13:59:21 <h01ger> #startmeeting 13:59:21 <MeetBot> Meeting started Wed Apr 29 13:59:21 2020 UTC. The chair is h01ger. Information about MeetBot at http://wiki.debian.org/MeetBot. 13:59:21 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 13:59:35 <h01ger> so this is meetbot, its described on that wiki page 13:59:42 <h01ger> it will automatically provide logs 13:59:46 <h01ger> and a summary 13:59:59 <h01ger> anybody can add info to the summary by two means 14:00:04 <h01ger> https://example.org 14:00:13 <h01ger> #info h01ger gave a meetbot intro 14:00:16 <h01ger> #save 14:00:28 <h01ger> updates the log on meetbot.debian.net - handy if someone joins later etc 14:00:39 <h01ger> #topic introduction 14:01:02 <h01ger> I'm Holger from Hamburg, not really much affected by 'current events' currently. Please say hi to indicate p 14:01:03 <h01ger> resence. 14:01:18 <OlaLundqvist> hi 14:01:19 <ta> hi 14:01:21 <bunk> hi 14:01:22 <Beuc> hi 14:01:23 <daissi> hi 14:01:23 <el_cubano> hi 14:01:24 <apo> hi 14:01:26 <buxy> hi 14:01:26 <bhe[m]> Hello. 14:01:26 <utkarsh2102> hi 14:01:29 <gladk_> hi 14:01:32 <lamby> hi 14:02:05 <h01ger> about my job/role in LTS: I dont really see myself as your manager instead I try to be a secretary and offer advice. Often I ask buxy to decide (and just offer my advice to him as well). On average I spent less than 10h on billable work per month. 14:02:15 <h01ger> i thought this was useful information to you ;) 14:02:44 <h01ger> feel free to add other stuff you find important for this introduction, else i'll move to the next topic in 2min or so 14:02:47 <Beuc> :) 14:02:55 <h01ger> the agenda is at https://pad.riseup.net/p/ReLIIxDwtTkk_cuEuO_k btw 14:03:37 <OlaLundqvist> My work with LTS is as most others. I do typically spend most time on front desk. One of the reasons is the problem to find other work. This is a topic we will discuss later here I guess. 14:04:29 <buxy> For context, I run the business side, I used to be involved in the technical side at the start, but I stepped away because I have plenty of work with Kali mainly. I do still follow all the community side but less frequently than before. 14:05:15 <buxy> Hence the reason why I asked holger to fill the gap. 14:05:50 <h01ger> so, lets move on 14:05:57 <h01ger> #topic future meetings 14:06:55 <OlaLundqvist> Should we have some kind of poll now? 14:06:56 <h01ger> so, i think we need another poll, giving 7 days and 24h as options (every other hour..). and like the last poll we'll vote on the last week in May, meaning every last week of the month 14:07:29 <h01ger> thats about irc meetings and unless you come up with $something, i'll just go on with this plan ;) 14:07:59 <ta> sounds like a good plan to me an please announce the poll :-) 14:08:04 <h01ger> sure 14:08:08 <lamby> Might involve a lot of clicking, but sounds good to me so that everyone's timetable/timezone is accommodated 14:08:24 <OlaLundqvist> Personally I'm more flexible odd weeks, because then I do not have kids but other times works fine too. 14:08:45 <h01ger> about video/voice meetings, i'd be happy to try them, and would go with video 14:08:59 * ta does not like video conferences 14:09:25 <h01ger> and unlike the irc meetings i would declare those meetings as 'paid lts team' private meetings. surely we can invite people occasionaly, but these could be our private meetings 14:09:30 <OlaLundqvist> Video do sometimes not work that well at long distances with lot of participants 14:09:36 <buxy> Time availability for me depends a lot of changing factors like my son's sport training and so on. So it might not always work out. Given enough advance notice, most people can arrange a bit. 14:09:53 <h01ger> buxy: do you see those video meetings as paid time as well? 14:10:00 <buxy> h01ger: yes 14:10:09 <daissi> would it be possible to have a summary for video meetings for people which cannot partipate? 14:10:27 <el_cubano> I don't mind video conference, but we should be sure to make good notes/records/logs for those who cannot participate synchronously to be able to review later. 14:10:37 <utkarsh2102> in that case, someone will have to volunteer for writing mom(s) 14:10:43 <h01ger> i suppose $someone can write logs 14:10:47 <OlaLundqvist> We can record the whole meeting if necessary. Not sure what tools we have available for that though. 14:11:02 <h01ger> it doesnt have to be volunteer as in non paid (the log writing part) 14:11:39 <buxy> video conf poses some challenges but with some rules, they work quite well, I'm ready to go with jitsi for a try, but if it doesn't work I'm also ready to use zoom or something that works 14:11:46 <h01ger> so, the #minidebconf-online folks are having a jitsi tests with their debian.social setup tonite, i'll see if that works 14:12:02 <buxy> FTR zoom can keep a record of the video 14:12:22 <daissi> there is also BigBlueButton 14:12:25 * h01ger would really prefer to stay away from zoom, TBH 14:12:46 * h01ger tries to conclude 14:13:23 <Beuc> I haven't checked zoom's licensing, I'll need to check that. 14:13:23 <h01ger> shall we aim for a video meeting in may already? or give other folks (#minidebconf-online takes place end of May) time to test first? 