17:59:34 <sgallagh> #startmeeting FESCO (2013-12-04)
17:59:34 <zodbot> Meeting started Wed Dec  4 17:59:34 2013 UTC.  The chair is sgallagh. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:34 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
17:59:37 <sgallagh> #meetingname fesco
17:59:37 <zodbot> The meeting name has been set to 'fesco'
17:59:41 <sgallagh> #chair abadger1999 mattdm mitr mmaslano notting nirik pjones t8m sgallagh
17:59:41 <zodbot> Current chairs: abadger1999 mattdm mitr mmaslano nirik notting pjones sgallagh t8m
17:59:45 <sgallagh> #topic init process
17:59:46 <mmaslano> hi
17:59:53 <sgallagh> .hellomynameis sgallagh
17:59:55 <zodbot> sgallagh: sgallagh 'Stephen Gallagher' <sgallagh@redhat.com>
18:00:14 <nirik> .hellomynameis kevin
18:00:15 <zodbot> nirik: kevin 'Kevin Fenzi' <kevin@scrye.com>
18:00:20 * sgallagh volunteered to chair the meeting in mattdm's place this week
18:00:31 * notting is here
18:00:41 * mattdm is here but has very ill child
18:00:59 <pingou> g'd luck mattdm
18:01:09 <nirik> mattdm: :( sorry to hear it
18:01:17 <mattdm> she is telling me she wants to go to school betweel bouts of vomiting.
18:01:23 <mattdm> between
18:01:35 <nirik> wow... trooper
18:01:53 <sgallagh> That or it's picture day and she wants a memorable one
18:01:56 * abadger1999 here
18:02:09 <abadger1999> mattdm: clearly delusional
18:02:54 <pjones> yo
18:03:31 <sgallagh> ok, neither mitr nor t8m are online
18:03:33 <sgallagh> Let's begin
18:03:39 <sgallagh> #topic #1193 reboots for all updates -- are we ready for this?
18:03:40 <sgallagh> .fesco 1193
18:03:41 <zodbot> sgallagh: #1193 (reboots for all updates -- are we ready for this?) – FESCo - https://fedorahosted.org/fesco/ticket/1193
18:04:04 <mattdm> status is: I emailed richard twice (latest this morning) and haven't gotten a response.
18:04:47 <sgallagh> So how do we want to handle this?
18:05:11 <nirik> I can try and update it.
18:05:20 <nirik> action me. ;)
18:05:22 <sgallagh> Works for me
18:05:30 <nirik> it's just the wiki page right?
18:05:48 <sgallagh> #action nirik to update the AppInstaller Change pages
18:05:57 <abadger1999> nirik: Is it also telling docs?
18:05:58 <sgallagh> Yeah, we just want the description to match reality
18:06:09 <nirik> abadger1999: I can ping them too yeah...
18:06:14 <sgallagh> Yes, we need to notify docs that the description currently there is bunk
18:06:35 <nirik> I don't know if it's used anywhere, but I can ask.
18:06:44 <sgallagh> If it's not, it should be.
18:06:51 <sgallagh> It's a pretty big change from a user perspective
18:06:55 <abadger1999> *sigh* and that may mean release notes need to be updated and therefore the translations and packages :-(
18:07:34 <nirik> I'll follow up.
18:07:43 <abadger1999> nirik: thanks.
18:07:58 <notting> we do update the relnotes and common bugs post-release, don't we?
18:08:24 <nirik> yeah.
18:09:05 <sgallagh> ok, anything else we need to do here, or shall we move on?
18:09:21 <nirik> move on
18:09:28 <sgallagh> #topic #1201 Enabling third party repositories
18:09:30 <sgallagh> .fesco 1201
18:09:32 <zodbot> sgallagh: #1201 (Enabling third party repositories) – FESCo - https://fedorahosted.org/fesco/ticket/1201
18:10:04 <sgallagh> Ok, so spot came back with a much clearer ruling on third-party repos
18:10:57 <sgallagh> I have a related topic to this that came up on IRC the other day, but I'll get into it in open floor
18:10:58 <abadger1999> <nod>
18:11:57 <sgallagh> Do we want to vote on the opinion part of this ruling?
18:12:09 <sgallagh> Specifically whether copr-enablement packages should be shipped in the main repo.
