#debian-release log

18:59:41 <nthykier> #startmeeting
18:59:41 <MeetBot> Meeting started Wed Jan 27 18:59:41 2016 UTC.  The chair is nthykier. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:59:41 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
18:59:48 <nthykier> #addchair jmw
18:59:49 <jmw> indeed
18:59:54 <nthykier> #addchair KiBi
18:59:57 <nthykier> #addchair KiBiadsb
19:00:03 <nthykier> #addchair adsb
19:00:10 <nthykier> #addchair jcristau
19:00:11 <jmw> right let's rattle through the formalities:
19:00:14 <jmw> #topic Apologies
19:00:23 <jmw> I'm aware of at least pochu who will not make it, are there any others?
19:00:37 <nthykier> adsb: wasn't sure
19:00:48 <nthykier> sorry - adsb said he was not sure
19:00:54 <jmw> yes, he might catch us up
19:01:07 <nthykier> mehdi: ping?
19:01:47 <jmw> I should state delayed apologies for myself for last time (I did mail team), and also thanks for taking care of it that time
19:01:56 <jmw> s/and/but/
19:02:08 <nthykier> :)
19:02:17 <jmw> nthykier: looks like it might just be you and I then...
19:02:30 <jmw> oh well
19:02:45 <jmw> #topic Transitions
19:03:00 <jmw> as usual, pochu does a fabulous job managing transitions
19:03:19 <jmw> there is quite a lot of unannounced ones though, which are usually quite small but sometimes get tangled
19:03:26 <jmw> is that a problem we should deal with or is the status quo ok for now?
19:03:56 <nthykier> I have not heard of any considerable problems, so I presume it is ok for now
19:04:06 <nthykier> (though I have not looked at it)
19:04:18 <jmw> I have had a vague eye open, and it seems not to be too bad
19:04:30 <jmw> getting maintainers to move the transition on is sometimes more of an issue
19:04:55 <jmw> #info maintainer-led transitions seem to be working ok for the time being
19:05:08 <jmw> maybe we should remind library maintainers of their responsibilities in some bits?
19:05:22 <nthykier> That might be good :)
19:05:23 <jmw> I know how you love bits :)
19:05:38 <jmw> #agreed remind library maintainers of their responsibilities in next bits
19:06:10 <jmw> #topic g++5 progress
19:06:15 <jmw> aha this one has been brewing a while
19:06:40 <jmw> so this kindof ground to a halt at 47%, although I don't know how reliable that figure is for actual progress
19:06:54 <nthykier> it is useless
19:06:59 <jmw> right, that was easy then :)
19:06:59 <nthykier> (the figure)
19:07:27 <jmw> can you give an idea of where we really stand?
19:07:58 <nthykier> I suspect we have basically lost track of it because we did not handle progress loging correctly from the beginning
19:09:42 <jmw> #info the 47% completion label on the transition tracker is actually not very much use
19:09:44 <jcristau> rather because there's no way to handle progress logging
19:09:49 <nthykier> We should probably just get the last known items fixed (https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-gcc@lists.debian.org;tag=libstdc%2b%2b-cxx11) and then close it at that
19:09:50 <jmw> ohai o/
19:10:31 <nthykier> There is - but it was manual and probably not structured well enough.
19:10:41 <jmw> that does look like a much more manageable list
19:11:04 <nthykier> I have an idea for "next time" (although I prefer there was no "next time" for this)
19:11:14 <jcristau> it might have been manageable if libstdc++6 shlibs had been bumped
19:11:18 <KiBi> (don't we have an upcoming gcc6? ;))
19:11:42 <jcristau> but it wasn't, so it isn't
19:12:54 <jmw> well, that list of bugs is something we can make some progress on probably, which is better than doing nothing
19:13:02 <jmw> pochu did ping some or all of them in october
19:13:40 <jcristau> the rc ones shouldn't affect testing anymore, hopefully?
19:13:43 <jmw> are nmus feasible? istr it was difficult to have confidence in uploads
19:13:48 <jcristau> so they can rot
19:13:59 <jmw> true
19:14:12 <jmw> maybe we should end the transition here then
19:14:30 <jmw> presumably there's been plenty of time for people to find breakage...
