16:00:33 <maxamillion> #startmeeting FESCO (2016-10-21)
16:00:33 <zodbot> Meeting started Fri Oct 21 16:00:33 2016 UTC.  The chair is maxamillion. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:33 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:33 <zodbot> The meeting name has been set to 'fesco_(2016-10-21)'
16:00:34 <maxamillion> #meetingname fesco
16:00:34 <zodbot> The meeting name has been set to 'fesco'
16:00:34 <maxamillion> #chair maxamillion dgilmore jwb nirik paragan jsmith kalev sgallagh Rathann
16:00:34 <zodbot> Current chairs: Rathann dgilmore jsmith jwb kalev maxamillion nirik paragan sgallagh
16:00:37 <maxamillion> #topic init process
16:00:56 <dgilmore> hola
16:00:59 <nirik> morning
16:01:01 <jsmith> .hello jsmith
16:01:02 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com>
16:01:08 <maxamillion> .hello maxamillion
16:01:09 <zodbot> maxamillion: maxamillion 'Adam Miller' <maxamillion@gmail.com>
16:01:15 <paragan> .hello pnemade
16:01:16 <zodbot> paragan: pnemade 'Parag Nemade' <pnemade@redhat.com>
16:01:30 <kalev> .hello kalev
16:01:31 <zodbot> kalev: kalev 'Kalev Lember' <klember@redhat.com>
16:01:32 <mhroncok> .hello churchyard
16:01:34 <zodbot> mhroncok: churchyard 'Miro Hrončok' <mhroncok@redhat.com>
16:01:39 <cstratak> .hello cstratak
16:01:40 <zodbot> cstratak: cstratak 'None' <cstratak@redhat.com>
16:02:13 <maxamillion> the agenda is pretty short for today (sorry again for getting it out so late, completely slipped my mind)
16:02:15 <jwb> hi
16:02:54 <maxamillion> alright, let's get rolling
16:03:02 <sgallagh> .hello sgallagh
16:03:03 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
16:03:04 <maxamillion> #topic Follow Up Business
16:03:07 <maxamillion> #topic #1634 EOL and vulnerable software
16:03:08 <maxamillion> .fesco 1634
16:03:08 <maxamillion> https://pagure.io/fesco/issue/1634
16:03:09 <zodbot> maxamillion: Issue #1634: EOL and vulnerable software - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1634
16:04:07 <maxamillion> this didn't really get anywhere last week, wasn't sure if we wanted to discuss more here or defer again? maybe bring it to a wider audience? $other (I'll admit I'm behind on devel list so if it went there, apologies but I didn't see any updates to the ticket)
16:04:30 <mhroncok> no e-mail since last week
16:04:31 <jsmith> I haven't seen any further discussion
16:04:34 <mhroncok> AFAIK
16:05:05 <jwb> nope
16:05:11 * dgilmore feels if there is a need for such software there should be enough to make sure it is supported
16:05:43 <maxamillion> alright, any proposals for a vote?
16:07:18 <paragan> do we need fesco ticket for every such EOL software package entering into Fedora?
16:07:26 <paragan> I don't think so we need it
16:07:34 <dgilmore> paragan: I do not think so
16:08:18 <dgilmore> paragan: in the case of the python stack that caused this ticket to be filed, Red Hat is supporting the python internally, we can make sure to keep the version in Fedora in lockstep with RHEL's
16:08:35 <dgilmore> then people can test and develop code against the same python they will use in production
16:08:36 <maxamillion> I do think it's a case by case basis thing
16:08:41 <sgallagh> Do we want to make that a policy?
16:09:21 <sgallagh> I guess there's no way we could really enforce such a thing, though
16:09:41 <dgilmore> proposal. if there is a compelling use case to have eol software it would mean that it's being supported elsewhere, in which case we should be sure to work with the elsewhere to get fixes into fedora
16:09:48 <dgilmore> sgallagh: not simply
16:10:00 <maxamillion> because if people were to show up and want various versions of some scheme or lisp dialect available, given those language ecosystem's comparative popularity and vested interest from groups involved in Fedora, I think it would merit a discussion about support in the long term
16:10:01 <nirik> well, EOL is probably not well defined...
16:10:07 <sgallagh> dgilmore: I like that phrasing
16:10:09 <maxamillion> (just as an example)
16:10:13 <maxamillion> nirik: +1
16:10:43 <dgilmore> nirik: sure unsupported upstream?
16:10:45 <sgallagh> I guess maybe we should make the distinction between "EOL by upstream" vs "Maintained by a downstream"
16:10:59 <nirik> explicitly?
