17:00:16 #startmeeting FESCO (2010-01-15) 17:00:16 Meeting started Fri Jan 15 17:00:16 2010 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:16 Useful Commands: #action #agreed #halp #info #idea #link #topic. 17:00:23 * skvidal is here 17:00:25 #meetingname fesco 17:00:25 The meeting name has been set to 'fesco' 17:00:30 #chair dgilmore notting nirik skvidal Kevin_Kofler ajax pjones cwickert mjg59 17:00:30 Current chairs: Kevin_Kofler ajax cwickert dgilmore mjg59 nirik notting pjones skvidal 17:00:37 #topic init process 17:00:48 * notting is here 17:00:49 I'm not 100% sure we will have quorum today... but we can try and see. ;) 17:00:57 * cwickert is here too 17:01:05 Present. 17:01:07 ajax and mjg59 are travelling to LCA 17:01:37 That's 4, need one more. 17:01:42 dgilmore / pjones: you guys around? 17:01:50 * notting counts 5 17:01:55 Kevin_Kofler: we are at 5 I think 17:02:00 yo 17:02:25 cool. Shall we go ahead and start in then? 17:02:28 sorry, was fetching my lunch. 17:02:47 #topic Followups on old business 17:03:12 I pinged ticket 298 again... to see if we need to take further action there or if it's been resolved. 17:03:18 .fesco 298 17:03:19 nirik: #298 (Revoke Paul Johnsons pacakger access and put him on probation.) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/298 17:03:40 I guess mjg59 was going to work on ticket 291 17:03:42 .fesco 291 17:03:43 nirik: #291 (Man pages Packaging Guideline) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/291 17:03:53 Any other old business we should revisit? 17:04:26 ok, then on to new stuff. 17:04:38 #topic Finalize new meeting day/time. 17:04:49 Looks like we have 2 blocks... wed or thursday. 17:05:02 Does anyone have a further preference? 17:05:20 http://whenisgood.net/fesco-meeting/results/8kgg3e 17:05:41 sorry, tue/wed 17:05:56 IMO Wednesday is better 17:05:56 20-22 UTC on tuesday or wed. 17:06:13 either one is fine by me 17:06:29 tibbs|h: spot: do we need to move the packaging committee if we do weds? 17:06:50 notting: yes 17:06:59 * spot doesn't look forward to trying to reschedule that again 17:07:09 humm... wed in this channel that time is booked sometimes by http://fedoraproject.org/wiki/Ambassadors/Meetings ? 17:07:20 or is that page inaccurate. 17:07:28 I'm sure we can come up with a new channel :) 17:07:34 I'm fine with either time, they're both quite late here (9 PM), but I can deal with that, no preference for Tue vs. Wed. 17:07:39 I hear they haven't stopped making channels 17:07:46 skvidal: sure, but there are drawbacks to that. 17:07:59 nirik: I know - I was just being silly 17:08:17 spot: when is packaging now? 17:09:42 according to https://fedoraproject.org/wiki/Fedora_meeting_channel it is 16:00-17:00 17:09:58 * dgilmore is here 17:10:04 cwickert: which day? 17:10:10 wed. 17:10:15 Wednesday 17:10:22 so if we moved to tues 17:10:26 then there isn'tan issue? 17:10:48 I think Wed would actually make more sense, we could approve the guidelines fresh off the press, not 6 days later. 17:10:49 yeah, it means a week for us to object to their packaging changes, but is that so bad? 17:10:57 does anybody know if the "Fedora Magazine" meetings actually take place? 17:10:59 spot: wait, that doesn't overlap? 17:11:07 cwickert: they never have that I have seen. 17:11:16 * dgilmore thinks we should go with tuesday 17:11:19 but ENMA ambassadors does. 17:11:37 +1 for Tuesday because I'm also at the EMEA meetings usually 17:11:38 EMEA. can't type. 17:11:43 spot: how is it an issue if the schedule doesn't overlap? 