d-caf: In cases of non-responsive maintainers? 14:21:35 pjp: yes, I have a new maintainer willing and ready 14:22:27 d-caf: Oh, 14:23:04 David who took over the EPEL builds of torque is willing to take the Fedora builds 14:23:33 The old maintainer appears to just be to busy now... 14:25:01 Okay, anyone have anything else? 14:26:39 * pjp looking for a ownership transfer process, 14:26:44 * jsmith has nothing left to add 14:27:14 pjp: Typically if the maintainer is non-responsive, the packages get orphaned. If someone claims them, great. If not, they get kicked out of the pool... 14:27:30 * d-caf tried to find ownership transfer process with out orphaning.. 14:28:09 Okay, I need to run 14:28:11 d-caf: Just add the new maintainer as a co-maintainer 14:28:14 jsmith: d-caf I think asking existing maintainer to pass on the maintainer rights in the git should help, 14:28:23 Just add a co-maintainer in pkgdb 14:28:34 Right, 14:28:47 pjp: maintainer doesn't respond 14:29:07 #chair pjp jsmith d-caf 14:29:07 Current chairs: Sparks d-caf jsmith pjp 14:29:10 I'll have to check if I have the perms in pkgdb, don't think I do, can only request 14:29:30 d-caf: Then as part of the non-responsive maintainer process, their packages can be re-assigned by infra 14:29:35 jsmith: Can you take the rest of the meeting fo rme? 14:29:43 Sparks: ACK 14:29:49 tnkx 14:30:37 yep, appears I can only request access for myself 14:31:09 Again, if it's a non-responsive maintainer, just state that you've found a willing maintainer as part of the notification process. 14:31:24 jsmith: ok 14:31:27 d-caf: there is -> https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers 14:31:46 pjp: That's great in theory, but doesn't often effect a lot of change :-( 14:32:00 d-caf: so, retire and then un-retire the package 14:32:08 jsmith: I see, 14:32:32 pjp: thanks, I'll go over that and chat with the new maintainer see if we can't get this sorted 14:32:47 on #fedora-devel pjp: yes, pkgdb ui has a "give" button 14:32:54 was hoping for some quick button I had missed :-) 14:33:23 No, if the current maintainer is non-responsive, you have to follow the process... 14:33:41 True 14:33:47 ... if the maintainer *is* responsive, then they can give control of their packages to someone else. 14:34:23 I had talked with the maintainer months ago, and he wanted to find someone new, and the new maintainer says he talked with him a few weeks ago and got the ok 14:34:35 but he fails to update tickets or responde to emails last few weeks 14:34:54 Have the old maintainer "give" his packages to the new maintainer. If that fails, follow the "non-responsive maintainer" process. 14:35:04 will do 14:35:17 Typically, initiating the process will be enough to kick the old maintainer into at least passing control of the packages. 14:35:28 d-caf: non-responsive policy has details about transferring ownership -> https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers#Outline 14:35:29 (Nothing like a little public shame, right?) 14:35:38 d-caf: see #7 14:36:04 pjp: yep got that page (actually added a link to it of the security team page :-) 14:36:07 step 7 is the change of ownership 14:36:18 d-caf: Cool! 14:36:36 Awesome... anything else for the meeting? 14:36:44 d-caf: is there a non-responsive bug against the maintainer ? 14:37:00 pjp: no not yet 14:37:29 d-caf: I think let's start with that right away, 14:37:31 was trying to avoid public shaming, as he kinda resonded off and on 14:37:39 I see, 14:39:35 I'm not a huge fan of public shaming of volunteers if it can be avoided 14:39:51 Anyways, nothing more really for this meeting, looks like I have a few routes to go down, thanks 14:41:53 End meeting? 14:41:53 Cool! 14:42:10 d-caf: Okay, if there is nothing else on agenda. 14:42:27 Will do 14:42:29 Thanks everyone! 14:42:31 #endmeeting