14:59:36 <h01ger> #startmeeting
14:59:36 <MeetBot> Meeting started Thu Nov 26 14:59:36 2020 UTC.  The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:59:36 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:59:58 <h01ger> #topic 1. Say hi / review & amend agenda as needed - https://pad.riseup.net/p/lts-meeting-agenda
15:00:01 * utkarsh2102 waves o/
15:00:06 <Beuc> o/
15:00:06 * h01ger = Holger Levsen, hi
15:00:06 <ta> hi everybody
15:00:07 <apo> hello
15:00:13 <bhe[m]> Hi
15:00:26 * h01ger just added lts-do/not-call me to the agenda. i guess it will be a 2min topic
15:00:34 <lamby> export TZ=UTC; echo Good afternoon
15:00:45 <h01ger> :)
15:00:49 <utkarsh2102> ooh :)
15:01:50 * h01ger gives people 60 more seconds to show :)
15:02:59 <h01ger> #topic 2. frontdesk handling
15:03:46 * h01ger liked the mail thread. even though it started a bit heated, it then calmed down and became very productive
15:04:29 <h01ger> apo: especially your summary mail. i guess some bits of it are not documented (?) if so it would be good to add them to the existing docs
15:05:07 <h01ger> (btw, el_cubano remarked that he might miss todays meeting because of a local holiday)
15:05:22 <apo> yes, I can them to the docs. I just wanted to wait for the meeting if there is more feedback. I will post another draft before making it official
15:05:29 <apo> add
15:05:48 <apo> yes, today is Thanksgiving in the US
15:06:48 <h01ger> apo: cool. i wouldnt be surprised if someone only speaks up when the diff becomes visible in git (or half a year later), but this also means there's no use to wait for further feedback to the mail thread ;)
15:07:07 <utkarsh2102> I do have something to say though
15:07:19 <h01ger> go
15:07:25 <apo> please speak up
15:07:26 <utkarsh2102> I don't htink the frontdesk should add all vulnerable packages to dla-needed.
15:07:56 <utkarsh2102> I man, when the frontdesk is triaging, if it's a clear no-dsa or ignored or postponed, they should do that
15:07:59 <h01ger> #action apo wil document/updates the current best practices for frontdesk handling per ml thread
15:08:31 <utkarsh2102> otoh, if the other person feels that it is something that warrants a DLA instead, then just drop an email (public or private) and proceed with that.
15:08:48 <apo> I have outlined some guidelines but there is no hard rule. I just believe we should fix most CVE anyway and not just postpone them indefinitely
15:09:11 <utkarsh2102> of course
15:09:35 <utkarsh2102> but I feel the frontdesk could do the initial triaging, instead of adding everything to dla-needed
15:10:07 <h01ger> is that related to "lts frontdesk should not run ahead of triaging than the security team"?
15:10:08 <apo> there are some obvious CVE that can be ignored, devision by zero CVE for example but if front desk is in doubt about the severity, please add the package to dla-needed.txt with a note and another contributor should double-check it
15:10:29 <utkarsh2102> for eg: if X marked ruby2.1 as no-dsa but me, being the part of the team and/or the maintainer feels that it is something needs a DLA, then I'd just drop an email and add it to dla-needed.
15:10:45 <ta> utkarsh2102: FD shall add a package to dla-needed if its CVEs are no-dsa and just send an email if a DLA is needed?
15:10:51 <utkarsh2102> normally, we do not see a lot of such cases where the FD's opinion and the contributor's opinion differs
15:11:35 <utkarsh2102> h01ger: no, not at all, it's not related.
15:11:43 <h01ger> utkarsh2102: but thats just 'maintainers opinion trumps anyone except tech-ctte'?
15:12:09 <utkarsh2102> let me quote the part from the email, brb
15:12:41 <Beuc> (division by zero resulting a daemon crash is not be ignored, btw)
15:13:03 <utkarsh2102> "No matter how front desk thinks about the vulnerability, add it to dla-needed.txt with a NOTE (optional) and document your assessment."
15:13:05 <apo> if you are the maintainer of ruby2.1, then in the ideal case FD has contacted you already by sending a bug report, you could react to it and say that you want to fix the package. If FD didn't send a bug report and you want to fix a package, then you can send an email to frontdesk to avoid any confusion. However that was my point in the first place, let's don't triage too many CVE as no-dsa and use
15:13:09 <utkarsh2102> this is what I am reffering to.
15:13:11 <apo> dla-needed.txt for feedback instead of sending emails to each other
15:14:08 <utkarsh2102> well fair enough, but not everything's worthy of going to dla-needed is what I am saying
15:14:24 * h01ger wonders if we can move on for now, let apo commit his improvements, which utkarsh2102 then can review and if he's unhappy we can continue discussion?
