17:30:01 <nirik> #startmeeting FESCO (2011-01-05) 17:30:01 <zodbot> Meeting started Wed Jan 5 17:30:01 2011 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:30:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 17:30:01 <nirik> #meetingname fesco 17:30:01 <zodbot> The meeting name has been set to 'fesco' 17:30:01 <nirik> #chair mclasen notting nirik SMParrish kylem ajax cwickert mjg59 mmaslano 17:30:01 <nirik> #topic init process 17:30:01 <zodbot> Current chairs: SMParrish ajax cwickert kylem mclasen mjg59 mmaslano nirik notting 17:30:37 <cwickert> fuck fuck fuck 17:30:39 <cwickert> sorry 17:30:54 <cwickert> the meeting is just to early for me :) 17:31:08 <nirik> sorry. ;( 17:31:10 <mjg59> Hi 17:31:14 <nirik> we could revisit times again... 17:31:29 * cwickert will be around in 5 minutes 17:31:37 <mjg59> I think we can wait 5 minutes 17:31:43 * notting is here 17:31:44 <cwickert> thanks 17:31:56 <SMParrish_mobile> I am here but mobile :) 17:32:07 * mmaslano is here 17:32:42 <ajax> hey hey\ 17:33:50 <nirik> shall we wait a few before starting for cwickert... 17:34:10 <ajax> sure 17:34:30 <ajax> i may have to duck out around 1, apologies 17:35:51 <nirik> no worries. we have a bunch of features today, but hopefully we can churn thru them pretty fast. 17:37:44 <nirik> hopefully everyone had a nice holiday. ;) 17:38:06 * cwickert is back 17:38:16 <nirik> cool. Shall we dive in then? 17:38:45 <cwickert> sure, but again I haven't found the time to work on the updates-feature proposal 17:38:54 <cwickert> so please don't ask for it ;) 17:38:57 <nirik> ok. ;) 17:39:19 <nirik> I also didn't pick anything on the updates process changing this week from the ideas container. 17:39:28 <nirik> Figured we had enough other stuff this week. 17:39:51 <nirik> #info #516 Updates policy adjustments/changes - no action this week. 17:40:02 <cwickert> hold on 17:40:09 <nirik> #undo 17:40:09 <zodbot> Removing item from minutes: <MeetBot.items.Info object at 0xe822d10> 17:40:11 <nirik> yeah? 17:40:17 <cwickert> can we have the one little change this week already 17:40:26 <nirik> sure, lets discuss. 17:40:30 <nirik> #topic #516 Updates policy adjustments/changes 17:40:30 <nirik> .fesco 516 17:40:32 <zodbot> nirik: #516 (Updates policy adjustments/changes) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/516 17:40:35 <nirik> what did you want to bring up? 17:40:35 <cwickert> propsal: allow direct pushes for security updates that are not critpath 17:41:26 <cwickert> I can understand we ban direct pushes for important conponents 17:41:29 <nirik> ok, the idea being that they can't break the universe because they are not critpath, and getting them out sooner than a week or after testing is better... 17:41:37 <cwickert> right 17:42:00 <ajax> fine with me 17:42:00 <cwickert> everybody fine with that or is someone feeling uncomfortable? 17:42:16 <mjg59> Not thrilled, but ok 17:42:18 <nirik> I guess I am a weak +1 on that... 17:42:24 <mmaslano> +1 17:42:25 <SMParrish_mobile> sounds fine to me 17:42:29 <cwickert> mjg59: any counterpropsal? 17:42:43 * cwickert is open to suggestions 17:43:12 <nirik> #agreed will allow direct pushes for security updates that are not critpath. 17:43:20 <cwickert> +1 (for the record) 17:43:50 <nirik> I'll note that I also still need to talk to lmacken about allowing critpath security updates to have a timeout. Will try and file tickets on these later today. 17:43:51 <cwickert> #note: needs to be implemented in bodhi 17:43:56 <nirik> yeah. 17:43:57 * notting is a weak +1 too 17:44:14 <mjg59> cwickert: Not really 17:44:20 <nirik> ok, anything more on updates right now, or shall we move on? 17:44:39 * cwickert thinks we should move on 17:45:02 <nirik> ok. 17:45:15 <nirik> Nothing on features repo, nothing on stats that I can see... so... 17:45:18 <nirik> #topic #518 Abrt 17:45:18 <nirik> .fesco 518 17:45:20 <zodbot> nirik: #518 (Abrt) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/518 17:45:30 <nirik> we wanted to look at this again in the new year. 17:45:53 <nirik> do we need to invite abrt folks to a meeting, or ask them for a roadmap, or what do we want here? 17:46:34 <cwickert> +1 for meeting with the abrt folks. or should we discuss this at tempe? 17:46:35 <ajax> i'll ping them for a roadmap, hopefully will have something next weekish 17:46:58 <ajax> after that i'll be traveling for LCA so i may not be very available. 17:47:18 <nirik> cwickert: if they are going to be there, an abrt session/brainstorming would be nice. 17:47:26 <nirik> ajax: thanks. Can you note that in the ticket? 