19:14:51 <nthykier> wfm
19:14:56 <jcristau> well, doko wanted the whole archive rebuilt with gcc5, transition or no
19:15:12 <jcristau> but that's not tractable, so i'd rather not have that on my plate
19:15:25 <jmw> #info rc bugs should no longer affect testing, so we will leave those out of the equation now
19:16:27 <jmw> I can't say I'm wild about rebuilding the whole archive
19:17:09 <nthykier> even then, you would probably need gcc-4.8 and gcc-4.9 removed first to ensure everything was built with gcc-5
19:18:05 <jcristau> jmw: libstdc++ rdeps rather than the whole archive, and most have probably already been rebuilt
19:18:12 <jmw> ack
19:18:27 <jmw> can we get away with just letting that one lie as well?
19:18:46 <jmw> you did say "whole archive" as well :P
19:18:56 <nthykier> wfm as well
19:19:30 <jcristau> should be possible with some projectb query to find the list of source packages that build a deb depending on libstdc++, figure out when it was last built and binNMU if it's before $cutoff
19:19:34 <jcristau> but, meh.
19:19:40 <jcristau> somebody who cares can do that
19:20:05 <jmw> I don't really mind either way, but as you say none of us particularly wants to do it, so
19:20:18 <jmw> #info rebuilding the archive is not very practical
19:20:37 <jmw> #info it's been long enough that any serious breakage should have become apparent by now
19:20:40 <jcristau> the little spare time i have is already not being spent on helping adsb manage the p-u requests queue, and i care more about that :(
19:21:14 <jmw> #agreed unless problems are found at this stage, we consider the g++5 transition over
19:21:22 <nthykier> Ack
19:21:24 <jmw> anything else to be said on this topic?
19:21:38 <nthykier> Not from me
19:21:59 <jmw> #topic MySQL variants in Stretch
19:22:21 <jmw> I assume we have representation from robie or otto and maybe others? I forget nicks, sorry
19:22:32 <ryeng> _o/
19:22:37 <nthykier> rbasak: otto_: ltangvald:
19:22:42 <ltangvald> Yup
19:22:51 <ltangvald> Though I probably won't say much
19:23:20 <jmw> for the record, I should apologise for having dropped the ball so badly on this in september; there are reasons, but I haven't shared them publicly
19:24:29 <nthykier> ok
19:24:43 <jmw> just trying to work out where to begin on this :)
19:25:08 <jmw> how did the recent DSAs go from the maintainers perspectives?
19:25:19 <rbasak> Thanks jmw. I appreciate that everyone involved has other things to do too, and I thank you all for the time that you have been able to commit.
19:25:27 <jmw> there were one each I think?
19:25:59 <rbasak> The security uploads are all done, as of a few hours ago. There were a few technical hiccups, so I think we have some points we can improve on for next time.
19:26:07 <otto_> o/
19:26:33 <rbasak> It's a little painful as the primary maintainers (of both MySQL and MariaDB) are not DDs, but hopefully that can be fixed in time.
19:27:26 <rbasak> (it's also painful because the builds take so long and don't work in parallel; that's better in testing already)
19:27:27 <jmw> there should be at least one DD very soon, so that will hopefully make things easier
19:27:40 <otto_> jmw: you are one of the DAMs right? I've been waiting in DAM review since November to become a DD.. wink, wink :)
19:27:49 <jmw> I just have to get round to finishing otto's review
19:28:07 <jmw> quite :)
19:29:16 <otto_> Robie is also excellent candidate, his work is always of high standards.
19:29:37 <jmw> ok, but that's not really what we need to get to here
19:29:51 <otto_> It is apitty database packaging is not very sexy and practically no now team members have appeared in a long time
19:29:58 <rbasak> Thanks otto_ :)
19:30:01 <otto_> s/apitty/a pity/
19:30:31 <rbasak> Though if MySQL is removed, that may become irrelevant. The only other package I maintain needs to be removed probably now (it's Mozilla Persona related)
19:33:39 <mehdi> nthykier: o/
19:34:50 <nthykier> On that note.  I have been told that the Security Team is drafting a policy on their requirements for upstream security policies
19:35:24 <nthykier> "Security Transparency" was the actual words used
19:35:42 <nthykier> #info Security team working on a "Security Transparancy" document
19:36:29 <jmw> I think that will go a long way towards expectation-setting
19:37:04 <rbasak> Thank you - I really appreciate that. I hope it will help with resolving the disclosure policy issue we have with both MySQL and MariaDB at the moment.
