17:00:53 <decathorpe> #startmeeting FESCo (2022-07-12) 17:00:53 <zodbot> Meeting started Tue Jul 12 17:00:53 2022 UTC. 17:00:53 <zodbot> This meeting is logged and archived in a public location. 17:00:53 <zodbot> The chair is decathorpe. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions. 17:00:53 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 17:00:53 <zodbot> The meeting name has been set to 'fesco_(2022-07-12)' 17:00:57 <decathorpe> #meetingname fesco 17:00:57 <zodbot> The meeting name has been set to 'fesco' 17:01:13 <decathorpe> #chair nirik, decathorpe, zbyszek, sgallagh, mhroncok, dcantrell, music, mhayden, Conan_Kudo, Pharaoh_Atem, Son_Goku, King_InuYasha, Sir_Gallantmon, Eighth_Doctor 17:01:13 <zodbot> Current chairs: Conan_Kudo Eighth_Doctor King_InuYasha Pharaoh_Atem Sir_Gallantmon Son_Goku dcantrell decathorpe mhayden mhroncok music nirik sgallagh zbyszek 17:01:23 <decathorpe> #topic Init Process 17:01:30 <sgallagh> .hi 17:01:30 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com> 17:01:31 <nirik> morning everyone. 17:01:38 <dcantrell> .hello2 17:01:39 <zodbot> dcantrell: dcantrell 'David Cantrell' <dcantrell@redhat.com> 17:01:45 <salimma> .hi 17:01:46 <zodbot> salimma: salimma 'Michel Alexandre Salim' <michel@michel-slm.name> 17:01:54 <davide> .hello dcavalca 17:01:54 <dcantrell> nirik: EHLO 17:01:56 <zodbot> davide: dcavalca 'Davide Cavalca' <dcavalca@fb.com> 17:02:07 <zbyszek[m]> Fabio Valentini: meeting? 17:02:17 <zbyszek[m]> .hello2 17:02:18 <zodbot> zbyszek[m]: Sorry, but user 'zbyszek [m]' does not exist 17:02:25 <salimma> zbyszek: Fabio started it already 17:02:33 <zbyszek[m]> Pff, I'm on a train and I'm apparently having huge lag. 17:02:42 <zbyszek[m]> Sorry if I respond out of context. 17:03:00 <sgallagh> I wish I had that excuse. 17:03:11 <zbyszek[m]> I'll have to disembark at :40 too. 17:03:35 <nirik> dcantrell: 501 Syntax: EHLO hostname :) 17:03:45 <dcantrell> nirik: haha :) 17:04:47 <decathorpe> ok, I count 7 members as present, I think we can start? 17:05:13 <decathorpe> or rather, 6 members and one audience 17:05:57 <Eighth_Doctor> .hello ngompa 17:05:58 <MichaelCatanzaro> .hello catanzaro 17:05:59 <zodbot> Eighth_Doctor: ngompa 'Neal Gompa' <ngompa13@gmail.com> 17:06:02 <zodbot> MichaelCatanzaro: catanzaro 'Michael Catanzaro' <mcatanza@redhat.com> 17:06:08 <OwenTaylor[m]> .hello otaylor 17:06:09 <zodbot> OwenTaylor[m]: otaylor 'Owen Taylor' <otaylor@redhat.com> 17:07:10 <decathorpe> #link https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/S26Y3HFGRK2EWDO6FDCTSCGHMJY54ZXZ/ Schedule 17:07:15 <salimma> Fabio Valentini: I think dcavalca and I are both audience 17:07:20 <dustymabe> .hi 17:07:21 <zodbot> dustymabe: dustymabe 'Dusty Mabe' <dusty@dustymabe.com> 17:07:38 <decathorpe> right. I can't count 17:07:53 <bcotton> .hello2 17:07:54 <zodbot> bcotton: bcotton 'Ben Cotton' <bcotton@redhat.com> 17:07:56 <decathorpe> any particular preference for the order our topics? 17:08:35 <zbyszek[m]> We'll have to vote through acclamation 17:09:12 <decathorpe> meh. 17:09:30 <decathorpe> #topic Change: Deprecate openssl1.1 package 17:09:35 <decathorpe> .fesco 2821 17:09:37 <zodbot> decathorpe: Issue #2821: Change: Deprecate openssl1.1 package - fesco - Pagure.io - https://pagure.io/fesco/issue/2821 17:09:58 <decathorpe> last update: the change owners were unable to update their proposal 17:10:17 <nirik> sounds like we should wait a week until they can? 17:10:26 <decathorpe> given that there's been multiple -1 votes on the current version, do we want to wait until next week? 17:10:40 <zbyszek[m]> No, there's been another update half an hour ago 17:10:52 <zbyszek[m]> > @decathorpe I kindly ask to discuss also a limited version of the proposal 17:11:00 <zbyszek[m]> bbl 17:11:10 * nirik is fine waiting, I would be +1 to a more limited version that just marked the package as deprecated... 17:11:15 <decathorpe> Does that mean adding "Provides: deprecated()" to the openssl1.1 packages? 17:11:53 <decathorpe> The most recent comment isn't clear wrt/ what "limited version" means. 17:12:08 <Eighth_Doctor> I wouldn't want to vote on it without a concrete update 17:12:17 <dcantrell> right, and the change proposal page still hasn't changed since July 1 17:12:18 <zbyszek[m]> That's how I understood it. 17:12:18 <Eighth_Doctor> as the proposal stands, I'm -1 17:12:18 <music[m]> Likewise, I will +1 if the limited version is just the usual depreciation process, but there doesn’t seem to be a concret proposal yet. 17:13:15 <sgallagh> OpenSSL is really a special case though. 