2024-07-31 18:00:20 <@tdawson:fedora.im> !startmeeting EPEL (2024-07-31)
2024-07-31 18:00:21 <@meetbot:fedora.im> Meeting started at 2024-07-31 18:00:20 UTC
2024-07-31 18:00:21 <@meetbot:fedora.im> The Meeting name is 'EPEL (2024-07-31)'
2024-07-31 18:00:24 <@tdawson:fedora.im> !meetingname epel
2024-07-31 18:00:25 <@meetbot:fedora.im> The Meeting Name is now epel
2024-07-31 18:00:27 <@tdawson:fedora.im> !topic aloha
2024-07-31 18:00:29 <@nirik:matrix.scrye.com> morning
2024-07-31 18:00:33 <@carlwgeorge:matrix.org> !hi
2024-07-31 18:00:35 <@zodbot:fedora.im> Carl George (carlwgeorge) - he / him / his
2024-07-31 18:00:46 <@smooge:fedora.im> hello
2024-07-31 18:01:17 <@jonathanspw:fedora.im> !hi
2024-07-31 18:01:17 <@zodbot:fedora.im> Jonathan Wright (jonathanspw)
2024-07-31 18:01:20 <@salimma:fedora.im> !hi
2024-07-31 18:01:21 <@nhanlon:beeper.com> !hi
2024-07-31 18:01:21 <@zodbot:fedora.im> Michel Lind (salimma) - he / him / his
2024-07-31 18:01:22 <@zodbot:fedora.im> Neil Hanlon (neil) - he / him / his
2024-07-31 18:02:34 <@davide:cavalca.name> !hi
2024-07-31 18:02:35 <@zodbot:fedora.im> Davide Cavalca (dcavalca) - he / him / his
2024-07-31 18:03:57 <@tdawson:fedora.im> Hi Davide Cavalca Neil Hanlon Michel Lind 🎩 Jonathan Wright Carl George 
2024-07-31 18:04:04 <@salimma:fedora.im> hello all
2024-07-31 18:04:04 <@tdawson:fedora.im> Morning nirik 
2024-07-31 18:04:09 <@tdawson:fedora.im> Hello Stephen J Smoogen 
2024-07-31 18:05:15 <@tdawson:fedora.im> !topic EPEL Issues https://pagure.io/epel/issues
2024-07-31 18:05:21 <@tdawson:fedora.im> https://pagure.io/epel/issues?tags=meeting&status=Open
2024-07-31 18:05:35 <@tdawson:fedora.im> We just have the one open issue
2024-07-31 18:05:51 <@tdawson:fedora.im> !epel 284
2024-07-31 18:05:52 <@zodbot:fedora.im> ● **Assignee:** Not Assigned
2024-07-31 18:05:52 <@zodbot:fedora.im> ● **Last Updated:** 4 days ago
2024-07-31 18:05:52 <@zodbot:fedora.im> **epel #284** (https://pagure.io/epel/issue/284):**Proposing incompatible upgrade of Zeek to the latest LTS version**
2024-07-31 18:05:52 <@zodbot:fedora.im> 
2024-07-31 18:05:52 <@zodbot:fedora.im> ● **Opened:** a week ago by salimma
2024-07-31 18:05:59 <@tdawson:fedora.im> Oooh ... it's working now. :)
2024-07-31 18:06:32 <@dherrera:fedora.im> hi!
2024-07-31 18:06:39 <@tdawson:fedora.im> Hi Diego Herrera 
2024-07-31 18:06:50 <@salimma:fedora.im> so yeah, TLDR zeek has LTS and feature releases, and LTS is only supported for a year
2024-07-31 18:06:50 <@salimma:fedora.im> The previous maintainer didn't work on it after leaving the company, so it's... very stale right now (3 years IIRC)
2024-07-31 18:06:50 <@salimma:fedora.im> 
2024-07-31 18:06:50 <@dherrera:fedora.im> !hi
2024-07-31 18:06:51 <@zodbot:fedora.im> Diego Herrera (dherrera) - he / him / his
2024-07-31 18:07:02 <@salimma:fedora.im> two years plus, sorry, form version 4 to 6
2024-07-31 18:07:13 <@salimma:fedora.im> two years plus, sorry, from version 4 to 6
2024-07-31 18:07:36 <@carlwgeorge:matrix.org> stale alone isn't necessarily sufficient to do an incompat upgrade
2024-07-31 18:07:44 <@carlwgeorge:matrix.org> are there any outstanding cves that can't be backported?
2024-07-31 18:08:01 <@nhanlon:beeper.com> thank you for finalizing zeek btw Michel Lind 🎩  -- I kept running into brick walls in some form or another...
2024-07-31 18:08:04 <@tdawson:fedora.im> It doesn't say on the ticket, if there are any configuration and/or manual user changes.
2024-07-31 18:08:15 <@salimma:fedora.im> I... need to look that up
2024-07-31 18:08:35 <@salimma:fedora.im> the other way I can do it is make it like Django, have a new package for each LTS series, and leave the old one there untouched
2024-07-31 18:09:19 <@salimma:fedora.im> oh, most of the arch-specific problems turns out to be from a new tool from the same project that is now bundled by default. if you turn it off it builds cross-platform again :P
2024-07-31 18:09:37 <@nhanlon:beeper.com> IMO, we should allow this and bump to 6.0
2024-07-31 18:09:41 <@tdawson:fedora.im> Nothing else is using it in EPEL, so I'm not sure it's necessary.  But I don't know zeek enough to know if that's something people would want.  (Meaning having a new packager for each LTS release)
2024-07-31 18:09:45 <@nhanlon:beeper.com> lol of course it was something simple...
