15:07:34 <smcginnis> #startmeeting releaseteam
15:07:35 <openstack> Meeting started Fri Dec 21 15:07:34 2018 UTC and is due to finish in 60 minutes.  The chair is smcginnis. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:07:36 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:07:38 <openstack> The meeting name has been set to 'releaseteam'
15:07:54 <smcginnis> ping ttx, dhellmann, diablo_rojo_phon, armstrong, evrardjp, lbragstad
15:08:01 <smcginnis> Sorry, time got away from me this morning.
15:08:18 <lbragstad> o/
15:08:27 <diablo_rojo_phon> Hello
15:08:30 <smcginnis> https://etherpad.openstack.org/p/stein-relmgt-tracking
15:08:39 <dhellmann> o/
15:08:45 <evrardjp> o/
15:08:51 <smcginnis> We are at R-16 now.
15:08:53 <armstrong> o/
15:09:42 <smcginnis> #topic Meeting time change
15:09:44 <evrardjp> FYI I am on PTO until R-13.
15:09:57 <smcginnis> evrardjp: Enjoy!
15:10:19 <smcginnis> Kind of related to the meeting time change, I think we can skip next week's meeting.
15:10:25 <evrardjp> Agreed
15:10:46 <smcginnis> I think most are probably going to be taking some time off or be busy with other things.
15:10:56 <smcginnis> I will be off the 24th to the 2nd.
15:11:16 <smcginnis> Starting in the new year, we will have a new meeting time.
15:11:31 <smcginnis> We had discussed changing and based on the last meeting I had proposed https://review.openstack.org/#/c/625290/
15:11:58 <smcginnis> It really doesn't help Tony, unfortunately, but I don't think we could find a time that would work for EU, US, and APAC.
15:12:53 <smcginnis> So starting in January, meeting will now be on Thursday at 1600 UTC in the #openstack-release channel.
15:13:26 <smcginnis> Any comments, concerns, thoughts on that topic?
15:13:56 <evrardjp> It's impossible to please everyone...
15:14:02 <evrardjp> I like the new meeting time
15:14:07 <diablo_rojo_phon> I'm happy to not have to wake up at 6:57AM after this week?
15:14:09 <evrardjp> thanks for the change
15:14:28 <smcginnis> diablo_rojo_phon: Hopefully that makes it a little more pleasant.
15:14:34 <diablo_rojo_phon> Yes, definitely thank you
15:15:06 <ttx> Thought we had cancelled the meeting this week
15:15:16 <smcginnis> Did we?
15:15:31 <fungi> also a reasonable choice
15:15:35 <smcginnis> Well.. surprise? :)
15:15:39 <dhellmann> there's not much to talk about
15:15:56 <smcginnis> I did want to at least officially state the meeting time change.
15:16:05 <ttx> Technically, the eavesdrop calendar does not have one this week
15:16:05 <smcginnis> But other than that, not much to go over this week.
15:16:19 <dhellmann> I threw a link to the eavesdrop session we had on monday into the tracking pad in case someone wants to go through it to look for things we don't have documented more formally
15:16:26 <smcginnis> Ah, that's because the time change patch was merged right away I guess.
15:16:26 <ttx> since the change merged earlier this week and describes meetings starting next year :P
15:16:39 <smcginnis> #topic Release onboarding
15:16:43 <ttx> I had one topic though :)
15:16:49 <smcginnis> This is the other thing I wanted to officially recognize.
15:16:56 <smcginnis> Thanks dhellmann for running that training.
15:17:07 <smcginnis> #link http://eavesdrop.openstack.org/irclogs/%23openstack-release/%23openstack-release.2018-12-17.log.html#t2018-12-17T19:16:46
15:17:17 <fungi> i found the onboarding session very enlightening, thanks again dhellmann!
15:17:30 <dhellmann> thank you all for attending!
15:17:34 <smcginnis> I think that will be useful if anyone else wants to read through too. Even if they don't get the real time code review experience. :)
15:18:10 <smcginnis> ttx: What is your topic?
