18:00:46 <mattdm> #startmeeting FESCO (2013-12-11)
18:00:46 <zodbot> Meeting started Wed Dec 11 18:00:46 2013 UTC. The chair is mattdm. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:46 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:50 <mattdm> #meetingname fesco
18:00:50 <zodbot> The meeting name has been set to 'fesco'
18:00:54 <mattdm> #chair abadger1999 mattdm mitr mmaslano notting nirik pjones t8m sgallagh
18:00:54 <zodbot> Current chairs: abadger1999 mattdm mitr mmaslano nirik notting pjones sgallagh t8m
18:00:59 <mattdm> #topic init process
18:01:00 * abadger1999 is here
18:01:03 <mattdm> hello!
18:01:04 <t8m> hello
18:01:06 <sgallagh> .hellomynameis sgallagh
18:01:08 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
18:01:13 * nirik is here, but also in the f20 blocker review meeting.
18:01:21 <jwb> hi mattdm. did you add ticket 1201 to the agenda today?
18:01:28 <mmaslano> hi
18:01:37 <mattdm> jwb yes i did
18:01:42 <jwb> mattdm, ok, great
18:01:43 <pjones> why, hello there.
18:02:02 <mattdm> jwb it's item #2
18:02:12 <jwb> cool
18:02:31 * pknirsch lurking
18:02:43 <mitr> Hello
18:03:29 <mattdm> okay that's almost everyone :)
18:04:17 * mattdm gives notting another 30 seconds
18:04:23 <notting> oh, sorry. yes, i'm here.
18:04:27 <mattdm> oh hi :)
18:04:33 <mattdm> #topic #1185 Enable "-Werror=format-security" by default
18:04:50 <mattdm> .fesco 1185
18:04:52 <zodbot> mattdm: #1185 (Enable "-Werror=format-security" by default) – FESCo - https://fedorahosted.org/fesco/ticket/1185
18:05:12 <mattdm> we actually also have another ticket on this
18:05:19 <mattdm> .fesco .1210
18:05:20 <zodbot> mattdm: An error has occurred and has been logged. Please contact this bot's administrator for more information.
18:05:29 <mattdm> .fesco 1210
18:05:30 <zodbot> mattdm: #1210 (F21 System Wide Change: Format Security - https://fedoraproject.org/wiki/Changes/FormatSecurity) – FESCo - https://fedorahosted.org/fesco/ticket/1210
18:06:07 <mattdm> the second one, as i understand it, just asking for a copy of the final resolution of the first
18:06:13 <mattdm> jreznik is that right?
18:06:54 <sgallagh> I think the second one is actually just following the process we should have been using from the start.
18:07:03 <sgallagh> Since this is pretty clearly a System-Wide Change
18:07:21 <nirik> the first one is reopened because people are asking us to not approve it by default.
18:07:27 <mattdm> okay, fair enough.
18:08:07 <mattdm> so what are the proposals here?
18:08:09 <t8m> #proposal: Add the flag to rpm config only as -Wformat-security
18:08:26 <t8m> (i. e.) not use -Werror=format-security
18:08:27 <nirik> -1
18:08:27 <mitr> -1 at this point. What data do we have?
18:08:57 <mitr> I've seen at most 3 instances of correct code broken by the flag so far
18:09:13 <abadger1999> -1
18:09:18 <nirik> and about 3 (loud) people complaining
18:09:42 <mmaslano> mitr: thank it's not working properly
18:09:42 <mattdm> to be clear, we are talking about F21, not something that will impact F20 at all. right?
18:09:48 <mmaslano> t8m: +1
18:09:58 <mitr> mmaslano: Sorry, I can't understand
18:10:05 <notting> mattdm: correct, this is rawhide/f21 only
18:10:07 <mitr> (and as a matter of philosophy, if we are ever going to move to more testing automation, as we IMHO absolutely must, then there will be more "you must fix this" bugs and it's OK to move in that direction)
18:10:13 <t8m> I have to agree with the so called "loud people" that -Werror anything is not a good idea for general distribution build flags
18:10:17 <jreznik> mattdm: sorry, re-reading
18:10:25 <mmaslano> mitr: maybe I misread you
18:10:41 <nirik> about 30% of them are already fixed.
18:10:58 <mattdm> Just checking. in that case I am -1 to t8m
18:11:35 <jreznik> mattdm, sgallagh: yes, it's just to follow the process - copy resolution there and I'll be more than happy with it!
18:11:37 <halfie> and some of the packages are being dropped as we speak (which is a good thing from security POV)
18:11:46 <mitr> mmaslano: There is a lot of code (~400 packages) that is suspect. There may be quite a few actual security bugs. I've seen very few packages actually broken by the flag, and there are workarounds possible (if nothing else, locally overriding the flag). So on balance, this seems worth it to me, given the limited information I've seen so far.
18:11:50 <t8m> fixed = workarounded as correct code does not need fixes
18:11:53 <notting> halfie: dropped because of this???
18:12:10 <halfie> notting, no, in some cases the upstream went dead.
18:12:33 <notting> halfie: ok. seemed extreme to drop b/c of this
18:12:42 <halfie> notting, heh, yeah :-)
18:12:55 <notting> mitr: are the three cases of correct code broken fixable?
18:13:31 <t8m> notting, not that they aren't fixable but sometimes upstream wouldn't accept the "fix" of correct code
18:13:56 <sgallagh> t8m: Then we carry patches
18:13:57 <mmaslano> mitr: imho it's bad to force a flag which breaks some packages, even a few
18:14:01 <mitr> notting: printf(x) => printf("%s", x) would work for all of them
18:14:13 <mitr> mmaslano: 400 packages to benefit, _and all future packages_
18:14:42 <t8m> mitr, sometimes no benefit
18:14:48 <t8m> mitr, just additional workarounding
18:14:54 <abadger1999> and updates of current packages.