17:13:38 <zbyszek[m]> proposal: say "please adjust the page to the new scope" in the ticket and revisit next week. 17:13:41 <sgallagh> It's an incredible amount of work to keep it alive and in sync with 3.x 17:14:36 <decathorpe> It also would put an incredible amount of work on the maintainers of affected packages if openssl1.1-devel were just dropped. I don't think that would be fair. 17:15:00 <zbyszek[m]> Yeah, I think it's less disruption to the distro to keep it limping along. 17:15:00 <nirik> zbyszek[m]: +1 17:15:18 <dcantrell> zbyszek[m]: +1 17:15:33 <sgallagh> Can we perhaps look into getting a regular (weekly? Monthly?) report to the devel list of packages still requiring 1.1 at runtime? 17:15:53 <decathorpe> Something similar to what happened with Python2 ? 17:16:06 <sgallagh> I think we should at least be advocating for getting people to move up to a supportable crypto library 17:16:12 <Eighth_Doctor> also openssl1.1 is still maintained in RHEL 8 17:16:25 <Eighth_Doctor> so keeping it at least in sync with that is I think workable 17:16:44 <sgallagh> Conan Kudo: You'd be surprised how difficult that can still be 17:17:01 <sgallagh> Since RHEL has much more stringent policies on available algorithms than Fedora does 17:17:16 <Eighth_Doctor> but those are managed by crypto-policies, which is external to openssl 17:17:29 <sgallagh> It's less external than we'd like it to be :-/ 17:18:13 <music[m]> In the ticket, I suggested that the change owners might benefit from setting up a tracking bug and filing “warning” bugs on packages still using 1.1. 17:18:48 <decathorpe> Right. That's all good feedback, but the Change hasn't been updated yet. 17:19:01 <decathorpe> which leads me to ... Proposal: Give Change owners another week to update their Change proposal or work out a concrete plan for a more limited version. 17:19:54 <nirik> as zbyszek[m] proposed a bit ago.... :) but still +1 17:20:08 <sgallagh> Honestly, I'd almost be in favor of just announcing "We'll leave OpenSSL 1.1 in the distro, but it will receive no regular or security updates after $DATE" 17:20:20 <decathorpe> nirik: let's just make it official ;) 17:20:27 <dcantrell> decathorpe: +1 17:20:34 <sgallagh> In any case, +1 to giving them one more week 17:21:17 <MichaelCatanzaro> sgallagh: You would leave a security-critical library in the distro, receiving no security updates? 17:21:35 <sgallagh> Note the word "almost" :) 17:22:35 <decathorpe> Conan Kudo music zbyszek vote? 17:22:38 <Eighth_Doctor> +1 to one more week 17:23:24 <zbyszek[m]> Fabio Valentini: +1 to your proposal too 17:24:07 <music[m]> i am +1 to allowing one more week 17:24:32 <zbyszek[m]> Is python2.7/3.6/3.7 also marked as deprecated? 17:24:54 <decathorpe> #agree Give change owners one more week to update their proposal (+7, 0, -0) 17:24:55 <zbyszek[m]> Also what about pypy? Is anyone using that? If we can't update it to openssl-3.0, mark it as deprecated too? 17:25:22 <decathorpe> Can we move discussion of the technical side of things to the mailing list? 17:26:09 <decathorpe> because I'd like to move on to the next topic, otherwise it's going to be a long meeting. 17:26:30 <zbyszek[m]> Yes please. 17:26:51 <decathorpe> #topic #2828 Change: Unfiltered Flathub 17:26:54 <decathorpe> .fesco 2828 17:26:55 <zodbot> decathorpe: Issue #2828: Change: Unfiltered Flathub - fesco - Pagure.io - https://pagure.io/fesco/issue/2828 17:27:32 <zbyszek[m]> I'm +1 17:27:39 <Eighth_Doctor> -1 17:28:08 <decathorpe> So you want to vote synchronously, or do we need to discuss something? 17:28:31 <zbyszek[m]> (As long as the user can clearly see whether they are installing rpm or flatpak, and change the choice. From the discussion on the list, this is the case at least with gnome-software.) 17:28:48 <Eighth_Doctor> as long as we don't have vendor preferences in gnome-software, I don't want this 17:28:53 <gotmax[m]> zbyszek: Yes, but the default matters hete 17:28:59 <nirik> My only hesitation is the pref order... 17:29:21 <gotmax[m]> *here 17:29:23 <Eighth_Doctor> I want Fedora content (first-party) to be preferred by default regardless of format 17:29:57 <zbyszek[m]> Conan Kudo: I agree. But don't we get that if rpm is preferred? 17:30:00 <Eighth_Doctor> zbyszek: flatpak is preferred in g-s right now 17:30:03 <dcantrell> am I missing something? I'm reading the proposal as stating that 17:30:29 <dcantrell> Eighth_Doctor: are you talking about a case like gimp or libreoffice which is both in rpm format and I assume flatpak format? 