19:37:12 <nthykier> Though, I got no ETA on its completion nor its current status. Presumably it is in a very early state
19:37:45 <otto_> I don't think MariaDB has any disclosure problem. Take as example very recent CVE from MariaDB, mailed to oss-security
19:38:18 <nthykier> otto_: http://www.openwall.com/lists/oss-security/2016/01/26/3
19:38:21 <rbasak> otto_: MariaDB *upstream*, don't, but from a Debian perspective it does, right? Or else, why did you have to ask Oracle on the ML in relation to MariaDB?
19:38:22 <nthykier> ?
19:40:32 <nthykier> rbasak: Based on the security team's words and actions so far, I suspect they feel the same way as otto_ (although, it is my interpretation)
19:40:59 <rbasak> I understand that the root cause is Oracle's disclosure policy (which we hope to have them change).
19:41:16 <rbasak> But AFAICT, both the MariaDB and MySQL packages are impacted by this issue from Debian's perspective.
19:41:26 <rbasak> The security team themselves said so.
19:41:48 <rbasak> http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2016-January/008536.html
19:41:51 <nthykier> rbasak: impacted yes, but there is a difference between being affected by MySQL and behaving like MySQL
19:42:21 <rbasak> Yes, that's true. So the question is: does Debian make a decision based on technical impact, or something deeper?
19:43:11 <jcristau> making a decision based on whose policies are reasonable and whose aren't wouldn't be the worst idea ever, imo
19:43:15 <rbasak> If deeper, then I'd question whether the release or security teams have the remit to make that decision (I don't know - I don't mean to accuse).
19:44:29 <jmw> that is an interesting constitutional question, but I don't know if that's a rabbit hole we want to go down too far
19:44:38 <rbasak> I'm not sure that makes sense though. I could release rbasakSQL tomorrow, and have amazing Debian-spirit-compliant policies.
19:44:51 <rbasak> Anyway, sure.
19:44:56 <rbasak> Let's move on.
19:46:12 <jmw> the disclosure/information sharing thing is very relevant though. I think (though I can't speak for them) that a large part of the security team's objection is the quality of information that arrives in disclosures (the ones like "unspecified vulnerability")
19:46:32 <jmw> Debian is historically very open about what is wrong and how it's being fixed, and those make that very hard
19:46:51 <jmw> I am aware that some work is being done in that area though
19:48:50 <rbasak> Yes - I look forward to seeing the outcome for that. I hope that it will fix the situation for both MySQL and MariaDB.
19:49:16 <jmw> who is liaising with oracle about that? I get confused easily
19:49:32 <nthykier> Is there anything new on the Oracle side?  My understanding was that they were waiting for a fully specified list of things to implement
19:49:52 <rbasak> jmw: ryeng is an Oracle employee. It's on the pkg-mysql-maint list.
19:50:02 <ryeng> nthykier: Yes, I'm waiting for the security team to come back with some requirements.
19:50:06 <rbasak> One might say I'm liasing I suppose, and I'm happy to do that. But ryeng is happy to participate directly.
19:50:21 <rbasak> He's on the list, I mean.
19:50:21 <nthykier> ltangvald is as well (based on the @oracle.com in from)
19:50:33 <SpamapS> o/
19:50:47 <ltangvald> Yeah. I work on our Debian/Ubuntu packaging
19:51:02 <rbasak> ltangvald is being delegated a ton of the engineering work. He's behind the new 5.7 branch (not uploaded yet) and prepared the security updates.
19:51:07 <jmw> ltangvald may not be directly involved in the disclosure discussion though?
19:51:19 <ltangvald> No
19:51:22 <ryeng> No, I'm handling that from the Oracle side.
19:51:22 <rbasak> jmw: right. That's ryeng really. We're leaving ltangvald out of the politics.
19:51:26 <jmw> ok, thanks
19:51:32 <jmw> let me try and summarise some infos:
19:51:34 <jcristau> lucky him
19:51:36 <jcristau> :)
19:51:38 <ltangvald> :)
19:51:40 <nthykier> heheeh
19:52:28 <nthykier> jmw: ok :)
19:52:31 <jmw> #info the security team is working on a policy for security disclosure requirements, but it's not yet clear quite what shape that will take
19:53:29 <jmw> #info ryeng is liaising with oracle over the disclosure requirements
19:54:01 <jmw> ryeng: we don't want to end up with both teams waiting for each other though, so anything proactive you can do to oil the wheels would probably be appreciated all round
19:54:45 <nthykier> Is there any chance the Oracle policy change can be more iterative/agile?
