15:00:01 <contyk> #startmeeting FESCO (2018-07-30)
15:00:01 <zodbot> Meeting started Mon Jul 30 15:00:01 2018 UTC.
15:00:01 <zodbot> This meeting is logged and archived in a public location.
15:00:01 <zodbot> The chair is contyk. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:01 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:00:01 <zodbot> The meeting name has been set to 'fesco_(2018-07-30)'
15:00:04 <contyk> #meetingname fesco
15:00:04 <zodbot> The meeting name has been set to 'fesco'
15:00:06 <bowlofeggs> .hello2
15:00:08 <contyk> #chair nirik, maxamillion, jsmith, jwb, zbyszek, tyll, sgallagh, contyk, bowlofeggs
15:00:08 <zodbot> Current chairs: bowlofeggs contyk jsmith jwb maxamillion nirik sgallagh tyll zbyszek
15:00:10 <zodbot> bowlofeggs: bowlofeggs 'Randy Barlow' <rbarlow@redhat.com>
15:00:12 <contyk> #topic init process
15:00:15 <contyk> .hello psabata
15:00:16 <zodbot> contyk: psabata 'Petr Šabata' <psabata@redhat.com>
15:00:24 <nirik> .hello kevin
15:00:25 <zodbot> nirik: kevin 'Kevin Fenzi' <kevin@scrye.com>
15:00:27 <contyk> let's see how many people we get today
15:00:28 <bcotton> .hello2
15:00:29 <zodbot> bcotton: bcotton 'Ben Cotton' <bcotton@redhat.com>
15:00:33 <bowlofeggs> are you ready to rumble
15:00:53 <ignatenkobrain> .hello2
15:00:54 <zodbot> ignatenkobrain: ignatenkobrain 'Igor Gnatenko' <i.gnatenko.brain@gmail.com>
15:01:19 <contyk> it's unclear whether jakub is coming today
15:01:27 <contyk> so I'd start with the "new" business and see if he makes it later
15:01:45 <ignatenkobrain> I think he doesn't
15:01:50 <contyk> #topic #1946 Updates process is broken
15:01:54 <contyk> .fesco 1946
15:01:56 <zodbot> contyk: Issue #1946: Updates process is broken - fesco - Pagure - https://pagure.io/fesco/issue/1946
15:01:58 <contyk> https://pagure.io/fesco/issue/1946
15:02:11 <sgallagh> I'm double-booked, but sort of here
15:02:21 <contyk> so I put this one on the agenda because at least to me it's unclear what the next steps are
15:02:24 <contyk> sgallagh: yeah, the same
15:02:39 <bowlofeggs> yeah there's not really a specific proposal here
15:03:09 <nirik> not sure why the abi check failed... that would be nice to know/fix.
15:03:30 <jsmith> .hello2
15:03:32 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com>
15:04:03 <contyk> who could investigate?
15:04:16 <bowlofeggs> should this really be a fesco issue?
15:04:59 <contyk> probably not; we could probably pass it to infra
15:05:24 <bowlofeggs> or QA?
15:05:32 <nirik> well, kparal asked in ticket... but I haven't seen a reply there yet
15:05:53 <nirik> dodji might be on vacation or something.
15:06:13 <nirik> so if things had worked, there would have been a failed abi test.
15:06:32 <tyll> .hello till
15:06:33 <zodbot> tyll: till 'Till Maas' <opensource@till.name>
15:06:38 <bowlofeggs> should we just refile it with the abicheck folks?
15:06:49 <bowlofeggs> is that QA?
15:06:53 <nirik> yes
15:07:17 <bowlofeggs> proposal: this should be filed with QA instead of FESCo.
15:07:21 <contyk> +1
15:07:22 <bowlofeggs> +1
15:07:32 <nirik> +1
15:08:13 <sgallagh> +1
15:08:15 <tyll> +1
15:08:37 <contyk> jsmith: ?
15:08:49 <tyll> I guess the problem is anyhow that there needs to be someone willing to work on it
15:08:50 <jsmith> +1
15:08:56 <jsmith> tyll: Agreed.
15:09:06 <contyk> let the QA figure that out
15:09:29 <contyk> #agree The issues should be filed with QA instead of FESCo (+6, 0, -0)
15:09:49 <contyk> did that work? :)
15:09:55 <sgallagh> Does #agree work or does it need to be #agreed?