17:30:33 <Eighth_Doctor> g-s has Flatpak > RPM, but doesn't have Fedora > others 17:30:33 <nirik> flatpak (first fedora flatpak if available, then flathub if avaiable) then rpm 17:30:49 <OwenTaylor[m]> zbyszek: I'd say the workstation working group does *not* want to change the format order to prefer rpm over Flatpak - so prefering Fedora RPMs over Flathub Flatpaks owuld require adding fine-grained ordering to GNOME Software. 17:31:35 <zbyszek[m]> OK, but is a flathub flatpak preferred over a fedora rpm? This would be bad. 17:31:41 <decathorpe> as I understand it, doing "Fedora Flatpak > Fedora RPM > Flathub Flatpak" is not possible right now? 17:31:41 <Eighth_Doctor> zbyszek: it is 17:32:02 <zbyszek[m]> Pfff, that's a bummer. 17:32:10 <MichaelCatanzaro> Eighth_Doctor: To be clear, Flathub would not be enabled by default. But, if enabled (non-default), then I understand you still want Fedora RPMs to be preferred. (I responded on the mailing list to indicate why it's not a good idea...) 17:32:10 <Eighth_Doctor> this concern was raised by myself, xvitaly, and several others 17:32:11 <OwenTaylor[m]> zbyszek: if the proposal is accepted without changes, yes, a flathub flatpak is prefered over a fedora rpm (when installing through Software) 17:32:28 <gotmax[m]> I don't remember who said this on the ML, but the fact that content from other vendors is preferred over the community's own efforts is not great 17:32:44 <gotmax[m]> It feels a bit like a spit in the face to Fedora packagers 17:33:16 <zbyszek[m]> OK, so I misunderstood the situation. I'll need to fire up gnome-software and play around with this. So I withdraw my vote for now. 17:33:23 <sgallagh> As the proposal stands, I agree it's not acceptable for us to prefer an unvetted third-party repo over our community-packaged stuff. 17:33:33 <sgallagh> So right now, I'm -1 17:33:39 <MichaelCatanzaro> zbyszek[m]: Fedora RPMs are sadly unsafe because they are not sandboxed. Ideally we would not display RPMs in GNOME Software anymore at all, or Flatpaks that disable the sandbox. But the ecosystem doesn't seem to be there yet... 17:33:46 <sgallagh> But only on the prioritization order; I'm fine with enabling Flathub in general, so long as it's lower prio 17:33:55 <decathorpe> > Fedora RPMs are sadly unsafe 17:33:58 <music[m]> I’m torn on this. I understand the arguments that flatpaks can be sandboxed and can offer other advantages, but there is nothing guaranteeing that flatpaks on flathub-as-a-whole follow any of the practices that support that argument. I’m worried that unfiltered Flathub combined with always defaulting to Flatpak will really push users to packages that are in many (not all) cases still unsandboxed but also maintained to a lower 17:33:58 <music[m]> standard. 17:33:59 <gotmax[m]> AFAIK, no other current third party repository overrides Fedora content 17:34:14 <gotmax[m]> By third party, I mean in the ones we ship .repo files for 17:34:14 <decathorpe> this is disingenuous at best. 17:35:12 <sgallagh> There are also numerous pieces of useful software whose flatpak implementation is... suboptimal. 17:35:19 <MichaelCatanzaro> MichaelCatanzaro: This is why Flathub should be preferred. User safety. I do agree there is a problem with unsandboxed apps on Flathub, though, and this proposal does not address that.... 17:35:32 <sgallagh> (For example, Visual Studio Code loses a lot of its functionality since there's no obvious way to install helper software into the flatpak) 17:35:48 <gotmax[m]> I don't think it's universally agreed upon that flatpaks are always "more safe" 17:36:54 <sgallagh> I think we can agree that Flatpak's have a more security/isolation-first design, but that doesn't mean it's getting used that way. 17:36:59 * nirik wonders how many things we are actually talking about here. It's the set of things that are on flathub, are not fedora flatpaks and have a fedora rpm available... 17:37:13 <MichaelCatanzaro> decathorpe: It's true though. Unless the software has its own strong sandbox -- and only web browsers do, almost no other apps do -- it's surely not safe. Unless it's incapable of opening files or connecting to the internet.... 17:37:21 <gotmax[m]> Stephen Gallagher: Yes, I guess that's true 17:38:04 <OwenTaylor[m]> Stephen Gallagher: I think that's largely restricted to IDE's - most other software that doesn't work as Flatpaks is not packaged as Flatpaks 17:38:05 <gotmax[m]> But whether or not they are actually packaged to our standards is worth considering as well 17:38:10 <dustymabe> the way I look at it Fedora RPMS->safe, Fedora Flatpak->safe, third part RPM->untrusted, third party flatpak->untrusted but at least sandboxed 17:38:15 <MichaelCatanzaro> Sadly, Fedora has failed big time to secure RPM applications. All other distros similarly failed.... 