18:01:20 <alexsaezm> #startmeeting Go SIG meeting
18:01:20 <zodbot> Meeting started Mon Jun 6 18:01:20 2022 UTC.
18:01:20 <zodbot> This meeting is logged and archived in a public location.
18:01:20 <zodbot> The chair is alexsaezm. Information about MeetBot at https://fedoraproject.org/wiki/Zodbot#Meeting_Functions.
18:01:20 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:01:20 <zodbot> The meeting name has been set to 'go_sig_meeting'
18:01:29 <alexsaezm> #topic Roll Call
18:01:45 <alexsaezm> Hi everyone :)
18:01:49 <mikelo> o/
18:02:12 <jcajka> .hello jcajka
18:02:13 <zodbot> jcajka: jcajka 'None' <jcajka@cajka.dev>
18:02:18 * gotmax[m] is half here
18:02:33 <jcajka> hello
18:02:35 <mikelo> .hi mikelo2
18:02:36 <zodbot> mikelo: mikelo 'Miguel Angel Ortega Zapata' <mian.ortegaz@gmail.com>
18:02:47 <alexsaezm> awesome, today we are a lot!
18:02:49 <mikelo> mmm..... I'm not that one o_O
18:02:58 <gotmax[m]> jcajka: Do you have privacy turned on for your FAS account?
18:03:00 <gotmax[m]> That might be why it's none
18:03:22 <alexsaezm> odd
18:03:23 <gotmax[m]> mikelo: use `.hello`
18:03:28 <mikelo> .hello mikelo2
18:03:28 <zodbot> mikelo: mikelo2 'None' <mikel@olasagasti.info>
18:03:29 <gotmax[m]> .hellomynameis gotmax23
18:03:35 <zodbot> gotmax[m]: gotmax23 'Maxwell G' <gotmax@e.email>
18:03:43 <jcajka> gotmax[m]: not sure, will check that, thanks :)
18:04:11 <gotmax[m]> Fun fact, `.hello`, `.hi`, and `hello2` are all short for `.hellomynameis`.
18:04:20 <alexsaezm> I had no idea O:
18:04:26 <gotmax[m]> s/`/`./
18:05:48 <mikelo> .hello mikelo2
18:05:49 <zodbot> mikelo: mikelo2 'Mikel Olasagasti' <mikel@olasagasti.info>
18:06:07 <alexsaezm> great :D
18:06:15 <alexsaezm> that's you, right? :D
18:06:58 <mikelo> yes, that's the correct one
18:07:17 <alexsaezm> awesome
18:07:37 <alexsaezm> I don't see any issue tagged for the meeting so we can move to the Open Floor
18:07:43 <alexsaezm> #topic Open Floor
18:08:00 <gotmax[m]> Don't we have CVEs we need to address?
18:08:06 <alexsaezm> yes
18:08:07 <alexsaezm> there's one
18:08:16 <alexsaezm> but it wasn't tagged lol
18:08:25 <alexsaezm> I want to comment on one thing about that and hear your opinions
18:08:49 <alexsaezm> so the update is ready but secteam didn't file the bug yet, so I didn't publish the update to bodhi
18:09:11 <mikelo> which cve?
18:09:15 <alexsaezm> I don't want to wait for a bug that much... so what do you think? should I just push the update? wait?
18:09:25 <alexsaezm> mikelo, let me find the cve...
18:09:29 <gotmax[m]> I would just push it.
18:09:36 <gotmax[m]> You can still mark it as a security update on Bodhi
18:09:43 <gotmax[m]> alexsaezm: That would be helpful
18:09:47 <alexsaezm> https://bugzilla.redhat.com/show_bug.cgi?id=2092793
18:09:49 <mikelo> if it's not embargoed and just waiting for a BZ, then I would say also push
18:10:14 <alexsaezm> that's the cve main bug, not the fedora one that I'm waiting for
18:10:22 <gotmax[m]> F34 EOLs tomorrow, so we can probably just ignore that one
18:10:28 <gotmax[m]> I mean the one that was reported for f34
18:10:40 <alexsaezm> which one?
18:10:53 * gotmax[m] looks
18:11:22 <jcajka> gotmax[m]: +1 and I think you can even add the CVE BZ ex post into the bodhi update, or just note that in the BZ if not
18:11:55 <mikelo> CVE-2022-28327 & CVE-2022-24675
18:12:16 <mikelo> those are the CVEs that were reported for F34 iirc
18:12:30 <gotmax[m]> Yeah, I think so
18:12:49 * alexsaezm is waiting for bugzilla to load...
