2024-05-06 19:00:32 <@zbyszek:fedora.im> !startmeeting FESCO (2024-05-06)

2024-05-06 19:00:34 <@meetbot:fedora.im> Meeting started at 2024-05-06 19:00:32 UTC
2024-05-06 19:00:34 <@meetbot:fedora.im> The Meeting name is 'FESCO (2024-05-06)'
2024-05-06 19:00:38 <@zbyszek:fedora.im> !meetingname fesco

2024-05-06 19:00:46 <@zbyszek:fedora.im> Chairs: @conan_kudo:matrix.org, @ngompa:fedora.im, @nirik:matrix.scrye.com, @humaton:fedora.im, @zbyszek:fedora.im, @sgallagh:fedora.im, @jistone:fedora.im, @dcantrell:fedora.im, @mhayden:fedora.im, @tstellar:fedora.im

2024-05-06 19:00:54 <@zbyszek:fedora.im> !topic Init Process

2024-05-06 19:00:59 <@zbyszek:fedora.im> !hi
2024-05-06 19:01:01 <@zodbot:fedora.im> Zbigniew Jędrzejewski-Szmek (zbyszek)
2024-05-06 19:01:02 <@nirik:matrix.scrye.com> morning everyone. I will also be in my other meeting for a bit... so will try and pay attention to both places.
2024-05-06 19:01:23 <@jistone:fedora.im> !hi
2024-05-06 19:01:25 <@zodbot:fedora.im> Josh Stone (jistone) - he / him / his
2024-05-06 19:01:51 <@zbyszek:fedora.im> Ack. I'll ping nirik if there's voting to be done.
2024-05-06 19:02:42 <@tstellar:fedora.im> !hi
2024-05-06 19:02:45 <@zodbot:fedora.im> Tom Stellard (tstellar)
2024-05-06 19:03:01 <@zbyszek:fedora.im> That's 4/9. Let's wait a bit more for folks to show up.
2024-05-06 19:04:10 <@zbyszek:fedora.im> Conan Kudo fesco meeting, ping
2024-05-06 19:04:24 <@zbyszek:fedora.im> jednorozec: fesco meeting, ping
2024-05-06 19:04:36 <@zbyszek:fedora.im> Stephen Gallagher: fesco meeting
2024-05-06 19:04:40 <@humaton:fedora.im> !hi
2024-05-06 19:04:42 <@zodbot:fedora.im> Tomáš Hrčka (humaton) - he / him / his
2024-05-06 19:04:49 <@zbyszek:fedora.im> dcantrell: fesco meeting, ping
2024-05-06 19:05:00 <@zbyszek:fedora.im> mhayden: fesco meeting
2024-05-06 19:05:09 <@mhayden:fedora.im> !hi
2024-05-06 19:05:11 <@zodbot:fedora.im> Major Hayden (mhayden) - he / him / his
2024-05-06 19:05:17 <@zbyszek:fedora.im> OK, let's start.
2024-05-06 19:05:18 <@dcantrell:fedora.im> !hi
2024-05-06 19:05:22 <@zodbot:fedora.im> David Cantrell (dcantrell) - he / him / his
2024-05-06 19:05:25 <@zbyszek:fedora.im> !topic #3204 Request for one-time Updates Policy Exception: GStreamer 1.24 for Fedora 40

2024-05-06 19:05:27 <@mhayden:fedora.im> appreciate the reminder. was knee-deep in jira tickets 🥵
2024-05-06 19:05:30 <@zbyszek:fedora.im> !fesco 3204

2024-05-06 19:05:36 <@zodbot:fedora.im> **fesco #3204** (https://pagure.io/fesco/issue/3204):**Request for one-time Updates Policy Exception: GStreamer 1.24 for Fedora 40**

