16:00:33 <maxamillion> #startmeeting FESCO (2016-10-21) 16:00:33 <zodbot> Meeting started Fri Oct 21 16:00:33 2016 UTC. The chair is maxamillion. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:33 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 16:00:33 <zodbot> The meeting name has been set to 'fesco_(2016-10-21)' 16:00:34 <maxamillion> #meetingname fesco 16:00:34 <zodbot> The meeting name has been set to 'fesco' 16:00:34 <maxamillion> #chair maxamillion dgilmore jwb nirik paragan jsmith kalev sgallagh Rathann 16:00:34 <zodbot> Current chairs: Rathann dgilmore jsmith jwb kalev maxamillion nirik paragan sgallagh 16:00:37 <maxamillion> #topic init process 16:00:56 <dgilmore> hola 16:00:59 <nirik> morning 16:01:01 <jsmith> .hello jsmith 16:01:02 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com> 16:01:08 <maxamillion> .hello maxamillion 16:01:09 <zodbot> maxamillion: maxamillion 'Adam Miller' <maxamillion@gmail.com> 16:01:15 <paragan> .hello pnemade 16:01:16 <zodbot> paragan: pnemade 'Parag Nemade' <pnemade@redhat.com> 16:01:30 <kalev> .hello kalev 16:01:31 <zodbot> kalev: kalev 'Kalev Lember' <klember@redhat.com> 16:01:32 <mhroncok> .hello churchyard 16:01:34 <zodbot> mhroncok: churchyard 'Miro Hrončok' <mhroncok@redhat.com> 16:01:39 <cstratak> .hello cstratak 16:01:40 <zodbot> cstratak: cstratak 'None' <cstratak@redhat.com> 16:02:13 <maxamillion> the agenda is pretty short for today (sorry again for getting it out so late, completely slipped my mind) 16:02:15 <jwb> hi 16:02:54 <maxamillion> alirght, let's get rolling 16:03:02 <sgallagh> .hello sgallagh 16:03:03 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com> 16:03:04 <maxamillion> #topic Follow Up Business 16:03:07 <maxamillion> #topic #1634 EOL and vulnerable software 16:03:08 <maxamillion> .fesco 1634 16:03:08 <maxamillion> https://pagure.io/fesco/issue/1634 16:03:09 <zodbot> maxamillion: Issue #1634: EOL and vulnerable software - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1634 16:04:07 <maxamillion> this didn't really get anywhere last week, wasn't sure if we wanted to discuss more here or defer again? maybe bring it to a wider audience? $other (I'll admit I'm behind on devel list so if it went there, apologies but I didn't see any updates to the ticket) 16:04:30 <mhroncok> no e-mail since last week 16:04:31 <jsmith> I haven't seen any further discussion 16:04:34 <mhroncok> AFAIK 16:05:05 <jwb> nope 16:05:11 * dgilmore feels if there is a need for such software there should be enough to make sure it is supported 16:05:43 <maxamillion> alright, any proposals for a vote? 16:07:18 <paragan> do we need fesco ticket for every such EOL software package entering into Fedora? 16:07:26 <paragan> I don't think so we need it 16:07:34 <dgilmore> paragan: I do not think so 16:08:18 <dgilmore> paragan: in the case of the python stack that caused this ticket to be filed, Red Hat is uspporting the python internally, we can make sure to keep the version in Fedora in lockstep with RHELs 16:08:35 <dgilmore> then people can test and develop coded against the same python they will use in production 16:08:36 <maxamillion> I do think it's a case by case basis thing 16:08:41 <sgallagh> Do we want to make that a policy? 16:09:21 <sgallagh> I guess there's no way we could really enforce such a thing, though 16:09:41 <dgilmore> proposal. if there is a compelling use case to have eol software it would mean that its being supported elsewhere, in which case we should be sure to work with the lesewhere to get fixes into fedora 16:09:48 <dgilmore> sgallagh: not simply 16:10:00 <maxamillion> because if people were to show up and want various versions of some scheme or lisp dialect available, given those language ecosystem's comparative popularity and vested interest from groups involved in Fedora, I think it would merit a discussion about support in the long term 16:10:01 <nirik> well, EOL is probibly not well defined... 16:10:07 <sgallagh> dgilmore: I like that phrasing 16:10:09 <maxamillion> (just as an example) 16:10:13 <maxamillion> nirik: +1 16:10:43 <dgilmore> nirik: sure unsupported upstream? 