13:58:26 #startmeeting LTS monthly meeting. Agenda, https://pad.riseup.net/p/lts-meeting-agenda 13:58:26 Meeting started Thu Sep 28 13:58:26 2023 UTC. The chair is santiago. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:58:26 Useful Commands: #action #agreed #help #info #idea #link #topic. 13:58:31 just #startmeeting 13:58:40 no? 13:58:52 utkarsh2102, indeed. thanks 13:58:59 o/ 13:59:16 hi everyone! Please say hi if you are here 13:59:19 hey all 13:59:21 hi 13:59:24 hi 13:59:26 hey 13:59:27 hello 13:59:27 hi 13:59:29 hi 13:59:37 hi 13:59:39 (#topic rollcall) 13:59:41 hey! 13:59:50 hey 13:59:51 hi 13:59:59 hi 14:00:07 #topic rollcall 14:00:23 hi 14:00:38 hi again 14:00:43 as you can see, this is my first time hosting an IRC meeting :-) 14:00:56 You're doing great. :) 14:01:09 hi 14:01:12 and thanks I have help from utkarsh2102 14:01:18 Hi again. 14:01:32 Roberto is on VAC, so I am hosting the meeting 14:01:48 hello 14:01:57 we have four items in the agenda, and I think we can start 14:02:16 #topic Reminder: LTS Extra Tasks 14:03:00 the first topic is a about LTS extra tasks. This is actually well described in the agenda, so I invite you to read it. In any case, Roberto wanted to remind there are non-security-update tasks to be done, e.g. those listed in: 14:03:12 https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/ 14:03:32 and that we can spend up to 25% of our time on them 14:04:07 so, please, don't hesitate to look at them, and pick any issue interesting for you 14:04:56 Nice - looks like this has expanded a lot since the last time I looked 14:05:10 it could be useful to make sure to get notifications from https://salsa.debian.org/lts-team/lts-extra-tasks 14:05:46 absolutely! 14:06:09 I personally set my notifications in Watch. Otherwise, you only get notified when you are mentioned/assigned/whatever 14:06:28 any questions or comments regarding those tasks? 14:06:31 some are straightforward and can be implemented straight away, other require more thoughts and coordination and it's then good to get some approval before spending many hours on them 14:06:51 if you are unsure please ask 14:07:06 indeed! 14:07:47 more comments? 14:08:05 no thanks santiago 14:08:13 it seems we can go ahead with next topic 14:08:29 #topic New LTS contributor report guidelines 14:08:55 this is also a topic brought by Roberto, that I acknowledge 14:09:11 one late question. should autopkgtest failures be -update-tasks or -extra-tasks? roberto let me file them in -update-tasks 14:09:53 helmut, I would say -update-tasks too 14:10:27 Same here, as the net result will likely be a package update. 14:10:29 I understand -update-tasks covers tasks related to the packages and their uploads 14:11:00 so it makes sense to file the autopkgtest-related issues there 14:11:12 Now I get the difference. Thank you 14:11:23 great. you are welcome! 14:12:07 #undo 14:12:07 Removing item from minutes: 14:12:12 grrr 14:12:19 #topic Reminder: LTS Extra Tasks 14:12:35 #info autopkgtest-related issues to be filled in -update-tasks 14:12:40 sorry for the noise 14:12:49 #topic New LTS contributor report guidelines 14:13:25 so, the monthly team report is partly made from the individual reports 14:13:44 I am thinking especially to the content of "Evolution of the situation" section, which is a narrative news section 14:14:26 to make the writing of the report easier, it would be great it we all follow those new guidelines, so it will be easier for us (Roberto and/or myself) to identify topics worth mentioning in the news :-) 14:14:51 the goal of the report is to make (reading) sponsors know we are making good use of their money, and the news could give them important insights of our work 14:15:24 thanks santiago for this normative text 14:15:42 I remember tobi's report from last month was useful, and it is a good example 14:16:09 any question? 