17:12:08 * nirik thinks tuesday sounds better too. 17:12:08 notting: because we usually want FESCo to have a window of time to review approved drafts 17:13:02 spot: I'm not so sure that's all that bad - if it's simple, we probably won't need much time and can just approve; if it'd take a couple of days, we defer for a week. 17:13:25 pjones: okay. if there is no overlap, and you don't care, i don't care. 17:13:32 well, if we do tuesday, that gives a week... 17:13:43 I usually don't have the time to look at the new guidelines until during the meeting anyway. 17:13:44 or if we need something faster we could poll for objections in the tickets. 17:14:11 But the conflict with EMEA Ambassadors is a stronger argument for not doing Wed, and thus by exclusion, doing Tue. 17:14:18 so, tuesday at 20:00 UTC ? going once... 17:14:24 sold 17:14:28 okie doke 17:14:30 +1 17:14:40 +1 17:14:53 #agreed New FESCo meeting time is 20:00 UTC on tuesdays. 17:14:54 that's 3pm EST5EDT? 17:14:59 sure, why not 17:15:09 (right now, anyway) 17:15:10 pjones: Yes. 17:15:11 if so, fine. 17:15:11 pjones: yeah, I think so. 17:15:25 #topic #301 Sponsor Request: "David A. Wheeler" 17:15:29 .fesco 301 17:15:30 nirik: #301 (Sponsor Request: "David A. Wheeler" ) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/301 17:15:32 20:00 UTC is 21:00 CET, minus 6 hours that makes 15:00 EST. :-) 17:15:36 (I'm here, if anyone wants to ask questions) 17:15:53 welcome DavidAWheeler_ Thanks for coming. 17:16:26 So the feedback on the sponsors list was split, some positive, some negative (too few packages). 17:17:04 (I'm still here) 17:17:06 and too few reviews 17:17:12 I'd guess somebody working on formal methods can be trusted to know how important quality is. :-) 17:17:20 DavidAWheeler_: are you only interested in the formal methods area? or would you be doing more sponsoring/reviews in general? 17:17:20 * dgilmore thinks some more reviews are needed 17:17:48 Willing to do some sponsoring/reviews in general, especially in areas where they improve software development quality 17:18:44 Reviews like https://bugzilla.redhat.com/show_bug.cgi?id=548607#c25 look good. 17:18:46 Bug 548607: medium, medium, ---, dwheeler, CLOSED ERRATA, Review Request: pvs-sbcl - SRI's Prototype Verification System 17:19:01 I'm +1 to this request. 17:19:03 but even in this review some things were missed 17:19:52 (though I'm a bit biased because my dayjob at the university is in a project related to theorem proving ;-) ) 17:20:34 e.g. there is a commands in %post that has no Requires(post): 17:20:40 well, quantity isn't always required... but doing more reviews gives more experence and helps you notice things you may not if you haven't done a lot of them. 17:20:49 don't get me wrong, still a good review 17:21:32 * nirik gets a page from work... will be distracted for a few if someone can keep the meeting moving along. 17:21:41 and we all miss something from time to time, but IMO more packages and reviews are needed. please don't take this personally, DavidAWheeler_ 17:22:29 cwickert: i fully agree. i know ive missed things in a review and pickled it up after the fact 17:22:39 Now we just need a theorem prover doing reviews for us. ;-) 17:22:40 s/pickled/picked/ 17:23:37 Kevin_Kofler- :-) 17:24:42 DavidAWheeler_: so, would you be willing to go do another set of reviews and come back to us next week/whenever? 17:25:44 I can do that. It'd probably be more like 2-3 weeks (next week is hectic for me). 17:26:40 DavidAWheeler_: excellent. Please keep us posted... 17:26:41 that's fine. there's no time limit at all 17:27:03 #agreed David will do some more reviews and reapply. 17:28:04 #topic #302 libssh2 - non-responsive maintainer 17:28:08 .fesco 302 17:28:09 nirik: #302 (libssh2 - non-responsive maintainer) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/302 17:28:22 (I am also here) 17:29:31 kdudka: so, I saw some commits to libssh2 after that? 17:29:46 kdudka: and did you attempt to contact the maintainer directly? 