17:47:37 <ajax> yep 17:47:39 <nirik> #info will ask abrt maintainers for a roadmap 17:47:51 <nirik> #info will see about a session at fudcon to try and improve abrt. 17:47:58 <nirik> Anything else on this topic? 17:48:11 <rbergeron> if abrt folks aren't coming and people think it would be useful, let me know and I'll see if i can get them wrangled. 17:48:45 <nirik> cool. Thanks. 17:48:48 * rbergeron bows 17:49:07 <mmaslano> they are in my timezone, maybe you should write into ticket or send them email 17:49:17 <mmaslano> not sure if they are going to tempe 17:49:32 <nirik> ok. can note that. 17:50:17 * nirik will move on in 30sec unless someone has something else on this topic. 17:51:03 <nirik> #topic #521 Reconsider RemoveSUID feature 17:51:03 <nirik> .fesco 521 17:51:04 <zodbot> nirik: #521 (Reconsider RemoveSUID feature) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/521 17:51:12 <nirik> This is another one we wanted to look at again in the new year. 17:51:30 <ajax> yeah 17:51:34 <mjg59> What's the situation with the tmpfs patches? 17:51:40 * nirik isn't sure. 17:52:02 <ajax> also, this: http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 17:52:34 <ajax> in which over half of the capabilities are actually equivalent to root 17:52:49 * ajax becoming increasinly disillusioned with the whole idea 17:53:38 <nirik> yeah, seems like capabilities could have been designed for suid replacement, but were not really... 17:54:00 <nirik> ie, we need more of them or a better design of which ones do what or something. 17:54:08 <ajax> we need a _lot_ more of them 17:54:11 <ajax> hundreds. 17:55:15 <nirik> yeah. 17:55:19 <cwickert> ouch 17:55:35 <ajax> so, yeah. really not convinced. 17:55:47 <nirik> I'd like to hear from the feature owners here before we do anything, but yeah, this is seeming to be currently not very worth it. 17:56:20 <cwickert> is it not worth it or are we likely to run into troubles with it? 17:56:38 <notting> causes problems with tmpfs (and other fses that don't support it) 17:56:49 <notting> doesn't seem to actually gain much outside of a few simple cases? (ping?) 17:56:56 <dwalsh> I am here 17:57:01 <nirik> welcome. 17:57:21 <nirik> dwalsh: do you know the status of the tmpfs capabilities patches/work? 17:57:39 <nirik> and do you think the suid->capabilities feature is still worth doing? 17:57:44 <mjg59> Well, several of the capability->root cases do involve non-standard configurations 17:57:55 <mjg59> Or a set of specific circumstances 17:57:56 <dwalsh> Nope let me ping eparis 17:58:45 <mjg59> I think the question is the same as it was before, ie "In the absence of other bugs, does this increase or reduce security - and how much pain will it cause in the process" 17:59:22 <nirik> at the start the pain seemed pretty minimal... but the tmpfs thing is anoying lots of folks. ;( 18:00:02 <dwalsh> Is the tmpfs thing blowing up more then just ping? 18:00:03 <mjg59> Yeah. I think there's a pretty rational argument that this feature depends upon our standard filesystems supporting it, and that includes tmpfs 18:00:28 <dwalsh> I agree. 18:00:31 <nirik> dwalsh: well, the mock thing mostly. 18:00:41 <nirik> mock won't work with tmpfs anymore with this change. 18:01:45 <nirik> sgrubb: hey. welcome. 18:01:51 <sgrubb> hi 18:01:59 <nirik> we are just talking about the nosuid feature. 18:02:01 <mjg59> So I think unless we have a pretty good timescale for tmpfs supporting this it'll have to wait until it does 18:02:22 <nirik> sgrubb: do you know the status on any tmpfs patches? and do you still feel this feature is worth doing ? 18:02:24 <fenris02> mjg59, did you try the loopfs over tmpfs hack for /var/lib/mock ? 18:02:32 <mjg59> I didn't 18:02:42 <mjg59> But I don't think it matters 18:02:46 <sgrubb> I think eparis was working the tmpfs issue 18:03:18 <mjg59> If I can't copy ping to a tmpfs and run it, we don't have the infrastructure to support this feature 18:03:29 <sgrubb> but I thought we had a workaround for the mock issue of not having rpm failing when it cannot set the fs capabilities 18:03:47 <sgrubb> that could even be controlled by a .rpmmacro setting if need be 18:04:02 <dwalsh> Panu, Has this feature been added? 18:05:42 <nirik> so, proposal: gather more info and update our ticket, revisit next week? 18:05:50 <ajax> gotta run 18:05:52 * ajax afk 18:06:00 <nirik> ajax: thanks. Enjoy. 