15:04:11 <jsmith> #startmeeting FESCO (2018-08-06)
15:04:11 <zodbot> Meeting started Mon Aug  6 15:04:11 2018 UTC.
15:04:11 <zodbot> This meeting is logged and archived in a public location.
15:04:11 <zodbot> The chair is jsmith. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:04:11 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:04:11 <zodbot> The meeting name has been set to 'fesco_(2018-08-06)'
15:04:13 <jsmith> #meetingname fesco
15:04:13 <zodbot> The meeting name has been set to 'fesco'
15:04:15 <jsmith> #chair nirik, maxamillion, jsmith, jwb, zbyszek, tyll, sgallagh, contyk, bowlofeggs
15:04:15 <zodbot> Current chairs: bowlofeggs contyk jsmith jwb maxamillion nirik sgallagh tyll zbyszek
15:04:17 <jsmith> #topic init process
15:04:19 <contyk> .hello psabata
15:04:20 <zodbot> contyk: psabata 'Petr Šabata' <psabata@redhat.com>
15:04:23 <jsmith> .hello jsmith
15:04:24 <zbyszek> .hello2
15:04:24 <zodbot> jsmith: jsmith 'Jared Smith' <jsmith.fedora@gmail.com>
15:04:26 <nirik> .hello kevin
15:04:27 <zodbot> zbyszek: zbyszek 'Zbigniew Jędrzejewski-Szmek' <zbyszek@in.waw.pl>
15:04:30 <zodbot> nirik: kevin 'Kevin Fenzi' <kevin@scrye.com>
15:04:37 * jsmith can't figure out why the # wouldn't get added to his clipboard
15:04:39 * nirik has a hard stop in not long... have to head out for the airport
15:04:44 <maxamillion> .hello2
15:04:47 <zodbot> maxamillion: maxamillion 'Adam Miller' <maxamillion@gmail.com>
15:05:10 <zbyszek> I'm sorry I wasn't here last week — travel.
15:05:14 <jsmith> I'll have to head to the airport in an hour as well.
15:05:22 <jsmith> So let's try to make this quick :-)
15:05:37 <maxamillion> +1
15:05:42 <maxamillion> same
15:05:46 <jsmith> #topic Discussed and voted in tickets
15:06:09 <jsmith> #info Tickets 1953 and 1954 were discussed and voted on in tickets, and were both approved.
15:06:36 <jsmith> #topic Follow-ups
15:06:50 <jsmith> #topic #1935 [Security] Remove packages which has a consistent bad security record from the distribution
15:06:58 <jsmith> .fesco 1935
15:06:59 <zodbot> jsmith: Issue #1935: [Security] Remove packages which has a consistent bad security record from the distribution. - fesco - Pagure - https://pagure.io/fesco/issue/1935
15:07:06 <jsmith> https://pagure.io/fesco/issue/1935
15:07:37 <zbyszek> I think we should just treat the CVE bugs the same as FTBFS bugs
15:08:03 <jsmith> zbyszek: All CVEs, or CVEs with a CVSS greater than or equal to some threshold?
15:08:11 * jsmith doesn't think all CVEs are created equal
15:08:36 <nirik> well, FTBFS bugs only trigger if they are unassigned/NEW right?
15:08:45 <zbyszek> IMPORTANT+ I guess.
15:09:18 <zbyszek> But even the lower-priority ones can be easily handled as WONTFIX/NEXTRELEASE/etc.
15:09:27 <jsmith> zbyszek: Well, I was thinking actual CVSS score, not just "IMPORTANT"/"CRITICAL"
15:09:33 <zbyszek> There is no need to keep them open if they will not be worked on and are not a problem.
15:09:48 <jsmith> Just to throw out a number -- say a CVSS score of 8.0 or higher.
15:09:50 <zbyszek> The CVSS score is often bogus
15:10:03 <maxamillion> metrics are fun :)
15:10:10 <zbyszek> There were a few cases in systemd where CVEs were used for trolling
15:10:10 <jsmith> zbyszek: No more bogus than "IMPORTANT"/"CRITICAL"
15:10:36 <zbyszek> But the severity field in bugzilla is under maintainer control, so they can reassign it if they wish.
15:10:52 <jsmith> I would prefer to focus on highest-priority first, and then eventually get to lower-priority CVEs
15:11:01 <jsmith> As it stands, the list is too long to begin to tackle...
15:11:12 <zbyszek> nirik: no, FTBFS bugs will trigger quickly if NEW, and with a long delay if ASSIGNED, but they will still do.