14:13:54 <buxy> #agreed videoconf are fine provided that we provides either a record or some minutes 14:13:58 <h01ger> i can provide a bunch of links about whats wrong with zoom, but thats off topic right now 14:13:58 <utkarsh2102> heh 14:14:04 <h01ger> also, doorbell, will be back in 2min 14:14:06 <h01ger> sorry 14:14:33 <OlaLundqvist> I think we can try already in May. If it does not work fine the first 15 minutes or so, we can fall back to IRC. 14:14:47 <buxy> Beuc: zoom is pretty much proprietary AFAIK, but as a participant, you can use it from the browser without installing anything 14:15:18 <h01ger> re 14:15:29 <Beuc> non-free JS I guess ;) 14:15:49 <h01ger> so, video meeting in May or June? i'm happy to do a similar poll for that one.. 14:15:51 <Beuc> Do we want to plan a audio-only fallback in case bandwidth-issues, etc.? 14:15:58 <el_cubano> Or, if you have a smartphone that already runs a non-free OS, just install it to your phone. 14:16:10 <h01ger> Beuc: turning off video in jitsi is easy 14:16:17 <Beuc> ok 14:16:28 <ta> h01ger: I have no camer yet, so from my point of view: june 14:16:36 <bhe[m]> fallback option mumble :) 14:16:51 <h01ger> ta: you can join (jitsi) without a camera 14:16:55 <OlaLundqvist> My experience with more than a few participants is that video will not work that well. But screen sharing is usually very good and video from the person who currently speaks can be good. 14:17:10 <ta> ta: shouldn't it be a video conference? 14:17:35 <OlaLundqvist> I think voice and screen sharing is the most important. If we can get video working that is a bonus. 14:17:35 <h01ger> buxy: whats your opinion on May or June? 14:18:04 <buxy> I'm fine with May 14:18:07 * h01ger doesnt see how we need screen sharing but is curious to learn ($then) :) 14:18:25 <OlaLundqvist> Screen sharing is really useful when trying to explain something. :-) 14:18:33 <buxy> ta: no worries if you don't have any webcam yet, you'll see others at least but we won't see you 14:18:40 <h01ger> June would give us more time to let other sort out technical woes, but i'm fine to try in may 14:18:58 <h01ger> #agreed h01ger will do a poll for a video meeting using debian.social in May 14:19:02 <ta> buxy: that would be great :-) 14:19:03 <lamby> :) 14:19:17 <h01ger> #topic Sylvain suggests to discuss the relevance of the front desk role: see https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_March_2020/ 14:19:54 <h01ger> "Most contributors claimed vulnerabilities by performing early CVE monitoring/triaging on their own, making me question the relevance of the Front-Desk role. It could be due to a transient combination of higher hours volume and lower open vulnerabilities." is the relevant sentence from that blog post 14:20:00 <h01ger> and Beuc is here too 14:20:03 <h01ger> :) 14:20:15 <utkarsh2102> Eh, my online classes seems to be working well with video conferencing. So it should be alright, hopefully. 14:20:50 <Beuc> h01ger, do you want to expand or is that clear enough? 14:21:02 <utkarsh2102> (sigh, I sent this 3 minutes ago :/) 14:21:03 <h01ger> Beuc: not sure. whats your suggestion to do/discuss 14:21:19 <buxy> Beuc: I think it's clear enough and utkarsh2102 raised something like this too 14:21:45 <utkarsh2102> yea 14:21:53 * h01ger thinks front-desk is (very) useful even if sometimes people are faster than frontdesk ;) 14:22:06 <OlaLundqvist> My opinion about the front desk role is that it is relevant and important to have someone that has the responsibility to do things. 14:22:23 <OlaLundqvist> A problem though is that it is rather often hard to find other work. 14:22:36 <Beuc> I don't have a clear suggestions, expect maybe poll what people feel about strengthening front-desk or weakening it 14:22:39 <OlaLundqvist> At least I have usually a problem to find packages that I can work with. 14:22:48 <daissi> I have the same problem 14:22:53 <el_cubano> For me, I usually see the automated commit emails from merges of the security-tracker into the ELTS repo. If the suject mentions a package I'm interested in and I'm available, I'll check to see if it is in dla-needed.txt. If not, I'll add it myself and start working on it. 14:22:54 <ta> frontdesk is not only about triage but should also answer questions from outside and take care of problems 14:23:05 <Beuc> I did some FD bypass in the past when FD was lagging (e.g. not working everyday), but only after 1-2d. 14:23:23 <buxy> IMO points 3-4 are tightly coupled and this results from the fact that we don't have enough work given the current funding level 14:23:39 <utkarsh2102> Beuc: seconded^ 14:23:51 <h01ger> point 4 is "Sylvain suggests to discuss aggressive package