18:15:02 <t8m> I don't think we need to discuss this further
18:15:08 <t8m> I certainly don't
18:15:26 <nirik> with all the other distros already doing this, I don't see upstreams rejecting fixes.
18:15:26 <halfie> t8m, "unzip" upstream is one example. they wrote 50+ lines to explain why they won't fix it. in my opinion, they are being too stubborn about it. it's never too late to learn "defensive" coding practices. the patch is around 8 lines IIRC and is trivial.
18:15:27 <sgallagh> Ok, a simple vote then? Error vs Warning?
18:15:41 <t8m> sgallagh, please
18:15:51 <nirik> halfie: really? wow.
18:15:54 <mitr> t8m: Suppose a provenpackager were to fix all packages where the maintainer hasn't done so; would it be acceptable to you?
18:16:00 <mmaslano> halfie: people told me, they would like to see examples how to fix it. Preferably on feature page or in bugs
18:16:14 <halfie> nirik, their forum post is actually pretty funny. will post a link later on.
18:16:21 <mitr> mmaslano: there is a FAQ for C; not sure about C++
18:16:23 <nirik> halfie: sure, thanks.
18:16:27 <t8m> mitr, I don't really care
18:16:27 <sgallagh> Proposal: We add -Werror=format-security by default. (A -1 indicates that we will add -Wformat-security instead)
18:16:40 <halfie> mmaslano, sure, I can work on it. I did add an example last week (about Qt related fixes).
18:16:40 <abadger1999> +1
18:16:42 <nirik> +1
18:16:44 <sgallagh> +1
18:16:45 <t8m> sgallagh, -1 just for record
18:16:45 <mmaslano> mitr: if it was so obvious to get it, they wouldn't ask
18:16:46 <mattdm> +1
18:16:51 <mmaslano> still -1
18:16:52 <mitr> sgallagh: +1
18:16:57 <mattdm> #agreed We add -Werror=format-security by default. (A -1 indicates that we will add
18:17:00 <mattdm> #undo
18:17:00 <zodbot> Removing item from minutes: <MeetBot.items.Agreed object at 0xa875950>
18:17:01 <notting> +1
18:17:03 <mitr> mmaslano: some of the maintainers really don't know the programming language AFAICT
18:17:15 <pjones> sgallagh: +1
18:17:15 <mitr> t8m: "we must keep all packages building as they are unchanged" would really be new. In some sense desirable, but really new.
18:17:29 <mattdm> #agreed We add -Werror=format-security by default. (A -1 indicates that we will add -Wformat-security instead) (+7,-2)
18:17:33 <mmaslano> mitr: the complaint wasn't from those who can't program ;-)
18:17:55 <mattdm> okay. dissent respectfully noted, vote made, moving on. :)
18:22:52 <notting> obviously people can search manually
18:22:56 <abadger1999> sgallagh: For Y, last week you asked that we defer while rhughes and msuchy had talked about it.
18:23:21 <sgallagh> I did, and that conversation had stalled while msuchy got out the new version of COPRs that launched today
18:23:22 <jwb> sgallagh, s/gnome-software/an application
18:23:27 <abadger1999> k
18:23:33 <sgallagh> jwb: That was a representative example, not exclusive
18:23:39 <t8m> mattdm, +1 I agree
18:24:29 <abadger1999> I think that if the UI is like spot suggested (such searching tells users explicitly when they are getting software from something that is not "Fedora") I'd be okay with this.
18:24:53 <sgallagh> abadger1999: Care to phrase that as a proposal? I'd be in favor of that.
18:24:59 <mattdm> abadger1999 +1
18:25:00 <abadger1999> if the searching was transparent then I'd agree with notting's view.
18:26:39 * mattdm waiting for proposal
18:26:46 <notting> i would really really like some sort of per-copr signing for any set of repos that we put search code for in fedora
18:26:55 <abadger1999> Proposal: Copr repos may be searched for applications to install as long as the user is explicitly asked to enable the copr before installing packages from them (See https://fedorahosted.org/fesco/ticket/1201#comment:19 for details)
18:27:36 <sgallagh> abadger1999: +1
18:27:36 <mitr> notting: that btw only works if copr is served over https or the Fedora search code includes the public key (but copr signing is a research in progress, not to arrive in the next month AFAIK)
18:27:42 <t8m> abadger1999, +1
18:28:16 <mattdm> I guess with what notting says, I'm, like, +0.75 for abadger1999's proposal. Warnings like "enabling this will make you insecure!" don't really help end users.
18:28:25 <nirik> the asking there could include "are not signed, may go away, etc" I assume?
18:28:25 <sgallagh> notting: That would be preferable, yes. I'm viewing it as an implementation detail, though
18:28:31 * abadger1999 notes that on the copr signing front, there is this infra thread: https://lists.fedoraproject.org/pipermail/infrastructure/2013-December/013741.html
18:28:51 <nirik> there's apparently an obs signing thing. I don't know how it works off hand tho.
18:28:57 <mitr> mattdm: a warning like "you are deciding to trust a different party now" IMHO does
18:29:03 <abadger1999> Looks like a lot of work. Not something currently on the roadmap.
18:29:14 <sgallagh> mitr: Right, which is no worse than how our competitors work.
18:29:21 <t8m> I wouldn't hold copr searching for the signing to work
18:29:26 <sgallagh> Usually they give you the option to trust once or always
18:29:36 <abadger1999> nirik: I'm not really enthused about having to manage a third signing infrastructure...
