19:35:32 <malo> #startmeeting
19:35:32 <Inigo_Montoya`> Meeting started Tue Sep 30 19:35:32 2014 UTC.  The chair is malo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:35:32 <Inigo_Montoya`> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:36:40 <malo> Morning everyone
19:36:47 <malo> Let's get to business
19:37:01 <malo> #topic Security updates
19:37:29 <malo> First order of business is the growing list of pending security problems that are not fixed by maintainers.
19:37:44 <malo> Luigi12_work: would you like to say a word?
19:38:06 <Luigi12_work> oh hello
19:38:31 <Luigi12_work> I guess that's two words
19:38:38 <Luigi12_work> getting a link, hold on a second
19:38:44 <malo> For newcomers, Luigi12_work is our security team :-)
19:39:01 <Luigi12_work> https://bugs.mageia.org/buglist.cgi?quicksearch=comp:secu+-@qa-b
19:39:07 <malo> and wouldn't mind more help
19:39:28 <Luigi12_work> that link shows all of the security bugs that have been filed, but not fixed yet such that they can be assigned to QA
19:40:01 <malo> the 60 of them ...
19:40:04 <Luigi12_work> some have been waiting for help for months.  Of particular concern is LibreOffice.  We used to support this package.
19:40:51 <Luigi12_work> There's also qemu, for which nobody's even provided any feedback on how to handle it, as the list of CVEs has gotten out of hand
19:41:30 <Luigi12_work> dams is missing, so some of his packages have fallen into disrepair, like boinc-client and nodejs you see on that list
19:41:46 <malo> #info security bugs waiting for packagers are listed at https://bugs.mageia.org/buglist.cgi?quicksearch=comp:secu+-@qa-b
19:42:01 <Luigi12_work> there's a bunch of Java packages on there unfortunately
19:42:32 <Luigi12_work> some packages with critical vulnerabilities like fish
19:42:44 <Luigi12_work> some really core packages like lua (used by rpm)
19:42:55 <malo> #info packagers are reminded that maintaining a package at the very least includes fixing security pb
19:43:30 <Luigi12_work> I can't do it all myself, so help is needed
19:43:32 <malo> ennael: should we start an effort to reduce this list?
19:43:53 <ennael> yep. First ping alive maintainers
19:43:57 <ennael> and share the others
19:44:16 <Akien> I guess Luigi12_work has already done the first step more than once.
19:44:33 <ennael> I will try also
19:44:41 <Luigi12_work> indeed.  Also swamped at work, and will be teaching 4 out of 5 weeks starting a couple weeks from now
19:44:47 <malo> Maybe one of the Sander style emails every week would be great
19:45:03 <Luigi12_work> I've done e-mails, they've generated very little response lately
19:45:37 <Akien> I'll see if I can handle the ffmpeg one.
19:45:40 <malo> #action ennael and malo are going to ping more aggressively packagers about security updates.
19:45:55 <Luigi12_work> Akien: ok, ffmpeg upstream will need to be pinged for that one
19:46:07 <malo> And we should have a Luigi round-up at every meeting like you do for qa.
19:46:15 <Luigi12_work> yep
19:46:32 <malo> any more suggestions/ideas?
19:46:59 <sander85> well, we can do another list to drop packages.. security bug not fixed for 2 months and out the door it goes :P
19:47:24 <Luigi12_work> yes some of the packages on this list definitely should be dropped before mga5 if they won't be fixed
19:47:34 <malo> sander85: yep, can you do that?
19:47:42 <Luigi12_work> hopefully we can determine which Java packages are actually needed by something and get rid of the rest too
19:47:49 <sander85> packagers aren't taking it seriously
19:47:56 <Luigi12_work> indeed
19:48:56 <malo> Let's increase awareness and maybe start dropping packages. It might work.
19:49:15 <Luigi12_work> that only helps so much though
19:49:25 <Luigi12_work> maybe something gets fixed in Cauldron but stable releases get ignored
19:49:46 <Luigi12_work> this reminds me of something
19:49:52 <malo> #action sander85 will start sending an automated reminder email about security bugs that get ignored.
