workstation
LOGS
16:00:27 <stickster> #startmeeting Workstation WG
16:00:27 <zodbot> Meeting started Wed Nov  9 16:00:27 2016 UTC.  The chair is stickster. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:27 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:00:27 <zodbot> The meeting name has been set to 'workstation_wg'
16:00:29 <stickster> #meetingname workstation
16:00:29 <zodbot> The meeting name has been set to 'workstation'
16:00:33 <stickster> #topic Roll call
16:00:35 <stickster> .hello pfrields
16:00:36 <zodbot> stickster: pfrields 'Paul W. Frields' <stickster@gmail.com>
16:02:31 <kalev> .hello kalev
16:02:32 <zodbot> kalev: kalev 'Kalev Lember' <klember@redhat.com>
16:02:33 <rdieter> .hello rdieter
16:02:35 <zodbot> rdieter: rdieter 'Rex Dieter' <rdieter@math.unl.edu>
16:05:01 <stickster> mclasen: cschalle: Ping
16:05:14 <cschalle> .hello cschalle
16:05:15 <zodbot> cschalle: Sorry, but you don't exist
16:05:21 <cschalle> sorry I am in another meeting that is overrunning
16:05:24 <stickster> that's a kick in the teeth
16:05:27 * stickster too
16:05:45 <stickster> kalev: rdieter: hang tight, we will gear up here shortly
16:05:58 <stickster> cschalle, mclasen, and I are all in that same meeting
16:06:09 <mcatanzaro> .hello catanzaro
16:06:10 <zodbot> mcatanzaro: catanzaro 'None' <mcatanzaro@gnome.org>
16:07:39 <stickster> Hi mcatanzaro -- some of us are in a meeting elsewhere, running long
16:07:43 <stickster> #chair kalev rdieter cschalle mcatanzaro
16:07:43 <zodbot> Current chairs: cschalle kalev mcatanzaro rdieter stickster
16:08:01 <mcatanzaro> stickster: I assumed you were discussing scheduling for this meeting :P
16:08:05 <stickster> I'm going to move ahead in the agenda though, just to keep things challenging ;-D
16:08:11 <stickster> #topic WG meeting schedule
16:08:31 <stickster> #idea Move meeting 2 hours earlier (to 09:00 US-Eastern time)
16:08:42 <cschalle> stickster, actually I am in another meeting :)
16:08:57 <mcatanzaro> 9:00 would clearly be best for Japan/Australia, so I'd suggest that
16:08:58 <stickster> cschalle: oh so now you're special, I get it
16:09:11 <mcatanzaro> Alternatively we could move back to 10:00. I would miss the next two or so, but that's hardly a big deal.
16:09:12 <stickster> mcatanzaro: right -- juhp and ryanlerch might be able to attend in that case
16:09:20 <kalev> having it 2 hours earlier would work just fine for me
16:09:55 * rdieter ok with earlier
16:10:00 <mcatanzaro> When scheduling meetings I normally like to do a Doodle poll since considering just a few times tends to work quite badly for someone, but if nobody objects....
16:10:20 <cschalle> earlier would be difficult for me and mclasen
16:10:22 * mcatanzaro notes that nobody objected to moving the meeting to 11:00 until after it was already agreed. People should really object if the meeting time is bad.
16:11:23 <stickster> I think I recall juhp did answer the last poll and we chose this time despite it being a no-go for him, because it worked for everyone else
16:11:33 <stickster> it was a least-bad choice
16:11:59 <stickster> (btw, my meeting is over internally, so if mclasen was in that one too, he should be here shortly.)
16:12:12 <mclasen> I am
16:12:23 <stickster> I'm happy to do another poll but I would expect similar issues. We'll have to choose a least-bad time.
16:12:30 <mclasen> .hello mclasen
16:12:31 <zodbot> mclasen: mclasen 'Matthias Clasen' <mclasen@redhat.com>
16:12:34 <stickster> #chair mclasen
16:12:34 <zodbot> Current chairs: cschalle kalev mcatanzaro mclasen rdieter stickster
16:12:58 <mcatanzaro> cschalle: Can you and mclasen do earlier on a different day of the week? Otherwise I don't think we can do any better than our original time, 10:00 Wednesdays.
