20:32:45 #startmeeting requirements
20:32:46 Meeting started Wed Feb 13 20:32:45 2019 UTC and is due to finish in 60 minutes. The chair is prometheanfire. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:32:47 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:32:49 The meeting name has been set to 'requirements'
20:32:49 #topic rollcall
20:33:01 ping tonyb, prometheanfire, number80, dirk, coolsvap, toabctl, smcginnis, dhellmann
20:33:04 o/
20:33:23 \o
20:34:12 will wait a min
20:34:25 could be a quick meeting ;P
20:35:37 ya
20:35:46 #topic issues in the queue
20:35:56 just needs votes for stable stuff
20:36:23 Yup I'll do them today
20:36:24 * prometheanfire would like it if people could check the queue at least once a week
20:36:28 thanks
20:36:37 these are less than a week old though
20:36:47 I'll also send the email about publishing constraints
20:37:12 oh? email needed?
20:37:41 prometheanfire: the one you're doing a good job of nagging me about ;P
20:38:27 tonyb: blame todoist :P
20:39:08 #topic requests updates in stable branches
20:39:36 This is a pretty big and risky change as it's proposed
20:39:43 I think https://storyboard.openstack.org/#!/story/2004979 is basically a drive by
20:39:48 I asked if we can get backports
20:39:52 ya
20:40:23 is sigmavirus a requests core? can we leverage him to do a thing?
20:40:46 I could try asking
20:40:59 and check if they even have stable branches
20:41:12 next?
20:41:19 I think so
20:41:31 #topic ptg/summit
20:41:38 still no confirmation here
20:42:01 we haven't usually worried about raising mins for bugs on libs in stable branches in the past, have we?
20:42:09 I think we'll have a requirements-lib session at the forum, and then a follow-up at the PTG
20:42:18 there was an email with a list of the teams that had space
20:42:30 I did book wedding stuff so I can make it to the ptg part (fly back tuesday, can fly out wednesday)
20:42:42 dhellmann: IIRC we opted for 'hallway / adhoc' space at the PTG
20:42:52 ok, I wasn't sure what prometheanfire meant about confirmation
20:43:11 tonyb: that can work
20:43:19 I've responded that reqs people will be there
20:43:23 dhellmann: I think he means from $employer in terms of funding
20:43:25 will probably get a day slot for it
20:43:30 tonyb: yep
20:43:46 aha
20:43:56 * dhellmann has no insight there
20:44:33 :D
20:44:48 yep, I should know soon though
20:45:35 who else is going?
20:45:39 o/
20:45:49 I have a ticket, but haven't booked anything else yet
20:46:11 So requests don't do stable branches and sigmavirus is a core
20:46:26 not surprising
20:46:28 * tonyb has booked flights/hotel and summit pass
20:46:41 I don't think I can do more than that at this point ;p
20:46:49 it's a bit early to pack
20:47:00 dhellmann: Only a little ;P
20:47:22 dhellmann: but I do have my 'travel box' accumulating stuff to pack ;P
20:47:24 although I knew a guy once who went on enough trips that he just kept a bag packed all the time
20:47:33 ergh :/
20:47:40 I knew a support guy that did that
20:47:48 heh, not that bad
20:47:52 'cause he'd often get very little notice
20:47:54 * dhellmann would not want that life
20:47:58 yeah
20:48:03 depends, pay me enough
20:48:38 prometheanfire: ask your fiancé about that
20:48:43 so, for the security thing, are we capped in those stable branches?
20:49:08 well, not now, but before :P
20:49:18 dhellmann: no but the jump from 2.12 -> 2.20 is pretty big and requests used to break stuff in minor releases
20:49:18 yeah :-)
20:49:37 right, I'm suggesting we not change anything in our setup at all
20:49:56 if we're not capped, then we're not telling anyone they can't use something newer -- it might not work, but that's not on us
20:50:17 dhellmann: We can probably reach out via VMT to find security contacts and get them to test $projects against the proposed update
20:50:26 we could always try raising the constraint in that branch as a test, but we don't do that for other things that don't break our gate
20:50:36 ya, the diff between those versions is a bit big
20:50:40 dhellmann: true, downstream is free to upgrade and/or backport
20:50:42 we can test it of course as well
20:50:51 dhellmann: I was thinking about our gate etc
20:51:07 right, if someone comes around and says "in order to make these stable branches work with 2.20 we need this patch" then we have a useful update to consider
20:51:12 just raising the minimum doesn't seem useful
20:51:51 so I would reject the current patch with that explanation, and wait for further communication
20:53:08 so... next steps, test an update?
20:53:30 what's motivating us to update anything?
20:53:36 CVE
20:53:48 if it was not a CVE, we wouldn't?
20:54:00 update a stable branch? correct
20:54:04 dhellmann: correct
20:54:11 security updates are one of the exceptions
20:54:25 but it's not JUST security :|
20:54:27 I could see removing an exclusion or cap. I don't think we need to raise the min.
20:55:05 I don't think we need to raise the minimum at all, but upping u-c is something we should do
20:55:20 Do we expect this CVE to cause issues for us in the gate?
20:55:31 tonyb: agreed, test the uc bump (and cap removal if needed) but don't bump min
20:55:34 the CVE specifically no
20:55:53 prometheanfire: I don't think there are any caps to remove
20:56:04 Then what about the nature of this bug means we want to treat it differently? Just because it's security related?
20:56:26 dhellmann: Yes
20:56:41 yes, it's one of the criteria in evaling stable branch reviews
20:57:45 #topic open floor
20:58:26 Nothing from me
20:58:42 * dhellmann has nothing
20:59:09 #endmeeting