16:10:45 <sgallagh> I guess maybe we should make the distinction between "EOL by upstream" vs "Maintained by a downstream" 16:10:59 <nirik> explicitly? 16:11:19 <nirik> because a project that hasn't released anything in years might well be not supporting it anymore, but we don't know 16:11:30 <dgilmore> proposal. if there is a compelling use case to have unsupported by upstream software it would mean that its being supported elsewhere, in which case we should be sure to work with the elsewhere to get fixes into fedora 16:11:39 <nirik> (and we have many cases of those kinds of packages in fedora) 16:11:55 <sgallagh> nirik: I guess what I'm saying is this: "Software may only be included in Fedora if someone, somewhere states they are maintaining ig" 16:11:56 <sgallagh> *it 16:12:12 <sgallagh> This might be Red Hat, Joyent, Sal's Pizza Parlor... 16:12:14 <nirik> ok, could that someone be the fedora maintainer(s)? 16:12:20 <cstratak> dgilmore, while this might work for python I don't think it applied for the vast majority of EOL packages that are currently included in Fedora 16:12:20 <jsmith> (With no solid definition of "maintaining") 16:12:22 <sgallagh> But a statement needs to exist. 16:12:32 <sgallagh> nirik: I'm fine with that, as long as the explicit statement is made 16:12:51 <maxamillion> cstratak: is there a list of EOl packages in fedora that dgilmore's proposal wouldn't apply to? 16:13:26 <cstratak> maxamillion, packages that are only maintained or "exist" in Fedora. Upstream is dead and they are not packaged somewhere else. 16:14:04 <dgilmore> cstratak: perhaps, but to date the people maintaining it have commited to do so. the difference with python is that tehy said they would not, which I think is wrong given that there is ongoing work elsewhere to upstream. and many of the others may be getting security fixes in Debian or other distros 16:14:14 * mhroncok have seen plenty of those when porting stuff to python 3, but does not have an explicit list 16:14:22 <dgilmore> in which case the debian and fedora maintainer should work together :D 16:14:33 <sgallagh> cstratak: Honestly, there's no way to detect that. We have to trust our maintainers and the non-responsive maintainer policy to step in there. 16:14:56 <maxamillion> sgallagh: +1 16:15:08 <cstratak> dgilmore, ehm I believe it has been explained numerous time that we are going to maintain the packages? 16:15:30 <mhroncok> the main idea behinf that "no security fixes" thing in pythonXZ packages was to wanr users 16:15:30 * nirik is fine with this specific case with the pythons getting security/other updates from rhel, but I am not sure how to generalize some generic answer here. 16:15:35 <dgilmore> cstratak: I left where the maintaince was happing necessarily broad to include anywhere else that is maintaing the same software 16:15:48 <mhroncok> so that they should not use those in production 16:16:06 <dgilmore> cstratak: thats not what was in the spec last I looked 16:16:22 <mhroncok> if we say those packages are in sync with RHEL, everybody will try to use them in production 16:16:23 * dgilmore is still catching uip on many things after fudcon though 16:16:40 <jsmith> nirik: +1 16:16:43 <dgilmore> mhroncok: and it may not be RHEL that we keep in sync with 16:17:20 <mhroncok> we intedned to maintain those packaages, if somebody opens a bug in bugzilla or asks us to fix this or that 16:17:38 <mhroncok> we didnẗ plan to fix CVE's automatically within minutes 16:17:47 <nirik> %description 16:17:47 <nirik> Python 3.5 package for developers. 16:17:48 <nirik> No security fixes will be applied. 16:17:53 <dgilmore> Python %{pybasever} package for developers. 