18:12:58 <gotmax[m]> Me to :D
18:13:01 <gotmax[m]> *too
18:13:07 <mikelo> Fale[m] and I discussed those CVEs with RH's prodsec team, and that they should probably avoid opening BZs against 'library' packages
18:14:16 <mikelo> and provided them this thread & command https://lists.fedoraproject.org/archives/list/golang@lists.fedoraproject.org/message/BFO2UV6VOZ33RKUXMSPVKPHE4XCFJVQT/
18:14:34 <mikelo> but I understand that the CVE alexsaezm was referring to is another CVE
18:14:56 <alexsaezm> yes, I mean, we have 3 as far as I understand
18:15:07 <alexsaezm> two (I'm still waiting for bugzilla) for f34
18:15:17 <alexsaezm> and the one I was asking about is for rawhide and f36
18:15:20 <alexsaezm> 1.18.3
18:16:07 <gotmax[m]> We also really need to figure out the large number of FTBFS packages.
18:16:17 <gotmax[m]> We won't be able to rebuild them until they're fixed
18:16:25 <mikelo> alexsaezm, maybe it's a good time for you (and your team at RH?) to sit down with prodsec and discuss what tickets need to be opened by them?
18:16:56 <mikelo> fale and I did, but our work for Fedora is not part of our duties at RH
18:17:11 <mikelo> we can be in the loop, of course
18:17:18 <alexsaezm> mikelo, I think we can do that, let me see if dbenoit is here reading (we work together and I would like to read his take)
18:17:43 <gotmax[m]> They should only be reporting for go packages that contain binaries
18:18:20 <alexsaezm> that makes sense
18:18:44 <mikelo> gotmax[m], we explained that to them and they said they'll check the query. I think it's important for alexsaezm or someone to contact them for this new cve and ensure they do the correct thing and less noise
18:19:03 <gotmax[m]> +1
18:19:04 <alexsaezm> I'll check how to start the conversation
18:19:17 <mikelo> alexsaezm, I can provide you details later
18:19:20 <jcajka> technically also plugins or .so, but I'm not aware that there are any packages that ship them
18:19:32 <alexsaezm> (I think I saw a way to add meeting minutes to the IRC chats..)
18:20:11 <gotmax[m]> FYI: I believe the F34 bugs will automatically close once it goes EOL
18:20:11 <gotmax[m]> I think it's `#info`.
18:20:55 <gotmax[m]> You can also use `#action` to say that someone will do something, and it will show up in the meetbot minutes.
18:21:22 <jcajka> alexsaezm: #action and #info
18:21:27 <alexsaezm> got it
18:21:29 <alexsaezm> thanks all
18:21:59 <alexsaezm> #action alexsaezm will talk with mikelo to sync on how to start a conversation with the security team in order to discuss the type of tickets to be opened
18:22:43 <gotmax[m]> On another note, does anyone care if I handle https://pagure.io/GoSIG/go-sig/issue/25?
18:22:50 <alexsaezm> regarding the f36 cve... are we ok then with pushing the update to bodhi without the cve bug?
18:23:00 <gotmax[m]> Yes
18:23:13 <gotmax[m]> You can always edit the update or close it manually later
18:23:21 <alexsaezm> got it
18:23:32 <alexsaezm> gotmax[m], regarding #25 feel free, as far as I know they are not relevant anymore
18:23:42 <jcajka> gotmax[m]: feel free to go ahead with that
18:24:00 <alexsaezm> #action alexsaezm will push the 1.18.3 update to f36
18:24:10 <gotmax[m]> For the F36 CVE, we will need to do a mass rebuild
18:24:12 * alexsaezm hopes the action command is working lol
18:24:56 <alexsaezm> gotmax[m], never did that... is there a procedure?
18:25:24 <mikelo> gotmax[m], mass? wouldn't it again be like with the f34 cve, rebuilding binary packages?
18:25:30 <jcajka> I would assume one would request side that for that
18:25:44 <jcajka> ...side tag...
18:25:58 <gotmax[m]> mikelo: Yes, that probably wasn't the best phrasing
18:26:25 <gotmax[m]> jcajka: Yes, you have to clone all the packages, bump the release, and rebuild in a side tag.
18:26:37 <gotmax[m]> Fale handled it last time
18:26:52 <jcajka> I guess it morphed into that https://docs.fedoraproject.org/en-US/rawhide-gating/multi-builds/
18:27:09 <mikelo> Fale[m] created some scripts to handle it, alexsaezm you may want to contact him
18:27:22 <mikelo> but there is one problem, some packages don't have go-sig as committer
18:27:30 <alexsaezm> right
18:27:42 <Fale[m]1> I can run them for this time as well
18:27:53 <mikelo> we discussed adding a step in the go-sig doc to require the go-sig group to be added to each package unless a good reason is given
18:28:25 <mikelo> that should help with rebuilds *and* some of the FTBFS
18:28:30 <gotmax[m]> #action Fale to handle rebuilding binary packages to fix CVE-2022-30629.
18:29:09 <gotmax[m]> Thanks!
18:29:30 <mikelo> the rclone stack FTBFS is blocked in part because some packages miss go-sig group permissions
18:30:49 <gotmax[m]> Fale: When you sent your reminder email, did you BCC the packagers who needed to take action?
18:31:18 <Fale[m]1> @[Maxwell (@gotmax) (He/Him)] no I did not. I did ping eclipseo separately though
18:31:40 <Fale[m]1> More than 50% of problematic packages are owned by him
18:32:06 <gotmax[m]> Got it
18:32:17 <gotmax[m]> Maybe it's worth forwarding it to them individually in case they don't read the list?