17:30:04 nirik, *some commit* - they didn't solve the problem actually 17:30:14 * cwickert can't find the name of the maintainer in the ticket or in the review. who is it? 17:30:15 kdudka: yeah, looked like whitespace changes. 17:30:19 cweyl 17:30:24 .whoowns libssh2 17:30:24 nirik: cweyl (djuran in Fedora EPEL) 17:30:46 cweyl awol? I think he owns a lot of packages 17:31:01 that does seem weird. 17:31:13 skvidal, sure: http://www.fpaste.org/iM0L/ 17:31:38 so far Chris didn't respond any of my emails 17:31:50 cwickert: he did commit to libssh the other day, but only whitespace changes. 17:31:51 https://admin.fedoraproject.org/pkgdb/users/packages/cweyl lists 318 packages 17:32:11 (perhaps a miscommit, meant to fix this instead?) 17:32:12 kdudka: you cant demand access, you can ask for it 17:32:30 after filling the ticket at FESCO, he started commit something, but it didn't make any sense 17:32:44 so he's not awol, then? 17:33:01 among others, this one in curl: https://bugzilla.redhat.com/523796#c8 17:33:14 he is not awol at all 17:33:16 hm, so the first bug/patch was in november? 17:33:22 dgilmore, if you mean Fedora ACLs, that's what I asked for in the mail 17:33:22 Well, he updated to the latest upstream. 17:33:32 he commits to perl-local-lib on Jan 4 17:33:32 dgilmore, it's more than a month ago 17:33:39 That's not really something that doesn't make any sense. 17:33:42 kdudka: you didint ask you demanded 17:33:43 It just doesn't fix the bug. 17:34:01 hm 17:34:08 Kevin_Kofler, it doesn't fix anything 17:34:25 > I am the new maintainer of RHEL libssh2 package. Could you please grant me 17:34:27 Updating to current upstream makes sense. 17:34:28 > Fedora ACLs for the package? I am going to co-maintain the Fedora part as 17:34:31 > well. Thanks in advance! 17:34:35 so i think the first step would be to request cweyl respond to kdudka's request for comaintainership (yes, no, or otherwise) 17:34:43 kdudka: you could have said i would like to help co-maintain in fedora as well 17:34:49 dgilmore, not sure what's the difference (I am not native speaker) 17:35:01 IMHO we should require cweyl to accept it or remove his package ownership. 17:35:16 kdudka: "i am going to" is very pushy and demanding 17:35:17 dgilmore: "I am going to co-maintain the Fedora part as well" sounds clear to me 17:35:19 It sucks for the RHEL maintainer not to be able to commit his fixes to Fedora and it's bad for Fedora if fixes only make it into EL. 17:35:31 cwickert: i find it pushy 17:35:38 dgilmore, nothing wrong intended ... worth to reply in any case 17:35:49 dgilmore: ok, not a native speaker too 17:35:54 okay 17:35:59 "I would like to" "I am willing to" "if you would like I would" all sound better, but thats all bikeshedding. ;) 17:36:02 so let's stop discussing tone 17:36:06 * nirik nods at skvidal 17:36:08 and discuss the policy 17:36:16 thanks all for suggestions, will do next time 17:36:38 he is clearly not awol 17:36:41 however I don't think it solves the problem now 17:36:44 but he is not responsive 17:36:57 who is his sponsor? 17:37:05 what does actually mean awol< 17:37:18 Away WithOut Leave 17:37:19 * nirik digs into the account sys to see. 17:37:19 zodbot: fasinfo cwyel 17:37:23 AWOL - it's a military term 17:37:32 dgilmore: User "cwyel" doesn't exist 17:37:35 kdudka: it's an old military term to say that you've skipped out on your duties. 17:38:02 .fasinfo cweyl 17:38:02 zodbot: fasinfo cweyl 17:38:05 abadger1999: User: cweyl, Name: Chris Weyl, email: cweyl@alumni.drew.edu, Creation: 2005-12-01, IRC Nick: cweyl, Timezone: UTC, Locale: en, Extension: 5100333, GPG key ID: 7962f5cb, Status: active 17:38:10 abadger1999: Approved Groups: cla_done fedorabugs packager cla_fedora gitcamelus provenpackager 17:38:14 abadger1999: Unapproved Groups: None 17:38:17 pjones: User: cweyl, Name: Chris Weyl, email: cweyl@alumni.drew.edu, Creation: 2005-12-01, IRC Nick: cweyl, Timezone: UTC, Locale: en, Extension: 5100333, GPG key ID: 7962f5cb, Status: active 17:38:22 pjones: Approved Groups: cla_done fedorabugs packager cla_fedora gitcamelus provenpackager 17:38:26 pjones: Unapproved Groups: None 17:38:39 cweyl was last seen in #fedora-devel 17 weeks, 0 days, 1 hour, 32 minutes, and 56 seconds ago: later! 