20:01:53 <waldi> #startmeeting 20:01:53 <MeetBot> Meeting started Fri Oct 12 20:01:53 2018 UTC. The chair is waldi. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:01:53 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 20:01:57 <waldi> if noone else wants 20:02:00 <waldi> #chair ta 20:02:00 <MeetBot> Current chairs: ta waldi 20:02:04 <waldi> #chair ansgar 20:02:04 <MeetBot> Current chairs: ansgar ta waldi 20:02:46 <waldi> #topic Check action items from last meeting 20:03:18 <waldi> no action items on last months meeting 20:03:48 <ta> so done 20:04:08 <waldi> i'm reordering the entries, as i have to go shortly 20:04:20 <waldi> #topic Status of secure boot signing 20:04:29 <ansgar> See https://lists.debian.org/debian-efi/2018/10/msg00000.html 20:04:32 <waldi> ansgar: sorry about pestering you. i think Sledge talked to you? 20:05:04 <waldi> #link https://lists.debian.org/debian-efi/2018/10/msg00000.html 20:05:06 <waldi> ansgar: thanks 20:05:26 <ansgar> I would like to have either recording which key an upload trusts (bwh's suggestion) or the Ubuntu patch to not have trusted keys in the kernel, but just use the one UEFI/shim tursts before we start using the production keys. 20:06:02 <ansgar> On the plus side, I have enabled secure boot with Debian's kernel on a laptop and it works :) 20:06:27 <waldi> okay. i intend to do some tests as well after the hands-on session with the intel guys yesterday 20:06:53 <ansgar> (Ubuntu has a kernel patch for the latter) 20:07:21 <waldi> okay. do you know where or do i have to search for it? 20:07:40 <ansgar> In the diff.gz, load_uefi.c or load_efi.c or so. 20:08:04 <waldi> okay, thx 20:08:21 <ansgar> Plus the sig verification function needs to be called with slightly different parameters AFAIU. 20:09:12 <waldi> #topic How much do we care about copyright holders in d/copyright 20:09:35 <ta> I think this text is ok 20:09:36 <waldi> ScottK would like to have the text for this finished 20:11:19 <waldi> okay. who wants to send it? 20:11:24 <ansgar> I think it should say "documenting copyright *holders*" in the first sentence of (4) or so. 20:11:44 <ansgar> Just copyright might be confusing (does it mean license or copyright holders?) 20:12:18 <ta> it means both 20:13:16 <waldi> yes, i think aw well that it should be explicit as we only want to change the listing of holders, not the licenses 20:13:49 <waldi> i'm sorry, but i have to go 20:13:57 <waldi> see you tomorrow 20:14:56 <ta> hmm, ok, with the rest of the paragraph, its about the holders 20:16:12 <ta> so shall scottk send the email? 20:16:40 <ansgar> Fine with me. 20:17:26 <ta> #action scottk shall send email about copyright holders 20:18:26 <ta> #topic Sources for architectures on ports 20:19:28 <ta> hmm, what does that mean? 20:19:49 <ansgar> It is about source packages that don't built anything for the main archive, but only for ports.d.o. 20:20:23 <ansgar> These get tagged as cruft and one port maintainer was unhappy when something disappeared. 20:21:13 <ta> ah, I remember, shall we change the tagging as cruft? 20:21:18 <ansgar> I'm not very enthusiastic to change that; I would like to see more cruft removal from unstable in the future (e.g. packages that haven't been installable for a long time in unstable/exp) 20:22:22 <ansgar> Which will probably conflict with having sources w/o any binary or uninstallable arch:all packages (which are only installable on a port) 20:23:55 <ta> #agreed at the moment don't change the tagging as cruft 20:24:52 <ta> #topic Unsupportable software for stable 20:25:19 <ansgar> What is this one about? 20:26:44 <ta> I think this is about software in stable that gets no security fixes or other updates anymore 20:27:22 <ta> but isn't that a matter of the release team? 20:27:25 <ansgar> That sounds more like a release team thing? 20:27:42 <ansgar> Maybe we should wait for the next meeting so waldi can explain. 20:27:46 <ta> it was waldis topic ... 20:27:48 <ta> ok 20:28:03 <ta> #topic CUPS license change (GPL -> Apache) 20:29:33 <ansgar> CUPS switches to Apache-2 which is incompatible with GPL-2 or so. 20:29:41 <ansgar> So CUPS is the new OpenSSL ;-) 20:29:59 <ta> yes, and 2.3 is already in experimental ... 20:30:58 <ansgar> I wonder if any other distribution saw this as a problem? Given most don't see a problem with GPL-2 and OpenSSL either... 20:31:22 <ansgar> (and Fedora still wasn't sued; nor was Canonical for merging ZFS into their Linux kernel package) 20:31:55 <ta> #link https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/2L2FK52XUKXHVK23AOPMCTOW3PQCTL5Z/ 20:32:39 <ta> do you know how many packages are affected? 20:32:51 <ansgar> No idea. 20:33:18 <ansgar> We also just count some forms of "linking" for some reason too... 20:34:11 <ansgar> dlopen() (or "import openssl") is somehow different from ld ;-) 20:35:02 <ta> "CUPS is fairly ubiquitous and easily falls under the "OS-supplied library" exception in the GPL 2." (from that thread above, citing someone from apple) 20:35:09 <ta> so only static linking is a problem 20:35:57 <ta> ok, I will look for affected packages until next meeting ... 20:36:04 <ansgar> Yes, but if we would say the exception applies to CUPS, it would probably apply to OpenSSL too. 20:36:23 <ta> yes, like everybody else :-) 20:36:25 <ansgar> (Which would arguably make life easier... And Fedora wasn't sued into oblivion.) 20:36:40 <Mithrandir> Debian has traditionally not applied the system library exception to any libraries, and I'm not sure if it's fine to apply it between system libraries either. 20:36:51 <Mithrandir> (at the risk of reopening that debate. :-) ) 20:38:29 <ansgar> Yes, that's basically a question the CUPS license change brings back :) 20:39:37 <ta> but than we must remove some packages 20:40:24 <ansgar> Yes, Python scripts using OpenSSL (indirectly) that are licensed under GPL-2-only ;) 20:41:05 <ansgar> Or ones using CUPS. 20:41:54 <ta> Mithrandir: do you have a link to a previous discussion at hand? 20:42:07 <Mithrandir> ta: I do not 20:44:02 <ta> ansgar: did we ask a lawyer about this in the past? 20:44:32 <ansgar> Don't know. That was too long ago for me :) 20:45:15 <ta> so maybe we should do this again/now? 20:46:25 <ansgar> Maybe. I would like to ask Joerg about historic things first. 20:47:06 <ta> ok 20:47:27 <ansgar> Though first I still need to find a new appartment... 20:48:13 <ta> #action talk to ganneff about openssl history (related to CUPS license change) 20:48:33 <ta> #topic OpenSSL 20:48:47 <ta> I have no idea why this is on the agenda 20:49:10 <ansgar> Ah, because it is the same as CUPS. 20:49:44 <ta> ok, then we are finished with that 20:50:02 <ta> #topic Any other business 20:50:43 <ta> anybody? 20:51:17 <ansgar> Nothing really. There is a plan to publish the debug archive for the security archive now. 20:52:09 <ta> yes, that would be nice 20:53:39 <ta> so we are finished for today, thanks to everybody :-) 20:53:43 <ta> #endmeeting