19:49:57 <malo> Luigi12_work: :-)
19:50:01 <Luigi12_work> a couple months ago I went back and read some threads on the dev ml from when Mageia first started
19:50:18 <Luigi12_work> there was a huge mega-thread about mirrors organization that devolved into discussion about our support policy
19:50:38 <Luigi12_work> boklm had advocated having some sort of metadata about whether packages were officially supported or not
19:50:53 <Luigi12_work> (this as opposed to having a contrib repo which was rejected for many reasons)
19:51:12 <Luigi12_work> boklm's idea made a lot of sense and sounded like it was worth exploring
19:51:25 <sander85> well, i don't want to see no repo that has unmaintained packages
19:51:44 <Luigi12_work> well the problem is everything is maintained at some point (at least when it's imported)
19:51:50 <sander85> we'll just drop the dead stuff or maintainers will take care of it
19:52:00 <Luigi12_work> the problem is sometimes we stop supporting them, and we have no way of noting this
19:52:13 <Luigi12_work> yes we can drop dead stuff in Cauldron, but that still leaves stable releases hanging
19:52:42 <sander85> coling: any progress on teams in maintdb?
19:52:57 <Luigi12_work> having some web api exposed through rpmdrake could help potential contributors see when a package they use is no longer supported
19:52:58 <sander85> that would help too i guess
19:53:00 <coling> sander85, oh yeah... I totally forgot about that... I committed support for it, but didn't really test....
19:53:17 <Luigi12_work> anyway, just a thought
19:54:25 <malo> There is definitely some improvement needed ...
19:55:08 <Luigi12_work> on a related note, it'd be nice if we could aggressively drop packages before mga5 that aren't being maintained
19:55:17 <Luigi12_work> I'd hoped to find time to make a list but I've been too busy
19:55:22 <malo> http://check.mageia.org/cauldron/age.html is already a good approximation of staleness
19:57:22 <malo> It also would help to know which packages are never downloaded.
19:57:26 <AL13N> well, didn't mass rebuild remove the staleness?
19:57:34 <Luigi12_work> AL13N: in that sense, yes
19:57:50 <AL13N> and besides, i had some stuff which is stable, didn't have any new version and still works
19:57:56 <Luigi12_work> malo: indeed, that would be really interesting to know, but that opens a whole new can of worms
19:58:15 <Luigi12_work> AL13N: yes, I don't think there's any trivial bot-like way to determine staleness really
19:58:40 <Akien> Luigi12_lappy: +1 for dropping packages before the release
19:58:47 <AL13N> same thing with stats... it would be nice, but there will not be any kind of stats... so we need to forget about that
19:59:01 <AL13N> dropping packages would be best
19:59:10 <malo> http://check.mageia.org/cauldron/age.html currently shows packages that did not build with mass rebuild and that have not been rebuilt in a while.
19:59:15 <AL13N> but is this all nobody's? or just the ones that aren't looked after?
19:59:26 <AL13N> malo: some, but far from all
19:59:33 <Luigi12_work> AL13N: I really couldn't care less what maintdb says
19:59:46 <AL13N> right
19:59:53 <AL13N> because of packagers not being active
20:00:02 <AL13N> so it's actually more about open bugs for those packages?
20:00:20 <Luigi12_work> that's a good indicator
20:00:22 <malo> Ok. We need to keep all of this in mind, as we will need to make a decision on dropping packages soon.
20:00:33 <Luigi12_work> past history with difficulty getting bugs fixed due to lack of support is too
20:00:50 <AL13N> ok
20:01:19 <malo> Ok, let's change topic. We'll come back to that one next meeting.
20:01:26 <Akien> I wonder whether we should force-nobodify packages from inactive packagers?
20:01:49 <AL13N> malo: better do it faster than next meeting
20:01:52 <sander85> Akien: we should
20:01:57 <Luigi12_work> Akien: we should
20:02:04 <Akien> Then let's do it.
20:02:13 <malo> Akien: that might have the opposite effect
20:02:36 <Luigi12_work> it's maintdb, it won't really have any effect
20:02:44 <malo> but for known inactive packagers we should
20:02:51 <Luigi12_work> it's already full of inaccuracies and is hardly looked at
20:03:11 <Akien> malo: Or maybe add a way for any packager to grab a package from someone else (maybe with a confirmation if it's owned by someone)?