15:09:56 <bowlofeggs> i think so
15:10:00 <bowlofeggs> oh i dunno
15:10:04 * sgallagh has always used the latter
15:10:19 <contyk> let's try that
15:10:22 <contyk> #agreed The issues should be filed with QA instead of FESCo (+6, 0, -0)
15:10:30 <contyk> worst case we'll have it twice
15:10:34 * sgallagh nods
15:10:36 <nirik> yeah, it's agreed... it doesn't send anything to channel, just the logs
15:10:42 <contyk> #topic #1945 Nonresponsive maintainer policy: stalled pull requests
15:10:46 <contyk> .fesco 1945
15:10:48 <zodbot> contyk: Issue #1945: Nonresponsive maintainer policy: stalled pull requests - fesco - Pagure - https://pagure.io/fesco/issue/1945
15:10:52 <contyk> https://pagure.io/fesco/issue/1945
15:11:02 <contyk> similar to the previous topic
15:11:13 <contyk> I wonder what the next steps for FESCo would be?
15:11:26 <contyk> I agree with adding PRs to the policy
15:11:34 <contyk> I also agree that PRs need to be made more visible
15:11:39 <contyk> preferably before we update the policy
15:11:55 <tyll> for the notifications we need to file an infra ticket I believe
15:12:04 <sgallagh> It looks like at least "adding to the policy" is approved in the ticket
15:12:10 <nirik> sure.
15:12:13 <sgallagh> Notifications would be a request to infra, yeah
15:12:31 <tyll> but I think the policy can be updated anyhow since the non-responsive maintainer procedure will act as a notification as long as there is no other notification
15:12:44 <contyk> that makes sense
15:13:18 <tyll> There is not too much harm except that maintainers might be surprised to be considered non-responsive which is unfortunate but I do not know of a better word for this
15:13:57 <contyk> who would be filing the infra request?
15:14:03 <sgallagh> tyll: Well, the non-responsive process still requires a direct contact attempt
15:14:05 <sgallagh> So I think it's okay
15:14:45 <nirik> so do we just want a weekly email to maintainers on their outstanding prs? or also to the devel list?
15:14:49 * jsmith_2 had a network outage, and has re-joined
15:15:05 <jsmith_2> nirik: Is it too much to ask for both?
15:15:21 <nirik> we can, but it means more devel mail...
15:15:49 * nirik can file the infra ticket, just want to clarify what we want
15:15:58 <contyk> alright
15:16:04 * jsmith_2 wishes for a developer portal that would highlight all the things that a packager needs to focus on (BZ, PRs, FTBFS, etc.)
15:16:21 <contyk> proposal: Let's update the policy and nirik will file an infra ticket to make PRs more visible
15:16:33 <jsmith_2> +1 to contyk's proposal
15:16:51 <bowlofeggs> i don't think we need a devel mail
15:17:03 <bowlofeggs> i think just something like bz's outstanding requests notification would be enough
15:17:31 <bowlofeggs> jsmith_2: yeah, i think that hubs was supposed to make that possible but it got funding pulled
15:18:46 <nirik> I could go either way... on the one hand devel list mail would let people see who is overworked/has too many outstanding pr's...
15:18:49 <contyk> I think the implementation can be discussed in the infra ticket
15:18:51 <sgallagh> Could we do weekly ones to the maintainers and a monthly one to devel?
15:19:12 <jsmith_2> sgallagh: Seems like a reasonable compromise
15:19:36 <nirik> I wonder if this could be a RFE for pagure...
15:20:32 <jsmith_2> nirik: Not sure I follow -- you mean Pagure send these itself, rather than having an external process query Pagure via its REST API to build the body of the email?
15:20:45 <nirik> right.
15:20:55 <nirik> so ie, pagure.io could also send them...
15:21:07 <jsmith_2> nirik: That's fine with me too
15:21:08 <nirik> and users could disable that if they didn't want it in their prefs
15:21:37 <nirik> I can discuss with pingou and figure out where it is best. that doesn't need to be in this meeting.
15:22:01 <jsmith_2> Sounds good -- let's move on :-)
15:22:17 <contyk> any more votes on the proposal?
15:22:28 <contyk> although I could change it a bit to reflect the last bit
15:22:54 <contyk> proposal: Let's update the policy; nirik will discuss a method of highlighting PRs with pingou
15:23:02 <nirik> +1
15:23:07 <jsmith> +1
15:23:24 <contyk> +1 :)
15:23:28 <tyll> +1
15:23:34 <sgallagh> +1
15:23:45 <contyk> bowlofeggs: ?