● **Opened:** 2 days ago by decathorpe
● **Last Updated:** 4 hours ago
● **Assignee:** Not Assigned
2024-05-06 19:06:14 <@zbyszek:fedora.im> BTW, did you get a notification from the Chairs line above? If not, then maybe we should modify the template to include an explicit ping.
2024-05-06 19:06:17 <@nirik:matrix.scrye.com> This sounds pretty reasonable to me... +1
2024-05-06 19:06:33 <@jistone:fedora.im> +1
2024-05-06 19:06:42 <@zbyszek:fedora.im> We're +3 in the ticket.
2024-05-06 19:06:52 <@humaton:fedora.im> +1 from me as well
2024-05-06 19:06:52 <@mhayden:fedora.im> +1 here as well
2024-05-06 19:07:06 <@tstellar:fedora.im> +1
2024-05-06 19:07:22 <@zbyszek:fedora.im> !agreed APPROVE (+8, 0, 0)
2024-05-06 19:07:39 <@zbyszek:fedora.im> !topic #3200 provenpackager nomination for fche

2024-05-06 19:07:43 <@zbyszek:fedora.im> !fesco 3200

2024-05-06 19:07:47 <@zodbot:fedora.im> **fesco #3200** (https://pagure.io/fesco/issue/3200):**provenpackager nomination for fche**

● **Opened:** a week ago by fche
● **Last Updated:** 7 hours ago
● **Assignee:** Not Assigned
2024-05-06 19:08:09 <@zbyszek:fedora.im> So… I wrote a bit in the ticket, so I won't repeat myself.
2024-05-06 19:08:21 <@dcantrell:fedora.im> I agree with zbyszek and sgallagh here, so count me as a -1
2024-05-06 19:08:54 <@nirik:matrix.scrye.com> So I support this one... but thats through working with them on things... I can understand how others don't have any knowledge that they know things
2024-05-06 19:08:58 <@jistone:fedora.im> I am confident that fche is capable and trustworthy for this role, but I think it's reasonable to ask that he demonstrate increased activity first.
2024-05-06 19:09:22 <@zbyszek:fedora.im> We had two +0 votes, one -1 vote, and one +1 vote in the ticket.
2024-05-06 19:10:54 <@fche:fedora.im> no problem, thanks for your consideration, guess been working one level too far behind the scenes :-)
2024-05-06 19:11:38 <@zbyszek:fedora.im> Frank Ch. Eigler: would you be OK with doing to some more visible work and reopening the ticket in a few months?
2024-05-06 19:12:18 <@fche:fedora.im> sure
2024-05-06 19:13:24 <@zbyszek:fedora.im> I don't know how to handle this formally. Do we vote using the usual fesco rules, or should we count all votes made in the ticket?
2024-05-06 19:14:34 <@nirik:matrix.scrye.com> well, if Frank Ch. Eigler wants to resubmit, we just count it as withdrawn for now? no votes needed?
2024-05-06 19:14:49 <@dcantrell:fedora.im> that sounds reasonable
2024-05-06 19:14:56 <@fche:fedora.im> ok sure, if that makes things easier for y'all, consider my request withdrawn.
2024-05-06 19:15:40 <@zbyszek:fedora.im> !info Request was withdrawn and may be resubmitted later on.
2024-05-06 19:15:50 <@zbyszek:fedora.im> Frank Ch. Eigler++, thanks
2024-05-06 19:15:53 <@zodbot:fedora.im> zbyszek gave a cookie to fche. They now have 7 cookies, 1 of which were obtained in the Fedora 40 release cycle
2024-05-06 19:16:40 <@tstellar:fedora.im> Frank Ch. Eigler: Might help too if you listed something specific that you need provenpackager for e.g. "As a member of the security SIG, I may need to push urgent CVE fixes for packages"
2024-05-06 19:16:51 <@zbyszek:fedora.im> Yeah.
2024-05-06 19:16:56 <@zbyszek:fedora.im> !topic #3186 Mandatory 2FA for all packagers
2024-05-06 19:17:01 <@zbyszek:fedora.im> !fesco 3186

2024-05-06 19:17:04 <@zodbot:fedora.im> **fesco #3186** (https://pagure.io/fesco/issue/3186):**Mandatory 2FA for all packagers**

