16:00:18 #startmeeting FESCO (2017-01-06)
16:00:18 Meeting started Fri Jan 6 16:00:18 2017 UTC. The chair is jwb. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:18 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:18 The meeting name has been set to 'fesco_(2017-01-06)'
16:00:18 #meetingname fesco
16:00:18 #chair maxamillion dgilmore jwb nirik paragan jsmith kalev sgallagh Rathann
16:00:18 The meeting name has been set to 'fesco'
16:00:18 Current chairs: Rathann dgilmore jsmith jwb kalev maxamillion nirik paragan sgallagh
16:00:22 hi all
16:00:30 morning
16:00:40 Greetings!
16:00:46 .hello sgallagh
16:00:47 sgallagh: sgallagh 'Stephen Gallagher'
16:00:50 It's been a while :-)
16:01:28 well, there's 4 of us anyway
16:01:37 .hello pnemade
16:01:38 paragan: pnemade 'Parag Nemade'
16:01:41 ah, 5
16:01:45 good, we have quorum
16:01:57 hello
16:02:08 ok, so some of the agenda items were wrapped up in the tickets themselves. that's good because the agenda is shorter now
16:02:11 let's get going
16:02:21 #topic #1646 No appropriate sudo directory for user scripts
16:02:21 .fesco 1646
16:02:21 https://pagure.io/fesco/issue/1646
16:02:22 jwb: Issue #1646: No appropriate sudo directory for user scripts - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1646
16:02:45 I don't think we got any more info here...
16:03:04 no, we didn't but how long are we going to wait?
16:03:05 Proposal: No changes required at this time.
16:03:13 sgallagh: +1
16:03:20 I'm done debating and waiting :-)
16:03:36 +1
16:03:45 I haven't heard a compelling argument for the change; anyone who is creating sudo user scripts can make a trivial change to their sudoers file
16:03:58 hey all
16:04:01 sgallagh: that's a strange way to word the proposal
16:04:13 he's not asking if they're required. he's asking if he can make them
16:04:34 jwb: I thought he was asking that FESCo require the sudo maintainer to make a change
16:04:41 That's how I read it, at least
16:04:49 ah, i suppose
16:05:15 I am personally thinking that it would be slightly nicer to have the sudo paths match with the system $PATH, but I don't think it's so important that fesco should require that
16:05:23 * nirik is fine with no changes
16:05:27 sgallagh: +1
16:05:29 i guess i'd be more clear either way and phrase it as "FESCo does/does not support..."
16:05:29 but I think we should definitely be okay _allowing_ them to change it if they want
16:05:59 kalev: who is "them"?
16:06:04 kalev: Eh, the default sudo config is definitely in FESCo's wheelhouse
16:06:09 kalev: the maintainer or end users?
16:06:17 the maintainer
16:06:30 this is only the defaults
16:06:43 jwb: "FESCo does not support extending the set of paths to include a custom script path" Better?
16:06:45 I personally always use full paths with sudo anyway
16:06:57 just to make sure I am calling the intended thing
16:07:10 "FESCo does not support extending the set of paths to include a custom script path by default"
16:07:20 sgallagh: yes!
16:07:26 +1
16:07:29 +1
16:07:30 +1
16:07:30 sgallagh: I liked the previous wording more, because the new wording sounds like we are against changing it
16:07:44 kalev: i think we're saying we're against changing it
16:07:44 kalev: I am :)
16:07:56 fair enough
16:07:59 +1 then
16:08:00 Specifically, against changing the defaults
16:08:12 +1 to sgallagh's updated proposal
16:08:13 The users themselves can modify it to their hearts' content
16:08:18 +1
16:08:53 * jwb tallies the vote
16:09:29 #agreed FESCo does not support extending the set of paths to include a custom script path (+7: 0: -0)
16:09:34 ok, moving on
16:09:49 #topic #1657 Unresponsive maintainer: ke4qqq
16:09:50 .fesco 1657
16:09:50 https://pagure.io/fesco/issue/1657
16:09:51 jwb: Issue #1657: Unresponsive maintainer: ke4qqq - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1657
16:11:08 Huh, I thought I voted on this in the ticket. Guess I didn't. +1 to orphaning all his packages and giving sheepdog to the reporter.