15:23:53 <bowlofeggs> +1
15:24:08 <contyk> #agreed Let's update the policy; nirik will discuss a method of highlighting PRs with pingou
15:24:15 <contyk> alright
15:24:18 <contyk> #topic #1935 [Security] Remove packages which has a consistent bad security record from the distribution
15:24:22 <contyk> .fesco 1935
15:24:24 <zodbot> contyk: Issue #1935: [Security] Remove packages which has a consistent bad security record from the distribution. - fesco - Pagure - https://pagure.io/fesco/issue/1935
15:24:26 <contyk> https://pagure.io/fesco/issue/1935
15:26:02 <sgallagh> So we're dropping Firefox?
15:26:03 <bowlofeggs> for this one, i would like us to consider that not all CVEs are important
15:26:04 * sgallagh ducks
15:26:07 <bowlofeggs> in fact, most probably are not
15:26:44 <nirik> sgallagh: the kernel is first. ;)
15:26:49 <sgallagh> I'd prefer not to make a general proposal on this and instead consider any such cases individually in FESCo
15:27:04 <sgallagh> actually, call the above my formal proposal for response
15:27:16 <contyk> +1
15:27:58 <nirik> well, who brings cases? whoever is interested I guess? so no systematic list?
15:27:58 <bowlofeggs> sgallagh: yeah i was considering a similar proposal
15:27:59 <bowlofeggs> +1
15:28:09 <jsmith> sgallagh: +1
15:28:29 <sgallagh> nirik: In practice, I'd assume the Fedora Security Team
15:28:43 <sgallagh> But I figure anyone interested enough should just be permitted to
15:29:01 <contyk> bet the first one will be Firefox
15:29:03 <sgallagh> I'll rephrase my proposal
15:29:38 <ignatenkobrain> .members gitfedora-security-team
15:29:39 <zodbot> ignatenkobrain: Members of gitfedora-security-team: dcafaro @ignatenkobrain jtaylor mhayden pjp siddharths @sparks
15:29:40 <sgallagh> Proposal: FESCo does not want to set a general policy on this matter but will consider cases on an individual basis when any Fedora contributor raises the issue.
15:30:04 <nirik> there really isn't an active fedora security team. ;)
15:30:05 <contyk> +1
15:30:11 <jsmith> sgallagh: +1
15:30:12 <nirik> +1
15:30:27 <jsmith> nirik: Yeah, I agree -- the security team is not functional at this point in time
15:30:42 <bowlofeggs> sgallagh: +1
15:31:02 <contyk> tyll: ?
15:31:19 <tyll> there is currently the request for all issues in https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9188023&order=changeddate%2Cpriority%2Cbug_id&product=Fedora&query_format=advanced
15:31:33 <tyll> not sure that we as FESCo want to discuss every one individually
15:32:01 <orc_fedo> tyll: the problem and question as to production of a non-exempt list remains, though
15:32:15 <sgallagh> tyll: I'm going to formally suggest that if they want something reviewed, they need to select important cases and present them
15:32:30 <sgallagh> If they ask for a blanket removal, I'll vote "no"
15:32:45 <nirik> tyll: "This result was limited to 1000 bugs" that's going to take a while. ;)
15:32:49 <jsmith> Might be interesting to order that list based on highest CVSS score.... but otherwise, the list is too long to effectively deal with as-is.
15:33:19 <tyll> I guess the problem is that it is too much to do manually, therefore they request some kind of cleanup to make it manageable
15:34:04 <tyll> it is the same with FTBFS packages or like it was with orphaned pkgs in the past, there needs to be some kind of automatic removal threat to make sure that the important pkgs remain
15:36:14 <jsmith> tyll: I agree with the need to put emphasis on the right packages... I think the key will be to come up with a shorter list of things that need to be addressed manually.
15:36:42 <jsmith> tyll: Maybe a list of the top ten or twenty offenders that we can start with -- and maybe go through several each FESCo meeting.
