15:00:34 #startmeeting tooling group meeting 20 october 2020
15:00:34 Meeting started Tue Oct 20 15:00:34 2020 UTC. The chair is ahf. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:34 Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:58 there were no items on it until a few min ago, so i added one that was brought up yesterday by roger
15:01:18 * gaba going to look at the agenda
15:01:25 #topic gitlab and git.torproject.org
15:01:33 can we review the dashboard again?
15:01:38 sure
15:02:01 added it as next item
15:02:07 just add things to the list if there is something :-)
15:02:09 that is easiest
15:02:25 so what's with gitlab and git.tpo
15:02:33 yes, i was about to write that
15:02:39 sorry :)
15:02:57 so roger asked the other day about the website specifically and for the research page and getting more people involved with that without adding more people to ldap
15:03:21 it's easier to hand out access for users on gitlab and delegate things there, BUT, we are not ready yet with all the redirection stuff from git.torproject.org and so on
15:03:24 this has been up before
15:03:33 yes, we have discussed this before :)
15:03:37 we even have a ticket!
15:04:06 yep, i was about to look it up, but just gonna finish here. on the ticket we define what some of the things are that we have to do
15:04:29 "establish policy on git repository mirroring, hosting and, ultimately migration from gitolite" ticket https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/36
15:04:32 i wonder when we think we can begin with a small number of projects and move those over, and ignore the big set of things we might have to clean up at first
15:04:49 because we won't run that task like we did with the trac -> gitlab migration where i disappear from the world in 3 weeks
15:05:03 so it has to happen slowly and a bit more ad-hoc i think
15:05:04 no, we won't :)
15:05:06 we can do small things
15:05:08 ya
15:05:19 but i think we should do the small thing of agreeing on what the world will look like eventually first :p
15:05:25 like agreeing on what our end goal is
15:05:50 yeah
15:05:50 like i have a list of questions there
15:05:53 i understand it's a long list
15:06:14 no, it's a good list. i think the problem is i don't have the answer to all of it :-/
15:06:28 for instance, i don't know if the plan with keeping a few TPA related repos around means having gitolite around forever?
15:06:31 the only answer i got so far was from gaba, and it was basically "postponed until june 2021"
15:06:32 you are talking about the list in that ticket?
15:06:35 or is this "having a public gitolite" around forever?
15:06:40 gaba: ya, and all of its content
15:06:40 ahh
15:06:47 which makes me feel like we should either do that now or reopen that discussion properly :p
15:07:13 my answers are in https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/36#note_2684335
15:07:32 can we postpone this discussion to november? I have a bunch of report and stuff to finish in October and I'm moving countries in 2 weeks. I will be able to look at gitlab policies and facilitate discussion in November.
15:07:36 basically, what i am proposing there is that we retire gitweb and gitolite, within a 1-2 year timeline
15:07:47 i think that is a good idea
15:07:52 new repositories are created on gitlab (which is basically already the case)
15:07:53 like the 1-2 year timeframe
15:08:05 repositories can be mirrored, as a temporary measure
15:08:05 and then at the end we might have the tpa ones and we can figure out ourselves what to do with those?
15:08:11 yes, i think we should revisit this gitolite retirement with the rest of TPI
15:08:16 before making a decision
15:08:22 we have a migration procedure in https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab/#how-to-migrate-a-git-repository-from-legacy-to-gitlab
15:08:49 i think they have said what they need? some depends on git.torproject.org because of jenkins. we do have an alternative to that now that people can slowly experiment with. and we have TB and Tor and some tpa things that is not sure if they want to move yet
15:08:54 but we don't have a mechanism for SSH (and HTTPS?) redirections for "git clone"
15:08:55 \o/ for documentation
15:09:02 the big task for us will be to get rid of /all/ the legacy stuff on git.torproject.org :-/
15:09:05 so that's what i have
15:09:10 there is so much old stuff that nobody has touched in a long time
15:09:19 i don't think that's a problem
15:09:19 and there is still a big task on finishing decisions and policy on roles and permissions
15:09:24 you throw that in the legacy/ project
15:09:27 i feel that right now is a little chaotic in gitlab
15:09:29 it's not a problem, but it is a big task i think
15:09:36 gaba: ah
15:09:40 right
15:09:41 gaba: agreed
15:09:45 so that's what i'm worried about here
15:09:57 gitolite is already a huge liability, both in terms of (non-existent) maintenance and security
15:10:13 now we're talking about moving projects piecemeal between gitolite and gitlab
15:10:20 yet we don't quite know how to operate gitlab just yet
15:10:27 i would prefer for us to have a clear idea on how user permissions and roles work before doing any other shutdown of gitolite or even migration of big repos
15:10:28 so i feel we're playing with fire a bit
15:10:46 ack, okay
15:10:55 well what's being proposed here is not the immediate shutdown of gitolite or migration of big repos :)
15:10:59 i think it is ok to move repos like research
15:11:00 it's migrating small projects
15:11:02 those are not a big deal
15:11:04 i think this is good, i think we are not ready yet and we have some proposals, but there is also some other things playing in
15:11:13 gaba: i don't think we can start moving small things now, then we lose the grand overview
15:11:14 but we should wait longer on anything that could be a security issue
15:11:20 that is why i brought it up
15:11:28 so about the security issue
15:11:31 not moving small things? what do you mean?