14:16:27 ack, will look at it 14:16:28 Could you #info tobi's report? :) 14:17:19 #info good sample report from tobi: https://lists.debian.org/debian-lts/2023/09/msg00008.html 14:17:32 thanks buxy 14:17:33 santiago: I think it'll be really useful if you or/and Roberto could go through everyone's report next month (when it's time) and give private feedback to those who still have $things to fix 14:18:35 santiago: yes any kind of feedback would be great 14:18:49 this way it'll be better as they would have direct "actionable" feedback 14:19:01 utkarsh2102, ta, OK, I'll discuss with el_cubano about this 14:19:03 +1 14:19:07 much better than a simple reminder to adhere to the guidelines. 14:19:30 keep in mind that we are ~18 active people currently. so it could take some time to give private feedback 14:19:48 of course, it can be an iterative thing 14:19:49 *nod* 14:19:49 but it is something to be discussed with him 14:19:59 if you look at a report and have immediate feedback, tell them 14:20:06 in any case, I will take care of the report next month 14:20:13 ack 14:20:14 opposite example to not follow: https://lists.debian.org/debian-lts/2023/09/msg00012.html %-) 14:20:21 otherwise, you can review in batches of 6 or 9 or whatever 14:21:21 yeah... it is more difficult of course to go through all the listed packages and CVEs, and see if there is something worth mentioning 14:22:25 I ackowledge writing something more verbose could be a burden for some, but we are needind an essay either :-) 14:22:43 any other question? 14:22:49 or comment 14:24:04 no thanks for the work santiago, please add example of good report to LTS-contributor-report-guidelines.html 14:24:24 #action everybody to look at the contributor report guidelines 14:24:53 #action el_cubano and santiago discuss about giving feedback to individual reports 14:25:47 #action santiago: add a good report sample to LTS-contributor-report-guidelines.html 14:25:54 so let's move forward 14:26:03 So where is this linked exactly? 14:26:33 petn-randall: deblts-team/documentation.git 14:27:45 #info https://freexian.gitlab.io/services/deblts-team/documentation/lts/LTS-contributor-report-guidelines.html (restricted to LTS contributors paid by Freexian) 14:28:33 petn-randall, also, look at the email "New LTS contributor report guidelines" sent by Roberto on Sept 1st 14:29:00 no more questions? 14:29:25 #topic Reminder: please take a look at packages needing an upload since a long time ago 14:29:27 santiago: Ah, I missed that mail. 14:29:51 this is a gentle ping so we take care of "old packages" 14:30:29 there are a set of very old packages, but looking into the details, with the exception of three or four (salt, rails, docker.io), the situation is not catastrophic, actually 14:30:36 could this package could be marked specialy under find-work (special color) 14:30:50 or have a extra score depending of aging ? 14:30:55 how das that reminder interact with find-work? 14:31:11 heh. rouca was faster 14:31:33 adding sqr(aging) to score seems mathematically resonable 14:31:49 or better sqrt(aging)*basescore 14:32:09 yes, better sorting them seems reasonable 14:33:08 there are especially nova, cinder and co, but we those are "remaining packages", and we are not aware of any user using them (./find-work already classify them/sort them at the bottom of the list) 14:33:30 for individual package: docker.io is hard (santiago could comment here) 14:33:35 but, in any case, special attention is _really_ needed for salt, rails and docker.io 14:34:05 yeah, for docker.io, rouca and I have been working/testing, but it has taking quite some time. I hope to resume my part of the work next week. 14:34:11 I think we had a task for reworking package priority, maybe https://gitlab.com/freexian/services/deblts-team/debian-lts/-/issues/25 14:34:41 for salt it will need a backport and moreover salt is not in stable/testing/unstable 14:34:42 I can do the changes in find-work, maybe with a discussion and testing various score calculation methods 14:35:19 Adding a color for age > 21 is trivial, I could do it after the meeting. 14:35:40 (since we now have the age readily available in the reworked find-work :)) 14:35:45 Beuc, thanks 14:36:01 beuc: use a configurable exponent in ageinday^exponent*basescore 14:36:12 fwiw, I'll take care of rails 14:36:25 within next two weeks 14:36:36 there is some drama involved with that, I just want to get it right 14:37:05 if not within two weeks, at least, I'll add a solid note with the progress, et al 14:37:07 can we discuss the specifics of the find-work algorithm elsewhere? 