15:36:47 * jsmith is just throwing out ideas
15:37:03 <bowlofeggs> yeah this isn't quite like FTBFS
15:37:10 <bowlofeggs> because FTBFS is a binary
15:37:17 <bowlofeggs> but CVEs aren't always important
15:37:23 <bowlofeggs> they are a range of importance
15:37:42 <bowlofeggs> so FTBFS seems to be always important to fix to me, but CVEs depend on the score
15:38:01 <bowlofeggs> and BZ doesn't make it easy to search by score it seems
15:38:14 <misc> the score is not enough, context does matter
15:38:17 <sgallagh> I wish we had a way to associate CVEs to upstream commits
15:38:32 <tyll> AFAIU the problem is not that there is disagreement about whether they are important but that the issues are not triaged and there is no clear signal from maintainers that shows that certain CVEs are not important instead of just ignored
15:38:36 <sgallagh> Then we could at least invoke the non-responsive maintainer policy on those that were fixed upstream but not in Fedora
15:38:45 <misc> (and for a library, a CVE depends on who uses it)
15:40:47 * nirik isn't sure we are going to solve this here... might be we need more discussion/ideas?
15:41:14 <contyk> I think what was just said just confirms that we need to assess these individually
15:41:27 <sgallagh> contyk: I agree
15:41:38 <sgallagh> For now, the problem is intractable
15:41:54 <contyk> I'm still +1 to sgallagh's original proposal
15:42:38 <bowlofeggs> yeah me too
15:43:17 <contyk> tyll: so what do you say? do you have an alternative proposal or do you think this needs more discussion?
15:43:55 * nirik notes it was never discussed on devel.
15:44:25 <tyll> contyk: I would like a process more where the pkgs are announced to be removed with a deadline and then maintainers/people can object to them to be removed. Then they can stay and all the pkgs nobody cares about will be removed
15:45:30 <sgallagh> tyll: At a quick glance, it looks like we'd be doing that for nearly every package in the distro...
15:48:09 <nirik> yeah, so we would want some criteria... but I am not sure what that should be
15:48:51 <contyk> so how about we move this to the devel list and revisit next week?
15:49:03 <sgallagh> +1
15:49:31 <tyll> sgallagh: most of the bugs seem to be rather new, so they might still be handled (not sure if Bugzilla hides the old bugs)
15:49:35 <bowlofeggs> contyk: +1
15:50:50 <nirik> contyk: +1
15:51:03 <tyll> contyk: +1
15:51:12 <contyk> jsmith: ?
15:51:29 <jsmith> +1
15:52:24 <contyk> #agreed Let's discuss this matter on the devel list before revisiting the topic next week (+6, 0, -0)
15:52:36 <contyk> and then we have one followup
15:52:41 <contyk> #topic #1942 F29 System Wide Change: Remove Excessive Linking
15:52:44 <contyk> .fesco 1942
15:52:45 <zodbot> contyk: Issue #1942: F29 System Wide Change: Remove Excessive Linking - fesco - Pagure - https://pagure.io/fesco/issue/1942
15:52:47 <contyk> https://pagure.io/fesco/issue/1942
15:52:56 <contyk> but since jakub isn't here, I think we can just postpone it again
15:53:27 <ignatenkobrain> when is the f29 branching?
15:53:34 * nirik looks
15:53:56 <nirik> 2018-08-14
15:54:01 <nirik> just after flock
15:55:02 <ignatenkobrain> are we going to have meeting next week?
15:55:04 <ignatenkobrain> or during flock?
15:55:24 <sgallagh> I remain opposed to this for F29. I'm fine with flipping the switch right after F29 branches from Rawhide.
15:55:39 <ignatenkobrain> we are talking about f30 here
15:55:39 <ignatenkobrain> I suppose
15:56:01 <sgallagh> ignatenkobrain: It was submitted for F29
15:56:09 <sgallagh> If you want to retarget it for F30, that would make me happier
15:56:23 <contyk> I think that was the plan
15:56:29 <bowlofeggs> yeah i also think it should be switched to F30
15:56:34 <ignatenkobrain> but there is written proposal in ticket
15:56:35 <contyk> but jakub was supposed to provide some input whether we should be doing it at all
15:56:36 <bcotton> just from a schedule standpoint, if it's not approved today it becomes F30 almost by default
15:57:15 <bcotton> we don't really have a deadline for change _approval_ in the schedule, but it seems too late for F29 at this point for reasons this group has raised
15:57:24 <ignatenkobrain> https://pagure.io/fesco/issue/1942#comment-523147
15:57:25 <ignatenkobrain> I mean here
15:57:57 <bowlofeggs> i do think we should get more feedback from jakub - perhaps we need to contact him to ask if he intends to come to a fesco meeting
15:58:14 <bowlofeggs> we might not have given him very good notice for the two so far
15:58:22 * nirik nods.