18:12:26 <sgallagh> Spot is against it on principle, but it appears to be legally acceptable.
18:13:02 <abadger1999> I think I would propose allowing specific copr repos to be enabled.
18:13:17 <sgallagh> abadger1999: Sorry, can you clarify that statement?
18:13:48 <sgallagh> Do you mean we should allow this with restrictions (codified in packaging guidelines)?
18:14:02 <abadger1999> The idea being that for those repos, we really want to have those things be Fedora but we cannot (yet?) host them in the main Fedora repository.
18:14:09 <abadger1999> sgallagh: not quite.
18:14:16 <abadger1999> Use case I'm thinking of.
18:14:30 <sgallagh> OpenShift? P)
18:14:52 <abadger1999> let's say that there's certain packages that are common to multiple desktops but each desktop requires different version/compile flags for that package.
18:14:53 <mmaslano> software collections ;-)
18:15:17 <abadger1999> We could approve a set of copr repos that provide those packages and each desktop could pull from those repos.
18:15:25 <abadger1999> instead of the fedora main repo.
18:15:34 <mmaslano> abadger1999: I agree
18:15:38 <sgallagh> How about a more generic:
18:15:46 <abadger1999> and yeah, we could also enable openshift and software collections via this method.
18:15:59 <sgallagh> Proposal: FESCo may approve individual COPR repo-enablement packages for inclusion into the main repository.
18:16:13 <notting> sgallagh: as the repositories exist *now* (one main fedora repo, the 'anything submitter wants to build' in coprs), i would be against allowing copr-enablement packages in the main repo. in the future, with the product split, etc. we might consider different ideas of what the 'main' repo is, and need to rewrite it in terms of that.
18:16:32 <pjones> sgallagh: that's already the case, we don't need a proposal that says it ;)
18:16:35 <abadger1999> sgallagh: +1
18:16:44 <mattdm> I'm +1 to sgallagh. I'm also for delegating that to the Env & Stacks working group.
18:17:03 <mattdm> But I have a practical concern -- COPRs packages aren't signed, right?
18:17:23 <sgallagh> mattdm: They are not signed at present
18:17:25 <mmaslano> sgallagh: +1
18:17:30 <sgallagh> That was part of what I was going to bring up in Open Floor.
18:17:41 <mmaslano> mattdm: what should env and stacks do?
18:17:55 <sgallagh> mmaslano: I think he meant deferring to your WG for making that decision, instead of FESCo
18:18:06 <abadger1999> mattdm: I'm not sure I'd delegate... I think env and stacks will generate a lot of the requests but I don't know that they are really supposed to be knowledgeable about all the reasons that a copr repo should be approved... whereas fesco is.
18:18:23 <mattdm> I am also okay with not delegating. :)
18:18:49 <notting> so, to step it back a bit
18:18:54 <notting> coprs is a build method
18:19:02 <notting> repo links is about hosting
18:19:03 <sgallagh> Perhaps I should s/may/must/ in my proposal.
18:19:03 <abadger1999> sgallagh, mattdm: That is indeed an issue.  Signing is tricky to implement.
18:19:22 <notting> i understand why we might put the two together, but they don't necessarily follow from each other
18:19:26 * nirik notes there's a RFE for signing in coprs, but not clear how it will work if it can even be made to
18:19:36 <sgallagh> abadger1999: Discussion happened about that in #fedora-cloud earlier to look into Sigul for that purpose.
18:19:55 <notting> i.e., there's nothing that say our official SCL repos (or similar) need to be *hosted* in coprs for the repo links
18:20:06 <notting> after all... coprs aren't mirrored.
18:20:10 <notting> (unless I missed something?)
18:20:40 <nirik> sgallagh: I don't think that would work.
18:20:50 <nirik> notting: right, they aren't mirrored. They are just in our cloud.
18:21:25 <abadger1999> notting: <nod>  My assumption would be that copr is an easy way to scale our repos for now but things we really embrace going down the line would eventually get a repo managed more like the fedora main repos.
18:21:47 <notting> i guess that would be my concern - if we wanted something to be officially Part Of Fedora ... i think we want to use the rest of our CDN, not include links directly to coprs
18:22:15 * nirik nods.
18:22:33 <sgallagh> Ok, so for the "blessed" COPR repos, we would add them to our mirror network as an optional repo instead of pointing to them directly?
