<@james:fedora.im>
17:00:07
!startmeeting fpc
<@meetbot:fedora.im>
17:00:08
Meeting started at 2026-03-05 17:00:07 UTC
<@meetbot:fedora.im>
17:00:08
The Meeting name is 'fpc'
<@james:fedora.im>
17:00:12
!topic Roll Call
<@tibbs:fedora.im>
17:00:55
Hello.
<@james:fedora.im>
17:00:56
Hey
<@decathorpe:fedora.im>
17:05:11
hello 👋🏻
<@james:fedora.im>
17:06:04
50% moar ppls ;)
<@salimma:fedora.im>
17:07:35
!hi
<@zodbot:fedora.im>
17:07:36
Michel Lind (salimma) - he / him / his
<@salimma:fedora.im>
17:07:43
phew, I know I was forgetting something
<@tibbs:fedora.im>
17:08:43
Unfortunately we're still short.
<@tibbs:fedora.im>
17:09:13
I managed to get the calendar back into my phone so at least I get a notice if neochat doesn't do the ping sound.
<@james:fedora.im>
17:09:19
For quorum, but we can talk about things ... and no new tickets, and the PR needs work.
<@decathorpe:fedora.im>
17:10:48
I suggested that the "packaging" org could also be the home for FedoraReview and similar guidelines-related (ish) stuff. it doesn't really fit anywhere else
<@decathorpe:fedora.im>
17:10:48
should I file a ticket to get an org on forge.fp.o created?
<@james:fedora.im>
17:11:37
Yeh, we should move "pretty soon"
<@tibbs:fedora.im>
17:12:01
Certainly something should happen and at least the ticket migration should be painless now.
<@james:fedora.im>
17:12:22
The actual migration should be fairly painless though, although the PRs will likely have problems if users haven't moved over.
<@tibbs:fedora.im>
17:12:34
I don't know about the tools; I don't have a problem with them being under the FPC umbrella but I don't know how much control we will have over permissions and such.
<@decathorpe:fedora.im>
17:12:34
ok, I can file a ticket with a proposed structure and you can weigh in there if I made any mistakes or weird choices?
<@decathorpe:fedora.im>
17:12:55
permissions should be settable in a way we want it, I'll make a proposal for that.
<@tibbs:fedora.im>
17:13:28
And also, do we have concerns about any expectations that come along with these things being under our umbrella?
<@james:fedora.im>
17:13:43
Yeh, the only real problem I know about is private tickets and we don't really have those.
<@tibbs:fedora.im>
17:13:45
As in, do we as a committee actually want to maintain those tools?
<@decathorpe:fedora.im>
17:14:47
I don't think that would (or should) change
<@decathorpe:fedora.im>
17:14:47
maintain - not really
<@tibbs:fedora.im>
17:15:26
Well, if it's under the FPC umbrella then there's sort of an implicit declaration that FPC is responsible for it in some way.
<@tibbs:fedora.im>
17:15:32
Maybe more of an explicit one.
<@decathorpe:fedora.im>
17:15:33
I mean, if the permissions system doesn't allow to set this up in a way that is satisfactory we'll find a different solution
<@decathorpe:fedora.im>
17:16:02
but I would have reached for the obvious one first before thinking about more complicated things
<@james:fedora.im>
17:18:23
We should probably talk about the PR:
<@james:fedora.im>
17:18:33
!topic FPC PR#1525 https://pagure.io/packaging-committee/pull-request/1525
<@james:fedora.im>
17:19:17
I had a look and both the comments seem good to me.
<@tibbs:fedora.im>
17:20:05
Ugh; sometimes the browser hangs on the catgirl.
<@decathorpe:fedora.im>
17:20:27
I'm not sure I understand the thing though
<@salimma:fedora.im>
17:20:32
so... one thing
<@salimma:fedora.im>
17:20:43
this seems really quite complicated to have in a spec - should it be a macro?