2024-07-31 18:10:02 <@conan_kudo:matrix.org> !hi
2024-07-31 18:10:03 <@zodbot:fedora.im> Neal Gompa (ngompa) - he / him / his
2024-07-31 18:10:10 <@nhanlon:beeper.com> I will write something more eloquent in the ticket :) 
2024-07-31 18:10:16 <@salimma:fedora.im> upstream changelog - https://github.com/zeek/zeek/blob/master/CHANGES - sadly it's a firehose
2024-07-31 18:10:25 <@tdawson:fedora.im> If users can just do a "dnf upgrade" and not have to do anything, I'm totally fine with the incompatible update.
2024-07-31 18:10:34 <@tdawson:fedora.im> Hi Conan Kudo 
2024-07-31 18:10:41 <@nhanlon:beeper.com> the last 4.x release was nearly 2 years ago (just under)
2024-07-31 18:10:44 <@carlwgeorge:matrix.org> we generally approve incompat requests when cves are involved, but it's a bit murkier otherwise
2024-07-31 18:10:54 <@salimma:fedora.im> I don't know zeek that much too, but the team at work that does use it seem very keen on using v6 (so it turns out they never used the v4 that their old member packaged :P)
2024-07-31 18:11:11 <@salimma:fedora.im> yeah, I could not actually find a CVE, only for one of the Zeek plugins
2024-07-31 18:11:15 <@conan_kudo:matrix.org> the choice between unmaintained and not unmaintained for a leaf package makes things pretty easy
2024-07-31 18:11:18 <@nhanlon:beeper.com> Yeah. I'm like 99% sure there's not actually anyone _using_ Zeek in EPEL right now
2024-07-31 18:11:27 <@carlwgeorge:matrix.org> reminder of the general epel policy:
2024-07-31 18:11:27 <@carlwgeorge:matrix.org> > The packages in the repository should, if possible, be maintained in similar ways to the Enterprise Packages they were built against. In other words: have a mostly stable set of packages that normally do not change at all and only changes if there are good reasons for it — so no "hey, there is a new version, it builds, let’s ship it" mentality.
2024-07-31 18:11:27 <@carlwgeorge:matrix.org> 
2024-07-31 18:11:49 <@conan_kudo:matrix.org> that's not fair... in this case we're talking about a package with effectively a dead upstream
2024-07-31 18:11:51 <@tdawson:fedora.im> Ah, good point.
2024-07-31 18:11:51 <@nhanlon:beeper.com> 6.x is, itself, 18 months old
2024-07-31 18:11:59 <@conan_kudo:matrix.org> and no resources to do work downstream on
2024-07-31 18:12:11 <@carlwgeorge:matrix.org> does fixing the cve in the zeek plugin require rebasing zeek?  that could be a justifiable angle.
2024-07-31 18:12:26 <@salimma:fedora.im> yeah, I agree with both of you. ideally we do the same thing as RHEL, but we don't actually have the bandwith backport fixes
2024-07-31 18:12:34 <@carlwgeorge:matrix.org> that's the policy, fairness isn't a factor
2024-07-31 18:12:38 <@salimma:fedora.im> good question. I can circle back later
2024-07-31 18:12:57 <@conan_kudo:matrix.org> fairness is a factor for us as arbiters of the policy
2024-07-31 18:13:00 <@salimma:fedora.im> fwiw if it's easier I'm ok with creating a zeek6 package then we can wait until there is a CVE to retire the old zeek
2024-07-31 18:13:36 <@carlwgeorge:matrix.org> judging how hard backporting fixes is requires specifying what fixes (i.e. cves) are desired
2024-07-31 18:14:09 <@nhanlon:beeper.com> particularly when this package was, effectively, a false start. e.g., it never actually made it into Fedora before it was built and released in EPEL (iirc)
2024-07-31 18:14:17 <@jonathanspw:fedora.im> Do major things change between versions that make the tool more/less useful with current traffic/web standards?
2024-07-31 18:14:22 <@salimma:fedora.im> disclosure: if someone at work does not need this I would drop it like a hot potato and wash my hands off it. it's... not enjoyable to work on Neil Hanlon can attest)
2024-07-31 18:14:31 <@conan_kudo:matrix.org> if zeek was a package that other things depended on, I think there would be a stronger argument (ie like Django)
2024-07-31 18:14:32 <@jonathanspw:fedora.im> Such as new patterns or something to grab modern traffic types.
2024-07-31 18:14:36 <@jonathanspw:fedora.im> (not familiar with zeek)
2024-07-31 18:15:14 <@davide:cavalca.name> I think for a leaf package on this these constraints it's probably ok to upgrade, but I'm with Carl George that's not what the policy actually says
2024-07-31 18:15:17 <@conan_kudo:matrix.org> but as a leaf application package, I think proceeding with an incompatible update notice is fine to bring the package into a maintainable state
2024-07-31 18:15:23 <@davide:cavalca.name> so we may want to consider amending the policy to cover this usecase
2024-07-31 18:15:35 <@salimma:fedora.im> ok, turns out there are security issues. just not CVE. and easiest way to find them is to go through the release notes on github one by one :(
2024-07-31 18:15:35 <@carlwgeorge:matrix.org> if it's in epel, someone we're not aware of could be depending on it, and a disruptive update would not be nice.  that's why we have the policy as it is.
