19:35:32 <malo> #startmeeting
19:35:32 <Inigo_Montoya`> Meeting started Tue Sep 30 19:35:32 2014 UTC. The chair is malo. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:35:32 <Inigo_Montoya`> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:36:40 <malo> Morning everyone
19:36:47 <malo> Let's get to business
19:37:01 <malo> #topic Security updates
19:37:29 <malo> First order of business is the growing list of pending security problems that are not fixed by maintainers.
19:37:44 <malo> Luigi12_work: would you like to say a word?
19:38:06 <Luigi12_work> oh hello
19:38:31 <Luigi12_work> I guess that's two words
19:38:38 <Luigi12_work> getting a link, hold on a second
19:38:44 <malo> For newcomers, Luigi12_work is our security team :-)
19:39:01 <Luigi12_work> https://bugs.mageia.org/buglist.cgi?quicksearch=comp:secu+-@qa-b
19:39:07 <malo> and wouldn't mind more help
19:39:28 <Luigi12_work> that link shows all of the security bugs that have been filed, but not fixed yet such that they can be assigned to QA
19:40:01 <malo> the 60 of them ...
19:40:04 <Luigi12_work> some have been waiting for help for months. Of particular concern is LibreOffice. We used to support this package.
19:40:51 <Luigi12_work> There's also qemu, for which nobody's even provided any feedback on how to handle it, as the list of CVEs has gotten out of hand
19:41:30 <Luigi12_work> dams is missing, so some of his packages have fallen into disrepair, like boinc-client and nodejs you see on that list
19:41:46 <malo> #info security bugs waiting for packagers are listed at https://bugs.mageia.org/buglist.cgi?quicksearch=comp:secu+-@qa-b
19:42:01 <Luigi12_work> there's a bunch of Java packages on there unfortunately
19:42:32 <Luigi12_work> some packages with critical vulnerabilities like fish
19:42:44 <Luigi12_work> some really core packages like lua (used by rpm)
19:42:55 <malo> #info packagers are reminded that maintaining a package at the very least includes fixing security pb
19:43:30 <Luigi12_work> I can't do it all myself, so help is needed
19:43:32 <malo> ennael: should we start an effort to reduce this list?
19:43:53 <ennael> yep. First ping alive maintainers
19:43:57 <ennael> and share the others
19:44:16 <Akien> I guess Luigi12_work has already done the first step more than once.
19:44:33 <ennael> I will try also
19:44:41 <Luigi12_work> indeed. Also swamped at work, and will be teaching 4 out of 5 weeks starting a couple weeks from now
19:44:47 <malo> Maybe one of the Sander style emails every week would be great
19:45:03 <Luigi12_work> I've done e-mails, they've generated very little response lately
19:45:37 <Akien> I'll see if I can handle the ffmpeg one.
19:45:40 <malo> #action ennael and malo are going to ping more aggressively packagers about security updates.
19:45:55 <Luigi12_work> Akien: ok, ffmpeg upstream will need to be pinged for that one
19:46:07 <malo> And we should have a Luigi round-up at every meeting like you do for qa.
19:46:15 <Luigi12_work> yep
19:46:32 <malo> any more suggestions/ideas?
19:46:59 <sander85> well, we can do another list to drop packages.. security bug not fixed for 2 months and out the door it goes :P
19:47:24 <Luigi12_work> yes some of the packages on this list definitely should be dropped before mga5 if they won't be fixed
19:47:34 <malo> sander85: yep, can you do that?
19:47:42 <Luigi12_work> hopefully we can determine which Java packages are actually needed by something and get rid of the rest too
19:47:49 <sander85> packagers aren't taking it seriously
19:47:56 <Luigi12_work> indeed
19:48:56 <malo> Let's increase awareness and maybe start dropping packages. It might work.
19:49:15 <Luigi12_work> that only helps so much though
19:49:25 <Luigi12_work> maybe something gets fixed in Cauldron but stable releases get ignored
19:49:46 <Luigi12_work> this reminds me of something
19:49:52 <malo> #action sander85 will start sending an automated reminder email about security bugs that get ignored.