18:06:09 <sgrubb> nirik, I think we need to find out what's going on with tmpfs 18:06:13 <nirik> yeah. 18:06:20 <cwickert> +1 to nirik's proposal 18:06:23 <mjg59> I'd go with Proposal: Defer to F16 unless support in tmpfs can be provided in the immediate future 18:06:32 <sgrubb> I think the feature is worth doing as we constantly get requests for it 18:06:45 <sgrubb> otherwise we may as well go back to the old capabilities model 18:06:47 <nirik> sgrubb: would you be willing to track down status on tmpfs and update our ticket with it? 18:07:00 <sgrubb> the bz? 18:07:18 <nirik> https://fedorahosted.org/fesco/ticket/521 18:07:20 <mjg59> sgrubb: I don't see hacking around mock's behaviour as a solution 18:07:31 <dwalsh> https://bugzilla.redhat.com/show_bug.cgi?id=648653 18:07:39 <sgrubb> mjg59, I'm not talking about mock's behavior 18:07:52 <sgrubb> rpm itself fails when it probably shouldn't 18:07:52 <dwalsh> As far as whether this is worth doing. Here is some analysys. 18:07:58 <sgrubb> is not good 18:08:04 <dwalsh> http://forums.grsecurity.net/viewtopic.php?f=7&t=2522 18:08:38 <mjg59> sgrubb: rpm is failing because one of the standard filesystems we ship and support doesn't implement a feature we depend on 18:08:48 <dwalsh> Yes I think rpm has to be able to handle file systems not supporting file capabilities as a warning instead of failure. 18:09:01 <mjg59> There's an argument that rpm should handle that more gracefully, but it doesn't change the fact that one of the standard filesystems we ship and support doesn't implement a feature we depend on 18:09:29 <mjg59> Until tmpfs implements this I don't think we can depend on filesystem based capabilities for anything 18:09:31 <sgrubb> mjg59, there's several filesystems that don't support it and we depend on it 18:09:42 <notting> dwalsh: so, essentially, it's not worth it for any of the capabilities in the first set 18:10:02 <sgrubb> I wouldn't say that 18:10:11 <dwalsh> I think it is better just not perfect. 18:10:19 <sgrubb> right 18:10:26 * cwickert tends to agree with mjg59 18:10:29 <mjg59> I think the feature is worth it. But I think we need to be able to support the feature, and I don't think we can currently do that. 18:10:32 <dwalsh> But we need to look at this analysys and try to make the capabilties model better 18:10:43 * nirik nods. 18:10:43 <mjg59> Whether capabilities are perfect is an orthogonal issue 18:10:56 <mjg59> Does this feature enhance security? In the absence of other bugs, yes 18:10:58 <notting> dwalsh: even for 'cap_sys_admin'? 18:11:00 <sgrubb> dwalsh, what is missing from brad's analysis is the couple of fs caps with pam_cap 18:11:06 <mjg59> Does this feature break things? At present, yes 18:11:21 <mjg59> Should we ship features unless we have a known timescale for them not to break things? 18:11:24 <mjg59> I think the answer there is "no" 18:11:29 <sgrubb> pam_cap is an essential part of the new model 18:11:41 <nirik> mjg59: yeah. I'm inclined to agree, but I'd like to see if we can find out more status on tmpfs before just saying punt to next release. 18:11:48 <mjg59> nirik: Absolutely 18:11:57 <mjg59> But I don't want to keep just putting this off 18:12:12 <dwalsh> mjg59, I agree. 18:12:31 <dwalsh> notting, I would like to see cap_sys_admin broken up into more capabilities. 18:12:43 * nirik thinks it's reasonable to wait a week to gather more info... if tmpfs turns out to be a ways off, punt to next release and go back to suid for now. 18:12:45 <dwalsh> Since it is just a dump for many issues. 18:14:18 <mjg59> Yeah, I'm ok with revisiting next week if the assumption then is that if we don't have a timescale for tmpfs we punt to F16 18:14:34 <nirik> any objections to that? 18:15:09 <nirik> sgrubb: you said there were other fs'es we support that don't support caps? which ones? 18:15:39 <dwalsh> nfs? 18:16:30 <nirik> possibly... 18:16:38 <notting> nfs doesn't? ick. 18:16:39 <mjg59> So does this work with nfs / ? 18:16:51 <mjg59> And if not, what's the fallback? 18:17:22 <dwalsh> setuid would have to be fall back. 18:17:53 <notting> ... which could make provisioning fun, if you're not provisioning directly to the nfs root 18:18:04 <mjg59> Wurgh. 18:18:22 <pjones> setuid doesn't really make a good fallback... the bit is either set or not on the executable. 18:18:50 * nirik doesn't have a nfs handy to test to see... 18:18:53 <mjg59> So if we start distributing applications that have been *written* for fs-based capabilities, you're suggesting that installing them on NFS should make them SUID instead? 18:19:10 <nirik> anyhow, shall we gather info and revisit next week? we have a bunch of other items on the agenda. ;) 18:19:13 <mjg59> I don't think this is a good thing 18:19:33 <nirik> yeah, I don't think thats a good solution. 