● **Opened:** a month ago by msuchy
● **Last Updated:** 7 hours ago
● **Assignee:** Not Assigned
2024-05-06 19:17:29 <@nirik:matrix.scrye.com> I'm not sure what fesco can do here
2024-05-06 19:17:43 <@zbyszek:fedora.im> @msuchy wrote: I will try to summarize the discussion from a mailing list:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#UZBCRR3YVYKBFS4KEWKZYG2VNHDE6FNF

    some people welcomed that
    some people were against it
    it was pointed that when you change phone, you have to write GPG signed email to admins who will delete your old 2FA and you are allowed to create new one. You cannot have restore keys or more 2FA.
    it was pointed that without more users there will be likely no push to have better UX.
    it was pointed that we can start with smaller group - i.e. say that provenpackager group needs to use 2FA.
    The current implementation of fkinit is incompatible with Gnome accounts.
    Kilian pointed out other options - FIDO2
    Fedora infra does not have a script that can check if people in some groups have 2FA enabled

2024-05-06 19:18:13 <@tstellar:fedora.im> My main question here is do we have infrastructure to support this in a convenient way.
2024-05-06 19:18:18 <@nirik:matrix.scrye.com> no
2024-05-06 19:18:21 <@zbyszek:fedora.im> @msuchy wrote: I will try to summarize the discussion from a mailing list:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#UZBCRR3YVYKBFS4KEWKZYG2VNHDE6FNF

- some people welcomed that
- some people were against it
- it was pointed that when you change phone, you have to write GPG signed email to admins who will delete your old 2FA and you are allowed to create new one. You cannot have restore keys or more 2FA.
- it was pointed that without more users there will be likely no push to have better UX.
- it was pointed that we can start with smaller group - i.e. say that provenpackager group needs to use 2FA.
- The current implementation of fkinit is incompatible with Gnome accounts.
Kilian pointed out other options - FIDO2
- Fedora infra does not have a script that can check if people in some groups have 2FA enabled
2024-05-06 19:19:05 <@nirik:matrix.scrye.com> we could script removing users from groups that don't have a otp enrolled. But that wouldn't stop them from being added and in there until the script ran. and such a script doesn't exist yet.
2024-05-06 19:19:18 <@nirik:matrix.scrye.com> IPA has no support for enforcing otp for groups currently
2024-05-06 19:19:27 <@nirik:matrix.scrye.com> (that I know of)
2024-05-06 19:19:30 <@mhayden:fedora.im> I like the idea of having provenpackagers go that route first (but I'm not a provenpackager so why am I talking?) 😜
2024-05-06 19:19:34 <@tstellar:fedora.im> Could we require 2FA only for provenpackagers?
2024-05-06 19:19:50 <@zbyszek:fedora.im> I think 2FA for pps would be a good start.
2024-05-06 19:20:09 <@nirik:matrix.scrye.com> you could ask for that, but ... we don't currently have any way to do that.
2024-05-06 19:20:18 <@zbyszek:fedora.im> pps can do so many things that it's reasonable to raise the bar for them.
2024-05-06 19:20:21 <@mhayden:fedora.im> i've had 2FA on for so many years i forgot when i enabled it 👀
2024-05-06 19:20:43 <@nirik:matrix.scrye.com> also, note that pushing changes to dist git is using ssh...
2024-05-06 19:21:33 <@nirik:matrix.scrye.com> Ideally IPA would implement a way to mark groups as requiring otp
2024-05-06 19:21:59 <@zbyszek:fedora.im> @msuchy wrote: I will try to summarize the discussion from a mailing list:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/YWMNOEJ34Q7QLBWQAB5TM6A2SVJFU4RV/#UZBCRR3YVYKBFS4KEWKZYG2VNHDE6FNF