19:49:57 <malo> Luigi12_work: :-)
19:50:01 <Luigi12_work> a couple months ago I went back and read some threads on the dev ml from when Mageia first started
19:50:18 <Luigi12_work> there was a huge mega-thread about mirrors organization that devolved into discussion about our support policy
19:50:38 <Luigi12_work> boklm had advocated having some sort of metadata about whether packages were officially supported or not
19:50:53 <Luigi12_work> (this as opposed to having a contrib repo which was rejected for many reasons)
19:51:12 <Luigi12_work> boklm's idea made a lot of sense and sounded like it was worth exploring
19:51:25 <sander85> well, i don't want to see no repo that has unmaintained packages
19:51:44 <Luigi12_work> well the problem is everything is maintained at some point (at least when it's imported)
19:51:50 <sander85> we'll just drop the dead stuff or maintainers will take care of it
19:52:00 <Luigi12_work> the problem is sometimes we stop supporting them, and we have no way of noting this
19:52:13 <Luigi12_work> yes we can drop dead stuff in Cauldron, but that still leaves stable releases hanging
19:52:42 <sander85> coling: any progress on teams in maintdb?
19:52:57 <Luigi12_work> having some web api exposed through rpmdrake could help potential contributors see when a package they use is no longer supported
19:52:58 <sander85> that would help too i guess
19:53:00 <coling> sander85, oh yeah... I totally forgot about that... I committed support for it, but didn't really test....
19:53:17 <Luigi12_work> anyway, just a thought
19:54:25 <malo> There is definitely some improvement needed ...
19:55:08 <Luigi12_work> on a related note, it'd be nice if we could aggressively drop packages before mga5 that aren't being maintained
19:55:17 <Luigi12_work> I'd hoped to find time to make a list but I've been too busy
19:55:22 <malo> http://check.mageia.org/cauldron/age.html is already a good approximation of staleness
19:57:22 <malo> It also would help to know which packages are never downloaded.
19:57:26 <AL13N> well, didn't mass rebuild remove the staleness?
19:57:34 <Luigi12_work> AL13N: in that sense, yes
19:57:50 <AL13N> and besides, i had some stuff which is stable, didn't have any new version and still works
19:57:56 <Luigi12_work> malo: indeed, that would be really interesting to know, but that opens a whole new can of worms
19:58:15 <Luigi12_work> AL13N: yes, I don't think there's any trivial bot-like way to determine staleness really
19:58:40 <Akien> Luigi12_lappy: +1 for dropping packages before the release
19:58:47 <AL13N> same thing with stats... it would be nice, but there will not be any kind of stats... so we need to forget about that
19:59:01 <AL13N> dropping packages would be best
19:59:10 <malo> http://check.mageia.org/cauldron/age.html currently shows packages that did not build with mass rebuild and that have not been rebuilt in a while.
19:59:15 <AL13N> but is this all nobody's? or just the ones that aren't looked after?
19:59:26 <AL13N> malo: some, but far from all
19:59:33 <Luigi12_work> AL13N: I really couldn't care less what maintdb says
19:59:46 <AL13N> right
19:59:53 <AL13N> because of packagers not being active
20:00:02 <AL13N> so it's actually more about open bugs for those packages?
20:00:20 <Luigi12_work> that's a good indicator
20:00:22 <malo> Ok. We need to keep all of this in mind, as we will need to make a decision on dropping packages soon.
20:00:33 <Luigi12_work> past history with difficulty getting bugs fixed due to lack of support is too
20:00:50 <AL13N> ok
20:01:19 <malo> Ok, let's change topic. We'll come back to that one next meeting.
20:01:26 <Akien> I wonder whether we should force-nobodify packages from inactive packagers?
20:01:49 <AL13N> malo: better do it faster than next meeting
20:01:52 <sander85> Akien: we should
20:01:57 <Luigi12_work> Akien: we should
20:02:04 <Akien> Then let's do it.
20:02:13 <malo> Akien: that might have the opposite effect
20:02:36 <Luigi12_work> it's maintdb, it won't really have any effect
20:02:44 <malo> but for known inactive packagers we should
20:02:51 <Luigi12_work> it's already full of inaccuracies and is hardly looked at
20:03:11 <Akien> malo: Or maybe add a way for any packager to grab a package from someone else (maybe with a confirmation if it's owned by someone)?
