#fedora-golang log

19:00:02 <alexsaezm> #startmeeting Go SIG meeting
19:00:02 <zodbot> Meeting started Mon Feb 27 19:00:02 2023 UTC.
19:00:02 <zodbot> This meeting is logged and archived in a public location.
19:00:02 <zodbot> The chair is alexsaezm. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
19:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:02 <zodbot> The meeting name has been set to 'go_sig_meeting'
19:00:08 <alexsaezm> #topic Roll Call
19:00:12 <alexsaezm> Hi everyone!
19:02:08 <gotmax23> .hi
19:02:08 <zodbot> gotmax23: gotmax23 'Maxwell G' <maxwell@gtmx.me>
19:02:54 <gotmax23> Hi Álex!
19:03:00 <alexsaezm> Hi there :)
19:03:25 <alexsaezm> (i'll give a few more minutes till 05 and we can start :D)
19:03:34 <mikelo_m[m]> .hi
19:03:35 <zodbot> mikelo_m[m]: Sorry, but user 'mikelo_m [m]' does not exist
19:03:46 <mikelo_m[m]> .hello mikelo2
19:03:51 <zodbot> mikelo_m[m]: mikelo2 'Mikel Olasagasti Uranga' <mikel@olasagasti.info>
19:03:54 * mikelo_m[m] always forgets how to do it :D
19:04:35 <alexsaezm> funny that hi and hello are two different things...
19:04:37 <gotmax23> BTW, I'm sponsoring dghuble to help maintain containerd.
19:04:58 <alexsaezm> <3
19:06:02 <alexsaezm> we have a bunch of stuff in the issue tracker tragged with meeting: https://pagure.io/GoSIG/go-sig/issues?status=Open&tags=meeting&close_status=
19:06:03 * gotmax23 is a bit preoccupied with other tasks
19:06:08 <alexsaezm> any preferences?
19:08:10 <gotmax23> I just untagged the golang-race and leaves issues.
19:08:48 <gotmax23> I'm not sure if you've done any work towards #49. I have no updates about the other two.
19:09:19 <alexsaezm> thanks, yeah #50 and #48 I think they are not part of the meeting. Also, no, no updates on #49 yet
19:09:58 <alexsaezm> open floor then?
19:10:05 <gotmax23> Ack
19:10:07 <alexsaezm> #topic Open floor
19:10:21 <alexsaezm> zodbot seems to be sleepy
19:10:49 <alexsaezm> I updated f36 go package (https://pagure.io/fesco/issue/2941)
19:10:51 <alexsaezm> and that's it :D
19:11:36 <gotmax23> Thanks!
19:12:11 <alexsaezm> also, the http2 cve might require a mass-rebuild (kinda, 696 packages so far)
19:12:16 <mikelo_m[m]> that may break rclone stack due to the quic package version dep
19:12:28 <alexsaezm> mikelo_m: yay :-/
19:12:33 <gotmax23> How serious is the CVE?
19:13:32 <alexsaezm> gotmax23: Medium
19:13:37 <alexsaezm> it's not critical
19:14:21 <gotmax23> Perhaps we should discuss a policy for CVE rebuilds.
19:14:35 <gotmax23> It's non trivial to rebuild everything after every Go release
19:15:21 <alexsaezm> I think that it's not feasible to do a mass-rebuild with every single CVE, so probably only critical ones should trigger that
19:15:47 <gotmax23> :nod:
19:16:25 <alexsaezm> and if it's less than critical, well, we can wait for a normal update
19:16:43 <alexsaezm> we have tons of packages and in this case, it's a quarter of the whole golang packages
19:16:50 <gotmax23> We could consider doing them on a scheduled basis. Every couple releases or something. It's not that bad in rawhide, but stable branches are more difficult to mass rebuild.
19:17:31 <alexsaezm> you mean to do a mass rebuild after a couple of go updates?
19:17:32 <mikelo_m[m]> it says it's been fixed since 1.19.4 and that was pushed to Fedora 2 months ago https://src.fedoraproject.org/rpms/golang/c/67a51aa259eea7f853f3b9d72b88139ec85bfb55?branch=f37
19:17:35 <mikelo_m[m]> so there should be a bunch of packages that have been recompiled sine
19:17:38 <mikelo_m[m]> s/sine/since/
19:18:01 <alexsaezm> good point
19:18:02 <gotmax23> alexsaezm: that was the suggestion
19:18:24 <gotmax23> yeah, some packages that are regularly updated so this isn't as much of a problem
19:19:12 <alexsaezm> well, it makes sense, we know that once a go version reaches a Y release (1.20 for example) no new features are going to be added until N+1 so every Z update is a fix (CVE or not)... I like the idea
19:19:52 <alexsaezm> or wait for a specific point in  time
19:19:54 <alexsaezm> like each 3 months
19:21:11 <gotmax23> I could refine my scripts and make this easier, but in any case, the rebuild needs to be announced and the script to rebuild everything needs to be monitored, so this takes time. In stable releases, you have to avoid divergences from rawhide.
19:21:24 <gotmax23> Every 3 months seems reasonable
19:21:30 <gotmax23> Do you want to create a ticket?
19:22:05 <gotmax23> Perhaps every 3 months and only in the latest stable and rawhide releases
19:23:18 <alexsaezm> hmmmm so we need a ticket to discuss this with fesco, as a policy in general, and I understand that we will need a ticket every time we do the thing right?
19:23:24 <alexsaezm> I can create the ticket, yes
19:23:36 <gotmax23> I meant file a ticket on the go-sig tracker
19:23:44 <gotmax23> I don't think we necessarily need FESCo approval
19:24:18 <alexsaezm> yeah, I'll create it
19:24:18 <alexsaezm> oh ok
19:26:35 <alexsaezm> https://pagure.io/GoSIG/go-sig/issue/51
19:26:37 <alexsaezm> created
19:29:22 <alexsaezm> anything else to discuss? :)
19:29:39 <gotmax23> I think we can close out
19:30:54 <alexsaezm> epic
19:30:58 <alexsaezm> thanks a lot to everyone!!!
19:31:07 <alexsaezm> #endmeeting