- some people welcomed that
- some people were against it
- it was pointed that when you change phone, you have to write GPG signed email to admins who will delete your old 2FA and you are allowed to create new one. You cannot have restore keys or more 2FA.
- it was pointed that without more users there will be likely no push to have better UX.
- it was pointed that we can start with smaller group - i.e. say that provenpackager group needs to use 2FA.
- The current implementation of fkinit is incompatible with Gnome accounts.
- Kilian pointed out other options - FIDO2
- Fedora infra does not have a script that can check if people in some groups have 2FA enabled
2024-05-06 19:22:48 <@zbyszek:fedora.im> OK, so… is there any hope for improvements to any of the pain points in the near future? If yes, then maybe we should wait a bit.
2024-05-06 19:22:51 <@nirik:matrix.scrye.com> Also ideally passkey support would appear (they are working on that)
2024-05-06 19:23:23 <@nirik:matrix.scrye.com> well, do you want us to try and find someone to implement a janky script? thats the only thing I see as possible in the short term
2024-05-06 19:23:56 <@zbyszek:fedora.im> The script would be for enforcement of the policy?
2024-05-06 19:24:12 <@nirik:matrix.scrye.com> yeah, but would have inherint race conditions
2024-05-06 19:24:22 <@tstellar:fedora.im> If users aren't able to update their own 2FA key, then for me this is a pretty easy no.
2024-05-06 19:24:25 <@zbyszek:fedora.im> By "improvements" I mostly meant changes to the UX for packagers.
2024-05-06 19:24:27 <@nirik:matrix.scrye.com> ie, add user, they are in until the next script runs and removes them
2024-05-06 19:24:51 <@zbyszek:fedora.im> That doesn't sound like a problem.
2024-05-06 19:25:00 <@nirik:matrix.scrye.com> Tom Stellard: they can update their otp(s) as much as they like, but you can't unenroll/remove the last one.
2024-05-06 19:25:22 <@nirik:matrix.scrye.com> if you give me a min I can tell you how many provenpackgers don't have a otp
2024-05-06 19:25:26 <@zbyszek:fedora.im> Can you have more than one OTP enrolled?
2024-05-06 19:25:26 <@tstellar:fedora.im> nirik: Ok so you can have multiple tops a once?
2024-05-06 19:25:44 <@tstellar:fedora.im> nirik: Ok so you can have multiple OTPs a once?
2024-05-06 19:26:21 <@tstellar:fedora.im> nirik: Ok so you can have multiple OTPs at once?
2024-05-06 19:26:28 <@nirik:matrix.scrye.com> yes, as many as you like. I don't think there is a limit
2024-05-06 19:26:46 <@nirik:matrix.scrye.com> any (valid) one of which will allow you to login
2024-05-06 19:27:19 <@zbyszek:fedora.im> > it was pointed that when you change phone, you have to write GPG signed email to admins who will delete your old 2FA and you are allowed to create new one. You cannot have restore keys or more 2FA.

So that summary is wrong?
2024-05-06 19:27:29 <@mhayden:fedora.im> hmm could we get a list of items we'd need to have to make the UX less painful and work through those?
2024-05-06 19:27:41 <@tstellar:fedora.im> Bullet 3 from the list makes it sound like you can't add a new on until you delete the old one, but if the problem is only that you can't delete the old one, that seems less bad.  However, it's not ideal as it makes it hard to remove a potentially compromised OTP.
2024-05-06 19:27:43 <@nirik:matrix.scrye.com> If that is the _only_ token you have and you lost it, yes
2024-05-06 19:27:50 <@tstellar:fedora.im> Bullet 3 from the list makes it sound like you can't add a new one until you delete the old one, but if the problem is only that you can't delete the old one, that seems less bad.  However, it's not ideal as it makes it hard to remove a potentially compromised OTP.
2024-05-06 19:28:07 <@jistone:fedora.im> i.e. you can't login to add the new one if you lost the old one?
2024-05-06 19:28:14 <@zbyszek:fedora.im> Yeah, but having just one token enrolled is a well-known "bad idea".
2024-05-06 19:28:20 <@nirik:matrix.scrye.com> there are 86 users in provenpackager without an otp... out of 124. (if my scripting is working right)
2024-05-06 19:28:34 <@nirik:matrix.scrye.com> to login, you need to use a token.
2024-05-06 19:28:45 <@nirik:matrix.scrye.com> If you don't have one, you can't login to enroll a new one
2024-05-06 19:29:22 <@nirik:matrix.scrye.com> IPA's setup/use case is very much for a company type infra... where you have a help desk and employees can ask for enrollment, etc.
2024-05-06 19:30:00 <@zbyszek:fedora.im> > Fedora infra does not have a script that can check if people in some groups have 2FA enabled