16:11:19 <nirik> because a project that hasn't released anything in years might well be not supporting it anymore, but we don't know
16:11:30 <dgilmore> proposal. if there is a compelling use case to have unsupported by upstream software it would mean that it's being supported elsewhere, in which case we should be sure to work with the elsewhere to get fixes into fedora
16:11:39 <nirik> (and we have many cases of those kinds of packages in fedora)
16:11:55 <sgallagh> nirik: I guess what I'm saying is this: "Software may only be included in Fedora if someone, somewhere states they are maintaining ig"
16:11:56 <sgallagh> *it
16:12:12 <sgallagh> This might be Red Hat, Joyent, Sal's Pizza Parlor...
16:12:14 <nirik> ok, could that someone be the fedora maintainer(s)?
16:12:20 <cstratak> dgilmore, while this might work for python I don't think it applied for the vast majority of EOL packages that are currently included in Fedora
16:12:20 <jsmith> (With no solid definition of  "maintaining")
16:12:22 <sgallagh> But a statement needs to exist.
16:12:32 <sgallagh> nirik: I'm fine with that, as long as the explicit statement is made
16:12:51 <maxamillion> cstratak: is there a list of EOL packages in fedora that dgilmore's proposal wouldn't apply to?
16:13:26 <cstratak> maxamillion, packages that are only maintained or "exist" in Fedora. Upstream is dead and they are not packaged somewhere else.
16:14:04 <dgilmore> cstratak: perhaps, but to date the people maintaining it have committed to do so. the difference with python is that they said they would not, which I think is wrong given that there is ongoing work elsewhere to upstream. and many of the others may be getting security fixes in Debian or other distros
16:14:14 * mhroncok have seen plenty of those when porting stuff to python 3, but does not have an explicit list
16:14:22 <dgilmore> in which case the debian and fedora maintainer should work together :D
16:14:33 <sgallagh> cstratak: Honestly, there's no way to detect that. We have to trust our maintainers and the non-responsive maintainer policy to step in there.
16:14:56 <maxamillion> sgallagh: +1
16:15:08 <cstratak> dgilmore, ehm I believe it has been explained numerous times that we are going to maintain the packages?
16:15:30 <mhroncok> the main idea behind that "no security fixes" thing in pythonXZ packages was to warn users
16:15:30 * nirik is fine with this specific case with the pythons getting security/other updates from rhel, but I am not sure how to generalize some generic answer here.
16:15:35 <dgilmore> cstratak: I left where the maintenance was happening necessarily broad to include anywhere else that is maintaining the same software
16:15:48 <mhroncok> so that they should not use those in production
16:16:06 <dgilmore> cstratak: that's not what was in the spec last I looked
16:16:22 <mhroncok> if we say those packages are in sync with RHEL, everybody will try to use them in production
16:16:23 * dgilmore is still catching up on many things after fudcon though
16:16:40 <jsmith> nirik: +1
16:16:43 <dgilmore> mhroncok: and it may not be RHEL that we keep in sync with
16:17:20 <mhroncok> we intended to maintain those packages, if somebody opens a bug in bugzilla or asks us to fix this or that
16:17:38 <mhroncok> we didn't plan to fix CVEs automatically within minutes
16:17:47 <nirik> %description
16:17:47 <nirik> Python 3.5 package for developers.
16:17:48 <nirik> No security fixes will be applied.
16:17:53 <dgilmore> Python %{pybasever} package for developers.
16:18:09 <dgilmore> that's the big button
16:18:09 <mhroncok> yes, and as was discussed on devel ML, this was unfortunate
16:18:20 <mhroncok> and we are willing to change that wording after this discussion
16:18:58 <dgilmore> mhroncok: debian, or gentoo ,or other distros may be doing security work if Red Hat is not
16:19:02 <cstratak> also just some extra info, me and mhroncok are also maintaining the RHEL equivalents stacks so it's not really a question if we want to maintain the packages or not, this has already been established by the ongoing discussions at the tickets and ML
16:19:24 <dgilmore> if we are the only ones looking at some old piece of software, then I think it is fair to say we probably should not do it
16:20:03 <mhroncok> well I have such packages already, where no one is looking at them
16:20:10 <kalev> sorry, I had to step away for a bit -- I think it's probably fine to have packages in fedora that are EOL upstream, as long as there is someone committed to supporting them here downstream (the maintainer)
16:20:18 <mhroncok> upstream is dead and I make sure that if a Fedora bug is filed, I fix it
16:20:18 <kalev> I think the whole controversy here stemmed from the fact that the packages stated that they won't get security updates
16:20:23 <dgilmore> proposal. if there is a compelling use case to have eol software it would mean that it's being supported by other downstreams, in which case we should be sure to work with the other downstreams to get fixes into fedora
16:20:24 <kalev> which is just against fedora's existing practices
16:20:28 <kalev> if we have that, I think it should be fine to ship the python packages
16:20:45 <dgilmore> kalev: exactly
16:20:49 <maxamillion> kalev: +1
16:20:56 * nirik nods.
