#openstack-meeting log

18:02:46 <morganfainberg> #startmeeting Keystone
18:02:47 <gyee> startmeeting?
18:02:48 <openstack> Meeting started Tue Mar 17 18:02:46 2015 UTC and is due to finish in 60 minutes.  The chair is morganfainberg. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:49 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:51 <openstack> The meeting name has been set to 'keystone'
18:03:03 <morganfainberg> gyee, so i like to type extra spaces >>
18:03:07 <gyee> ha
18:03:13 <morganfainberg> Ok, lets just get to it.
18:03:25 <morganfainberg> K3 this is this week. Please review the last fernet token patches.
18:03:37 <morganfainberg> #topic DB2 CI
18:03:45 <marekd> that was fast.
18:03:54 <morganfainberg> bknudson, o/ (since yanfengxi is not in channel)
18:04:09 <bknudson> yanfenxi is in beijing and wasn't able to stay awake.
18:04:17 <morganfainberg> understandable
18:04:19 <bknudson> so he asked me to cover this...
18:04:28 <marekd> 2:04 AM
18:04:32 <marekd> in Beijing
18:04:34 <bknudson> so the DB2 CI was disabled a while ago.
18:04:45 <ayoung> why?
18:04:54 <davechen_> i am still awake, 2:04 here. :)
18:04:56 <bknudson> it was disabled because it was reporting merge failures
18:04:59 <lbragstad> o/
18:05:03 <bknudson> and nobody was around who could fix it.
18:05:07 <bknudson> I don't have access.
18:05:18 <morganfainberg> ayoung, noise, consistently broken, and was not presenting logs for 30 days, and no one was found to fix it
18:05:34 <dstanek> still in training, but i'll try to pay attention here too
18:05:41 <topol> who owns it?  We can get you access
18:06:11 <bknudson> so the request is to re-enable it, just so that it can get notifications so we can verify it works,
18:06:17 <bknudson> it won't be posting reviews
18:06:28 <gyee> was it a voting gate before?
18:06:30 <bknudson> when we think it's ready to post reviews we'll come ask fo rthat.
18:06:38 <morganfainberg> gyee, no.
18:06:51 <morganfainberg> bknudson, ok so you want to move it back to sandbox capable
18:07:30 <morganfainberg> bknudson, i'm ok with that and will ask -infra, as long as it isn't posting anything until we're sure it is working.
18:07:31 <bknudson> morganfainberg: right.
18:07:53 <gyee> how much time does db2 add to jenkins?
18:07:57 <bknudson> morganfainberg: ok, thanks.
18:08:09 <morganfainberg> bknudson, before it posts stuff again, we need to have a clear escalation when it's broken, it needs to retain logs for 30 days.
18:08:18 <marekd> bknudson: is that DB2 CI running on VM provided by Rackspace,HP and others?
18:08:26 <bknudson> gyee: obviously it runs on its own, and it's hard to compare since we've got our own system...
18:08:32 <morganfainberg> bknudson, preferably someone looking at it, vs. keystone having to ask them why it's broken.
18:08:40 <ayoung> I vote yes...any additional data points on our DB side are valuable
18:08:46 <bknudson> marekd: we've got our own systems.
18:09:01 <bknudson> one of the issues is that we didn't have enough systems and we've added more.
18:09:14 <marekd> bknudson: so, all VM's  simply configure keystone to point to that remote backend somewhere else, ok
18:09:31 <bknudson> I believe these vms have their own db2 instance.
18:09:32 <morganfainberg> ok i'll ask -infra to re-enable as long as it isn't posting anything.
18:09:40 <morganfainberg> until other issues are addressed.
18:09:42 <gyee> bknudson, that's fine so as long as it doesn't slow down jenkins considerably overall
18:09:56 <morganfainberg> gyee, it's 3rd party CI.
18:10:20 <bknudson> it actually doesn't run all of the tests, only ones marked for keystone.
18:10:44 <morganfainberg> gyee, so it should run mostly faster than the rest of the gate based on a smaller subset of tests.
18:11:00 <morganfainberg> gyee, and it wont blockup the actual gate pipeline (3rd party ci is check-only)
18:11:03 <ayoung> Can we all agree yes and move on?  I think this is a non issue
18:11:05 <gyee> morganfainberg, sure lets reenable then
18:11:17 <marekd> ayoung: yes
18:11:17 <bknudson> thanks!
18:11:24 <ayoung> coo
18:11:27 <bknudson> I'll let yanfengxi know.
18:11:42 <gyee> bknudson, he'll need to fix failures at 2am :)
18:11:56 <ayoung> he needs to give perms to bknudson to do it
18:12:02 <morganfainberg> #info DB2 CI will be requested to be re-enabled but will not post until other issues (failures and 30 day log retention) have been addressed.