17:38:33 <decathorpe> dustymabe: +1 17:38:53 <Eighth_Doctor> likewise 17:39:00 <sgallagh> Owen Taylor: And the proposal as-written would mean that people installing an IDE (VSCode, PyCharm, Eclipse, etc.) would end up with a crippled version. 17:39:01 <dustymabe> I'm blindly putting a lot of trust in Fedora, but I like to sleep at night and not worry about every problem in the world 17:39:25 <MichaelCatanzaro> dustymabe: There's no way we can hold a productive discussion if you hold this view. One memory safety vulnerability and your Fedora RPM is no longer looking so safe. And our apps have *tons* of memory safety vulnerabilities. 17:39:43 <sgallagh> Michael Catanzaro: I'm going to require you to back up that statement, because it's very much "begging the question" 17:39:47 <Eighth_Doctor> Michael Catanzaro: please stop being antagonistic to everyone who holds contrary views to you 17:39:55 <Eighth_Doctor> on flatpak vs rpm 17:40:13 * dustymabe runs flatpaks, btw 17:40:17 <decathorpe> please, this is starting to be off-topic. 17:40:30 <Eighth_Doctor> the view that I personally hold is that I can trust the process around Fedora packages, which is why I trust them more than third parties 17:40:39 <dustymabe> this ^^ 17:40:42 <dcantrell> I think that's the key point, yes 17:40:47 <Eighth_Doctor> and Fedora packages are easily mutable, whereas third party Flatpaks are not 17:40:52 <OwenTaylor[m]> Stephen Gallagher: yes, that's called out in the workstation ticket. I think if we were prefering Fedora RPMs (and fedora third-party repos for pycharm, etc.) over Flatpaks, that largely doesn't need a special-case solution. We *could* filter out IDe's from Flathub, but I don't see that as useful. 17:41:26 <MichaelCatanzaro> E.g. this story https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez is an example where Facebook (hi ;) exploited a memory safety vulnerability in totem to achieve remote code execution... that happened in Tails, not Fedora, but there is no technical difference that would make it harder to do here. If they can do it to bad guys, the bad guys can similarly do it to other users. 17:41:26 <MichaelCatanzaro> Sandboxing is essential for user safety. This is why prioritizing Flathub is sadly preferable. :/ 17:41:45 <MichaelCatanzaro> I wish Fedora RPMs were secure, but they simply are not. 17:41:46 <sgallagh> Owen Taylor: It's slightly off-topic, but I'd love to see that issue somehow addressed in Flatpak. Otherwise IDEs will be practically impossible to use on Silverblue 17:42:33 <sgallagh> Michael Catanzaro: And I wish flatpaks were secure *and* functional, but in many cases the packager has chosen only one or the other. 17:42:42 * decathorpe reminds everyone we have spent 15 minutes on this topic 17:42:43 <bcotton> Secure is a spectrum, not a binary. And sandboxing isn't the only aspect of security 17:42:50 <gotmax[m]> I don't think it's fair to make blanket statements about Fedora RPMs like this just like it wouldn't be to do the same about flatpaks 17:43:00 <sgallagh> Ben Cotton (he/him)++ 17:43:26 <sgallagh> Sandboxing is one part of a defense-in-depth strategy. 17:43:33 <sgallagh> I am not at all arguing that it's a bad thing. 17:44:45 <nirik> so, right now there's a filter, showing only some subset of flathub to those who enable it right? that subset is curated by the working group right? 17:45:11 <gotmax[m]> Stephen Gallagher: You have to manually type bcotton if you want karma to work properly 17:45:26 <sgallagh> bcotton++ 17:45:26 <zodbot> sgallagh: Karma for bcotton changed to 5 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 17:45:27 <salimma> bcotton++ 17:45:29 <zodbot> salimma: Karma for bcotton changed to 6 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 17:45:38 <Eighth_Doctor> bcotton++ 17:45:38 <zodbot> Eighth_Doctor: Karma for bcotton changed to 7 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 17:45:45 <Eighth_Doctor> oh yay that worked 17:45:51 <MichaelCatanzaro> sgallagh: I understand some apps on flathub suffer degraded functionality, specifically IDEs. Ideally they should not be on flathub at all if so, but... the proposal as written does include a denylist. It was planned to be an empty denylist, to be reserved in case of unexpected legal emergencies, but we could add particular apps there to cause RPMs to be preferred for those apps. 17:46:35 <gotmax[m]> Otherwise it shows up on IRC as `Ben Cotton (he/him)++` and that doesn't work for zodbot 17:46:35 <gotmax[m]> Anyways... 17:46:37 <sgallagh> OK, that's worth exploring. 