20:03:11 <sander85> https://sander85.eu/mageia/activity.php
20:03:35 <Luigi12_work> Akien: problem is what if they're so inactive they don't respond to the request
20:03:49 <AL13N> not a new problem
20:03:57 <Luigi12_work> but the flipside is what if they legitimately maintain it but don't see the request for a while
20:04:16 <Luigi12_work> so it should probably support it, but it's got some downside
20:04:55 <AL13N> i guess if someone has the packages stolen or dropped to nobody, we can email a notification of that
20:05:05 <AL13N> that should take care of the flipside
20:05:09 <AL13N> they can regrab if they want
20:05:37 <sander85> yeah
20:05:43 <Luigi12_work> ok
20:05:50 <AL13N> it would be nice even if they are dropped to nobody that they still get the bug emails
20:06:04 <AL13N> i guess past committers fall in that category
20:06:21 <malo> AL13N: it's easier to just change the maintdb rather than bugzilla
20:06:23 <AL13N> maybe we need to think of maintdb being the "current" state of maintainership
20:06:45 <AL13N> though then i need a different way to track my packages
20:07:37 <AL13N> it would be nice if maintdb is the current state, and we get a "favorite" tag for whatever package we want
20:07:54 <AL13N> to keep track of packages you officially or unofficially maintain
20:08:11 <AL13N> and dropping from maintdb means a notification
20:08:14 <AL13N> that would be good for me
20:08:35 <stef74> Is it possible afterwards to have one page with all packages with nobody as maintainer? And propose to new packagers to maintain one?
20:08:39 <sander85> well, maintdb is ok already, it just needs teams support
20:08:45 <malo> Alright guys, let's decide on a first step
20:08:45 <AL13N> stef74++
20:08:56 <malo> stef74: http://pkgsubmit.mageia.org/data/unmaintained.txt
20:09:03 <AL13N> drop aggressive + notify
20:09:07 <AL13N> that's step one
20:09:25 <AL13N> malo: he probably means on check.mageia.org (with the persons)
20:09:37 <malo> Sorry, to be more precise: let's decide on a first step and who
20:09:44 <malo> 's doing what
20:09:46 <sander85> i'll see if i can generate some report on security bugs to start dropping those that aren't fixed
20:09:56 <malo> sander85: thanks
20:10:18 <AL13N> sander85: would it be possible to include ALL bugs? not just security?
20:10:27 <sander85> no way
20:10:33 <Luigi12_work> that'd be too much work
20:10:37 <AL13N> how difficult would it be to count a nr of bugs per package?
20:10:40 <AL13N> (automated)
20:10:52 <AL13N> and start from there?
20:10:53 <Luigi12_work> automated is probably not a good idea in this instance
20:10:53 <stef74> malo: thx. One page on the wiki? New packagers can see it and choose to mant's one of them?
20:11:06 <Luigi12_work> it's good to take into account the actual state of the bugs, and not just the fact that they exist
20:11:07 <sander85> AL13N: you can do it if you think it's easy :P
20:11:11 <stef74> s/mant's/maint's
20:11:17 <AL13N> i've got no idea
20:11:37 <Luigi12_work> stef74: a wiki is not a good fit for a dynamic living thing like that
20:12:00 <malo> AL13N: can you look at cleaning maintdb? Sending an email to -dev with the list of packagers that appear inactive, giving them the opportunity to react or others to grab their packages, then resetting the inactive packages to nobody.
20:12:42 <Luigi12_work> doesn't sander85's newest mail already document some of the inactive packagers?
20:12:58 <Luigi12_work> anyway the list of packagers isn't that long, i could probably look at it and say off the top of my head most that are inactive
20:13:12 <Luigi12_work> but cleaning maintdb of those packagers is something only sysadmins can do
20:13:14 <AL13N> malo: who has access to dropping to nobody?
20:13:28 <malo> coling: ?
20:13:36 <AL13N> malo: it sounds like a lot of work to do manually
20:13:44 <malo> AL13N: sysadm I think
20:13:49 <pterjan> one line of shell
20:13:53 <malo> AL13N: it's not manual
20:13:55 <sander85> https://sander85.eu/mageia/activity.php - i'd say it's a pretty good list :P
20:14:01 <malo> AL13N: it's a text file
20:14:11 <AL13N> haha, no
20:14:28 <AL13N> it's the send email + giving opportunity that's the big task
20:14:45 <Luigi12_work> sander85: indeed
20:14:46 <malo> sander85: ok. But for example, I would like to get all packages of blue_prawn
20:14:58 <coling> I malo it's just a shell wrapper so we could open up the ability to drop packages to nobody to certain people fairly easily. Might just mean adding a more dedicated group in ldap if needs be.