18:12:08 <morganfainberg> #topic Feature Freeze Exceptions
18:12:09 <ayoung> ++
18:12:31 <morganfainberg> since kilo3 is this week.. we have a couple FFEs that will be requested.
18:12:34 <ayoung> how much work is left for Reseller?
18:12:45 <morganfainberg> I've spoken to henrynash to sponsor the two major FFEs
18:12:53 <morganfainberg> the first FFE is reseller.
18:13:00 <raildo> ayoung, we need to finish just one more patch (bye bye domain table)
18:13:15 <henrynash> yep, happy to sponsor
18:13:15 <morganfainberg> rodrigods, raildo, please send a message to the -dev mailing list requesting the FFE.
18:13:24 <ayoung> raildo, and how close is that...link?
18:13:29 <raildo> morganfainberg, ok
18:13:31 <gyee> a moment of silence for domains
18:13:33 <morganfainberg> please say henrynash will sponsor, link to the code, and show that it's mostly reviewing.
18:13:39 <marekd> morganfainberg: http://paste.openstack.org/show/192951/ this is also after couple iterations of reviews. and since we were blocked by a bug we couldn't merge earlier: https://review.openstack.org/#/c/152156/
18:13:39 <raildo> ayoung, https://review.openstack.org/#/c/161854/
18:13:48 <rodrigods> morganfainberg, great, thanks
18:13:58 <ayoung> why WIP?
18:14:18 <raildo> ayoung,because we don't finish the implementation yet
18:14:25 <ayoung> OK....how much work?
18:14:29 <morganfainberg> The second FFE, is the rest of henrynash's domainSQL, henrynash please send the FFE request to the -dev mailing list. I know it's just the final couple patches.
18:14:46 <henrynash> morganfainberg: will do
18:14:48 <raildo> adn we have a problem when we're trying drop the table
18:15:04 <morganfainberg> marekd, you or marco are welcome to send an FFE request for those.
18:15:05 <ayoung> raildo, ok,  hit me up after the meeting if you need help
18:15:13 <marekd> morganfainberg: ok
18:15:13 <morganfainberg> marekd, s/those/that
18:15:16 <ayoung> that should be relatively simple to knock out
18:15:17 <raildo> ayoung,  ok, thanks :)
18:15:34 <ayoung> or impossible...we'll see.
18:15:39 <morganfainberg> when sending to the dev mailing list be sure to use [keystone] and include FFE request in the subject
18:15:44 <morganfainberg> be descriptive
18:16:06 <morganfainberg> a few other BPs have been moved to post kilo3 since they are non-API impacting (and not really "Features")
18:16:07 <raildo> morganfainberg, ok
18:16:20 <marekd> morganfainberg: ack.
18:16:42 <morganfainberg> please respond to the ML topics (everyone) for/against/concerns once tehy are sent.
18:16:43 <ayoung> raildo, do it as two migrations.  One for the FK, one for the table drop
18:16:50 <ayoung> will make it easier to sort out/
18:16:51 <henrynash> bknduson, stevemar, lbragstad: there are two domain config ones that we can probably get in ahead of k3 since they have been extensively reviewed: https://review.openstack.org/#/c/159928/ and https://review.openstack.org/#/c/165075/
18:17:32 <raildo> ayoung, the FK part is working, but when we try drop the table, we got a error. i'll talk with you later :)
18:17:35 <morganfainberg> the ML topic will be used to either grant the exception or push to liberty. Realize it is not exclusively the keystone team involved in granting the FFE, i will be conferring with ttx and release management as well.
18:17:50 <bknudson> are all these reviews on the https://gist.github.com/dolph/651c6a1748f69637abd0 page?
18:18:06 <morganfainberg> bknudson, no. those reviews are just for k3 now [except the domain SQL one]
18:18:09 <bknudson> that's where I've been going to find reviews.
18:18:16 <morganfainberg> bknudson, since someone else has starred it
18:18:38 <lbragstad> should we put them on the review page?
18:18:42 <lbragstad> I can star them
18:18:42 <morganfainberg> bknudson, so basically the fernet tokens only
18:18:46 <marekd> morganfainberg: dolphm bknudson : https://review.openstack.org/#/c/152156/ is not
18:18:46 <morganfainberg> lbragstad, no.
18:18:49 <morganfainberg> lbragstad, wait till the FFEs are granted
18:18:54 <henrynash> morgainfainberg: remind me, keystone client library additions don’t need an FFE, right?