15:11:35 i've been looking into this quite a bit
15:11:54 yeah, not have things that are both on git.torproject.org and gitlab where the former isn't canonical
15:11:55 let me find that ticket
15:12:03 ah, i see
15:12:12 i am fine with people starting new projects on gitlab
15:12:25 crap, i don't have that ticket :p
15:12:34 but basically, what i'm proposing is we adopt OpenPGP signatures for git commits
15:12:50 the problem we feel we have with the security of gitlab for our code, we already have with gitolite
15:12:58 possibly even worse
15:13:00 we just don't know about it
15:13:16 so we should slowly start adopting git signatures
15:13:22 and authenticate them in various places, like CI
15:13:26 interesting. Let's bring that up whenever we discuss this other migration from gitolite with the rest of tpi
15:13:26 and in release processes
15:13:32 it's a team-wide question, obviously
15:13:42 but it's my response to "but gitlab insecure aaah" :)
15:14:02 i think with the way we use gpg in the org that nobody will be able to do that :-/
15:14:05 there are many ways of checking commits too, so there will need to be some discussions on which process makes more sense based on various teams workflow
15:14:10 ahf: how is that?
15:14:19 how do we handle external contributions too with that?
15:14:31 well, if people do rebasing as part of their review policy, it breaks signatures right away
15:14:40 tor.git has tons of signed commits that are borked in various ways iirc
15:14:51 ahf: that's what i'm saying, there are various ways of implementing that :)
15:14:58 you could sign tags, for example
15:14:59 i have never seen a good problem that was solved by using pgp
15:15:04 or sign merge commits
15:15:13 nod
15:15:14 oh god, really
15:15:24 "pgp doesn't solve anything" is not exactly constructive right now
15:15:35 but i hear you
15:15:36 pushback :)
15:15:38 yeah :-S i am open to the idea, but my gut feeling is that i won't be a fan. but it is something we can look at
15:15:49 i can open an issue and throw a few links in there
15:15:51 i tried for some years with the gpg and git signing of things
15:15:53 yeah, please do!
15:16:06 honestly, i don't see any other solution that doesn't involve a billion insanities
15:16:09 i think it would be interesting. it might be something has changed and the integration is better
15:16:16 for what it's worth, i'm proposing to use this for TPA as well
15:16:19 should we move to next item in the agenda?
15:16:20 it was in 2015 i messed around with it
15:16:32 i don't think the integration changed significantly
15:16:33 i'm ok with that - it sounds like anarcat will add some info on this
15:16:49 could we just see if we can agree on at least *some* of the questions i outlined in the issue already?
15:16:53 i think we do agree on some stuff
15:17:10 i think we agree on most of it from what i could tell
15:17:22 11:09:20 <+anarcat> basically, what i am proposing there is that we retire gitweb and gitolite, within a 1-2 year timeline
15:17:24 i don't think there was anything i actually flat out disagree with
15:17:37 anyone disagrees with that?