18:22:36 <mattdm> Proposal: develop a way for a COPRs repo to be promoted to a new repo system which would be signed and mirrored.
18:22:36 <nirik> we could mirror it off and sign it, but that's more releng work, etc.
18:22:48 * sgallagh nods
18:23:01 * mattdm notes more rel-eng work.
18:23:23 <mmaslano> mattdm: fine, who will create the ticket?
18:23:26 <nirik> coprs wasn't designed to replace our existing repo infra... not sure it makes sense to ask it to change what it is.
18:23:35 <abadger1999> nirik: +1
18:23:59 <nirik> I mean you could as well say: replace our existing build/updates/mirroring system with something that lets us add more repos arbitrarily.
18:24:00 <mattdm> this would not be coprs but could be fed from it.
18:24:02 <nirik> and a pony
18:24:05 <sgallagh> mattdm: +1, provided that dgilmore doesn't get angry.
18:24:15 <abadger1999> mattdm: in terms of the limited, only approved copr repos are allowed to ship repo files in fedora, I'm not sure that makes sense.
18:25:05 <abadger1999> as it might be better to move them from building in copr to building in koji for a separate repo when we get to the point of wanting signing and mirroring.
18:25:24 <sgallagh> mattdm: That was actually a +1 there, with a ping of dgilmore to hopefully get him involved in this discussion. Not an actual contingency.
18:25:58 <notting> abadger1999: for your use case above... the idea is coprs as independent repos that can conflict, or be built differently from the same source?
18:26:13 <notting> abadger1999: just trying to be clear on what you're suggesting using coprs to solve
18:26:36 <nirik> so, do we have specific copr cases people want to ship repos for in fedora right now? or is this all theoretical?
18:26:37 <mattdm> As much as I want the increased flexibility, I don't think it's responsible of us to allow repos that aren't signed at even the base level of "this is a package built in Fedora"
18:26:45 <abadger1999> notting: Somewhat. s/same source/same package name/  I think.
18:26:45 <mmaslano> abadger1999: I don't think everything will be rebuilt in koji
18:28:01 <abadger1999> It's just one use case though -- I guess what I was wanting to achieve is Let's allow some specific copr repos so that we can make additional restrictions on the package quality if we want to.
18:28:05 <nirik> so, perhaps we punt on this except to note we might like this functionality someday? (ie, signed, mirrored builds of things not in the fedora collection yet)
18:28:20 <abadger1999> rather than -- let's allow all copr repos to ship in fedora main repositories.
18:28:27 <abadger1999> where anything that's legal goes.
18:29:10 <sgallagh> Proposal: FESCo must approve individual COPR repo-enablement packages for inclusion into the main repository. At this time, these external repos are not required to be signed, but may NOT specify gpgcheck=0 if they are not.
18:29:35 * nirik tries to re-read the negatives there.
18:29:36 <mattdm> ? sooo, they can be enabled but will generate errors?
18:29:57 <sgallagh> mattdm: They can be enabled but will require authorization any time they install/update
18:30:17 <pjones> sgallagh: that sounds counterproductive
18:30:22 <nirik> by authorization you mean passing --nogpgcheck?
18:30:33 <sgallagh> nirik: Or being prompted for a password, but yes
18:30:52 * sgallagh notes that works for packagekit, but not yum today
18:30:54 <abadger1999> (which then doesn't check the packages from the main repo that would be pulled in via deps either)
18:31:00 <notting> i would say that i'm OK with fesco potentially approving repo packages that go to additional fedora repos, but i cannot conceive of approving links to copr repos without infrastructure changes around how coprs are signed and distributed
18:31:05 <mattdm> I think in that case, it's better to go with spot's suggestion, of having a higher level tool enable the repo.
18:31:29 <pjones> I'm not really okay with saying "hey, you can use these other repos too, and we encourage that.  so get used to typing your password into another dialog box all the time"
18:31:50 <abadger1999> notting: Okay... then we probably want to go back to sgallagh's original proposal and vote to deny it for now.
18:31:54 <pjones> notting: indeed
18:31:58 <mmaslano> it might be better to discuss how to sign those approved repos
18:32:18 <nirik> and by whom
18:32:28 <pjones> mmaslano: or rather, how to mirror a COPR into a sanctioned repo
18:32:53 <pjones> as its own whole thing, instead of trying to shoehorn it
18:33:09 <abadger1999> Proposal: At this time, copr-enablement packages cannot be shipped in the main repo.