<@salimma:fedora.im>
17:20:55
oh yaakov said that
<@tibbs:fedora.im>
17:20:56
That was the last comment there.
<@decathorpe:fedora.im>
17:21:04
it runs jq and pipes the output to devnull?
<@salimma:fedora.im>
17:21:13
I think it's relying on the error code
<@salimma:fedora.im>
17:21:27
you get the stderr printed out still I guess
<@decathorpe:fedora.im>
17:21:49
ah.
<@salimma:fedora.im>
17:21:51
but yeah a) this should be a macro and b) there should probably be examples of what it's supposed to look like when it's valid and invalid
<@decathorpe:fedora.im>
17:22:02
note that this is too simplistic to verify SPDX expressions
<@tibbs:fedora.im>
17:22:13
Yes, that is a really unfortunate amount of boilerplate. How many packages will need this?
<@decathorpe:fedora.im>
17:22:24
just AND ing everything together isn't giving you correct results in a lot of cases
<@decathorpe:fedora.im>
17:23:02
like, A OR B AND C OR D is not a valid expression AFAIK
<@tibbs:fedora.im>
17:23:13
I'm just not thinking that this is something which can be fully automated in general.
<@tibbs:fedora.im>
17:23:43
My question is whether it would even be useful for the majority of packages.
<@decathorpe:fedora.im>
17:23:53
the new Go tooling allows you to do this. but it also gives you knobs to tweak in cases where the simple solution is wrong
<@james:fedora.im>
17:23:58
Yeh, I don't think we want to require it ... but maybe it's useful for simple packages?
<@james:fedora.im>
17:24:25
I guess the problem in js land is that you get 666 deps. ... and they pull in new deps. randomly.
<@decathorpe:fedora.im>
17:24:29
simple? Nodejs?
<@james:fedora.im>
17:25:12
I guess we could request some stats. on how many js packages this does/doesn't work for?
<@salimma:fedora.im>
17:25:17
you intentionally used that number did you not
<@james:fedora.im>
17:26:55
I take no responsibility for creating a language without ints, but I'm not going to recommend it.
<@decathorpe:fedora.im>
17:27:05
the question is ... why document something that is known not to work in common cases?
<@decathorpe:fedora.im>
17:27:27
if any dependency is dual-licensed it breaks
<@salimma:fedora.im>
17:27:43
*cough* Lua *cough*
<@salimma:fedora.im>
17:27:58
sure it's the language we embed in RPM, what could go wrong
<@james:fedora.im>
17:29:39
JS = "At least it's not javabeans"
<@james:fedora.im>
17:29:39
LUA = "At least it's not rpm macros and sh"
<@james:fedora.im>
17:30:04
¯\_(ツ)_/¯
<@decathorpe:fedora.im>
17:30:12
I can comment on the PR with my misgivings about the current implementation
<@salimma:fedora.im>
17:30:14
both really should have Lispy syntax and JS almost had that early on :P
<@decathorpe:fedora.im>
17:31:13
(enqueue (decathorpe (comment (fpcticket text))))
<@james:fedora.im>
17:31:30
ha
<@salimma:fedora.im>
17:32:09
eh Clojure has a -> threading functino for that
<@salimma:fedora.im>
17:32:26
(-> (fpcticket text) comment decathorpe enqueue) I guess
<@decathorpe:fedora.im>
17:32:33
I only know lambda calculus. no fancy stuff like that
<@salimma:fedora.im>
17:32:40
eh Clojure has a -> threading function for that
<@decathorpe:fedora.im>
17:33:00
aw, and there I thought it was actually called "functino" ...
<@salimma:fedora.im>
17:33:05
let me introduce you to the SKI combinator calculus :P
<@salimma:fedora.im>
17:33:18
functino sounds like a function that escaped from CERN
<@james:fedora.im>
17:33:33
Clojure = At least it's not Java ;)
<@james:fedora.im>
17:34:08
Anyway ...