17:38:44 I bet he's on vacation or something. 17:38:50 his sponsor is jwb. ;) 17:38:59 17 weeks is a long vacation. ;-) 17:39:34 Kevin_Kofler: but he hasn't gone that long without doing things, merely that long without being on irc. we've got plenty of valuable people who are /never/ on irc. 17:39:43 libssh2 was commited to by him yesterday 17:39:57 updating to 1.2.2 17:39:59 I'm also almost never on #fedora-devel, though I lurk around on #fedora-kde almost all the time. 17:40:05 seems like sending some emails might be helpful. 17:40:07 anyway it's pretty annoying ... we worked on the bug with Peter Stuge from upstream till 6AM to get it fixed ... now waiting two months to get the fix in Fedora :-) 17:40:27 The problem is, not being IRC (assuming he's not on some other channel) means it's harder to join him. 17:40:36 Kevin_Kofler: yeah., 17:40:39 'join him' ? 17:40:46 Oxf13: "invite", presumably. 17:40:47 I'd like to propose we mail him and ask him about this and see if he can/is willing to add kdudka as co-maintainer, etc. 17:40:49 Contact him. 17:40:59 * nirik is willing to mail him/irc/call whatever. 17:41:07 nirik: ... and if that doesn't work, we invite him to the irc meeting next week. 17:41:10 yeah, IRC isn't the only method of communication 17:41:21 nirik: sounds like a plan 17:41:22 pjones: sure. Sounds good. 17:41:29 +1 17:41:40 nirik/pjones: sounds like a plan. +1 17:42:07 +1, I don't like calling a person with 318 packages MIA without trying everything 17:42:10 let me note it's sort of urgent issue as curl builds in Koji are broken... 17:42:31 kdudka: Maybe a provenpackager should just commit this particular fix? 17:42:32 #agreed nirik will try and contact cweyl and get information flowing, failing that will invite him to the next meeting to try and fix things up. 17:42:39 but what about libssh2? can somebody give kdudka commit access? 17:42:39 could some proven packager here at least apply my fixes? 17:42:39 if it's a matter of something broken, why can't a provenpackager do the work? 17:42:40 I could do it. 17:42:48 kdudka: send me the fixes and i will commit them 17:43:03 Or I see dgilmore volunteered. :-) 17:43:04 we can get the important fix in without having to change ACLs 17:43:13 dgilmore, sounds great - where should it go actually? 17:43:18 cwickert: I don't think we should now... lets find out why cweyl hasn't first. 17:43:25 ok nirik 17:43:27 kdudka: dgilmore@fedoraproject.org 17:44:25 dgilmore, I'll send it today 17:44:29 dgilmore, thanks in advance! 17:44:37 shall we move on to the next topic? anything else on this? 17:45:21 #topic #297 Please consider the idea of a security (privilege escalation) policy 17:45:26 .fesco 297 17:45:27 nirik: #297 (Please consider the idea of a security (privilege escalation) policy) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/297 17:45:35 so, adamw filed this just before xmas. 17:45:50 it's not really moved since then. 17:46:54 should we try and open another dialog on the list? 17:46:54 well, i think we need someone to come up with a proposal 17:47:01 does someone want to take point on this? 17:47:08 The list of things an unprivileged user should not be able to makes sense (though the system clock part is AFAIK currently NOT true with system-config-time; KDE on the other hand does require admin auth). 17:47:17 The problem is more: how do we verify this? 17:47:17 or can we pawn^H^H^H^Hassign it off to some other group? 