It seems nirik does have a such a script… So we know this is fixable.
2024-05-06 19:30:30 <@nirik:matrix.scrye.com> I think that point was we don't have a script that removes people without otp in groups... but I could be wrong
2024-05-06 19:31:04 <@nirik:matrix.scrye.com> and also removal is somewhat unexpected. It would need to notify the user(s), otherwise they would not know they were removed.
2024-05-06 19:31:38 <@zbyszek:fedora.im> OK, so I think we should start by introducing a policy that packagers *should* have 2FA, but not do enforcement initially. This will give us some time to improve the UX.
2024-05-06 19:32:42 <@nirik:matrix.scrye.com> some people seemed resistant to it until the UX is better. ;)
2024-05-06 19:32:54 <@nirik:matrix.scrye.com> but I guess with Should they could just ignore it for now
2024-05-06 19:33:41 <@zbyszek:fedora.im> Effectively, ssh is a form of 2fa too: you need the key file and the password for it. It's just handled locally, not on the server.
2024-05-06 19:34:21 <@nirik:matrix.scrye.com> When we ever get pagure running on rhel9, we could also support fido keys for ssh directly...
2024-05-06 19:34:39 <@jistone:fedora.im> we can't enforce that ssh keys are password-protected though
2024-05-06 19:35:11 <@nirik:matrix.scrye.com> yeah, another reason -sk ssh keys are nicer. ;)
2024-05-06 19:35:32 <@zbyszek:fedora.im> I don't think this matters. We can't prevent people from putting their password in their github profile either.
2024-05-06 19:36:31 <@nirik:matrix.scrye.com> so, I'm fine with fesco saying people 'should' have a otp for now and try and work through issues that are had. There's also some 'best practices' things people should know tho, like enrolling several keys to have a backup, etc.
2024-05-06 19:37:01 <@nirik:matrix.scrye.com> I'm happy to make a doc/blog post/whatever on those...
2024-05-06 19:38:05 <@zbyszek:fedora.im> proposal: We want packagers to use 2FA and will start with proven packagers. As an initial step, the policy will be changed that PPs SHOULD enroll tokens for 2FA. Once the UX for packagers improved, we'll consider changing the policy to "MUST".
2024-05-06 19:38:41 <@tstellar:fedora.im> +1
2024-05-06 19:38:49 <@zbyszek:fedora.im> Feel free to reword.
2024-05-06 19:38:49 <@jistone:fedora.im> +1
2024-05-06 19:38:52 <@dcantrell:fedora.im> +1
2024-05-06 19:39:01 <@humaton:fedora.im> +1
2024-05-06 19:39:20 <@nirik:matrix.scrye.com> sure, thats fine +1
2024-05-06 19:40:01 <@zbyszek:fedora.im> !agreed We want packagers to use 2FA and will start with proven packagers. As an initial step, the policy will be changed that PPs SHOULD enroll tokens for 2FA. Once the UX for packagers improved, we'll consider changing the policy to "MUST". (+6, 0, 0)
2024-05-06 19:40:16 <@zbyszek:fedora.im> Phew.
2024-05-06 19:40:17 <@zbyszek:fedora.im> !topic Next week's chair

2024-05-06 19:40:24 <@zbyszek:fedora.im> Vlntrs?
2024-05-06 19:41:22 <@zbyszek:fedora.im> I would prefer not to do it next week, I have a bunch of family matters to attend to over the weekend.
2024-05-06 19:41:34 <@tstellar:fedora.im> I can do it.
2024-05-06 19:41:49 <@zbyszek:fedora.im> !action Tom Stellard  will chair next meeting