17:47:14 <sgallagh> Though as a general rule, I still agree with the Fedora > 3rd-party recommendation, since if someone installed Fedora they have implicitly extended that trust to us. 17:47:18 <nirik> could we add any flathub apps that are packaged as fedora rpms? ie, a poor way to prefer them (I know it would mean that they wouldn't be able to switch to flatpak) 17:47:24 <gotmax[m]> Stephen Gallagher: Agreed 17:47:35 <sgallagh> That trust has to extend to us trying our best to give them vetted software when possible 17:47:43 <salimma> would it make sense to expose this ordering to the user? so we set a default but let it be overridden 17:47:46 <davide> what's the supply chain security story for flathub? for Fedora RPMs, we know where they come from, they the licenses are correct, etc. thanks to the review processes we have 17:47:53 <MichaelCatanzaro> <bcotton> "Secure is a spectrum, not a..." <- True... but it is arguably the most important aspect. A sandboxed app riddled with vulnerabilities is probably safer for users than a pristine unsandboxed app, though it depends on use (if you feed the app your sensitive documents, that would be bad). 17:47:59 <gotmax[m]> nirik: I think it's possible to just set it through Gnome Software and not have to do any filtering 17:48:04 <nirik> salimma: that is already the case. 17:48:04 <gotmax[m]> for that purpose 17:48:07 <Eighth_Doctor> davide: they don't have any of that 17:48:31 <Eighth_Doctor> I also did not receive a nice reception when I asked about it before 17:49:07 <gotmax[m]> Well, you can override it per install, but there's not an easy way exposed to the user to set it on a global level 17:49:09 <nirik> davide: there's a git repo per app so you can see whats in it, things are built on their hw. Many/some apps are repackaging other packages (.debs, etc). There was a blog post recently about how many... 17:49:10 <gotmax[m]> AFAIK, at least 17:49:17 <Eighth_Doctor> "we're not a distro, so we don't need to care" was basically the sentiment I got 17:49:42 <davide> oh so potentially they're not even built from source? 17:49:44 <davide> that seems... bad 17:49:49 <OwenTaylor[m]> I'm not sure it's that useful to debate sandboxing vs. what supply chain protections are in flathub here, unless that would change anybody's vote to say "it's OK to install Flathub Flatpaks instead of Fedora RPMs by default" 17:50:08 <Eighth_Doctor> Owen Taylor: it's part of the reason why I vote -1 to it 17:50:24 <Eighth_Doctor> I cannot trust their process, their inputs, or their outputs 17:50:40 <nirik> https://blogs.gnome.org/wjjt/2022/06/14/how-many-flathub-apps-reuse-other-package-formats/ 17:51:01 <music[m]> davide: As I understand it, even proprietary software would be included. Correct me if I’m wrong. 17:51:45 <OwenTaylor[m]> Davide Cavalca: well, an example is that the Blender packages on Flathub use the Blender foundation built binaries 17:51:57 <gotmax[m]> music: Yes, it does. But users have to explicitly enable third party software first. 17:52:09 <OwenTaylor[m]> Davide Cavalca: Certainly most packages of open source software on Flathub are built on Flathub infrastructure from source 17:52:14 <salimma> music[m]: you're correct. there's two VS Code in flathub, one is proprietary 17:52:15 <nirik> element on flathub uses the debs (but they don't provide an rpm) 17:52:22 <MichaelCatanzaro> davide: Correct, but I think this is mostly for proprietary software... 17:52:27 <Eighth_Doctor> nah 17:52:32 <Eighth_Doctor> it's also true for OSS as well 17:52:56 <Eighth_Doctor> cf element 17:52:57 <Eighth_Doctor> and I think jitsi meet too? 17:52:58 * Eighth_Doctor checks 17:53:09 <MichaelCatanzaro> nirik: TL;DR: 88% built from source, 12% weird stuff 17:53:27 <Eighth_Doctor> yup 17:53:28 <sgallagh> No, 12% is known to be repackaged 17:53:36 <sgallagh> The other 88% may or may not be built from source 17:53:36 <Eighth_Doctor> Jitsi meet is repacked from AppImage 17:53:44 <sgallagh> It could also just be repackaging pre-existing binaries. 17:54:00 <MichaelCatanzaro> sgallagh: Yes, that's more accurate (but it probably is built normally) 17:54:20 <Eighth_Doctor> I don't think we can make that assumption, given the query was based on known package archive formats 17:54:23 <sgallagh> Fair, but unknowable for practical purposes 17:54:27 <Eighth_Doctor> it didn't check for just incorporating raw binaries 17:54:57 <music[m]> Right, this may be a bit of a sidetrack, but just because something is built from “source” doesn’t mean it’s what Fedora would consider source. Java bytecode, transpiled and minified JS/CSS, ELF files checked into git… 17:54:59 <OwenTaylor[m]> I think if you restricted yourself to things packaged in Fedora, the number of things that aren't built from source would be small - not non-zero (see Blender above) but < 10. 