16:21:04 <dgilmore> gahh
16:21:19 <dgilmore> proposal. if there is a compelling use case to have unsupported upstream software it would mean that it's being supported by other downstreams, in which case we should be sure to work with the other downstreams to get fixes into fedora
16:21:54 <paragan> here fixes mean security fixes as well right?
16:22:03 <dgilmore> mhroncok: cstratak: if you had not put in "No security fixes will be applied." no one would have batted an eyelid
16:22:08 <dgilmore> paragan: yes
16:22:15 <mhroncok> I know that now :D
16:22:35 <nirik> It's this a more general case of "Packages in the fedora collection must be supported. If not upstream, but the fedora maintainer(s)"/
16:22:36 <nirik> ?
16:22:43 <dgilmore> nirik: sure
16:23:19 <mhroncok> would "Security fixes might not be applied as fast as on the regular python packages" be better?
16:23:30 <nirik> so perhaps we could just add that to https://fedoraproject.org/wiki/Package_maintainer_responsibilities ? or call it out better?
16:23:39 <dgilmore> nirik: indeed
16:24:39 <sgallagh> At the end of the day, all package maintenance in Fedora is voluntary. Sometimes it's subsidized by a company like Red Hat, but we've never given anyone promises about the speed at which we release updates.
16:24:52 <maxamillion> sgallagh: +1
16:24:58 <nirik> I could try and draft up a change there.... but I also won't be here next week.
16:24:58 <mhroncok> that's right
16:25:17 <maxamillion> there's no SLA on speed at which fixes/updates happen
16:25:22 <mhroncok> but we'd still like to indicate somehow that it is not a good idea to use pythonXY package in production
16:26:41 <nirik> I'd just be more verbose there and explain things... "These packages exist to allow fedora developers to test against RHEL or other long term downstream supported pythons. They are not a full python stack and if you wish to run your applications with them, see RHEL/CentOS/UbuntuLTS"
16:27:05 * kalev nods. +1
16:27:18 <mhroncok> nirik: thanks, I'll put something like that in %description
16:27:39 <cstratak> nirik,  +1
16:27:44 <maxamillion> +1
16:28:14 <nirik> of course we can't force people to use a package a particular way, but we can suggest/point them...
16:28:29 <dgilmore> nirik: +1
16:28:38 <dgilmore> so can we wrap this up?
16:29:13 <dgilmore> seems we maybe want to make some changes in the packager responsibilities page to make things clearer
16:29:14 <maxamillion> I think so, yes
16:29:15 <nirik> how about we approve these and I draft a change for maintainer responsibilities... ?
16:29:23 <maxamillion> nirik: +1
16:29:24 <nirik> (these being pythonXY)
16:29:27 <jwb> nirik: +1
16:29:38 <dgilmore> and mhroncok and cstratak will update the text that caused all the noise
16:29:47 <mhroncok> sure, I'll do it ASAP
16:29:51 <dgilmore> nirik: sure
16:30:23 <dgilmore> #action nirik to draft up a change for maintainer responsibilities
16:30:29 <jsmith> nirik: +1
16:30:57 <dgilmore> #proposal accept pythonXY with wording changes in the description
16:31:08 <sgallagh> dgilmore: +1
16:31:09 <dgilmore> I am +1
16:31:12 <maxamillion> dgilmore: +1
16:31:16 <paragan> dgilmore, +1
16:31:40 <nirik> +1
16:32:14 <kalev> +1
16:32:31 <dgilmore> maxamillion: I will let you wrap it up
16:32:47 <maxamillion> jwb: jsmith: ?
16:32:55 <jwb> didn't we just vote on this?