2024-07-31 18:15:42 <@salimma:fedora.im> first I found, going backwards, for 6.0.3: https://github.com/zeek/zeek/releases/tag/v6.0.3
2024-07-31 18:15:55 <@salimma:fedora.im> that limits the depth the parser will attempt to follow the entity nesting. If
2024-07-31 18:15:55 <@salimma:fedora.im> the limit is reached an exceeded_mime_max_depth weird is generated.
2024-07-31 18:15:55 <@salimma:fedora.im> risk.The fix included adds a new option (MIME::max_depth) to the MIME parser
2024-07-31 18:15:55 <@salimma:fedora.im> possibility of receiving these packets from remote hosts, this is a DoS
2024-07-31 18:15:55 <@salimma:fedora.im> cause Zeek to spend large amounts of time parsing the entities. Due to the
2024-07-31 18:15:55 <@salimma:fedora.im> A specially-crafted series of packets containing nested MIME entities can
2024-07-31 18:16:01 <@conan_kudo:matrix.org> that's why we require the incompatible update notices
2024-07-31 18:16:46 <@salimma:fedora.im> 6.0.2 has even more security fixes https://github.com/zeek/zeek/releases/tag/v6.0.2
2024-07-31 18:16:58 <@carlwgeorge:matrix.org> ok then i'm on board.  we don't actually require assigned cve numbers, just security fixes that aren't easily backported.
2024-07-31 18:17:05 <@salimma:fedora.im> 5 of them so I won't copy paste. ugh these really should be CVEs :(
2024-07-31 18:17:29 <@conan_kudo:matrix.org> it's security software, I think it is perfectly in line similar to clamav
2024-07-31 18:17:31 <@salimma:fedora.im> thanks! from the release notes looks like they fix both the LTS and the feature release (e.g. 6.0.3 and the parallel 6.1.x release have the same notice)
2024-07-31 18:17:55 <@conan_kudo:matrix.org> and I'm also not terribly surprised at the lack of CVE declarations
2024-07-31 18:17:57 <@carlwgeorge:matrix.org> this is something i actually have in mind for epel10.  relax the rebase policy in the epel10 branch only, which defers changes for rhel users till the next minor version.
2024-07-31 18:18:04 <@salimma:fedora.im> If we don't have enough to decide on we can just make it a one off and circle back when zeek 7 is out - if there's a track record of needing security fixes maybe we can make this permanent?
2024-07-31 18:18:12 <@conan_kudo:matrix.org> not many people know you can declare CVEs right from GitHuba
2024-07-31 18:18:17 <@conan_kudo:matrix.org> not many people know you can declare CVEs right from GitHub
2024-07-31 18:18:38 <@conan_kudo:matrix.org> or rather security advisories that can be turned into CVEs
2024-07-31 18:18:41 <@salimma:fedora.im> yeah, epel10 being more visible than epel9-next should help with "this is a heads up that breakages are coming"
2024-07-31 18:18:55 <@conan_kudo:matrix.org> that would make things _considerably_ easier
2024-07-31 18:19:08 <@salimma:fedora.im> I certainly would still not upgrade willy-nilly :)
2024-07-31 18:19:38 <@conan_kudo:matrix.org> certainly not, but it makes dealing with various forcing functions less painful
2024-07-31 18:19:42 <@carlwgeorge:matrix.org> i would say that if it's not terribly difficult, i'd be in favor of versioned packages like zeek6 and zeek7, which avoids the policy problem entirely.  just retire the old ones when you don't feel like maintaining them anymore.
2024-07-31 18:19:57 <@carlwgeorge:matrix.org> i think zabbix is set up that way
2024-07-31 18:20:08 <@jonathanspw:fedora.im> it is
2024-07-31 18:20:09 <@salimma:fedora.im> I am on board with that, but can we start doing versioned package for zeek 7 instead?
2024-07-31 18:20:30 <@conan_kudo:matrix.org> that's probably a good idea
2024-07-31 18:20:33 <@conan_kudo:matrix.org> 7 is the next LTS, right?
2024-07-31 18:20:43 <@carlwgeorge:matrix.org> if version 6 is going to stick around for a while, why not go ahead and get it in as zeek6?
2024-07-31 18:20:43 <@salimma:fedora.im> how does zabbix do it? I see an unversioned zabbix in Fedora https://src.fedoraproject.org/rpms/zabbix
2024-07-31 18:20:47 <@tdawson:fedora.im> Are you meaning, update the current one to 6, and then make a zeek7 ?
2024-07-31 18:20:52 <@salimma:fedora.im> yeah, LTS is always x.0.z for Zeek
2024-07-31 18:21:06 <@salimma:fedora.im> yup, update the current one to 6, start only having versioned packages when zeek 7 is out
2024-07-31 18:21:46 <@conan_kudo:matrix.org> zabbix is not multiversioned as far as I know
2024-07-31 18:22:01 <@salimma:fedora.im> we do have versioned packages for Django now, so zeek will just be done the same way
2024-07-31 18:22:02 <@tdawson:fedora.im> Since the current one has CVE's, I'm good with starting versioned on zeek7.  My only concern is when you would retire unversioned zeek.
