<@mikelolasagasti:matrix.org>
18:28:22
open to discussion I guess
<@alexsaezm:fedora.im>
19:00:42
!startmeeting Go SIG meeting
<@meetbot:fedora.im>
19:00:43
Meeting started at 2024-03-25 19:00:42 UTC
<@meetbot:fedora.im>
19:00:43
The Meeting name is 'Go SIG meeting'
<@alexsaezm:fedora.im>
19:00:48
!topic Roll Call
<@alexsaezm:fedora.im>
19:00:52
Welcome everyone!
<@fale:fale.io>
19:01:13
!hello
<@mikelolasagasti:matrix.org>
19:01:19
!hello
<@zodbot:fedora.im>
19:01:25
Mikel Olasagasti Uranga (mikelo2)
<@zodbot:fedora.im>
19:01:26
Fabio Alessandro Locati (fale) - he / him / his
<@buckaroogeek:fedora.im>
19:01:34
!hello
<@zodbot:fedora.im>
19:01:35
Brad Smith (buckaroogeek)
<@alexsaezm:fedora.im>
19:02:41
we are a few today! (we can wait until 05 to see if we are even more people)
<@mikelolasagasti:matrix.org>
19:03:23
rushing home
<@alexsaezm:fedora.im>
19:05:52
We do have two tagged issues
<@alexsaezm:fedora.im>
19:05:56
<@alexsaezm:fedora.im>
19:06:11
is there any one in particular that we want to talk about?
<@buckaroogeek:fedora.im>
19:06:55
Nothing from me to contribute to these topics
<@alexsaezm:fedora.im>
19:06:57
Also, I just saw issue #54 and I totally missed that one, I think it is worth talking about at some point (although I am still reading the information linked)
<@mikelolasagasti:matrix.org>
19:07:06
#53 is complete, I think
<@mikelolasagasti:matrix.org>
19:09:12
it requires go2rpm 1.11 to generate the correct names
<@mikelolasagasti:matrix.org>
19:09:34
And packages with wrong naming just work
<@buckaroogeek:fedora.im>
19:09:47
I missed the last meeting or 2. Was the proposal by @gotmax concerning vendoring discussed?
<@mikelolasagasti:matrix.org>
19:10:19
I don’t think so
<@alexsaezm:fedora.im>
19:12:51
I didn't attend last meeting (I think it didn't happen) and the previous one was one month ago. Checking the logs I don't see anything, but I do recall talking about it. It might have happened outside the meeting
<@buckaroogeek:fedora.im>
19:14:00
ok. Seems like a necessary option at least for the packages I work on
<@fale:fale.io>
19:15:35
I have to admit that I've stopped updating a bunch of packages due to the issues with dependencies, hoping to propose months ago to allow vendoring, but obviously I did not propose it due to lack of time on my end, so those packages are a little outdated
<@mikelolasagasti:matrix.org>
19:15:58
are they new packages or updates?
<@mikelolasagasti:matrix.org>
19:17:21
My main difficulty to update my packages is the requirement of new deps. I don't like to beg for them to be reviewed.
<@alexsaezm:fedora.im>
19:18:26
It's not the first time I have a little bit of time to kill and I check some "is available" issues... to stop doing them because I need to fix a bunch of dependencies :)
<@mikelolasagasti:matrix.org>
19:18:48
there are some complex stacks like grpc/genproto that need to be updated, but as they require new packages... it's not that simple
<@fale:fale.io>
19:20:09
I would be tempted to focus on the go-vendor stuff and drop those stacks asap
<@buckaroogeek:fedora.im>
19:21:32
Updates - kubernetes and I help with cri-o, cri-tools, containernetworking-plugins
<@fale:fale.io>
19:22:34
I think the go-vendor issue is twofold: 1 is a priori: should we mass-vendor things? 2 is technical: is our implementation ok/when will it be ok/what is the current implementation missing?
