Tuesday, 2025-03-25

fungiOpenInfra Summit Europe will be October 17-19, 2025, at École Polytechnique near Paris, France: https://openinfra.dev/blog/openinfra-summit-202513:48
fungitell your friends!13:49
opendevreviewElod Illes proposed openstack/openstack-manuals master: WIP: [www] Update project data of 2024.2 Dalmatian  https://review.opendev.org/c/openstack/openstack-manuals/+/94546114:11
opendevreviewElod Illes proposed openstack/openstack-manuals master: [www] Update project data of 2024.2 Dalmatian  https://review.opendev.org/c/openstack/openstack-manuals/+/94546115:32
noonedeadpunkfungi: oh, nice!16:23
noonedeadpunkoh, it's quite a nice place - as it;'s same as was for openinfra days last year16:26
noonedeadpunkthough transport to location is gonna be quite tough 16:27
clarkbyou can take a train to a hiking trail that takes you there16:37
clarkbget your workout in the morning and evening16:37
noonedeadpunkoh, yes, I did almost that, except it was a bike16:37
noonedeadpunkand it was really nice, as it was mid-May16:37
clarkbnice16:38
fungii bet mid-october will be similarly pleasant weather16:41
* noonedeadpunk fingers crossed16:46
fricklertc-members: doc update for release related docs updates that should be done for each release https://review.opendev.org/c/openstack/releases/+/945348 , just fyi16:48
bauzasfungi: well, Parisian weather in mid-october is not what I call 'pleasant'16:52
bauzasgo visit the Alps :p 16:52
fungioh, too warm?16:52
noonedeadpunkalmost 16:53
bauzasumbrellas are expected16:53
noonedeadpunktoo wet I'd guess16:53
noonedeadpunkbut there's a chance for it to bee good16:53
bauzasbut with the global weather change, this is always flipping 16:53
clarkbif its like here then october is very much the transition month where summer fades away and fall winter show up16:53
bauzasat least, I'm more than happy to ride by train to see a Summit, my carbon credit enjoys it :)16:54
fungii remember our first paris summit i got into town just before toussaint and found the weather to my liking, though this time will be a couple of weeks earlier than that16:54
bauzasparis summit weather was indeed surprinsly good16:54
bauzasI remember it, but this was raining one day if I recall correctly16:55
bauzasanyway, this is North of France, don't expect a pleasant autumn :)16:55
* bauzas living close to the 45° meridian, everything headed north is basically North to me :)16:56
fungirain doesn't bother me. i'm about 60% water already16:56
noonedeadpunkit can be fine, I'd say - I was very lucky once at almost same timeframe in Brussles, but they have very alike weather afaik16:56
bauzasoh, doh, s/meridian/latitude16:57
bauzasmy brain is so fried16:57
bauzasx != y16:57
bauzas(or rather, r, θ)16:58
bauzaserr, θ != φ16:59
gouthamrtc-members: gentle reminder that our weekly IRC meeting will be held here in ~54 minutes17:06
opendevreviewMerged openstack/openstack-manuals master: [www] Setup 2025.2 Flamingo and add project data to Epoxy  https://review.opendev.org/c/openstack/openstack-manuals/+/94531817:24
opendevreviewMerged openstack/openstack-manuals master: [www] Update project data template  https://review.opendev.org/c/openstack/openstack-manuals/+/94535417:24
gouthamr#startmeeting tc18:00
opendevmeetMeeting started Tue Mar 25 18:00:52 2025 UTC and is due to finish in 60 minutes.  The chair is gouthamr. Information about MeetBot at http://wiki.debian.org/MeetBot.18:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.18:00
opendevmeetThe meeting name has been set to 'tc'18:00
gouthamrWelcome to the weekly meeting of the OpenStack Technical Committee. A reminder that this meeting is held under the OpenInfra Code of Conduct available at https://openinfra.dev/legal/code-of-conduct.18:01
gouthamrToday's meeting agenda can be found at https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee18:01
gouthamr#topic Roll Call18:01
bauzas\o18:01
spotz[m]o/18:01
gtemao/18:01