20:03:11 <sander85> https://sander85.eu/mageia/activity.php
20:03:35 <Luigi12_work> Akien: problem is what if they're so inactive they don't respond to the request
20:03:49 <AL13N> not a new problem
20:03:57 <Luigi12_work> but the flipside is what if they legitimately maintain it but don't see the request for a while
20:04:16 <Luigi12_work> so it should probably support it, but it's got some downside
20:04:55 <AL13N> i guess if someone has the packages stolen or dropped to nobody, we can email a notification of that
20:05:05 <AL13N> that should take care of the flipside
20:05:09 <AL13N> they can regrab if they want
20:05:37 <sander85> yeah
20:05:43 <Luigi12_work> ok
20:05:50 <AL13N> it would be nice even if they are dropped to nobody that they still get the bug emails
20:06:04 <AL13N> i guess past committers fall in that category
20:06:21 <malo> AL13N: it's easier to just change the maintdb rather than bugzilla
20:06:23 <AL13N> maybe we need to think of maintdb being the "current" state of maintainership
20:06:45 <AL13N> though then i need a different way to track my packages
20:07:37 <AL13N> it would be nice if maintdb is the current state, and we get a "favorite" tag for whatever package we want
20:07:54 <AL13N> to keep track of packages you officially or unofficially maintain
20:08:11 <AL13N> and dropping from maintdb means a notification
20:08:14 <AL13N> that would be good for me
20:08:35 <stef74> Is it possible after to have one page with all packages with nobody for maintainer? And propose to new packagers to maint's one?
20:08:39 <sander85> well, maintdb is ok already, it just needs teams support
20:08:45 <malo> Alright guys let's decide on a first step
20:08:45 <AL13N> stef74++
20:08:56 <malo> stef74: http://pkgsubmit.mageia.org/data/unmaintained.txt
20:09:03 <AL13N> drop aggressive + notify
20:09:07 <AL13N> that's step one
20:09:25 <AL13N> malo: he probably means on check.mageia.org (with the persons)
20:09:37 <malo> Sorry, to be more precise, let's decide on a first step and who
20:09:44 <malo> 's doing what
20:09:46 <sander85> i'll see if i can generate some report on security bugs to start dropping those that aren't fixed
20:09:56 <malo> sander85: thanks
20:10:18 <AL13N> sander85: would it be possible to include ALL bugs? not just security?
20:10:27 <sander85> no way
20:10:33 <Luigi12_work> that'd be too much work
20:10:37 <AL13N> how difficult would it be to count a nr of bugs per package?
20:10:40 <AL13N> (automated)
20:10:52 <AL13N> and start from there?
20:10:53 <Luigi12_work> automated is probably not a good idea in this instance
20:10:53 <stef74> malo: thx one page on wiki? New packager can see and take the choice to mant's one of them?
20:11:06 <Luigi12_work> it's good to take into account the actual state of the bugs, and not just the fact that they exist
20:11:07 <sander85> AL13N: you can do it if you think it's easy :P
20:11:11 <stef74> s/mant's/maint's
20:11:17 <AL13N> i've got no idea
20:11:37 <Luigi12_work> stef74: a wiki is not a good fit for a dynamic living thing like that
20:12:00 <malo> AL13N: can you look at cleaning maintdb? Sending an email to -dev with the list of packagers that appear inactive, giving opportunity for them to react or others to grab their packages, then resetting the inactive packages to nobody.
20:12:42 <Luigi12_work> doesn't sander85's newest mail already document some of the inactive packagers?
20:12:58 <Luigi12_work> anyway the list of packagers isn't that long, i could probably look at it and say off the top of my head most that are inactive
20:13:12 <Luigi12_work> but cleaning maintdb of those packagers is something only sysadmins can do
20:13:14 <AL13N> malo: who has access to dropping to nobody?
20:13:28 <malo> coling: ?
20:13:36 <AL13N> malo: it sounds like a lot of work to do manually
20:13:44 <malo> AL13N: sysadm I think
20:13:49 <pterjan> one line of shell
20:13:53 <malo> AL13N: it's not manual
20:13:55 <sander85> https://sander85.eu/mageia/activity.php - i'd say it's a pretty good list :P
20:14:01 <malo> AL13N: it's a text file
20:14:11 <AL13N> haha, no
20:14:28 <AL13N> it's the send email + giving opportunity that's the big task
20:14:45 <Luigi12_work> sander85: indeed
20:14:46 <malo> sander85: ok. But for example, I would like to get all packages of blue_prawn
20:14:58 <coling> I malo it's just a shell wrapper so we could open up the ability to drop packages to nobody to certain people fairly easily. Might just mean adding a more dedicated group in ldap if needs be.