18:29:48 <mattdm> yeah I guess I will round up to +1. but I *would* like to see signing accelerated as a priority if *this* is a priority
18:29:50 <pjones> sgallagh: {once, limited time, forever} has been a pretty good model for su on my phone
18:30:01 <sgallagh> pjones: Exactly
18:30:21 <pjones> mattdm: yeah, likewise, +1 but I'd like to see signing escalated as a priority
18:30:21 <mitr> Do we have _anybody_ planning to point to coprs btw, or is this all about proprietary software hosted elsewhere?
18:30:22 <nirik> abadger1999: me either.
18:30:42 <sgallagh> #info FESCo would* like to see signing accelerated as a priority if searching COPRs is made a priority
18:30:51 <sgallagh> #undo
18:30:51 <zodbot> Removing item from minutes: <MeetBot.items.Info object at 0xfaf1dd0>
18:30:53 <nirik> sigul isn't really an option here either, IMHO
18:30:56 <sgallagh> #info FESCo would like to see signing accelerated as a priority if searching COPRs is made a priority
18:31:08 <jwb> sgallagh, priority or possibility?
18:31:16 <jwb> because afaics, you're only deciding the latter
18:31:33 <sgallagh> Semantics :-/
18:32:10 <abadger1999> I think it's a good clarification.
18:32:11 <nirik> well, and 'would like to see' doesn't implement anything, but sure. ;)
18:32:26 <jwb> sgallagh, not really. "priority" is nebulous. priority to whom? FESCo? the people writing search software?
18:32:41 <jwb> are the latter going to even tell FESCo if this is permissible?
18:32:44 <jwb> doubt it
18:32:55 <notting> abadger1999: 0
18:33:14 <mattdm> so I *think* we have +5 for and one 0.
18:33:19 * mattdm scrolls back to count more
18:33:30 <sgallagh> #undo
18:33:30 <zodbot> Removing item from minutes: <MeetBot.items.Info object at 0xd981cd0>
18:33:30 <abadger1999> sgallagh: I think s/priority/possibility would be a good clarification.
18:33:53 <sgallagh> abadger1999: s/priority/possibility/g or just one of the two in that sentence?
18:33:55 <abadger1999> mattdm: I think you're one short...
18:34:02 <mattdm> jwb I think it means we will nicely ask the people working on COPRs and mention that it's important.
18:34:29 <jwb> mattdm, that's fine. then just say that if this is voted as permissible
18:34:37 <abadger1999> I think I'm a +0.75 too.
18:34:47 <t8m> sgallagh, I think that the second one should be changed only
18:34:47 <abadger1999> you can round me up to +1 to make it +5
18:34:55 <mattdm> abadger1999 :)
18:35:37 <mattdm> any other votes?
18:36:03 <mmaslano> votes for signing would be nice?
18:36:06 <mmaslano> sure +1
18:36:31 <nirik> sure, signing and unicorns for all.
18:36:32 <sgallagh> mmaslano: Signing as mandatory or signing as nice-to-have?
18:36:32 <mitr> jwb: Are there any plans about actually pointing to coprs?
18:36:52 <mmaslano> nice-to-have...
18:36:59 <mattdm> #agreed Proposal: Copr repos may be searched for applications to install as long as the user is explicitly asked to enable the copr before installing packages from them (See https://fedorahosted.org/fesco/ticket/1201#comment:19 for details) (+6,-,0)
18:37:01 <jwb> mitr, not to my knowledge. they came up as a weird case of 3rd party repo
18:37:01 <notting> nirik: given that the warning could be "by enabling this repo you are entrusting it with the full security of your machine and all its data"
18:37:05 <mattdm> #info signing and unicorns for all
18:37:15 <sgallagh> mmaslano: I don't think anyone disagrees that signing would be nice.
18:37:22 <mitr> Then I kind of don't see what the fuss is about...
18:37:50 <sgallagh> mitr: The OpenShift (or was it OpenStack?) guys wanted that as an option
18:37:52 <mattdm> mitr whether it's _nice_ or _required_, I think.
18:37:52 <nirik> notting: securely signing things is not an easy thing. ;)
18:38:15 <mitr> mattdm: If it weren't used, then conditions on its implementation would be irrelevant
18:38:18 <mitr> sgallagh: ah, ok
18:38:31 <notting> sgallagh: signing in an automated and sane fashion here is an issue. anyone can manually download their stuff from coprs and make a properly signed repo, of course
18:38:41 <mattdm> more on this or should we go on to the next sub-question?
18:38:46 <notting> darn you unattended processes
18:38:58 <sgallagh> notting: I'm aware of the issues, but I think we should not try to engineer the solution in this meeting
18:39:12 <t8m> sgallagh, +1
18:39:40 <mattdm> the next question, jwb's "Z" is broken down by abadger1999 thusly:
18:39:46 <mattdm> 1, 2, 3, and Y seem accurate to me. Z seems accurate but incomplete. I think there's three questions:
18:39:48 <mattdm> (spot) Does FESCo/Board want us to be able to point to non-free, legally permissible repos?
18:39:50 <mattdm> (toshio) Do we want to further limit what repos are permissible over and above what's legal?
18:39:52 <mattdm> (jwb) Who decides what's permissible under #2?
18:40:07 <mattdm> so: first, "Zspot"....
18:40:14 <jwb> i'll note question 1 is not quite accurate
18:40:30 <mattdm> jwb okay please rephrase
18:40:30 <jwb> or that it should be further subquestioned
18:41:02 <jwb> 1) Does FESCo/Board want us to be able to point to legally permissible repos? 1b) legally permissible repos containing non-free content?
18:41:25 <jwb> it is certainly possible to have a specific 3rd party repo containing free software
18:41:29 <jwb> so it should be considered in the question
18:41:38 <mattdm> jwb ah, yes.
