15:09:53 <decathorpe> #startmeeting Stewardship SIG Meeting (2019-10-15)
15:09:53 <zodbot> Meeting started Tue Oct 15 15:09:53 2019 UTC.
15:09:53 <zodbot> This meeting is logged and archived in a public location.
15:09:53 <zodbot> The chair is decathorpe. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:09:53 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:09:53 <zodbot> The meeting name has been set to 'stewardship_sig_meeting_(2019-10-15)'
15:10:02 <decathorpe> #meetingname stewardship-sig
15:10:02 <zodbot> The meeting name has been set to 'stewardship-sig'
15:10:08 <decathorpe> #topic Roll Call
15:10:20 <cipherboy> \o
15:10:21 <decathorpe> sorry for the delay, I lost track of time during dinner
15:10:34 <decathorpe> #chair cipherboy
15:10:34 <zodbot> Current chairs: cipherboy decathorpe
15:10:44 <cipherboy> mhroncok: \o
15:11:32 <cipherboy> decathorpe: I reviewed the agenda, looks good. TODO is the one I'm a bit fuzzy about.
15:11:40 <decathorpe> the agenda looks a bit boring I think. we only got a new CVE issue for commons-comoress
15:11:48 <decathorpe> *commons-compress
15:12:03 <decathorpe> but we can just merge the recent rawhide update back into stable branched
15:12:10 <cipherboy> decathorpe: I'll ACK backport from rawhide.
15:12:29 <decathorpe> I'll get to it later today :)
15:12:50 <decathorpe> you mean you're unsure about the TODO.md file I added to the repo?
15:13:13 <cipherboy> Yeah but we can get to that in time. :)
15:13:48 <decathorpe> #topic TODO Items
15:13:56 <decathorpe> I have nothing else to talk about ;)
15:14:05 <cipherboy> Ah ok :)
15:14:27 <decathorpe> in general, I created this list from the current build status of resteasy and its deps
15:14:50 <decathorpe> though things might change once you build it with reduced dependency set
15:16:10 <decathorpe> regarding your metrics question on the ticket: we're now at 71% of packages being up to date
15:17:48 <cipherboy> Ah I guess I own half of these packages, that's why I'm not familiar with them. ;-0
15:18:12 <decathorpe> yeah I opened some PRs against your packages as well
15:18:21 <decathorpe> I fixed 2/3 Jackson packages
15:18:34 <cipherboy> decathorpe: I think I need to change my email account on Fedora from my personal to my work.
15:18:43 <cipherboy> decathorpe: Messages keep getting lost :/
15:18:52 <decathorpe> that's not good
15:18:57 <decathorpe> 😅
15:21:31 <decathorpe> there's one thing I wanted to mention - seems like people are going to judge our work by whether we manage to update maven to 3.6 or not ... should we start working on that?
15:21:58 <cipherboy> Wait, do we maintain the ursine Maven?
15:23:23 <cipherboy> And outside of updating the packages we maintain to the latest versions, does this involve a lot of upstream work?
15:23:36 <cipherboy> I'd say lots of upstream work is outside of scope for _this_ SIG.
15:23:56 <cipherboy> Same with updating to JDK 11: that's driven by the Java SIG. We can do whatever we need to to fix breakage, but we're also not going to do lots of upstream work for that either.
15:24:14 <decathorpe> cipherboy: we do
15:24:45 <decathorpe> cipherboy: there's already a maven-3.6 branch, we could probably reuse most of the work from there
15:24:45 <cipherboy> decathorpe: Ah I see that now. Is maven 3.6 in modular?
15:24:49 <decathorpe> yes
15:25:17 <cipherboy> ACK, then I'd go for it. Its not a priority for dogtag since we don't use maven, but I don't know whodoes.
15:25:34 <decathorpe> everything that's not building with ant :)
15:25:43 <cipherboy> :) Okie dokie
15:25:48 <cipherboy> (We build with CMake but we're weird)
15:26:08 <decathorpe> heh
15:26:28 <cipherboy> https://github.com/picketbox/picketbox/
15:26:29 * cipherboy sighs
15:26:41 <cipherboy> Wonder if it moved somewhere.