16:33:04 <jwb> +1
16:33:19 <dgilmore> jwb: it was not a formal proposal
16:33:57 <maxamillion> I see jsmith +1'd nirik
16:34:07 <maxamillion> alright
16:34:08 <maxamillion> #agreed - accept pythonXY with wording changes in the description (+1: 7, +0: 0, -1: 0)
16:34:23 <maxamillion> #topic New Business
16:34:25 <maxamillion> #topic #1635 F26 Self Contained Changes
16:34:26 <maxamillion> .fesco 1635
16:34:26 <maxamillion> https://pagure.io/fesco/issue/1635
16:34:27 <zodbot> maxamillion: Issue #1635: F26 Self Contained Changes - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1635
16:34:34 <mhroncok> thanks all
16:35:22 <maxamillion> new ones looks like Odoo and PHP 7.1
16:36:13 <nirik> +1 to both I guess. Odoo makes me want to revisit what a Change is tho...
16:36:22 <dgilmore> what nirik said
16:36:34 <maxamillion> yeah
16:36:37 <maxamillion> I think that's fair
16:36:43 <maxamillion> +1 to both for me as well
16:36:50 <sgallagh> I'm +1 to PHP but -1 on Odoo
16:36:54 <jwb> Odoo is not a Change
16:37:09 <sgallagh> In the sense that I don't have a problem with its inclusion, but it's not a Change
16:37:31 * kalev concurs.
16:37:57 <jsmith> +1
16:38:21 <paragan> +1 to PHP, -1 to Odoo as I don't think it qualifies a Change
16:38:26 <nirik> ha, it's open core too... ick
16:38:37 <maxamillion> Proposal: FESCo advises that Odoo not be listed as a Change, but the maintainer is free to add Odoo to the repositories
16:38:50 <jwb> +1
16:38:51 <kalev> +1
16:38:52 <maxamillion> +1
16:38:53 <paragan> +1
16:39:01 <nirik> +1
16:39:15 <dgilmore> +1
16:39:34 <maxamillion> jsmith: ?
16:39:37 <jsmith> +1
16:39:40 <maxamillion> #agreed - FESCO advises that Odoo not be listed as a Change, but the maintainer is free to add Odoo to the repositories (+1: 7, +0: 0, -1: 0)
16:39:43 <jsmith> (Sorry, having network issues at the moment)
16:39:47 <maxamillion> jsmith: :(
16:40:05 <maxamillion> and now for posterity/clarity
16:40:05 <maxamillion> Proposal: Approve the PHP 7.1 self contained Change
16:40:16 <maxamillion> +1
16:40:23 <paragan> +1
16:40:33 <nirik> +1
16:41:00 <kalev> +1
16:41:03 <jwb> +1
16:41:21 <jsmith> +1
16:41:39 <maxamillion> dgilmore: ?
16:44:03 <maxamillion> meh, we have the votes
16:44:10 <maxamillion> #agreed - Approve the PHP 7.1 self contained Change (+1: 6, +0: 0, -1: 0)
16:44:18 <maxamillion> #topic Next week's chair
16:44:39 <maxamillion> who's up next week?
16:44:41 <nirik> I will not be here next week. Will try and vote in tickets if I can...
16:44:51 <jwb> doubtful i will be here
16:45:11 * paragan also will not be here for next week
16:45:18 <kalev> could maybe cancel it next week then?
16:45:31 <jwb> i will be at LPC the week after as well
16:45:37 <jwb> which is unfortunate, but unavoidable
16:46:23 <maxamillion> I'll not be here on Friday Nov 4th (Friday after next) but will be around next week
16:47:36 <paragan> I will also not be here on Nov 4th, as I will be attending FUDCon APAC
16:47:40 <maxamillion> so we're -2 members for next week, we should still have enough folks to host a meeting unless others are going to be gone that I'm not aware of
16:48:37 <sgallagh> I'll take it if no one else is willing
16:48:56 <jsmith> I can take it
16:49:10 <sgallagh> /me defers to jsmith
16:49:14 <jsmith> I'll be at All Things Open in Raleigh, but would be happy to still join and run the meeting
16:49:42 <maxamillion> #info jsmith to chair 2016-10-28
16:49:49 <maxamillion> #topic Open Floor
16:52:23 <maxamillion> I'll give it another couple minutes and we'll wrap up
16:53:03 * dgilmore has nothing, sorry got distracted trying to finalise a patch
16:53:31 <maxamillion> dgilmore: no worries, we had enough folks present to have the votes for a decision
16:53:49 <dgilmore> I had said earlier i was +1 :)
16:54:01 <maxamillion> ah
16:54:08 <maxamillion> alright, let's call it
16:54:11 <maxamillion> have a good one all!
16:54:12 <maxamillion> #endmeeting