2024-07-31 18:22:08 <@salimma:fedora.im> starting from next version
2024-07-31 18:22:25 <@salimma:fedora.im> oh, if we do versioned I think we can evaluate based on unfixed security issues if we want to retire it or not
2024-07-31 18:22:29 <@salimma:fedora.im> once it's EOL
2024-07-31 18:23:11 <@salimma:fedora.im> I'm happy leaving it in the repo until we discover issues. but for Fedora I'll retire it from Rawhide as soon as its EOL upstream
2024-07-31 18:23:15 <@jonathanspw:fedora.im> it is
2024-07-31 18:23:25 <@carlwgeorge:matrix.org> i still think that starting the versioning now with a zeek6 package would avoid the need to do an incompat upgrade, so it would be worthwhile
2024-07-31 18:23:33 <@salimma:fedora.im> can you point to the multiversioned zabbix spec? I have the dump of all packages and I don't see it
2024-07-31 18:23:46 <@conan_kudo:matrix.org> yeah I don't see it either
2024-07-31 18:23:52 <@jonathanspw:fedora.im> https://src.fedoraproject.org/rpms/zabbix50
2024-07-31 18:23:52 <@jonathanspw:fedora.im> https://src.fedoraproject.org/rpms/zabbix
2024-07-31 18:23:52 <@jonathanspw:fedora.im> https://src.fedoraproject.org/rpms/zabbix6.0
2024-07-31 18:24:00 <@carlwgeorge:matrix.org> looks like in epel8 it's zabbix6.0, but in epel9 it's just zabbix
2024-07-31 18:24:00 <@salimma:fedora.im> Carl George: fair. I can do that (just copy paste, and mark it as conflicting the main package I guess)
2024-07-31 18:24:19 <@carlwgeorge:matrix.org> yeah we allow conflicts between epel packages
2024-07-31 18:24:30 <@conan_kudo:matrix.org> it looks like it's legacy versioned, not true multiversioned
2024-07-31 18:24:30 <@salimma:fedora.im> interestingly the main zabbix is also in EPEL9. I wonder if that one has ever been upgraded from 5 to 6
2024-07-31 18:24:40 <@jonathanspw:fedora.im> yeah there's def some weird stuff going on here
2024-07-31 18:24:45 <@jonathanspw:fedora.im> between multiple maintainers
2024-07-31 18:25:09 <@salimma:fedora.im> oh well
2024-07-31 18:25:15 <@conan_kudo:matrix.org> oh, this is orionp doing his own thing
2024-07-31 18:25:24 <@conan_kudo:matrix.org> so I wouldn't count this the same as what Carl George is suggesting
2024-07-31 18:26:06 <@carlwgeorge:matrix.org> if a versioned package is hard now, i doubt it would get easier for zeek7
2024-07-31 18:26:30 <@carlwgeorge:matrix.org> this probably needs more investigation, so lets do the rest of the meeting and then pick this back up in the main channel
2024-07-31 18:26:33 <@salimma:fedora.im> yeah, it just frontloads the work
2024-07-31 18:26:37 <@salimma:fedora.im> right
2024-07-31 18:26:40 <@salimma:fedora.im> let's move on first
2024-07-31 18:26:51 <@tdawson:fedora.im> Sounds good ... moving on.
2024-07-31 18:27:11 <@tdawson:fedora.im> That was our last issue marked with Meeting, so loving on to epel10
2024-07-31 18:27:20 <@tdawson:fedora.im> !topic EPEL 10
2024-07-31 18:27:26 <@salimma:fedora.im> I like loving on more than moving on :)
2024-07-31 18:28:14 <@tdawson:fedora.im> Do we have any progress on epel10?  (He says, knowing that the answer is yes)
2024-07-31 18:28:31 <@salimma:fedora.im> the lawyer way of asking. only ask what you know the answer to :)
2024-07-31 18:28:34 <@tdawson:fedora.im> !link https://hackmd.io/q6TNkYjJT82EtzhlyPGpog
2024-07-31 18:29:10 <@carlwgeorge:matrix.org> couple of cool milestones.  we've got epel10.0 in bodhi, confirmed signing works, our first successful epel10 branch request, an lots of fixes for owner-sync-pagure.
2024-07-31 18:29:27 <@carlwgeorge:matrix.org> oh and fedpkg-minimal has been bootstrapped https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-6c5e7c0cdf
2024-07-31 18:30:08 <@conan_kudo:matrix.org> wait, wait, WAAAIT
2024-07-31 18:30:13 <@conan_kudo:matrix.org> does that mean we can make packages now?!
2024-07-31 18:30:15 <@carlwgeorge:matrix.org> next i need to figure out why that update didn't get marked stable, how to publish the repo somewhere like rawhide does, and build epel-release and epel-rpm-macros
2024-07-31 18:30:18 <@carlwgeorge:matrix.org> NO
2024-07-31 18:30:26 <@conan_kudo:matrix.org> awww ☹️
2024-07-31 18:30:46 <@carlwgeorge:matrix.org> as previously stated in the epel10 status update, don't start doing packages until i give the all clear (likely during the flock hackfest)
2024-07-31 18:31:20 <@nirik:matrix.scrye.com> publishing the repo like rawhide is means a nightly.sh script that calls pungi and pungi config.
2024-07-31 18:31:39 <@carlwgeorge:matrix.org> but at this point it does look likely that the hackfest can involve actual packaging work, not just releng stuff
2024-07-31 18:32:01 <@salimma:fedora.im> whee
2024-07-31 18:32:06 <@conan_kudo:matrix.org> like the one that was just added for eln, right?