14:37:09 I do wonder however if that (better output from ./find-work) is enough. But I am not sure of having a better plan for the moment 14:37:33 https://gitlab.com/freexian/services/deblts-team/debian-lts/-/issues/33 is somewhat related to find-work (it's about its replacement) 14:38:22 utkarsh2102, thanks for taking care of rails! 14:38:35 buxy, noted 14:39:21 any volunteer to handle salt? :-) 14:40:09 rouca, small correction, salt is in unstable, but not in bookworm and testing 14:40:14 I can take a look next weeek 14:40:23 rouca, awesome, thank you! 14:40:56 I'd rather not take difficult packages for a change. :) 14:41:18 #action Beuc (et al) to improve ./find-work. (please take a look at https://gitlab.com/freexian/services/deblts-team/debian-lts/-/issues/33 ) 14:41:30 I have some leads on salt, I'll send a mail on private list about that shortly 14:41:39 (not today though) 14:41:44 #action utkarsh2102 to take care of rails 14:42:13 #action rouca will handle salt next week 14:42:22 #action santiago will resume docker.io work next week 14:42:29 anything else? 14:43:12 so let's move forward 14:43:27 #topic imagemagick: Handle it with a partial upload? 14:44:00 Actually this topic should be: "upload partial DLAs for particular packages" 14:44:01 go ahead with partial upload 14:44:14 i am still waiting for cve number from redhat 14:44:18 about rmagick 14:44:19 rouca, yeah, but we need to agree with it :-) 14:44:54 just in case, there is no need to wait for a CVE id to upload 14:45:01 right! 14:45:03 indeed 14:45:12 What is the context here? 14:45:28 yeah I'm not sure I understand the question 14:45:49 we do partial uploads if there's a specific case. it's not very ideal but it's not bad, too. I am assuming "partial case" is where you have a bunch of CVEs and you'd like to fix in two (or more) batches? 14:45:53 I added this topic to the agenda since Roberto mentioned that anywhere during the year, imagemagick seems to have more than a dozen open CVEs 14:46:08 s/partial case/partial upload/ 14:46:14 utkarsh2102, exactly 14:46:39 it is difficult to wait to solve all the open CVEs 14:47:12 and it is more difficult too to handle possible regressions 14:47:17 right on 14:47:18 Like, what's the context here? I'd read "partial upload" as an incomplete file upload. Are we only fixing some of the CVEs? Is it an incomplete fix? 14:47:34 petn-randall: what i mentioned above^^ 14:47:38 petn-randall, sorry if its not clear enough 14:48:02 for imagemagick it means do CVE by batch 14:48:04 santiago: in that case, we're okay in doing the upload in two (or more, but try to keep it to two) batches 14:48:11 I mean uploads that solve part of all the open CVEs 14:48:28 Ah, so we're just fixing some of the open CVEs with the upload, with some remaining open. Yeah, I'd do that. That's what I did with samba, too. 14:49:26 Especially regarding potential uncaught regressions I'd do it in smaller batches, as it makes debugging easier. 14:49:27 OK. maybe I am wrong, but I remember the policy was to cover all the open CVEs 14:49:49 it wasn't really a policy 14:49:51 so do we need to document this maybe? 14:49:57 if it were, then we had this as an exception 14:50:10 that it's okay to do it in batches where things don't fit in in a single upload 14:50:24 +1 on having this documented 14:50:38 utkarsh2102, are you volunteering for that? :-) 14:51:09 I have some things on my plate but if no one does it by next week or so, I'll do that 14:51:28 ok, thank you! 14:52:09 #action utkarsh2102 or santiago to document how to handle uploads that fix CVEs by batches 14:52:27 more comments or questions? 14:53:13 ok. so it seems we are done 14:53:33 JIT 14:53:38 (just in time) :) 14:53:43 Thank you Santiago! 14:53:56 thanks. :) 14:53:57 thank you everyone! 14:54:00 thank you, santiago \o 14:54:08 thanks! o/ 14:54:12 thanks 14:54:24 thanks! o/ 14:54:30 thx! 14:54:51 Next meeting: October 26th 14:00UTC 14:55:14 #info Next meeting: October 26th 14:00UTC on Jitsi 14:55:30 see you, and have a good afternoon/evening 14:55:37 #endmeeting