13:00:02 <stickster> #startmeeting Workstation Working Group 13:00:02 <zodbot> Meeting started Mon Sep 11 13:00:02 2017 UTC. The chair is stickster. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:00:02 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 13:00:02 <zodbot> The meeting name has been set to 'workstation_working_group' 13:00:03 <stickster> #meetingname workstation 13:00:03 <zodbot> The meeting name has been set to 'workstation' 13:00:04 <stickster> #topic Roll call 13:00:05 <stickster> .hello pfrields 13:00:10 <zodbot> stickster: pfrields 'Paul W. Frields' <stickster@gmail.com> 13:01:02 <juhp_> .hello petersen 13:01:04 <zodbot> juhp_: petersen 'Jens Petersen' <petersen@redhat.com> 13:01:05 <stickster> ping juhp juhp_ kalev mclasen otaylor cschalle ryanlerch rdieter walters 13:01:22 <stickster> oh crap, /walters/mcatanzaro/ sorry 13:01:34 <kalev> morning 13:01:34 <mclasen> .hello mclasen 13:01:35 <zodbot> mclasen: mclasen 'Matthias Clasen' <mclasen@redhat.com> 13:01:40 * stickster blames two weeks of travel 13:02:45 <stickster> #topic Agenda 13:02:53 <stickster> #link https://pagure.io/fedora-workstation/issues?status=Open&tags=meeting 13:03:07 <mcatanzaro> .hello catanzaro 13:03:08 <zodbot> mcatanzaro: catanzaro 'Michael Catanzaro' <mcatanzaro@gnome.org> 13:03:27 <stickster> reminder, if you want something covered in the meeting you need to do the following: 1. File an issue, if not done already; 2. tag it with "meeting" (which helpfully appears in the tags for you) 13:04:06 <stickster> #info two issues tagged 'meeting' currently: (1) Removing setroubleshoot; (2) Follow up on SQLite breaking GTK+ search 13:04:10 <mcatanzaro> the SQLite issue is resolved 13:04:21 <stickster> mcatanzaro: Ah, great. If so, could you please close the ticket as fixed then? 13:04:23 * kalev nods. 13:04:34 <mcatanzaro> Well, the underlying problem is not: there is almost no QA for updates and stuff breaks 13:04:41 <kalev> I talked to the maintainer and enable fts5 support in sqlite which made tracker work again 13:04:46 <mcatanzaro> I'll close the ticket 13:04:53 <mcatanzaro> But we really need to gate updates better 13:05:02 <stickster> mcatanzaro: It sounds like we could still use the discussion here, but let's hold on that, it's #2 on the agenda. 13:05:15 <stickster> #topic 1: Remove setroubleshoot 13:05:25 <stickster> #link https://pagure.io/fedora-workstation/issue/24 13:07:38 <mcatanzaro> So... we want to remove setroubleshoot :) 13:07:42 <mcatanzaro> Without replacement 13:07:51 <stickster> The ticket has some useful links to the upstream GNOME design for better problem feedback to the user, which is awesome. What's happening on that front to interact with the right devs (e.g. SELinux/abrt crew) to ensure they continue to receive error reports (if needed)? 13:08:07 <mcatanzaro> Nobody's working on it 13:08:43 <kalev> shouldn't this be a first step before removing setroubleshoot? 13:09:02 <stickster> kalev: +1 13:09:15 <mcatanzaro> I don't see why 13:09:35 <mcatanzaro> Ideally someone would be working on it, but I'm not gonna volunteer for this one :) 13:10:10 <stickster> Well, let's ask this... I'm running Workstation. I hit an SELinux error that prevents my service/app/whatever from working. Will I still receive an SELinux error notification telling me that happened? 13:10:13 <kalev> I feel like removing the only reporting mechanism we have is going to make fedora's selinux support much worse in the long run 13:10:44 <mcatanzaro> stickster: No, you won't. That's the goal, since the SELinux error notifications a full of confusing technical detail. 13:10:52 <mclasen> not annoying users with error notifications that they have no use for and no chance of doing anything about is the main goal here... 13:11:14 <mcatanzaro> Ideally the user would see no notification and the developer would get some anonymous report of the issue, like on FAF or something 13:11:29 <stickster> So all I get in that case is a silent failure, my thing doesn't work, and I can then conclude (in my naïvete) that Workstation is at fault 13:11:39 <otaylor> stickster: isn't it? 13:11:45 <mclasen> workstation _is_ at fault 13:11:52 <otaylor> (sorry to be late) 13:11:54 <mclasen> for shipping you a broken selinux configuration 13:12:03 <stickster> well yes, but does the developer get something filed to help them fix it? 13:12:13 <mclasen> which developer can fix it ? 13:12:37 <otaylor> stickster: the one reason to have notificaitons is for the subset set of users that would know "it's broken because of selinux and I should setenforce 0" 13:12:42 <mclasen> in my experience, selinux issues usually go like: 1) selinux guys decide to make a policy change 13:12:46 <mcatanzaro> #chair otaylor 13:12:50 <mclasen> 2) stuff breaks 13:12:50 <stickster> oh sorry! 