20:14:59 <malo> rather than having to manually reassign them to me
20:15:05 <coling> s/I /
20:15:44 <coling> malo, sedding is also possible I think if there are a few one-off rules to run.
20:15:51 <malo> that's why an email saying "in a week we are going to set all of these maintainers to nobody" gives people the opportunity to react.
20:16:31 <malo> does it sound good?
20:16:56 <AL13N> what about ovitters, i believe he sent an email
20:17:01 <AL13N> about vacation
20:17:08 <AL13N> or do we just not care about that?
20:17:10 <sander85> so?
20:17:17 <filipesaraiva> malo sounds good for me
20:17:18 <sander85> he's not inactive :D
20:17:34 <AL13N> oh, oops, i needed to start at bottom :-)
20:18:00 <malo> AL13N: now is not the time to go through the list one by one.
20:18:10 <AL13N> i wasn't planning on it
20:18:26 <AL13N> ok, i'm gonna send the email then
20:19:00 <malo> #action AL13N will send an email proposing to reassign to nobody packages currently owned by inactive packagers
20:19:05 <AL13N> i'm gonna try and get a package count with the list
20:19:33 <AL13N> coling: do i mention something about the changes in the maintdb stuff you were working on? or not?
20:20:22 <coling> AL13N, well all I did was allow an informal grouping. I should really try and do more on the concept really. It might help just now but probably needs a bit more work to be really useful.
20:20:25 <malo> Ok. Those are good first steps. Next meeting we should discuss dropping criteria.
20:20:54 <malo> Next topic?
20:21:08 <malo> #topic mass rebuild
20:21:25 <AL13N> coling: you should read the suggestions from me about having a favority tag (ie: a package you want to work on)
20:21:52 <malo> Ok, there was a mass rebuild and the new rpm dependency generator broke everything.
20:22:00 <malo> Good summary? ;-P
20:22:05 <pterjan> things are mostly fixed
20:22:28 <pterjan> running an autobuild to see if there are more problems
20:22:39 <AL13N> pterjan: can you sync so we can see?
20:22:45 <malo> pterjan: great!
20:23:01 <ennael> great news indeed
20:23:07 <AL13N> pterjan: tv looks like he could fix the pear stuff, (from ML)
20:23:13 <sander85> AL13N: http://pkgsubmit.mageia.org/autobuild/results.php?run=2014-09-30
20:23:27 <AL13N> but as Luigi12_work pointed out, there should still be a mass rebuild anyway
20:24:18 <pterjan> so far it seems a lot of java packages are now broken but I didn't check why
20:24:18 <malo> #action everyone should watch the current autobuild http://pkgsubmit.mageia.org/autobuild/results.php?run=2014-09-30 and fix problems fast
20:24:21 <sander85> i'd vote for another rebuild too, to make sure it's all cool
20:24:24 <AL13N> (20:14:29) Luigi12_work: malo: half the packages have corrupted cpio archives, don't forget that
20:24:24 <AL13N> (20:14:50) Luigi12_work: malo: and we don't know if rpm will still *generate* correct deps/provides for most of the packages, due to amount of changes to this during the rebuild
20:24:24 <AL13N> (20:15:04) Luigi12_work: we really need to rebuild again to make sure, once things are settled
20:24:47 <Luigi12_work> thank you for reposting that
20:24:53 <AL13N> sorry
20:24:54 <Akien> Maybe we can schedule another rebuild for after the beta1 release?
20:25:01 <Luigi12_work> AL13N: I was serious, thank you
20:25:20 <Luigi12_work> Akien: probably too soon
20:25:23 <pterjan> we can run another faster one when things are fixed
20:25:31 <pterjan> but currently it seems maven is broken
20:25:31 <AL13N> beta1 is supposed to be out today... wouldn't it be better if we looked first to stabilize and delay beta1 for a couple of weeks anyway?
20:25:34 <Luigi12_work> I don't know that we need a hard date on it today
20:25:35 <grenoya> perl packages have been rebuilt, TV intends to do the same for pear. What about Python?