17:55:39 <decathorpe> another bad example is firefox. it doesn't even have a repo in github.com/flathub, so you have no idea where that comes from 17:56:04 <MichaelCatanzaro> decathorpe: That one doesn't have a repo because it's pushed directly by Mozilla 17:56:13 <decathorpe> oh, is that better? :D 17:56:29 <gotmax[m]> Also, re the security aspect, how do we know whether or not the libraries bundled in flathub flatpaks are up to date and not vulnerable themselves? In Fedora, prodsec files bugs for security issues, but I would guess there isn't a similar procedure for flathub. 17:56:30 <MichaelCatanzaro> i.e. Mozilla does the builds. Whether that is better or not... I will not say. :D 17:56:33 <Eighth_Doctor> Blender is actually done this way: https://github.com/flathub/org.blender.Blender/blob/master/org.blender.Blender.json 17:56:39 <Eighth_Doctor> just binaries 17:56:54 <MichaelCatanzaro> decathorpe: Maybe not :) 17:56:55 <Eighth_Doctor> ironically it builds blenders deps, but not blender itself 17:57:10 * decathorpe reminds everyone we have spent 30 minutes on this topic 17:57:50 <dcantrell> how about we vote 17:58:14 <gotmax[m]> dcantrell: That seems more productive to me 17:58:48 <sgallagh> Based on all of this discussion, I think I'm -1 on enabling Flathub en masse 17:59:05 <sgallagh> However, I'd like to see a better mechanism for vetting things to be included in the Fedora-approved collection 17:59:14 <sgallagh> Something akin to our RPM package review process 17:59:30 <zbyszek[m]> What would we be voting on? Because if the vote is just straight up/down accept/reject, I'd prefer to have a week more to dig into this and ask some more questions. The discussion here raised various good points. 17:59:38 <sgallagh> That way we can increase the available Flatpaks without decreasing quality 17:59:54 <decathorpe> Stephen Gallagher: (we already have that - it's the curated flathub filter) 18:00:12 <sgallagh> Fabio Valentini: Yes, but what process is used to populate that filteR? 18:00:16 <OwenTaylor[m]> There's a process defined in https://pagure.io/fedora-flathub-filter/ - it's more of a question of getting the crank churning. 18:00:30 <sgallagh> I'd like that codified and made available to the community at large to manage. 18:00:48 <MichaelCatanzaro> sgallagh: We will have to debate whether to keep the Fedora-approved collection if this proposal passes. It has received primarily negative feedback from users. Owen wants to keep it, but I'm not sure what to do. 18:00:58 <decathorpe> Question: Is there the possibility of getting the Change proposal amended within a reasonable timeframe (i.e. until the next meeting or so)? 18:00:58 <MichaelCatanzaro> s/passes/does not pass/ 18:01:05 <decathorpe> Or is there no interest in doing that? 18:01:20 <OwenTaylor[m]> For people who are voting no, I'd like to know whether they would be +1 if Fedora RPMs were preferred over Flathub Flatpaks 18:01:25 <mclasen> decathorpe: when is the next meeting ? 18:01:31 <Eighth_Doctor> there was interest from other distributions on rolling out fedora flathub filter 18:01:42 <decathorpe> mclasen: next week, same time, same place. 18:01:57 <dcantrell> OwenTaylor[m]: I am -1 as written, but if the proposal were modified to prioritize all Fedora software over third party software I would be a +1 18:01:58 <OwenTaylor[m]> Fabio Valentini: I think that depends on how it would be modified :-) 18:02:08 <Eighth_Doctor> Owen Taylor: I'd consider it if Fedora was universally preferred, yes 18:02:10 <music[m]> So I was just looking back at the proposal, and one thing I hadn’t quite caught before is that this proposal will have no impact on users who don’t specifically enable third-party software. Correct? 18:02:18 <sgallagh> Owen Taylor: I'd be weakly +1, but I'd still much rather we establish an easy-to-follow review policy to get additional Fedora flatpak's approved 18:02:21 <mclasen> not much from me until then. Owen and Michael may have time to work on it 18:02:41 <MichaelCatanzaro> music[m]: Correct, this only affects users who *opt-in*. It remains disabled by default. 18:03:03 <Eighth_Doctor> most people will opt-in to third-party though, esp since that covers nvidia driver 18:03:10 <Eighth_Doctor> there is no granularity there 18:03:11 <MichaelCatanzaro> We would probably request two weeks to amend the proposal because most decisions happen on Tuesdays 18:03:15 <sgallagh> Sure, but I wonder how many people *don't* hit the "Enable third-party repositories" button 18:03:24 <MichaelCatanzaro> Eighth_Doctor: Quite possible. 