18:18:55 <lbragstad> morganfainberg: ok
18:19:03 <stevemar> henrynash, nope
18:19:15 <morganfainberg> henrynash, client and middleware and pycadf have no FFEs needed
18:19:17 <bknudson> at some point we're going to release a keystoneclient, so they have to be in before that.
18:19:21 <henrynash> ok
18:19:32 <morganfainberg> there will be a release of client right before RC
18:19:37 <ayoung> yeah...let's queue up the client questions for later
18:19:40 <henrynash> bknduson: indeed
18:19:45 <ayoung> I have a few...
18:19:48 <morganfainberg> that client release will coincide with the release (final tagging)
18:20:02 <morganfainberg> but for today, the Fernet token patches are the priority
18:20:02 <bknudson> scary.
18:20:21 <bknudson> btw, this means that bp https://blueprints.launchpad.net/openstack/?searchtext=auth-token-use-client isn't going to be done for K.
18:20:24 <ayoung> morganfainberg,   remove " Group role revocation invalidates all user tokens"
18:20:25 <morganfainberg> #info Fernet Token Final Reviews are priority for k3
18:20:28 <ayoung> we are not going to address that
18:20:37 <bknudson> since it requires changes to auth_token middleware that depend on client changes.
18:20:38 <morganfainberg> ayoung, i can't someone else has it starred
18:20:55 <morganfainberg> ayoung, it's not exclusively my list.
18:21:20 <ayoung> Clone it
18:21:22 <ayoung> Its git!
18:21:34 <morganfainberg> ayoung, i don't have the bot that updates it.
18:21:39 <morganfainberg> ayoung, that's dolphs code.
18:21:45 <morganfainberg> and i haven't seen it.
18:21:49 <ayoung> I know, but for the k3 list on launchpad it should be gone
18:22:07 <ayoung> https://launchpad.net/keystone/+milestone/kilo-3
18:22:25 <morganfainberg> ayoung, it was tagging 2 bugs, i missed one
18:22:31 <ayoung> cool
18:22:33 <morganfainberg> ok
18:22:50 <morganfainberg> #topic requirements.txt: Should requirements.txt be for the expected installation
18:22:57 <morganfainberg> #undo
18:22:57 <ayoung> wait
18:22:57 <openstack> Removing item from minutes: <ircmeeting.items.Topic object at 0x90b8750>
18:22:59 <ayoung> skipped one
18:23:04 <ayoung> https://blueprints.launchpad.net/keystone/+spec/mapping-enhancements
18:23:15 <morganfainberg> ayoung, that is a patch dstanek needed to update a comment on
18:23:16 <ayoung> that is on the k3 list, and tagged as needs code review
18:23:27 <ayoung> other than that it is good>?
18:23:28 <morganfainberg> it's done, just a test enhancement that could land now/post k3
18:23:29 <morganfainberg> yes
18:23:31 <stevemar> ayoung, i think we can close that one out now
18:23:47 <morganfainberg> wasn't going to close it till the last patch was landed but that is minimal/doesn't need massive eyes atm.
18:24:12 <ayoung> OK...
18:24:20 <morganfainberg> #topic requirements.txt: Should requirements.txt be for the expected installation?
18:24:27 <morganfainberg> bknudson, o/
18:24:32 <bknudson> ah, so I posted a review...
18:24:37 <bknudson> that got -1d
18:24:41 <ayoung> link
18:25:04 <morganfainberg> #link https://review.openstack.org/#/c/162360/
18:25:06 <stevemar> bknudson, you were finally on the receiving end
18:25:12 <bknudson> y, that was it.
18:25:24 <bknudson> essentially moving fernet requirements to test-requirements.txt
18:25:39 <bknudson> since my understanding was that we only have default config requirements in requirements.txt
18:25:55 <ayoung> Do we have mysql in requirements?
18:25:58 <morganfainberg> my view is test-requirements should only be for testing.
18:26:16 <bknudson> now, if we change that policy ... maybe we should also have ldap and ldappool in requirements.txt?
18:26:19 <morganfainberg> anything that could be used for runtime should be in main requirements.txt
18:26:25 <morganfainberg> bknudson, i would support that
18:26:28 <stevemar> bknudson, we probably should
18:26:36 <topol> bknudson +++
18:26:57 <bknudson> vote on it?
18:27:04 <morganfainberg> #vote
18:27:09 <morganfainberg> damn enter key.
18:27:09 <gyee> so why we even need test-requirements.txt then?
18:27:18 <bknudson> there will still be test-only requirements...
18:27:19 <gyee> since now everything will be enabled by default
18:27:19 <bknudson> testtools
18:27:20 * topol yay a vote. lets see who is paying attention
18:27:23 <morganfainberg> gyee, yes there are test-only things
18:27:27 <bknudson> mock
18:27:28 <haneef> How about different providers for dogpile? where does it fit?