20:14:59 <malo> rather than having to manually reassign them to me
20:15:05 <coling> s/I /
20:15:44 <coling> malo, sedding is also possible I think if there are a few one-off rules to run.
20:15:51 <malo> that's why an email saying "in a week we are going to set all of these maintainers to nobody" gives the opportunity to people to react.
20:16:31 <malo> does it sound good?
20:16:56 <AL13N> what about ovitters, i believe he sent an email
20:17:01 <AL13N> about vacation
20:17:08 <AL13N> or do we just not care about that?
20:17:10 <sander85> so?
20:17:17 <filipesaraiva> malo sounds good for me
20:17:18 <sander85> he's not inactive :D
20:17:34 <AL13N> oh, oops, i needed to start at bottom :-)
20:18:00 <malo> AL13N: now is not the time to go through the list one by one.
20:18:10 <AL13N> i wasn't planning on it
20:18:26 <AL13N> ok, i'm gonna send the email then
20:19:00 <malo> #action AL13N will send an email proposing to reassign to nobody packages currently owned by inactive packagers
20:19:05 <AL13N> i'm gonna try and get a package count with the list
20:19:33 <AL13N> coling: do i mention something about the changes in the maintdb stuff you were working on? or not?
20:20:22 <coling> AL13N, well all I did was allow an informal grouping. I should really try and do more on the concept really. It might help just now but probably needs a bit more work to be really useful.
20:20:25 <malo> Ok. Those are good first steps. Next meeting we should discuss dropping criteria.
20:20:54 <malo> Next topic?
20:21:08 <malo> #topic mass rebuild
20:21:25 <AL13N> coling: you should read the suggestions from me about having a favorite tag (ie: a package you want to work on)
20:21:52 <malo> Ok, there was a mass rebuild and the new rpm dependency generator broke everything.
20:22:00 <malo> Good summary? ;-P
20:22:05 <pterjan> things are mostly fixed
20:22:28 <pterjan> running an autobuild to see if there are more problems
20:22:39 <AL13N> pterjan: can you sync so we can see?
20:22:45 <malo> pterjan: great!
20:23:01 <ennael> great news indeed
20:23:07 <AL13N> pterjan: tv looks like he could fix the pear stuff, (from ML)
20:23:13 <sander85> AL13N: http://pkgsubmit.mageia.org/autobuild/results.php?run=2014-09-30
20:23:27 <AL13N> but as Luigi12_work pointed out, there should still be a mass rebuild anyway
20:24:18 <pterjan> so far it seems a lot of java packages are now broken but I didn't check why
20:24:18 <malo> #action everyone should watch the current autobuild http://pkgsubmit.mageia.org/autobuild/results.php?run=2014-09-30 and fix problems fast
20:24:21 <sander85> i'd vote for another rebuild too, to make sure it's all cool
20:24:24 <AL13N> (20:14:29) Luigi12_work: malo: half the packages have corrupted cpio archives, don't forget that
20:24:24 <AL13N> (20:14:50) Luigi12_work: malo: and we don't know if rpm will still *generate* correct deps/provides for most of the packages, due to amount of changes to this during the rebuild
20:24:24 <AL13N> (20:15:04) Luigi12_work: we really need to rebuild again to make sure, once things are settled
20:24:47 <Luigi12_work> thank you for reposting that
20:24:53 <AL13N> sorry
20:24:54 <Akien> Maybe we can schedule another rebuild for after the beta1 release?
20:25:01 <Luigi12_work> AL13N: I was serious, thank you
20:25:20 <Luigi12_work> Akien: probably too soon
20:25:23 <pterjan> we can run another faster one when things are fixed
20:25:31 <pterjan> but currently it seems maven is broken
20:25:31 <AL13N> beta1 is supposed to be out today... wouldn't it be better if we looked first to stabilize and delay beta1 for a couple of weeks anyway?
20:25:34 <Luigi12_work> I don't know that we need a hard date on it today
20:25:35 <grenoya> perl packages have been rebuilt, TV intends to do the same for pear. What about Python?