2024-07-31 18:32:07 <@nirik:matrix.scrye.com> perhaps.
2024-07-31 18:32:52 <@nirik:matrix.scrye.com> yep
2024-07-31 18:33:01 <@carlwgeorge:matrix.org> more good news, Aoife Moloney adjusted the schedule so nirik can attend both the infra/releng and epel10 hackfests
2024-07-31 18:34:00 <@nirik:matrix.scrye.com> yeah, looks good to me...
2024-07-31 18:34:06 <@jonathanspw:fedora.im> Aoife Moloney++
2024-07-31 18:34:08 <@zodbot:fedora.im> jonathanspw gave a cookie to amoloney. They now have 51 cookies, 18 of which were obtained in the Fedora 40 release cycle
2024-07-31 18:34:30 <@conan_kudo:matrix.org> looks like it's parallel to the multimedia hackfest that Davide Cavalca and I will be running
2024-07-31 18:34:31 <@carlwgeorge:matrix.org> i think that covers it for epel10 updates, we can move on
2024-07-31 18:34:39 <@conan_kudo:matrix.org> so there's gonna probably be some sprinting :P
2024-07-31 18:34:50 <@nirik:matrix.scrye.com> hopefully the rooms are close together
2024-07-31 18:34:55 <@tdawson:fedora.im> Thank you Carl George , and everyone else helping out with epel10.
2024-07-31 18:35:06 <@tdawson:fedora.im> !topic Old Business
2024-07-31 18:35:18 <@tdawson:fedora.im> Does anyone have any old Business they would like to bring up?
2024-07-31 18:36:20 <@tdawson:fedora.im> I'll take the silence as a no ... moving on.
2024-07-31 18:36:30 <@tdawson:fedora.im> !topic General Issues / Open Floor
2024-07-31 18:37:11 <@carlwgeorge:matrix.org> one small fyi, after our last docs adjustment i realized it wasn't documented anywhere how to request epel branches, so i sent https://pagure.io/fedora-docs/package-maintainer-docs/pull-request/165
2024-07-31 18:37:19 <@carlwgeorge:matrix.org> (which our docs already reference)
2024-07-31 18:37:53 <@tdawson:fedora.im> One thing I'd like to bring up is just a reminder that we will not have our EPEL Steering Committee meeting or EPEL Office hours next week.
2024-07-31 18:38:12 <@rcallicotte:fedora.im> !hi
2024-07-31 18:38:13 <@zodbot:fedora.im> Robby Callicotte (rcallicotte) - he / him / his
2024-07-31 18:38:53 <@tdawson:fedora.im> Hi Robby Callicotte 
2024-07-31 18:39:13 <@rcallicotte:fedora.im> Michel Lind 🎩 I almost said hi in the EPEL room too hehe
2024-07-31 18:39:31 <@tdawson:fedora.im> Thank you Carl George  ... I didn't realize that wasn't documented. 
2024-07-31 18:39:53 <@carlwgeorge:matrix.org> yeah i was surprised too, so i fixed it
2024-07-31 18:40:28 <@tdawson:fedora.im> Anything else for Open Floor?
2024-07-31 18:42:22 <@tdawson:fedora.im> If nobody objects, then I'm going to close the meeting early.
2024-07-31 18:42:35 <@jonathanspw:fedora.im> See most of y'all in a week :)
2024-07-31 18:42:41 <@tdawson:fedora.im> Yep.
2024-07-31 18:42:49 <@nirik:matrix.scrye.com> safe travels everyone
2024-07-31 18:43:14 <@smooge:fedora.im> have a good trip to people
2024-07-31 18:43:16 <@rcallicotte:fedora.im> yay!! see y'all next week
2024-07-31 18:43:16 <@carlwgeorge:matrix.org> oh i had one more thing
2024-07-31 18:43:19 <@tdawson:fedora.im> Thank you all for comming today and the good discussions.  Thank you all for all you do for EPEL and it's community.  And I look forward to seeing many of you in person next week.
2024-07-31 18:43:22 <@smooge:fedora.im> and see you in 2 wekes online
2024-07-31 18:43:30 <@tdawson:fedora.im> Carl George: Go for it.
2024-07-31 18:44:00 <@salimma:fedora.im> thanks Troy!
2024-07-31 18:44:06 <@salimma:fedora.im> oh, one more thing
2024-07-31 18:44:10 <@salimma:fedora.im> (Carl's I mean)
2024-07-31 18:44:30 <@carlwgeorge:matrix.org> it occurred to me that our current epel-release is marked as gpl2, and indicates that the overall epel collective work is gpl2.  that seems to be carried forward all the way from epel4.  the fedora collective work is mit, so i think for epel10 we can align with fedora and say that collective work is mit.
2024-07-31 18:44:47 <@salimma:fedora.im> +1
2024-07-31 18:44:58 <@rcallicotte:fedora.im> lol
2024-07-31 18:45:00 <@salimma:fedora.im> we should not make this retroactive, but for EPEL10+ that sounds like a good idea
2024-07-31 18:45:13 <@carlwgeorge:matrix.org> we should probably also have an equivalent file to https://src.fedoraproject.org/rpms/fedora-release/blob/rawhide/f/Fedora-Legal-README.txt
2024-07-31 18:45:17 <@nirik:matrix.scrye.com> I am not sure that the release package implies everything in epel has some license or other
2024-07-31 18:45:19 <@salimma:fedora.im> isn't black turtlene... oh epel, apple
2024-07-31 18:45:29 <@salimma:fedora.im> 🤦‍♂️
2024-07-31 18:45:37 <@conan_kudo:matrix.org> 🤦‍♂️
2024-07-31 18:45:46 <@smooge:fedora.im> the 'one more thing' at the end of a meeting was also an Steve Jobs thing
2024-07-31 18:45:50 <@nirik:matrix.scrye.com> and... relicensing should have everyone who contibuted say ok, no?