16:13:05 <mcatanzaro> If you can do earlier on other days, then we should do a Doodle poll.
16:13:10 <stickster> mcatanzaro++
16:13:49 * mclasen can offer any day of the week between 6 and 8am
16:14:02 <mcatanzaro> (There's no way to do three continents without scheduling Americans uncomfortably early and Australasia uncomfortably late, it's just not possible)
16:14:53 <stickster> I think we'll have to do a poll to get an answer here.
16:15:06 <stickster> #action stickster set up Doodle poll to see if we can reschedule WG meetings at a better time
16:15:10 <mcatanzaro> Note that rdieter and I are Central time, so we're farthest west. 5 AM would be unfortunate for us. :)
16:15:17 <stickster> mcatanzaro: right
16:15:31 <stickster> Anything else to add before we move on?
16:15:43 <mcatanzaro> What's really fun is when you have to do Asia and California! We're actually lucky!
16:16:05 <stickster> Ha!  Well, I guess we can let the data speak for itself, then. :-)  Moving on.
16:16:13 <stickster> #topic Release announcement
16:16:19 <stickster> #link https://fedoraproject.org/wiki/F25_general_release_announcement
16:16:32 <stickster> #info thanks mcatanzaro for input, revisions made earlier this morning
16:17:15 <stickster> I would encourage everyone else to look at it, and wrack your brain to see if there's anything else we want to highlight for the release. This document, when it's published on the Magazine, is the source many PR outlets use to power their stories too
16:18:26 <stickster> anything come to mind? anyone? Bueller? '-)
16:18:48 <kalev> looks pretty good to me I think
16:20:22 <stickster> OK then, shall we move on?
16:21:05 <stickster> *chirp chirp ;-)
16:22:16 <stickster> All right, silence gives consent
16:22:17 <stickster> #topic coredumpctl issue
16:22:20 <stickster> #link https://bugzilla.redhat.com/show_bug.cgi?id=1341829
16:22:39 * kalev looks at mcatanzaro.
16:23:07 <stickster> mcatanzaro: I spent a while yesterday trying to understand this issue, and I honestly don't... any way you can do a 5-min "here's what's happening," just the facts
16:25:15 <mclasen> I can do it in 3, I hope
16:25:40 <stickster> mclasen: OK, go for it, I still didn't grok fully yesterday when you tried but maybe it's just me
16:25:42 <mcatanzaro> There's not much to discuss: SELinux broke a major developer feature that I want to enable by default
16:25:44 <mclasen> systemd has a (not so new anymore) containerization feature for system services where it remounts some important locations read-only
16:25:48 <mclasen> like /etc
16:25:49 <mcatanzaro> systemd developers don't know how to fix it
16:25:52 <stickster> *with you so far
16:25:57 <mclasen> it's called ProtectSystem
16:25:58 <mcatanzaro> SELinux developers are ignoring it
16:26:04 <mclasen> and selinux is not allowing it to do that
16:26:32 <mclasen> and the selinux team so far has resisted any pleading to please let systemd make the system more secure in that way
16:26:36 <mclasen> and that's it
16:26:47 <mclasen> we have one part of the os plumbing interfere with another
16:26:52 <mclasen> that never happens!
16:26:58 <stickster> ha
16:27:59 * kalev idly wonders if it would be possible to have a more relaxed selinux policy for workstation and a tighter one like we have now for server.
16:28:00 <mclasen> and since we're shipping coredumpctl with ProtectSystem enabled, it is broken
16:28:14 <stickster> OK -- not sure why but today it seems clear. Maybe I was overthinking it yesterday, but whatever.  So one thing I pointed out in the bug is that I don't think disabling SELinux is an option -- at least it's a very bad one.  IIRC one of the ground rules for editions was not to do so.
16:29:18 <stickster> kalev: that might be an option.  Although in my experience the SELinux guys have generally worked fairly well with the systemd folks and I'm not sure why this is proving to be an exception
16:29:41 <mcatanzaro> I think it needs to be reconsidered based on whether it's working for us or not. It's a desirable security feature but the number of complaints and bugs is very high.