19:55:03 <jmw> ah nthykier has the buzzwords I am missing :)
19:56:17 <ryeng> I doubt it. We don't want to change policies all the time, so it will be one change in policy. Once we get some requirements, we can go back and forth a bit trying to find a specific solutions if there are options.
19:56:41 <rbasak> So there's "policy change", and "policy change process".
19:57:04 <rbasak> I don't think there's anyone here saying that the process cannot have some back and forthing, but I do think we need a written starting point.
19:57:46 <nthykier> ok :)  Figured it was worth a shot :)
19:58:00 <rbasak> My concern is that Oracle will do something, say "we've done it", and what they did won't be acceptable to Debian.
19:58:15 <rbasak> I want to avoid that, since all our efforts would be wasted.
19:58:22 <rbasak> (and we'd run out of time)
19:58:40 <nthykier> rbasak: you mean "if they only get the requireents little by little"?
19:58:45 <nthykier> requirements*
19:58:46 <rbasak> So I think it needs to start by Debian setting out its requirements, so I really appreciate that the security team are working on that now.
19:58:58 <jmw> I wonder if jmm_ or carnil carnil_ or Corsac are around and might be able to give an idea of what stage this is at
19:59:16 <Corsac> hhm?
19:59:18 <jmw> aha
19:59:27 <nthykier> jmw: I heard from jmm that he did not expect to be around
19:59:38 <jmw> nthykier: yeh it was a long shot
20:00:01 <jmw> Corsac: we are discussing mysql + security disclosures, and there's a rumour that the security team are working on some guidelines for disclosure requirements
20:00:16 <jmw> if it's news to you as well it's fine :)
20:01:02 <rbasak> jmm_ mentioned it earlier in this channel I think, before the meeting.
20:01:07 <Corsac> I'm not around either, and to be honest: the threads are way to large, with way too long mails (including the “summary” ones); so I'm definitely not aware enough
20:01:39 <jmw> ok, not to worry
20:01:43 <jmw> thanks
20:01:58 <rbasak> He said they've started, but it wouldn't be ready for this meeting.
20:02:12 <jmw> let's await developments there then
20:02:29 <otto_> (FYI: I'll be in FOSDEM this weekend if anybody wants to work on any MariaDB issues with me in person)
20:03:53 <jmw> on a different note, I have skimmed #811428 just now and this seems much more productive than on previous occasions, so assuming that continues I think I have much less concern about maintenance in stable for mysql
20:04:00 <nthykier> I am considering to add "[#]info The general feeling is that Oracle is unlikely to implement the desired result unless the full requirement list is given at once." - does that seem accurate enough / worded correctly
20:05:11 <ryeng> I'd say we're unlikely to hit the mark unless we have the full requirement list
20:06:07 <rbasak> jmw: thanks. Oracle worked hard to make that happen since it was brought up, so I appreciate you noticing!
20:06:08 <nthykier> ryeng: ok
20:06:11 <ryeng> You're the ones pushing for change, so we'll try to adapt to what we get from you. If that's not a complete list, it may not be a complete solution.
20:06:49 <nthykier> #info Oracle believes they are unlikely to hit the mark unless they got a full requirement list
20:06:50 <jmw> nthykier: how about $agree it's not reasonable for oracle to implement a moving set of requirements at short notice, so we await a more concrete set of guidelines to negotiate with
20:07:00 <jmw> or that
20:07:05 <nthykier> jmw: wfm
20:07:12 <jmw> will you do it?
20:07:27 <jmw> or we'll end up with two :)
20:07:41 <nthykier> will do
20:08:07 <nthykier> #agree It is not reasonable for Oracle to implement a moving set of requirements at short notice.  We will await a more concrete set of guidelines to negotiate with.
20:08:10 <jmw> otto_: I couldn't find a similar bug for the mariadb dsa recently, was there much discussion about that or did it just work?
20:09:12 <nthykier> ryeng: Do you know if this has high priority within Oracle in general?
20:09:39 <otto_> There was no separate bug report, we just documented the CVE in the package changelog and initial trigger to upload happened with Oracle CPU coming out
20:10:04 <ryeng> nthykier: It does, high up.
20:11:02 <jmw> otto_: ok, thanks
20:11:07 <nthykier> :)
20:11:53 <otto_> jmw: from this page you find the best links to more info: https://security-tracker.debian.org/tracker/CVE-2016-2047
20:12:42 <jmw> can I take it we're agreed that the maintenance issue isn't a big one any longer, and we can put that objection aside?