15:14:34 <utkarsh2102> of course
15:14:42 <utkarsh2102> there's not a lot of disagreement, really
15:14:49 <apo> yeah, let's do it this way
15:14:57 <h01ger> well, if we can resolve/clarify things now in 2min, that would also work :)
15:15:06 <h01ger> but, seems we move on :)
15:15:31 <h01ger> #topic 3. lts-do-call-me and lts-dont-call-me handling
15:15:34 <utkarsh2102> I tend to be a +1/+0 on most of it, but just some small parts that I might be a -1.
15:15:45 <utkarsh2102> but it's just me, I'll be happy to move on, of course! \o/
15:15:52 <h01ger> this just came up on irc yesterday and several people couldnt find them
15:15:55 <utkarsh2102> s/it's/if it's/
15:15:59 <h01ger> so i just thought to mention
15:16:33 <h01ger> #info lts-do-call-me and lts-dont-call-me life at https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/master/data/packages
15:16:46 <h01ger> not sure there's much more to say
15:16:51 <pochu> btw I wanted to mention (though I am late) that the security team no longer has assigned people to front desk, and they seem to cope well, with a little coordination and shared responsibilities
15:17:10 <h01ger> pochu: interesting
15:17:29 <h01ger> #info for last topic:  < pochu> btw I wanted to mention (though I am late) that the security team no longer has assigned people to front desk, and they seem to cope well, with a little coordination and shared responsibilities
15:17:38 <h01ger> anything else about our do and dont call lists?
15:18:13 <ta> using lts-do-call-me is fine
15:18:30 <lamby> wfm
15:18:39 <utkarsh2102> me too, indeed
15:19:41 <h01ger> #info this is documented in https://wiki.debian.org/LTS/Development#Contact_the_maintainer
15:19:47 <h01ger> so next topic then
15:20:10 <h01ger> #topic 4. project funding / finding projects
15:20:41 <h01ger> buxy said he couldnt join this meeting but wrote this in the agenda: "No opposition to the idea of project funding after the debian-project mail, but also nobody proposed any project. We should try to find ideas of projects that would help LTS and gather feedback from the corresponding team to see what they think of it.
15:20:43 <h01ger> https://lists.debian.org/debian-project/2020/11/msg00002.html (buxy)"
15:21:01 <h01ger> #save
15:21:58 * h01ger agrees with the idea but has no capacity to dive into this
15:23:10 <apo> I can think of three projects that may help LTS and Debian in general. 1. Making progress on the "bikeshed" project (PPAs), 2. Improve our testing capabilities, 3. Create something like lts-proposed-updates (2+3 could be combined)
15:23:33 <utkarsh2102> I've got another in mind
15:23:47 <utkarsh2102> ta: hey, would you or FTP team would be interested in handling #823820?
15:23:58 <utkarsh2102> we keep hitting these and it's only going to get frequent
15:24:14 <h01ger> utkarsh2102: what do you mean with 'handling'?
15:24:23 <utkarsh2102> I mean, here might not be the right place to ask the FTP team but just asking you in case you're interested or something?
15:25:24 <utkarsh2102> h01ger: s/handling/taking care of as a funded project/g
15:25:29 <ta> utkarsh2102: ansgar wants to better sync all packages
15:25:40 <utkarsh2102> that'd be great, really!
15:25:41 <pochu> utkarsh2102: I talked to ansgar a while ago about that, and I think he had a solution thought for it (for another issue though, but the solution would also benefit this case)
15:26:29 <utkarsh2102> aye, aye
15:26:31 <utkarsh2102> great then
15:26:34 <h01ger> this is the only remaining real topic so we have some more minutes to discuss
15:27:04 <apo> I have another one
15:27:07 <h01ger> funded project definitly is something where someone can do more hours if they dont find enough work with fixing packages
15:28:05 <Beuc> In this regard, can you clarify how the 'Projects' line is handled in ELTS?
15:28:41 <Beuc> I noticed it the other day and couldn't figure out how it was provisionned, nor how it was meant to be used.
15:28:51 <h01ger> ?
15:30:21 <h01ger> (i dont really know/understand what you mean with that nor how/if its handled in LTS and so on)
15:30:35 <Beuc> extended-lts$ grep Projects:Available timekeeping.ledger
15:30:38 <pochu> I think they are provisioned by 10% of the hours assigned each month, and they can be applied for by following the instructions in https://salsa.debian.org/freexian-team/project-funding
15:31:15 <Beuc> probably a separate topic
15:31:49 <utkarsh2102> oh yeah, do we really take 10% off from elts hours as well?