claims, see https://lists.debian.org/debian-lts/2020/03/msg00043.html" 14:24:06 <buxy> and since people want to invoice all their hours, they look hard at getting updates assigned early, bypassing FD 14:24:09 <h01ger> is there a problem bypassing FD? i dont think so.. 14:24:30 <h01ger> we document stuff in git, so, fine. or? 14:24:41 <Beuc> I have some arguments in 4 14:25:15 <utkarsh2102> h01ger: i've heard bypassing FD becomes problematic to the person at FD 14:25:18 <utkarsh2102> s/heard/seen/ 14:25:23 <Beuc> Depends on whether bypass is within minutes of when a package is marked by security team, or a few days later 14:25:31 <h01ger> #topic Sylvain suggests to discuss the relevance of the front desk role: see https://blog.beuc.net/posts/Debian_LTS_and_ELTS_-_March_2020/ and suggests limiting concurrent claims in https://lists.debian.org/debian-lts/2020/03/msg00043.html 14:25:40 <h01ger> lets discuss this together than 14:25:51 <el_cubano> What about exploring some additional tasks (that do not directly involve packaing/fixing security vulns) to improve LTS, infrastrucure, etc. 14:25:52 <Beuc> depends on whether the claim is not while the claimer alreay has some work and should finish existing updates rather than claim more 14:25:54 <buxy> In theory, it's fine assuming that they do the same triage that FD would do. But in practice, they want to spend their hours and will favor handling the updates as opposed to marking it as no-dsa for example. 14:26:03 <Beuc> s/is not/is done/ 14:26:06 <h01ger> i've now added checking for too many concurrent claims to my script preparing the semiautomatic unclaim mails 14:26:28 <h01ger> and set the limit to complain at to >=3 packages claimed 14:26:41 <buxy> So I would rather that people do not bypass FD unless the issue is really critical and a timely release is important, or if FD is unresponsive. 14:26:51 <el_cubano> buxy: That might be addressed by only permitting FD to list packages in dla-needed.txt and only allowing us to take packages already listed there. 14:27:09 <OlaLundqvist> Yes a rule that the person first check with front desk would be good. 14:27:21 <h01ger> el_cubano: or by enforcing not to bypass FD unless really critical 14:27:23 <lamby> Maximum number of claims and the role (or the "bypass") of FD feel like different topics to me. Shall we consider them one at a time? I don't think we got to resolution on the FD one. 14:27:31 <h01ger> so that two people principle 14:28:03 <OlaLundqvist> lamby/all: I think we can rather easily agree on that it is good that we have a front desk role. 14:28:32 <OlaLundqvist> The question is more about the interaction with that role. 14:28:36 <utkarsh2102> of course 14:28:37 <lamby> OlaLundqvist: Sure. I am talking about the bypass of FD too. 14:28:44 <h01ger> ok, lets split the topic again, to come to conclusions.. 14:29:09 <h01ger> #topic rules on bypassing FD or not or exceptions 14:29:23 <h01ger> is that the question at hand? 14:29:29 <apo> FD is not only responsible for triaging but also for responding to emails on our mailing list and to IRC questions, so alone for this reason it makes sense to have such a role 14:29:48 <el_cubano> #agreed 14:29:49 <lamby> I believe at least twice I have gone to add something to dla-needed.txt as FD and it was already added simply in the 30 minutes I was spending on the triage and initial investigation of the issue. ie. a somewhat unavoidable race condition. 14:29:49 <h01ger> if so, i'd like to find a volunteer to update the README in git with the conclusion from this discussion here 14:29:50 <lamby> To be fair, it hasn't happened *loads* and I have been in LTS for some time so this might not even be an issue. 14:30:13 <h01ger> #agreed FD is not only responsible for triaging but also for responding to emails on our mailing list and to IRC questions, so alone for this reason it makes sense to have such a role 14:30:20 <utkarsh2102> I concur with buxy and would also add that we should have a "strict(er)" (virtual) rule to not let people triage packages themselves unless they're at FD!? 14:30:47 * ta agrees with utkarsh2102 14:30:51 <lamby> In the moment it is a little annoying to have wasted the time, but I understand that unless I am git pull'ing every 5 minutes whilst I'm investigating... it's fine. 14:30:59 <el_cubano> What about a script that automatically adds packages to dla-needed.txt with something like a [triage-required] tag? 14:31:29 <buxy> el_cubano: I don't see the point, what are you trying to solve? 14:31:50 <daissi> this will generates a lot of noise, no? 14:32:03 <ta> we are not the only user of that repository, the security might not like so many commits 14:32:14 <OlaLundqvist> I think so too. The lts-cve-triage script is good enough for that. 14:32:17 <el_cubano> It would make both the FD triage (or non-FD triage) and the packaging work itself "documented" in one place. 