19:01:36 <nthykier> #startmeeting
19:01:36 <MeetBot> Meeting started Wed Nov 23 19:01:36 2016 UTC.  The chair is nthykier. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:01:36 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
19:02:27 <nthykier> hey, who is around? :)
19:02:34 <pochu> o/
19:02:44 <nthykier> I think we got 2-3 known no-shows (or late shows)
19:03:22 <pochu> yeah
19:03:27 <adsb> .
19:03:37 <pochu> oh look, an Adam o/
19:03:38 <adsb> (although will need to nip off in ~20 minutes to eat)
19:03:42 <nthykier> While we wait
19:03:46 <pochu> hmm, food
19:03:52 <nthykier> #info Last meeting minutes at: http://meetbot.debian.net/debian-release/2016/debian-release.2016-10-26-19.02.html
19:04:25 <nthykier> ok
19:04:34 <adsb> I suspect jmw is currently driving
19:04:38 <nthykier> #topic Previous meeting/actions
19:05:25 <nthykier> #info nthykier was supposed to ask MariaDB maintainers to start a MFB for the migration - they started the discussion on their own
19:05:48 <nthykier> pochu: you got an item for a sprint - a venue and a mail to team@?
19:06:31 <nthykier> Any news on that? :)
19:06:46 <pochu> yeah. I started to look at that this afternoon (I suck), and I call a hotel but got asked to call again tomorrow morning so that I could talk to the person in charge of meetings et al
19:06:50 <pochu> but I find a nice hotel, I think
19:06:58 <pochu> with nice prices, I think
19:07:03 <nthykier> Ah, very nice
19:07:11 <pochu> just need to talk to that lady and ask about meeting space, discounts, etc :)
19:07:20 <nthykier> #info pochu is still working on the venue for the sprint!
19:07:54 <pochu> btw we should know who is planning to attend, and find the best date. but we can do that over email
19:08:11 <pochu> as we're only 3 here atm
19:08:23 <nthykier> we should - I need to request vacation for that time, so the sooner we figure that out the better for me :)
19:08:33 <nthykier> (unless we keep to strictly weekend)
19:08:44 <pochu> yeah. I'll call the hotel tomorrow morning and send that mail - promise
19:08:49 <nthykier> Thanks
19:09:25 <nthykier> ok, I think I will move on then
19:09:34 <nthykier> #topic Transitions
19:10:04 <nthykier> Lets ignore the elephant in the room a while longer and start with the others
19:10:20 <nthykier> I believe we got a couple of minor self-contained transitions
19:10:31 <nthykier> pochu: Any thing (besides ssl) worth mentioning?
19:11:58 <pochu> xserver is started since yesterday - currently blocked on the binutils mips bug
19:12:19 <pochu> I want to start the hdf5 one, but am waiting for openssl to settle
19:12:33 <pochu> haskell is blocked on openssl
19:12:57 <pochu> the rest is very small / unimportant
19:13:03 <bunk> SQLAlchemy?
19:13:28 <pochu> I want to push the mariadb one as well, so more packages switch to default-libmysqlclient-dev
19:13:54 <pochu> by push I don't mean start a transition. that has been ongoing for months...
19:14:23 <pochu> we have a new SQLAlchemy version which seems to break some packages. I still need to mediate there and see what's the best option
19:15:17 <nthykier> Yeah, SQLAlchemy sounded a bit sore
19:15:49 <nthykier> pochu: do you have a feeling about the mysql transitions and how far it is?
19:16:25 <pochu> nthykier: I haven't looked too closely, but mostly we need ~100 packages to build-dep on default-lib... rather than lib...
19:16:40 <h01ger> ouch
19:16:46 <pochu> so that they pick up a dependency on libmariaclient
19:16:59 <nthykier> And then a removal, which usually implies that someone realising that a use-case was overlooked?
19:17:03 <pochu> and we can remove mysql-5.6
19:17:13 <pochu> nthykier: sorry, wdym?
19:17:24 <nthykier> pochu: I mean "assuming no one overlooked something" :)
19:17:30 * KiBi waves from belated train
19:17:39 <KiBi> and here come the tunnels anyway… meh :(
19:17:41 <pochu> oh yes. that's why I said I haven't looked closely at it
19:17:51 <nthykier> Hopefully we didn't :)
19:18:03 <pochu> I need to play a bit with dak rm, look at Packages and Sources files, and see if there are any other dependencies
19:18:06 <nthykier> (no offense intended btw. - it came out wrong)
19:18:27 <nthykier> good
19:18:51 <pochu> for now, I am blocking mysql-5.7 from entering testing. which has the nice side effect that packages that get rebuilt with libmysqlclient-dev pick a dependency on that, and they don't enter testing. nice effect because then they have to switch to default-libmysqlclient-dev ;-)
19:19:15 <nthykier> :D
19:19:21 <pochu> nthykier: no worries man, I didn't get it in a bad way
19:19:24 <nthykier> :)
19:19:30 <nthykier> That is a nice way to push it
19:19:42 <pochu> I asked Otto to send a MBF mail to debian-devel, but I guess he's been busy
19:20:18 <nthykier> ok - any final remarks on general transitions?