18:27:32 <bknudson> fixtures
18:27:51 <stevemar> the documentation stuff will be there too
18:28:00 <ayoung> we don't even have mySQL in test-requirements
18:28:08 <morganfainberg> haneef, we would be adding any runtim dep - the only special case is liky mongo for licensing reasons
18:28:17 <morganfainberg> haneef, and that is a special case across openstack
18:28:19 <stevemar> using test-req for 'optional' isn't right
18:28:19 <bknudson> I don't think mysql is on pypi?
18:28:26 <bknudson> b/c oracle.
18:28:39 <morganfainberg> bknudson, mysqldb is, but i think we get that another way
18:28:55 <ayoung> So...on the client side, we are splitting things into separate repos due to dependencies.  This is where the python packaging is dumb
18:29:26 <dstanek> i always thought that test-requirements was actually for the optional stuff
18:29:37 <ayoung> if we have a plugin/extension/driver that needs a special piece of code, we should be able to package that separately without having to split the repo
18:29:39 <stevemar> dstanek, that's what we kept telling people :P
18:29:52 <ayoung> well, it is for installing things we need to run tests
18:30:05 <ayoung> so it has the optional flavor, since you can do a minimal install without it
18:30:05 <topol> whaat?  test-requirements is for test. come on man!
18:30:10 <morganfainberg> #startvote Should all runtime requirements (that don't have specific licensing concerns) move from test-requirements.txt to requirements.txt (test-requirements no longer used for "optional")? yes,no,obligatory-yes-but-i-want-to-be-a-snowflake-answer
18:30:11 <openstack> Begin voting on: Should all runtime requirements (that don't have specific licensing concerns) move from test-requirements.txt to requirements.txt (test-requirements no longer used for "optional")? Valid vote options are yes, no, obligatory-yes-but-i-want-to-be-a-snowflake-answer.
18:30:12 <openstack> Vote using '#vote OPTION'. Only your last vote counts.
18:30:24 <ayoung> dstanek, is python really going to continue to be so stiffnecked about this?
18:30:29 <ayoung> #vote no
18:30:33 <gyee> #vote yes
18:30:38 <morganfainberg> #vote yes
18:30:43 <samueldmq> #vote yes
18:30:45 <topol> #vote yes
18:30:49 <ayoung> It's not licensing, it is dependencies on install
18:30:59 <marekd> #vote yes
18:30:59 <bknudson> #vote no
18:31:02 <breton> who will be the original one?
18:31:06 <breton> #vote yes
18:31:08 <jamielennox> #vote no
18:31:10 <dstanek> #vote no
18:31:11 <bknudson> voting no just because this is how we've always worked so why change it.
18:31:11 <morganfainberg> ayoung, magically knowing what to install to turn something on is a terrible experience
18:31:12 <jamielennox> but torn
18:31:20 <dolphm> #vote no
18:31:23 <morganfainberg> ayoung, it doesn't prevent redhat from bundling deps differently
18:31:29 <ayoung> morganfainberg, having to find the LDAP deps if you are not running LDAP is also a bad one
18:31:32 <ayoung> or postgresql
18:31:35 <ayoung> DB2?
18:31:36 <haneef> #vote no
18:31:41 <dstanek> has anyone talked to distributions about this?
18:31:44 <jamielennox> morganfainberg: it expects (for example redhat) package maintainer to go and find all this for themselves
18:31:46 <breton> #showvote
18:31:47 <openstack> yes (6): gyee, morganfainberg, marekd, samueldmq, topol, breton
18:31:48 <openstack> no (6): dstanek, ayoung, bknudson, haneef, dolphm, jamielennox
18:31:59 <gyee> evenly spread
18:32:03 <morganfainberg> test-requirements is the wrong place for "optional" python dependencies
18:32:03 <dstanek> ayoung: this isn't really a python thing
18:32:04 <bknudson> hmmm...
18:32:11 <topol> so ayoung brings up a valid consumability point
18:32:11 <ayoung> dstanek, distributions are going to have to update how they idenityf what to install with what...it will likely break their scripts\
18:32:16 <stevemar> #vote yes
18:32:26 <ayoung> dstanek, yes it is, cuz I can only deploy one package from one repo
18:32:29 <bknudson> stevemar: the tiebreaker.
18:32:32 <raildo> #vote yes
18:32:33 <ayoung> and that is due to python, not git, and not packaging
18:32:45 <morganfainberg> dstanek, packagers have told me both sides, the one that got me was "i can't make X a dependency in my package cause it's in test-requirements, move it to requirements or i can't support it because $policy"
18:32:48 <topol> we should not put something in requirements if its not always required and can easily break stuff
18:33:00 <dolphm> morganfainberg: that's a broken $policy
18:33:04 <stevemar> topol, how would it break stuff?