16:11:27 +1
16:11:33 +1 also
16:11:43 https://admin.fedoraproject.org/pkgdb/packager/ke4qqq/
16:11:45 +1
16:11:48 I'm +1 too, I'd just want to add that if we are processing unresponsive maintainer tickets, it would be nice to add the unresponsive maintainer to fesco ticket's CC
16:11:50 point of contact on 26 packages
16:11:52 so that they know what's going on
16:12:01 +1 (although he should have been added to the ticket)
16:12:21 +1 to orphan packages
16:13:04 There was a suggestion to mail him at an apache.org address on the devel list, but I guess that didn't pan out
16:13:27 #agreed FESCo agrees to orphan ke4qqq's packages and give sheepdog to the reporter (+7:0:-0)
16:14:13 nirik, i assigned the ticket to you to do the orphaning (sorry)
16:14:16 * nirik can do that after the meeting. ;)
16:14:17 Worst case, he resurfaces and requests access
16:14:18 sure
16:14:32 ok, moving on
16:14:44 #topic #1635 F26 Self Contained Changes
16:14:44 .fesco 1635
16:14:44 https://pagure.io/fesco/issue/1635
16:14:45 well, note that changing poc to orphan leaves them still with access. just not poc.
16:14:46 jwb: Issue #1635: F26 Self Contained Changes - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1635
16:15:38 pagure is being slow for me
16:15:44 same here
16:15:49 WE BROKE IT
16:16:08 * nirik looks
16:17:19 I'm pretty sure I voted in the ticket :-p
16:17:35 * nirik pokes it with a sharp stick
16:17:58 pretty sure the two to discuss today were Golang PIE and fontconfig
16:18:14 https://fedoraproject.org/wiki/Changes/golang-buildmode-pie
16:18:26 sorry I'm late
16:18:28 .hello maxamillion
16:18:29 maxamillion: maxamillion 'Adam Miller'
16:18:46 I was working on something and completely lost track of time, apologies
16:19:06 np, it happens. apparently to pagure too!
16:19:20 jwb: uh oh, what'd I miss?
16:19:26 ok, it should be back
16:19:30 https://fedoraproject.org/wiki/Changes/FontconfigCacheDirChange
16:19:34 there, those two changes
16:19:37 maxamillion: nothing. it just stalled
16:19:42 fun
16:19:44 yes it's back now
16:20:10 there were comments on performance numbers with the PIE change to golang
16:20:32 i'm not sure that's really enough to not approve the change, but it would be good to get some data either way
16:20:34 Yeah, I don't want to vote on the PIE change until we have more information
16:20:43 I haven't seen any response to the Golang performance issue
16:21:02 So I'll change my vote to "defer" :-)
16:21:11 I mean, I'm always in favor of security hardening, but not if it comes with an 80% performance hit or something ridiculous.
16:21:14 fontconfig seems kinda wrong
16:21:24 As for the fontconfig issue, I'm still squarely -1
16:21:53 i forget what the objection there was
16:22:00 I haven't looked at the fontconfig change closely, but from the discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1377367 it seems that people are trying to come up with alternative ways to do it
16:22:16 would be good to make sure that the PIE change does not affect performance
16:22:53 jsmith: why so? I don't really know my way around fontconfig well enough to have an informed opinion
16:23:10 jwb: I don't like having caches under /usr/lib
16:23:19 maxamillion: ^^^
16:23:26 jsmith: there are a number of others already there
16:23:29 jsmith: Well, the debate is whether it's *really* a cache
16:23:43 There's a semantic difference, I think
16:24:03 I don't really see what's a problem with having a cache that's updated at package install time in /usr
16:24:07 To me, a cache is a temporary storage of data that gets retrieved option as a perf enhancement
16:24:17 lots of other stuff does that too, like for example in /usr/share/icon there's the icon cache etc
16:24:24 /usr/share/icons
16:24:25 A "cache" that is built once and used forever after isn't a cache... it's data.
16:24:37 * jwb finds the invocation of FHS somewhat laughable
16:24:41 jsmith: oh
16:24:46 OK, comment 10 makes that more clear...
16:25:25 s/option/often/ above. Not sure what I was thinking there..
16:25:54 Proposal: Defer golang PIE change until more data on performance impact is available
16:26:01 jwb: +1
16:26:02 jwb: +1
16:26:03 +1 I guess
16:26:04 +1
16:26:06 +1
16:26:08 +1
16:26:21 -1 to my own proposal fwiw
16:26:42 ha
16:26:49 +1
16:27:13 #agreed Defer golang PIE change until more data on performance impact is available (7:0:-1)
16:27:19 ok, fontconfig
16:27:20 as for the /usr vs /var/cache, I think it's fine to have a lookup table that's generated at package install time in /usr. Things that are dynamically generated at runtime should be in /var/cache though
16:29:10 kalev: So the main issue as I see it is that the data differs between traditional and ostree
16:29:29 * paragan agrees with kalev
16:29:32 With ostree, you only generate the font cache on the server and never update it.
16:29:49 On a traditional RPM deployment, if a package pulls in a new font, the data set is regenerated.