20:25:48 <grenoya> should we do it by hand?
20:25:58 <Luigi12_work> tv rebuilt those too
20:26:01 <pterjan> grenoya: no, I have a list
20:26:06 <Akien> AL13N: We've decided to delay it by two weeks
20:26:07 <ennael> AL13N: beta1 will be out when it's ready
20:26:21 <AL13N> sure, just the wiki was not updated to reflect it
20:26:26 <AL13N> but i guess that's normal
20:26:33 <malo> #chair ennael
20:26:33 <Inigo_Montoya`> Current chairs: ennael malo
20:26:41 <grenoya> AL13N: it's been announced yesterday on the blog
20:26:42 <malo> Sorry got to go
20:26:43 <pterjan> anyone is welcome to help on http://pkgsubmit.mageia.org/autobuild/cauldron/x86_64/core/2014-09-30/activemq-protobuf-1.1-8.mga5.src.rpm/build.0.20140930165452.log :)
20:26:47 <AL13N> woops
20:26:58 <pterjan> (I'll try to understand)
20:27:31 <Luigi12_work> great quote about the Bash issue: "The last 20 years were full of happiness, because people didn't know."
20:27:38 <filipesaraiva> AL13N there is a blogpost talking about the delay
20:31:39 <ennael> ok pterjan promised with his blood that a full rebuild will take about 2 days :)
20:31:46 <pterjan> :P
20:31:49 <AL13N> :-)
20:31:52 <ennael> so it means we can wait 2 more days  for this
20:32:06 <ennael> tv is fixing some more stuff at the moment then we will rebuild everything
20:32:17 <ennael> and start working on isos for beta1
20:32:22 <ennael> is that ok?
20:32:22 <pterjan> (what made it slow this time was that I had to stop it each time a bug was discovered, and rebuild some packages many times)
20:32:52 <AL13N> ok
20:32:57 <grenoya> ok :)
20:33:00 <ennael> looks like we have rebuilt all packagers ok :p
20:33:11 <grenoya> :))
20:33:11 <filipesaraiva> nice! =)
20:33:25 <AL13N> it would be nice to rebuild dead packagers into alive ones
20:33:42 <ennael> at least it does not sound too bad in terms of delay
20:33:55 <ennael> then we need to work on fixing broken packages
20:34:10 <ennael> for mageia4 it was done in the very last days of the release
20:34:16 <AL13N> yes
20:34:20 <AL13N> not good
20:34:25 <ennael> which is hardly doable
20:34:37 <ennael> so we need to find a way for this also
20:37:15 <ennael> beer?
20:37:21 <grenoya> o/
20:37:55 <grenoya> new RPM killed packagers! they don't even react to 'beer'...
20:38:20 <Luigi12_work> new RPM did kill rindolf at least I think
20:39:42 <ennael> ok so let's try regular mails about broken packages list
20:40:23 <Luigi12_work> broken in terms of not building?
20:40:31 <ennael> yep sorry
20:40:34 <Luigi12_work> ok
20:40:46 <AL13N> missing deps?
20:41:08 <Luigi12_work> sander already does that one
20:41:18 <ennael> well let's do it a bit harder :)
20:41:59 <Luigi12_work> probably wouldn't hurt to drop the distinction of whether it's marked as maintained in maintdb, since that's meaningless half the time anyway
20:42:16 <ennael> yep I had full list in mind
20:42:26 <ennael> not depending on whether it's maintained or not
20:43:04 <ennael> ok I guess we have lots of things to do in the coming days then. Next meetings should focus on this only
20:43:55 <AL13N> Luigi12_work: btw: you should try to pester Stormi in making a madb tool for listing unfixed sec bugs too
20:46:00 <Akien> AL13N: Well bugzilla does it well, you just have to customise it so that you can access the saved search in one click
20:46:16 <ennael> ok anything else to add before everybody falls asleep?
20:47:38 <AL13N> Akien: sure, but that way there's a similar table like the QA has, and then QA knows what will be coming soon-ish and keep track if it's fixed for all versions or only cauldron or ...
20:47:40 <ennael> well looks like it's already done :)
20:47:44 <AL13N> yes
20:47:47 <ennael> so thanks for attending this meeting
20:47:55 <ennael> and see you next week
20:48:00 <ennael> #endmeeting