19:00:02 <zbyszek_> #startmeeting FESCO (2022-01-03) 19:00:02 <zodbot> Meeting started Mon Jan 3 19:00:02 2022 UTC. 19:00:02 <zodbot> This meeting is logged and archived in a public location. 19:00:02 <zodbot> The chair is zbyszek_. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions. 19:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 19:00:02 <zodbot> The meeting name has been set to 'fesco_(2022-01-03)' 19:00:02 <zbyszek_> #meetingname fesco 19:00:02 <zodbot> The meeting name has been set to 'fesco' 19:00:02 <zbyszek_> #chair nirik, decathorpe, zbyszek, sgallagh, mhroncok, dcantrell, mboddu, tstellar, Conan_Kudo, Pharaoh_Atem, Son_Goku, King_InuYasha, Sir_Gallantmon, Eighth_Doctor 19:00:02 <zbyszek_> #topic init process 19:00:02 <zodbot> Current chairs: Conan_Kudo Eighth_Doctor King_InuYasha Pharaoh_Atem Sir_Gallantmon Son_Goku dcantrell decathorpe mboddu mhroncok nirik sgallagh tstellar zbyszek zbyszek_ 19:00:12 <zbyszek_> .hello2 19:00:13 <zodbot> zbyszek_: Sorry, but user 'zbyszek_' does not exist 19:00:28 <mhroncok> .hello churchyard 19:00:29 <zodbot> mhroncok: churchyard 'Miro Hrončok' <mhroncok@redhat.com> 19:00:33 <zbyszek_> .hello zbyszek 19:00:34 <zodbot> zbyszek_: zbyszek 'Zbigniew Jędrzejewski-Szmek' <zbyszek@in.waw.pl> 19:00:39 <tstellar> .hello tstellar 19:00:40 <zodbot> tstellar: tstellar 'Tom Stellard' <tstellar@redhat.com> 19:01:14 <decathorpe> .hello2 19:01:15 <zodbot> decathorpe: decathorpe 'Fabio Valentini' <decathorpe@gmail.com> 19:02:50 <zbyszek> Just four of us? 19:02:53 <mhroncok> seems so 19:03:38 <Eighth_Doctor> hey 19:03:40 <Eighth_Doctor> .hello ngompa 19:03:41 <zodbot> Eighth_Doctor: ngompa 'Neal Gompa' <ngompa13@gmail.com> 19:03:52 <zbyszek> So that's quorum, let's start. 19:03:59 <zbyszek> #topic meeting time 19:04:21 <mhroncok> not sure if we can determine the time with just 5 of us 19:04:29 <mhroncok> but curious to see the results 19:04:40 <zbyszek> https://whenisgood.net/fesco-2021-december/results/h2xch99 are the results so far 19:05:14 <decathorpe> that's better than last time? 19:05:19 <mhroncok> and the results are in UTC, correct? 19:05:31 <zbyszek> UTC, yes. 19:05:47 <mhroncok> better, but only 6 people incl. bcotton have responded 19:05:49 <zbyszek> decathorpe: only six "votes" so far. I assume we'll go down to zero slots very quickyl. 19:06:20 <zbyszek> Eighth_Doctor: please fill it out. 19:06:39 <zbyszek> Anyway, we can't decide with just 5 of us, so let's move to the next topic. 19:06:52 <zbyszek> #topic #2711 F36 Change: Enable fs-verity in RPM 19:06:52 <zbyszek> .fesco 2711 19:06:54 <zodbot> zbyszek: Issue #2711: F36 Change: Enable fs-verity in RPM - fesco - Pagure.io - https://pagure.io/fesco/issue/2711 19:07:11 <tstellar> I'm going to need to drop after 30 minutes today (still on holiday). 19:09:17 <robertosassu> hi (not sure if I could talk in this meeting) 19:09:24 <mhroncok> robertosassu: you can 19:09:28 <zbyszek> robertosassu: hi, thanks for joining. 19:09:37 <robertosassu> hi everyone 19:09:54 * mhroncok has not yet checked the discussion on the list after the holidays 19:10:07 <robertosassu> I´m working on the PGP keys/signatures patch set 19:10:24 <robertosassu> which would help both this feature and DIGLIM 19:11:36 <zbyszek> robertosassu: can you say a bit how the PGP sigs could be used with fs-verity? 19:11:48 <zbyszek> (per file pgp signatures?) 