20:01:53 <waldi> #startmeeting
20:01:53 <MeetBot> Meeting started Fri Oct 12 20:01:53 2018 UTC.  The chair is waldi. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:01:53 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
20:01:57 <waldi> if noone else wants
20:02:00 <waldi> #chair ta
20:02:00 <MeetBot> Current chairs: ta waldi
20:02:04 <waldi> #chair ansgar
20:02:04 <MeetBot> Current chairs: ansgar ta waldi
20:02:46 <waldi> #topic Check action items from last meeting
20:03:18 <waldi> no action items on last months meeting
20:03:48 <ta> so done
20:04:08 <waldi> i'm reordering the entries, as i have to go shortly
20:04:20 <waldi> #topic Status of secure boot signing
20:04:29 <ansgar> See https://lists.debian.org/debian-efi/2018/10/msg00000.html
20:04:32 <waldi> ansgar: sorry about pestering you. i think Sledge talked to you?
20:05:04 <waldi> #link https://lists.debian.org/debian-efi/2018/10/msg00000.html
20:05:06 <waldi> ansgar: thanks
20:05:26 <ansgar> I would like to have either recording which key an upload trusts (bwh's suggestion) or the Ubuntu patch to not have trusted keys in the kernel, but just use the one UEFI/shim tursts before we start using the production keys.
20:06:02 <ansgar> On the plus side, I have enabled secure boot with Debian's kernel on a laptop and it works :)
20:06:27 <waldi> okay. i intend to do some tests as well after the hands-on session with the intel guys yesterday
20:06:53 <ansgar> (Ubuntu has a kernel patch for the latter)
20:07:21 <waldi> okay. do you know where or do i have to search for it?
20:07:40 <ansgar> In the diff.gz, load_uefi.c or load_efi.c or so.
20:08:04 <waldi> okay, thx
20:08:21 <ansgar> Plus the sig verification function needs to be called with slightly different parameters AFAIU.
20:09:12 <waldi> #topic How much do we care about copyright holders in d/copyright
20:09:35 <ta> I think this text is ok
20:09:36 <waldi> ScottK would like to have the text for this finished
20:11:19 <waldi> okay. who wants to send it?
20:11:24 <ansgar> I think it should say "documenting copyright *holders*" in the first sentence of (4) or so.
20:11:44 <ansgar> Just copyright might be confusing (does it mean license or copyright holders?)
20:12:18 <ta> it means both
20:13:16 <waldi> yes, i think aw well that it should be explicit as we only want to change the listing of holders, not the licenses
20:13:49 <waldi> i'm sorry, but i have to go
20:13:57 <waldi> see you tomorrow
20:14:56 <ta> hmm, ok, with the rest of the paragraph, its about the holders
20:16:12 <ta> so shall scottk send the email?
20:16:40 <ansgar> Fine with me.
20:17:26 <ta> #action scottk shall send email about copyright holders
20:18:26 <ta> #topic Sources for architectures on ports
20:19:28 <ta> hmm, what does that mean?
20:19:49 <ansgar> It is about source packages that don't built anything for the main archive, but only for ports.d.o.
20:20:23 <ansgar> These get tagged as cruft and one port maintainer was unhappy when something disappeared.
20:21:13 <ta> ah, I remember, shall we change the tagging as cruft?
20:21:18 <ansgar> I'm not very enthusiastic to change that; I would like to see more cruft removal from unstable in the future (e.g. packages that haven't been installable for a long time in unstable/exp)
20:22:22 <ansgar> Which will probably conflict with having sources w/o any binary or uninstallable arch:all packages (which are only installable on a port)
20:23:55 <ta> #agreed at the moment don't change the tagging as cruft
20:24:52 <ta> #topic Unsupportable software for stable
20:25:19 <ansgar> What is this one about?
20:26:44 <ta> I think this is about software in stable that gets no security fixes or other updates anymore
20:27:22 <ta> but isn't that a matter of the release team?
20:27:25 <ansgar> That sounds more like a release team thing?
20:27:42 <ansgar> Maybe we should wait for the next meeting so waldi can explain.
20:27:46 <ta> it was waldis topic ...
20:27:48 <ta> ok
20:28:03 <ta> #topic CUPS license change (GPL -> Apache)
20:29:33 <ansgar> CUPS switches to Apache-2 which is incompatible with GPL-2 or so.
20:29:41 <ansgar> So CUPS is the new OpenSSL ;-)
20:29:59 <ta> yes, and 2.3 is already in experimental ...
20:30:58 <ansgar> I wonder if any other distribution saw this as a problem?  Given most don't see a problem with GPL-2 and OpenSSL either...
20:31:22 <ansgar> (and Fedora still wasn't sued; nor was Canonical for merging ZFS into their Linux kernel package)
20:31:55 <ta> #link https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2L2FK52XUKXHVK23AOPMCTOW3PQCTL5Z/
20:32:39 <ta> do you know how many packages are affected?
20:32:51 <ansgar> No idea.
20:33:18 <ansgar> We also just count some forms of "linking" for some reason too...
20:34:11 <ansgar> dlopen() (or "import openssl") is somehow different from ld ;-)
20:35:02 <ta> "CUPS is fairly ubiquitous and easily falls under the "OS-supplied library" exception in the GPL 2." (from that thread above, citing someone from apple)
20:35:09 <ta> so only static linking is a problem
20:35:57 <ta> ok, I will look for affected packages until next meeting ...
20:36:04 <ansgar> Yes, but if we would say the exception applies to CUPS, it would probably apply to OpenSSL too.
20:36:23 <ta> yes, like everybody else :-)
20:36:25 <ansgar> (Which would arguably make life easier... And Fedora wasn't sued into oblivion.)
20:36:40 <Mithrandir> Debian has traditionally not applied the system library exception to any libraries, and I'm not sure if it's fine to apply it between system libraries either.
20:36:51 <Mithrandir> (at the risk of reopening that debate. :-) )
20:38:29 <ansgar> Yes, that's basically a question the CUPS license change brings back :)
20:39:37 <ta> but than we must remove some packages
20:40:24 <ansgar> Yes, Python scripts using OpenSSL (indirectly) that are licensed under GPL-2-only ;)
20:41:05 <ansgar> Or ones using CUPS.
20:41:54 <ta> Mithrandir: do you have a link to a previous discussion at hand?
20:42:07 <Mithrandir> ta: I do not
20:44:02 <ta> ansgar: did we ask a lawyer about this in the past?
20:44:32 <ansgar> Don't know. That was too long ago for me :)
20:45:15 <ta> so maybe we should do this again/now?
20:46:25 <ansgar> Maybe.  I would like to ask Joerg about historic things first.
20:47:06 <ta> ok
20:47:27 <ansgar> Though first I still need to find a new appartment...
20:48:13 <ta> #action talk to ganneff about openssl history (related to CUPS license change)
20:48:33 <ta> #topic OpenSSL
20:48:47 <ta> I have no idea why this is on the agenda
20:49:10 <ansgar> Ah, because it is the same as CUPS.
20:49:44 <ta> ok, then we are finished with that
20:50:02 <ta> #topic Any other business
20:50:43 <ta> anybody?
20:51:17 <ansgar> Nothing really.  There is a plan to publish the debug archive for the security archive now.
20:52:09 <ta> yes, that would be nice
20:53:39 <ta> so we are finished for today, thanks to everybody :-)
20:53:43 <ta> #endmeeting