18:20:46 * nirik will move on in 30 seconds unless something further on this issue. 18:21:02 <mjg59> So I think we need a tmpfs timeline and more information on what happens with nfs 18:21:05 <nirik> Thanks for coming dwalsh, sgrubb. If you can gather info for us that would be great. 18:21:33 <nirik> #agreed will gather more info and revisit this next week. 18:21:35 <skvidal> nirik: you might think about pinging steved for the nfs question 18:21:40 <nirik> #info need info on tmpfs status 18:21:48 <skvidal> nirik: to be here next week 18:21:48 <nirik> #info need info on nfs capabilities status. 18:21:54 <nirik> skvidal: good idea. 18:22:15 <nirik> #topic #526 "systemd" feature scope acurracy and precision 18:22:15 <nirik> .fesco 526 18:22:16 <zodbot> nirik: #526 ("systemd" feature scope acurracy and precision) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/526 18:22:43 <nirik> I think this was mostly answered there... although I think we should ask that the feature page be updated. 18:23:10 <nirik> And we should find out if changing everything to systemd units files is in the scope of the feature or just a nice thing to have if people get around to it. 18:23:24 <mjg59> nirik: Lennart said he'd try to drop by for this 18:23:27 <mjg59> Hang on a minute 18:23:41 <mjg59> Ah, good 18:23:42 <nirik> cool. 18:23:48 <nirik> welcome mezcalero 18:23:50 <mezcalero> hi 18:24:32 <mezcalero> did imiss anything so far? 18:24:48 <nirik> not much. ;) 18:25:06 <nirik> so, mitr wanted to get a better idea on scope and parts for systemd feature. 18:25:12 <mjg59> 18:22 < zodbot> nirik: #526 ("systemd" feature scope acurracy and precision) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/526 18:25:15 <mjg59> 18:22 <+nirik> I think this was mostly answered there... although I think we should ask that the feature page be updated. 18:25:18 <mjg59> 18:23 <+nirik> And we should find out if changing everything to systemd units files is in the scope of the feature or just a nice thing to have if people get around to it. 18:25:30 <nirik> which I think were answered pretty well in comment 3. 18:26:12 <nirik> My outstanding question is: is changing everything to use systemd units part of this feature for f15? or is it just 'change things that would like to/can change'? it's unclear from the feature page. 18:26:27 <nirik> also, it would be good to update the feature page with info from comment 3. ;) 18:27:27 * cwickert thinks convert as much as possible to systemd units, but mezcalero can tell us better 18:27:56 <mezcalero> nirik: well, no, i don't want to make the convrsoin of all service files a feature for f15. i mean, i am happy to see if people convert their stuff, but i myself do not see that as my own priority 18:28:09 <mitr> If I may... I don't really think it's the feature owner's duty to actively get other people in the community involved, but the feature page should really allow people to see whether they should want to. 18:28:24 <nirik> mezcalero: ok, thats fine, but should perhaps be made clear on the feature page. 18:28:24 <cwickert> mitr: +1 18:28:47 * cwickert is willing to abuse his proven packager powers to help mezcalero 18:28:59 <mezcalero> cwickert: always happy for help ;-) 18:29:04 <mitr> Looking at any of the things discussed in comment #3, if you asked me to list things an init system does, none of them would be included. 18:29:05 <nirik> mitr: sure. Did your questions get answered? or do you have further ones? 18:29:07 <cwickert> mezcalero: is there a tracker bug? 18:29:19 <nirik> cwickert: there is... 18:29:24 <mezcalero> cwickert: there is 18:29:29 <mitr> nirik: "My wish, as a second best option, is that FESCo (probably in cooperation with the owners of the systemd feature) explicitly specifies the scope of the systemd feature" 18:30:21 <nirik> mitr: would what is on the feature page now + whats in comment 3 work for that? 18:30:50 <nirik> ie, cron is out of scope, rc.sysinit reorg is in scope, etc? 18:31:48 <mezcalero> hmm, so is this issue simply about extending the feature page? i don't think neither the cron-like functionality, nor the local stuff should be documented there really, as we don't use this for f15 really. the password stuff is an implementation detail, not many other packager folks should really care 18:31:51 <nirik> mitr: I think some of the things that are scope expansion are just part of rc.sysinit getting revamped. 