14:32:25 <Beuc> I'd say redundant with bin/lts-cve-triage.py 14:32:30 <OlaLundqvist> agree 14:32:31 <el_cubano> But the objections are noted. 14:32:36 <OlaLundqvist> :-) 14:32:45 <h01ger> #agreed people should not bypass FD unless the issue is really critical and a timely release is important, or if FD is unresponsive (for more than 24-48h) 14:32:54 <buxy> lamby: I'm not to worried about wasting a bit of time on the frontdesk side, but I'm worried about low quality triage because someone wanted to have work to do on an update they felt confident to handle 14:33:30 <h01ger> #agreed people should not triage packages themselves unless they're at FD 14:33:34 <OlaLundqvist> buxy: Agree. Let us discuss this a little on point 7. 14:33:50 <Beuc> buxy, I don't understand your remark 14:34:14 <h01ger> is there any volunteer to update the README with those agreements? else i'll do (but i'd prefer if you take this work away from me). and anyway i suggest to move on to the next topic, concurrent claims 14:34:29 <h01ger> or is there something still to be discussed about this topic? (FD) 14:34:36 <OlaLundqvist> I can volonteer on this. 14:34:39 <gladk_> I am very new here and have a question. Should every DLA always go through dla-needed.txt-file? 14:34:51 <h01ger> gladk_: please ask that question later 14:35:36 <h01ger> OlaLundqvist: yay 14:35:41 <h01ger> OlaLundqvist: thank you! 14:35:55 <h01ger> #info OlaLundqvist will update the README with the conclusions from the FD topic 14:36:05 <buxy> Beuc: FD has paid time to do "triage", other contributors have paid time to provide updates. For an untriaged CVE-XXXX, a contributor will decide to a DLA to spend his work hours while FD would decide no-dsa... 14:36:28 <Beuc> ok 14:36:47 <h01ger> gladk_: the answer to your question is 'yes'. for the reasons buxy just gave :) (and also to claim a DLA technically) 14:36:59 <Beuc> buxy, though FD can auto-claim and do both ;) 14:37:01 <h01ger> next topic? 14:37:13 <OlaLundqvist> Should we also have a rule that FD should not claim the package on his own? 14:37:47 <Beuc> should be OK with not-too-many-claims? 14:38:34 <h01ger> ok, lets move on. OlaLundqvist, i think FD should also be sensible with claiming packages ;) 14:38:37 <h01ger> #topic concurrent package claims 14:38:46 <h01ger> https://lists.debian.org/debian-lts/2020/03/msg00043.html 14:38:50 <h01ger> was the trigger 14:39:14 <h01ger> i'll now warn (in my weekly semi aytomatic mails) if someone has claimed 3 or more packages 14:39:34 <h01ger> we could also forbid 4 or X packages claimed 14:39:35 <OlaLundqvist> Should the limit be different depending on how many hours you have free? 14:39:44 <h01ger> OlaLundqvist: i dont think so 14:40:11 <h01ger> basically you should not have claimed packages you dont work on 14:40:23 <utkarsh2102> OlaLundqvist: I don't think so either 14:40:25 <buxy> For me concurrent package claims is fine, you often have to interact with others to properly handle a given update. The only problem is claims where nothing is happening and that should already be taken care of with the requirement to update the dla-needed.txt with status data. 14:40:27 <OlaLundqvist> I think we should have a limit. If the person is waiting for something it can be un-claimed with a note what is waited for 14:40:58 <utkarsh2102> Should there be a maximum limit? If so, should it be 3? Or lesser? 14:41:00 <OlaLundqvist> buxy: But you are right, some parallelism is good 14:41:02 <h01ger> all that is why i concluded to warn only... :) 14:41:37 <h01ger> i surely expect pochu to say 'i claimed firefox and thunderbird and X and am waiting because of foo' ;) (and i expect to reply 'fine') 14:41:38 <OlaLundqvist> I think a warning is fair enough. 14:41:49 <Beuc> I think # of claim is an inappropriate metric to regulate pre-emptive claims 14:41:49 <buxy> OlaLundqvist: what for? this is busy work assuming that the person is reactive when they get the answer they wanted 14:41:55 <Beuc> but I don't have another one ;) 14:42:42 <buxy> For me people are complaining of concurrent claims because they are not able to spend their work hours and the response to this is to have more work to do... 14:42:53 <OlaLundqvist> Well sometimes someone is waiting for an answer that someone else can solve easily. 