13:12:56 <mclasen> 3) selinux guys make another change to fix it 13:12:59 <stickster> #chair kalev mcatanzaro otaylor mclasen 13:12:59 <zodbot> Current chairs: kalev mcatanzaro mclasen otaylor stickster 13:13:21 <kalev> right, so we need a way to get selinux people to know that stuff has broken 13:13:24 <kalev> how do we do that? 13:13:25 <stickster> mclasen: Any package can ship an SELinux policy module, actually. But in general you're right. 13:14:18 <otaylor> mclasen: there has to be problem rpeorting from 2=>3, but I suspect that people who can report a problem can probably also find the information in journalctl 13:14:20 <stickster> What we don't want is to break the feedback loop to the maintainer and/or SELinux policy maintainers to fix things that don't work 13:14:46 <mclasen> we need to get our endusers out of that loop, though 13:15:17 <stickster> Ideally, though, the system should notify the user in a readable way there was a problem, and that it's been reported so they can follow the fix iff. desired 13:16:12 * kalev agrees. 13:17:15 <kalev> I think it's important that users get an error message that says that something went wrong. if we start silently failing they are just going to feel less in control of their computer 13:17:19 <stickster> If removing setroubleshoot is going to break the flow of bugs/feedback entirely, then without any sort of mitigation (like docs or some other notification) it seems more like "wallpapering over the joists without any drywall" 13:17:48 <juhp_> yeah 13:18:21 <mclasen> notifying the user about a broken state of the system has very little to do with selinux though 13:18:27 <mclasen> the system can by broken for all sorts of reasons 13:19:58 <mclasen> it seems weird that we insist on notfying the user if a service fails due to an selinux error, but not if it fails due to out-of-disk, or some other error 13:19:58 <stickster> I completely sympathize with not wanting to put e.g. "httpd_enable_foo=1" in front of users; it's one of the most mumbo-jumbo things you can see. But if we're just hiding the error in a way that also prevents anyone hearing about it, ugh. 13:20:36 <stickster> In the disk example, I do get notifications ahead of time telling me I'm running out of space 13:20:59 <otaylor> I think the troublesome thing is not really notifying the users, it's that setroubleshoot assumes that the use can (or wants to) *do something about it* - which is simply not true for a "default user" 13:21:00 <stickster> There's no such preventative maintenance on SELinux 13:21:33 <otaylor> so there's a lot of complexity there that is "woah" 13:21:44 <mcatanzaro> TBH we would not be complaining if setroubleshoot was more like ABRT: present a non-confusing error message and otherwise stay out of the way 13:21:48 <mcatanzaro> But... it's not 13:22:30 <mcatanzaro> Also, in F27, after the first selinux error, it will run forever in the background and be impossible to quit, because it uses a tray icon to stay open and the tray is going away. 13:22:36 <otaylor> I think that we need to get to a point where the default experience is based on considering a selinux problem a non-user-fixable OS assembly error, and anything else is something that you have to opt into 13:23:01 <mcatanzaro> (It's actually not impossible to quit: you can show the window manually by opening it up from the overview. But most users will not realize it's running unnecessarily even without a window.) 13:23:20 <mclasen> I think thats a good way to put it 13:25:26 <stickster> I haven't seen the issue on F27 with the sealert browser continuing to run when it shouldn't be 13:25:26 * otaylor doesn't actually know what topic was being debated, so is unable to suggest a way forward 13:25:52 <juhp_> otaylor: https://pagure.io/fedora-workstation/issue/24 13:25:56 <stickster> But the troubleshooter *does* allow the user to fix errors temporarily so they can continue with their operation 13:26:01 <otaylor> juhp: thanks 13:26:05 <kalev> I think so too, it's not something that users should know how to fix and I don't think setroubleshoot should offer instructions on how to fix things -- but how do we make sure that developers learn about selinux problems? 13:26:44 <kalev> I don't think removing the feedback loop helps keeping fedora high quality 13:26:51 <stickster> In any case, kalev's point is the same as mine. Breaking the feedback loop is my main concern. 13:27:33 <stickster> Why not engage with the SELinux team folks to get them to help with a more user-friendly solution? 13:28:09 <otaylor> If we didn't install setroubleshoot/sealert what would be the experience - silent breakage and messages in the journal? 