18:32:10 <mezcalero> and regaridng the tmpfiles stuff this is kinda covered by the var/run tmpfs feature page 18:32:40 <nirik> mezcalero: yeah, the feature page would be nice to update to what it currently covered.. and perhaps even note what is _not_ covered... ? 18:32:54 <dwalsh> BTW Steved just said that NFS does support file capabilities. 18:32:54 <mitr> nirik: I don't know how to draw the boundary, but I'd like the boundary of a feature to be specified _in advance_. IOW, I'd like to _now_ know that mlocate is not in scope. 18:33:00 <nirik> dwalsh: cool. ;) 18:33:06 <mitr> (this is an obviously ridiculous example just to demonstrate the point) 18:33:29 <notting> dwalsh: yay. 18:33:30 <nirik> mitr: well, it's impossible to note everything thats not in scope, right? 18:34:15 <mitr> nirik: "Anything run from rc.sysinit is in scope" is the kind of answer I'd like. (although I'd be happier if it were more limited0 18:34:52 <mezcalero> well, systemd is a system and service manager 18:35:05 <mezcalero> so it manages the systemd, which is a really fuzzy description of what it does 18:35:24 <mezcalero> but stuff like the tmpfiles stuff i would definitely would subsume under "managing the system" 18:35:28 <nirik> perhaps we could approach it this way... mezcalero: has pretty much all the functionality landed in rawhide? it's just down to bugfix mode and converting to units packages? 18:35:51 <mezcalero> nirik: i don't se any big changes coming for F15, no 18:36:06 <mezcalero> nirik: currently working my way through rhbz and stuff 18:36:33 <mezcalero> nirik: rawhide is pretty much in shape already, when it comes to systemd 18:36:38 <nirik> yeah. 18:36:41 <mezcalero> (i mean, it kinda was already for the f14 timeframe ;-)) 18:37:21 <mezcalero> i mean, we will probably end up mergin the functionality of CK into systemd in F16 or so 18:37:22 <nirik> so, what shall we do here? mezcalero: can you work on updating the feature page with current status and note the scope there? mitr: would that be sufficent? would you be willing to work with him to get the feature page in shape? 18:37:30 <mezcalero> so there will be changes coming, but not for F15 really 18:37:43 <nirik> do you have a roadmap type doc? 18:37:49 <mitr> nirik: That works for me. 18:37:55 <drago01> there is a todo file in git 18:38:02 <mezcalero> nirik: there's a TODO list in systemd git which covers the CK stuff, though terse 18:38:18 <nirik> cool. 18:38:26 <nirik> anyone have objections to that plan? 18:38:34 <mezcalero> nirik: i kinda would like more clarficiations on what is actually requested here before we add clarifications to the feature page ;-) 18:39:41 <nirik> mezcalero: I think he just wants scope to note that systemd will be involved with things around rc.sysinit and things it runs, so maintainers of those packages should expect/be involved in changes. 18:40:50 <mitr> Well ideally more precise - but if no major changes are planned, just adding the items from comment#3 would make the scope more or less precise AFAICS 18:40:58 * nirik nods. 18:41:42 <nirik> mitr: perhaps you could propose feature page changes and mezcalero can look them over for accuracy? and if you guys get stuck, we can revisit? 18:42:24 <mitr> This is kind of backwards :), but I can do that 18:42:33 <nirik> #agreed mitr and mezcalero to work on updating feature page. 18:42:41 <nirik> Thanks mitr and mezcalero. 18:42:53 <nirik> #topic #527 Dist Git Branch Redux Proposal 18:42:53 <nirik> .fesco 527 18:42:55 <zodbot> nirik: #527 (Dist Git Branch Redux Proposal) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/527 18:42:57 <nirik> Oxf13: you around? 18:43:07 <mezcalero> thanks 18:43:28 <mitr> nirik, mezcalero: thank you 18:44:41 * nirik is fine with this proposal. It changes stuff for clients, but maintainers should hopefully figure things out. 18:44:43 <cwickert> +1 on this 18:45:03 <notting> I like simpler. +1 18:45:40 <mjg59> Sure, +1 18:45:43 <mmaslano> +1 18:46:09 <nirik> #agreed This proposal is accepted. 18:46:18 <nirik> #topic #528 Add xz package to buildsys-build comps group 18:46:18 <nirik> .fesco 528 18:46:19 <zodbot> nirik: #528 (Add xz package to buildsys-build comps group) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/528 18:46:24 <nirik> +1 from me. 18:46:51 <notting> +1 18:46:54 <mjg59> +1 can't see why not 18:46:54 <mmaslano> +1 18:46:57 <SMParrish_mobile> +1 18:47:02 <nirik> #agreed This proposal is accepted. 18:47:09 <nirik> #topic #532 Nonresponsive maintainer: pysvn 18:47:09 <nirik> .fesco 532 18:47:11 <zodbot> nirik: #532 (Nonresponsive maintainer: pysvn) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/532 18:47:49 <nirik> This maintainer has only the one package. 