14:43:19 <OlaLundqvist> But yes, I agree on that the problem is that we have too little issues to fix. :-) 14:43:28 <OlaLundqvist> Oh my we are overfunded. :-D 14:43:30 <buxy> We have some documentation on what other work you are allowed to do but few of you are doing anything else than preparing updates. We should likely try to be better structured to always have a list of other things to do... 14:43:33 <h01ger> i'd suggest i'll continue with issuing these warnings and we'll see how it goes in a month or two. and move to next topic now 14:43:56 <el_cubano> buxy: Perhaps we should put some effort toward organizing that list, ensuring new items are added to it, etc. 14:44:00 <OlaLundqvist> h01ger: Sounds like a fair thing to agree on 14:44:14 <h01ger> el_cubano: there is https://wiki.debian.org/LTS/TODO - please contribute 14:44:24 <el_cubano> h01ger: I'll volunteer to undertake that in the next days, if you and buxy agree 14:44:29 <buxy> el_cubano: definitely, I would love to have a list of packages that had security updates and that lack autopkgtest for instance 14:44:41 <h01ger> #agreed h01ger will continue with issuing these warnings and we'll see how it goes in a month or two 14:44:46 <h01ger> el_cubano: sure 14:45:04 <h01ger> #topic Raphael want to discuss the issue of putting LTS hours aside for other projects 14:45:04 <daissi> is it fine to write a DEP-8 tests for packages not supported by sponsors? 14:45:35 <apo> I would also like to suggest that we let team members who are also maintainers of CVE affected packages handle their packages. I find it inefficient when other people handle it 14:45:39 <OlaLundqvist> dassi: I think this question is a topic on its own 14:45:42 <buxy> daissi: as long as they have an history of security updates, I'd say yes 14:45:58 <daissi> thanks 14:46:12 <h01ger> the new topic is "Raphael want to discuss the issue of putting LTS hours aside for other projects. i.e. development projects that would improve the infrastructure and see what would be acceptable to everybody. Could this money reserve be spent to pay a developer not involved in LTS? How would we select projects? Should I select project? do we want a collective process? etc. Some of our problems are due 14:46:12 <h01ger> to contributors having too much time to spend on non-serious issues, we could thus vary the percentage of hours assigned to extra projects to ensure some scarcity and avoid the problems we have." 14:47:08 <h01ger> buxy: ? 14:47:12 <buxy> This is somewhat related to the current suggestion to have more things to do. 14:47:29 <h01ger> what do you want to discuss here+now? 14:47:32 <el_cubano> That may become easier to manage if the LTS/TODO list grows in an organized and manageable way. 14:47:48 <h01ger> el_cubano: yes :) 14:47:56 <ta> we should do the things on our own, I don't think external developers are needed for this 14:48:01 <buxy> Except that some things that we can imagine, like having a staging repository where tests are run and reports are generated, are huge projects, unlike adding DEP-8 tests to a source package. 14:48:29 <OlaLundqvist> buxy and h01ger: When it comes to other things in the TODO list, do we need to get some approval before it is started? 14:48:29 <buxy> So if we want those to happen, we need somehow to put money aside and spent it on larger chunk... 14:49:01 <h01ger> OlaLundqvist: depends on the amount of work. for a 2h thing not, for 20h yes 14:49:10 <Beuc> buxy, do you have a status of what was attempted/done last summer, when there was discussion of doing such infrastructure work? 14:49:14 <el_cubano> I would suggest allowing LTS contributors to first make a proposal for any large task before seeking outside developers. 14:49:23 <Beuc> it would help see what worked / didn't work 14:49:31 <h01ger> OlaLundqvist: i'm watching the diffs of that TODO wiki page, so... 14:50:10 <buxy> Beuc: I'm not quite sure what you are referring to... 14:50:17 <OlaLundqvist> I can add this information to the README when updating it. That it is ok to spend one or a few hours per month on other things in the TODO list but more than that needs approval 14:50:36 <h01ger> OlaLundqvist: i'm pretty sure its already in there 14:50:36 <Beuc> buxy, the work about a django app to run auto-tests, debusine, etc. 14:51:17 <buxy> Beuc: Right, basically it didn't go far due to lack of time on my part. 14:51:22 <OlaLundqvist> Ok it says 20-25% fair 14:52:24 <buxy> el_cubano: and then if we get multiple proposals, who gets to decide? what factors do we use to evaluate the proposal? 14:52:34 <h01ger> buxy: TBH i'm a bit lost where we are discussing this topic. eg more to discuss? action items? put on the agenda for next month again? 14:53:23 * h01ger reminds everyone that these meeting should last an hour and that i will cut it at 90min. 14:53:50 <buxy> yes, let's first answer the basic question. Would you agree if starting from next month, we put 10% aside to be used later in funding a larger infrastructure project? 14:54:03 <OlaLundqvist> I agree 14:54:17 <el_cubano> buxy: Since it's a business decision, I assumed you decide, perhaps with input from h01ger 14:54:27 <ta> if a project is to big to finish in a few hours, it can be broken into smaller chunks ... 14:54:47 * ta agrees to 10% 14:54:58 * el_cubano also agrees 14:55:06 <apo> +1 14:55:07 * h01ger agrees thats sensible. we spent some time doing updates others wouldnt do, so clearly we have too much time 14:55:16 <buxy> ta: yes if you have a project manager doing that work... 14:55:27 <daissi> I agree 14:55:29 <ta> buxy: we have h01ger :-) 14:55:36 <Beuc> h01ger, or others have too little time :) 14:55:47 <h01ger> #agreed starting from next month, we put 10% aside to be used later in funding a larger infrastructure project 14:56:12 * bhe[m] also agree 14:56:16 <ta> otherwise the person making a proposal could do this as well 14:56:28 <h01ger> buxy: anything else to discuss now? or continue this discussion next month? 