15:58:25 <contyk> that's true
15:58:32 <sgallagh> bowlofeggs: I'm willing to let it happen early in F30, reasoning that if it goes terribly poorly we can revert it before the mass rebuild
15:59:05 <ignatenkobrain> I would love to switch it as soon as f29 branches
15:59:28 <ignatenkobrain> because if we will be waiting for long, we might spot some issues too late and we would have to move it for f31
15:59:53 <nirik> right, so we have until the 14th to decide that...
15:59:54 <ignatenkobrain> so that's why I was asking if there will be meeting next / after next week
15:59:59 <sgallagh> I'm with ignatenkobrain here. Let's approve it for right after the branch, which gives us ample time to roll it back if we needed to
16:00:25 <sgallagh> It also gives Jakub and his team two full weeks to chime in and tell us to stop if they feel like they need to.
16:00:32 <sgallagh> We can revisit any decision.
16:00:33 <contyk> I'll definitely be around both Mondays
16:01:01 <jsmith> WORKSFORME
16:01:10 <tyll> I will not be around next Monday
16:01:14 * nirik should be around next monday
16:01:22 <tyll> Approving for early F30 sounds good to me
16:01:24 <bowlofeggs> i will not be around next monday
16:01:58 <bowlofeggs> i am inclined to also approve pending feedback from jakub, since he hasn't been particularly responsive (he may be on vacation though?)
16:02:04 <contyk> well, no reason to cancel the meeting early
16:02:08 <jsmith> I'll be around on Monday
16:04:23 <contyk> ok, so what's the proposal here?
16:05:01 <sgallagh> Proposal: Accept this change for F30, expecting it to be activated immediately after branching to provide maximum time to shake out issues or invoke the contingency plan.
16:05:04 <sgallagh> +1 FTR
16:05:15 <nirik> +1
16:05:19 <bowlofeggs> sgallagh: +1
16:05:26 <tyll> +1
16:05:30 <nirik> do announce when it's enabled so people can look for the issues...
16:05:45 <sgallagh> nirik: Yeah, good idea
16:06:09 <jsmith> +1
16:06:15 <contyk> alright, +1
16:06:40 <contyk> #agreed Accept this change for F30, expecting it to be activated immediately after branching to provide maximum time to shake out issues or invoke the contingency plan.
16:06:53 <contyk> alright, so that's for the agenda
16:06:57 <contyk> #topic Next week's chair
16:07:05 <sgallagh> I will not be around
16:07:32 <contyk> I can do that again if no one else volunteers
16:07:40 <jsmith> I can do it too
16:07:51 <contyk> thanks!
16:07:58 <bowlofeggs> i will not be here the next two meetings
16:08:02 <contyk> #action jsmith will chair next meeting
16:08:07 <jsmith> :-)
16:08:11 <contyk> #topic Open Floor
16:08:16 <contyk> anything for the open floor?
16:09:19 <nirik> looking forward to flock...
16:09:24 <contyk> oh yes
16:09:25 <nirik> is everyone going to make it?
16:09:30 <contyk> I am
16:09:31 * tyll is
16:10:01 <bowlofeggs> i'll be there
16:10:04 <sgallagh> I'd better be, I'm scheduled as a speaker for six sessions :-/
16:10:14 <bowlofeggs> and travel is why i'm missing both of the next two meetings :)
16:10:20 <bowlofeggs> whoah six is crazy
16:10:23 * bowlofeggs is just doing 1
16:10:24 * jsmith is still only about 30% sure he'll make it to Flock
16:10:58 * nirik will be there. 1 talk and 1 workshop and 1 hackfest. :)
16:11:15 <contyk> how many beers?
16:11:28 * ignatenkobrain is going to floc ;)
16:11:29 <ignatenkobrain> glock
16:11:29 <ignatenkobrain> argh!
16:11:30 <ignatenkobrain> flock
16:12:08 <nb> jsmith, i hope you will make it
16:12:38 <sgallagh> bowlofeggs: I think I still hold the record. I had nine sessions at the first Flock
16:12:47 <bowlofeggs> wow
16:13:09 <bowlofeggs> so, endmeeting?
16:13:15 * contyk nods
16:13:19 <bowlofeggs> jcline is trying to abandon me for lunch
16:13:29 <contyk> yep, let's end it
16:13:32 <contyk> #endmeeting