18:33:10 <bknudson> topol: changing your vote?
18:33:11 <ayoung> can we hold off on this one until we get feedback please?
18:33:13 <dstanek> ayoung: normally you would use the extras_require to say 'hey, i'm using ldap and here are the extra requirements'
18:33:15 <morganfainberg> dolphm, putting things in test-requirements because they are optional is worse imo
18:33:18 <lhcheng> #vote no
18:33:19 <breton> topol: if it's in the main tree and covered with tests, it's working
18:33:26 <lbragstad> #vote no
18:33:30 <morganfainberg> dolphm, that is very much the wrong place for these things
18:33:31 <stevemar> breton, ++
18:33:32 <lbragstad> for the reasons bknudson listed
18:33:34 <bknudson> ayoung: you know someone who can provide feedback on your side?
18:33:40 <ayoung> bknudson, yes
18:33:42 <ayoung> apevec
18:33:44 <topol> ayoung can you elaborate on your ldap concern
18:33:45 <morganfainberg> this includes cryptography, msgpack, ldap, ldappool, etc
18:33:50 <dolphm> morganfainberg: is there a broader community concern on that?
18:33:54 <ayoung> topol, LDAP pulls in a native library
18:34:06 <jamielennox> morganfainberg: isn't this a TC question anyway?
18:34:09 <dolphm> morganfainberg: (i wouldn't want to see keystone deviate from the community consensus on usage of test-requirements)
18:34:14 <morganfainberg> jamielennox, not really.
18:34:16 <topol> ayoung and if the library isnt there?
18:34:17 <ayoung> so by putting LDAP in the python tree, you pull in pythn-ldaop, which pulls in openldap libs
18:34:25 <gyee> morganfainberg have an excellent point on *user experience*
18:34:27 <morganfainberg> dolphm, i think we're flat out doing it wrong in python.
18:34:40 <ayoung> topol, I think with PIP, it is even worse
18:34:44 <breton> #showvote
18:34:44 <gyee> it would suck if I enabled a feature and then found out I need to explicitly install more packages
18:34:45 <openstack> yes (8): gyee, morganfainberg, marekd, samueldmq, topol, raildo, breton, stevemar
18:34:47 <openstack> no (8): dstanek, ayoung, lhcheng, bknudson, haneef, lbragstad, dolphm, jamielennox
18:34:56 <stevemar> how contentious
18:34:57 <breton> gyee: ++
18:34:57 <ayoung> for MySQL and LDAP you have to have the devel version of the native libs installed to do the native bindings
18:34:59 <bknudson> I vote to put it off, let's have an action to hear back from packagers.
18:35:01 <topol> gyee makes a good point
18:35:10 <morganfainberg> dolphm, this isn't openstack community this is doing it wrong in python world. if we want a separate dependency tree, we should be splitting the stuff up into separate python packages
18:35:13 <topol> I agree with bknudson
18:35:19 <stevemar> gyee, that's always been the case
18:35:20 <henrynash> #vote no
18:35:29 <gyee> stevemar, then lets make it less suck
18:35:29 <dolphm> gyee: some of those packages might require more binary deps - which sucks in python land imo
18:35:35 <dstanek> gyee: that mean you always have to install everything? what about things that have a dep on a system package?
18:35:38 <bknudson> as far as our packaging goes, I don't think it will cause a problem either way.
18:35:40 <stevemar> gyee, thats why i voted yes
18:35:46 <haneef> gyee: it would also suck if  my installation is  stuck due to a dependency which I won't be using it
18:35:50 <dolphm> morganfainberg: that'd be fantastic
18:35:52 <gyee> most of us are shipping a distro
18:36:01 <morganfainberg> dolphm, i have $ideas for liberty ;)
18:36:03 <ayoung> we split the python-keystoneclient repo for just this reason
18:36:05 <topol> henrynash, what sis your concern?
18:36:05 <dolphm> morganfainberg: test-requirements.txt was invented by the openstack community
18:36:05 <gyee> a distro, not distro and a bunch of optional deps
18:36:21 <ayoung> the client is relatively consistant, but we pushed kerberos and SAML codes to separate repos
18:36:26 <davechen_> #vote no
18:36:35 <topol> Im scared we will rush this decision and really break folks
18:36:59 <ayoung> Let's float it to the -dev list and get some wider feedback, and revisit
18:37:03 <morganfainberg> topol, it wont really break anyone shipping a distro, and anyone doing CI/CD already has addressed most of this.