15:26:46 <decathorpe> ooof
15:27:10 <cipherboy> The website is even worse: https://picketbox.jboss.org/downloads
15:27:19 <cipherboy> 5.1.0.Final is latest -- but 3.0.0 on the website.
15:27:45 <decathorpe> looks like someone resurrected it here: https://github.com/picketbox-back
15:28:06 <decathorpe> though 2012 seems a bit ... old
15:28:07 <cipherboy> Yeah, I'll take a look at all the deps in the TODO list and update them.
15:28:16 <cipherboy> decathorpe:  Yeah, that's older than 5.1.0.Final -- 2018
15:28:25 <decathorpe> :(
15:28:32 <cipherboy> decathorpe:  I'll poke some JBoss folks.
15:28:40 <decathorpe> are they still around?
15:28:46 <cipherboy> JBoss is still around :)
15:28:59 <cipherboy> I'll ask resteasy team how they're using picketbox and if they know of a more recent fork.
15:29:00 <decathorpe> you mean, like haunting us?
15:29:17 <cipherboy> Hmmm, no, we're haunting them.
15:29:36 <decathorpe> possible
15:30:37 <decathorpe> by the way, have you seen the google spreadsheet link I sent / linked from the README? I find it really useful to get a quick overview of how we're doing
15:31:50 <cipherboy> Nifty :)
15:32:18 <decathorpe> yeah I started going through at all the outdated stuff  a few weeks ago
15:32:42 <decathorpe> and it left some scars :)
15:33:09 <decathorpe> like, upstream is dead, java.net doesn't exist anymore, where are you supposed to download sources from? :/
15:34:29 <decathorpe> but it was really useful to figure out the "package name" <-> "groupId:artifactID" mapping ...
15:36:42 <decathorpe> cipherboy: by the way, before I forget: if you want to build some packages for f31 but need something that's not been pushed to stable yet, feel free to ping me, then I can set up the buildroot overrides
15:39:43 <cipherboy> ACK, will do :)
15:40:04 <cipherboy> sorry, was talking in other meeting.
15:40:10 <cipherboy> But yeah, that mapping is good to have ;)
15:40:25 <cipherboy> Doesn't eclipse own most of the EE packages now? So GitHub I think has some stuff.
15:40:52 <decathorpe> cipherboy: no problem
15:40:58 <decathorpe> yeah but they don't have everything
15:41:04 <cipherboy> Ah, that's yucky.
15:41:09 <decathorpe> only *most things*, which makes this terrible
15:41:24 <decathorpe> some of our packages don't have an upstream anymore. yay
15:41:38 <cipherboy> Are those annotated somehow?
15:41:53 <decathorpe> I started marking them with "BORKED (dead)"
15:42:05 <cipherboy> ah, gotcha.
15:42:20 <decathorpe> I also thought about creating "new" upstream projects for them ... I assume fedora is not the only distro with this problem?
15:42:41 <cipherboy> What's broken about Java 9?
15:42:49 <decathorpe> that package requires Java 9
15:42:53 <decathorpe> and we don't have it yet :)
15:43:09 <cipherboy> We might want to check with Debian/Ubuntu maintainers to see what they're doing but no point rushing it.
15:43:13 <cipherboy> We have JDK11?
15:43:22 <decathorpe> yeah
15:43:35 <decathorpe> but it's not the default JDK. so you can't build things with it
15:43:37 <cipherboy> Not that I'm an expert though, but you could compile with JDK11 and target JDK 8...
15:43:44 <cipherboy> Oh, really? What's the point of having things available with it?
15:43:48 <cipherboy> **of having it available?
15:43:55 <decathorpe> you can *run* things on it
15:44:09 <decathorpe> `alternatives --update java java-11-openjdk` or something like that
15:44:11 <cipherboy> Debian will let you build with JDK8 even though JDK11 is the default, FWIW. But then they removed JDK8 >.>
15:44:18 <decathorpe> heh
15:44:27 <cipherboy> Can you link the formal requirements?