18:47:52 <nirik> pysvn 18:48:02 <nirik> They have not been active or answering emails, etc for a while. 18:48:56 <nirik> I guess I am +1 to adding the reporter as co-maintainer, then if they don't show up after a while changing ownership... 18:49:10 <SMParrish_mobile> I'm good with that +1 18:49:41 <mmaslano> +1 18:49:47 <ajax> (back) 18:50:08 <nirik> also, it would be nice if we had a better way to detect and handle missing maintainers (but thats a larger topic) 18:50:16 <mjg59> +1 18:50:28 * notting is +1 about adding sgallagher as a comaintainer 18:50:45 <nirik> #agreed will add reporter as co-maintainer 18:50:54 <nirik> #topic #531 Orphaned package ownership claiming clarification 18:50:54 <nirik> .fesco 529 18:50:56 <zodbot> nirik: #529 (F15Feature: KDE46 - http://fedoraproject.org/wiki/Features/KDE46) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/529 18:51:13 <nirik> this one has to do with when to re-review things that were orphaned coming back into the collection. 18:51:22 <nirik> ugh... 18:51:24 <nirik> wrong thing. 18:51:33 <nirik> #topic #531 Orphaned package ownership claiming clarification 18:51:33 <nirik> .fesco 529 18:51:34 <zodbot> nirik: #529 (F15Feature: KDE46 - http://fedoraproject.org/wiki/Features/KDE46) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/529 18:51:40 <nirik> wrong ticket. 18:51:45 <nirik> .fesco 531 18:51:46 <zodbot> nirik: #531 (Orphaned package ownership claiming clarification) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/531 18:52:13 <tibbs|h> The policy is clear, but seems a bit odd. 18:52:57 <nirik> I think the issue the reporter wanted to fix was that people could bypass the policy... 18:53:19 <nirik> just claim it in pkgdb, build, etc. If you don't need new branches or anything, scmadmins don't see it. 18:53:28 <tibbs|h> The problem is that you end up with what's basically a merge review. 18:53:42 <tibbs|h> Since there's no incentive to do the review, and if he hadn't posted one nobody would be the wiser. 18:54:18 <tibbs|h> Some cron job that auto-blocks packages after three months of orphanage, or somesuch, would resolve the issue. 18:54:19 <nirik> right. 18:54:45 <tibbs|h> (I'm not sure "blocks" is the right term. Maybe blocks in koji and retires in pkgdb.) 18:55:04 <nirik> or just blocks in koji... they couldn't build then, though it would be less clear. 18:55:19 <tibbs|h> I'm not sure how feasible any of that is, however. 18:55:40 <nirik> I can ask abadger1999... 18:56:06 <nirik> so really we need some kind of tech solution here, and there's not really any fesco action right? 18:56:22 <cwickert> can't we just trust people? do we need another technical solution to a social problem? 18:56:37 <tibbs|h> I don't think trust is the issue here. 18:56:47 <cwickert> if we have a problem, it's the missing knowledge of the guidelines 18:56:52 <tibbs|h> Since you can't see how long a package has been orphaned in pkgdb. 18:57:02 <nirik> cwickert: well, I don't know that people are doing it because they want to subvert the policy, it's because they don't know the policy. 18:57:05 <ajax> on the one hand, re-reviewing orphans is a little draconian without re-review of existing packages 18:57:21 <tibbs|h> I don't think it's draconian at all. 18:57:27 <ajax> actually i guess i just have the one hand there. 18:57:30 <dgilmore> tibbs|h: blocking a package in koji will cause it to drop from rawhide 18:57:36 <tibbs|h> Good. 18:57:42 <tibbs|h> That's what we want, isn't it? 18:57:53 <tibbs|h> I mean, if it's orphaned, it certainly shouldn't be in rawhide or the next release. 18:57:57 <ajax> re-re of blocked packages sounds perfectly sane 18:58:11 <ajax> re-re of things that are merely orphaned for a month during a rawhide cycle, meh 18:58:29 <cwickert> +1 18:58:38 <notting> releng is the one that blocks packages, but we don't (usually) check that the other orphaning/deprecation steps are done 18:58:39 <nirik> right, which is why the policy was 3 months. 18:58:45 <tibbs|h> Not a month, three months. Which is half of the release cycle. 18:59:08 <cwickert> and means it has missed at least one milestone 18:59:19 <ajax> sorry, i was inventing numbers with "1 month". 3 sounds reasonable. 18:59:47 <nirik> so we need something to move things to retired / block them after 3 months, right? 19:00:03 <skvidal> and maybe obsolete them? 19:00:18 <cwickert> ouch 19:00:24 <nirik> skvidal: ;) 19:00:30 <cwickert> I don't think this is necessary in rawhide 19:00:50 <skvidal> nirik: hey - just thought I'd give it a shot :) 19:01:03 <skvidal> I wonder if I can renick to sysiphus 19:01:36 <nirik> proposal: ask pkgdb/releng folks about setting up something to auto retire/block packages after 3 months as orphan. 