18:42:12 <jwb> though if you just remove non-free from the question as toshio posed it, his question 2 would likely cover it
18:42:16 <sgallagh> At the risk of sounding pedantic, how are we defining "point to"?
18:42:17 * notting notes there is an alternate proposal in one of the WGs that explicitly bans 1b)
18:42:34 <jwb> sgallagh, discoverable/searchable. in the same manner you just decided for coprs
18:42:44 <jwb> notting, there is?
18:42:55 <jwb> notting, which WG and does that WG override other WGs?
18:43:13 <sgallagh> I think I'm +1/+1 here.
18:43:27 <mitr> 0 this is a Board matter IMHO
18:43:32 <sgallagh> This is a place where Ubuntu users have been able to tweak our noses for far too long
18:43:52 <t8m> I can be +1, +1 as well although it looks to me like questions for Board
18:44:11 <mmaslano> +1/+1
18:44:14 <notting> jwb: ". Fedora will not include any non-free software by default, host any non-free software in our repositories or link to third-party repositories containing non-free software." <- from mjg's proposal
18:44:15 <mattdm> For 1a (legally approved third-party free software), I think it's roughly the same as COPRs, although a little more out of our control. I'm okay with it with the same kind of warnings as with COPRs.
18:44:43 <jwb> notting, that proposal is just that. a proposal
18:44:49 <mattdm> for 1b, I have serious reservations. I don't think it's really in line with Fedora's mission.
18:46:03 <mattdm> Since I think this is probably a lot about kernel drivers, I'd also like to hear what kernel team / jwb thinks from a purely technical point of view.
18:46:31 <sgallagh> mattdm: At the end of the day, is it our mission to leave our users to fend for themselves for common needs, though?
18:46:31 <notting> mattdm: i suspect it's 1) kernel drivers (inc. nvidia) 2) chrome 3) steam
18:46:32 <pjones> mattdm: I'll note that such drivers only qualify under 1b under a ... highly questionable interpretation.
18:47:01 <jwb> notting, 4) matlab 5) lotus notes 6) <other software>
18:47:07 <sgallagh> 7) Flash...
18:47:11 <mitr> mattdm: Purely technically we are not responsible for the user's machine working if we are not the only software there, and as for preventing the user from installing other software, "plenty of rope" I suppose
18:47:17 <abadger1999> A point of clarity, I'd change "want" in all of the various versions of question (1) to "wish to allow". But I think we're all on the same page there.
18:47:21 <jwb> these are all just examples of a specific 3rd party repo, yes
18:47:22 <notting> jwb: heee. fedora matlab repo.
18:49:18 <jwb> i'm happy to discuss technical relevance of kernel drivers elsewhere, but this question is not limited to that and my opinion from a kernel perspective should not be under consideration for a general question
18:49:34 <abadger1999> +1 to (1a). I'll push for limiting it in answering (2).
18:49:35 <notting> given jwb's questions, i would be +1 to 1) and -1 to 1b)
18:49:37 <sgallagh> Every time a user hears "We don't ship that because it's not Free", they usually translate it to "We don't offer you what you need, so you should go elsewhere"
18:50:04 <pjones> I'd also be +1 to 1) and -1 to 1b)
18:50:05 * nirik is also +1 / -1
18:50:06 <jwb> sgallagh, we still aren't shipping it :)
18:50:16 <mattdm> jwb okay fair enough. But *if* we were to accept this I want to make sure technical concerns get a voice as well as the legal (and moral) ones.
18:50:23 <sgallagh> jwb: Poor phrasing, but you took my meaning
18:50:27 <jwb> mattdm, entirely fair
18:50:34 <sgallagh> mattdm: ack
18:50:38 <abadger1999> I'm really unsure what I want to vote on 1b.
18:50:44 <pjones> sgallagh: that's one hell of a shitty reason for abandoning our principles.
18:50:44 <jwb> sgallagh, i did. just making sure people don't suddenly think we're shipping things here
18:50:56 <notting> i can see the value in making it easier for users to get third-party software that can work on fedora, but i don't think fedora shipping repo links to third party repos is it
18:51:07 <mattdm> notting +1
18:51:20 <pjones> notting: yeah, I think that might be fair.
18:51:39 <sgallagh> pjones: There's an old question: "Is it more important to be correct... or loved?"
18:51:43 <mitr> pjones: I don't think the Free Software principles are supposed to be good Just Because; they are supposed to be good as a _means_ to benefit actual people as they exist in the real world.
18:51:54 <abadger1999> notting: note -- afaiui, this is also about the search tool rather than a direct repo link. But that might be splitting hairs.
18:52:02 <jwb> abadger1999, correct
18:52:17 <abadger1999> since the search tool will hide that distinction a bit.
18:52:20 <jwb> need to be careful with what "repo link" means i guess. it is not installing a disabled .repo file
18:52:24 <sgallagh> mitr: There are certainly people who would disagree with that assertion, but I am not one of them
18:52:25 <mattdm> For 1b, I think this is very much about Fedora's identity and mission. That can be reshaped, but I think this has to be -1 unless it *is* reshaped as part of a bigger conversation.
18:52:47 <mattdm> I'm not afraid of the bigger conversation, but this isn't the way to do it.
18:52:55 <abadger1999> mattdm: Okay, I can agree with that -- so would that then become definite Board territory?
18:52:56 <sgallagh> mattdm: Flock session?
18:54:11 <mattdm> I'm not saying FESCo shouldn't participate and have a voice, but I think it's bigger than a FESCo technical vote.