frickler\o18:01
noonedeadpunko/18:01
mnasiadkao/18:02
gouthamrcourtesy-ping gmann cardoe18:03
gmanno/18:03
gouthamralright, its that magical time of 18:05 UTC, lets get started.. 18:05
gouthamr#topic Last Week's AIs18:05
gouthamrwe had a couple of things:18:07
gouthamr1) take operator engagement concerns to the PTG18:07
gouthamrwe added a topic to the etherpad:18:07
gouthamr#link https://etherpad.opendev.org/p/apr2025-ptg-os-operators18:07
bauzas+118:07
* gouthamr hopes that's the etherpad we'd use :) either case, save the date if you can attend: 18:07
gouthamr17 UTC on Friday April 1118:07
gouthamr2) TC meeting time poll 18:08
gouthamr#link https://framadate.org/os-tc-2025-218:08
gouthamrcardoe and spotz[m] haven't weighed in here18:09
spotz[m]Dang though I had hang on18:09
gouthamrokay, we can visit this topic at the end of this meeting18:10
gouthamrthat's all the AIs i was tracking, was anyone else working on anything?18:10
spotz[m]Ok looking at my current meeting schedule it's bad:( But might be different after Kubecon18:12
gouthamr#topic PTG Planning18:12
gouthamr^ a reminder to add topics to the etherpad here:18:12
gouthamr#link https://etherpad.opendev.org/p/apr2025-ptg-os-tc (OpenStack Technical Committee vPTG etherpad) 18:12
cardoesorry got stuck on a call.18:13
gouthamri'll slot these into specific times next week.. i'm hoping to get a split of topics that are good for the community to attend/participate in, and regular business where we'd take whatever participation we can get18:14
gouthamrack cardoe, please do fill out https://framadate.org/os-tc-2025-2 18:15
cardoedoing it now18:15
spotz[m]I'll be PTO that week18:15
gouthamr++ i've noted that about you and mnasiadka18:15
gouthamrplease feel free to add topics nevertheless if you think one of us can seed the discussion 18:16
mnasiadkaYeah, I'll be in NZST timezone that week18:16
gouthamr#topic A check on gate health18:20
gouthamrany CI updates to share this week?18:20
fricklerubuntu kernel bug breaking jobs in neutron and kolla18:20
clarkbthe same issue that hit jammy in december18:20
fricklerwe reverted to an old noble image and stopped rebuilds, so we are fine for now18:20
clarkband setuptools 78 rolled out breaking changes that broke many people though impact to openstack seemed minimal. They rolled back the change and now there is much discussion in python land about how to move forward18:21
clarkbit is a good reminder that our packages should convert -'s in metadata names to _'s though18:21
gouthamrah, ty for both these updates.. 18:21
mnasiadkaWe managed to do it in Kolla before they did a revert, so maybe they did succeed ;-)18:21
noonedeadpunkjust seen a couple of timeouts last week which were not there for quite some time18:23
fungithe centos 9 mirror was broken (sync'd an inconsistent state from an upstream mirror) for a few hours yesterday too18:24
gmannone thing to update, devstack/grenade/tempest setup for new stable/2025.1 and current master is almost done. main setting are merged but a few more things are in gate 18:25
gmann#link https://review.opendev.org/q/topic:%22qa-2025-1-release%2218:25
gouthamrclarkb: my very quick search on codesearch.o.o shows me that all openstack setup.cfg files are fixed up, there is some boilerplate/tests/examples that need to be addressed.. i see lots of fixes possible for the non openstack/ though: like, https://opendev.org/zuul/zuul-jobs/src/branch/master/setup.cfg18:27
clarkbgouthamr: ya an in theory pbr is doing the conversion for us but then setuptools did its own validation again and exploded18:28
clarkbwhich is like we tried to do the right thing the easiest way possible and they broke us anyweay18:28
clarkbgouthamr: within openstack I guess the problems were all in dependencies18:28
gouthamr++18:29
fungiwell, and the aforementioned kolla patch18:30
gouthamrty for all the updates, the grenade one is important, and nice to knock it off as soon as the cycle begins 18:30