2024-07-31 18:45:59 <@conan_kudo:matrix.org> yup
2024-07-31 18:46:07 <@salimma:fedora.im> true. though I recently saw it taken over by Rivian's CEO so that's the one I remembered
2024-07-31 18:46:07 <@smooge:fedora.im> So I would say we talk to legal first
2024-07-31 18:46:23 <@carlwgeorge:matrix.org> well this wouldn't be a relicense, it would be for epel10 from the start going forward
2024-07-31 18:46:26 <@conan_kudo:matrix.org> well, technically for epel10 it's carrying the Fedora collection license over
2024-07-31 18:46:26 <@salimma:fedora.im> but if we only do it for the new epel10 it should be fine right?
2024-07-31 18:46:28 <@salimma:fedora.im> exactly
2024-07-31 18:46:39 <@carlwgeorge:matrix.org> obligatory ianal
2024-07-31 18:46:45 <@smooge:fedora.im> The 'overall' collection thing was something that Fedora had for a long time but the interpretation of the legal reason changed
2024-07-31 18:46:45 <@salimma:fedora.im> I would rather not touch epel9 and open the can of worms of "does this apply to other specs or not?"
2024-07-31 18:46:46 <@conan_kudo:matrix.org> I definitely don't want to touch the older ones
2024-07-31 18:47:00 <@smooge:fedora.im> so please ask fedora-legal
2024-07-31 18:47:18 <@carlwgeorge:matrix.org> yeah i was planning to run this by the fedora legal folks who wrote this policy file
2024-07-31 18:47:20 <@smooge:fedora.im> it may be that the 'whole' collection idea is invalid
2024-07-31 18:47:20 <@salimma:fedora.im> so there is a tension even in epel9 I guess
2024-07-31 18:47:33 <@salimma:fedora.im> since we mostly get package specs inherited from Fedora but the license declared in epel-release is different
2024-07-31 18:47:42 <@nirik:matrix.scrye.com> yeah, needs some reviewing. I am not sure either
2024-07-31 18:48:08 <@jonathanspw:fedora.im> I'm not making the connection on how epel-release's license has anything to do with package licenses from EPEL.
2024-07-31 18:48:09 <@carlwgeorge:matrix.org> bringing this up for awareness, no decision needed yet.  will include it in the initial epel-release pr for the epel10 branch.
2024-07-31 18:48:10 <@nirik:matrix.scrye.com> but if we are starting with a copy, I would think it would retain it's license.
2024-07-31 18:48:17 <@rcallicotte:fedora.im> does the license specified in epel-release only account for the epel-release package or the whole collection??
2024-07-31 18:48:23 <@nirik:matrix.scrye.com> Jonathan Wright: same here
2024-07-31 18:48:31 <@smooge:fedora.im> The issue is if the entire 'collection' is GPL2 we would have to drop many packages from EPEL (anything without a GPL exception)
2024-07-31 18:48:45 <@jonathanspw:fedora.im> 'collection' being all of EPEL?
2024-07-31 18:48:49 <@smooge:fedora.im> so talk to legal.. and find out what needs to be done
2024-07-31 18:48:56 <@salimma:fedora.im> epel's is gpl2 because centos stream / RHEL release packages are also GPLv2 right?
2024-07-31 18:48:58 <@nirik:matrix.scrye.com> They are different things.
2024-07-31 18:49:04 <@salimma:fedora.im> we just copied theirs at some point
2024-07-31 18:49:11 <@conan_kudo:matrix.org> Michel Lind 🎩: EPEL 4 is when we copied it
2024-07-31 18:49:30 <@conan_kudo:matrix.org> so fairly early on
2024-07-31 18:49:36 <@carlwgeorge:matrix.org> normally the license field applies to the packaged software, but release packages don't have such software, they're self contained.  existing ones like fedora-release and redhat-release sorta repurpose the license field to describe the "collective work".
2024-07-31 18:49:39 <@salimma:fedora.im> maybe after we make epel's MIT we can see about making the RH one MIT too (opened Pandora's box)
2024-07-31 18:49:55 <@nirik:matrix.scrye.com> that is not at all my understanding. ;)
2024-07-31 18:49:59 <@smooge:fedora.im> back in the pre-billion licenses day, Red Hat Linux was under a 'GPLv2' collection idea that everything was seen as GPLv2 to say we were 'FLOSS' that turned into problems over the years and the interpretation of that being valid was the difference between what engineers think is possible and what is actually legally possible
2024-07-31 18:50:00 <@davide:cavalca.name> Is this documented somewhere?
2024-07-31 18:50:04 <@carlwgeorge:matrix.org> our currently GPL file references red hat linux
2024-07-31 18:50:07 <@nirik:matrix.scrye.com> epel-release is a package it has files, it's under the license it is.
2024-07-31 18:50:08 <@jonathanspw:fedora.im> Is there something inherently wrong with GPLv2 that we're trying to solve, or just to align better with fedora?
