opendevreview | Ghanshyam proposed openstack/governance-sigs master: Rename ‘Extended Maintenance’ SIG to the ‘Stable Maintenance’ https://review.opendev.org/c/openstack/governance-sigs/+/817499 | 01:01 |
---|---|---|
*** diablo_rojo_phone is now known as Guest5561 | 01:14 | |
*** Guest5561 is now known as diablo_rojo_phone | 01:16 | |
opendevreview | Ghanshyam proposed openstack/governance master: Remove retired training-labs repo https://review.opendev.org/c/openstack/governance/+/817511 | 02:27 |
opendevreview | Ghanshyam proposed openstack/governance master: Retire training-labs repo https://review.opendev.org/c/openstack/governance/+/817511 | 02:29 |
*** ykarel__ is now known as ykarel | 05:32 | |
*** pojadhav is now known as pojadhav|afk | 07:52 | |
*** pojadhav|afk is now known as pojadhav | 08:30 | |
*** ykarel is now known as ykarel|lunch | 10:05 | |
*** ykarel|lunch is now known as ykarel | 11:19 | |
*** gagehugo_ is now known as gagehugo | 13:43 | |
*** jungleboyj_ is now known as jungleboyj | 13:43 | |
*** diablo_rojo_phone_ is now known as diablo_rojo_phone | 13:45 | |
*** gmann_ is now known as gmann | 13:45 | |
*** diablo_rojo_phone is now known as Guest5614 | 13:45 | |
*** gouthamr_ is now known as gouthamr | 13:45 | |
*** bbezak_ is now known as bbezak | 13:45 | |
*** johnsom_ is now known as johnsom | 13:46 | |
*** knikolla_ is now known as knikolla | 13:46 | |
*** pojadhav is now known as pojadhav|sick | 13:46 | |
*** ykarel is now known as ykarel|away | 14:46 | |
mnaser | hi guys, I'm using oftc's web client today | 14:56 |
mnaser | irc cloud seems to be down :( | 14:56 |
mnaser_ | or maybe now they're back right as i said something? | 14:57 |
gmann | mnaser: yeah, I think it is unstable since yesterday night | 14:57 |
*** mnaser_ is now known as mnaser | 14:58 | |
jungleboyj | It is back up at the moment, but it was down for a while. | 15:00 |
gmann | #startmeeting tc | 15:00 |
opendevmeet | Meeting started Thu Nov 11 15:00:26 2021 UTC and is due to finish in 60 minutes. The chair is gmann. Information about MeetBot at http://wiki.debian.org/MeetBot. | 15:00 |
opendevmeet | Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. | 15:00 |
opendevmeet | The meeting name has been set to 'tc' | 15:00 |
gmann | tc-members: meeting time | 15:00 |
gmann | #topic Roll call | 15:00 |
gmann | o/ | 15:00 |
mnaser | o/ | 15:00 |
ade_lee | o/ | 15:01 |
jungleboyj | o/ | 15:01 |
gmann | hope everyone adjusted meeting time change with daylight saving things | 15:01 |
jungleboyj | :-) I was smart enough to put it on my calendar in UTC. | 15:02 |
gmann | yeah, I did same after i missed lot of meeting last time :) | 15:02 |
gmann | less member today, may be holiday in USA, Poland and other place | 15:03 |
gmann | let's start | 15:03 |
gmann | #link https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee#Agenda_Suggestions | 15:03 |
dansmith | o/ | 15:03 |
gmann | today agenda ^^ | 15:03 |
belmoreira | o/ | 15:03 |
*** diablo_rojo__ is now known as diablo_rojo | 15:03 | |
gmann | #topic Follow up on past action items | 15:03 |
jungleboyj | ++ | 15:03 |
diablo_rojo | o/ | 15:03 |
gmann | none from last meeting #link https://meetings.opendev.org/meetings/tc/2021/tc.2021-11-04-15.02.html | 15:04 |
gmann | #topic Gate health check | 15:04 |
dansmith | I've only had a few patches in the gate in the last week, but I haven't noticed any big problems | 15:04 |
gmann | yeah | 15:04 |
dansmith | I think nova reported some legit failure at some point though, but I didn't look deep | 15:04 |
jungleboyj | I have seen things merging pretty efficiently. | 15:04 |
gmann | only one was devstack removed the keystone admin client creation and it broke few projects like tacker, blazar etc | 15:05 |
dansmith | also I think clarkb noted that nova has something n-v in the gate queue | 15:05 |
gmann | yeah | 15:05 |
jungleboyj | Cinder was hit with a queueing problem earlier but it sounds like that is fixed. | 15:05 |
gmann | on job cleanup, I am removing the opensuse job, please review where ever you can +2 #link https://review.opendev.org/q/topic:%22remove-tempest-full-py3-opensuse15%22+(status:open%20OR%20status:merged) | 15:06 |