17:47:24 I'd like to put some work into this, but right now there's no time due to RHEL 6 deadlines. 17:47:39 (but those should be less crappy next week...) 17:47:48 Kevin_Kofler: well, QA is asking for a policy that they can test against... they don't know what it should be currently. 17:47:53 Having to request FESCo approval for every SUID binary would suck, it'd mean even longer FESCo meetings and delays for packaging. 17:48:06 how often does anyone actually add an SUID binary? 17:48:07 * adamw here 17:48:23 (and stuff which gets root through e.g. D-Bus activation is effectively SUID) 17:48:30 Kevin_Kofler: that's also not what's really appropriate here at all 17:48:33 as wwoods says, we have no preconceptions of what the policy should be 17:49:04 wwoods: KDE is moving from using kdesu for entire systemsettings modules to PolicyKit/KAuth mechanisms. 17:49:19 we can also come up with a basic policy and add to it over time, doesn't have to be eveything at once, IMHO 17:49:20 which means less SUID binaries. 17:49:28 So KDE is currently in a phase where you'll see several stuff running as root added, but it's all to avoid having to kdesu the whole UI. 17:49:33 nirik: pawning it off to someone is more or less what we're asking for...we just want whatever butt kicking needs to be done to cause someone who actually has a clue about security to come up with a policy 17:49:39 so I still don't understand your point. 17:49:54 Our system-config tools are in a similar phase (porting from consolehelper to PolicyKit). 17:49:57 really what we need is guidelines so that a) developers know what sort of things they should be using polkit for, b) they know what /kind/ of things they should be asking for more input on, and c) it's possible for others to audit it and decide if they've missed something. 17:50:00 adamw: yeah. But I'm not sure who that will be. I guess I could take some kind of stab at it, but ENOTIME for me too. ;( 17:50:10 Kevin_Kofler: that's actually exactly the kind of situation which causes me to want such a policy to exist 17:50:17 Kevin_Kofler: it's precisely what led to the packagekit snafu 17:50:42 when the only option was 'run the entire packagekit app as root' it was screamingly obvious that it should require authentication to do so 17:51:06 it's not a "the policy must say who's reviewing each use" sort of thing. It's a "fedora's broader approach to $usage is $methodology, so in that case $structure of polkit acl is appropriate" 17:51:14 it only became a problem because things could be made more granular, so a specific packagekit _operation_ could be made not to require authentication... 17:51:48 Indeed, this migration can open up some holes. 17:51:55 But it's also a lot of stuff to audit. 17:51:57 Kevin_Kofler: so it could perfectly well happen with kde as it goes through the same process - it seems obvious that there needs to be a consistent policy about how exactly you deal with the question of authorization / authentication for each much more granular action you define as you go along. 17:52:05 adamw: no, it only became a problem because we didn't have any way for richard to know a priori that more people should be in on that decision 17:52:13 if the policy says "user cannot do X without authentication as admin user" then it's possible to test for. 17:52:18 pjones: ..... 17:52:29 skvidal: apart from "that seemed wrong to us" ;) 17:52:38 pjones: and to everyone in the fecking world 17:52:43 skvidal: but that's the point - it seemed wrong to us, so if he'd come to us, ... 17:52:52 pjones: if the policy is "don't be dumb" then so be it 17:52:58 skvidal: not to everyone. 17:53:14 pjones: everyone outside of the desktop echo chamber? 17:53:24 that's not being helpful 17:53:27 so, I don't think we are going to decide anything here aside from that we think it needs to be done, right? 