13:28:12 <stickster> well, user- and dev-friendly to be fair 13:28:49 * mclasen is still +1 on removing it 13:29:25 <otaylor> For 28 I think we need to design the experience, but need to figure out what makes sense for f27 which has zero runway (assuming that we're discussing f27) 13:30:12 <mclasen> best to start over, instead of a painful slow process of making incremental changes to a fundamentally wrong tool, in my opinion 13:30:27 <mcatanzaro> For F27 timeframe the only options are "do nothing" and "remove it"... we can't realistically change anything this late in the game 13:31:01 <mcatanzaro> I'm fine with either option for F27, what I care about is the long-term solution 13:31:27 <mcatanzaro> Ideally that would be a new bug reporting program that replaces both setroubleshoot and ABRT, built from scratch by GNOME. But Workstation WG cannot take on a project like that. 13:31:57 * mclasen tries sealert on f28 13:32:01 <mclasen> $ sealert 13:32:03 <mclasen> could not attach to desktop process 13:32:06 <mclasen> problem solved! 13:32:14 <juhp_> haha 13:32:30 <mcatanzaro> I hope that's an selinux bug ;) 13:32:35 <juhp_> lol 13:32:54 <stickster> urgh, running f26 on this station 13:33:00 <stickster> but it's 'sealert -b' here 13:33:05 <juhp_> seems to work on 26 anyway 13:33:29 <mclasen> stickster: sealert -b doesn't give me that message, but no window either 13:34:00 <otaylor> mcatanzaro: maybe you have no selinux messages to browse :-) 13:34:06 <mclasen> and sealert --noservice gives me: ModuleNotFoundError: No module named 'setroubleshoot.browser' 13:34:07 <otaylor> (mclasen meant) 13:34:08 <mclasen> not reassuring 13:34:11 <stickster> We're past the Beta Freeze at this point, I think removing setroubleshoot is a bad idea for F27 in any case, and we're talking about F28 here. 13:34:42 <kalev> is anyone here familier with abrt? can we make add selinux reporting to abrt easily? 13:34:47 <juhp_> anyone have f27? 13:34:56 <kalev> I have f27, but don't have setroubleshoot installed :) 13:35:00 * stickster will need to pull a copy today but has no time until later 13:35:04 <stickster> lol 13:35:25 <juhp_> I couldn't install before flock 13:35:32 <mclasen> sealert seems busted on my system, basically 13:36:00 <mcatanzaro> kalev: jfilak promised to add selinux reporting to ABRT, but he's gone :( 13:36:36 <mclasen> so, i guess we should take decisions on f27 and f28 separately ? 13:36:49 <mclasen> or are we still doing fact-finding for f27 ? 13:38:00 <stickster> I think we should be aiming at a F28 change here, not touching F27 post-Beta freeze 13:38:30 <stickster> But yeah, still need to determine what's going on with F27... if things are broken similarly there, it's a bad sign 13:38:33 <juhp_> oops, I forgot this is still f25 on my home machine 13:38:42 <stickster> juhp_: tsk tsk! 13:39:18 <stickster> #proposed #action stickster find out if F27 setroubleshoot is broken (i.e. non-launching) 13:39:34 <stickster> Also... 13:40:06 <stickster> #proposed #action mcatanzaro talk with setroubleshoot maintainers about seeing if they can work with the GNOME redesign on the wiki (shown in the ticket) 13:40:22 <mcatanzaro> I don't wanna! :) 13:40:32 * mcatanzaro pouts 13:40:52 <otaylor> I don't think that's really worth hvaing in absence of a bigger plan to implement that design 13:41:18 <mcatanzaro> TBH I think it needs to be GNOME/desktop team developers working on the UI if we want the result to be satisfactory. 13:41:28 <stickster> otaylor: what bigger plan are you talking about? that implies more work that no one's taking on ;-) 13:41:34 <mcatanzaro> As we learned from ABRT 13:42:09 <otaylor> I think the "GNOME redesign on the wiki" is a comprehensive plan for error reporting that has been banging around for 4-5 years 13:42:21 <stickster> hmm, I see 13:42:39 <stickster> But then blocking on that seems even more nonsensical 13:43:28 <kalev> I think it makes sense to remove setroubleshoot from the default install in a long run and replace it with something else that autoreports things to bugzilla (an abrt plugin?) 13:43:37 <kalev> not sure an setroubleshoot redesign is worth the effort here 13:43:38 <stickster> I may be missing something, what prevents some discussion btw GNOME devs and SELinux guys on how to maintain a feedback loop to continue improving policy? 13:44:16 <stickster> Basically, if we can figure out how to do that ^ it's easy to be +1 on removing setroubleshoot. 13:44:49 * stickster withdraws proposal #2 above, it's fine if that's overreach 13:45:06 <otaylor> stickster: that sounds like good discussion to have, and improving the situation is a very reasonable goal. I'm just not sure that asking mcantazaro to point the selinux developers to some big redesign on the wiki makes any sense 13:45:08 <mcatanzaro> I don't think anything prevents discussion... we just need a volunteer. 