14:56:29 <utkarsh2102> me too 14:57:19 <lamby> Sounds good. 14:57:45 <OlaLundqvist> Please continue. 14:57:56 <OlaLundqvist> Looks like discussion stopped. 14:58:08 <buxy> Timing is almost over. 14:58:24 <buxy> I'd like to have holger's update on the LTS survey. 14:58:29 <h01ger> well, we agreed to do 90min today max, because this is the first time 14:58:31 <h01ger> so 14:58:35 <buxy> Ah ok, right. 14:58:40 <h01ger> #agreed we continue this discussion next month 14:58:58 <h01ger> #topic create an LTS survey - contributors wanted 14:59:34 <h01ger> i didnt make any progress on this so far, and only (and at least!) utkarsh2102 said he wanted to help 15:00:22 <h01ger> my plan is now to find a date with utkarsh2102 next week to actually write up this survey, then survey the internal lts list whether the survey is sound, and then announce it to the world 15:00:23 <el_cubano> I must have missed the discussion. What is the nature of the survey? 15:00:28 <ta> hmm, I seem to have missed something: what is a LTS survey? 15:00:30 <utkarsh2102> \o/ 15:00:44 * ta is not alone :-) 15:00:50 <daissi> same here :-) 15:01:08 <h01ger> el_cubano: whats working well with lts, whats working not so well, wishlist bugs etc. - LTS is 6 years old now and we have no systematic understanding what people (dis)like about it 15:01:18 <h01ger> ta: daissi: ^ 15:01:18 * el_cubano nods 15:01:23 <ta> ah, ok 15:01:31 <daissi> ok 15:01:31 <h01ger> we discussed this on the list some 6 weeks ago or so 15:01:47 <h01ger> so, any other volunteers? please ping me 15:01:58 <buxy> h01ger: is that also a mean to get feedback from the security team? 15:02:08 <h01ger> yes 15:02:12 <el_cubano> I'll go find the discussion and follow-up after reviewing the details. 15:02:25 <h01ger> buxy: and release team, and ftp team, bugs owner 15:03:18 <buxy> is restricted to other teams or do you expect users to respond too? 15:03:25 <h01ger> #info this should be a survey whats working well with lts, whats working not so well, wishlist bugs etc. - LTS is 6 years old now and we have no systematic understanding what people (dis)like about it. target audience for the survey are sponsors, non sponsoring lts users, fellow debian developers, esp security team, ftp team, bts owners, etc 15:03:40 <h01ger> buxy: its open to all 15:03:43 <buxy> ok 15:04:02 <h01ger> ok, next topic then 15:04:10 <lamby> :) 15:04:13 <h01ger> #topic Ola wants to discuss triaging practices and how to judge different type of packages 15:04:34 <h01ger> i recall jmm wrote something about this 15:05:21 <OlaLundqvist> One problem is that this may affect the "normal" debian security team so maybe they should be involved in this discussion too. 15:06:19 <h01ger> (i'd just call them the debian security team, as thats what they are and what they call themselves. we are the LTS team, easy enough distinction :) 15:06:30 <OlaLundqvist> :-) 15:06:31 <Beuc> a quick note about "(it is sometimes a little odd to see that LTS get updated while the regular security team judge it as no dsa with comment "Minor issue")": 15:07:32 <ta> no-dsa does not mean that this package gets no update 15:07:36 <apo> I think we can have a different opinion sometimes, they use "Minor issue" fairly often 15:07:56 <ta> if enough no-dsa are accumulated an update might be appropriate 15:08:03 <Beuc> security team do the triaging and doesn't do most uploads - packagers do. So when they mark "no-dsa" it's basically up to maintainer to do an update nonetheless, or do it in a point release. We do the triaging and the uploads, so we can make a more precise decision. 15:08:31 <daissi> When triaging, should we consider the fact that a package is in the packages-to-support list? 15:08:35 <h01ger> i think we should try not to have a different opinion than the debian security team. 15:08:48 <el_cubano> +1 15:09:01 <Beuc> h01ger, it's not a different opinion, it's a matter of delay 15:09:10 <h01ger> (we might to a DLA where they dont do a DSA, but the severity/impact should ideally have the same assessment) 15:09:17 <ta> daissi: such packages should be updated first 15:09:19 <h01ger> Beuc: i know :) 15:09:27 <OlaLundqvist> I think that, generally, we should have same opinion as debian secruity team. However it is quite often so that LTS front desk do triaging first. 15:09:29 <el_cubano> Also, perhaps one of the FD duties should involve reviewing packages with accumulated no-dsa entries to determine if an update is needed for LTS. 15:09:39 <el_cubano> Especially, since there are no LTS point releases. 