gouthamr#topic TC Tracker18:31
gouthamr#link https://etherpad.opendev.org/p/tc-2025.1-tracker (Technical Committee activity tracker - 2025.1)18:31
gouthamrfrickler++ on the war footing merges last week :D 18:32
frickleryes, sadly even more zuul config errors now, need to do some follow ups18:33
gouthamr#link https://review.opendev.org/c/openstack/releases/+/942218 (Yoga EOL) 18:33
gouthamr#link https://review.opendev.org/c/openstack/releases/+/942201 (Xena EOL) 18:33
gouthamr#link https://review.opendev.org/c/openstack/releases/+/941458 (Wallaby EOL)18:33
gouthamrah.. yes, we couldn't know if we didn't start cleaning up18:33
frickleralso no progress afaict on cleaning up issues for the things we did not eol18:34
gouthamrack18:34
gouthamrthese are repos that have (un) maintainers.. i suppose we can narrow things down at the PTG18:35
gouthamri'll go down the list and seek updates, because we'll close this etherpad and create a new tracker at the PTG18:36
gouthamrhttps://etherpad.opendev.org/p/tc-2025.1-tracker 18:36
gouthamrplease share any updates if you'd like on items that you've been tagged with18:36
gouthamranything else on the tracker?18:37
gouthamr#topic Open Discussion and Reviews18:37
gouthamr 18:37
* gouthamr copy-pastes from teh agenda18:37
gouthamrNon-auditable process of skyline releases, ie: https://opendev.org/openstack/openstack-ansible-os_skyline/src/branch/master/tasks/skyline_install_yarn.yml#L126-L127 That is a result of building static files with yarn, but potentially it should be completely offloaded to Zuul to prevent malicious code injection during such manual patches.18:37
fungiyeah, i recall we discussed it in #openstack-infra recently at length18:39
fungipep 770 will in time provide a mechanism for recording sboms as static data files shipped in sdists/wheels18:40
mnasiadkaFWIW I don't think we're building static files with yarn in kolla - but I haven't used skyline really. frickler do you have any... experience?18:40
fungithere's a yarn plugin apparently to auto-generate cyclonedx sboms18:40
noonedeadpunkwell we do in osa18:41
fungibut also, a short term stop-gap would be to amend the manifest to include the yarn.lock file used at build time18:41
noonedeadpunkbut the biggest problem is that they do a human made patch for the realease of the amount that is non-verifiable18:41
fricklerI never did that18:41
bauzasI have no context either so far18:42
clarkbnoonedeadpunk: patch of what? Sorry I don't understand what is being patched18:42
noonedeadpunkand that is actully somehow reminds me of xz being compromised in an alike way18:43
noonedeadpunk#link https://review.opendev.org/c/openstack/skyline-console/+/94506518:43
fungibauzas: the larger problem is that we have openstack projects (horizon does it too) shipping embedded copies of random libraries developed outside openstack, and these are not easily inspected or tracked for updates, often falling well out of date and including known vulnerabilities, which our users of those files are not notified about in any way18:43
noonedeadpunkso they do prepare it for releasing skyline-console so that it was containing the rightfully built content18:43
clarkboh they are committing the build artifacts into the repo. they shouldn't do that either way18:43
noonedeadpunkyup...18:44
clarkbbutthen I agree that is the same sort of vector used by xz. Use opaque gzip data as the transport layetr18:44
fungiyeah, the more narrow problem in skyline is that they're committing compiled versions of those libs into git, not even doing it automated at build time18:44
gmannIf i am recalling correctly but isn't that one of the things to check when skyline project status changed from emerging to active projects ?18:45
bauzasI see, a security attack vector indeed 18:45
noonedeadpunkSo sorry if I mislead by original description18:45
noonedeadpunkno I think we totally missed the process18:45