18:32:17 <jcajka> Do we have any proven package around?
18:32:35 <gotmax[m]> eclipseo_ is
18:32:35 <jcajka> proven packager around
18:32:54 <Fale[m]1> I was planning to send a new ping in a few days, I can try to bcc people this time
18:33:11 <jcajka> they could help out, it should also be a possibility to get sponsored
18:33:43 <mikelo> Fale[m]1, I contacted him 6 days ago and no news
18:33:44 <jcajka> if you plan to focus on this, I think it would help to get sponsored
18:33:54 <jcajka> eventually
18:33:56 <gotmax[m]> The `[packagename]-maintainers@fedoraproject.org` aliases might help.
18:33:58 <Fale[m]1> Elliot is PP
18:34:52 <Fale[m]1> If we cannot solve the gosig permission issue, I think we should evaluate nominating a new PP as a sig
18:34:59 <Fale[m]1> To manage those situations
18:35:29 <Fale[m]1> Because I believe golang CVEs will accelerate in the next few months/years
18:36:00 <gotmax[m]> Fale[m]1: Well, FESCO has to approve it
18:36:30 <Fale[m]1> Absolutely, but we can propose ;-)
18:37:13 <alexsaezm> who wants to handle this? :)
18:37:38 <jcajka> it needs to be an individual person, but Go SIG wreaking havoc on the whole of Fedora sounds cool :D
18:38:06 <gotmax[m]> Well, we'd only be touching go packages
18:38:33 <jcajka> but a proven packager can touch everything, except a few other packages, it is not really for a SIG as a whole
18:39:31 <Fale[m]1> I would prefer if we fix the core problem (IE missing gosig permissions). Imho if we cannot fix it in 1 or 2 months we go for plan B
18:40:05 <mikelo> +1
18:40:51 <mikelo> but if someone still wants to try to be a provenpackager that's another option, no need to wait
18:40:56 <Fale[m]1> (sorry guys for the typos, I'm on my phone in a pub :-D)
18:40:59 <jcajka> Fale[m]: +1
18:43:03 <gotmax[m]> <jcajka> "it needs to be an individual..." <- Sorry, I thought you were still talking about the mass rebuild. I now realize my comment makes no sense.
18:43:16 <mikelo> Fale[m]1, the plan would then be to list the go packages that don't have go-sig as group and contact the owners. I think you have the script to list the packages, I can try to contact owners
18:43:18 <gotmax[m]> * about the go mass rebuild.
18:43:22 <gotmax[m]> Also, Fale++ for handling that
18:43:53 <gotmax[m]> fale++
18:43:53 <zodbot> gotmax[m]: Karma for fale changed to 1 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any
18:44:15 <Fale[m]1> @mikelo I've written code to automate it. I sent an email a week ago for it, so I can just run it as many times as needed
18:44:33 <mikelo> fale++ that's even better!
18:44:33 <zodbot> mikelo: Karma for fale changed to 2 (for the current release cycle): https://badges.fedoraproject.org/tags/cookie/any
18:45:45 <alexsaezm> awesome, thanks Fale[m]1
18:47:02 <alexsaezm> do we have something else open? we talked about a lot of things today
18:48:08 <gotmax[m]> I don't think so
18:48:08 <jcajka> I just wanted to note that upstream Go is considering a new policy for ports of Go https://github.com/golang/go/discussions/53060 might be of interest to some
18:48:25 <jcajka> to take part in the discussion
18:49:05 <Fale[m]1> I have one point: shall we consider a different time for this meeting? At least check if this is the optimal time for everyone
18:49:15 <alexsaezm> oh thanks jcajka I need to read that
18:49:39 <gotmax[m]> `linux/ppc64le` and `linux/s390x` are the secondary ones that we build for
18:49:52 <jcajka> and linux/arm64
18:49:53 <alexsaezm> Fale[m]1, I think we talked about this a few months ago but of course, we can always run a vote again and gather the info
18:50:20 <jcajka> alexsaezm, Fale[m]1: I can start the vote/survey for that
18:51:09 <jcajka> arm64 is first class nowadays
18:51:30 <gotmax[m]> Yeah
18:53:16 <gotmax[m]> We might want to move the meeting to one of the #fedora-meeting rooms like the other groups do.
18:54:01 <jcajka> gotmax[m]: as long as you have the bot and not much traffic it works here, but a meeting room is always an option
18:54:26 <gotmax[m]> https://pagure.io/irc/issue/27#comment-736840
18:55:35 <gotmax[m]> I think we can close this out if nobody has anything else to say
18:56:05 <alexsaezm> not from my side
18:56:26 <jcajka> same here
18:56:39 <mikelo> same
18:57:17 <alexsaezm> thanks a lot, it was a nice meeting. Hope you all have a great day
18:57:28 <gotmax[m]> #endmeeeting
18:57:28 <alexsaezm> #endmeeting