16:18:09 <dgilmore> thats the big button 16:18:09 <mhroncok> yes, ans as was discussed on devel ML, this was unfortunate 16:18:20 <mhroncok> and we are willing to change that wording after this discussion 16:18:58 <dgilmore> mhroncok: debian, or gentoo ,or other distros may be doing security work if Red Hat is not 16:19:02 <cstratak> also just some extra info, me and mhroncok are also maintaining the RHEL equivalents stacks so it's not really a question if we want to maintain the packages or not, this has already been established by the ongoing discussions at the tickets and ML 16:19:24 <dgilmore> if we are the only ones looking at some old piece of software, then I think it is fair to say we probably should not do it 16:20:03 <mhroncok> well I have such packages already, where noone is looking at them 16:20:10 <kalev> sorry, I had to step away for a bit -- I think it's probably fine to have packages in fedora that are EOL upstream, as long as there is someone committed to supporting them here downstream (the maintainer) 16:20:18 <mhroncok> upstream is dead and I make sure that if a Fedora bug is filled, I fix it 16:20:18 <kalev> I think the whole controversy here stemmed from the fact that the packages stated that they won't get security updates 16:20:23 <dgilmore> proposal. if there is a compelling use case to have eol software it would mean that its being supported by other downstreams, in which case we should be sure to work with the other downstreams to get fixes into fedora 16:20:24 <kalev> which is just against fedora's existing practices 16:20:28 <kalev> if we have that, I think it should be fine to ship the python packages 16:20:45 <dgilmore> kalev: exactly 16:20:49 <maxamillion> kalev: +1 16:20:56 * nirik nods. 16:21:04 <dgilmore> gahh 16:21:19 <dgilmore> proposal. if there is a compelling use case to have unsupported upstream software it would mean that its being supported by other downstreams, in which case we should be sure to work with the other downstreams to get fixes into fedora 16:21:54 <paragan> here fixes mean security fixes as well right? 16:22:03 <dgilmore> mhroncok: cstratak: if you had not put in "No security fixes will be applied." no one would have batted an eyelid 16:22:08 <dgilmore> paragan: yes 16:22:15 <mhroncok> I know that now :D 16:22:35 <nirik> It's this a more general case of "Packages in the fedora collection must be supported. If not upstream, but the fedora maintainer(s)"/ 16:22:36 <nirik> ? 16:22:43 <dgilmore> nirik: sure 16:23:19 <mhroncok> would "Securty fixes might not be applied as fast as on the regural python packages" be better? 16:23:30 <nirik> so perhaps we could just add that to https://fedoraproject.org/wiki/Package_maintainer_responsibilities ? or call it out better? 16:23:39 <dgilmore> nirik: indeed 16:24:39 <sgallagh> At the end of the day, all package maintenance in Fedora is voluntary. Sometimes it's subsidized by a company like Red Hat, but we've never given anyone promises about the speed at which we release updates. 16:24:52 <maxamillion> sgallagh: +1 16:24:58 <nirik> I could try and draft up a change there.... but I also won't be here next week. 16:24:58 <mhroncok> that's right 16:25:17 <maxamillion> there's no SLA on speed at which fixes/updates happen 16:25:22 <mhroncok> but we'd still like to indicate somehow that it si not a good idea to use pythonXY package in production 16:26:41 <nirik> I'd just be more verbose there and explain things... "These packages exist to allow fedora developers to test against RHEL or other long term downstream supported pythons. They are not a full python stack and if you wish to run your applications with them, see RHEL/CentOS/UbuntuLTS" 16:27:05 * kalev nods. +1 16:27:18 <mhroncok> nirik: thanks, I'll put somehting like that in %description 16:27:39 <cstratak> nirik, +1 16:27:44 <maxamillion> +1 16:28:14 <nirik> of course we can't force people to use a package a particular way, but we can suggest/point them... 16:28:29 <dgilmore> nirik: +1 16:28:38 <dgilmore> so can we wrap this up? 16:29:13 <dgilmore> seems we maybe want to make some changes in the packager responsibilities page to make things clearer 16:29:14 <maxamillion> I think so, yes 16:29:15 <nirik> how about we approve these and I draft a change for maintainer reposnsibilities... ? 16:29:23 <maxamillion> nirik: +1 16:29:24 <nirik> (these being pythonXY) 16:29:27 <jwb> nirik: +1 16:29:38 <dgilmore> and mhroncok and cstratak will update the text that caused all the noise 16:29:47 <mhroncok> sure, I'll do it ASAp 16:29:51 <dgilmore> nirik: sure 16:30:23 <dgilmore> #action nirik to draft up a change for maintainer reposnsibilities 16:30:29 <jsmith> nirik: +1 16:30:57 <dgilmore> #proposal accept pythonXY with wording changes in the description 16:31:08 <sgallagh> dgilmore: +1 16:31:09 <dgilmore> I am +1 16:31:12 <maxamillion> dgilmore: +1 16:31:16 <paragan> dgilmore, +1 16:31:40 <nirik> +1 16:32:14 <kalev> +1 16:32:31 <dgilmore> maxamillion: I will let you wrap it up 16:32:47 <maxamillion> jwb: jsmith: ? 