20:13:26 <jmw> jcristau: your opinion valued on that point, with your SRM hat on
20:14:10 <jcristau> i have no information on that.  don't know.
20:14:29 <nthykier> If it continues like #811428 I do not have any immediate concerns - I cannot speak for the security team nor the SRMs
20:14:47 <jmw> well, I mean maintenance in {old,}stable specifically
20:15:24 <jcristau> SRM hasn't been involved in any of that so far afaik.  they're all through security.
20:16:32 <nthykier> (concerns over the how, though it is still new upstream releases)
20:16:35 <jmw> ok
20:17:21 <jmw> #agreed the security release process seems much improved, but a longer view should be taken about overall maintenance in stable
20:17:32 <jmw> I guess there isn't likely to be much non-security stable maintenance
20:18:13 <jmw> #action jmw will mail the security team to see how things are going with DSAs
20:18:29 <jmw> now this question of "defaults"
20:19:35 <Corsac> jmw: please keep mail *short*; we're already overwhelmed by mail for actually handling/triaging security issues, embargoed or not
20:19:46 <jmw> Corsac: sure thing
20:21:28 <jmw> defaults: we have a finite window in which to make package dependency changes to effectively default one engine over the other for packages which just don't care (the libmysqlclient problem)
20:22:20 <jmw> there is a virtual mysql package at the moment as well, isn't there? (I'm not so clear on this bit)
20:22:51 <rbasak> I believe there's virtual-mysql-server, provided by both mysql-server and mariadb-server, or something like that.
20:23:00 <rbasak> otto_ knows more I think.
20:23:32 <otto_> https://wiki.debian.org/Teams/MySQL/virtual-mysql-server
20:23:41 <rbasak> libmysqlclient is an entirely separate thing I think. It'll take some care and coordination, since the MariaDB build of it is different from the MySQL build of it (same soname)
20:24:12 <rbasak> AIUI, MariaDB aren't progressing libmysqlclient at all. Instead they have a separate client library that they work on, with a separate soname.
20:24:17 <otto_> maraidb.org repos ship libmariadbclient18 and all software seems to work OK with it
20:24:45 <otto_> libmariadbclient18 is designed to be a drop-in-replacement for libmysqlclietn18
20:24:47 <ryeng> rbasak: Correct, MariaDB Corp. are developing a separate library: https://lists.launchpad.net/maria-developers/msg09042.html
20:25:10 <ryeng> According to them, libmysqlclient in MariaDB is not actively maintained
20:25:21 <otto_> All new developments I think is in libmariadb2 and libmariadb3, which is natural
20:25:51 <ryeng> otto_: Yes, if switching library, it would be natural to use that instead of libmysqlclient from MariaDB.
20:25:56 <rbasak> otto_: is libmariadb3 also a client library?
20:26:15 <rbasak> I hear three names - libmysqlclient, libmariadbclient, and libmariadb.
20:26:31 <rbasak> I'm a bit confused as to MariaDB's position on the first two.
20:26:43 <otto_> Switch to a new library (eg libmaria2) I think needs something from the app developer to do, at minimum change soname they link to
20:26:44 <rbasak> Are they the same?
20:27:12 <otto_> Switch to libmariadbclient18 package provided libmysqlclient.so.18 would not require any extra work
20:27:45 <rbasak> Any ABI differences?
20:28:05 <rbasak> It doesn't feel right to me that MariaDB is taking over the same soname, but that's up to the release team I suppose.
20:28:22 <rbasak> It might be cleaner to get dependent packages to explicitly build against a new soname perhaps?
20:28:55 <otto_> SUSE and RedHat migrated all existing software to build against MariaDB provided version of libmysqlclient
20:28:58 <ryeng> libmysqlclient in MySQL and MariaDB are very similar, but there may be a few issues with 5.6 features and newer, since that happened after the fork.
20:29:59 <rbasak> otto_: what soname do SUSE and RedHat use?
20:30:18 <otto_> The ABI is not 100% same in mysql-5.5/libmysqlclient.so.18 and mysql-5.6/libmysqlclient.so.18 and mariadb-*/libmysqlclient.so.18
20:30:40 <otto_> ..but with regard of compatibility they are the same
20:30:41 <nthykier> ryeng: But the libmariadbclient.so.18 implements these features?
20:30:53 <otto_> MariaDB has some extra async functions
20:31:16 <nthykier> ("these features" being the 5.6 features)
20:31:58 <ryeng> nthykier: I'm not sure what libmariadbclient.so.18 is. If it's libmysqlclient.so.18 as shipped by MariaDB, it doesn't implement all features in libmysqlclient.so.18 as shipped by MySQL.
