<@zbyszek:fedora.im>
19:00:32
!startmeeting FESCO (2024-05-06)
<@meetbot:fedora.im>
19:00:34
Meeting started at 2024-05-06 19:00:32 UTC
<@meetbot:fedora.im>
19:00:34
The Meeting name is 'FESCO (2024-05-06)'
<@zbyszek:fedora.im>
19:00:38
!meetingname fesco
<@zbyszek:fedora.im>
19:00:46
Chairs: @conan_kudo:matrix.org, @ngompa:fedora.im, @nirik:matrix.scrye.com, @humaton:fedora.im, @zbyszek:fedora.im, @sgallagh:fedora.im, @jistone:fedora.im, @dcantrell:fedora.im, @mhayden:fedora.im, @tstellar:fedora.im
<@zbyszek:fedora.im>
19:00:54
!topic Init Process
<@zbyszek:fedora.im>
19:00:59
!hi
<@zodbot:fedora.im>
19:01:01
Zbigniew Jędrzejewski-Szmek (zbyszek)
<@nirik:matrix.scrye.com>
19:01:02
morning everyone. I will also be in my other meeting for a bit... so will try and pay attention to both places.
<@jistone:fedora.im>
19:01:23
!hi
<@zodbot:fedora.im>
19:01:25
Josh Stone (jistone) - he / him / his
<@zbyszek:fedora.im>
19:01:51
Ack. I'll ping nirik if there's voting to be done.
<@tstellar:fedora.im>
19:02:42
!hi
<@zodbot:fedora.im>
19:02:45
Tom Stellard (tstellar)
<@zbyszek:fedora.im>
19:03:01
That's 4/9. Let's wait a bit more for folks to show up.
<@zbyszek:fedora.im>
19:04:10
Conan Kudo fesco meeting, ping
<@zbyszek:fedora.im>
19:04:24
jednorozec: fesco meeting, ping
<@zbyszek:fedora.im>
19:04:36
Stephen Gallagher: fesco meeting
<@humaton:fedora.im>
19:04:40
!hi
<@zodbot:fedora.im>
19:04:42
Tomáš Hrčka (humaton) - he / him / his
<@zbyszek:fedora.im>
19:04:49
dcantrell: fesco meeting, ping
<@zbyszek:fedora.im>
19:05:00
mhayden: fesco meeting
<@mhayden:fedora.im>
19:05:09
!hi
<@zodbot:fedora.im>
19:05:11
Major Hayden (mhayden) - he / him / his
<@zbyszek:fedora.im>
19:05:17
OK, let's start.
<@dcantrell:fedora.im>
19:05:18
!hi
<@zodbot:fedora.im>
19:05:22
David Cantrell (dcantrell) - he / him / his
<@zbyszek:fedora.im>
19:05:25
!topic #3204 Request for one-time Updates Policy Exception: GStreamer 1.24 for Fedora 40
<@mhayden:fedora.im>
19:05:27
appreciate the reminder. was knee-deep in jira tickets 🥵
<@zbyszek:fedora.im>
19:05:30
!fesco 3204
<@zodbot:fedora.im>
19:05:36
**fesco #3204** (https://pagure.io/fesco/issue/3204):**Request for one-time Updates Policy Exception: GStreamer 1.24 for Fedora 40** ● **Opened:** 2 days ago by decathorpe ● **Last Updated:** 4 hours ago ● **Assignee:** Not Assigned
<@zbyszek:fedora.im>
19:06:14
BTW, did you get a notification from the Chairs line above? If not, then maybe we should modify the template to include an explicit ping.
<@nirik:matrix.scrye.com>
19:06:17
This sounds pretty reasonable to me... +1
<@jistone:fedora.im>
19:06:33
+1
<@zbyszek:fedora.im>
19:06:42
We're +3 in the ticket.
<@humaton:fedora.im>
19:06:52
+1 from me as well
<@mhayden:fedora.im>
19:06:52
+1 here as well
<@tstellar:fedora.im>
19:07:06
+1
<@zbyszek:fedora.im>
19:07:22
!agreed APPROVE (+8, 0, 0)
<@zbyszek:fedora.im>
19:07:39
!topic #3200 provenpackager nomination for fche
<@zbyszek:fedora.im>
19:07:43
!fesco 3200
<@zodbot:fedora.im>
19:07:47
**fesco #3200** (https://pagure.io/fesco/issue/3200):**provenpackager nomination for fche** ● **Opened:** a week ago by fche ● **Last Updated:** 7 hours ago ● **Assignee:** Not Assigned
<@zbyszek:fedora.im>
19:08:09
So… I wrote a bit in the ticket, so I won't repeat myself.