16:30:26 <stickster> I think we should hold off on the nuclear option here, honestly
16:30:33 <mcatanzaro> stickster: I would too
16:30:45 <mcatanzaro> But it's something worth considering
16:30:48 <stickster> what efforts have been made to bring the devs together to figure out a way forward?
16:31:07 <stickster> that seems like a good first step, but someone may have already tried this
16:31:13 <cschalle> sorry, battery died
16:32:01 <Southern_Gentlem> sounds like a good f26 feature
16:32:12 <mclasen> stickster: one option is to change the coredumpctl configuration and take out ProtectSystem
16:32:30 <mclasen> that would fix coredumpctl at the cost of rewarding the selinux guys for their stubbornness
16:33:06 <mcatanzaro> stickster: So far I've just been asking various Red Hat employees to ask the SELinux developers to respond in the bug report. That didn't work very well, last comment is from September, and that's why we're discussing it here. mclasen's suggestion seems fine to me, but the irony there is that we have SELinux reducing security. ;)
16:33:24 <rdieter> I may have missed it, but have selinux maintainers explicitly said "we refuse to fix this" ?  (sounds like no)
16:34:08 <stickster> I don't think so -- my take from the bug is it probably just got lost amidst bugpile
16:34:10 <rdieter> otherwise, sounds like a case to consider escalating to FESCo (and push for such issues to be release blocking)
16:35:11 <mclasen> I had an answer a bit like that in another bug, let's see if I can find it
16:36:13 <rdieter> and, either unofficially or officially recommending disabling selinux is a bad slippery slope to go down too, imo
16:36:59 <rdieter> in the meantime, if ProtectSystem can't work as-is, then "take out ProtectSystem" is likely the only viable alternative
16:38:28 <stickster> rdieter: agreed -- but I still would like to maybe push harder, even if that means I need to go nudge some people internally because that's more likely to get a mutually satisfactory result
16:38:33 <mclasen> this was actually closed with a fix: https://bugzilla.redhat.com/show_bug.cgi?id=1317927
16:39:38 <mcatanzaro> I think escalating to FESCo is a good idea. Also obvious now that you mention it, but I really didn't think of it.
16:40:10 <stickster> mcatanzaro: If we want to make this a F26 feature, it seems less like an escalation, and more like a "hey, we're serious, let's fix this"
16:40:30 <stickster> as opposed to escalation of "we need you to step in and get devs aligned"
16:40:40 <mcatanzaro> Yes. On that note, the deadline to file the change proposal for F26 is probably not far out. I haven't looked it up, but we don't want to miss it like we did for Wayland
16:40:49 <mcatanzaro> So is it OK if I file a F26 feature proposal for this?
16:40:58 <mcatanzaro> I have an old action item to ask the other WGs about coredumpctl
16:41:10 <stickster> then we can proactively reach out to SELinux and systemd folks to make sure they understand the feature is going to be proposed, and we need them to come together and figure out how to collaborate
16:41:10 <mcatanzaro> But I figure we can just go through the feature process  and they'll be able to object that way just as well
16:41:21 <mcatanzaro> I think we should do it regardless of what the other editions do, though.
16:41:41 <kalev> makes sense to write up a F26 Chnge pge, this is wht we hve for coordination in Fedor
16:41:41 <stickster> mcatanzaro: agreed -- anyone object to that?
16:41:45 <mcatanzaro> stickster: I've done all I can to reach out but just couldn't get a response, so it's up to you Red Hat folks!
16:41:46 <kalev> grr, a key not working
16:41:56 <stickster> mcatanzaro: understood, will do
16:42:13 <stickster> #action mcatanzaro write up F26 Change page that addresses this bug
16:42:41 <stickster> #action stickster contact SELinux and systemd devs for heads up on the Change, and see if we can align on an approach
16:43:58 <stickster> OK, anything else to capture here for next action?
16:44:17 <stickster> mcatanzaro: let me know when you have the Change page, I'll use that to propel my outreach ;-)
16:46:10 <stickster> OK sounds like agenda is over then.