17:53:42 anyone willing to work on it? or have ideas on who we can ask to work on it? 17:53:46 (because there were those in the desktop group who also didn't agree with the change) 17:53:54 pjones: you willing to look at it after next week? 17:53:56 this isn't a one group against another group kind of thing. 17:54:00 Oxf13: I didn't say desktop group 17:54:01 skvidal: I realize you think it's a severe lapse, but in reality what happened was that he chose between two very similar policies, both of which were implemented, and he picked the wrong one for one thing. 17:54:35 pjones: well the point is that these decisions only become problematic with the level of granularity that pk offers 17:54:38 skvidal: so yes, it had serious ramifications, but if we'd had a policy that says "users don't get to pick which packages get installed" ahead of time, he probably would have picked the other. 17:54:46 adamw: that's simply not the cas 17:54:48 case 17:54:51 as a side note, I think any security policy should have a 'this is default fedora' and a 'this is something it's possible for a local admin/spin to change' 17:55:10 nirik: yeah, that's probably _generally_ true. 17:55:21 nirik: I'd like to think we wouldn't indorse the "rootkit" spin ;) 17:55:45 pjones: no, we'd just rename it the 'security audit' spin ;) 17:55:49 Another good question is: should it be possible to retain authorizations for this kind of stuff. I know PK1 dropped retaining authorizations, but it'd be possible to implement them at app level, and possibly also at auth agent level (I'm toying with the idea of having polkit-kde allow retaining the authorization for things listed in some systemwide editable-only-by-root config file, I haven't evaluated the technical 17:55:49 feasibility though). 17:56:20 sure, so the 'this is possible for local admin/spin to change' would also default to 'deny by default'. So, only those things allowed/listed there would be acceptable to change there. 17:56:21 So the question is, assuming this is technically feasible, would this be desirable or yet another no no not to step into. 17:56:30 adamw: the granularity changed how obvious it was that his decision was wrong, making it less obvious. less granularity still leaves the same kinds of decisions, which we're currently giving no guidance on. 17:56:47 will this policy also apply to spins? in the security spin there are currently lots of apps running with root privileges without authentification, but only in live-mode, not on the installed version 17:57:12 Kevin_Kofler: doesn't polkit /already/ have that functionality built in? 17:57:13 pjones: i really think what i said is true, though. 'should trusted updates be possible without root authentication' is a much trickier question than 'should my entire package updating application run without root authentication'. yes, in _theoretical_ terms anyone can screw up any security choice and therefore we should have had a policy for this years ago. but in practical terms, the chances of anyone screwing up are now far far higher because a) th 17:57:13 ere will be more decisions and b) they will be harder decisions. hence it becomes much more _important_ to have a policy. 17:57:18 Kevin_Kofler: I think it does... 17:57:41 pjones: as kevin said, they took it out 17:57:49 adamw: that's fair, though I don't think it reflects your previous point ;) 17:57:56 upstream decided that it wasn't something they want to see 17:57:57 ah, okay. 17:58:11 well, that's unfortunate. 17:58:13 Kevin_Kofler: i'm not sure it'd be a good idea to externally reimplement something into policykit that the policykit developers decided was a bad idea. 17:58:14 * nirik sets a timer for debate on this, since the chances of us coming up with and approving a new policy here is 0. ;) 17:58:17 that instead of retained auth for some people for some apps and lots of popup boxes, they'd rather see users defined to have roles 17:58:19 pjones: Not anymore. 