20:31:59 <otto_> This is the rule of thumb: mysql-5.5=mariadb-5.5, mysql-5.6=mariadb-10.0
20:32:30 <nthykier> otto_: ack, thanks
20:33:10 <nthykier> ryeng: ok - guess I will have to ask otto_ :)
20:33:31 <otto_> but they all have the soname .18 by Oracle design - only in 5.7 Oracle bumped to so.20
20:33:36 <jmw> am I right in saying that the major problem we need to solve is whether to ship variants, rather than which one gets preferred by applications?
20:33:40 <jcristau> wrt libraries and SONAMEs, i don't think rule of thumb is enough.  it sounds like if we switch packages to use mariadb-provided libmysqlclient, it should have a different SONAME.
20:33:56 <jcristau> and not pretend to be something it's not
20:34:38 <jcristau> the -dev package could still ship libmysqlclient.so, to keep API the same.
20:34:43 <otto_> jcristau: If that rule is followed to the letter, then the SONAME in mysql-5.6 should urgently be changed to .19
20:34:55 <jcristau> otto_: nope
20:35:20 <rbasak> otto_: right, and Oracle kindly reserved .19 for Debian for this purpose.
20:35:42 <otto_> jep, but not implemented yet as nobody requested it hard enough
20:35:50 <rbasak> We decided not to do it because we thought it was the lesser of two evils, given the timing.
20:36:22 <rbasak> But I'm happy to fix it that way if the release team require it. That's not a policy problem in my mind, just a bug that needs to be fixed.
20:36:43 <jcristau> otto_: if something built against libmysqlclient from mysql 5.5 would still work with libmysqlclient.so.18 from 5.6, there's no need to change SONAMEs.  but with two parallel branches, keeping oracle's SONAME sounds like a recipe for trouble
20:36:44 <otto_> Equally the lesser of two evils in migration to libmariadb.so.18 would be to keep the SONAME
20:37:36 <jcristau> anyway.  dinner time.
20:37:53 <rbasak> otto_: I think that introduces potential future problems because you end up with two owners of the same soname. For example, what happens if Oracle's disclosure policy gets fixed to Debian's satisfaction, and then Oracle want an 18.1 or 19?
20:37:54 <otto_> jcristau: Yes, the Debian repositories should not have two providers of libmysqlclient.so.18, thus MariaDB in Debian does not ship any libmariadbclient package from teh mariadb server source as mysql does
20:37:59 <rbasak> (or 20, which they have)
20:39:02 <otto_> I am just replying to jmw question: can the client library "default" switched? Yes if release team wants.
20:39:33 <jcristau> ok
20:40:16 <jmw> otto_: that wasn't quite what I meant, let me rephrase it
20:41:13 <jmw> the disagreement between mysql and release teams is about whether to ship a particular variant or not, rather than the "default", right? for example, shipping mariadb but not mysql
20:41:33 <jmw> and the mysql team's position is that you want to ship both in parallel
20:41:47 <rbasak> jmw: right. We want to ship both, you (and/or security) want to remove one.
20:41:51 <rbasak> That's my understanding.
20:41:55 <jmw> ok good
20:42:24 <otto_> If there is only one option, then we don't need to have a discussion of what is the "default"
20:42:32 <jmw> I'm coming to that
20:43:16 <jmw> the major concern from our point of view is the amount of time there is remaining to do the technical work *if* one variant ends up dropped because it lacks support from the security team, for whatever reason
20:44:07 <jmw> I don't think it's disputed that mysql is currently the issue there, rather than mariadb (the security team certainly have that preference, afaik)
20:44:32 <rbasak> I agree in part.
20:44:48 <rbasak> There's no dispute that it's MySQL facing the cut here.
20:45:03 <rbasak> But I think there is dispute that it's being done on sound technical reasons, rather than political feeling.
20:45:48 <rbasak> Since, for example, security disclosure issues *impact* both variants, as we discussed earlier.
20:46:08 <jmw> ok, noted, although security support is largely out of our hands (we have no desire to ship something without security team support)
20:46:35 <rbasak> I understand that you can only proceed on the decision of the security team.
20:47:00 <rbasak> I think that the security team owe us an answer on this point, which is distinct and separate from the progress on getting Oracle to change their policy.