gmann | let's move next | 15:07 |
gmann | #topic Updates on community-wide goal | 15:07 |
gmann | Decoupling goal from release cycle | 15:07 |
gmann | we need more review on this #link https://review.opendev.org/c/openstack/governance/+/816387 | 15:07 |
gmann | so that we can get this in first to avoid merge conflict/rebase need on proposed/rework on goals | 15:07 |
jungleboyj | Ok. I will look. | 15:08 |
gmann | thanks | 15:08 |
gmann | RBAC goal rework | 15:08 |
dansmith | I'm behind on looking at the recent changes to that | 15:09 |
dansmith | will try to do that today | 15:09 |
gmann | we had second call after PTG to continue the discussion and things are much clear now on what to target in Yoga | 15:09 |
gmann | #link #link https://review.opendev.org/c/openstack/governance/+/815158 | 15:09 |
gmann | dansmith: thanks | 15:09 |
gmann | #link https://review.opendev.org/c/openstack/governance/+/815158 | 15:09 |
gmann | other also please review. | 15:10 |
jungleboyj | ++ | 15:10 |
gmann | and we will continue the discussion on various open things for future cycle in policy popup biweekly meeting. | 15:10 |
gmann | I will send the meeting detail on ML soon. | 15:10 |
rosmaita | gmann: that meeting is scheduled for today according to eavesdrop invite | 15:11 |
gmann | rosmaita: yeah, as we meet yesterday i think we can skip today and do from next week with biweekly odd 18th Nov, 2nd Dec.. | 15:11 |
gmann | rosmaita: I updated here #link https://wiki.openstack.org/wiki/Consistent_and_Secure_Default_Policies_Popup_Team#Meeting | 15:12 |
rosmaita | gmann: ty | 15:12 |
gmann | and proposed the ical update also #link https://review.opendev.org/c/opendev/irc-meetings/+/817496 | 15:12 |
gmann | once that is merged I will update on ML too | 15:12 |
rosmaita | ok, great | 15:13 |
gmann | anything else on RBAC ? | 15:13 |
gmann | next is new proposed goal - "Proposed community goal for FIPS compatibility and compliance" | 15:14 |
gmann | #link https://review.opendev.org/c/openstack/governance/+/816587 | 15:14 |
gmann | ade_lee: hand over to you | 15:14 |
ade_lee | thanks | 15:14 |
ade_lee | I'm not sure if folks have had a chance to review, but there has been a lot of work around fips | 15:15 |
ade_lee | I split this up into two goals here -- fips compatibility and fips compliance | 15:15 |
ade_lee | fips compatibility means - I turn fips on and everything still works | 15:16 |
ade_lee | fips compliance means compatibility + I only use crypto libraries that have been fips certified | 15:16 |
ade_lee | I think that we've made a lot of progress in fips compatibility to the point that we might be able to achieve it in Y | 15:17 |
ade_lee | ie. most of the projects now have ci gate jobs in progress to run with fips enabled. | 15:18 |
jungleboyj | That is good. | 15:18 |
ade_lee | and we've identified and fixed a bunch of places where things would trip up -- ie. md5 , bad ciphers etc. | 15:18 |
ade_lee | what making this a community goal would do would be to get all the remaining projects on board, as well as 3rd party vendors | 15:19 |
ade_lee | maybe even, we could replace all the regular ci jobs with fips enabled versions | 15:19 |
gmann | I saw the tempest changes plan on that but not read the goal completely. | 15:19 |
ade_lee | ie. if it works under fips, it could work otherwise too. | 15:19 |
ade_lee | as a longer term goal, we could do fips compliance - maybe for Z, because that will require changes like - for example, replacing paramiko and other non-certified crypto | 15:21 |
fungi | there are probably some blindspots worth noting when testing with fips mode on | 15:21 |
gmann | I think proposal is to replace paramiko with libssh ? | 15:21 |
ade_lee | and we'd like to do that consistently across openstack ideally | 15:21 |
mnaser | question that might be silly | 15:21 |
fungi | for example support of any cryptographic algorithms not approved by the usa nist can't be exercised | 15:21 |