19:20:57 <pochu> oh there was boost1.62. that's currently blocked by the mips* binutils bug too
19:22:02 <pochu> and as I expected, there are quite some uncoordinated transitions happening after the freeze. which I don't really mind at this point as they are small, but I wonder if this will keep happening one or two months from now
19:22:06 <pochu> and that's all
19:22:49 <adsb> [food]
19:23:14 <nthykier> they will - especially if we permit them. But I agree if they are small / self-contained and cause no issues, then we are probably better off letting them through than enforcing the freeze
19:23:57 <pochu> yeah. or at least, let's see if that becomes a problem, and only act / enforce it if that happens
19:23:59 <nthykier> But we should remember to slow it down as we approach December - it should be done before we reach 5th. of Jan
19:24:17 <pochu> aye
19:24:27 <ansgar> I thought "small / self-contained" doesn't count as a transition?
19:24:55 <ansgar> I still plan to update a few dune-* packages for example (they have no outside dependencies).
19:25:03 <pochu> I'm only acking small transitions now (also because the maintainers that didn't ask are doing them, so why punish those who are asking and did their job of testing rdeps...)
19:25:57 <nthykier> ansgar: self-contained might be a bit overloaded in this case :)
19:26:41 <pochu> ansgar: if you maintain them all and there aren't many packages involved, then I don't think you need to ask at this point in time
19:27:12 <nthykier> pochu: AFAICT, ssl and mariadb/mysql are the only two major ongoing transitions, which looks like they might not complete before 5th of Jan - agreed?
19:27:40 <nthykier> or would at least require some focus to make it
19:27:45 <pochu> nthykier: agreed
19:28:25 <nthykier> #info There are a bunch of minor ongoing transitions, which are not an issue
19:28:55 <nthykier> #info There is a concern about the SSL 1.1 and MySQL transition being complete before 5th of Jan
19:29:13 <nthykier> Ok - with that, SSL1.1
19:29:58 <nthykier> We have had some internal communication with Q_ and the security team on that.
19:31:17 <nthykier> We have been looking at how big a bundle of (source) packages have to agree on the same version of openssl
19:32:05 <nthykier> On the positive side, we have found a significant number of packages that are allegedly isolated from the rest in that regard (i.e. they can freely choose)
19:32:41 <nthykier> On the flip side - we are still not quite done with the process, and we still have a rather large group left.
19:32:59 <nthykier> Last I heard, we are hoping to get it down to about 70 source packages.
19:33:52 <bunk> Is that the group around curl?
19:34:07 <pochu> nthykier: isshibboleth in that set? that's been one of the problematic ones iirc
19:34:22 <pochu> is shibboleth
19:34:51 <nthykier> -> https://paste.debian.net/898166/
19:34:57 <nthykier> That is the list I got
19:35:19 <nthykier> curl is there, but I think shibboleth isn't
19:36:49 <bunk> Why is haskell-curl not?
19:36:49 <nthykier> what source package builds shibboleth again?
19:37:35 <pochu> shibboleth-sp2 / shibboleth-resolver / moonshot-*
19:39:00 <nthykier> bunk: because it does not depend on libssl?
19:39:05 <nthykier> (is my guess)
19:39:38 <nthykier> the tool used uses binary (pre)-depends for computing this
19:39:43 <pochu> oh and xml-security-c
19:39:48 <bunk> ah, haskell does static linking, or?
19:40:52 <nthykier> bunk: it depends on libcurl-gnutls and libcurl-openssl-dev AFAICT
19:41:18 <nthykier> pochu: xml-security-c is the package I have been using as indicator :)
19:41:31 <bunk> nthykier: You've seen my patch for libcurl4-openssl-dev?
19:41:37 <bunk> xmltooling is also part of shibboleth
19:41:41 <nthykier> bunk: no, I haven't
19:42:22 <bunk> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844018#10
19:43:11 <bunk> This forces 1.0.2 on all users of libcurl3.
19:43:40 <nthykier> ok
19:44:10 <nthykier> We should definitely enforce the same ssl version in curl and its rdeps
19:44:25 <nthykier> (from what I gathered so far)
19:46:45 <Q_> Yes, I think anything using libcurl should probably use the same version.
19:46:57 <Q_> At least if it's making use of those functions.
19:48:02 <Q_> And that group of 70 is around libcurl yes
19:48:46 <nthykier> Hey Q_ :)
19:48:46 <Q_> At least one of them is zurl, which says he switched because of QT5. I just send him an email.
19:49:18 <jannic> I'm here (maintainer of zurl)
19:49:50 <nthykier> Q_: Am I correct in that openssl/1.1.0c-2 upload fixes all known RC bugs in openssl 1.1? :)
19:49:57 <Q_> Yes
19:50:00 <jannic> My current understanding is that zurl should use same version of openssl as libcurl, but qt is independent, as no internal structures are exchanged that way.