<@dcantrell:fedora.im>
19:08:21
I agree with zbyszek and sgallagh here, so count me as a -1
<@nirik:matrix.scrye.com>
19:08:54
So I support this one... but thats through working with them on things... I can understand how others don't have any knowledge that they know things
<@jistone:fedora.im>
19:08:58
I am confident that fche is capable and trustworthy for this role, but I think it's reasonable to ask that he demonstrate increased activity first.
<@zbyszek:fedora.im>
19:09:22
We had two +0 votes, one -1 vote, and one +1 vote in the ticket.
<@fche:fedora.im>
19:10:54
no problem, thanks for your consideration, guess been working one level too far behind the scenes :-)
<@zbyszek:fedora.im>
19:11:38
Frank Ch. Eigler: would you be OK with doing some more visible work and reopening the ticket in a few months?
<@fche:fedora.im>
19:12:18
sure
<@zbyszek:fedora.im>
19:13:24
I don't know how to handle this formally. Do we vote using the usual fesco rules, or should we count all votes made in the ticket?
<@nirik:matrix.scrye.com>
19:14:34
well, if Frank Ch. Eigler wants to resubmit, we just count it as withdrawn for now? no votes needed?
<@dcantrell:fedora.im>
19:14:49
that sounds reasonable
<@fche:fedora.im>
19:14:56
ok sure, if that makes things easier for y'all, consider my request withdrawn.
<@zbyszek:fedora.im>
19:15:40
!info Request was withdrawn and may be resubmitted later on.
<@zbyszek:fedora.im>
19:15:50
Frank Ch. Eigler++, thanks
<@zodbot:fedora.im>
19:15:53
zbyszek gave a cookie to fche. They now have 7 cookies, 1 of which were obtained in the Fedora 40 release cycle
<@tstellar:fedora.im>
19:16:40
Frank Ch. Eigler: Might help too if you listed something specific that you need provenpackager for e.g. "As a member of the security SIG, I may need to push urgent CVE fixes for packages"
<@zbyszek:fedora.im>
19:16:51
Yeah.
<@zbyszek:fedora.im>
19:16:56
!topic #3186 Mandatory 2FA for all packagers
<@zbyszek:fedora.im>
19:17:01
!fesco 3186
<@zodbot:fedora.im>
19:17:04
**fesco #3186** (https://pagure.io/fesco/issue/3186):**Mandatory 2FA for all packagers** ● **Opened:** a month ago by msuchy ● **Last Updated:** 7 hours ago ● **Assignee:** Not Assigned
<@nirik:matrix.scrye.com>
19:17:29
I'm not sure what fesco can do here
<@zbyszek:fedora.im>
19:17:43
@msuchy wrote: I will try to summarize the discussion from a mailing list: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#UZBCRR3YVYKBFS4KEWKZYG2VNHDE6FNF
- some people welcomed that
- some people were against it
- it was pointed that when you change phone, you have to write GPG signed email to admins who will delete your old 2FA and you are allowed to create new one. You cannot have restore keys or more 2FA.
- it was pointed that without more users there will be likely no push to have better UX.
- it was pointed that we can start with smaller group - i.e. say that provenpackager group needs to use 2FA.
- The current implementation of fkinit is incompatible with Gnome accounts.
- Kilian pointed out other options - FIDO2
- Fedora infra does not have a script that can check if people in some groups have 2FA enabled
<@tstellar:fedora.im>
19:18:13
My main question here is do we have infrastructure to support this in a convenient way.
<@nirik:matrix.scrye.com>
19:18:18
no
<@nirik:matrix.scrye.com>
19:19:05
we could script removing users from groups that don't have a otp enrolled. But that wouldn't stop them from being added and in there until the script ran. and such a script doesn't exist yet.
<@nirik:matrix.scrye.com>
19:19:18
IPA has no support for enforcing otp for groups currently
<@nirik:matrix.scrye.com>
19:19:27
(that I know of)
<@mhayden:fedora.im>
19:19:30
I like the idea of having provenpackagers go that route first (but I'm not a provenpackager so why am I talking?) 😜
<@tstellar:fedora.im>
19:19:34
Could we require 2FA only for provenpackagers?
<@zbyszek:fedora.im>
19:19:50
I think 2FA for pps would be a good start.
<@nirik:matrix.scrye.com>
19:20:09
you could ask for that, but ... we don't currently have any way to do that.
<@zbyszek:fedora.im>
19:20:18
pps can do so many things that it's reasonable to raise the bar for them.
<@mhayden:fedora.im>
19:20:21
i've had 2FA on for so many years i forgot when i enabled it 👀
<@nirik:matrix.scrye.com>
19:20:43
also, note that pushing changes to dist git is using ssh...
<@nirik:matrix.scrye.com>
19:21:33
Ideally IPA would implement a way to mark groups as requiring otp
<@zbyszek:fedora.im>
19:22:48
OK, so… is there any hope for improvements to any of the pain points in the near future? If yes, then maybe we should wait a bit.