15:11:27 <jsmith> What I'd love to get to is "top 20 CVEs that need to be addressed in Fedora", and then have FESCo take a more active role in helping the maintainers get those addressed
15:11:41 <jsmith> But I can't start with a list of 10,000 or it's just overwhelming.
15:11:46 <zbyszek> jsmith: then we should kick imagemagick from the distro
15:12:10 * nirik hasn't looked at the latest crop, but the last pile fixed were... not that important
15:12:25 <jsmith> zbyszek: That well might be the right thing to do, but I want to see the list first, before arbitrarily poking at one particular package
15:13:04 * nirik proposes we kick this down the road/discuss at flock.
15:13:04 <jsmith> I mean -- even from the packages I maintain... I've been very vigilant in trying to keep on track of CVEs, but I know I still have some that need to be addressed, and some that just need the tickets to be closed.
15:13:09 <zbyszek> https://bugzilla.redhat.com/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&classification=Fedora&keywords=SecurityTracking%2C%20&keywords_type=allwords&list_id=9223947&order=component%2Cchangeddate%2Cpriority%2Cbug_id&product=Fedora&query_based_on=&query_format=advanced
15:13:17 <jsmith> Proposal: Discuss this at Flock
15:13:55 <maxamillion> +1
15:13:58 <jsmith> zbyszek: That list has 984 bugs... Like I said, it's overwhelming.
15:13:58 <zbyszek> Is there a good slot?
15:14:14 <nirik> well, the proposer of this has a talk about it. ;)
15:14:20 <zbyszek> Oh, right.
15:14:23 <contyk> :)
15:14:28 <contyk> +1 to the proposal then
15:14:31 <jsmith> zbyszek: Instead, I'd rather have a list of the top (10/20/50) most important (either by CVSS score, or by being part of critical path, or some other criteria), and work from that.
15:14:42 <nirik> well, about security team in general
15:14:44 <jsmith> I'm +1 to the proposal
15:14:50 <nirik> +1
15:14:58 <contyk> although it won't be logged
15:14:58 <zbyszek> sure, +1
15:15:12 <jsmith> contyk: I'll try to take notes
15:15:21 <zbyszek> I hope we can all commit to being there at the talk, so that the discussion does not split
15:16:01 * contyk checks the schedule
15:16:04 <jsmith> #agreed #1935 Defer the discussion to Flock, and encourage FESCo members to attend the Security Team talk. (+1:5,+0:0,-1:0)
15:16:16 <jsmith> #topic New Business
15:16:28 <contyk> Wednesday 4.40?
15:16:40 <jsmith> #topic #1394 F29 Self Contained Change: Minishift Spin
15:16:47 <jsmith> .fesco 1394
15:16:49 <zodbot> jsmith: Issue #1394: Use timedatex when an NTP package is installed - fesco - Pagure - https://pagure.io/fesco/issue/1394
15:16:55 <jsmith> Oops, that's not right.
15:16:58 <jsmith> I might have a typo
15:17:24 * jsmith is totally made out of fail today
15:17:37 <contyk> it's too hot to think properly
15:17:39 <jsmith> .fesco 1934
15:17:40 <zodbot> jsmith: Issue #1934: F29 Self Contained Change: Minishift Spin - fesco - Pagure - https://pagure.io/fesco/issue/1934
15:17:47 <jsmith> https://pagure.io/fesco/issue/1934
15:18:22 <zbyszek> Frankly, I think the change page could use more love, but the essentials are there...
15:18:25 <jsmith> We've got two +1s in the comments on the ticket
15:18:31 <jsmith> (myself and zbyszek)
15:18:53 * nirik rechecks the change page
15:19:05 * contyk does as well
15:19:19 <jsmith> There's a link to the updates in the ticket
15:19:30 <jsmith> (There weren't a lot of updates...)
15:19:31 <contyk> well, it's still pretty brief but +1 to the change
15:19:33 <nirik> +1 here (can add in ticket too if you like)
15:19:40 <jsmith> maxamillion: ?
15:19:48 <maxamillion> +1
15:20:15 <jsmith> OK, that's five votes
15:20:20 <maxamillion> sorry, multi-tasking badly
15:20:38 <jsmith> #agreed Fesco #1934 Spin is approved (+1:5,+0:0,-1:0)
15:20:41 <jsmith> #topic #1955 Let's get rid of filedeps (FESCo edition)
15:20:41 <jsmith> .fesco 1955
15:20:41 <jsmith> https://pagure.io/fesco/issue/1955
15:20:42 <zodbot> jsmith: Issue #1955: Let's get rid of filedeps (FESCo edition) - fesco - Pagure - https://pagure.io/fesco/issue/1955
15:20:54 <jsmith> This one probably warrants a little more discussion
15:21:04 <jsmith> (And if you haven't read, there's discussion in the ticket)
15:21:19 <nirik> yeah, I think we need to hear from dnf folks
15:22:01 <contyk> I think the entire dnf team will be at flock
15:22:12 <contyk> just saying
15:22:22 * nirik nods
15:22:36 <jsmith> Proposal: Defer decision until after Flock
15:22:46 <contyk> +1
15:22:47 <zbyszek> Hmm
15:23:36 <zbyszek> Why not just ask the dnf developers now?