20:25:48 <grenoya> should we do it by hand?
20:25:58 <Luigi12_work> tv rebuilt those too
20:26:01 <pterjan> grenoya: no, I have a list
20:26:06 <Akien> AL13N: We've decided to delay it by two weeks
20:26:07 <ennael> AL13N: beta1 will be out when it's ready
20:26:21 <AL13N> sure, just the wiki was not updated to reflect
20:26:26 <AL13N> but i guess that's normal
20:26:33 <malo> #chair ennael
20:26:33 <Inigo_Montoya`> Current chairs: ennael malo
20:26:41 <grenoya> AL13N: it's been announced yesterday on the blog
20:26:42 <malo> Sorry got to go
20:26:43 <pterjan> anyone is welcome to help on http://pkgsubmit.mageia.org/autobuild/cauldron/x86_64/core/2014-09-30/activemq-protobuf-1.1-8.mga5.src.rpm/build.0.20140930165452.log :)
20:26:47 <AL13N> woops
20:26:58 <pterjan> (I'll try to understand)
20:27:31 <Luigi12_work> great quote about the Bash issue: "The last 20 years were full of happiness, because people didn't know."
20:27:38 <filipesaraiva> AL13N there is a blogpost talking about the delay
20:31:39 <ennael> ok pterjan promised with his blood full rebuild will take about 2 days :)
20:31:46 <pterjan> :P
20:31:49 <AL13N> :-)
20:31:52 <ennael> so it means we can wait 2 more days for this
20:32:06 <ennael> tv is fixing some more stuff at the moment then we will rebuild everything
20:32:17 <ennael> and start working on isos for beta1
20:32:22 <ennael> is that ok?
20:32:22 <pterjan> (what made it slow this time was that I had to stop it each time a bug was discovered, and rebuild some packages many times)
20:32:52 <AL13N> ok
20:32:57 <grenoya> ok :)
20:33:00 <ennael> looks like we have rebuilt all packagers ok :p
20:33:11 <grenoya> :))
20:33:11 <filipesaraiva> nice! =)
20:33:25 <AL13N> it would be nice to rebuild dead packagers into alive ones
20:33:42 <ennael> at least it does not sound too bad in terms of delay
20:33:55 <ennael> then we need to work on fixing broken packages
20:34:10 <ennael> for mageia4 it was done in the very last days of the release
20:34:16 <AL13N> yes
20:34:20 <AL13N> not good
20:34:25 <ennael> which is hardly doable
20:34:37 <ennael> so we need to find a way for this also
20:37:15 <ennael> beer?
20:37:21 <grenoya> o/
20:37:55 <grenoya> new RPM killed packagers! they don't even react to 'beer'...
20:38:20 <Luigi12_work> new RPM did kill rindolf at least I think
20:39:42 <ennael> ok so let's try regular mails about broken packages list
20:40:23 <Luigi12_work> broken in terms of not building?
20:40:31 <ennael> yep sorry
20:40:34 <Luigi12_work> ok
20:40:46 <AL13N> missing deps?
20:41:08 <Luigi12_work> sander already does that one
20:41:18 <ennael> well let's do it a bit harder :)
20:41:59 <Luigi12_work> probably wouldn't hurt to drop the distinction of whether it's marked as maintained in maintdb, since that's meaningless half the time anyway
20:42:16 <ennael> yep I had full list in mind
20:42:26 <ennael> not depending on whether it's maintained or not
20:43:04 <ennael> ok I guess we have lots of things to do in coming days then. Next meetings should focus on this only
20:43:55 <AL13N> Luigi12_work: btw: you should try to pester Stormi in making a madb tool for listing unfixed sec bugs too
20:46:00 <Akien> AL13N: Well bugzilla does it well, you just have to customise it so that you can access the saved search in one click
20:46:16 <ennael> ok anything else to add before everybody falls asleep ?
20:47:38 <AL13N> Akien: sure, but that way there's a similar table like the QA has, and then QA knows what will be coming soon-ish and keep track if it's fixed for all versions or only cauldron or ...
20:47:40 <ennael> well looks like it's already done :)
20:47:44 <AL13N> yes
20:47:47 <ennael> so thanks for attending this meeting
20:47:55 <ennael> and see you next week
20:48:00 <ennael> #endmeeting