16:32:55 <jwb> didn't we just vote on this? 16:33:04 <jwb> +1 16:33:19 <dgilmore> jwb: it was not a formal proposal 16:33:57 <maxamillion> I see jsmith +1'd nirik 16:34:07 <maxamillion> alright 16:34:08 <maxamillion> #agreed - accept pythonXY with wording changes in the description (+1: 7, +0: 0, -1: 0) 16:34:23 <maxamillion> #topic New Business 16:34:25 <maxamillion> #topic #1635 F26 Self Contained Changes 16:34:26 <maxamillion> .fesco 1635 16:34:26 <maxamillion> https://pagure.io/fesco/issue/1635 16:34:27 <zodbot> maxamillion: Issue #1635: F26 Self Contained Changes - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1635 16:34:34 <mhroncok> thanks all 16:35:22 <maxamillion> new ones looks like Odoo and PHP 7.1 16:36:13 <nirik> +1 to both I guess. Odoo makes me want to revisit what a Change is tho... 16:36:22 <dgilmore> what nirik said 16:36:34 <maxamillion> yeah 16:36:37 <maxamillion> I think that's fair 16:36:43 <maxamillion> +1 to both for me as well 16:36:50 <sgallagh> I'm +1 to PHP but -1 on Odoo 16:36:54 <jwb> Odoo is not a Change 16:37:09 <sgallagh> In the sense that I don't have a problem with its inclusion, but it's not a Change 16:37:31 * kalev concurs. 16:37:57 <jsmith> +1 16:38:21 <paragan> +1 to PHP, -1 to Odoo as I don't think it qualifies a Change 16:38:26 <nirik> ha, it's open core too... ick 16:38:37 <maxamillion> Proposal: FESCo advises that Odoo not be listed as a Change, but the maintainer is free to add Odoo to the repositories 16:38:50 <jwb> +1 16:38:51 <kalev> +1 16:38:52 <maxamillion> +1 16:38:53 <paragan> +1 16:39:01 <nirik> +1 16:39:15 <dgilmore> +1 16:39:34 <maxamillion> jsmith: ? 16:39:37 <jsmith> +1 16:39:40 <maxamillion> #agreed - FESCO adavises that Odoo not be listed as a Change, but the maintainer is free to add Odoo to the repositories (+1: 7, +0: 0, -1: 0) 16:39:43 <jsmith> (Sorry, having network issues at the moment) 16:39:47 <maxamillion> jsmith: :( 16:40:05 <maxamillion> and now for posterity/clarity 16:40:05 <maxamillion> Proposal: Approve the PHP 7.1 self contained changed 16:40:16 <maxamillion> +1 16:40:23 <paragan> +1 16:40:33 <nirik> +1 16:41:00 <kalev> +1 16:41:03 <jwb> +1 16:41:21 <jsmith> +1 16:41:39 <maxamillion> dgilmore: ? 16:44:03 <maxamillion> meh, we have the votes 16:44:10 <maxamillion> #agreed - Approve the PHP 7.1 self contained Change (+1: 6, +0: 0, -1: 0) 16:44:18 <maxamillion> #topic Next week's chair 16:44:39 <maxamillion> who's up next week? 16:44:41 <nirik> I will not be here next week. Will try and vote in tickets if I can... 16:44:51 <jwb> doubtful i will be here 16:45:11 * paragan also will not be here for next week 16:45:18 <kalev> could maybe cancel it next week then? 16:45:31 <jwb> i will be at LPC the week after as well 16:45:37 <jwb> which is unfortunate, but unavoidable 16:46:23 <maxamillion> I'll not be here on Friday Nov 4th (Friday after next) but will be around next week 16:47:36 <paragan> I will also not be here on Nov 4th, as I will be attending FUDCon APAC 16:47:40 <maxamillion> so we're -2 members for next week, we should still have enough folks to host a meeting unless others are going to be gone that I'm not aware of 16:48:37 <sgallagh> I'll take it if no one else is willing 16:48:56 <jsmith> I can take it 16:49:10 <sgallagh> /me defers to jsmith 16:49:14 <jsmith> I'll be at All Things Open in Raleigh, but would be happy to still join and run the meeting 16:49:42 <maxamillion> #info jsmith to chair 2016-10-28 16:49:49 <maxamillion> #topic Open Floor 16:52:23 <maxamillion> I'll give it another couple minutes and we'll wrap up 16:53:03 * dgilmore has nothing, sorry got distracted trying to finalise a patch 16:53:31 <maxamillion> dgilmore: no worries, we had enough folks present to have the votes for a decision 16:53:49 <dgilmore> I had said earlier i was +1 :) 16:54:01 <maxamillion> ah 16:54:08 <maxamillion> alright, let's call it 16:54:11 <maxamillion> have a good one all! 16:54:12 <maxamillion> #endmeeting