20:47:11 <otto_> Currently we have worked to have both side-by-side. Inside the team we cannot of course agree that either one should be defalt in any way, and thus technically Debian users have as much freedom to choose right now as possible. Which is a positive thing.
20:48:32 <jmw> meanwhile the freeze marches nearer, and one idea I recently heard was to start the process of switching dependencies towards mariadb clients in anticipation of a problem. this would not mean that we don't do everything we can to ship both side by side, but it lessens the crunch quite a lot in november when we suddenly have to get on with it
20:48:53 <jmw> shipping in parallel would be ideal, but this keeps the options open
20:49:23 <nthykier> jmw: It is november - 2 months (assuming this to be a transition)
20:49:27 <rbasak> As an aside, two packages come to mind. akonadi and pinba-engine-mysql. They have deeper integration with MySQL than most.
20:49:30 <jmw> nthykier: yes
20:49:51 <rbasak> If there are issues switching, I think those are more likely to have issues than some of the others.
20:50:06 <rbasak> I haven't done any real analysis though. That's just off the top of my head.
20:51:04 <ryeng> rbasak: Yes, those and ... and MP3 player I don't remember the name of just now, which uses the embedded server lib.
20:51:09 <otto_> I don't know pinba but there was at least one user running akonadi with mariadb-server-core-10.0 package installed and reported it to work
20:51:23 <rbasak> jmw: I wonder. Could you agree to ship both, if and when the security team considers its cocnerns addressed?
20:51:56 <rbasak> jmw: because if you can, that might make it more likely to get a favourable result (from Debian's perspective) on the disclosure issue.
20:53:10 <jmw> well, I'm pretty sure shipping mysql in stretch is less disruption all round. not sure whether I would want to commit to it right here and now though, although I'm not against it
20:53:15 <jmw> I wonder what nthykier thinks
20:54:41 <jmw> (brb)
20:56:05 <otto_> (I need to go to bed soon, early morning and long travel day tomorrow..)
20:56:13 <nthykier> otto_: ack
20:57:01 <nthykier> Personally, I am not against shipping both based on the assumption that every thing works out on the security disclosure transparancy part.
20:57:51 <nthykier> Though, I like jmw I am not comfortable with commiting to ship both right here and now
20:58:41 <rbasak> I understand that there may be other reasons that crop up, and wouldn't expect you to be restrained by those.
20:58:55 <rbasak> I wonder if there's some sort of statement in the middle that you can make.
20:59:00 <rbasak> I don't know what.
20:59:59 <rbasak> My thinking is that if Oracle face "meet these requirements and the problem is solved", that's better than facing "meet this requirements and we'll think about it". The former is much more likely to get us a favourable result, IYSWIM.
21:00:15 <jmw> rbasak: we certainly can't commit the team to it between the two of us (especially not SRMs), but I'm inclined to be upbeat
21:00:27 <jmw> the security team objection is by far the biggest factor
21:00:58 <jmw> SRM's concern will be/is long-term maintenance; there are at least three years worth
21:01:43 <jmw> so returning to the question of switching clients early in anticipation
21:02:15 <rbasak> There are clients, depending on libmysqlclient18. And there are things that need servers, depending on mysql-server-5.6 or mysql-server-5.6-core.
21:02:25 <rbasak> Anything else?
21:02:40 <rbasak> ryeng: mentioned an MP3 client.
21:02:59 <rbasak> pinba-engine-mysql build-depends on mysql-server-source (binary)
21:03:44 <ryeng> cqrlog
21:03:47 <rbasak> pinba-engine-mysql might be a good place to start, actually. If it's blocked, then the release team will need to make a decision about what to do with it.
21:03:54 <jmw> what I'm getting at is should we start that process *now*
21:04:13 <jmw> or dither and hope we don't have to do it at all
21:04:58 <otto_> there is by the way already packages with "Depends: mariadb-server | virtual-mysql-server"
21:05:10 <nthykier> Certainly biased, but I am in favor of starting the process *now*.   My greatest motivation being risk reduction
21:05:40 <otto_> But it is of course a different scale if release team sets it as a goal for all mysql depending pacakges
21:05:41 <rbasak> If MySQL eventually gets leave to remain, what would happen then?
21:05:42 <nthykier> s/reatest/primary/ ?
21:05:57 <rbasak> I presume that right now the release team will set the goal, and later on let maintainers do what they wish again?