18:03:25 <sgallagh> I suspect it may be functionally the default, if not technically. 18:03:26 <decathorpe> Still, it might be unexpected behaviour if opting in to third-party stuff will actually override things that were already available. 18:03:32 <Eighth_Doctor> between steam and nvidia, thirdparty gets enabled quite often 18:03:40 <sgallagh> decathorpe++ 18:03:40 <zodbot> sgallagh: Karma for decathorpe changed to 2 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:05:12 <sgallagh> Owen Taylor: So yeah, I could be on-board so long as Fedora-provided software is preferred over Flathub. 18:05:35 <decathorpe> So, would it be possible to amend this change so that the default preference would be "Fedora Flatpak > Fedora RPM > Flathub Flatpak"? 18:06:06 <decathorpe> With this change, I'd be less likely to vote against it. 18:06:14 * sgallagh would slightly prefer "Fedora RPM > Fedora Flatpak > Flathub", but that's not worth side-tracking on. 18:06:26 <Eighth_Doctor> me too 18:06:39 <Eighth_Doctor> but Fedora > third party is the important thing here 18:06:45 <sgallagh> Agreed 18:06:58 <dustymabe> +1 18:08:01 <sgallagh> Michael Catanzaro: To address your concerns: what I'd like to see also is that if a properly-secured Flatpak is added to Fedora Flatpaks, we should retire the RPM version. 18:08:21 <zbyszek[m]> Ewww, please no. 18:08:36 <Eighth_Doctor> please don't do that 18:08:44 <decathorpe> I'm not even sure how that would work, given the the Fedora Flatpaks are built from the RPM packages. 18:08:47 <zbyszek[m]> I like flatpaks, but being forced to use flatpaks doesn't seem nice. 18:09:04 <Eighth_Doctor> that's also how we piss off our userbase like Ubuntu has been doing 18:09:05 <sgallagh> OK, that's more controversial than I expected, so I withdraw it. 18:09:08 * decathorpe reminds everyone to stay on topic please 18:09:11 <sgallagh> Let's not get diverted 18:09:12 <gotmax[m]> Is it even possible to add more Fedora flatpaks now that the tools have been orphaned? 18:09:23 * decathorpe sighs 18:10:00 <sgallagh> Fabio Valentini: How about just a quick vote: Do we accept the Change as-is? 18:10:04 <mclasen> gotmax[m]: kalev is reviving fedmod 18:10:05 <music[m]> So not to drag this conversation too far backwards, but if this were approved as-is, and I installed FooApp in F37, I would get the flatpak unless I explicitly chose the rpm in the gnome-software dropdown (ignoring for the moment Fedora flatpaks). Is that right? And if I already had FooApp installed from RPM in F36 and I upgraded to F37: I would stay on the RPM, or get switched to the third-party Flatpak? 18:10:12 <sgallagh> I don't see many people saying +1 to that question right now 18:10:35 <sgallagh> music: Stays with the RPM 18:10:43 <gotmax[m]> I don't think any FESCO members did 18:10:46 <MichaelCatanzaro> music[m]: Correct. App type would not change on upgrade. 18:11:09 <music[m]> Ok, that’s what I thought. 18:12:00 <decathorpe> Stephen Gallagher: good idea, let's move this forward. 18:12:35 <decathorpe> Please vote on the proposal as-is (but change owners will have the chance to give us an updated proposal): 18:12:58 <Eighth_Doctor> -1 18:13:03 <zbyszek[m]> -0 18:13:04 <dcantrell> -1 18:13:06 <decathorpe> -1 18:13:18 <nirik> +0 18:14:05 <sgallagh> -1 18:14:13 <zbyszek[m]> I need to drop. See you next week. 18:14:30 <decathorpe> zbyszek++ thanks, see you next week. 18:14:30 <zodbot> decathorpe: Karma for zbyszek changed to 3 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:15:03 <decathorpe> music: vote? you're the only one missing 18:15:06 <music[m]> I’m still finding both sides of the discussion somewhat persuasive. I suppose I’m still +0. 18:15:19 <decathorpe> thanks everyone 18:15:19 <sgallagh> Just a general reminder that voting 0 here is functionally equivalent to -1 18:15:58 <mhroncok> hey 18:15:59 <decathorpe> It doesn't make a difference in this case. 18:16:01 * gotmax[m] waves 18:16:02 <mhroncok> sorry for missing the meeting, got an emergency at home 18:16:14 <sgallagh> mhroncok: I hope nothing too serious. 