15:09:42 <lamby> h01ger: Just found it, in the "security upload imposing load on other parts of Debian" thread which links to https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory 15:09:58 <h01ger> lamby: thanks 15:10:06 <h01ger> #info https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory 15:10:08 <el_cubano> lamby: Thanks. I was looking for that in the lxc thread and couldn't locate it. 15:10:08 <lamby> #link https://lists.debian.org/debian-lts/2020/03/msg00013.html 15:10:08 <daissi> ta: ok 15:10:16 <lamby> h01ger: *g* 15:10:20 <lamby> #info https://lists.debian.org/debian-lts/2020/03/msg00013.html 15:10:39 <h01ger> OlaLundqvist: ^ if you could add this link to the README while at it... that would be much appreciated ;) 15:10:48 <h01ger> (the security.d.o link) 15:10:58 <OlaLundqvist> If an issue has been classified as minor should mean that it is not really that important to fix it. Would it change if we have many such? 15:11:08 <OlaLundqvist> holger: will do 15:11:11 * h01ger would like to close this topic, we still have 3 more and 18min left and 2 of the upcoming topics are also larger 15:11:15 <h01ger> OlaLundqvist: thank you! 15:11:27 <OlaLundqvist> Sore we can continue discussing next month 15:11:35 <OlaLundqvist> s/Sore/Sure/ 15:11:52 <Beuc> We can discuss this on the mailing list too if you've got questions. 15:12:02 <h01ger> if we can move this to the list, i think this would be better 15:12:09 <Beuc> Let's not discuss EVERYTHING in the next meeting ;) 15:12:11 <h01ger> else next months meeting agenda will be very long again 15:12:13 <h01ger> that 15:12:27 <OlaLundqvist> I'll start a mail thread about this. 15:12:27 <h01ger> Beuc: can you move this discussion to the list? 15:12:28 <Beuc> haha 15:12:39 <h01ger> OlaLundqvist: 👍 15:12:53 <h01ger> #topic Roberto wants to discuss embargoed issues 15:12:57 <Beuc> OK. I have some material to copy/paste already. 15:13:07 <h01ger> "Roberto wants to discuss embargoed issues in order to understand proper etiquette around handling of embargoed issues. Apparently, we have an LTS embargo team and there are issues being handled outside the view of other LTS contributors. As we contributors become more aggressive in self-triaging, this has the potential to cause some problems." 15:13:26 <h01ger> as far as i know, we dont get informed about embargoed issues. end of the story. 15:13:35 <buxy> not true 15:13:35 <h01ger> please correct me if wrong :) 15:13:46 <el_cubano> h01ger: ta mentioned to me that he is part of the LTS embargo team 15:13:52 <h01ger> oh 15:13:52 <el_cubano> It made me think we had such a team 15:14:16 * h01ger stands corrected and waves with his fool hat 15:14:21 <buxy> We have an emails with ta and bwh on it. And the security team can copy them with information about embargoed security updates. 15:14:23 <ta> yep, we sometimes get infomations about embargoed issues 15:14:45 <ta> this happens about two or three times a year 15:14:56 <h01ger> #info there's an LTS embargoed issues alias with ta and bwh on it 15:15:03 <el_cubano> ta: So, perhaps not often enough to worry about. 15:15:13 <h01ger> el_cubano: i think so 15:15:14 <buxy> #info https://wiki.debian.org/LTS/Contact#Email_alias_for_private_exchanges 15:15:20 <h01ger> next topic? 15:15:31 <ta> el_cubano: yes 15:15:38 <el_cubano> h01ger: yes, please 15:15:42 <h01ger> #topic new upstream versions - our policy 15:16:01 <h01ger> i think our policy for new upstream versions should be the same as for stable / normal security updates 15:16:17 <OlaLundqvist> Yes almost 15:16:24 <h01ger> (so frowned upon in general) 15:16:34 <h01ger> OlaLundqvist: where do you see deviations? 15:16:42 <OlaLundqvist> Some packages (like spamassassin) need more regular updates. 15:16:49 <h01ger> OlaLundqvist: same in stable 15:16:59 <OlaLundqvist> That is handled in (previously named) volatile. Or is that part of stable now? 15:17:09 <h01ger> OlaLundqvist: yes. its called stable-updates 15:17:27 <utkarsh2102> yep. I wouldn't want to introduce a new upstream version unless very critical 15:17:35 <OlaLundqvist> Ok, so we have same policy as stable security and stable updates 15:17:40 <h01ger> stable/updates are security updates while stable-updates is what used to be called volatile 15:17:55 <buxy> There might be cases where it makes sense. 15:17:55 <el_cubano> No chance of confusion there /s 15:18:03 <h01ger> el_cubano: *g* 15:18:13 * bhe[m] looking for the security team's policy on new upstream version. 15:18:14 <lamby> (Does non-LTS security update firefox to new upstream versions?) 15:18:22 <h01ger> lamby: yes 15:18:30 <buxy> I mean when some packages are no longer supported and no longer supportable, switching to a new upstream version might be better than saying EOL. 15:18:41 <el_cubano> yes, along with openjdk, mysql (when it was in stable), t-bird, and a few others 15:18:48 <OlaLundqvist> There can be exceptions when we are forced to go for an upstream version because upstream have ceased its support. 