<@nirik:matrix.scrye.com>
19:22:51
Also ideally passkey support would appear (they are working on that)
<@nirik:matrix.scrye.com>
19:23:23
well, do you want us to try and find someone to implement a janky script? that's the only thing I see as possible in the short term
<@zbyszek:fedora.im>
19:23:56
The script would be for enforcement of the policy?
<@nirik:matrix.scrye.com>
19:24:12
yeah, but would have inherent race conditions
<@tstellar:fedora.im>
19:24:22
If users aren't able to update their own 2FA key, then for me this is a pretty easy no.
<@zbyszek:fedora.im>
19:24:25
By "improvements" I mostly meant changes to the UX for packagers.
<@nirik:matrix.scrye.com>
19:24:27
ie, add user, they are in until the next script runs and removes them
<@zbyszek:fedora.im>
19:24:51
That doesn't sound like a problem.
<@nirik:matrix.scrye.com>
19:25:00
Tom Stellard: they can update their otp(s) as much as they like, but you can't unenroll/remove the last one.
<@nirik:matrix.scrye.com>
19:25:22
if you give me a min I can tell you how many provenpackagers don't have a otp
<@zbyszek:fedora.im>
19:25:26
Can you have more than one OTP enrolled?
<@tstellar:fedora.im>
19:25:26
nirik: Ok so you can have multiple OTPs at once?
<@nirik:matrix.scrye.com>
19:26:28
yes, as many as you like. I don't think there is a limit
<@nirik:matrix.scrye.com>
19:26:46
any (valid) one of which will allow you to login
<@zbyszek:fedora.im>
19:27:19
> it was pointed that when you change phone, you have to write GPG signed email to admins who will delete your old 2FA and you are allowed to create new one. You cannot have restore keys or more 2FA.

So that summary is wrong?
<@mhayden:fedora.im>
19:27:29
hmm could we get a list of items we'd need to have to make the UX less painful and work through those?
<@tstellar:fedora.im>
19:27:41
Bullet 3 from the list makes it sound like you can't add a new one until you delete the old one, but if the problem is only that you can't delete the old one, that seems less bad. However, it's not ideal as it makes it hard to remove a potentially compromised OTP.
<@nirik:matrix.scrye.com>
19:27:43
If that is the _only_ token you have and you lost it, yes
<@jistone:fedora.im>
19:28:07
i.e. you can't login to add the new one if you lost the old one?
<@zbyszek:fedora.im>
19:28:14
Yeah, but having just one token enrolled is a well-known "bad idea".
<@nirik:matrix.scrye.com>
19:28:20
there are 86 users in provenpackager without an otp... out of 124. (if my scripting is working right)
<@nirik:matrix.scrye.com>
19:28:34
to login, you need to use a token.
<@nirik:matrix.scrye.com>
19:28:45
If you don't have one, you can't login to enroll a new one
<@nirik:matrix.scrye.com>
19:29:22
IPA's setup/use case is very much for a company type infra... where you have a help desk and employees can ask for enrollment, etc.
<@zbyszek:fedora.im>
19:30:00
> Fedora infra does not have a script that can check if people in some groups have 2FA enabled

It seems nirik does have such a script… So we know this is fixable.
<@nirik:matrix.scrye.com>
19:30:30
I think that point was we don't have a script that removes people without otp in groups... but I could be wrong
<@nirik:matrix.scrye.com>
19:31:04
and also removal is somewhat unexpected. It would need to notify the user(s), otherwise they would not know they were removed.
<@zbyszek:fedora.im>
19:31:38
OK, so I think we should start by introducing a policy that packagers *should* have 2FA, but not do enforcement initially. This will give us some time to improve the UX.
<@nirik:matrix.scrye.com>
19:32:42
some people seemed resistant to it until the UX is better. ;)
<@nirik:matrix.scrye.com>
19:32:54
but I guess with Should they could just ignore it for now
<@zbyszek:fedora.im>
19:33:41
Effectively, ssh is a form of 2fa too: you need the key file and the password for it. It's just handled locally, not on the server.
<@nirik:matrix.scrye.com>
19:34:21
When we ever get pagure running on rhel9, we could also support fido keys for ssh directly...
<@jistone:fedora.im>
19:34:39
we can't enforce that ssh keys are password-protected though
<@nirik:matrix.scrye.com>
19:35:11
yeah, another reason -sk ssh keys are nicer. ;)
<@zbyszek:fedora.im>
19:35:32
I don't think this matters. We can't prevent people from putting their password in their github profile either.
<@nirik:matrix.scrye.com>
19:36:31
so, I'm fine with fesco saying people 'should' have a otp for now and try and work through issues that are had. There's also some 'best practices' things people should know tho, like enrolling several keys to have a backup, etc.