16:30:04 So while it's not a *cache* by my personal definition, it's still variable data.
16:30:19 that seems... orthogonal to the location of where the data is stored
16:30:34 i mean, nitpicking the definition of a "cache" is fine i guess but it doesn't really matter
16:31:28 Ok, you've convinced me
16:31:30 sgallagh: so moving to /usr won't help the ostree use-case, isn't that the whole point of the proposed change and if it doesn't in fact work wouldn't it kind of make the whole thing pointless?
16:32:04 no, I think it would help ostree
16:32:12 maxamillion: well the data is made at ostree creation time in /usr and shipped in the ostree
16:32:14 ostree needs to have a separation of cache directories and system directories because the system directories are always generated on the server side
16:32:23 yup, what dgilmore said
16:32:26 Right, I think the change affects the OStree build-time
16:32:31 so the things that happen during 'rpm -i' stage need to be in the ostree tree for things to work
16:32:33 I was thinking in terms of the end-user system
16:32:39 dgilmore: right, but then users can't add fonts ... right?
16:32:57 maxamillion: users can not install anything at run time
16:33:03 that's how ostree is designed
16:33:05 kalev: so ostree fails if rpmostree tries to put data in /var ?
16:33:21 sgallagh: in /var/cache at least, that's my understanding
16:33:32 to add fonts they would have to make a new tree
16:33:38 dgilmore: sure they can, just not with dnf ... nothing is stopping someone from laying font files down on the filesystem and running commands to update fontconfig, right?
16:33:55 maxamillion: that's making an updated tree
16:34:01 kalev: OK, so if they moved it to /var/lib, everyone could be happy?
16:34:01 :)
16:34:04 it's all in the new tree when you reboot into it
16:34:18 that's not what maxamillion is describing
16:34:23 the bug seems to indicate they are installing and using overlay?
16:34:24 sgallagh: I suspect so, but not entirely sure. would have to ask someone who understands ostree better than I do
16:34:25 dgilmore: that's not what I mean
16:34:30 Fair enough
16:34:36 maxamillion: that's how it works afaik
16:34:52 May I suggest that FESCo doesn't have all the information it needs to make a decision on this today?
16:34:57 sure!
16:35:00 sgallagh: sure
16:35:04 * kalev agrees.
16:35:40 I'll try to catch Colin next week in the office and discuss it with him
16:35:43 it's the overlay/install package at runtime that's not working with fontconfig...
16:35:49 sgallagh: should we come up with a list of questions we'd like answered?
16:35:54 at least as far as I can tell
16:35:57 maxamillion: That would be helpful.
16:36:05 Might as well just ask them in the BZ, I suppose
16:36:22 Proposal: FESCo defers the fontconfig cache change so that it can gather more information
16:36:27 +1
16:36:33 sgallagh: yeah, fair point
16:36:34 jwb: +1
16:36:49 +1
16:36:50 +1
16:36:54 +1
16:36:55 +1
16:37:00 =1
16:37:02 +1, that is
16:37:20 1
16:37:28 #agreed FESCo defers the fontconfig cache change so that it can gather more information (8:0:-0)
16:38:02 #topic #1664 Orphaning of rrati's packages
16:38:02 .fesco 1664
16:38:02 https://pagure.io/fesco/issue/1664
16:38:03 jwb: Issue #1664: Orphaning of rrati's packages - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1664
16:38:49 this one didn't exactly follow the normal process, but the equivalent data seems to be there
16:39:19 proposal: contact rrati and offer to orphan their packages or assist them in doing so
16:39:29 nirik: +1
16:39:33 nirik: +1
16:39:38 +1
16:39:40 +1
16:39:51 +1
16:39:52 +1
16:39:53 +1
16:40:17 poc on 16 packages: https://admin.fedoraproject.org/pkgdb/packager/rrati/
16:40:19 #agreed contact rrati and offer to orphan their packages or assist them in doing so (8:0:-0)
16:40:47 who wants to contact them?
16:40:47 anyone already planning to take that as an action item?
16:40:51 jwb: +1 :D
16:40:53 I can do it.
16:40:56 nirik++
16:41:00 nope, not going to let nirik do it
16:41:02 someone else
16:41:12 ha. ;)
16:41:13 I'll do it
16:41:16 sure, I don't care.
16:41:22 great, thanks maxamillion
16:42:00 ok, last topic
16:42:09 #topic #1663 How strongly should we recommend systemd sandboxing features?