18:16:14 <decathorpe> mhroncok: hey, just in time for the controversy 18:16:21 <sgallagh> Meeting is still going, FWIW 18:16:41 <gotmax[m]> decathorpe: mhroncok: ^ 18:16:44 <gotmax[m]> About the flatpak change 18:16:57 * decathorpe seems to have bad luck and always ends up running meetings with controversial stuff 18:17:14 <sgallagh> It's not bad luck, we plan it that way maliciously ;-) 18:17:20 <gotmax[m]> decathorpe++ for running/moderating the meeting 18:17:20 <zodbot> gotmax[m]: Karma for decathorpe changed to 3 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:18:01 <mhroncok> -0 I guess (I wasn't paying that much attention, but I am not in favor of prefering 3rd party over Fedora stuff) 18:18:29 <decathorpe> great 18:18:36 <dcantrell> decathorpe++ 18:18:36 <zodbot> dcantrell: Karma for decathorpe changed to 4 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:18:37 <Eighth_Doctor> decathorpe++ 18:18:39 <zodbot> Eighth_Doctor: Karma for decathorpe changed to 5 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:18:57 <bcotton> decathorpe++ 18:18:57 <zodbot> bcotton: Karma for decathorpe changed to 6 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:19:47 <decathorpe> #agree REJECTED: Proposal is rejected as-is, but Change owners will - of course - be able to submit and updated Change proposal. (+0, 4, -4) 18:20:27 <sgallagh> #info Primary objection was due to the overriding of Fedora-packaged software by third-party flatpaks 18:20:33 <OwenTaylor[m]> I'm not sure if the vote formally concluded or not, but we'll discuss whether we want to resubmit for F37 with changes - we'll need to check with the Software maintainers and designers about what's feasible in this release. 18:21:12 <bcotton> The FAA says I have to drop now. Enjoy the rest of the meeting 18:21:23 <decathorpe> bcotton++ 18:21:23 <zodbot> decathorpe: Karma for bcotton changed to 8 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:21:32 <decathorpe> #topic #2759 Proposal: periodic check on packagers reachability 18:21:33 <sgallagh> safe travels, bcotton_ 18:21:35 <decathorpe> .fesco 2759 18:21:36 <zodbot> decathorpe: Issue #2759: Proposal: periodic check on packagers reachability - fesco - Pagure.io - https://pagure.io/fesco/issue/2759 18:22:12 <decathorpe> I suggest that we look at this asynchronously and vote in ticket? 18:22:20 <decathorpe> The policy has been updated to take feedback into account since last week. 18:22:21 <sgallagh> Yeah, this meeting is long enough, I thinjk 18:22:30 <decathorpe> My thoughts exactly. 18:22:44 <sgallagh> Oh, and a quick thank-you to Owen Taylor and Michael Catanzaro for fielding our questions today. 18:23:10 <sgallagh> I know it's not the outcome you were hoping for, but we appreciate your involvement 18:23:13 <decathorpe> Yes, thank you for being here. 18:23:31 <decathorpe> Even if it makes meetings longer, the decisions are more well-informed. 18:23:45 <dustymabe> MichaelCatanzaro++ 18:23:49 <dustymabe> OwenTaylor[m]++ 18:24:01 <Eighth_Doctor> mcatanzaro++ 18:24:06 <Eighth_Doctor> otaylor++ 18:24:06 <zodbot> Eighth_Doctor: Karma for otaylor changed to 1 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any 18:24:20 <decathorpe> #topic Next Week's Chair 18:24:29 <decathorpe> Any victims ... errr volunteers? 18:24:48 <Eighth_Doctor> I can't do it, I'm going to be on a plane at the time 18:24:56 <decathorpe> oh, the FAA wouldn't be happy about that 18:25:00 <Eighth_Doctor> lol 18:25:18 <Eighth_Doctor> I don't think my flight offers wifi 18:25:31 * Eighth_Doctor is flying up to Rochester, NY next week to setup the Hatch event in the Datto Rochester office 18:25:47 <Eighth_Doctor> https://pagure.io/fedora-hatch-2022-rochester 18:25:47 * sgallagh will also be there 18:26:23 <decathorpe> No volunteers? I really don't want to run next week's meeting too :) 18:26:39 <dcantrell> Eighth_Doctor: if only you could take a Dattco bus to your Datto office 18:26:45 <Eighth_Doctor> lol 18:26:51 <Eighth_Doctor> I've done that to go to Six Flags before 18:27:00 <Eighth_Doctor> for company summer parties 18:27:05 <dcantrell> ha, nice 18:27:14 <Eighth_Doctor> Datto rented Dattco buses 18:27:15 <sgallagh> I'll take it, I guess 18:27:19 <nirik> I haven't done it in a while, I could... 18:27:23 <nirik> or sgallagh can have it. ;) 18:27:23 <sgallagh> Since no one else is jumping in 18:27:32 <sgallagh> Help yourself, nirik 18:27:38 <decathorpe> well what now 18:28:12 <sgallagh> Flip a coin? 18:28:14 <decathorpe> one of you can take next week, the other can take the week after that 18:28:47 <sgallagh> I'll take the 26th, then 18:29:01 <nirik> sure. 18:29:12 <decathorpe> #action nirik will chair the meeting on 2022-07-19 18:29:21 <decathorpe> #action sgallagh will chair the meeting on 2022-07-26 18:29:23 <decathorpe> thank you! 18:29:29 <decathorpe> #topic Open Floor 18:29:33 <sgallagh> Thanks for chairing, Fabio Valentini 18:29:53 <decathorpe> I volunteered last week, so that's what I signed up for :) 18:29:58 <decathorpe> Is there anything for the open floor? 18:30:22 <decathorpe> Otherwise I'll end the meeting at :32. 18:32:24 <decathorpe> Alright, let's wrap up. Thanks everyone, sorry for running long :) 18:32:29 <decathorpe> #endmeeting