<@mikelolasagasti:matrix.org>
19:22:46
I like the idea of vendoring to get things fast to Fedora. I did that with `opentofu` for example. Just one package and done. I would like to work on having all the packages... but that's complex because I depend on others to do the reviews.
<@mikelolasagasti:matrix.org>
19:23:46
and I feel that if everything is vendored then we're duplicating tons of libraries with different versions and for security/rebuilds it can be tricky
<@mikelolasagasti:matrix.org>
19:24:50
now it's update one library && rebuild packages. Vendored means for each package either update the package if a new version is released or patch the package source before the vendoring
<@fale:fale.io>
19:25:38
on one hand it is more tricky (since there are more things to scan), but on the other hand it is easier, since when a vulnerable version is discovered: 1. fewer packages will need to be rebuilt and 2. it will be easier to rebuild them. Also, on average, we will have more updated packages, so fewer vulnerable packages
<@alexsaezm:fedora.im>
19:27:04
Also, for simple packages, Packit will help a lot here as updates are way easier if they are vendored
<@mikelolasagasti:matrix.org>
19:27:13
not sure about that Fale, the number of packages that would require rebuild would be potentially the same. But the work is larger with vendored
<@alexsaezm:fedora.im>
19:27:46
my main concern is the first part, the criteria to vendor. I am eager to say let's mass vendor everything but I might be missing something
<@fale:fale.io>
19:28:30
my point on "less packages" is that only packages that will depend on a vulnerable version will need to be rebuilt, so if the vulnerable version is not the latest, we might already have a bunch of packages not vulnerable.
<@fale:fale.io>
19:29:40
I think that the advantages of those systems will be highest at the extremes, so either everything vendored or everything non-vendored. If we mix the systems we might get the worst of both worlds
<@fale:fale.io>
19:30:05
Though, I agree we might have some packages that will be vulnerable for longer time
<@mikelolasagasti:matrix.org>
19:30:13
I also wonder if at "Fedora Project" level vendoring by default can be considered a problem that requires discussion beyond go-sig
<@fale:fale.io>
19:30:44
I think we will need to propose a packaging guidelines change
<@alexsaezm:fedora.im>
19:30:51
I think we at some point should move the conversation to devel-
<@buckaroogeek:fedora.im>
19:31:13
alexsaezm: will go-sig need to make a formal recommendation on this topic? And also get FESCO concurrence if vendoring is widely adopted?
<@fale:fale.io>
19:31:54
I don't think that's a requirement, but it would surely make sense if the SIG has a recommendation
<@alexsaezm:fedora.im>
19:32:13
Once we know what we want to do, I think we should talk with FESCo and not do anything unilaterally
<@alexsaezm:fedora.im>
19:32:53
and as Fale said: the guidelines will change for sure
<@buckaroogeek:fedora.im>
19:34:02
ok. sounds reasonable. Since this is an ad-hoc topic today should it be on a future agenda? :)
<@alexsaezm:fedora.im>
19:34:25
let me check if we have something already in the issues...
<@alexsaezm:fedora.im>
19:34:50
nothing I can find...
<@fale:fale.io>
19:35:20
yeah, we discussed the topic multiple times in informal ways, but I think this is the first conversation in a formal location
<@alexsaezm:fedora.im>
19:36:05
!action Create an issue to properly discuss the vendoring issue
<@alexsaezm:fedora.im>
19:36:23
(not sure if action was the correct... action)
<@alexsaezm:fedora.im>
19:37:57
Any other topic that we want to discuss today?
<@buckaroogeek:fedora.im>
19:38:11
Nothing from me
<@fale:fale.io>
19:39:27
nothing from me
<@alexsaezm:fedora.im>
19:41:54
in that case... we can call it :)
<@alexsaezm:fedora.im>
19:43:03
I'll create the issue to gather all the stuff we want to discuss about the vendoring
<@alexsaezm:fedora.im>
19:43:06
thanks everyone!
<@alexsaezm:fedora.im>
19:43:08
!endmeeting