15:17:49 i totally agree in looking for 1-2 years to retire it
15:17:57 i also think we clearly agree that new repos are created on gitlab
15:18:01 and figuring out a process on what needs to happen before it
15:18:03 and that people can mirror repos
15:18:06 right
15:18:18 so i'll check those boxes and document that in the ticket
15:18:27 i'm not sure we agree on "can people migrate their git repositories from gitolite to gitlab?" just yet
15:18:36 i was blocking on that before we made sure we have a plan
15:18:54 and i'm not sure we do, but if we agree we eventually retire gitolite, then i agree with starting to migrate small projects
15:19:10 yep
15:19:15 i think it would depend on which repo we are talking about
15:19:26 yes on small projects
15:19:50 no? we can't *move* things. people can start new projects there? otherwise in 2 years we have to sit and decide which repos belong where and why and what is canonical
15:19:58 and we can do the syncing we do today
15:20:11 mmm
15:20:20 so what do you think we should do with repos like research?
15:20:45 nothing i think. because they still depend on jenkins they can merge things on gitlab and then manually sync from gitlab to git.tpo
15:20:47 a bit like we do in tor
15:20:50 with tor.git*
15:21:28 there will be chaos when we migrate it because i think some projects are already gitlab only, but i think the goal is to minimize the chaos as much as possible 8)
15:21:31 i'm updating the ticket's summary
15:21:39 ok
15:22:40 done
15:22:45 ok bueno
15:22:48 can we jump to next one
15:22:52 sure
15:22:54 7 of 10 tasks completed in https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/36
15:23:07 #agenda outreachy reviews
15:23:22 ahf: ITYM "#topic"
15:23:25 ugh
15:23:26 ahf: also, i think we *can* move things
15:23:31 #topic outreachy reviews
15:23:43 it's just tricky with jenkins projects, obviously, but hopefully those projects can migrate to gitlab ci on their own?
15:23:49 * ahf went over a few of them yesterday, some via email, some via gitlab
15:24:01 also found some things in there that i had to handle via email and i am still waiting for some response on that
15:24:25 and i have a bit of an issue that i am not sure how to solve without having to do a TON of git support to the contributors
15:24:45 I'm mostly interested in discussing a little more on what we want from the lobby
15:24:55 ahf: what is the issue?
15:24:56 are all the issues in that list something we want
15:25:03 anarcat: let us take that one in PM after the meeting
15:25:12 https://gitlab.torproject.org/tpo/tpa/gitlab-lobby/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Outreachy
15:25:13 okay
15:25:46 whoa that's a lot of tickets
15:25:48 yeah
15:25:56 so, we are using the lobby for two things:
15:26:05 1) we have a need for it and there is a lot of small issues we need solved
15:26:11 those are many tickets related to the lobby but not to the anonymous submissions
15:26:19 2) we are trying to find a person who seems capable of diving into the django world
15:26:29 * gaba looking for the ticket on submissions
15:26:40 gaba: yeah, that is the plan? :-) the project we accept people into will be doing the anonymous tickets system from scratch with the person we pick
15:26:47 https://gitlab.torproject.org/tpo/tpa/gitlab-lobby/-/issues/1
15:26:54 yep
15:27:32 i think so far the contributions are good and i also think i have some ideas about who is capable and so on for the bigger project
15:27:40 a lot of the interns are PM'ing and emailing me too
15:27:59 please remember to not give names as we are in a public channel with logs
15:28:03 ok
15:28:13 yeah, no names
15:28:59 anarcat: any question/comment about this?
15:29:24 apart from "whoa that's a lot of tickets" you mean? :)
15:29:25 not really
15:30:37 ok :)
15:30:59 ok, next item?
15:31:03 i opened this ticket regarding the openpgp signing stuff https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81 "evaluate mitigation strategies to work around GitLab's attack surface for git hosting"
15:31:12 so the dashboard
15:31:20 https://gitlab.torproject.org/groups/tpo/tpa/-/boards
15:31:23 i think i'm going to give up on it
15:31:35 #topic dashboard
15:31:51 the issues i have in next will have to wait until november
15:31:57 because it's not really working
15:32:23 i keep poking people to triage their stuff
15:32:28 and it seems no one does it
15:32:36 so i'm going to retreat to https://gitlab.torproject.org/tpo/tpa/team/-/boards
15:32:42 and stop triaging non-tpa tickets
15:33:10 gaba: could you move those tickets to backlog?
15:33:11 anarcat: the issue is that we do not have so much time for this.