18:37:10 <morganfainberg> but in short. we'll defer this till liberty
18:37:13 <breton> ++ayoung
18:37:14 * topol trying to my yes back in the bottle
18:37:14 <bknudson> there are some discussion already going on in community.
18:37:16 <gyee> as a user, I would expect a distro contains everything that I need
18:37:17 <morganfainberg> based on this. vote
18:37:22 <henrynash> topol: I’m worried about a) deviating from openstack standard, and b) loading stuff that’s not strictly needed into production systems (less you install the better for secuirty)
18:37:27 <morganfainberg> we'll do further talking at the summit and on the list
18:37:35 <morganfainberg> bknudson, i am going to -2 that patch though for now.
18:37:54 <bknudson> wait, my patch was about following the current policy...
18:37:58 <bknudson> not deviating.
18:38:04 <topol> henrynash, make sense
18:38:13 <topol> makes sense  :-)
18:38:20 <dstanek> #showvote
18:38:21 <openstack> yes (8): gyee, morganfainberg, marekd, samueldmq, topol, raildo, breton, stevemar
18:38:22 <openstack> no (10): dstanek, ayoung, lhcheng, bknudson, davechen_, haneef, lbragstad, dolphm, jamielennox, henrynash
18:38:23 <morganfainberg> bknudson, because i don't want to shuffle everything around right now.
18:38:24 <topol> (that s makes a world of difference)
18:38:30 <topol> #vote no
18:38:35 <morganfainberg> #endvote
18:38:36 <openstack> Voted on "Should all runtime requirements (that don't have specific licensing concerns) move from test-requirements.txt to requirements.txt (test-requirements no longer used for "optional")?" Results are
18:38:38 <openstack> yes (7): gyee, morganfainberg, marekd, samueldmq, raildo, breton, stevemar
18:38:39 <openstack> no (11): dstanek, ayoung, lhcheng, bknudson, davechen_, haneef, lbragstad, dolphm, jamielennox, henrynash, topol
18:38:46 <bknudson> it's 2 lines.
18:38:51 <morganfainberg> bknudson, and if we're doing massive policy adherance lots of stuff needs to shuffle.
18:38:57 <bknudson> really?
18:39:07 <morganfainberg> bknudson, yes. we have lots of non-default things in there.
18:39:11 <morganfainberg> relating to PKI tokens as well
18:39:20 <ayoung> Oy Vey!
18:39:20 <dolphm> genesis in keystone? https://github.com/openstack/keystone/commit/72e4edcc12f4741bd945adf777fe43f3ffcd62d6
18:40:03 <morganfainberg> moving optional to test-requirements was an awful thing. it has caused a lot of questions and "why can't X work" with a response of "go install thing because we don't make it a hard requirement"
18:40:06 <dolphm> morganfainberg: i might change my vote to yes after seeing my own commit :P
18:40:27 <topol> wow things were simpler in 2011
18:40:31 <ayoung> morganfainberg, lets work with dstank to have a better modular install story
18:40:45 <morganfainberg> ayoung, liberty.
18:40:48 <gyee> topol, 1969, nothing by peace and love
18:40:54 <ayoung> if we can get away from "separate git repo to avoid depednecy hell"  I'll be happy
18:40:59 <bknudson> ok, so for K we're going to stick with fernet requirements in requirements.txt ?
18:41:07 <morganfainberg> ayoung, we wont be able to with pypi
18:41:09 <ayoung> morganfainberg,  on the client first, and then Liberty for Server.
18:41:19 <morganfainberg> ayoung, and pbr.
18:41:20 <ayoung> morganfainberg, THEN WE BREAK THEM!
18:41:23 <bknudson> we can just make it a policy where we pick based on what we know.
18:41:24 <ayoung> WE BREAK THAT TOO
18:41:34 <ayoung> BREAK ALL THE THINGS!
18:41:48 <marekd> rewrite everythin from scratch
18:41:49 <morganfainberg> bknudson, ok so let me change my stance
18:41:50 <jamielennox> ayoung's ptl slogan
18:41:51 <dstanek> this is really a packager issue - 'apt-get install keystone keystone-ldap ... etc' - right?
18:41:54 <topol> please remember the user experience concerns
18:42:02 <morganfainberg> dstanek, pip install and apt-get install
18:42:17 <ayoung> jamielennox, life philosophy really.  I was, and will always in my heart be, an Infantryman
18:42:33 <gyee> there's a man who lived
18:42:35 <morganfainberg> bknudson, so my stance is: if it's pure python it can always go in requirements. if it has exceptional binary deps lets put it in test-requirements for now (ldap)
18:42:56 <topol> morganfainberg that makes sense
18:42:58 <haneef> That  is better
18:43:01 <dolphm> morganfainberg: pki & openssl?