13:45:16 <kalev> I have to step away from keyboard for a bit, sorry 13:45:21 <stickster> otaylor: that's fair 13:46:05 <mclasen> I don't think a discussion with the goal of having selinux team improve the ui makes much sense 13:46:13 <stickster> mclasen: that's not the goal 13:46:26 <otaylor> <x> to do some background research, talk to the designers and then set up a meeting with designers, selinux people, and possibly abrt developers (if making abrt do the reporting seems plausible) 13:46:38 <stickster> mclasen: the goal is to ensure that in removing setroubleshoot we don't break all feedback. Maybe there's a way to do a background function to report errors, via abrt or something else. 13:47:03 <mclasen> we can have a discussion about about apis that we may discover to be missing as we write a better error reporting frontend 13:47:21 <mclasen> but that requires to identify resources for picking that up as a project, first 13:48:38 * stickster will figure out who in selinux team (and abrt) needs to be involved to discuss the feedback problem, and will get kalev to help identify a designer if needed (in the case this can't be done invisibly) 13:49:16 <stickster> with the understanding that we're not doing this in f27, not enough time to coordinate anything meaningful 13:49:44 <stickster> oops 13:50:00 <stickster> #action stickster figure out who in selinux team (and abrt) needs to be involved to discuss the feedback problem, and ask kalev to help identify a designer if needed (in the case this can't be done invisibly) 13:50:16 <stickster> #action stickster also get F27 somewhere to see current situation 13:50:21 <stickster> ;-) 13:50:41 <stickster> #topic 2: Sqlite/GTK+ breakage followup 13:50:55 * stickster notes we've managed to run out the clock mostly, I need to vacate in 7 min 13:51:00 <mclasen> do we have time for one open-floor issue at the end ? 13:51:13 <mclasen> I have a quick thing 13:51:14 <stickster> mclasen: only if this one is really short. 13:51:20 <mcatanzaro> Let's defer this discussion to the next meeting, mclasen has an open floor issue and I've noticed one too: mozjs52 13:51:25 <stickster> okeydoke 13:51:28 <mclasen> gnome 3.26 will support color emoji 13:51:34 <stickster> #topic 3: All other stuff (mclasen) 13:51:37 <mclasen> but we need a suitable font 13:51:45 <mclasen> can we add emojione to the default install ? 13:51:58 <mclasen> and possibly add a dependency somewhere so it gets pulled in on upgrades ? 13:52:12 <mcatanzaro> I don't see any reason not to add it to default install. 13:52:17 <mcatanzaro> Not sure where a dependency would make sense. 13:52:58 <otaylor> workstation-release? 13:53:01 <stickster> mclasen: Are you talking about something licensed as seen here? https://www.emojione.com/licenses -- because even the free license looks problematic. 13:53:07 <stickster> Maybe I'm looking at the wrong thing. 13:53:23 <juhp_> we have google-noto-emoji-fonts 13:53:59 <mcatanzaro> OK well looks like emojione is out of the question... how about the noto thing, mclasen? 13:54:14 <mclasen> https://koji.fedoraproject.org/koji/packageinfo?packageID=24743 13:54:32 <stickster> uhhhh 13:54:33 <mclasen> not sure whats wrong with using the package thats already in fedora ? 13:55:25 <juhp_> Is emojione better? 13:55:41 <mclasen> I don't like either of them too much, visually 13:56:39 <mcatanzaro> Hm, sadly I think this calls for FE-Legal review... https://github.com/eosrei/emojione-color-font/blob/master/LICENSE.md looks mostly fine but for "specific attribution requirements for commercial use" 13:56:42 <stickster> mclasen: I'm having trouble reconciling the license, the github sources seem to indicate MIT, which is not what this package says 13:56:55 <mclasen> the package is an older version, afaik 13:56:58 <stickster> mcatanzaro: I'm also concerned there may be a licensing issue here 13:57:05 <mcatanzaro> Maybe that package shouldn't be in Fedora at all. 13:57:09 <mclasen> best to discuss that with hadess 13:57:13 <mclasen> he will give you all the details 13:57:19 <mcatanzaro> We'll have to defer this to next meeting as we're out of time anyway. 13:57:20 <juhp_> Maybe check the package review first? 13:57:27 <stickster> juhp_: yup 13:57:43 <mclasen> and I'm sure he will appreciate the 5-minute-google-backseat-lawyering :-) 13:57:44 <stickster> mcatanzaro: Can you take a look at that and hit us up in #fedora-workstation? 13:57:58 <mcatanzaro> OK 13:58:04 <stickster> could be an older fork, yes 13:58:16 <stickster> #action mcatanzaro take a look at emojione and follow up in IRC 13:58:31 <stickster> OK gotta run folks 13:58:36 <stickster> Thanks for coming 13:58:37 <stickster> #endmeeting