ade_lee | gmann, that could be the approach - there may be others | 15:21 |
mnaser | is there a benefit in running FIPS only for our gates | 15:21 |
ade_lee | libssh uses certified crypto in the backend | 15:21 |
gmann | k | 15:22 |
mnaser | like is there a downside to making everything FIPS only by standard? | 15:22 |
fungi | for example, you can't ssh with keys using ed25519 | 15:22 |
fungi | mnaser: it's an americentric standard pushed by the united states government, so people in other countries, and particularly governments of countries besides the usa, are understandably wary | 15:23 |
fungi | it's great when you want to supply resources under usa government/defense department contracts | 15:24 |
fungi | but maybe not in other cases | 15:24 |
mnaser | ok i see | 15:25 |
gmann | is fips compliance means 'everything FIPS only ' ? | 15:25 |
mnaser | so its not necessary a 'good to have by default' | 15:25 |
gmann | yeah | 15:25 |
ade_lee | it's also not just govts though - many financial and regulated industries want fips too - as a requirement for other compliance regimes | 15:26 |
fungi | the global technical community is split on opinion, some expect nist has cryptographic strength as the primary goal, others suspect the nsa has convinced nist not to approve algorithms they don't know how to compromise... i personally expect it's a mix of those two priorities as well as other influences | 15:27 |
* jungleboyj feels like he is being watched | 15:27 | |
fungi | though supposedly fips 186-5 will add curve25519 as an allowed primitive, so ssh with ed25519 keys will probably eventually work in fips mode | 15:28 |
mnaser | okay that's fair, so it's not overall a 'good thing' for us to aim for fips only to 'increase security' | 15:29 |
fungi | right, it's possible to be "more secure than fips" in ways that are not fips compliant (depending on your definition of "secure" of course), but those are mostly corner cases | 15:30 |
dansmith | even if it doesn't get us better security, | 15:30 |
dansmith | is it bad to run with that as a default just because a lot of people _do_ want it? | 15:30 |
dansmith | like, are we losing coverage if we enable? | 15:30 |
fungi | making sure openstack can be used in fips-compliant environments is 100% a good thing, i think | 15:30 |
fungi | only testing in fips mode may reduce coverage, mainly around any support we might have for cryptographic primitives not (yet) approved by nist | 15:31 |
mnaser | yeah, i am thinking more of 'do we do it by default' or not | 15:31 |
fungi | but for the most part openstack doesn't really roll its own crypto, and tries to leave that to external dependencies | 15:31 |
gmann | I am also not sure about default but definitely make openstack fips compatible and test with few jobs | 15:31 |
fungi | well, also currently only know how to do fips mode testing on rhel/fedora-derived distros, so debian/ubuntu would probably take a fair amount of work to use for fips mode testing | 15:32 |
fungi | and obviously the majority of our testing happens on whatever the latest ubuntu lts was at the time we started a given cycle | 15:33 |
ade_lee | fungi, thats true - although by the time that is done, most of the fips bugs will have been shaken out. | 15:34 |
dansmith | that seems like both a good reason not to enable by default, but also probably a bad thing if we don't know how to make our own primary test platform compliant :D | 15:34 |
gmann | yeah. if we think on making it default then enabling in ubuntu is required | 15:34 |
ade_lee | much of the work in setting up the fips jobs has been getting them working on rhel/centos instead of ubuntu. | 15:34 |
gmann | we can start with the centos job adding in tempest and other tempest plugins and see | 15:35 |
fungi | worth noting, logistically, fips mode is explicitly a non-default configuration for most linux distros (even the rhel/fedora-derived ones), so to test in fips mode on opendev's standard distro images you need to reboot the test nodes into fips mode | 15:35 |
fungi | you can't effectively enter/exit fips mode without a complete reboot | 15:36 |