15:23:36 <maxamillion> +1
15:24:00 <contyk> not sure if they are around
15:24:27 <jsmith> Would be nice to give them a little advanced warning, and let them more clearly articulate their opinions
15:25:06 <zbyszek> I can send a mail to the right mailing list, and ask for input.
15:25:11 <nirik> sure. what's the best way to ask? upstream issue?
15:25:13 <jsmith> zbyszek: Sounds like a great plan...
15:25:42 <jsmith> nirik: Mailing list and the upstream issue seem like logical choices
15:26:11 <zbyszek> Is rpm-ecosystem@ the right mailing list?
15:26:39 * jsmith has lost track over the last few years, and doesn't really know
15:27:22 <zbyszek> OK, I'll ask around.
15:27:28 <zbyszek> +1 to "defer" then
15:29:27 <jsmith> nirik: Can I assume you're a +1 to the proposal then?
15:29:39 <nirik> yeah, +1, sorry
15:30:17 <jsmith> #agreed Defer decision on #1955 until after Flock (and a chance to talk with the DNF team) (+1:5,+0:0,-1:0)
15:30:23 <jsmith> #topic Next Week's Chair
15:30:35 <jsmith> Meeting next week?  Push off an extra week due to Flock?
15:30:42 <jsmith> Any volunteers?
15:30:57 * jsmith will be stuck in a data center with limited availability/connectivity next Monday
15:31:13 <contyk> well, I'm getting home on Sunday evening so I'll be around
15:31:16 * nirik will be traveling next monday
15:31:18 <maxamillion> yeah, I won't be around next Monday because of travel but I can take the one after that
15:31:31 * zbyszek should be there
15:31:34 <contyk> if most of you will be gone, we won't have quorum
15:31:40 <jsmith> Proposal: Next meeting on Aug 20th with maxamillion as chair
15:31:44 <jsmith> +1
15:31:49 <maxamillion> +1
15:31:52 <zbyszek> +1
15:32:11 <contyk> +1
15:32:22 <jsmith> nirik?
15:32:32 <nirik> sure, ++1
15:32:37 <nirik> +1 even
15:32:38 <jsmith> Guess we don't really need quorum on this decision :-)
15:32:54 <jsmith> #agreed maxamillion to chair next meeting on Aug 20th
15:32:58 <jsmith> #topic Open Floor
15:33:01 <mhroncok> since the next meeting is in 14 days, could you please respond to https://pagure.io/fesco/issue/1965 before that? we can discuss it at flock or do it now
15:33:18 <mhroncok> (I've sent a reply to the agenda e-mail)
15:33:46 <jsmith> Sure...
15:33:51 <mhroncok> thanks
15:34:09 <jsmith> mhroncok: Just some quick feedback -- are those packages all leaf nodes?  Are any of them needed by any critical path packages?
15:34:37 <nirik> I think we should be able to vote in ticket on that one...
15:34:42 <maxamillion> lol, is subscription-manager really going to get retired?
15:34:47 <zbyszek> mhroncok: do we need to do anything different than normal FTBFS policy? Those packages would be retired soonish anyway.
15:34:47 <mhroncok> jsmith: I can do the check, we can add the requirement to the criteria for retirement
15:34:58 <jsmith> mhroncok: That would be useful :-)
15:35:09 <mhroncok> maxamillion: the subscription-manager that is soo desperately needed in Fedora? :D
15:37:04 <mhroncok> jsmith: I'm Ok if we say "leaf packages"
15:37:22 <mhroncok> zbyszek: soon enough?
15:37:24 <jsmith> mhroncok: Thanks :-)
15:37:38 * jsmith added a note to the ticket
15:37:40 <mhroncok> zbyszek: isn't that half year thing? cannot remember
15:38:15 <zbyszek> mhroncok: right, not soon enough. So ignore my comment.
15:39:16 <zbyszek> So, I think it would be better to vote on this now, because the retirement is supposed to happen in two weeks
15:40:38 <zbyszek> Proposal: approve the proposed schedule, so that mhroncok can send out notifications sooner rather than later
15:40:43 <jsmith> zbyszek: I'm ready to vote +1 right now, but we typically leave tickets for a week for discussion before voting.