19:11:59 <robertosassu> yes 19:12:13 <robertosassu> I understood there is already support for signatures in rpm for fsverity 19:12:21 <robertosassu> but in PKCS#7 format 19:13:01 <robertosassu> I don´t remember now the data structure, but we would need to differentiate the two types of signatures 19:13:19 <robertosassu> the PGP verification will be very similar to the PKCS#7 one 19:13:36 <robertosassu> I´m introducing similar functions, so that we just need a switch() 19:14:12 <robertosassu> the idea would be to sign the same data structure 19:14:31 <robertosassu> except that for PGP, rpm would use its own key, passed likely by the build service 19:15:10 <robertosassu> it should be a small change in the rpm source code 19:15:33 <zbyszek> robertosassu: thanks. This could be useful. 19:15:53 <robertosassu> and at the same time, we could do IMA appraisal of RPM headers 19:16:08 <robertosassu> with the existing Fedora keys 19:16:27 <robertosassu> I will mention both use cases in the patch set 19:17:10 <zbyszek> My biggest problem with both fs-verity and your proposal is that I don't see the "big picture" of how this is all supposed to work together. 19:17:38 <robertosassu> ok 19:17:57 <robertosassu> actually the two features would work in a different way 19:18:00 <zbyszek> I know that the parts that are being proposed now are building blocks for future more complicated schemes 19:18:19 <robertosassu> this feature proposes to add signatures in the RPM headers 19:18:46 <zbyszek> This is OK, in particular when we are talking about adding features that have no significant cost when not actively used, 19:19:08 <zbyszek> but starts being problematic when we're talking about adding something that'll be actively supported by the distro. 19:19:31 <robertosassu> ok, so enforcement with this feature will be done by fsverity itself, or IMA (also IPE, not yet accepted) 19:19:51 <robertosassu> the rpm plugin installs signatures for each file 19:20:07 <robertosassu> taken from the RPM headers 19:20:45 <mhroncok> (I am not sure this gets us anywhere here) 19:21:12 <zbyszek> I think we should continue the discussion on the mailing list… 19:21:49 <robertosassu> yes, probably emails would be easier 19:21:59 <Eighth_Doctor> I'm not sure the mailing list discussion is very productive at the moment :( 19:22:00 <Eighth_Doctor> but otherwise, I agree 19:22:32 <Eighth_Doctor> complex security features like this seem to be very poorly understood and there's a lot of conflating with other concepts 19:23:02 <zbyszek> I think we can assume that this all material for F37… Making changes to multiple low-level components within a months seems unrealistic. 19:23:03 <Eighth_Doctor> only reason I understand it well is because I've gotten some grounding by folks working on fsverity in Fedora for the past year or so 19:23:33 <Eighth_Doctor> I think it's reasonable to get the infra and userspace stuff shipped in F36 19:24:07 <Eighth_Doctor> but the kernel part is doomed, as I don't think the patches were proposed for Linux 5.17 19:24:31 <robertosassu> no, at least for DIGLIM there is no immediate plan of acceptance 19:24:52 <Eighth_Doctor> unless that happens and it gets accepted by the relevant subsystem maintainer upstream, it's unlikely to be enabled for F36, and that would push it to F37 19:25:43 <robertosassu> given that DIGLIM is mostly self-contained, there would be a chance to ship it with Fedora even if it is not accepted by upstream? 19:25:53 <zbyszek> robertosassu: yeah, getting the kernel patches accepted is the most important part. 19:26:00 <zbyszek> No, I don't think this is likely. 19:26:23 <robertosassu> could the feature be accepted before the patches are accepted? 