gmann | but defining a goal to make it default seems difficult in Yoga | 15:36 |
dansmith | default is different than complete right? | 15:36 |
fungi | so that does extend job runtime a bit to swizzle the kernel parameters and reboot | 15:36 |
dansmith | complete can mean "everyone runs at least one job to ensure compliance" | 15:37 |
gmann | we can go with three steps here 1. run few jobs on few projects 2. complete- have all project at least on job 3. discuss on making it default or not | 15:37 |
dansmith | yeah | 15:38 |
ade_lee | gmann, we're already doing 1 -- I'm hoping for at least 2 | 15:38 |
gmann | ade_lee: as you mentioned, you have already divided it into multiple steps/goal. and with our new structure on goal, we can do it in these three steps and see how fast we do it. new structure I mean this #link https://review.opendev.org/c/openstack/governance/+/816387 | 15:39 |
jungleboyj | gmann: That sounds like a reasonable plan. | 15:39 |
gmann | ade_lee: and with new structure which is not merged yet, it can be done at any different time within a cycle or in multiple cycle. | 15:39 |
ade_lee | gmann, ack - I can add in the new milestones etc. | 15:40 |
ade_lee | as described in the template you described | 15:40 |
gmann | ade_lee: cool, and we will continue the discussion on gerrit. | 15:41 |
ade_lee | cool | 15:41 |
gmann | ade_lee: you can add depends on the 816387 in case to avoid merge conflict or so | 15:41 |
ade_lee | will do | 15:41 |
gmann | ade_lee: thanks for the proposal and explaining here | 15:41 |
ade_lee | thanks all | 15:41 |
gmann | moving next | 15:42 |
gmann | #topic Adjutant need PTLs and maintainers | 15:42 |
gmann | #link http://lists.openstack.org/pipermail/openstack-discuss/2021-October/025555.html | 15:42 |
gmann | I saw fungi reply on email to someone asking on Adjutant plan and reaching out to adrian | 15:43 |
gmann | but did not find the original email they asked on, may be i missed | 15:43 |
gmann | but I think there is no volunteer to help on this project or may be they are discussion internally ? | 15:43 |
gmann | * help on this project yet | 15:44 |
mnaser | isn't catalyst using this internally? | 15:44 |
gmann | not sure, adrian mentioned they might take this up but not sure | 15:45 |
gmann | but at least they are aware as I see Andrew from catalyst reply on this ML thread | 15:46 |
fungi | i was replying to this: | 15:46 |
gmann | I will send another reminder on ML and not sure how long adrian will be there to help/lead so they might need to take this soon | 15:46 |
fungi | #link http://lists.openstack.org/pipermail/openstack-discuss/2021-November/025713.html | 15:46 |
gmann | yeah | 15:47 |
gmann | so let's wait for more time on this | 15:47 |
gmann | moving next | 15:47 |
gmann | #topic Pain Point targeting | 15:47 |
gmann | #link https://etherpad.opendev.org/p/pain-point-elimination | 15:48 |
gmann | we decided to continue iterating the list and keep discussion on this. | 15:48 |
gmann | we did not get much time in last week meeting also and this too | 15:49 |
gmann | I think we can have a voice call to iterate it in adhoc meeting? | 15:49 |
gmann | belmoreira: ricolin_ what you think? | 15:49 |
gmann | like RBAC discussion we are doing | 15:50 |
belmoreira | looks good to me | 15:50 |
gmann | cool, belmoreira or ricolin_ any one of you to schedule it otherwise I can do, sometime for next week or so? | 15:51 |
jungleboyj | I think that makes sense as a next step. | 15:51 |
gmann | yeah, we do not get much time in weekly meeting so doing it in adhoc meeting will be more productive | 15:51 |
belmoreira | it would be better to confirm with ricolin_ first since he started this effort | 15:52 |
jungleboyj | belmoreira: ++ | 15:52 |
gmann | sure, he is not here today but I will ping him in case he miss to see our ping here. | 15:52 |
gmann | #action gmann, ricolin_ to schedule adhoc meeting for pain point discussions | 15:53 |
gmann | #topic Open Reviews | 15:53 |
gmann | #link https://review.opendev.org/q/projects:openstack/governance+is:open | 15:53 |