18:54:28 <jwb> FESCo is always free to push up to the Board and submit a recommendation at the same time
18:54:32 <notting> <large handwavy idea> if gnome-software (or fedora, via gnome-software) hosts a program where third-party vendors can submit their own repos to be registered in some online registry/app store that's maintained and curated, and fedora tools can call out to search it, that seems more workable. but it involves essentially an ISV program, security contacts, etc. etc.
18:54:59 <mattdm> After the F20 release, we have a lot of Fedora.next to talk about, and I'm entirely happy to include this as part of that.
18:55:22 <jwb> is there something about the F20 release gating you from talking about it now?
18:55:37 <abadger1999> notting: I could be okay with that implementation -- but I think it would be an additional idea separate from deciding on this question.
18:56:08 <mitr> notting: re: security contacts, AFAICT we have a lot of choice in what we promise to deliver. Historically Fedora has been a "one stop shop for all your security guarantees" but that's not strictly speaking something we are unavoidably required to do for others
18:56:10 <notting> abadger1999: yes. just trying to describe, since i'm -1 to 1b) as stated, something i could potentially be in favor of that serves that purpose
18:56:12 <mattdm> jwb business?
18:56:14 <abadger1999> <nod>
18:56:19 <mattdm> busyness I mean :)
18:56:33 <mattdm> I mean, not just me, but everyone.
18:56:54 * mattdm is counting votes
18:57:42 * jwb doesn't think people will be less busy after the F20 release, but ok
18:59:25 <mattdm> notting, were you +1 to 1a?
18:59:56 <notting> mattdm: yes
19:00:44 <mattdm> mitr are you 0 on both?
19:01:01 <mitr> mattdm: 0 "please ask the board", yes. I would vote if this were a +4/-4 situation
19:02:34 <abadger1999> mattdm: I'll vote +0 on 1b as well to make your numbers come out
19:02:38 <mattdm> that leaves us at +8/_/1 for 1a) and +3/-4/2 for 1b)
19:03:33 <pjones> which would seem to mean 1a passes and 1b does not
19:03:40 <mattdm> yep.
19:04:12 <jwb> and should someone disagree with this, they can escalate to the Board? or is FESCo sending this to the Board as a recommendation?
19:04:59 <abadger1999> I think we should send 1b to the Board w/ a recommendation.
19:04:59 <notting> jwb: sure!
19:05:04 <sgallagh> abadger1999: +1
19:05:04 <mattdm> jwb, I think we're saying it, and the board would be the natural escalation point.
19:05:10 <abadger1999> I like mattdm's statement of the problem.
19:05:39 * mattdm is trying to write this up in agreed form but keeps getting distracted. :)
19:05:43 <jwb> mattdm, so the ruling is official unless the board disagrees? i'm asking for clarification
19:05:55 <abadger1999> well... okay -- I'm not sure if we can agree on a recommendation as well -- but i think that mattdm's phrasing of the problem is what we want to send to the Board.
19:06:09 <jwb> apparently i'm not the only one that needs clarification
19:06:13 <abadger1999> jwb: Yes, I think that would be accurate.
19:06:24 <mattdm> okay yes let's have some clarification :)
19:06:27 <notting> jwb: aren't all fesco rulings official until the board disagrees?
19:06:38 <jwb> notting, except the ones FESCo punts
19:06:43 <jwb> notting, which is at times, unclear
19:07:10 <jwb> so i'm asking if this is a ruling or recommendation i guess
19:07:36 <mattdm> how about we do it this way -- we'll assume the "0" votes are basically "punt"
19:07:38 <abadger1999> I think I'd say status quo is that no non-free repos are pointed to and we have not changed that.
19:07:56 <mattdm> does anyone want to change their + or - vote to a 0?
19:08:53 <mitr> mattdm: I don't think that will get us to 5 votes for any of the alternatives
19:09:19 <mattdm> mitr yeah but you don't need 5 votes to not pass :)
19:09:54 <mitr> mattdm: => adopting this procedure implies being silent on the issue, doesn't it?
19:10:03 <mattdm> I'm going to do an agreed for the first part.
19:11:38 <mattdm> #agreed FESCo is okay with pointing to legally-permitted free software repositories (+8/-0/1)
19:11:45 <mattdm> (is that correct?)
19:12:12 <jwb> might want to clarify they need to be approved by Fedora Legal
19:12:34 <jwb> so we don't get arm-chair lawyers declaring something legally permissible
19:12:36 <mattdm> #undo
19:12:36 <zodbot> Removing item from minutes: <MeetBot.items.Agreed object at 0xfb64fd0>
19:12:50 <mattdm> #agreed FESCo is okay with pointing to free software repositories approved by Fedora Legal (+8/-0/1)
19:13:22 <abadger1999> mattdm: Also -- "in the same way as copr repos"
19:13:30 <mattdm> sure
19:13:32 <mattdm> #undo
19:13:32 <zodbot> Removing item from minutes: <MeetBot.items.Agreed object at 0x1065fb50>
19:13:53 <mattdm> #agreed FESCo is okay with pointing to free software repositories approved by Fedora Legal in the same way as COPR repos (+8/-0/1)
19:14:39 <mattdm> for the second part, since we didn't have enough votes for a clear statement either way, maybe vote on a statement to send to the board?
19:15:13 <notting> i'd be ok with a simpler "No. If you think policy should change here, talk to the board."
19:15:18 <notting> but that may not pass either
19:15:26 <pjones> I'd be for that.
19:16:25 <t8m> I'd be as well
19:16:27 <mattdm> okay in order to get things moving let's vote on that.
19:16:32 <abadger1999> notting: I'd be okay with that -- and then we could be CC'd to the Board ticket/discussion to clarify what we would like addressed at the Board level (if it goes there)
19:16:38 <mattdm> +1
19:16:44 <abadger1999> +1
19:16:48 * nirik is also ok with that.
19:17:37 <notting> that's 6?