gouthamrgmann: not the same issue: https://review.opendev.org/c/openstack/governance/+/924109/comments/510391ea_9cf4bc3818:47
gmanngouthamr: I mean we missed to check this in that change. I think that was one of the thing we discussed to take it as emerging project and not active18:47
gmannand one of the few things they should solve before becoming the Active project18:48
bauzaslooks important indeed18:48
fricklerwell we made it active, didn't we?18:48
gmannyes, we made it active18:50
noonedeadpunkI think we did18:50
gmannthis is good email thread I found where fungi mentioned all points for skyline team to solve18:51
gmann#link https://lists.openstack.org/pipermail/openstack-discuss/2021-December/026254.html18:51
spotz[m]cardoe: I know you all are using Skyline, is this something you all could possible help with?18:51
spotz[m]My thought maybe they just need help and guidance to resolve this18:52
cardoeI've really wanted our folks to get involved.18:52
fungiit's wholly possible i missed things though, i had limited available time to audit the state of their projects18:55
noonedeadpunkso I guess it's a question now on how we should proceed with this, given that project was made active18:55
noonedeadpunkas apparently this is a case for TC to step in a way18:55
clarkbstep 0 might be trying to reproduce what was built18:55
bauzasShould we signal it ?18:55
fungilooks like i didn't bring up any of the javascript content at all18:55
clarkbif that chceks out then the risk is probably low and they can work to fix in the next cycle18:55
clarkbif that doesn't check out then you have bigger questions18:55
bauzaslike a disclosure 18:56
fricklerpretty likely yarn builds are not reproducible bit-by-bit like when deps got updated, what then?18:57
clarkbfrickler: they should have a lockfile and the diff should probably be minimal if using the same version of the lock?18:58
clarkbI mean its effort and I'm not signing up myself for this. But I think it is one path forward18:58
mnasiadkaLooking at the brief list of items from this Dec 2021 thread - shouldn't there be a resolution that this is the framework that all projects need to comply with? (briefly the list that fungi mentioned there and probably some more)18:58
fungiwe have a list:18:59
fungi#link https://governance.openstack.org/tc/reference/new-projects-requirements.html Requirements for new OpenStack Project applications18:59
fungibut it could certainly stand to be improved18:59
gouthamrwe're at the hour, but we can close out with this topic19:01
bauzasplease yeah19:01
gouthamrcan someone take a stab at bringing this issue to the ML?19:01
gouthamrwe've struggled to get conversations going with skyline contributors on the ML/IRC, but, i can't think of a better way to have a public discussion on something that's not a code change19:02
gouthamrwe'd do this also to bring attention to deployers/distros and operators apart from the contributors19:03
fungii think project leaders have reached out to them through wechat in the past19:03
noonedeadpunkwell, I can try to reproduce the process, sure, as we do perform yarn build in osa19:03
fungimight at least be able to give them a heads up that it's being discussed19:03
fungi(and where, in case they want to participate in the discussion)19:04
gouthamrwe can alert them wherever to come respond to the ML :D 19:04
gmannI think language is also one of the challenge for them to be less active on ML19:05
gmannat least to read a lengthy emails or so19:05
gouthamryes, we need this to be broken down into problem and suggestion to be helpful.. i think we've identified problems with them in the past, and they don't know what they'd do to fix it? or they may not understand why they should care.. 19:06
bauzaslanguage is a barrier for many of us :-)19:07
gouthamralright, 7 minutes over, don't mean to keep us on this.. let me end the meeting so we can chat async about this19:08
gouthamrthank you all for attending19:08
