18:01:20 <alexsaezm> #startmeeting Go SIG meeting
18:01:20 <zodbot> Meeting started Mon Jun  6 18:01:20 2022 UTC.
18:01:20 <zodbot> This meeting is logged and archived in a public location.
18:01:20 <zodbot> The chair is alexsaezm. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
18:01:20 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:01:20 <zodbot> The meeting name has been set to 'go_sig_meeting'
18:01:29 <alexsaezm> #topic Roll Call
18:01:45 <alexsaezm> Hi everyone :)
18:01:49 <mikelo> o/
18:02:12 <jcajka> .hello jcajka
18:02:13 <zodbot> jcajka: jcajka 'None' <jcajka@cajka.dev>
18:02:18 * gotmax[m] is half here
18:02:33 <jcajka> hello
18:02:35 <mikelo> .hi mikelo2
18:02:36 <zodbot> mikelo: mikelo 'Miguel Angel Ortega Zapata' <mian.ortegaz@gmail.com>
18:02:47 <alexsaezm> awesome, today we are a lot!
18:02:49 <mikelo> mmm..... I'm not that one o_O
18:02:58 <gotmax[m]> jcajka: Do you have privacy turned on for your FAS account?
18:03:00 <gotmax[m]> That might be why it's none
18:03:22 <alexsaezm> odd
18:03:23 <gotmax[m]> mikelo: use `.hello`
18:03:28 <mikelo> .hello mikelo2
18:03:28 <zodbot> mikelo: mikelo2 'None' <mikel@olasagasti.info>
18:03:29 <gotmax[m]> .hellomynameis gotmax23
18:03:35 <zodbot> gotmax[m]: gotmax23 'Maxwell G' <gotmax@e.email>
18:03:43 <jcajka> gotmax[m]: not sure will check that, thanks :)
18:04:11 <gotmax[m]> Fun fact, `.hello`, `.hi`, and `hello2` are all short for `.hellomynameis`.
18:04:20 <alexsaezm> I had no idea O:
18:04:26 <gotmax[m]> s/`/`./
18:05:48 <mikelo> .hello mikelo2
18:05:49 <zodbot> mikelo: mikelo2 'Mikel Olasagasti' <mikel@olasagasti.info>
18:06:07 <alexsaezm> great :D
18:06:15 <alexsaezm> that's you, right? :D
18:06:58 <mikelo> yes, that's the correct one
18:07:17 <alexsaezm> awesome
18:07:37 <alexsaezm> I don't see any issue tagged for the meeting so we can move to the Open Floor
18:07:43 <alexsaezm> #topic Open Floor
18:08:00 <gotmax[m]> Don't we have CVEs we need to address?
18:08:06 <alexsaezm> yes
18:08:07 <alexsaezm> there's one
18:08:16 <alexsaezm> but it wasn't tagged lol
18:08:25 <alexsaezm> I want to comment a thing on that and hear your opinions
18:08:49 <alexsaezm> so the update is ready but secteam didn't file the bug yet so I didn't publish the update to bodhi
18:09:11 <mikelo> which cve?
18:09:15 <alexsaezm> I don't want to wait for a bug that much... so what do you think? should I just push the update? wait?
18:09:25 <alexsaezm> mikelo, let me find the cve...
18:09:29 <gotmax[m]> I would just push it.
18:09:36 <gotmax[m]> You can still mark it as a security update on Bodhi
18:09:43 <gotmax[m]> alexsaezm: That would be helpful
18:09:47 <alexsaezm> https://bugzilla.redhat.com/show_bug.cgi?id=2092793
18:09:49 <mikelo> if it's not embargoed and just waiting for a BZ, then I would say also push
18:10:14 <alexsaezm> that's the cve main bug, not the fedora one that I'm waiting for
18:10:22 <gotmax[m]> F34 EOLs tomorrow, so we can probably just ignore that one
18:10:28 <gotmax[m]> I mean the one that was reported for f34
18:10:40 <alexsaezm> which one?
18:10:53 * gotmax[m] looks
18:11:22 <jcajka> gotmax[m]: +1 and I think you can even add the CVE BZ ex post into the bodhi update or just note that in the BZ, if not
18:11:55 <mikelo> CVE-2022-28327 & CVE-2022-24675
18:12:16 <mikelo> those are the CVEs that were reported for F34 iirc
18:12:30 <gotmax[m]> Yeah, I think so
18:12:49 * alexsaezm is waiting for bugzilla to load...
18:12:58 <gotmax[m]> Me to :D
18:13:01 <gotmax[m]> *too
18:13:07 <mikelo> Fale[m], and I discussed with RH's prodsec team about those CVEs and that they should probably avoid opening BZ's against 'library' packages
18:14:16 <mikelo> and provided them this thread & command https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org/message/BFO2UV6VOZ33RKUXMSPVKPHE4XCFJVQT/
18:14:34 <mikelo> but I understand that the CVE alexsaezm was referring to is another CVE
18:14:56 <alexsaezm> yes, I mean, we have 3 as far as I understand
18:15:07 <alexsaezm> two (I'm still waiting for bugzilla) for f34
18:15:17 <alexsaezm> and the one I was asking about is for rawhide and f36
18:15:20 <alexsaezm> 1.18.3
18:16:07 <gotmax[m]> We also really need to figure out the large amount of FTBFS packages.