<@nirik:matrix.scrye.com>
19:37:01
I'm happy to make a doc/blog post/whatever on those...
<@zbyszek:fedora.im>
19:38:05
proposal: We want packagers to use 2FA and will start with proven packagers. As an initial step, the policy will be changed that PPs SHOULD enroll tokens for 2FA. Once the UX for packagers improved, we'll consider changing the policy to "MUST".
<@tstellar:fedora.im>
19:38:41
+1
<@zbyszek:fedora.im>
19:38:49
Feel free to reword.
<@jistone:fedora.im>
19:38:49
+1
<@dcantrell:fedora.im>
19:38:52
+1
<@humaton:fedora.im>
19:39:01
+1
<@nirik:matrix.scrye.com>
19:39:20
sure, thats fine +1
<@zbyszek:fedora.im>
19:40:01
!agreed We want packagers to use 2FA and will start with proven packagers. As an initial step, the policy will be changed that PPs SHOULD enroll tokens for 2FA. Once the UX for packagers improved, we'll consider changing the policy to "MUST". (+6, 0, 0)
<@zbyszek:fedora.im>
19:40:16
Phew.
<@zbyszek:fedora.im>
19:40:17
!topic Next week's chair
<@zbyszek:fedora.im>
19:40:24
Vlntrs?
<@zbyszek:fedora.im>
19:41:22
I would prefer not to do it next week, I have a bunch of family matters to attend to over the weekend.
<@tstellar:fedora.im>
19:41:34
I can do it.
<@zbyszek:fedora.im>
19:41:49
!action Tom Stellard will chair next meeting
<@zodbot:fedora.im>
19:41:49
jistone gave a cookie to tstellar. They now have 17 cookies, 2 of which were obtained in the Fedora 40 release cycle
<@zbyszek:fedora.im>
19:41:53
Thanks.
<@zbyszek:fedora.im>
19:41:59
!topic Open Floor
<@zodbot:fedora.im>
19:42:00
kevin gave a cookie to tstellar. They now have 18 cookies, 3 of which were obtained in the Fedora 40 release cycle
<@tstellar:fedora.im>
19:42:39
I wanted to talk about the backlog of PRs for redhat-rpm-config. I think we need to designate official reviewers or something like that.
<@zbyszek:fedora.im>
19:42:40
The repro builds change was approved, so I plan to submit changes that'll make it happen this week or the next.
<@zbyszek:fedora.im>
19:43:16
The prep for bin-sbin merge is mostly done, but I'm waiting for selinux policy changes. Once that's done, I'll submit changes to make it happen too.
<@nirik:matrix.scrye.com>
19:43:59
as a heads up, I'm going to be scheduling some outages soon... need to migrate database servers and update/reboots, etc. (and hopefully move builders to f40, but thats stalled right now)
<@nirik:matrix.scrye.com>
19:44:26
Tom Stellard: that's been a long standing issue, we tried to add co-maintainers a while back, but I guess it didn't take?
<@zbyszek:fedora.im>
19:45:14
Hmm, there's 21 open PRs, maybe ~15 of those could be merged.
<@tstellar:fedora.im>
19:45:27
I think the main problem is that it's unclear who to ping to get a review.
<@nirik:matrix.scrye.com>
19:45:52
yeah, problem with large groups... who's actually responsible. ;(
<@tstellar:fedora.im>
19:46:36
I would volunteer to be a reviewer, but I'm unsure how to get 'official' status as someone who can approve patches.
<@tstellar:fedora.im>
19:47:24
I think other people may be in the same position.
<@nirik:matrix.scrye.com>
19:47:48
I guess mail the maintainers and ask to be added?
<@codonell:fedora.im>
19:50:04
Tom Stellard: Reviewing related PRs for redhat-rpm-config is something I do weekly, but we're only tracking the relevant ones to the toolchain for the subset of issues I care about.
<@zbyszek:fedora.im>
19:50:09
It should also be converted to rpmautospec. This is _exactly_ the kind of package where conflicts between PRs are extremely painful because of %changelog.
<@tstellar:fedora.im>
19:51:36
OK, I will try to email the admins.
<@zbyszek:fedora.im>
19:52:16
!action Tom Stellard to mail admins of redhat-rpm-config for official access and do some reviews of open PRs.
<@zbyszek:fedora.im>
19:52:33
OK, other topics?
<@zbyszek:fedora.im>
19:52:59
If not, I'll close in a minute.
<@zbyszek:fedora.im>
19:54:14
!endmeeting
<@zbyszek:fedora.im>
19:54:42
Hmm, zodbot, are you here?
<@zbyszek:fedora.im>
19:54:52
!endmeeting