17:58:23 but yeah, it'd be nice to stay focused 17:58:24 and the roles would get rights 17:58:30 Retaining authorizations permanently got removed in PK1. 17:58:34 but the roles stuff hasn't landed yet 17:58:35 and answer the important point: who should write a policy for this and how do we make them do it? 17:59:05 Which is one of the reasons PackageKit switched to that "always allow" policy which caused the chaos. 17:59:11 adamw: the old strategy was to write it your self, however poorly it is, and then show it to the right people 17:59:14 anyway, we need a policy that provides guidance on what kind of actions need what kind of roles. from that you can derive both decision making on the part of developers and test things for correctness, 17:59:16 i mean, if nothing comes out of this, we (qa) have an emergency fallback procedure that we will kick in: we'll write our own policy, test according to that, and when people complain that we're Doing It Rong we'll point out that no-one else seemed to give a stuff 17:59:21 but I _really_ don't think that seems optimal 17:59:31 asking for help doesn't get you much, but incorrectly answering something will get you a lot of corrections and attention. 17:59:36 and we don't have to get into the nitty gritty details of every damn thing 17:59:43 fine, I can oversubscribe my time some more and work on this some. 17:59:50 adamw: tbf, if you guys wanted to write a policy and bring it to us for approval, that wouldn't be the worst plan ever. 18:00:09 pjones: as long as someone who knows what they're talking about will look it over then that can probably work. 18:00:13 * nirik thinks the first step is to find out if RHEL/Debian/Ubuntu/Suse/Mandriva already have something like this we can look at. 18:00:36 nirik: rhel really doesn't (i talked to the rhel guys and they said they'd be very interested in reading whatever we come up with :>) 18:00:39 the current RHEL way isn't particularly interesting to us. 18:00:46 nirik: mandriva doesn't either, i'd know if they do. dunno about the others. 18:00:58 ok. 18:00:58 (it's basically "let fedora figure it out and then prune their packagelist of stuff we don't like when we do a major version rev") 18:01:20 good thought, though. i'll check with ubuntu / debian / suse before we start writing anything. 18:01:34 adamw: could you do that and add your findings to the ticket? 18:01:39 nirik: alright 18:01:59 adamw: also, even tho it's likely futile, can you mail the security list and ask for interested people? 18:02:09 nirik: already done :) both fedora and rh security 18:02:23 that should bring some fun from the peanut gallery ;) 18:02:24 i'll cc fedora security on any further work on this of course 18:02:42 but yeah, i did that long before coming to fesco, if it'd worked i wouldn't be bothering you 18:02:52 adamw: I don't recall seeing it there, and I am on that lsit. 18:02:58 it gets almost no traffic. 18:03:06 hum. lemme see 18:03:15 oh dho. it was. 18:03:21 * nirik will check his filters. 18:03:40 nirik: https://www.redhat.com/archives/fedora-security-list/2009-November/msg00000.html 18:03:45 so, what do we do here? let adamw add info and revisit? 18:03:55 lots of discussion, but mostly of the 'nitpick' variety, no 'oh yes let's write one!' 18:04:14 adamw: you mean: http://lists.fedoraproject.org/pipermail/security/2009-November/001398.html :) 18:04:40 nirik: :) 18:04:51 nirik: as soon as that's the first google result, i will =) 18:04:59 * adamw just finds the archives via google 18:05:19 Well, some people were still mailing to rhl-devel-list and using rhl-devel-list archives not too long ago. ;-) 18:05:42 ok, so, lets punt to next week, hope for more info and people willing to work on it 18:06:06 thanks for the input adamw / wwoods. 