15:33:37 yeah, you're right. i by no means prioritize this, it gets pushed down my list all the time
15:33:42 ok. moving my tickets and unassign tickets to backlog
15:33:47 i will get them back in november
15:33:53 well you can keep the tickets
15:33:58 just move them out of "next" :)
15:34:21 also this implies i should probably just close https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/10 again
15:34:30 because i can't move to subprojects
15:34:33 yes
15:34:38 otherwise i wouldn't be able to ignore the gitlab and lobby issues
15:35:03 also, i understand we don't have time to process all the gitlab issues
15:35:11 obviously, there's a lot more work than what we have available
15:35:20 yes and that is why we have these meetings
15:35:24 but
15:35:29 to prioritize this work and figure out what needs to be done first
15:35:34 that doesn't mean we can schedule stuff properly
15:35:42 i think we've been overly optimistic with our scheduling so far
15:35:53 yes :/
15:35:55 and what i was asking is basically to have the board reflect a more realistic availability
15:36:12 even the backlog is too big right now
15:36:16 those 60 issues won't be done in november
15:36:29 last week i proposed to move everything one step back
15:36:38 all of backlog to icebox, all next to backlog
15:36:44 can we close https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/48
15:36:51 then pick only some stuff in next
15:36:52 i moved some of my stuff to backlog; maybe it should just go straight to icebox
15:36:58 and then from there, once "doing" is empty, move some stuff
15:37:02 i think we should focus on the permissions/user roles stuff
15:37:36 if we close #48, it means we're happy with using the lobby, no?
15:37:41 where is the permission/user stuff if not in #48?
15:39:39 #15
15:39:46 and #31
15:40:21 it seems those 2 can be merged
15:40:26 i think we are more happy with the lobby than we were with the open rollercoaster
15:40:55 those do seem redundant
15:41:04 yep
15:41:11 i'll close 48
15:41:27 16 tickets in backlog now
15:41:32 bueno
15:43:50 anything else?
15:43:53 * ahf has none
15:43:54 ahf: pro tip i just read in the "bullet journal" book: if you keep postponing a task all the time, just do it first thing tomorrow morning. it's a chore, you won't like it, but you'll feel better after :)
15:44:05 i do use bullet journal
15:44:07 if you can't just do it in the morning, it's not small enough, break it down and reschedule
15:44:09 no way!
15:44:12 i don't! :)
15:44:13 i also use bullet journal :)
15:44:16 i'm just reading the book
15:44:18 oh wow
15:44:18 TIL
15:44:24 super interesting
15:44:24 ya, i have a small book with dots in for drawing and such
15:44:28 and then i move things over each morning
15:44:32 but i prioritize too
15:44:54 I stopped doing bullet journal because I was having trouble to move things :)
15:44:57 like today i have the vpn meeting coming up, so now i have spend some time to prepare for that, and next i need to do outreachy and then prepare some slides because they are urgent because other people are going on holiday
15:45:04 and tomorrow i then i have to do the CI things i won't make today
15:45:07 maybe we have too many meetings
15:45:15 i don't follow it strictly, but just a tiny bit
15:45:15 like it seems i spend more time meeting about gitlab than working on gitlab
15:45:31 i think we handle gitlab things, but just the things that pop up rather than the big lines
15:45:32 i wonder if we can do now the gitlab meetings every 2 weeks
15:45:34 instead of every week
15:45:43 at least until we have more time to work on gitlab
15:45:59 it's OK with me to have it bi-weekly
15:46:04 we could just call the meeting as needed
15:46:06 like schedule it
15:46:16 and then we free a real time slot for it and we're all fully available :)
15:46:18 the issue with calling it is that it may not just happen
15:46:31 then it doesn't happen
15:46:34 if it needs to happen, it will
15:46:34 we can do it every 2 weeks and if we do not have anything in the agenda then it gets very short
15:46:47 i believe this is misfiled https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/80
15:46:50 (ot)
15:46:59 also i would like this space to be a discussion about internal toolings
15:47:01 not only gitlab
15:47:10 gaba: my experience is different; what actually happens is nothing is in the agenda, then we add stuff to the agenda and discuss stuff we don't have time to do :p
15:47:27 then let's not add it to the agenda :)
15:48:02 easier said than done
15:48:09 if you are all ok with it I will change the nc event to every 2 weeks
15:48:15 anyways, i'm okay with 2 weeks
15:48:19 ok
15:48:23 yep
15:49:47 let's call it then folks
15:49:50 thanks for the chat!
15:50:15 thanks!
15:50:17 #endmeeting