19:17:59 <mattdm> wording: For non-free software repositories, FESCo is not changing existing policy. If you think the policy should change, talk to the board.
19:18:05 <mattdm> any other votes?
19:18:12 <sgallagh> +1
19:18:16 <pjones> +1
19:18:28 <pjones> (though notting already counted me in his six)
19:18:37 <mmaslano> +1
19:18:43 <mitr> +1
19:18:52 <t8m> +1 for clarification
19:18:58 * notting was implying +1 for himself
19:19:06 <mattdm> #agreed For non-free software repositories, FESCo is not changing existing policy. If you think the policy should change, talk to the board. (+9,-0,0)
19:19:14 <mattdm> lookit all that agreement
19:19:37 <jwb> thank you all for your time and consideration. this ticket has been rather involved.
19:19:47 <mattdm> there are some further subquestions too....
19:20:01 <mattdm> I think this has sort of decided some of them implicitly
19:20:27 <jwb> it has
19:20:27 <pjones> I think at this point if there are subquestions, maybe they should be rephrased with our decisions today in mind.
19:20:39 <pjones> And if somebody wants to do that, then we'll consider them.
19:20:58 <jwb> yeah, i consider the two decisions here basically covering the other 2 subquestions. partially because i rephrased the original question
19:21:01 <mattdm> Yeah okay unless anyone objects I'm going to info that and move on.
19:21:07 <sgallagh> mattdm: Please do
19:21:10 <abadger1999> The subquestions are: can non-legal reasons be used to evaluate other third party repositories?
19:21:19 <abadger1999> Who does the evaluation?
19:21:30 <abadger1999> I kinda object...
19:21:38 <mattdm> okay holding off.
19:21:46 <abadger1999> I don't think we've got a firm policy until those are answered.
19:22:14 <mattdm> I think the answers are 1) Yes. and 2) FESCo, or working group as delegated by FESCo.
19:22:23 <notting> mattdm: i'm +1 to that
19:22:29 <jwb> i think the answers are Yes and Fedora Legal
19:22:29 <abadger1999> 1) +1
19:22:47 <jwb> there were no qualifications given on 1a other than "approved by Legal"
19:22:47 <abadger1999> 2) Fesco and Fedora Legal.
19:23:09 <jwb> if you want to make this simple, say FESCo and Fedora legal to 1a
19:23:31 <abadger1999> Well, I did write: +1 to (1a). I'll push for limiting it in answering (2).
19:23:50 <jwb> which is backwards
19:23:58 <jwb> because now you have to change your answer to 1a
19:24:11 <mattdm> jwb abadger1999 ooh. I see the ambiguity now. :)
19:24:26 <abadger1999> jwb: well, not really -- 1a was "Do we wish to allow other repos of free software"
19:24:31 <jwb> seriously, make this simple for yourselves. revote that the qualifications on 1a are "approved by FESCo and Fedora Legal"
19:24:42 <abadger1999> this is answering the question of "which repos of free software"
19:25:13 * nirik is +1 with jwb.
19:25:45 <notting> jwb: +1
19:25:56 <abadger1999> Proposal: Repos must be approved by FESCo and Fedora Legal. Currently, FESCo and Fedora Legal are not limited in the criteria that they can choose to apply.
19:26:00 <mattdm> I'm good with either because I think the end result is the same. this will make the meeting minutes confusing though :)
19:26:26 <sgallagh> abadger1999: I don't really see this as different from what we said earlier, but ok. +1
19:26:36 <jwb> mattdm, the minutes are less important than the actual decisions (that should be) documented on the wiki
19:26:53 <jwb> sgallagh, earlier you just said Legal had to approve. not even brought to fesco
19:26:59 <mattdm> jwb agreed
19:27:04 <notting> abadger1999: reasonable. +1
19:27:10 <abadger1999> sgallagh: well... I guess it could just be a clarification... the thing is that many times when we say "Fedora Legal" we mean "is it legal?" and in this case I want to be clear that we mean more than that.
19:27:11 <mmaslano> +1
19:27:12 <t8m> I don't really see the need for FESCo approval
19:27:34 <t8m> If anything problematic appears we can explicitly reject it
19:27:43 <t8m> so +0
19:28:00 <abadger1999> t8m: I could be okay with that too. Whichever will get the voting done with least objections.
19:28:19 <mattdm> +1 to any of these too
19:28:31 <mattdm> I'm seeing +4 for abadger1999's proposal
19:28:44 <pjones> I kind of hate this
19:28:51 <jwb> t8m, the difference is you have to discover the problematic thing after the fact. good luck
19:28:53 <pjones> because it's going to wind up being just like naming
19:29:18 <nirik> +1 abadger1999 or jwb or whoever, I think we all agree? :)
19:29:23 <mattdm> I'm hoping it will be more like the change process than like naming.
19:29:28 <mitr>
19:29:29 <pjones> And also - so say legal approves a repo?
19:29:32 <pjones> what does that mean?
19:29:55 <jwb> it means software can then search it for applications, and prompt users they're installing from a 3rd party repo
19:29:56 <pjones> can they not change what's in it without legal approving again, or is this like package reviews where once it's reviewed nobody sees you mess it up?
19:30:12 <mattdm> pjones It will mean the most terse possible statement they can come up with.
19:30:20 <jwb> pjones, arguably up to Legal.
19:30:27 <pjones> mattdm: kind of ignoring the problem.
19:30:35 <abadger1999> Revised 1a (with proposal and t8m's feedback): FESCo is okay with pointing to free software repositories in the same way as COPR repos if they are approved by Fedora Legal. Fedora Legal is not limited in the criteria that it can choose to apply.
19:30:47 <pjones> "Legal must approve" isn't a great way to work with legal, tbh. what are we asking them?