15:18:13 <diablo_rojo_phon> Thank you dhellmann for spending two hours educating me on release things :)
15:18:26 <ttx> http://lists.openstack.org/pipermail/openstack-discuss/2018-December/001256.html
15:18:45 <smcginnis> #topic release job failures
15:18:59 <smcginnis> Oh, the rerelease failure
15:19:04 <ttx> If someone knows what that "found 42 vulnerabilities (2 low, 34 moderate, 6 high)" mention refers to, please let me know
15:19:32 <ttx> It's an NPM feature that checks the stuff you're trying to upload for known vulnerabilities in deps
15:19:36 <smcginnis> I don't know npm much either, but I think that's pretty normal for that.
15:19:50 <dhellmann> it sounds like they're pinned to old dependencies
15:19:51 <ttx> But the report is a bit unclear
15:20:07 <ttx> it looks like the vulnerabilities arise from npm 4.6.1
15:20:19 <ttx> but I could not find where that was pulled in
15:20:31 <smcginnis> No response to that last post either. But good that it was called out.
15:20:35 <ttx> But it could also be that the report is unclear and that comes from the pinned deps
15:20:38 <smcginnis> I hope that team is looking into it.
15:20:59 <fungi> are you saying the vulnerabilities are in/because of using npm 4.6.1, or that the vulnerability checking/reporting was introduced by npm 4.6.1?
15:21:06 <ttx> Furthermore, it could just be the normal state of things in NPMland
15:21:18 <ttx> Vuln checking was introduced in NPM6
15:21:32 <ttx> But the report mentions +npm@4.6.1
15:21:40 <ttx> just before saying "Boo!"
15:21:43 <fungi> interesting
15:21:58 <ttx> but then that npm@4.6.1 is not listed in the deps of k-s-r
15:22:11 <ttx> and that is the limit of the extent of my npm knowledge
15:22:20 <ttx> which I'd rather keep at that level for my sanity
15:22:26 <smcginnis> ;)
15:22:31 <fungi> yeah, i know npm is a javascript something-or-other
15:22:34 <ttx> so i was pinging the collective mindhive
15:22:58 <smcginnis> Would it be worth another reply there to bump the thread?
15:23:06 <ttx> fungi: would we have some other NPM upload job to check if the mention is different?
15:23:14 <ttx> smcginnis: I just posted one
15:23:14 <smcginnis> It would be nice to have some kind of ack from the team at least that they are aware of it.
15:23:18 <smcginnis> OK, good.
15:23:50 <ttx> I was trying to compare with another similar job output but could not find one at first glance
15:24:02 <smcginnis> If there's something our release jobs need to be checking for that they are not now, I think someone more involved in JS development would need to tell us what that would be.
15:24:04 <fungi> it may be that there are a couple of npm upload jobs still because of an incomplete transition to zuul v3 or something, looking
15:24:25 <ttx> like maybe that npm@4.6.1 is brought in by the job itself, in which case it might make sense to generally update it
15:26:35 <smcginnis> Hopefully there is a response on the thread. Not sure what we can do (or should do) from here.
15:28:52 <smcginnis> Anything else to discuss?
15:28:59 <fungi> #link https://git.openstack.org/cgit/openstack-infra/zuul-jobs/tree/roles/install-nodejs/defaults/main.yaml#n2
15:29:20 <fungi> looks like we default to nodejs v6 which presumably provides npm v6?
15:29:53 * dhellmann has nothing
15:31:05 <smcginnis> OK, let's see if someone more knowledgeable on NPM steps forward.
15:31:11 <smcginnis> I don't have any other agenda items.
15:31:24 <ttx> nothing else on my side
15:31:26 <smcginnis> Unless someone else has something, I think we can close early.
15:31:30 <ttx> except happy holidays
15:31:37 <ttx> starting VERY soon
15:31:58 <smcginnis> I hope everyone has a nice break. Thank you all for being part of the release team.
15:32:06 <fungi> thanks smcginnis!
15:32:13 <smcginnis> #endmeeting