18:33:09 <mattdm> I agree mmaslano/nirik/pjones, but maybe not for this meeting?
18:33:14 <pjones> mattdm: sure.
18:33:19 <mmaslano> mattdm: yes
18:33:20 <nirik> abadger1999: +1
18:33:20 <pjones> abadger1999: +1
18:33:27 <abadger1999> +1
18:33:40 <notting> abadger1999: +1
18:33:46 <mattdm> +1
18:33:50 <mmaslano> abadger1999: I'm not so sure, maybe discuss it later, when we will have more usecases 0
18:34:04 <sgallagh> abadger1999: +1 (on the "at this time" restriction)
18:34:11 <mattdm> (maybe throw in some infos about the above discussion?)
18:34:14 <notting> is it worth stating "at this time, issues around linking directly to copr repos include signing/key management, and mirrored distribution"
18:34:21 <abadger1999> mmaslano: Sure... Also, if the signing/distributing/building pieces change we can revisit as well.
18:34:33 <abadger1999> notting: works for me.
18:34:46 <mattdm> #info at this time, issues around linking directly to copr repos include signing/key management, and mirrored distribution"
18:35:39 <sgallagh> nirik: Wearing your infra hat, could I convince you to start a discussion thread on devel@ about those issues?
18:35:52 <abadger1999> revised wording: At this time, copr-enablement packages cannot be shipped in the main repo.  Issues that need to be addressed include signing/key management, and mirrored distribution
18:35:53 <nirik> sgallagh: well, copr-devel more like?
18:35:56 <nirik> or?
18:36:01 <sgallagh> Hmm
18:36:13 <sgallagh> Well, whatever we do will involve infra and rel-eng
18:36:13 <nirik> mirroring wouldn't be hard.
18:36:17 <nirik> signing may be impossible
18:36:24 <mattdm> abadger1999 sure.
18:36:26 <sgallagh> So probably devel@ is the common list
18:36:52 <mattdm> nirik Signing at a high level of assurance is impossible. Some level of signing certainly isn't.
18:37:16 <nirik> mattdm: it's a big can of worms.
18:37:20 <mattdm> and even a signature that indicates "this came through the fedora build system" is worth something.
18:37:34 * mattdm has a can opener
18:37:41 <nirik> does copr sign it? with one key? with a key per repo? who has the passphrase? where it is stored? who inputs it?
18:37:44 <pjones> mattdm: only if it's possible to tell the difference between that and some other signature.
18:38:05 <notting> ideally, if we're using coprs as personal/group repos, you'd want per-copr keys
18:38:10 <mattdm> pjones it is, although we don't necessarily present that very well.
18:38:24 <nirik> do different coprs from the same user have the same key? where are keys published? how do you revoke keys?
18:38:25 <notting> so your in-fedora *search* could say "Do you trust software from Joe's Package Sack", or whatever
18:38:26 <sgallagh> May I suggest that a solution for this would be better crowdsourced? I'm not sure we're exactly the right people for this.
18:38:37 * mattdm had a several-hour conversation with Seth about this but did not take notes.
18:39:33 <mmaslano> mattdm: sad
18:39:52 <notting> oof. should we start this convo outside of the meeting and move on?
18:39:53 <mmaslano> nirik: I do not have any idea how to sign it. It would be better to discuss it on list
18:39:57 <abadger1999> notting: +1
18:39:57 <nirik> yeah, so I can bring this up on infra list?
18:40:07 <pjones> yeah.
18:40:12 * nirik can do so
18:40:28 <abadger1999> sgallagh: Did you want to bring up additional aspects/proposals for 3rd party repos?
18:41:15 <sgallagh> Actually, we've hit on two of the three I was going to mention (signing and selection of approved ones)
18:41:23 <abadger1999> like -- whether app installers an search out additional repositories and any requirements for the user interface if they do so?
18:41:31 <abadger1999> *can search
18:41:58 <sgallagh> abadger1999: I put msuchy and hughsie together about this the other day. I'd like to see what they hash out on that front.
18:42:26 * sgallagh wracks his brain for the third thing.