2024-05-06 19:41:49 <@zodbot:fedora.im> jistone gave a cookie to tstellar. They now have 17 cookies, 2 of which were obtained in the Fedora 40 release cycle
2024-05-06 19:41:53 <@zbyszek:fedora.im> Thanks.
2024-05-06 19:41:59 <@zbyszek:fedora.im> !topic Open Floor

2024-05-06 19:42:00 <@zodbot:fedora.im> kevin gave a cookie to tstellar. They now have 18 cookies, 3 of which were obtained in the Fedora 40 release cycle
2024-05-06 19:42:39 <@tstellar:fedora.im> I wanted to take about the backlog or PRs for redhat-rpm-config.  I think we need to designate official reviewers or something like that.
2024-05-06 19:42:40 <@zbyszek:fedora.im> The repro builds change was approved, so I plan to submit changes that'll make it happen this week or the next.
2024-05-06 19:42:53 <@tstellar:fedora.im> I wanted to talk about the backlog or PRs for redhat-rpm-config.  I think we need to designate official reviewers or something like that.
2024-05-06 19:43:02 <@tstellar:fedora.im> I wanted to talk about the backlog of PRs for redhat-rpm-config.  I think we need to designate official reviewers or something like that.
2024-05-06 19:43:16 <@zbyszek:fedora.im> The prep for bin-sbin merge is mostly done, but I'm waiting for selinux policy changes. Once that's done, I'll submit changes to make it happen too.
2024-05-06 19:43:59 <@nirik:matrix.scrye.com> as a heads up, I'm going to be scheduling some outages soon... need to migrate database servers and update/reboots, etc. (and hopefully move builders to f40, but thats stalled right now)
2024-05-06 19:44:26 <@nirik:matrix.scrye.com> Tom Stellard: thats been a long standing issue, we tried to add co-maintainers a while back, but I guess it didn't take?
2024-05-06 19:45:14 <@zbyszek:fedora.im> Hmm, there's 21 open PRs, maybe ~15 of those could be merged.
2024-05-06 19:45:27 <@tstellar:fedora.im> I think the main problem is that it's unclear who to ping to get a review.
2024-05-06 19:45:52 <@nirik:matrix.scrye.com> yeah, problem with large groups... who's actually responsible. ;(
2024-05-06 19:46:36 <@tstellar:fedora.im> I would volunteer to be a reviewer, but I'm unsure how to get 'official' status as someone who can approve patches.
2024-05-06 19:47:24 <@tstellar:fedora.im> I think other people may be in the same position.
2024-05-06 19:47:48 <@nirik:matrix.scrye.com> I guess mail the maintainers and ask to be added?
2024-05-06 19:50:04 <@codonell:fedora.im> Tom Stellard: Reviewing related PRs for redhat-rpm-config is something I do weekly, but we're only tracking the relevant ones to the toolchain for the subset of issues I care about.
2024-05-06 19:50:09 <@zbyszek:fedora.im> It should also be converted to rpmautospec. This is _exactly_ the kind of package where conflicts between PRs are exteremely painful because of %changelog.
2024-05-06 19:51:36 <@tstellar:fedora.im> OK, I will try to email the admins.
2024-05-06 19:52:16 <@zbyszek:fedora.im> !action Tom Stellard to mail admins of redhat-rpm-config for official access and do some reviews of open PRs.
2024-05-06 19:52:33 <@zbyszek:fedora.im> OK, other topics?
2024-05-06 19:52:59 <@zbyszek:fedora.im> If not, I'll close in a minute.
2024-05-06 19:54:14 <@zbyszek:fedora.im> !endmeeting

2024-05-06 19:54:42 <@zbyszek:fedora.im> Hmm, zodbot, are you here?
2024-05-06 19:54:52 <@zbyszek:fedora.im> !endmeeting