2024-07-31 18:50:15 <@smooge:fedora.im> hi guys one sec
2024-07-31 18:50:20 <@smooge:fedora.im> I explained aboe
2024-07-31 18:50:33 <@carlwgeorge:matrix.org> the latter
2024-07-31 18:50:35 <@rcallicotte:fedora.im> whoa!
2024-07-31 18:50:35 <@conan_kudo:matrix.org> not particularly anything wrong with it other than alignment with the broader Fedora side of things
2024-07-31 18:50:41 <@smooge:fedora.im> yes..
2024-07-31 18:50:50 <@jonathanspw:fedora.im> Ok.  also I see your reply now Stephen J Smoogen 
2024-07-31 18:51:01 <@conan_kudo:matrix.org> my copy of Red Hat Linux proudly says the _distribution_ is GPLv2 :P
2024-07-31 18:51:08 <@carlwgeorge:matrix.org> https://src.fedoraproject.org/rpms/epel-release/blob/epel9/f/GPL#_2-5
2024-07-31 18:51:16 <@nirik:matrix.scrye.com> MIT is the default for the FPCA (and before it the predecesors...)
2024-07-31 18:51:17 <@jonathanspw:fedora.im> I mean, if legal checks off on it I'd be +1 I guess
2024-07-31 18:51:19 <@conan_kudo:matrix.org> one of my really old copies even says a portion of the sale is donated to FSF :P
2024-07-31 18:51:21 <@smooge:fedora.im> the epel came from extras which came from the older RHL release
2024-07-31 18:51:29 <@jonathanspw:fedora.im> (for 10+)
2024-07-31 18:51:43 <@davide:cavalca.name> I would highly recommend just deferring to legal here
2024-07-31 18:52:09 <@salimma:fedora.im> yeah, the amount of confusion even among us here kind of heavily suggests let's just get legal involved
2024-07-31 18:52:18 <@carlwgeorge:matrix.org> https://src.fedoraproject.org/rpms/fedora-release/blob/rawhide/f/Fedora-Legal-README.txt
2024-07-31 18:52:27 <@salimma:fedora.im> because if we change it for 10 someone will ask "what does this mean for 9"
2024-07-31 18:52:37 <@salimma:fedora.im> so we better have an answer :)
2024-07-31 18:52:50 <@smooge:fedora.im> 8 is still a valid release people
2024-07-31 18:52:57 <@salimma:fedora.im> and 8, yes
2024-07-31 18:52:57 <@carlwgeorge:matrix.org> i can't imagine a different answer than "just follow fedora's example", but will certainly do my due diligence and contact legal
2024-07-31 18:53:20 <@smooge:fedora.im> i can imagine a couple of different answers 
2024-07-31 18:53:29 <@jonathanspw:fedora.im> Can I commit the change of the license and then when legal gets mad I can finally get my badge for legal having to override something I did?
2024-07-31 18:53:38 <@nirik:matrix.scrye.com> I suspect no one has looked at this in a long time and asking will get it looked at. ;) for good or bad.
2024-07-31 18:53:44 <@salimma:fedora.im> wait, is there a badge for that?
2024-07-31 18:53:51 <@smooge:fedora.im> there used to be
2024-07-31 18:53:54 <@jonathanspw:fedora.im> yep.  Carl George has it, that turd
2024-07-31 18:53:57 <@carlwgeorge:matrix.org> fedora legal badge of doom, or something
2024-07-31 18:53:58 <@conan_kudo:matrix.org> can I pretend it isn't?
2024-07-31 18:54:03 <@smooge:fedora.im> nope
2024-07-31 18:54:07 <@rcallicotte:fedora.im> hehe
2024-07-31 18:54:09 <@smooge:fedora.im> you have 4 more years of 8
2024-07-31 18:54:15 <@conan_kudo:matrix.org> noooo
2024-07-31 18:54:34 <@conan_kudo:matrix.org> yup, I got it for... things :P
2024-07-31 18:54:36 <@carlwgeorge:matrix.org> to be clear i'm suggesting epel8 and epel9 stay as is, and we start epel10 as an mit "collection"
2024-07-31 18:54:39 <@conan_kudo:matrix.org> this is probably one of those "things"
2024-07-31 18:54:54 <@salimma:fedora.im> this is also a nice benefit of versioned packages, you don't get swamped with papercut bugs for older releases that are valid but hard to fix :)
2024-07-31 18:55:08 <@jonathanspw:fedora.im> Best course of action is probably for us to all +1 the *idea*, and then defer to legal if it's kosher.
2024-07-31 18:55:14 <@smooge:fedora.im> I would serious check on all of them
2024-07-31 18:55:39 <@carlwgeorge:matrix.org> hopefully i'll have an answer in time for flock, along with an initial epel-release build for 10
2024-07-31 18:55:41 <@salimma:fedora.im> Proposal: epel-release 10 switching to MIT license, subject to clarification from legal
2024-07-31 18:55:49 <@smooge:fedora.im> but not my circus, and not my monkeys 🐒
2024-07-31 18:56:01 <@nirik:matrix.scrye.com> -1
2024-07-31 18:56:21 <@conan_kudo:matrix.org> the rabid monkeys are potentially not worth it
2024-07-31 18:56:26 <@jonathanspw:fedora.im> TBH I'm kind of indifferent, but I wouldn't fight against it.  abstain?