15:31:59 <utkarsh2102> for the same funding projects?
15:32:23 <pochu> afaik yes
15:32:37 <utkarsh2102> ah, okay
15:32:40 <h01ger> Beuc: thanks. both (in LTS and ELTS) are for funding projects like the ones in the topic
15:32:45 <Beuc> doesn't look like 10% and older
15:33:26 <h01ger> probably the unused hours are not accumulating (on purpose)
15:34:33 <h01ger> currently this question is a bit mood/off because hardly any of these hours are requested :)
15:36:00 <h01ger> so i guess we have no great ideas/plans on projects to fund and can move on the the last topics
15:36:05 <h01ger> ?
15:36:38 <utkarsh2102> hey, should we kind of have a limit on where to stop saving the hours/money for funding projects?
15:36:53 <lamby> Nothing to add to this topic here, although utkarsh2102's question is interesting
15:36:57 <utkarsh2102> I mean, we have around 180+ hours of funding for projects.
15:37:02 <utkarsh2102> but no projects to do, really
15:37:03 <h01ger> i dont think we are saving
15:37:10 <utkarsh2102> apo had a few in mind
15:37:11 <h01ger> grep Projects:Available timekeeping.ledger
15:37:18 <pochu> h01ger: there's been a few ideas floated around, but I think they need to be written down and sent to salsa
15:37:20 <h01ger> looks like we are not saving
15:37:35 <h01ger> pochu: ack
15:37:49 <utkarsh2102> h01ger: I mean, that we do have a bunch of hours already and keep adding 10% each month
15:38:04 <utkarsh2102> but since they're not being used, atm, should we probably dispatch them?
15:38:25 <h01ger> again: AIUI this is happening
15:38:48 <utkarsh2102> like, let's say, the limit is 200. so once we have 200 hours for funding projects, should we start dispatching them for general LTS work
15:38:51 <utkarsh2102> oh, is it?
15:38:57 <pochu> no, it's not :p
15:38:58 <utkarsh2102> I didn't know that.
15:39:02 <h01ger> they are dispatched to projects available and then they are not used, so dispatched again and again
15:39:08 <h01ger> ok, good
15:39:13 <h01ger> so next topic then :)
15:39:16 <pochu> h01ger: they aren't dispatched to anything?
15:39:30 <h01ger> they are dispatched within the month
15:39:39 <h01ger> (as i read the ledger...!)
15:39:40 <pochu> I think you're confusing Available with Projects:Available
15:39:49 <utkarsh2102> yes, that's what I think as well
15:39:58 <utkarsh2102> because we take away 10% every month
15:40:10 <h01ger> but we are not taking them anywhere the next month
15:40:35 <pochu> Available is being dispatched. Projects:Available is not, and it's growing indefinitely because no projects are being funded yet (because nobody has proposed a project yet, and because we've been reserving time for a long time, and project funding was only announced / approved recently)
15:41:05 <h01ger> lts now has 27.0419h in Projects available, free to be taken. if they are taken fine, if they are not taken, they will be redispacthed again, probably to Projects:Available
15:41:48 <h01ger> Projects:Available is not growing (except by bits of hours over months)
15:42:11 <pochu> sorry, I don't know where those 27h come from
15:42:31 <h01ger> anyhow, i feel this is leading nowhere now for most people so lets move on (happy to continue discussion after the meeting or via mail or whatever)
15:42:34 <pochu> there's way more assigned to Projects:Available in LTS
15:42:58 <h01ger> #topic next meeting
15:42:59 <pochu> but this is probably a question for buxy, so utkarsh2102, you may want to bring it up in the list
15:43:05 <h01ger> yes
15:43:11 <h01ger> #topic 5. next meeting
15:43:12 <utkarsh2102> indeed, will do this weekend.
15:43:27 <h01ger> #info there will be no team meeting in december 2020
15:43:44 <apo> I have another topic, mom
15:43:54 <h01ger> #info the next lts team meeting is on Thursday, January 28th 2021, at 15 UTC on #debian-lts on irc.debian.org
15:43:57 <utkarsh2102> that cound come in AOB^
15:44:03 <h01ger> apo: what utkarsh2102 said
15:44:19 <apo> I have sent an email on Monday to our mailing list. "Fixing CVE in LTS and stable"
15:44:25 <h01ger> apo: please wait
15:44:37 <h01ger> in january we can also discuss what video meeting solution we want to use in february
15:44:54 <h01ger> #info in january we can also discuss what video meeting solution we want to use in february (and if we want video again)
15:44:59 <h01ger> #topic 6. any other business
15:45:05 <h01ger> apo: the stage is yours :)
15:45:17 <apo> I have sent an email on Monday to our mailing list. "Fixing CVE in LTS and stable"
15:45:41 <utkarsh2102> whilst I do not do it all the time, I think it's definitely a good point. +1 to apo's mail :)
15:45:50 <apo> Do we agree that we should prepare DSA or point updates as well if the diff between LTS and stable is trivial ?