18:06:15 #topic #303 Feature: KDE PolicyKitOneQt ( https://fedoraproject.org/wiki/Features/KDE_PolicyKitOneQt ) 18:06:19 .fesco 303 18:06:20 nirik: #303 (Feature: KDE PolicyKitOneQt ( https://fedoraproject.org/wiki/Features/KDE_PolicyKitOneQt )) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/303 18:07:35 * nirik wonders how Kevin_Kofler will vote here. ;) 18:07:37 +1, already in Rawhide, feature page complete. 18:07:42 +1, sounds good 18:07:47 +1, sounds good to me. 18:07:49 +1, looks good 18:07:50 +1 from me 18:07:52 +1 18:08:09 #agreed Feature is approved. 18:08:15 #topic #304 Feature: KDE44 ( https://fedoraproject.org/wiki/Features/KDE44 ) 18:08:19 .fesco 304 18:08:20 nirik: #304 (Feature: KDE44 ( https://fedoraproject.org/wiki/Features/KDE44 )) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/304 18:08:30 ack 18:08:49 +1, likewise (well, 4.4.0 is not out yet so we have 4.3.90 which is a prerelease). 18:09:12 +1 here. Is there any kind of global changelog/changes you can point to for the release notes? instead of just "lots of changes" ? 18:09:25 There will be one in the 4.4.0 release announcement. 18:09:36 this is just really for the release notes, right? 18:09:40 But there have been some in RC announcements or such already, I'll see if I can add a link. 18:09:51 skvidal: looks that way 18:09:52 Kevin_Kofler: cool. 18:09:58 Kevin_Kofler: it there a contingency Plan? 18:10:04 It's not needed. 18:10:18 See https://fedoraproject.org/wiki/Features/KDE44#Contingency_Plan 18:10:39 I did look at this, but it's not convincing to me 18:10:45 If 4.4.0 really isn't ready we'll just ship 4.3.90 or whatever, but it looks like there's plenty of time to get probably even 4.4.2 in. 18:11:14 I don't like the idea of shipping a prerelease, btu I'm not a KDE user, so I don't know how good their prereleases are 18:11:23 We're only at alpha. 18:11:38 Trust me, we will get at least 4.4.0 in, most likely 4.4.2 or 4.4.3. 18:11:51 kde release schedule is clear and we have lot of time 18:11:52 +1 kde 4.4 is coming along nicely 18:12:03 they deliver mostly on time 18:12:03 http://techbase.kde.org/Schedules/KDE4/4.4_Release_Schedule 18:12:06 * dgilmore has rawhide on his laptop and desktop 18:12:24 * pjones too. 18:12:45 "we're only at alpha"; alpha is feature freeze, anything after alpha should be bugfixes 18:12:52 does that mesh with KDE's schedule? 18:12:57 RC to final is bugfixes. 18:13:03 KDE 4.4 is already feature-frozen. 18:13:10 ok. 18:13:14 Hard feature freeze was on Nov 25. 18:13:22 I just get twitchy when somebody says "we're only at alpha" (: 18:14:05 The final 4.4.0 should be on Feb 9, so it might even make it into the alpha. 18:14:05 ok then, +1 from me 18:14:17 If not, we'll have RC2 (release scheduled for Jan 20). 18:14:34 * nirik notes we are at 5 if notting's 'ack' was a +1. ;) 18:14:39 it was 18:14:43 * Oxf13 laughs at planned "release candidate"s greater than 1 18:14:44 Kevin_Kofler: maybe you should link that schedule from the feature page 18:15:01 how can it be a 'release candidate' if you're not planning on being able to release it? 18:15:29 ... is that fesco's concern? 18:15:34 notting: +1 18:15:35 can we not get into the epistemology of the term "release candidate"? 18:15:39 Better than our Alpha / Beta naming which puts the feature freeze at alpha. 18:15:45 Everyone thinks that's far away from release. 18:15:51 They're wrong. 18:15:53 okie doke 18:15:55 let's stop 18:16:00 it's been approved 18:16:02 next item 18:16:05 b/c I would like to go to lunch 18:16:11 KDE's Beta/RC makes much more sense to me, as did our old Beta/Preview. 18:16:13 #agreed Feature has been approved. 18:16:14 rc2 is only for worst cases 18:16:26