15:41:00 <jsmith> I'm fine with voting now, if others are as well...
15:41:22 <contyk> it feels a little rushed
15:41:38 <jsmith> What if we agree to vote by next Monday?
15:41:44 <jsmith> (even though there's no meeting next Monday)
15:41:52 <jsmith> Does that sound like a reasonable compromise?
15:42:03 <jsmith> mhroncok: Does that timetable work for you?
15:42:15 <mhroncok> we can move the retirement to the future
15:42:23 * nirik would prefer to have more time to look... probably +1, but want to look at the list more closely
15:42:27 <mhroncok> I only assumed beta freeze is a good pijtn in the schedule
15:42:38 <mhroncok> *point
15:43:11 <maxamillion> I'm interested in RelEng's thoughts, just to make sure there's no unknown/unforeseen side effects of losing a package they end up needing
15:43:27 <jsmith> maxamillion: Agreed -- would be useful to get their input.
15:43:56 <jsmith> Proposal: FESCo members, please review and vote in the ticket as quickly as possible.
15:44:01 <maxamillion> +1
15:44:03 <jsmith> +1
15:44:09 <zbyszek> +1
15:44:28 * zbyszek has voted in the ticket
15:45:31 <zbyszek> I have something else for open floor
15:47:05 <jsmith> nirik, contyk?
15:47:10 <jsmith> zbyszek: Sure... just one second...
15:47:18 <nirik> +1 to voting in ticket
15:47:36 <contyk> +1
15:47:41 <mhroncok> thanks
15:48:04 <jsmith> #agreed FESCo members to vote in ticket 1965 as quickly as possible. (+1:5,+0:0,-1:0)
15:48:14 <jsmith> zbyszek: Go ahead :-)
15:48:34 <zbyszek> There's a mass bug filing happening for "man page issues"
15:48:35 <zbyszek> https://bugzilla.redhat.com/show_bug.cgi?id=1600386
15:48:53 <zbyszek> But afaict, it's all false positives.
15:49:07 <nirik> yeah. ;( I asked them to discuss on devel list when they filed the tracker... but they didn't seem to understand.
15:49:14 <mhroncok> (also the bug text is extremely unhelpful)
15:49:22 <nirik> well, some of mine are that man pages are missing...
15:49:46 <nirik> which is true, but what's the recommended action? should I write one? ask upstream to? just hope for one?
15:49:55 <zbyszek> Do we want to ask them to stop and rethink the approach?
15:50:40 <zbyszek> Some of the bugs were private, which is even more annoying
15:51:10 <jsmith> zbyszek: At first glance, without fully reading into the issue, my gut reaction is "Yeah, we should be thoughtful and deliberate in our approach"
15:51:35 <nirik> I'm not sure where best to have the dialog, but yes, we should talk to them...
15:51:41 <nirik> devel list? fesco ticket?
15:52:10 <jsmith> I'd prefer to start with the mailing list, then move to a ticket as necessary
15:53:55 <nirik> ok, would someone want to start a thread? I'd hope we can be gentle... it's nice that someone cares about man pages. :)
15:55:20 <nirik> I guess I can, but of course travel may make it take a bit
15:55:50 <maxamillion> I need to bail, safe travels to all who are going to Flock!
15:55:51 * maxamillion &
15:56:02 <zbyszek> maxamillion: see you at Flock
15:56:14 <maxamillion> +1
15:56:47 <zbyszek> nirik: that'd be nice
15:56:58 <nirik> maxamillion: safe travels.
15:57:29 <zbyszek> Maybe it's another thing to discuss at Flock. mnalband is based in Brno, so she might be at Flock too.
15:58:12 <jsmith> Proposal: Try to talk to mnalband at Flock, otherwise defer to our next meeting
15:58:31 <zbyszek> sure, +1
15:59:05 <contyk> +1
15:59:12 <nirik> or try flock, devel list thread otherwise?
15:59:25 <contyk> should we reserve a slot for fesco discussions?
15:59:30 <contyk> there are too many things already
15:59:49 <contyk> maybe that SIGs slot on Thursday?
16:01:02 <jsmith> #agreed Try talking with mnalband at Flock about RHBZ1600386, then try a thread on the devel list next
16:01:03 <nirik> yeah
16:01:13 <nirik> +1
16:01:39 <jsmith> Anything else for the open floor?
16:03:02 <jsmith> Lighting the fuse...
16:03:22 <jsmith> #endmeeting