15:45:51 <h01ger> apo: our list is the public or private lts list?
15:46:00 <apo> the private list
15:46:16 <ta> apo: +1
15:46:32 <h01ger> apo: thanks i just found the mail
15:46:51 * h01ger agrees with the content of the mail but thinks it should have been sent to the public list :)
15:47:24 <Beuc> Does the security team & the maintainers actually wants this?
15:47:35 <Beuc> I had various success doing so.
15:47:48 <utkarsh2102> Beuc: at least we can help with the point release updates
15:47:58 <utkarsh2102> they're always looking for help
15:48:09 <utkarsh2102> bin/lts-needs-forward-port.py lists a bunch of those which could need help
15:48:19 <apo> I can't imagine why the security team or the release team don't want bug fixes, but it is sensible to contact the maintainer to avoid any collisions or double work
15:48:25 <Beuc> Sometimes sec team just redoes everything without crediting and doesn't answer on how we can improve.
15:48:33 * h01ger still prefers if issues are fixed in sid and stable first, before fixing them in older releases (because sid and stable have more users)
15:48:35 <utkarsh2102> and most of the CVEs have bugs opened against them, maybe sending a debdiff or asking first on the BTS would help
15:48:48 <ta> preparing a DSA does no hurt and the sec team decide whether to do the upload
15:49:01 <apo> right
15:49:13 <utkarsh2102> yeah, though asking prior to do that would save a bit of time and effort :)
15:49:26 <h01ger> is this again something of documentation to be improved somewhere?
15:49:46 <utkarsh2102> Beuc: i understand that sentiment wrt rails update but well, as I said, we can definitely help with point updates
15:49:49 <apo> could be something for LTS/Development
15:50:22 <utkarsh2102> this can, though, be discussed once more publicly with security team explicitly CCed, so they can put in their opinions
15:50:32 <utkarsh2102> that'd be helpful I think, to some extent, at least
15:51:05 <h01ger> utkarsh2102: can you kick that off? :)
15:51:31 <utkarsh2102> h01ger: by all means, if apo doesn't have a problem
15:51:50 <utkarsh2102> (since I'll be using most of his words probably)
15:51:54 <apo> no, not at all, then I concentrate on finishing the front desk guidelines
15:51:56 <utkarsh2102> (with credits :))
15:52:10 <utkarsh2102> alrighty, will do this weekend then
15:52:22 <apo> we already have some guidelines btw here https://wiki.debian.org/LTS/Development#Guidelines_for_CVE_triaging
15:52:46 <apo> needs some clarification after I have finished the draft
15:53:12 <utkarsh2102> \o/
15:53:34 <h01ger> #action utkarsh2102 and apo will document "Fixing the same CVE in LTS and stable" as per our internal list
15:53:44 <h01ger> any *other* business? :)
15:54:36 <utkarsh2102> wait, just to be on  the same page, I'll initally send the private mail to public list (with security team CCed) + some other basic things to initate the discussion
15:54:45 <utkarsh2102> and then we could document the conclusion
15:54:48 <lamby> I created a new frontdesk file for 2021 by the way. (for both LTS and ELTS)
15:55:10 <utkarsh2102> and surprisngly, all the slots are, more or less, taken :P
15:55:22 <utkarsh2102> but lamby: thanks for doing that! \o/
15:55:50 <pochu> yeah, I wanted to send an email about that. if we're to keep FD, then others may want to jump in the train and we could evenly dispatch them if that's the case
15:56:02 <h01ger> lamby: cool
15:56:11 <h01ger> utkarsh2102: your page sounds good
15:56:16 <lamby> I think I managed to not do LTS/ELTS around my birthday this year..
15:56:24 <h01ger> lamby: *g*
15:56:53 <utkarsh2102> OT: when's that? :)
15:57:13 <h01ger> so
15:57:23 <h01ger> lets wrap up the meeting
15:57:38 <h01ger> thank you all for attending and especially those with action items now! :)
15:57:49 <pochu> o/
15:57:54 <utkarsh2102> o/
15:57:59 <ta> o/
15:58:02 <lamby> o/
15:58:15 <Beuc> o/
15:58:20 <apo> ciao ciao
15:58:23 <h01ger> \o
15:58:30 <h01ger> #endmeeting