21:07:09 <jmw> I guess - given we haven't worked this out yet - that we would file non-rc bugs requesting a switch, and when we know for sure what the outcome will be either make them RC or relax
21:07:16 <jmw> something along those lines, probably
21:07:33 <rbasak> Understood, thanks.
21:08:11 <rbasak> I'd appreciate the opportunity to provide some feedback on the text of that bug.
21:08:22 <jmw> certainly, if and when the time comes
21:08:29 <rbasak> Thanks
21:08:49 <jmw> to be honest, pkg-mysql-maint would be in a better position to drive that process in general, knowing the packages better
21:08:56 <jmw> but we can sort that later
21:10:03 <jmw> I must admit starting that process and leaving time for fixups appeals to me as it does nthykier (and I think jcristau too)
21:11:01 <jmw> we should move this to mail so that the rest of the teams can get involved:
21:11:04 <otto_> If the release team makes a clear announcement somewhere I can then implement what was requested
21:11:21 <otto_> (file bugs about virtual-mysql-* preference)
21:12:01 <otto_> Something else? We can't touch libmysqlclient.so.18 now and there might not be a need to do it ever?
21:12:34 <rbasak> jmw: I'm not really clear on how the release team works on this kind of thing. What's necessary to get a release team decision? Eg. majority vote, a leader, or something else?
21:13:09 <jmw> #info it may be wise to start migration towards mariadb dependencies sooner rather than later, but ship mysql as well if security concerns are resolved
21:13:24 <jmw> #info a decision cannot be taken right now
21:13:27 <nthykier> rbasak: If we had been more, we would probably have voted over IRC
21:13:33 <rbasak> otto_: I imagine that it'd be a virtual-mysql-* preference together with an instruction to build against libmaria* and drop libmysqlclient dependency?
21:13:48 <nthykier> rbasak: but we appear to be 2 (maybe 3), so I think we will vote over email
21:13:49 <jmw> #action jmw will mail release team and include pkg-mysql-maint about moving to mariadb dependencies
21:13:56 <jmw> quite
21:14:03 <rbasak> OK, thanks.
21:14:15 <jmw> we don't usually have to resort to voting and can reach consensus, but nthykier and I certainly can't decide this on our own
21:14:33 <jmw> I think we should wrap mysql up there; we have made some progress and have some actions
21:14:47 <jmw> rbasak otto_ ryeng thanks for your contributions
21:15:03 <ryeng> jmw: thank you
21:15:04 <nthykier> tsk, you forgot ltangvald :)
21:15:16 <jmw> ah i was just trying to find him in scrollback :)
21:15:19 <ltangvald> Shh, I'm not part of the political talk :D
21:15:26 <rbasak> :)
21:15:29 <nthykier> hahaha
21:15:32 <jmw> ltangvald, thanks for your non-political contributions :)
21:15:43 <rbasak> And thank you for the time from the release and security teams on this.
21:15:54 <otto_> Thanks and good night! (now or later today :))
21:15:57 <ltangvald> Yes, thank you!
21:16:05 <ryeng> If anyone wants to talk face to face, both Otto and I will be at FOSDEM. Just reach out.
21:16:12 <jmw> nthykier: so we have a few things left on the agenda, but it's getting on:
21:16:29 <jmw> reproducible builds: I feel bad pushing that back another month :s
21:16:53 <jmw> they were keen for a discussion before christmas even
21:17:16 <nthykier> jmw: Ok with me :)
21:17:40 <jmw> h01ger: we have not forgotten you
21:17:51 <jmw> I will put move it to the top of the agenda for next time perhaps
21:18:09 <jmw> nthykier: mips64el, do you know what that is about?
21:18:22 <nthykier> next to nothing
21:18:27 <jmw> ok we'll defer that
21:18:36 <jmw> and linux in stretch only arrived this evening, that can wait
21:18:44 <jmw> I might see ben next month anyway
21:18:52 <jmw> #topic Next meeting
21:19:23 <jmw> according to my calendar it's 24th Feb next, does that sound right?
21:20:08 <nthykier> Yupe - my calendar also says Feb 24th
21:20:16 <jmw> #info Next meeting: 24th February 2016
21:20:28 <jmw> I will do the usual
21:20:31 <jmw> #topic AOB
21:20:35 <jmw> any other business?
21:20:58 <nthykier> nope
21:21:07 <KiBi> not from me (apologies as well, only slowly coming back to #-release stuff)
21:21:22 <jmw> ok, let's leave it there
21:21:23 <jmw> #endmeeting
21:21:36 <nthykier> #endmeeting