gmann | lot of open reviews, let check what all are ready to vote | 15:53 |
gmann | this one is needed for goal things #link https://review.opendev.org/c/openstack/governance/+/816387 | 15:54 |
gmann | mnaser: jungleboyj rosmaita diablo_rojo spotz ^^ please check | 15:54 |
jungleboyj | mnaser: Got it. | 15:55 |
gmann | this will be quick one as we discussed in last meeting to remove the office hours #link https://review.opendev.org/c/openstack/governance/+/817493 | 15:55 |
gmann | and this one is important for Yoga testing runtime so that we can start working on new testing part soon #link https://review.opendev.org/c/openstack/governance/+/815851 | 15:55 |
gmann | frickler: fungi ^^ you too in case you have not checked the latest version | 15:56 |
gmann | with adding centos9-stream, I have removed the py36 and making py3.8 and py3.9 as voting | 15:56 |
gmann | there are other open reviews also which are ready to vote, please check and review in this week as much as possible | 15:57 |
fungi | i think we're getting close on stream 9 testing, right now we're trying to work through getting package mirroring in place | 15:58 |
gmann | +1, thanks | 15:58 |
diablo_rojo | I will check that out today | 15:59 |
gmann | thanks | 15:59 |
gmann | one last thing- | 15:59 |
gmann | is openinfra tv keynotes 1 hr long or 2? on 18th | 15:59 |
gmann | #link https://openinfra.dev/live/ | 15:59 |
gmann | ah but it is at same time our tc meeting | 16:00 |
gmann | we can cancel it for next week on 18th if ok for everyone ? | 16:00 |
fungi | yes, i was just watching this week's episode during the tc meeting | 16:00 |
gmann | cancel TC meeting | 16:00 |
diablo_rojo | yes please | 16:00 |
jungleboyj | That would be good. | 16:01 |
gmann | ok, let's cancel meeting on 18th and we will meet on 25th Nov. I will update on ML too | 16:01 |
gmann | thanks everyone for joining, let's close it for today | 16:01 |
gmann | #endmeeting | 16:02 |
opendevmeet | Meeting ended Thu Nov 11 16:02:04 2021 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) | 16:02 |
opendevmeet | Minutes: https://meetings.opendev.org/meetings/tc/2021/tc.2021-11-11-15.00.html | 16:02 |
opendevmeet | Minutes (text): https://meetings.opendev.org/meetings/tc/2021/tc.2021-11-11-15.00.txt | 16:02 |
opendevmeet | Log: https://meetings.opendev.org/meetings/tc/2021/tc.2021-11-11-15.00.log.html | 16:02 |
diablo_rojo | Thanks gmann! | 16:02 |
jungleboyj | Thank you! | 16:02 |
opendevreview | Lance Bragstad proposed openstack/governance master: Rework the yoga secure RBAC community goal https://review.opendev.org/c/openstack/governance/+/815158 | 17:46 |
opendevreview | Lance Bragstad proposed openstack/governance master: Rework the yoga secure RBAC community goal https://review.opendev.org/c/openstack/governance/+/815158 | 18:16 |
opendevreview | Merged openstack/governance master: Decouple the community-wide goals from cycle release https://review.opendev.org/c/openstack/governance/+/816387 | 18:37 |
opendevreview | Merged openstack/governance master: Unselect RBAC goal to rework the implementation https://review.opendev.org/c/openstack/governance/+/816253 | 18:38 |
gmann | lbragstad: ^^ these are merged now which end up merge conflict to 815158. as RBAC goal is moved to goal/proposed dir we need to rebase it and add different milestone. and once we agree on the proposed goal then we can move to goal/selected. this is new process | 18:42 |
lbragstad | gmann ok - cool | 18:42 |
gmann | lbragstad: I can rebase it with new structure if you want? sorry for merge conflict | 18:42 |
lbragstad | gmann no worries - i figured that was going to happen anyway and i was anticipating it | 18:43 |
gmann | fungi: mnaser can you help on these two project-config changes to proceed on few repo retirement https://review.opendev.org/c/openstack/project-config/+/817324/1 https://review.opendev.org/c/openstack/project-config/+/817502 | 19:00 |
opendevreview | Merged openstack/governance master: Merge 'Technical Writing' SIG into TC https://review.opendev.org/c/openstack/governance/+/815869 | 19:02 |