2024-07-31 18:56:35 <@salimma:fedora.im> I'm fine either way but just wanted to table what Jonathan suggested
2024-07-31 18:56:51 <@carlwgeorge:matrix.org> my outlook was that if the fedora collection is mit, and we derive from that, are we even allowed to relicense the collection as gpl?
2024-07-31 18:56:56 <@conan_kudo:matrix.org> yes
2024-07-31 18:56:59 <@nirik:matrix.scrye.com> If we want to say the epel collection is mit, thats one thing, but changing epel-release license seems different and much more difficult
2024-07-31 18:57:05 <@conan_kudo:matrix.org> it's the other way that isn't necessarily allowed
2024-07-31 18:57:16 <@carlwgeorge:matrix.org> no need for an explicit motion or vote now, let me see what legal says
2024-07-31 18:57:26 <@salimma:fedora.im> but the prob is MIT requires attribution and we don't stick a copy of the MIT license on every Fedora repo :P
2024-07-31 18:57:44 <@conan_kudo:matrix.org> there's one shipped in fedora-release, IIRC
2024-07-31 18:57:52 <@salimma:fedora.im> so.. depending on if this 'collection' thing is valid or not, we might or might not be relicensing the specs from MIT to GPL
2024-07-31 18:57:59 <@conan_kudo:matrix.org> since you can't actually install fedora without it, you generally have it
2024-07-31 18:58:01 <@carlwgeorge:matrix.org> indeed https://src.fedoraproject.org/rpms/fedora-release/blob/rawhide/f/LICENSE
2024-07-31 18:58:06 <@salimma:fedora.im> yeah, but I mean individual package dist-gits don't have that
2024-07-31 18:58:11 <@conan_kudo:matrix.org> it's also in generic-release too, I think
2024-07-31 18:58:27 <@tdawson:fedora.im> Carl George: Just realize, that if you change it to MIT, you need to re-write the whole epel-release package.  Otherwise you have to get a release from all past contributors.
2024-07-31 18:58:27 <@conan_kudo:matrix.org> Michel Lind 🎩: it's not explicitly required as long as the license and attribution is _somewhere_
2024-07-31 18:58:36 <@salimma:fedora.im> Carl is asking legal so let's not bash our heads here :)
2024-07-31 18:58:40 <@conan_kudo:matrix.org> we have a license file on disk, the changelogs contain attribution, ergo it's fine
2024-07-31 18:58:46 <@nirik:matrix.scrye.com> https://docs.fedoraproject.org/en-US/legal/misc/#_license_of_fedora_spec_files
2024-07-31 18:59:09 <@carlwgeorge:matrix.org> individual dist-git repos don't, but when missing they roll up to the overall fpca or whatever it's called, that says the default is mit
2024-07-31 18:59:27 <@salimma:fedora.im> I guess EPEL specs are still Fedora specs since it's Fedora EPEL
2024-07-31 18:59:38 <@salimma:fedora.im> so Fedora specs even in the epel* branches are actually MIT licensed
2024-07-31 18:59:41 <@carlwgeorge:matrix.org> sure, that's easy enough
2024-07-31 18:59:42 <@conan_kudo:matrix.org> yes
2024-07-31 18:59:47 <@conan_kudo:matrix.org> so actually epel-release needs both GPL and MIT
2024-07-31 18:59:48 <@salimma:fedora.im> in which case, ok I'm a weak +1 to making epel-release MIT
2024-07-31 18:59:52 <@salimma:fedora.im> just to avoid the confusion
2024-07-31 19:00:14 <@conan_kudo:matrix.org> regardless of this, we do actually need to add an MIT license file to epel-release
2024-07-31 19:00:20 <@nirik:matrix.scrye.com> why?
2024-07-31 19:00:38 <@salimma:fedora.im> I don't think we need to, it's not statically linked or anything
2024-07-31 19:00:42 <@conan_kudo:matrix.org> because that's how we deliver the license of the spec files to people
2024-07-31 19:00:54 <@conan_kudo:matrix.org> even when you relicense, the old license is still valid
2024-07-31 19:01:08 <@nirik:matrix.scrye.com> they just default to MIT
2024-07-31 19:01:10 <@carlwgeorge:matrix.org> no need to litigate (hehe) it here, i'll get an answer from fedora legal and report back
2024-07-31 19:01:12 <@salimma:fedora.im> I would not mind at the very least adding a notice that individual EPEL spec files are MIT unless stated otherwise
2024-07-31 19:01:24 <@salimma:fedora.im> so there's no confusion that GPL only applies to files in epel-release itself
2024-07-31 19:01:41 <@tdawson:fedora.im> Looks like our time is up.  I think we're going to have to put this conversation on pause, while Carl George talks to Legal.
2024-07-31 19:01:41 <@salimma:fedora.im> and... we're at the hour
2024-07-31 19:02:25 <@tdawson:fedora.im> That you all for the discussion ... I'm pretty sure it will continue next week and on Matrix and elsewhere.
2024-07-31 19:02:35 <@salimma:fedora.im> thanks Troy!
2024-07-31 19:02:51 <@rcallicotte:fedora.im> thanks Troy.  See yall next week!
2024-07-31 19:03:04 <@tdawson:fedora.im> I've already said my usual closing stuff ... so this time I'm just closing in 20 seconds.
2024-07-31 19:03:27 <@smooge:fedora.im> go for it
2024-07-31 19:03:31 <@tdawson:fedora.im> !endmeeting