18:16:17 <gotmax[m]> We won't be able to rebuild them until they're fixed
18:16:25 <mikelo> alexsaezm, maybe it's a good time for you (and your team at RH?) to sit down with prodsec and discuss about what tickets need to be opened by them?
18:16:56 <mikelo> fale and I did, but our work for Fedora is not part of our duties at RH
18:17:11 <mikelo> we can be in the loop, of course
18:17:18 <alexsaezm> mikelo, I think we can do that, let me see if dbenoit is here reading (we work together and I would like to read his take)
18:17:43 <gotmax[m]> They should only be reporting for go packages that contain binaries
18:18:20 <alexsaezm> that makes sense
18:18:44 <mikelo> gotmax[m], we explained that to them and they said they'll check the query. I think it's important alexsaezm or someone to contact them for this new cve and ensure they do the correct thing and less noise
18:19:03 <gotmax[m]> +1
18:19:04 <alexsaezm> I'll check how to start the conversation
18:19:17 <mikelo> alexsaezm, I can provide you details later
18:19:20 <jcajka> technically also plugins or .so. but I'm not aware that there are any packages that ship them
18:19:32 <alexsaezm> (I think I saw a way to add meeting minutes to the IRC chats..)
18:20:11 <gotmax[m]> FYI: I believe the F34 bugs will automatically close once it goes EOL
18:20:11 <gotmax[m]> I think it's `#info`.
18:20:55 <gotmax[m]> You can also use `#action` to say that someone will do something, and it will show up in the meetbot minutes.
18:21:22 <jcajka> alexsaezm: #action and #info
18:21:27 <alexsaezm> got it
18:21:29 <alexsaezm> thanks all
18:21:59 <alexsaezm> #action alexsaezm will talk with mikelo to sync on how to start a conversation with security team in order to discuss the type of tickets to be opened
18:22:43 <gotmax[m]> On another note, does anyone care if I handle https://pagure.io/GoSIG/go-sig/issue/25?
18:22:50 <alexsaezm> regarding the f36 cve... are we ok then with pushing the update to bodhi without the cve bug?
18:23:00 <gotmax[m]> Yes
18:23:13 <gotmax[m]> You can always edit the update or close it manually later
18:23:21 <alexsaezm> got it
18:23:32 <alexsaezm> gotmax[m], regarding the #25 feel free, as far as I know they are not relevant anymore
18:23:42 <jcajka> gotmax[m]: feel free to go ahead with that
18:24:00 <alexsaezm> #action alexsaezm will push the 1.18.3 update to f36
18:24:10 <gotmax[m]> For the F36 CVE, we will need to do a mass rebuild
18:24:12 * alexsaezm hopes the action command is working lol
18:24:56 <alexsaezm> gotmax[m], never did that... is there a procedure?
18:25:24 <mikelo> gotmax[m], mass? wouldn't again be like with the f34 cve to rebuild binary packages?
18:25:30 <jcajka> I would assume one would request side that for that
18:25:44 <jcajka> ...side tag...
18:25:58 <gotmax[m]> mikelo: Yes, that probably wasn't the best phrasing
18:26:25 <gotmax[m]> jcajka: Yes, you have to clone all the packages, bump the release, and rebuild in a side tag.
18:26:37 <gotmax[m]> Fale handled it last time
18:26:52 <jcajka> I guess it morphed to that https://docs.fedoraproject.org/en-US/rawhide-gating/multi-builds/
18:27:09 <mikelo> Fale[m], created some scripts to handle it, alexsaezm you may want to contact him
18:27:22 <mikelo> but there is one problem, some packages don't have go-sig as committer
18:27:30 <alexsaezm> right
18:27:42 <Fale[m]1> I can run them for this time as well
18:27:53 <mikelo> we discussed about adding a step in the go-sig doc to require go-sig group to be added to each package unless a good reason is given
18:28:25 <mikelo> that should help with rebuilds *and* some of the FTBFS
18:28:30 <gotmax[m]> #action Fale to handle rebuilding binary packages to fix CVE-2022-30629.
18:29:09 <gotmax[m]> Thanks!
18:29:30 <mikelo> the rclone stack FTBFS is blocked in part because some packages miss go-sig group permissions
18:30:49 <gotmax[m]> Fale: When you sent your reminder email, did you BCC the packagers who needed to take action?
18:31:18 <Fale[m]1> @[Maxwell (@gotmax) (He/Him)] no I did not. I did ping eclipseo separately though
18:31:40 <Fale[m]1> More than 50% of problematic packages are owned by him
18:32:06 <gotmax[m]> Got it
18:32:17 <gotmax[m]> Maybe it's worth forwarding it to them individually in case they don't read the list?