18:43:01 <sgallagh> Oh right: do we want to put any restrictions on what can go in a COPR in general? For example, is it acceptable for a COPR to downgrade a package by playing with epochs?
18:43:09 <sgallagh> *downgrade a package from the standard repo
18:43:46 <pjones> ew.
18:43:56 <abadger1999> sgallagh: at the moment, I think that's fine -- I think if we had any "official coprs" I think we'd want to have restrictions on those.
18:43:58 <notting> ? i thought coprs could be any developer's scratch repo. so, they certainly *could* do that, but it wouldn't be the nicest thing.
18:44:09 <mattdm> yeah what notting said.
18:44:19 <pjones> yeah, I think the place we impose limits there is when we make them "official"
18:44:31 <sgallagh> I agree. Just wanted to bring it up for discussion.
18:45:34 <sgallagh> Proposal: COPRS in general can play whatever nasty packaging tricks it wants. When we start promoting "official" COPRs, we'll set restrictions.
18:45:52 <mmaslano> sgallagh: I agree +1
18:45:57 <nirik> I suspect ones that do wacky things won't get used much. :)
18:45:57 <sgallagh> s/whatever nasty/whatever nasty, legel/
18:46:01 <sgallagh> *legal
18:46:20 <abadger1999> probably the easiest way to restrict would be to note what differences the copr has vs the Packaging guidelines, update policy, and replacing of packages in (Fedora base|Fedora main repos)
18:46:42 <abadger1999> sgallagh: +1  that's just an affirmation of the status quo.
18:46:52 <sgallagh> abadger1999: True enough
18:47:17 * sgallagh notes he forgot the earlier "agree"
18:47:28 <sgallagh> #agreed At this time, copr-enablement packages cannot be shipped in the main repo.
18:48:35 <nirik> abadger1999: I guess currently it's: must be under an ok for fedora license, otherwise, go to town?
18:49:15 <abadger1999> nirik: yep.
18:50:08 <sgallagh> ok, so no need to vote on that.
18:50:17 <sgallagh> Anything else on this topic?
18:51:28 <sgallagh> #topic Next week's chair
18:52:01 <mattdm> um, i can do it for real next week :)
18:52:04 * sgallagh tosses the grenade into the crowd. Who's going to fall on it?
18:52:11 <sgallagh> boom
18:52:14 <mattdm> ouch
18:52:26 <sgallagh> #info mattdm to chair next week's meeting
18:52:30 <sgallagh> #topic Open Floor
18:52:39 <mattdm> Devconf! Who will be at Devconf?
18:52:53 <misc> o/
18:53:02 <mmaslano> mattdm: do you mean devconf in Brno? me
18:53:41 <mattdm> yes :)
18:53:44 <pjones> hrm.  not sure, actually.
18:53:47 <sgallagh> I will be in attendance
18:54:02 <sgallagh> #link http://devconf.cz/
18:54:10 <notting> i'll be around
18:54:12 <sgallagh> Related:
18:54:16 <sgallagh> #link fosdem.org
18:54:31 <mattdm> Although I awesomely missed the deadline, I was told there is still room for a fedora.next presentation
18:54:54 <mattdm> which I am happy to put together but would like to include the other people involved too
18:55:33 <mattdm> are the other wg liaisons up for giving a brief overview of their group's state?
18:55:36 <mmaslano> mattdm: yes, you did, but you can still try
18:55:59 <mmaslano> mattdm: I can be there and do overview
18:56:06 <sgallagh> mattdm: At DevConf or FOSDEM? (for the latter, I submitted a devroom)
18:56:24 <sgallagh> mattdm: I'm game
18:56:25 <mattdm> at devconf. but we can do the same show at fosdem.
18:56:40 <jzb> sgallagh: you submitted to a devroom, or you submitted a whole devroom proposal?
18:57:32 <sgallagh> jzb: I answered the CFP for the "distributions" devroom
18:58:09 <jzb> sgallagh: ah, good.
19:00:02 <sgallagh> Ok, anything else for open floor?
19:00:09 <sgallagh> If not, I'll close the meeting in 120s
19:00:22 <mattdm> I'll contact the other wg people about devconf
19:00:44 <sgallagh> #action mattdm to contact WG liaisons about DevConf presentation
19:02:21 <sgallagh> #endmeeting