19:02:12 <SMParrish_mobile> +1 19:02:29 <mmaslano> +1 19:02:31 <ajax> +1\ 19:02:40 * nirik is fine with his own proposal. ;) 19:02:58 <notting> +1 19:03:02 <cwickert> +1 19:03:04 <nirik> #agreed ask pkgdb/releng folks about setting up something to auto retire/block packages after 3 months as orphan. 19:03:17 <nirik> that would also save us the orphan cull step. 19:03:24 <nirik> #topic #434 F15Feature - DNSSEC_on_workstations - https://fedoraproject.org/wiki/Features/DNSSEC_on_workstations 19:03:24 <nirik> .fesco 434 19:03:25 <zodbot> nirik: #434 (F15Feature - DNSSEC_on_workstations - https://fedoraproject.org/wiki/Features/DNSSEC_on_workstations) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/434 19:03:30 <nirik> Does anyone know the status here? 19:03:35 <nirik> it's been around a while... 19:04:01 <ajax> not heard anything. 19:04:53 <nirik> I Guess I will ping the ticket and we can try again next week. 19:05:01 <nirik> #info will ask for updated info from feature owners. 19:05:09 <nirik> #topic #529 F15Feature: KDE46 - http://fedoraproject.org/wiki/Features/KDE46 19:05:09 <nirik> .fesco 529 19:05:11 <zodbot> nirik: #529 (F15Feature: KDE46 - http://fedoraproject.org/wiki/Features/KDE46) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/529 19:05:40 <cwickert> +1 19:05:47 <mjg59> Looks fine to me 19:05:52 <nirik> +1 here. 19:05:58 * nirik notes the spin size change. 19:05:59 <SMParrish_mobile> +1 19:06:07 <ajax> +1 19:06:12 <notting> "work on adding kde-integration to libreoffice " - details? 19:06:14 <notting> but, +1 19:06:41 <nirik> #agreed feature is approved. 19:06:47 <nirik> notting: might add that to the talk page... 19:06:55 <nirik> #topic #530 F15Feature: Riak - http://fedoraproject.org/wiki/Features/Riak 19:06:55 <nirik> .fesco 529 19:06:56 <zodbot> nirik: #529 (F15Feature: KDE46 - http://fedoraproject.org/wiki/Features/KDE46) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/529 19:07:27 <nirik> .fesco 530 19:07:28 <zodbot> nirik: #530 (F15Feature: Riak - http://fedoraproject.org/wiki/Features/Riak) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/530 19:07:31 * nirik has link issues today 19:07:47 <ajax> just new packages, +1 19:07:58 <mjg59> +1 19:08:00 <cwickert> +1 19:08:02 <nirik> sure, fine with me as well. 19:08:36 <SMParrish_mobile> +1 19:08:46 <notting> +1 19:08:53 <nirik> #agreed Feature is approved 19:08:59 <nirik> #topic #534 F15Feature: Dynamic Firewall -https://fedoraproject.org/wiki/Features/DynamicFirewall 19:08:59 <nirik> .fesco 534 19:09:00 <zodbot> nirik: #534 (F15Feature: Dynamic Firewall - https://fedoraproject.org/wiki/Features/DynamicFirewall) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/534 19:09:19 <cwickert> +1, however I'd like some clarification on this 19:09:24 <cwickert> maybe mjg59 can help 19:09:32 <mjg59> I think it needs a little clarification with respect to the tray icon 19:09:38 <cwickert> right 19:09:43 <mjg59> But otherwise no problem 19:09:52 <notting> danpb raised some points on the list about this 19:09:56 <cwickert> what if not a try icon? what are the alternatives? 19:10:04 <notting> but esp. if it's not the default, i think we can work through it 19:10:43 <notting> the implication is that the tray icon merely displays status 19:10:50 <notting> and wraps the command lne 19:10:55 <notting> so it can be controlled w/o it 19:11:12 <nirik> so, if it's not default, is this more of a tech preview? ;) 19:11:52 <mmaslano> proof of concept 19:11:53 * cwickert likes to have a try icon 19:12:02 <cwickert> s/try/tray :) 19:12:35 <nirik> anyhow, +1 for it... I think it's a good plan, if early. 19:12:57 <cwickert> I have seen it already in action 19:13:00 <cwickert> and it rocks 19:13:04 <SMParrish_mobile> +1 19:13:26 <cwickert> however if you do everything with notifications, the desktop can become messed up fast 19:13:35 <cwickert> this is why I like the tray icon 19:13:40 <notting> isn't the point of a good firewall that you *won't* see it? :) 19:13:51 <cwickert> I don't think so 19:14:09 <nirik> what would show in the tray ? denials? 19:14:21 <cwickert> If I cannot use the network printer due to a restrictive firewall, seeing it saves troubleshooting 19:14:36 <cwickert> nirik: for example 19:14:53 <mjg59> cwickert: I think that's the wrong expectation 19:14:57 <nirik> yeah, but if you are on a busy network with a bunch of port scans and junk it would be a bit nasty. 