19:50:20 <nthykier> (excellent, been wanting ssl1.1 in testing for a while now)
19:50:46 <pochu> yes, but it won't transition to testing until #844503 gets fixed
19:50:56 <Q_> There is just a minor problem on hppa, and I guess you don't care about that.
19:51:20 <bunk> pochu: you could remove salt from testing
19:51:26 <pochu> I was about to say that
19:51:28 <Q_> pochu: Does that Breaks really prevent the migration?
19:51:45 <pochu> Q_: yes, because otherwise salt becomes uninstallable
19:51:54 <Q_> Oh, right.
19:52:07 <pochu> but it is marked for autoremoval. so I may remove it earlier to not stall openssl anymore
19:52:39 <nthykier> oh, upstream merged the patch
19:52:46 <nthykier> https://github.com/saltstack/salt/pull/37772
19:53:32 <nthykier> tag away
19:53:35 <nthykier> ok
19:53:47 <Q_> There are at least 2 other packages in the libcurl grop with open RC bugs. One is php5.
19:54:00 <nthykier> I believe php5 was scheduled for removal?
19:54:20 <bunk> yes, RM bug is waiting for rdeps to disappear
19:54:25 <nthykier> rather, php5 is not in testing
19:54:49 <Q_> Ok, so I can ignore that.
19:54:53 <nthykier> yes
19:55:09 <pochu> yeah
19:55:17 <Q_> cgsi-gsoap was the other I know about
19:56:42 <nthykier> allegedly blocked by the voms ssl issue
19:56:46 <Q_> Oh, and osslsigncode also uses libssl1.0-dev
19:56:50 <nthykier> #828595
19:59:27 <nthykier> So the big question we need to finish is - how big is this set really and what version do they need
20:00:04 <nthykier> For the rest, it seems like we have divided it into small enough bits to handle those.
20:00:56 <bunk> voms has X509_STORE_CTX as part of its API, unless that's identical in 1.0.2 and 1.1 this is part of the curl group
20:01:59 <Q_> Since we made it opaque, I can't guarantee it says the same anyway.
20:02:34 <nthykier> ok
20:03:11 <Q_> So there are something around 5 packages in the libcurl group that are currently still on 1.0
20:03:17 <nthykier> We are running low on time, so I will have to cut it here (meeting-wise, you are welcome to continue this afterwards)
20:03:45 <Q_> Assuming I can get all of them to support 1.1, I guess it's going to require an soname change in that case?
20:03:55 <bunk> boost1.62 also uses X509_STORE_CTX in its headers
20:05:25 <nthykier> https://sources.debian.net/src/mysql-5.7/5.7.16-1/extra/yassl/include/openssl/ssl.h/?hl=115#L115
20:05:47 <nthykier> ah sorry that was a mysql file
20:06:20 <nthykier> https://sources.debian.net/src/boost1.62/1.62.0%2Bdfsg-1/boost/asio/ssl/verify_context.hpp/?hl=43#L43
20:06:30 <Q_> bunk: boost actually doesn't show up in the list of libraries using libssl?
20:06:47 <Q_> Oh, it'a asio.
20:09:50 <nthykier> I presume that means a(nother) boost transition?
20:09:59 <nthykier> for ssl1.1 to be the default
20:11:33 <nthykier> Ok - as said, we are out of time, so I will have to cut this short here.
20:11:46 <nthykier> #topic AOB
20:11:50 <nthykier> Any last minute items?
20:11:59 <nthykier> (and very short ones preferably)
20:12:16 <pochu> not from me
20:12:23 <adsb> nope
20:12:37 <nthykier> #topic Next meeting
20:13:03 <nthykier> Auto scheduled to Dec 28 2016 at 1900 UTC - does this seem sensible?
20:13:10 <pochu> Dec 21st?
20:13:14 <pochu> ah
20:13:24 <Q_> So my current understanding is that zurl needs to use libssl1.0 because of QT5 anyway.
20:13:47 <pochu> nthykier: it's christmas and I'll be on holidays. so I won't know if I can make it until an hour earlier :P
20:13:54 <pochu> but fine with me
20:14:06 <jannic> Q_: Did you get my mail? Probably 1.1 is fine as well, I think.
20:14:15 <Q_> jannic: Writing to you.
20:14:18 <nthykier> ok
20:14:35 <pochu> nthykier: give me an action for the sprint venue
20:14:40 <nthykier> pochu: ok
20:14:48 <Q_> But let's just say it here.
20:14:55 <nthykier> #action pochu to work on the sprint venue
20:15:10 <pochu> ta
20:15:21 <nthykier> wfm - I fear rescheduling to the 21st would mean a lot of busy people with no time anyway, so lets keep it simple :P
20:15:33 <pochu> aye
20:15:41 <nthykier> #info Next meeting 28th of December at 1900 UTC
20:15:44 <nthykier> and with that ..
20:15:48 <nthykier> #endmeeting