15:44:39 <cipherboy> Is this something we need to bother the Java SIG about, or the packaging committee?
15:44:42 <decathorpe> for gson?
15:45:00 <cipherboy> No, for Java version used to build in Fedora. :)
15:45:06 <decathorpe> ah. no idea
15:45:38 <decathorpe> but IIRC gson failed to build because it uses either Modules or other Java 9 features, and our default target is 1.8 (or even 1.7? I don't remember)
15:46:11 <cipherboy> I think we could try targetting JDK 8 with JDK11 compiler. Then users can run with JDK8 or JDK11 I think.
15:46:26 <cipherboy> Hmm, not sure how modules interact with JDK8, I assume they're just ignored. :)
15:46:37 <decathorpe> heh. I wish
15:46:53 <decathorpe> I had to do some weird POM hacking to make maven ignore module specific stuff
15:47:12 <cipherboy> I'll see what I can dig up and see if we can't get the rules changed somewhat.
15:47:25 <cipherboy> Seems weird that we'll baby Python users and not do the same for Java users.
15:47:27 <cipherboy> Inconsistent at least.
15:47:50 <decathorpe> people actually care about python though
15:48:24 <mbooth> Whats the deal with gson?
15:48:36 <mbooth> Is there a build log?
15:48:50 <decathorpe> hey mbooth o/
15:49:30 <decathorpe> I tried building 2.8.6 but maven gave up, and from what I was able to understand, it only likes Java 9 now
15:50:09 <cipherboy> decathorpe:  mbooth:  https://github.com/google/gson/blob/master/pom.xml#L69-L74
15:50:26 <decathorpe> cipherboy: ah, yeah, exactly
15:50:47 <cipherboy> The commit isn't helpful: https://github.com/google/gson/commit/c18813884285493e69d94f004c294f539cc49828
15:51:31 <cipherboy> https://github.com/google/gson/commit/0e90771e455cd5db201b7beaa2456ffdf50c78f2#diff-600376dffeb79835ede4a0b285078036 -- looks like they're having issues with JDK8 support.
15:51:55 <cipherboy> They did add a module though (which only supports JDK9+)
15:51:58 <cipherboy> https://github.com/google/gson/commit/7ddac52748c59228cb86d08d60b417ce737a0563#diff-600376dffeb79835ede4a0b285078036
15:53:27 <mbooth> Eh, you can probably just revert that commit for now: https://github.com/google/gson/commit/c18813884285493e69d94f004c294f539cc49828
15:53:57 <decathorpe> mbooth: I'll try! :)
15:54:17 <mbooth> Until Java >9 becomes default I don't think it matters. I'd be extremely surprised if there was another package in Fedora that has JPMS requirements on gson
15:54:36 <mbooth> OSGi is much much much much much much more widely used
15:54:42 <mbooth> And will be for a long time
15:54:50 <cipherboy> mbooth: Can't you build with JDK11 and target JDK8 byte code?
15:55:07 <cipherboy> mbooth: Or does the packaging committee not like that?
15:55:30 <decathorpe> cipherboy: hey, I'm still here o/
15:55:32 <mbooth> cipherboy: You'll get both JDKs in the buildroot and java 8 will be used because it is default IIRC
15:55:53 <decathorpe> mbooth: I think you'd have to much with alternatives in the .spec file ...
15:56:05 <decathorpe> which probably wouldn't even work
15:56:12 <mbooth> Exactly, which is... nasty even it works
15:56:55 * mbooth wishes Java adopted OSGi instead of re-inventing the wheel
15:57:01 <mbooth> Oh well
15:57:16 <cipherboy> Okie dokie.
15:57:16 <decathorpe> reinventing the wheel is a bit of a programmer's affliction, I think
15:58:19 * mbooth covers the "programmer" label on his badge
15:58:33 * decathorpe as well
15:59:26 <decathorpe> alright, our time's up. if there's anything else, just open a ticket or write in #fedora-stewardship
15:59:36 <decathorpe> thanks guys!
15:59:38 <decathorpe> mbooth++
15:59:45 <decathorpe> #endmeeting