18:43:05 <bknudson> let's write a pure-python ldap client.
18:43:09 <morganfainberg> dolphm, opensssl isn't exceptional.
18:43:14 <ayoung> morganfainberg, we shouldprobably get MySQL into test-requirements then
18:43:18 <gyee> and xmlsec1
18:43:24 <ayoung> pki and openssl is even worse
18:43:36 <bknudson> remember lxml?
18:43:39 <ayoung> those can't be done by package requirements except at the distro level
18:43:44 <morganfainberg> if it has historically been in requirements DONT MOVE IT until we decide how we're handling the splitup/new install etc
18:43:45 <gyee> yes that one too
18:43:50 <morganfainberg> this is for new requirements
18:43:57 <dstanek> morganfainberg: to me that is harder to draw the line - do i now have to know how projects are implemented?
18:43:58 <morganfainberg> so crypto and msgpack should be evaluated
18:44:08 <ayoung> we need to get the cryptography.py solution in place for PKI etc.
18:44:10 <bknudson> cryptography must rely on openssl.
18:44:12 <ayoung> But not today
18:44:19 <gyee> dstanek, I am on the user experience side
18:44:23 * dolphm finds it best to refer to the library as pypi/cryptography to avoid confusion
18:44:32 <morganfainberg> dstanek, try and install it, is it awful to pip install it?
18:44:41 <dolphm> bknudson: it does not, afaik
18:44:51 <morganfainberg> dstanek did it require a bunch of extra apt-gets (e.g. ldap libs dev)
18:44:56 <haneef> ayoung:  There was a review last week to replace  openssl system calls with a crypto lib
18:45:09 <dstanek> morganfainberg: things will go fine if i have the required system packages already so i may not think twice
18:45:25 <morganfainberg> dstanek, since we aren't adding more g-rs this cycle, this is largely deferred
18:45:31 <morganfainberg> dstanek, the only question is msgpack and crypto
18:45:33 <ayoung> haneef, link?
18:45:47 <dstanek> morganfainberg: fair enough
18:45:51 <bknudson> btw - we need a newer cryptography, we're using features that aren't in 0.4
18:45:54 <morganfainberg> dstanek, so, for this cycle address those two and in liberty we work on better stuff.
18:45:56 <browne> https://review.openstack.org/#/c/163088/
18:46:00 <morganfainberg> bknudson, yes there should be a g-r update
18:46:10 <morganfainberg> browne, yay!
18:46:18 <morganfainberg> browne, thats cool.
18:46:36 <bknudson> that must rely on openssl?
18:46:40 <ayoung> Ah...cool.  that is for the setup.  Need to -2 that one
18:46:42 <haneef> ayoung: https://review.openstack.org/#/c/163088/
18:46:46 <ayoung> Its right, but not right enopguh
18:46:49 <topol> browne, Really?  we can do that now?  Thats awesome!
18:46:51 <amakarov> wow, at long last!
18:46:53 <marekd> browne: does it also spawns new process?
18:46:59 <dolphm> morganfainberg: i believe alex gaynor implemented everything we needed to replace openssl while sitting at the keystone pod in atlanta
18:47:12 <dolphm> marekd: no
18:47:18 <morganfainberg> bknudson, https://review.openstack.org/#/c/164289/
18:47:23 <browne> marekd: no, library calls.  this patch only replace rsa key generation
18:47:25 <dolphm> pypi/cryptography implements it's own primitives
18:47:32 <bknudson> morganfainberg: y, +2 it.
18:47:45 <browne> and requires python-cryptography 0.8
18:47:48 <dolphm> browne: going to do validation next?
18:47:52 <morganfainberg> bknudson, i can only +1 requirements
18:48:04 <dolphm> browne: does global requirements require 0.8?
18:48:18 <browne> dolphm: yeah, i want to, more work for sure.
18:48:21 <dolphm> oh i see the review
18:48:29 <ayoung> doesn't matter, we want to kill that code path anyway.
18:49:00 <ayoung> selfsigning was never the right approach for SSL, and if we do it, it should not be embedded in the keystone code
18:49:02 <bknudson> #showvote
18:49:06 <dolphm> browne: add "Depends-On: I98941cce82d3c33bcc95ecc48ecff413ef81664a" to your keystone patch commit message
18:49:09 <ayoung> its not their code that is wrong, it is ours
18:49:13 <gyee> ayoung, by they are two different issues
18:49:20 <morganfainberg> bknudson, highly contentious, with people switching votes
18:49:22 <ayoung> gyee,
18:49:26 <gyee> one is about key management
18:49:29 <dolphm> browne: IF you don't want your patch to ever be tested without cryptography > 0.8
18:49:32 <ayoung> https://review.openstack.org/#/c/134099/
18:49:37 <ayoung> gyee, ^^
18:49:39 <gyee> the other to replace openssl command line call
18:50:17 <ayoung> gyee the openssl command line call can go away, and be replaced by the certmonger call
18:50:34 <gyee> ayoung, so certmonger does both?