19:15:12 <mjg59> If I cannot use the network printer due to a restrictive firewall, then the firewall should just get out of the way rather than telling me why I can't see my printer 19:15:29 <nirik> yeah, the printer applet could/should just ask the firewall to change. 19:15:32 <cwickert> so you expect the firewall to know what you want? 19:15:56 * nirik expects the printer applet to know what it needs from the firewall. 19:15:58 <mjg59> cwickert: I think "I try to use my printer and something tells me that I'm potentially being attacked over the internet" is a poor user experience 19:16:37 <cwickert> mjg59: agreed, but this means the firewall is dump and firewalls only block attacks from the internet 19:16:52 <nirik> anyhow, where are we here. 19:16:59 <nirik> +1 I see 19:17:02 <cwickert> they do other things as well and it could be a meaningful info instead attack from the internet 19:17:04 <nirik> +3 rather 19:17:08 <mjg59> +1 from me 19:17:30 <cwickert> mjg59: for me the question is: (at least some people) want a tray icon. what alternative can GNOME provide that works across different desktops 19:17:35 <cwickert> +1 from me as wll 19:17:37 <cwickert> well 19:17:44 <mjg59> cwickert: I think for spins that want to focus on paranoia even when it conflicts with user desire, there's no problem in providing a tray icon 19:17:44 <dgilmore> it should be able to detect if its the same network or not 19:18:10 * nirik waits for one more vote at least 19:18:10 <mjg59> Whereas I'd really hope that any development on the desktop spin is aimed at doing this automatically, even if there's some perceived security cost 19:18:26 <mjg59> The important thing here is the backend 19:18:32 <mjg59> The UI is a desktop integration issue 19:19:27 <notting> %post 19:19:29 <cwickert> ok, lets not discuss this, lets focus on the feature itself. more votes please? 19:19:35 <ajax> +1 19:19:50 <notting> ln -sf /sbin/halt /sbin/init <- your paranoia spin 19:20:02 <nirik> #agreed Feature is approved. 19:20:08 * cwickert needs to leave now 19:20:11 <nirik> #topic #537 F15Feature: Spice support for virt-manager - http://fedoraproject.org/wiki/Features/SpiceInVirtManager 19:20:11 <nirik> .fesco 537 19:20:12 <zodbot> nirik: #537 (F15Feature: Spice support for virt-manager - http://fedoraproject.org/wiki/Features/SpiceInVirtManager) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/537 19:20:17 <cwickert> +1 19:20:24 <mjg59> +1 19:20:29 <nirik> +1 here too. 19:20:29 <SMParrish_mobile> +1 19:20:37 <notting> +1 19:20:50 <nirik> cwickert: if you are back on later, I have some quick questions for you. ;) 19:20:55 <nirik> #agreed Feature is approved. 19:20:55 <ajax> +1 19:21:05 <nirik> #topic #535 F15Feature: ecryptfs in authconfig - http://fedoraproject.org/wiki/Features/EcryptfsAuthConfig 19:21:05 <nirik> .fesco 535 19:21:06 <zodbot> nirik: #535 (F15Feature: ecryptfs in authconfig - http://fedoraproject.org/wiki/Features/EcryptfsAuthConfig) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/535 19:21:45 <nirik> +1 from me. I know some folks who would like this functionality. 19:21:48 <notting> ecrpytfs? 19:22:14 <nirik> well, a local per user encrypted dir/store. 19:22:41 <SMParrish_mobile> I like it +1 19:22:50 <ajax> cute trick, +1 19:23:17 <notting> neat idea. wonder how well it will work long term 19:23:21 <notting> +1 in general 19:23:27 <nirik> ecryptfs has been in a while. 19:23:30 <notting> would be interesting to talk to the desktop folks about tying this in more broadly 19:23:47 <nirik> yeah. 19:24:01 <nirik> one more vote? ;) 19:24:10 <mjg59> +1 19:24:19 <nirik> #agreed Feature is approved. 19:24:21 <nirik> #topic #536 F15Feature: RPM 4.9 - http://fedoraproject.org/wiki/Features/RPM4.9 19:24:21 <nirik> .fesco 536 19:24:22 <zodbot> nirik: #536 (F15Feature: RPM 4.9 - http://fedoraproject.org/wiki/Features/RPM4.9) - FESCo - Trac - https://fedorahosted.org/fesco/ticket/536 19:24:30 <ajax> oh my yes +1 19:24:40 <ajax> i want collections so badly 19:24:55 <nirik> +1 here. Land as soon as feasable. ;) 19:25:03 <mjg59> +1 19:25:18 <SMParrish_mobile> +1 19:25:31 <notting> +1 19:25:59 <nirik> #agreed Feature is approved. 19:26:10 <nirik> #topic Open Floor 19:26:21 <nirik> That brings us to almost 2 hours and open floor. ;) 19:26:28 <nirik> Any items for open floor from anyone? 19:27:28 * nirik listens to the crickets chirp. 19:27:39 <nirik> will close out the meeting in a few here if nothing comes up. 19:27:43 <nirik> Thanks for coming everyone! 19:28:20 <nirik> #endmeeting