16:42:09 .fesco 1663
16:42:09 https://pagure.io/fesco/issue/1663
16:42:10 jwb: Issue #1663: How strongly should we recommend systemd sandboxing features? - fesco - Pagure - https://fedorahosted.org/fesco/ticket/1663
16:42:57 to be honest, i don't think we've all had time to digest this
16:43:33 there's a lot of options to look at and figure out what to do, and there's no concrete proposal on which to enable and under what conditions
16:43:41 I read over it this morning, I'm in support of improving the guidelines to recommend the sandboxing but I'm honestly not sure what's being proposed here ... it's kind of open ended in the ticket
16:43:46 * dgilmore notes we have had to eject systemd-232 from fedora
16:43:53 I haven't had time to fully digest it, but I do agree with mattdm's proposal that we go for stronger rather than weaker.... but a proposal would be nice
16:43:55 dgilmore: oh fun
16:44:09 jsmith: +1
16:44:16 there's a patch tho, we should try that soon. ;)
16:44:16 dgilmore: dare I ask what happened?
16:44:17 it breaks composing entirely as the kernel gets incorrectly copied
16:44:18 jsmith: i'm going to guess that mattdm was hoping fesco would come up with said proposal
16:44:28 dgilmore: computers! \o/
16:44:33 so none of the new functionality is tested in fedora
16:44:36 this seems like one of those polite FPL request things
16:44:41 jwb: That's my guess as well -- I'm just not sure I'm (yet?) qualified to make such a proposal
16:44:57 I am all for making things more secure
16:44:58 I think there's a few things we could change the default on... and the rest suggest maintainers use any that don't break functionality on their package
16:45:09 I am not sure how it will affect things in practice
16:45:11 nirik: +1
16:45:13 ok, so this needs 1) an owner to make concrete suggestions, 2) a timeframe
16:45:14 nirik: Sounds very reasonable
16:45:26 jwb: indeed
16:45:27 jwb: Yes, exactly.
16:46:08 jwb: at least some things I can think of off the top of my head, how hard is it to do something like change the port of ssh
16:46:18 For timeframe, I propose F27...
16:46:27 if the service file limited to tcp 22 would users find it too cumbersome to change
16:46:38 well, likely it will be ongoing for a long time before everything is changed...
16:46:53 and making sure changes in the service files got merged simply with user changes
16:47:27 jsmith: I would leave the timeframe open until we know more
16:47:56 dgilmore: I guess what I'm trying to say is "Let's come up with an initial proposal for F27... it's not carved in stone, and can be adjusted from there"
16:48:02 different suggestions could have different timeframes
16:48:08 to be clear, i meant the proposal needs a timeframe
16:48:16 jwb: oh :D
16:48:19 right, what jsmith said
16:48:20 dgilmore: Rather than trying to solve for everything up front
16:48:41 I read that very differently
16:48:54 communication is hard
16:49:00 jsmith: +1
16:49:33 still needs an owner
16:49:35 I'm happy to brainstorm on the ticket for the next week or so, and see if we can't come up with a more concrete proposal for F27
16:49:41 I think a month would be a good timeframe to come up with some initial proposals
16:49:41 jsmith: great
16:49:49 I don't really want to volunteer to own it, but I'm happy to work on it
16:50:01 and if nobody else volunteers, I guess I'm stuck :-)
16:50:14 Proposal: jsmith to take initial stab at a concrete proposal and present something in one month. Help welcome
16:50:25 WORKSFORME +1
16:50:29 Unfortunately, I know I'm not going to have the spare cycles in January.
16:50:36 Sorry :(
16:50:39 sgallagh: Understood :-)
16:51:07 might be good to set up a wiki page or something and ask everyone to poke at it a little
16:51:45 nirik: That's a good suggestion, and one that I wholeheartedly support
16:52:03 I like that also
16:52:19 +1 to jwb's proposal
16:53:04 +1 to jwb's proposal
16:53:19 +1 to jwb's proposal
16:53:22 +1
16:53:43 +1
16:53:46 +1
16:53:52 #agreed jsmith to take initial stab at a concrete proposal and present something in one month. Help welcome (8:0:-0)
16:54:00 #topic Next Week's Chair
16:54:14 I can, it has been awhile
16:54:40 #agreed dgilmore to chair next week
16:54:43 #topic Open Floor
16:55:17 jsmith: damnit, i misspelled your name in the ticket. sorry
16:55:32 Reminder that voting in Fedora elections (FESCo, Council, FAmSCo) starts on January 10th
16:55:38 jwb: No worries -- I get that all the time
16:56:08 #info Reminder that voting in Fedora elections (FESCo, Council, FAmSCo) starts on January 10th
16:56:16 anything else?
16:56:21 nada
16:56:31 nope
16:57:03 ok, thanks everyone
16:57:05 #endmeeting