18:32:17 <jcajka> Do we have any proven package around?
18:32:35 <gotmax[m]> eclipseo_ is
18:32:35 <jcajka> proven packager around
18:32:54 <Fale[m]1> I was planning to send a new ping in few days, I can try bcc people this time
18:33:11 <jcajka> they could help out, it should be also possibility to get sponsored
18:33:43 <mikelo> Fale[m]1, I contacted him 6 days ago and no news
18:33:44 <jcajka> if you plan to focus on this, I think it would help to get sponsored
18:33:54 <jcajka> eventually
18:33:56 <gotmax[m]> The `[packagename]-maintainers@fedoraproject.org` aliases might help.
18:33:58 <Fale[m]1> Elliot is PP
18:34:52 <Fale[m]1> If we can not solve the gosig permission issue, I think we should evaluate to nominate new PP as a sig
18:34:59 <Fale[m]1> To manage those situations
18:35:29 <Fale[m]1> Because I believe golang CVEs will accelerate in the next few months/years
18:36:00 <gotmax[m]> Fale[m]1: Well, FESCO has to approve it
18:36:30 <Fale[m]1> Absolutely, but we can propose ;-)
18:37:13 <alexsaezm> who wants to handle this? :)
18:37:38 <jcajka> it needs to be a individual person, but Go SIG wreaking havoc on the whole Fedora sounds cool :D
18:38:06 <gotmax[m]> Well, we'd only be touching go packages
18:38:33 <jcajka> but proven packager can touch everything, except few other packages, it is not really for a SIG as a whole
18:39:31 <Fale[m]1> I would prefer if we fix the core problem (IE missing gosig permissions). Imho if we can not fix it in 1 or 2 months we go for plan B
18:40:05 <mikelo> +1
18:40:51 <mikelo> but if someone still wants to try to be a provenpackager that's another option, no need to wait
18:40:56 <Fale[m]1> (sorry guys for the typos, I'm from my phone in a pub :-D)
18:40:59 <jcajka> Fale[m]: +1
18:43:03 <gotmax[m]> <jcajka> "it needs to be a individual..." <- Sorry, I thought you were still talking about the mass rebuild. I now realize my comment makes no sense.
18:43:16 <mikelo> Fale[m]1, the plan would be then to list the go packages that don't have go-sig as group and contacting the owners. I think you've the script to list the packages, I can try to contact owners
18:43:18 <gotmax[m]> * about the go mass rebuild.
18:43:22 <gotmax[m]> Also, Fale++ for handling that
18:43:53 <gotmax[m]> fale++
18:43:53 <zodbot> gotmax[m]: Karma for fale changed to 1 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
18:44:15 <Fale[m]1> @mikelo I've written code to automate it. I've sent an email a week ago for it, so I can just run it as many times as needed
18:44:33 <mikelo> fale++ that's even better!
18:44:33 <zodbot> mikelo: Karma for fale changed to 2 (for the current release cycle):  https://badges.fedoraproject.org/tags/cookie/any
18:45:45 <alexsaezm> awesome, thanks Fale[m]1
18:47:02 <alexsaezm> do we have something else open? we talked about a lot of things today
18:48:08 <gotmax[m]> I don't think so
18:48:08 <jcajka> I just wanted to note that upstream Go is considering new policy for ports of Go https://github.com/golang/go/discussions/53060 might be of interest to some
18:48:25 <jcajka> to take part in the discussion
18:49:05 <Fale[m]1> I have one point: shall we consider different time for this meeting? At least check if this is optimal time for everyone
18:49:15 <alexsaezm> oh thanks jcajka I need to read that
18:49:39 <gotmax[m]> `linux/ppc64le` and `linux/s390x` are the secondary ones that we build for
18:49:52 <jcajka> and linux/arm64
18:49:53 <alexsaezm> Fale[m]1, I think we talked about this few months ago but of course, we can always run again a vote and gather the info
18:50:20 <jcajka> alexsaezm, Fale[m]1: I can start the vote,survey for that
18:51:09 <jcajka> arm64 is first class nowadays
18:51:30 <gotmax[m]> Yeah
18:53:16 <gotmax[m]> We might want to move the meeting to one of the #fedora-meeting rooms like the other groups do.
18:54:01 <jcajka> gotmax[m]: as long as you have a bot and not much traffic it works here, but meeting room is always an option
18:54:26 <gotmax[m]> https://pagure.io/irc/issue/27#comment-736840
18:55:35 <gotmax[m]> I think we can close this out if nobody has anything else to say
18:56:05 <alexsaezm> not from my side
18:56:26 <jcajka> same here
18:56:39 <mikelo> same
18:57:17 <alexsaezm> thanks a lot, it was a nice meeting. Hope you all have a great day
18:57:28 <gotmax[m]> #endmeeeting
18:57:28 <alexsaezm> #endmeeting