19:30:51 <abadger1999> pjones: I'd say that legal can choose to remove approval in this case.
19:30:51 <jwb> pjones, i would think Legal takes that under consideration when doing the initial review
19:31:02 <abadger1999> pjones: the reason is that Legal is signing up for ongoing work.
19:31:11 <nirik> I think 'rechecking' was specifically mentioned in the ticket.
19:31:19 <pjones> abadger1999: so you're asking them to periodically revisit it? or just hoping FL will do so for fun?
19:31:19 <t8m> abadger1999, +1
19:31:31 <abadger1999> pjones: Since they have to continue to audit the repo periodically, they should have the right to say, this is too much work.
19:31:52 <abadger1999> pjones: I'm not asking them to do that -- spot's answers in the ticket are that fedora Legal is Legally obligated to do that.
19:32:06 <pjones> abadger1999: I don't think that's specified in the proposal here.
19:32:19 <nirik> "review every third-party repo (and rereview them regularly)"
19:32:22 <mattdm> right, what abadger1999 -- this is part of the "not limited in criteria". if they want to say "we don't have the resources for the required audits" that's a valid answer.
19:33:15 <abadger1999> pjones: Do you think the power is not specified or the obligation?
19:33:47 <pjones> abadger1999: I think what we're looking for here is a /process/ for maintaining these things going forward and what we've got isn't it.
19:34:39 <notting> surely there are non-legal reasons to not link to a repo? that's why i would say fesco & legal, not just legal. unless legal wants to also arbitrate non-legal aspects
19:35:04 <abadger1999> pjones: <nod> -- I can sort of agree with that. it's why I stopped us from going on without answering the subquestions.
19:35:51 <pjones> abadger1999: so in a way, I don't know that it's useful to "clarify" so much as to say that there needs to be a process and this decision doesn't counteract that need.
19:36:16 <abadger1999> notting: In the rephrased proposal, Legal would also get to decide on non-legal aspects. (and as t8m said, fesco would also be able to step in after the fact to further say no)... but leaving fesco out was only for t8m... so if you're on the other side of the fence, we can put fesco back in.
19:37:34 <abadger1999> pjones: okay -- so that would leave us with -- fesco has decided in theory that 3rd party repos of free software may be pointed to but we need more process about approving and maintaining those repos before we can implement it in practice.
19:38:16 <jwb> does it need to be more complicated than opening a ticket for fesco and legal to evaluate?
19:38:22 <jwb> because damn.
19:38:59 <jwb> (again, assuming you make it simple on yourselves and reword 1a)
19:38:59 <pjones> jwb: since that's what people have just told me it really isn't, then yes, I would imagine it needs to be something other than that.
19:39:11 <jwb> i don't see where anyone said that
19:39:49 <pjones> well, okay.
19:40:25 <notting> i would suggest abadger1999's proposal with s/Fedora Legal/FESCo and Fedora Legal/
19:40:59 <mattdm> okay.... soooooooo. Can someone quick repropose that and then do a quick vote?
19:41:16 <mattdm> And then if that doesn't pass we will continue discussion.
19:42:02 * abadger1999 does so
19:42:08 <notting> Revised 1a (with proposal and t8m's feedback): FESCo is okay with pointing to free software repositories in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply.
19:42:15 <mattdm> +1
19:42:32 <nirik> sure, +1
19:42:41 <abadger1999> +1
19:43:15 <sgallagh> +1
19:43:18 <notting> (i'm +1, obvs.)
19:43:20 <pjones> I'm not so much against this language as I just don't think it actually solves anything.
19:43:25 <mmaslano> +1
19:43:27 <abadger1999> pjones we could add clarification that approval can be revoked as well as granted.... but I'm not sure if that solves your problem or not.
19:43:42 <t8m> +1
19:44:18 * pjones +0
19:44:49 <mattdm> #agreed Revised 1a (with proposal and t8m's feedback): FESCo is okay with pointing to free software repositories in the same way as COPR repos if they are approved by FESCo and Fedora Legal. They are not limited in the criteria that they can choose to apply. (+7,-0,1)
19:45:04 <mattdm> can amend that if mitr wants to vote but i think we're good enough.
19:45:26 <mattdm> I think we've spent enough on this one for now -- further discussion to ticket and list if necessary?
19:45:35 <t8m> mattdm, +1
19:45:36 <abadger1999> wfm.
19:45:55 <mattdm> #info further discussion to ticket and lists if necessary
19:46:04 <mitr> mattdm: move on, I don't care to nitpick the above
19:46:09 <jwb> mattdm, afaik, the ticket can be closed now
19:46:22 * mattdm will close ticket
19:46:27 <mattdm> #topic #1211 F21 System Wide Change: Headless Java
19:46:42 <mattdm> .fesco 1211
19:46:43 <zodbot> mattdm: #1211 (F21 System Wide Change: Headless Java - https://fedoraproject.org/wiki/Changes/HeadlessJava) – FESCo - https://fedorahosted.org/fesco/ticket/1211
19:46:47 <mattdm> https://fedoraproject.org/wiki/Changes/HeadlessJava
19:47:41 <mattdm> This looks great to me.
19:47:47 <sgallagh> Is there any controversy here (beyond packagers complaining that they'll need to change their BuildRequires)?
19:47:48 <mitr> So if I understand correctly, the final proposal is to ask maintainers to fix their packages but for the change owners to provide a backstop...
19:47:57 <mitr> +1
19:47:59 <t8m> +1
19:48:19 <notting> +1
19:48:27 <mitr> sgallagh: I'm not sure that "how do I know that my package is headless" has been really strictly defined but there is a way to find out
19:48:45 <abadger1999> sgallagh: I don't think that the Change specifies that packagers must change their BRs?