15:18:56 <OlaLundqvist> exactly. 15:19:03 <bunk> buxy: An upper limit is in any case that the version has to be < than what is in the next stable release. 15:19:11 <h01ger> i dont think we should go for new upstream versions if stable didnt do that 15:19:34 <OlaLundqvist> But generally we should be as relaxed as the combination of stable/updates and stable-updates combined. 15:19:43 <buxy> In particular if you think that you want to continue to provide updates in Extended LTS... 15:19:47 <h01ger> eg something which is not updated to a new upstream version now should not get a new upstream version in 2 months when stretch becomes LTS 15:19:49 <buxy> bunk: yes 15:20:02 <h01ger> for eLTS i see things more relaxed than for LTS 15:20:30 <lamby> Was this issue raised because there is a package that we are unsure about, or was it more of a general enquiry? I wouldn't want the former question to be lost. 15:20:36 * OlaLundqvist conclude that all people seems to agree. 15:20:50 <buxy> but if you declare some packages EOF during the LTS timeframe because you refused to jump to a new uptsream version, it doesn't make sense to reintroduce support later either 15:20:51 <h01ger> #info we need to discuss and document deviations from that general rule though 15:21:19 <h01ger> time is just out in 8min and we have another topic left 15:21:28 <OlaLundqvist> Please go to next topic. 15:21:32 <h01ger> and personally i feel to rushed 15:21:36 <Beuc> Usually deviations are case-by-case and discussed on ML. 15:21:42 <h01ger> if someone wants to shift this discussion to the list, please do 15:21:47 <OlaLundqvist> Should I document something in README? 15:21:56 <h01ger> else we can let it rest here 15:22:06 <OlaLundqvist> But we can take it off the meeting. Please contine with next topic. 15:22:17 <h01ger> OlaLundqvist: maybe 'general rule' as discussed above and 'please discuss exceptions on the list first' 15:22:23 <OlaLundqvist> Will do 15:22:26 <h01ger> superb 15:22:33 <h01ger> #topic any other business 15:23:10 <h01ger> one suggested topic is 'yearly LTS sprints', which i think is a great idea, but which i also think we can postpone discussing at least as long as some of us are not allowed to leave their houses... 15:23:40 * utkarsh2102 nods 15:23:44 <Beuc> on-site sprints then? 15:23:45 <OlaLundqvist> Haha, yes we can postpone this topic when it becomes more relevant. 15:23:49 <h01ger> #info yearly LTS sprints: we should do them, once its practical again to do them 15:23:50 <ta> apropos nothing to do: while doing FD last week I stumbled upon CVEs that are marked as no-dsa for Jessie but are fixed in Wheezy and Stretch. As they are even fixed in Stretch, the no-dsa rating might not be correct anymmore. I would suggest to work on such packages as well ... 15:23:55 <h01ger> any other business 15:24:20 <el_cubano> Since I missed tagging this earlier: 15:24:21 <el_cubano> #action el_cubano (Roberto) to review/improve/updated/expand https://wiki.debian.org/LTS/TODO 15:24:24 <buxy> what's the idea of the sprint? meet IRL or work together for longer online? 15:25:04 <h01ger> a sprint before the debian-sprint before fosdem 2021 could work. or after fosdem. or at another time. 15:25:06 <utkarsh2102> (and maybe the big project you were discussing earlier) 15:25:07 <el_cubano> The sprints might good for at least the initial phases of larger tasks; in person or online would work 15:25:52 <h01ger> we could do a sprint at the minidebconf-online end of May 15:26:23 <h01ger> we also will end this meeting in 3min :) so if you have anything else to comment... do it now :) 15:26:38 <Beuc> Related to #5 / 10%-for-tasks then? 15:26:45 <lamby> Nothing here, beyond thanks for organising this. I enjoyed it and feel more connected to the rest of the team. :) 15:26:46 <h01ger> Beuc: ? 15:26:46 <OlaLundqvist> Looks like we do not have the time to finish this topic. 15:27:02 <OlaLundqvist> Yes really good that we have this meeting. 15:27:25 <Beuc> h01ger, sprint -> larger tasks -> topic #5 15:27:35 * h01ger is also happy how this meeting worked out 15:27:40 <h01ger> Beuc: ah 15:28:25 * buxy .oO (we need to put another 10% aside to fund travel for sprints !?) 15:28:52 <Beuc> That was not what I had in mind. 15:29:05 <h01ger> Beuc: i'd also see it as an opportunity to work together on other (LTS and other debian) tasks and to get to know each other better (which will improve working together later) 15:29:19 <h01ger> buxy: heh, touche! 15:29:31 <h01ger> so, thank you all for attending! 15:29:32 <buxy> Beuc: I know, but that's what in my head, while I like the idea of sprints, I'm not sure we can afford them. 15:29:40 <h01ger> o/ 15:29:43 <Beuc> o/ 15:29:47 <gladk_> thank you 15:29:48 <buxy> thanks h01ger, well done 15:29:54 <ta> byebye everybody 15:29:58 <OlaLundqvist> See you o/ 15:29:58 <daissi> thanks h01ger 15:30:04 * utkarsh2102 hopes everyone is doing well and keeping themselves safe 15:30:18 <h01ger> #endmeeting