19:26:30 <robertosassu> maybe it would help with the acceptance 19:26:45 <robertosassu> in upstream 19:26:52 <Eighth_Doctor> right, and upstream acceptance is mandatory for Fedora features requiring kernel enablement 19:27:00 <zbyszek> The feature could be accepted, if/when we know that the kernel parts are on their way. 19:27:11 <mhroncok> (we will loose quorum in 3 minutes) 19:27:13 <robertosassu> ok 19:27:21 <robertosassu> thanks for the explanation 19:27:27 <zbyszek> Yeah, let's continue this on the mailing list. 19:27:37 <zbyszek> robertosassu: thanks for coming 19:27:39 <zbyszek> #topic #2713 F36 Change: Make Rescue Mode Work With Locked Root 19:27:40 <zbyszek> .fesco 2713 19:27:41 <zodbot> zbyszek: Issue #2713: F36 Change: Make Rescue Mode Work With Locked Root - fesco - Pagure.io - https://pagure.io/fesco/issue/2713 19:27:42 <robertosassu> welcome 19:28:04 <robertosassu> bye 19:28:34 <zbyszek> So… I commented on the ticket. Any other opinions? 19:28:56 <Eighth_Doctor> robertosassu: we can do conditional acceptance 19:29:03 <Eighth_Doctor> we've done it for kernel features before 19:29:23 <mhroncok> not toher opinions by me yet, sorry 19:29:28 <mhroncok> *no other 19:30:04 <Eighth_Doctor> I think if it's not okay for normal fedora, we should remove it from FCOS too 19:30:29 <Eighth_Doctor> from a security perspective, there is no functional difference between FCOS and Fedora 19:30:45 <decathorpe> zbyszek: I think you're probably the best informed person wrt/ this topic, so I agree with you ;) 19:31:16 <Eighth_Doctor> zbyszek: my opinion is that I'll go with whatever we do if we consistently apply it 19:31:27 <Eighth_Doctor> if we don't like this solution, then we need to rip it out of FCOS too 19:31:34 <Eighth_Doctor> because it's already there 19:31:39 <zbyszek> FCOS: I agree. 19:31:47 <zbyszek> *Eighth_Doctor 19:32:08 <Eighth_Doctor> the whole reason this change was proposed was that we discovered it was done in FCOS and everyone seemed fine with it 19:32:27 <Eighth_Doctor> but if we're not fine with it, then we need to fix that 19:32:58 <zbyszek> Eighth_Doctor: right. 19:33:49 <tstellar> I need to drop now. 19:33:51 <zbyszek> OK, so… do we want to vote on this now? (I'd prefer not, and wait for more votes in the ticket.) 19:34:03 <zbyszek> tstellar: ack, see you next week. 19:34:28 <Eighth_Doctor> I don't care one way or another 19:34:58 <mhroncok> we can no longer vote anyway 19:35:04 <zbyszek> Yeah, let's wrap this up. 19:35:23 <zbyszek> I'll skip the next topic, since we can't vote anyway. 19:35:29 <zbyszek> #topic Next week's chair 19:35:39 <mhroncok> I wnated to talk about tlp a bit 19:35:43 <mhroncok> even without voting 19:35:47 <zbyszek> #undo 19:35:47 <zodbot> Removing item from minutes: <MeetBot.items.Topic object at 0x7fb5ef0e8080> 19:36:06 <zbyszek> #topic TLP 19:36:16 <zbyszek> .fesco 2725 19:36:17 <zodbot> zbyszek: Issue #2725: tlp package deliberately breaks power-profiles-daemon package - fesco - Pagure.io - https://pagure.io/fesco/issue/2725 19:36:24 <decathorpe> yeah this seems obviously against the rules :/ 19:36:34 <Eighth_Doctor> this package is very against the rules :( 19:36:57 <mhroncok> ok, it seems it is, but how is this urgent? 19:37:09 <mhroncok> I mean, it is this way for months, apparently 19:37:25 <decathorpe> it's not installed by default, is it? 19:37:26 <mhroncok> so now they come to fesco and we need to decide it via fast track? 