gouthamr#endmeeting19:08
opendevmeetMeeting ended Tue Mar 25 19:08:14 2025 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)19:08
opendevmeetMinutes:        https://meetings.opendev.org/meetings/tc/2025/tc.2025-03-25-18.00.html19:08
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/tc/2025/tc.2025-03-25-18.00.txt19:08
opendevmeetLog:            https://meetings.opendev.org/meetings/tc/2025/tc.2025-03-25-18.00.log.html19:08
gouthamrfungi: do you recall when the discussion happened on #openstack-infra, or have a handy way to search? 19:08
fungigouthamr: sorry, it was a related discussion about security concerns with horizon's continued reliance on xstatic packages: https://meetings.opendev.org/irclogs/%23openstack-infra/%23openstack-infra.2025-03-13.log.html#t2025-03-13T19:36:5719:11
gouthamrah! ty fungi 19:11
fungias for skyline, picking a random example https://opendev.org/openstack/skyline-console/src/branch/master/skyline_console/static/base.bundle.1663167892.js.gz doesn't seem to have been updated in almost 3 years19:12
mnasiadkaLooking at Gerrit they do seem to be active, maybe it's just a matter of guidance and reaching out to them using the proper medium (but also that should be documented somewhere in skyline docs - currently there's nothing how to reach the project maintainers)19:12
gouthamrmnasiadka: https://docs.openstack.org/skyline-console/latest/contributor/contributing.html 19:14
gouthamrsome "default content" adapted to their context19:15
gouthamrthere are three core developers, all from 99cloud, and you can get their emails from the gerrit group linked.. but besides, they note that there is no weekly meeting, and IRC is their primary method of communication (it isn't)19:15
gouthamrwu_wenxiang checks IRC messages though19:16
fungiyeah, when i pinged wu_wenxiang about release highlights in #openstack-skyline i did get an "ok" a few days later19:17
fungi(though still no release highlights, sadly)19:18
gouthamryes, that's the last encounter i see19:19
gouthamras you stated, this issue is shared with horizon - i see sean-k-mooney and tmazur chatting on #openstack-horizon as well, identifying the old old js/xstatic content and working on it as tech debt.. 19:23
fungialso zuul has some similar challenges i want to find a way to solve19:24
fungiwhich got a mention in the #openstack-infra discussion19:24
gouthamrspotz[m]: missed saying this during the meeting, please share availability for a generic week on https://framadate.org/os-tc-2025-2 .. it'd be after you return in the next month21:20
gouthamrsince the meeting time we pick will last until the end of this release 21:21
spotz[m]Besides the one I did during the meeting?21:21
spotz[m]dangit! It's not there21:21
spotz[m]Ok third time is the charm gouthamr ! Right now I've got a ton of meetings, some of them might shift after Kubecon but no guarantees21:23
gouthamrtyty :) 21:24
spotz[m]I think my issue was hitting the button on the bottom of the page vs under my name21:24
gouthamrokay, its between 1700 UTC where we won't have cardoe or 1800 UTC where we won't have gtema 21:24
gouthamrand both on Tuesday21:24
spotz[m]So basically same day and timish21:25
cardoeI’ll see if I can adjust.21:25
spotz[m]I'd say we could rotate but that gets confusing and folks miss it because they show up at the wrong time21:25
gouthamryes :( 21:26
gouthamrcardoe++ i think it'd ease the EU folks' pain a teeny-bit to set this meeting to 1700 UTC on Tuesdays 21:28
cardoeJust gonna have to21:29
cardoeFirm push at folks. It’s EU folks at work that are the problem21:29
cardoe For me. Wrecking my calendar.21:29
cardoeWhich is what happened today.21:30
spotz[m]I would confirm with them, some like to have family/dinner time with that earlier slot and others don't want to stay up later working:( It's kind of why I do a broken up day to try to be everywhere21:30

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!