16:46:17 <stickster> #topic Open floor (all other business)
16:46:35 <stickster> One thing that obviously is consuming list b'width here is branding
16:47:15 <stickster> I noticed that hadess put together a GNOME wiki page addressing potential downstream opportunities
16:47:18 <stickster> #link https://wiki.gnome.org/Design/OS/DownstreamBranding
16:47:49 <stickster> cschalle_: did you want to add some thoughts here I could capture for minutes? that's a really big thread :-)
16:48:47 <cschalle_> not atm, although I think maybe the working group should at some point, maybe the next meeting, consider if we want to formally adopt a goal for branding, so that we can at least close the loop on that part of the discussion
16:49:19 <kalev> my thought here is that it would probably make sense to use the same kind of downstream branding in fedora as is used in rhel, so that we share patches etc
16:49:35 <cschalle_> yeah, agree on that
16:49:52 <stickster> cschalle_: kalev: both those things sound very reasonable to me, unify efforts upstream first
16:50:04 <stickster> cschalle_: kalev: I can add this in agenda for next meeting
16:50:23 <kalev> sure
16:50:55 <stickster> that's pretty good timing, since I expect only a week or two out of GA we'll not have pressing technical issues to deal with -- although proposed Changes also come to mind ;-)
16:51:00 <sfix> stickster: do you have a link to the SELinux/systemd RHBZ?  Only just noticed the highlights
16:51:18 <stickster> sfix: It's earlier in the log, but I believe you're referring to https://bugzilla.redhat.com/show_bug.cgi?id=1341829
16:51:22 <stickster> #action stickster put downstream branding first in agenda next meeting
16:51:47 <stickster> <eof> for the branding topic -- next?
16:52:08 <stickster> oh oh oh, I have one
16:52:09 <mcatanzaro> Do we have anything to discuss on branding actually? Maybe we need to wait for concrete proposals from design team?
16:53:18 <stickster> mcatanzaro: I think cschalle_ was talking about setting a goal, not proposing a detailed visual change -- so it would be about agreeing what we're trying to achieve
16:53:41 <stickster> there are bits of that scattered around the thread but we need to pull it together into something the WG agrees on and can stand behind
16:54:28 <sfix> stickster: thanks, will take a look
16:55:01 <mcatanzaro> OK, maybe #action cschalle_ to produce a policy proposal...?
16:55:11 <cschalle_> ok will do
16:55:14 <stickster> ah yes! thanks mcatanzaro ... although you also have chair :-)
16:55:28 <mcatanzaro> #action cschalle_ to propose branding policy
16:55:30 <stickster> boom
16:55:37 <stickster> I'm all about empowerment ;-)
16:55:40 <mcatanzaro> Well I didn't want to add an action item unless he's OK with it!
16:55:58 <stickster> mcatanzaro: it's OK, if he doesn't like it, he just fires me
16:57:26 <stickster> Ah -- so, my little open-floor topic was: big thank you to kalev, mclasen, rdieter, halfline, mcatanzaro (and others I'm probably forgetting, apologies!) for help throughout the F25 release on a variety of fixes and tweaks to make it as good as possible
16:57:31 <stickster> kalev++
16:57:36 <stickster> mclasen++
16:57:39 <stickster> rdieter++
16:57:39 <zodbot> stickster: Karma for rdieter changed to 9 (for the f24 release cycle):  https://badges.fedoraproject.org/tags/cookie/any
16:57:41 <stickster> halfline++
16:57:44 <stickster> catanzaro++
16:57:51 <mcatanzaro> cschalle_: Your email the other day: "I'm sure the designers can come up with something" is probably the most polite way I've ever seen someone say "I'm da boss." ;)
16:57:51 <stickster> mcatanzaro++
16:58:48 <stickster> best approach is always consensus :-)
16:59:00 <stickster> OK, any other topics? we are almost at top of hour :-)
16:59:24 <stickster> actually, let's end cleanly... if you have something else, bring it to the desktop@ list per usual.  See you online!
16:59:27 <stickster> #endmeeting