18:50:35 <ayoung> I mean, where they *fixed* things it is arguable irrelevant.
18:50:37 <ayoung> Yep
18:50:43 <gyee> nice
18:50:43 <topol> ayoung, VERY COOL!
18:50:50 <browne> is certmonger another command line?
18:51:09 <morganfainberg> browne, yes, but it can talk to secure cert stores.
18:51:19 <morganfainberg> browne, vs needing a cert in an insecure location(ish) thing.
18:51:27 <ayoung> command line is irrelevant
18:51:36 <lbragstad> ~ 9 minutes left
18:51:39 <ayoung> we need the library for the hot path
18:51:41 <topol> ayoung, doesnt command line imply a performance hit?
18:51:44 <ayoung> signing and validating certs
18:51:48 <ayoung> topol, this is at setup
18:51:50 <morganfainberg> browne, there are further discussons to using certmonger, but that is not today
18:51:51 <ayoung> so irrelevant
18:52:04 <topol> ayoung, K
18:52:09 <morganfainberg> ok so back on topic
18:52:23 <ayoung> topol, certmonger is just for provisioning,  we need cryptography.py for keystoneclient
18:52:26 <morganfainberg> requirements: nothing is moving, please vote on bknudson's patch.
18:52:30 <morganfainberg> i wont -2
18:52:33 <ayoung> server calls in to client to sign tokens
18:52:44 <browne> ayoung: command line is not irrelevant with keystoneclient anyway.  i was seeing huge numbers of open file handles due to the exec (and chatty neutron)
18:52:44 <morganfainberg> ayoung, please defer this to later
18:52:51 <ayoung> ++
18:53:20 <morganfainberg> if you want msgpack and crypto over in test-requirements please +2/+1
18:53:25 <morganfainberg> if you don't care, no vote -1.
18:53:33 <morganfainberg> no vote/-1
18:54:00 <bknudson> alright, thanks.
18:54:06 <morganfainberg> i'll either press approve based on overall score on post k3 or -2/abandon
18:54:11 <topol> is there a good reason to move beyond the "it should be there"
18:54:16 <ayoung> vote yes
18:54:23 <ayoung> vote for pedro
18:55:07 <gyee> vote for jeb
18:55:08 <morganfainberg> this is a simple case where overall score will win, a +2/+1 is 1 point for, a -1 is a vote against. just score the patch the way you feel.
18:55:24 <topol> if folks are used to it being in requirements we just cause pain by moving to test
18:55:34 <morganfainberg> topol, this is just for fernet
18:55:41 <morganfainberg> the 2 items bknudson wanted to move
18:55:46 <morganfainberg> crypto and msgpack
18:55:48 <morganfainberg> nothing else is moving
18:55:50 <topol> K, so no larger impact. got it
18:55:52 <bknudson> those are both new
18:56:07 <morganfainberg> next quick topic
18:56:10 <topol> K. brad slow on St Patricks day (and all other days)
18:56:15 <morganfainberg> #topic Liberty Specs
18:56:32 <morganfainberg> I will be sending the announcemenrt that liberty spec proposals will be open as soon as K3 has been tagged
18:56:45 <morganfainberg> #info morganfainberg will be sending the announcemenrt that liberty spec proposals will be open as soon as K3 has been tagged
18:57:11 <morganfainberg> the goal is to make it so we can have spec discussions (like at the midcycle) but at the summit this time
18:57:21 <marekd> ++
18:57:44 <marekd> so we should start working on the specs right about almost now.
18:57:49 <morganfainberg> getitng almost a full ½ dev cycle on specs by L1 so we can avoid piling everything into the 3rd milestone
18:58:02 <morganfainberg> marekd, that is why we're going to open spec proposals now :)
18:58:08 <samueldmq> morganfainberg, ++
18:58:21 <morganfainberg> marekd, well this week :)
18:58:37 <marekd> morganfainberg: that's why i said "almost now" :-)
18:58:40 <morganfainberg> thats all i have.
18:58:48 <morganfainberg> and we should clear out of here for the nice -infra folks
18:58:56 <morganfainberg> drink an irish drink or something
18:59:05 <morganfainberg> #endmeeting