19:37:52 <Eighth_Doctor> Fabio Valentini (decathorpe): it's not installed by default, but the power-profiles-daemon mask is new 19:38:01 <Eighth_Doctor> that's how the issue was detected in the first place 19:38:26 <Eighth_Doctor> https://src.fedoraproject.org/rpms/tlp/c/4432f18ccc1e21f82afb18eefc11ebdbb2f5d033 19:38:59 <Eighth_Doctor> it's also calling `systemctl enable`, which we don't allow either 19:39:40 <mhroncok> I mean, should we strive to initiate a discussion between the reporters and the maintainrs? 19:40:37 <zbyszek> I agree that fast-track seems unnecessary, if just uninstalling the package is a viable workaround. 19:40:45 <Eighth_Doctor> maybe, though hadess apparently tried 19:43:06 <mhroncok> apparently they did, but I think we should give them a chance to respond to the ticket 19:43:18 <mhroncok> honestly, I think this should be discussed on the devel list instead of fesco 19:43:34 <Eighth_Doctor> and also, having Plasma crash because of this is pretty bad 19:43:47 <Eighth_Doctor> I don't know if the same problem would also happen with GNOME 19:44:06 <Eighth_Doctor> (I kinda don't want to find out on my computers, I like having working power management) 19:44:20 <zbyszek> Eighth_Doctor: so I think Plasma needs to be fixed independently of the changes in tlp. 19:44:37 <zbyszek> It must not crash just because an unrelated dbus service is not active. 19:45:03 <Eighth_Doctor> well, powerprofilesctl is what causes it to come down 19:45:05 <Eighth_Doctor> but sure 19:45:40 <zbyszek> Also powerprofilesctl, a triple backtrace because a service is not active. It needs to be fixed to print a single-line error message. 19:46:12 <Eighth_Doctor> fundamentally, this issue was only discovered last month after a bunch of triaging on RHBZ 19:46:22 <Eighth_Doctor> s/triaging/troubleshooting/ 19:48:01 <zbyszek> Hmm, 'powerprofilesctl foobar' just … returns 0. 19:48:36 <zbyszek> Also 'powerprofilesctl -h'. 19:49:33 <zbyszek> Anyway, let's move on. Eighth_Doctor: would it be OK to take down the fast-track designation? 19:49:44 <Eighth_Doctor> sure 19:49:54 <mhroncok> thanks 19:50:04 <Eighth_Doctor> I would personally want this taken care of quickly, because I think hadess is going to go nuclear if we don't 19:50:18 <Eighth_Doctor> and I'd rather not have him go nuclear on us 19:50:34 <mhroncok> that should not be our motivation, should it? 19:50:57 <zbyszek> That would not be power-conserving, contrary to the goals of both power-profiles-daemon and tlp ;) 19:51:50 <zbyszek> #info we'll drop fast-track for now 19:51:55 <zbyszek> #topic Next week's chair 19:51:57 <Eighth_Doctor> mhroncok: well I'd like this fixed for Plasma users, but that's _my_ primary motivation 19:52:07 <mhroncok> understood 19:52:13 <zbyszek> Volunteers? 19:52:27 <mhroncok> I have an important hink next day morning, so I'd rather not 19:52:33 <mhroncok> but technically, I should be available 19:52:43 <mhroncok> s/hink/thing/ 19:52:55 * mhroncok makes multiple typos in single words :( 19:53:23 <Eighth_Doctor> I'm on-call next week at work, so I'd rather not 19:53:48 <zbyszek> I'm not sure if decathorpe is still with us, or just awfully quiet 19:54:15 <zbyszek> #action zbyszek will chair next meeting 19:54:15 <zbyszek> #topic Open Floor 19:54:26 <mhroncok> zbyszek: thanks 19:55:10 <zbyszek> I assume that if y'all will get bored with me as chair, somebody will volunteer :) 19:55:22 <zbyszek> I hope there's nothing for open floor. I'll close in a minute. 19:55:56 <mhroncok> zbyszek++ 19:55:56 <zodbot> mhroncok: Karma for zbyszek changed to 4 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 19:56:20 <zbyszek> #endmeeting