19:48:49 <sgallagh> mitr: If you can't answer that question, should you be packaging it?
19:48:54 <mmaslano> +1
19:48:57 <sgallagh> Sorry, not BRs
19:49:15 <mitr> sgallagh: rather, if we can't answer that question, should we have a guideline about that depends on answering it?
19:50:06 <sgallagh> mitr: Given that the worst-case solution is to just use the heavyweight Requires, I don't think it's much of an issue
19:50:14 <sgallagh> I'm +1 on this Change
19:50:20 <mitr> sgallagh: right
19:50:23 <abadger1999> sgallagh: I don't think they require packagers to change their Requires either... if I understand the results of the thread, it's that switching to -headless will be best effort.
19:50:36 <mitr> (https://fedoraproject.org/wiki/User:Akurtakov/JavaPackagingDraftUpdate says "needs sound or graphical server connection" FWIW)
19:50:42 <nirik> I guess I am +1, it seems like there should be a better way to know... yeah.
19:50:58 <mattdm> I'm +1 too ... so that's +7. do we want to ask for any particular clarifications or updates to the proposal
19:51:00 <mattdm> ?
19:51:19 <mitr> Proposal, for completeness: Please update the Change page to be consistent with comment#2 in the ticket
19:51:51 <mattdm> sure.
19:51:56 <abadger1999> Just to be sure to get the Packaging guidelines to the FPC soon.
19:52:00 <sgallagh> mitr: +1
19:52:13 <abadger1999> And let them know in the ticket that this Change depends on it.
19:52:26 * mattdm doesn't think the for-completeness comment needs a formal vote
19:52:27 <abadger1999> +1
19:52:49 <t8m> mitr, +1
19:53:00 <abadger1999> (that was a +1 to the Change from me)
19:53:18 <mattdm> #agreed Headless Java system wide change is approved. Please update the change page to be consistent with comment#2 in the ticket and get updated packaging guidelines to FPC soon. (+8,0,0)
19:53:37 <mattdm> and.....
19:53:41 <mattdm> #topic Next week's chair
19:54:21 <mattdm> annnnyone?
19:54:30 <mattdm> will everyone be around?
19:54:47 <mattdm> has everyone all already left?
19:54:59 <sgallagh> I'll be around next week. I expect not to be around the week after (or after that)
19:55:12 <sgallagh> Unless we want to shift the January 1 meeting to another day
19:55:17 <abadger1999> I'll chair next week.
19:55:20 * mattdm assumes we are not meeting on christmas.
19:55:25 <notting> i'll be around next week, but not the two after that
19:55:27 <mattdm> #info abadger1999 to chair next week.
19:55:29 <abadger1999> I won't be around jan 2 either.
19:55:44 <mattdm> #info we're going to skip the next two meetings after next week due to the holidays
19:55:57 <mattdm> Unless anyone objects :)
19:56:08 <mattdm> #topic Open Floor
19:56:31 <sgallagh> Can we re-institute the 15 minute vote-to-continue policy?
19:57:11 <mattdm> sgallagh +1 yes that would be good.
19:57:13 <abadger1999> -1
19:57:23 <notting> did we drop it, or just forget it?
19:57:35 <mitr> That policy is in theory still in force, but chairs acting on it have in practice been mostly ignored AFAICT
19:57:45 <abadger1999> heh.
19:57:51 <mitr> (ref: https://fedoraproject.org/wiki/FESCo_meeting_process )
19:57:59 <abadger1999> Then I suppose voting doesn't mean anything.
19:58:11 <mitr> abadger1999: no, the _vote_ didn't even happen
19:58:30 <abadger1999> maybe instead -- if someone other than the chair notices just note it in the meeting so the chair can call for a vote to continue
19:58:37 <sgallagh> I've called for it occasionally when chairing and the other members generally ignore the call to vote
19:58:56 <nirik> I'd prefer to just drop it personally...
19:59:03 <pjones> I think that's basically fine, though - if there's something contentious enough we'll want to vote, if there's not we won't.
19:59:11 <mitr> My annoying self would propose that proposals delivered to FESCo 1 day in advance need a +5, proposals made later (including during the meeting) need a +7; this is to motivate ongoing discussion instead of figuring things out at the meeting
19:59:12 <t8m> mattdm, Can I chair on Jan 8th meeting? I was not chairing for a long time and I am always too late to get it in the next week chair call
19:59:33 <mattdm> I don't think anyone will object t8m
19:59:42 <pjones> mitr: tbh I'd prefer we just not discuss things that aren't in the agenda unless there's some real exigence.
19:59:45 <mattdm> #info t8m to chair january 8th meeting
19:59:52 <pjones> mitr: otherwise the interested parties have a hard time showing up.
20:00:05 <mattdm> pjones yes that makes sense.
20:00:07 <mitr> pjones: "being in the agenda" is not really the issue
20:00:22 <sgallagh> We spent over an hour on an agenda item this week
20:00:24 <mattdm> Also I would like to suggest a 3pm hard stop for the meeting. two hours is plenty.
20:00:32 <mattdm> oh look at the time!
20:00:36 <mitr> (FWIW I'm not always in agreement with my annoying self :) )
20:00:38 * notting has a 3pm he has to wander off to anyway
20:00:45 * mattdm motions to adjourn
20:00:58 <t8m> mattdm, +1
20:01:00 <sgallagh> seconded
20:01:01 <abadger1999> mattdm: hey, three more hours to go today! ;-)
20:01:12 * abadger1999 plays with timezones some more
20:01:24 <pjones> abadger1999: you clearly don't have any meetings that regularly go to 6:30pm.
20:01:35 <mattdm> #endmeeting