<@james:fedora.im>
17:34:12
!topic Open Floor
<@decathorpe:fedora.im>
17:34:51
!action decathorpe to file forge org creation request
<@decathorpe:fedora.im>
17:35:00
just so I don't forget
<@james:fedora.im>
17:35:08
Oh, I missed that there were two nodejs things ...
<@james:fedora.im>
17:35:10
https://pagure.io/packaging-committee/pull-request/1521
<@salimma:fedora.im>
17:35:13
should we talk PURL and SBOM?
<@decathorpe:fedora.im>
17:35:35
should? maybe. want? eh ...
<@decathorpe:fedora.im>
17:36:06
ah, the second PR looks obsolete.
<@salimma:fedora.im>
17:36:07
oh let's discuss the PR first then
<@james:fedora.im>
17:36:13
I vaguely remember talking about this? Maybe it was just reading the emails?
<@james:fedora.im>
17:36:42
But I thought someone mentioned it was weird that the BR lines are requiring 3 different things.
<@decathorpe:fedora.im>
17:36:45
nodejs packaging was "improved" so I think this should no longer be necessary.
<@james:fedora.im>
17:37:09
Ok, I'm happy to close it
<@james:fedora.im>
17:37:44
Yeh, for some reason I've just seen my comment.
<@james:fedora.im>
17:37:57
Okay, back to open floor.
<@tibbs:fedora.im>
17:38:08
This is probably also the source of the discussion about *-unversioned-cmd
<@salimma:fedora.im>
17:38:40
so the PURL thing - security folks basically asked if we have something SBOM-like in our package metadata
<@salimma:fedora.im>
17:39:46
I think Fabio suggested PURL? seems like something that hopefully we can auto-generate from the existing python3dist(..) / crate(...) etc.
<@decathorpe:fedora.im>
17:40:27
yup
<@salimma:fedora.im>
17:40:42
the current situation with CVE false positives is so bad, we probably should make it as easy as possible for them since... that might make it easier for the life of all the contributors
<@james:fedora.im>
17:40:56
So ... https://github.com/package-url/purl-spec
<@decathorpe:fedora.im>
17:41:30
adding purl virtual provides to Rust packages would be trivial
<@decathorpe:fedora.im>
17:42:11
should be similarly straightforward for most other "modern" language stacks
<@decathorpe:fedora.im>
17:42:11
i.e. anything not C/C++
<@salimma:fedora.im>
17:42:35
hey even Perl should work
<@salimma:fedora.im>
17:42:40
does that mean it's modern
<@salimma:fedora.im>
17:42:58
yeah the dependency management story (or lack thereof) in C/C++ land makes me sad
<@james:fedora.im>
17:43:45
This is one extra purl per package? Or one per. crate?
<@decathorpe:fedora.im>
17:43:57
one per source package
<@salimma:fedora.im>
17:44:02
they file the bugs against the source package, so yeah
<@james:fedora.im>
17:44:58
Yeh, that's probably fine IMO. Do we need to approve policy for it, or "just" have someone update some macros?
<@decathorpe:fedora.im>
17:45:22
so we'd want to do this?
<@decathorpe:fedora.im>
17:45:34
has somebody confirmed with Red Hat that this would help them?
<@james:fedora.im>
17:45:51
I didn't say that ... I'm more like, that seems like a small cost to accept if someone wants to do it.
<@decathorpe:fedora.im>
17:45:59
ah. right
<@james:fedora.im>
17:46:54
Maybe whoever runs ELN has an opinion on how useful it is?
<@salimma:fedora.im>
17:47:04
yeah I think we basically just want to say if RH ProdSec finds it useful, we wouldn't stand in the way
<@salimma:fedora.im>
17:47:26
we can ask at the next ELN meeting
<@decathorpe:fedora.im>
17:47:35
and maybe document the expected syntax so everybody does it the same way
<@james:fedora.im>
17:47:55
Did the security people who mentioned this have any opinion on purl?
<@salimma:fedora.im>
17:47:55
yeah that's where FPC comes in I guess
<@decathorpe:fedora.im>
17:48:18
not yet I think
<@salimma:fedora.im>
17:48:29
hmm - it's been nirik who's the go between I think? not sure if it's bubbled up back to them yet
<@james:fedora.im>
17:49:57
nirik has a meeting that clashes with this one almost every week of the year, and is always super busy ... bringing it up at the next ELN meeting seems a better first step. Anyone want to volunteer for that?
<@decathorpe:fedora.im>
17:50:37
when are eln meetings?
<@salimma:fedora.im>
17:51:12
Tuesdays
<@decathorpe:fedora.im>
17:51:17
or we can bring it up at the FCRL level too
<@salimma:fedora.im>
17:51:35
11 AM Eastern so 4 PM GMT / 5 PM CET right now
<@james:fedora.im>
17:51:36
https://docs.fedoraproject.org/en-US/eln/sig/#_meetings
<@salimma:fedora.im>
17:51:50
yeah, so we can do ELN first and then FRCL since the time lines up
<@salimma:fedora.im>
17:52:11
and at least this is something concrete, that meeting sometimes ends up being an airing of grievances / wishlists
<@decathorpe:fedora.im>
17:52:32
next week should be Fedora Sandbox
<@james:fedora.im>
17:52:42
s/that/all/ ;)
<@salimma:fedora.im>
17:53:10
sandbox?
<@decathorpe:fedora.im>
17:53:12
alright I'll try to remember. and if I don't I have Michel as my backup :)
<@decathorpe:fedora.im>
17:53:24
Jef's Proposal
<@salimma:fedora.im>
17:53:29
(I'm undercaffeinated today so I... oh right)
<@salimma:fedora.im>
17:53:45
yeah we'll queue this up to get voted for the next FRCL topic after next
<@james:fedora.im>
17:55:20
Okay, anything else for the last 5 minutes?
<@decathorpe:fedora.im>
17:56:00
I need to get dinner and then go/no-go meeting :(
<@salimma:fedora.im>
17:56:02
is this meeting technically one hour? I've been booking it as half an hour in my work calendar copy
<@salimma:fedora.im>
17:56:11
oh go/no go is today! I should come
<@decathorpe:fedora.im>
17:56:22
in 5 minutes!
<@decathorpe:fedora.im>
17:56:53
I think 60 minutes? but I'm not at my desk to check calendar.fp.o
<@salimma:fedora.im>
17:56:57
trying to find it on fedocal
<@salimma:fedora.im>
17:57:18
ah Fedora release has a separate calendar
<@salimma:fedora.im>
17:57:20
doh
<@james:fedora.im>
17:57:42
it's 100% 60m in calendars
<@salimma:fedora.im>
17:57:44
and yes fpc is an hour
<@james:fedora.im>
17:58:08
I try to close it early, if we don't have much to discuss, though.
<@james:fedora.im>
17:58:32
Anyway ... go get food and do the go/no-go dance for beta ;)
<@conan_kudo:matrix.org>
17:58:53
!hi
<@james:fedora.im>
17:58:54
Conan Kudo: I saw you typing ;P
<@zodbot:fedora.im>
17:58:56
Neal Gompa (ngompa) - he / him / his
<@conan_kudo:matrix.org>
17:59:46
It can be done with pc and CMake data at least
<@conan_kudo:matrix.org>
18:00:04
Which covers a very large cross section
<@conan_kudo:matrix.org>
18:00:31
We have bomtool that does some version of this in fedora
<@salimma:fedora.im>
18:01:20
and now go/no-go has started and we're out of time
<@james:fedora.im>
18:01:52
Maybe see you all in a couple of weeks (not sure I'll be here or not).
<@james:fedora.im>
18:01:59
!endmeeting