20:32:45 <prometheanfire> #startmeeting requirements
20:32:46 <openstack> Meeting started Wed Feb 13 20:32:45 2019 UTC and is due to finish in 60 minutes.  The chair is prometheanfire. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:32:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:32:49 <openstack> The meeting name has been set to 'requirements'
20:32:49 <prometheanfire> #topic rollcall
20:33:01 <prometheanfire> ping tonyb, prometheanfire, number80, dirk, coolsvap, toabctl, smcginnis, dhellmann
20:33:04 <prometheanfire> o/
20:33:23 <tonyb> \o
20:34:12 <prometheanfire> will wait a min
20:34:25 <tonyb> could be a quick meeting ;P
20:35:37 <prometheanfire> ya
20:35:46 <prometheanfire> #topic issues in the queue
20:35:56 <prometheanfire> just needs votes for stable stuff
20:36:23 <tonyb> Yup I'll do them today
20:36:24 * prometheanfire would like it if people could check the queue at least once a week
20:36:28 <prometheanfire> thanks
20:36:37 <prometheanfire> these are less than a week old though
20:36:47 <tonyb> I'll also send the email about publishing constraints
20:37:12 <prometheanfire> oh? email needed?
20:37:41 <tonyb> prometheanfire: the one you're doing a good job of nagging me about ;P
20:38:27 <prometheanfire> tonyb: blame todoist :P
20:39:08 <prometheanfire> #topic requests updates in stable branches
20:39:36 <tonyb> This is a pretty big and risky change as it's proposed
20:39:43 <prometheanfire> I think https://storyboard.openstack.org/#!/story/2004979 is basically a drive by
20:39:48 <tonyb> I asked if we can get backports
20:39:52 <prometheanfire> ya
20:40:23 <tonyb> is sigmavirus a requests core? can we leverage him to do a thing?
20:40:46 <prometheanfire> I could try asking
20:40:59 <prometheanfire> and check if they even have stable branches
20:41:12 <prometheanfire> next?
20:41:19 <tonyb> I think so
20:41:31 <prometheanfire> #topic ptg/summit
20:41:38 <prometheanfire> still no confirmation here
20:42:01 <dhellmann> we haven't usually worried about raising mins for bugs on libs in stable branches in the past, have we?
20:42:09 <tonyb> I think we'll have a requirements-lib session at the forum, and then a follow-up at the PTG
20:42:18 <dhellmann> there was an email with a list of the teams that had space
20:42:30 <prometheanfire> I did book wedding stuff so I can make it to the ptg part (fly back tuesday, can fly out wednesday)
20:42:30 <tonyb> dhellmann: IIRC we opted for 'hallway / adhoc' space at the PTG
20:42:52 <dhellmann> ok, I wasn't sure what prometheanfire meant about confirmation
20:43:11 <prometheanfire> tonyb: that can work
20:43:19 <prometheanfire> I've responded that reqs people will be there
20:43:23 <tonyb> dhellmann: I think he means from $employer in terms of funding
20:43:25 <prometheanfire> will probably get a day slot for it
20:43:30 <prometheanfire> tonyb: yep
20:43:46 <dhellmann> aha
20:43:56 * dhellmann has no insight there
20:44:33 <tonyb> :D
20:44:48 <prometheanfire> yep, I should know soon though
20:45:35 <prometheanfire> who else is going?
20:45:39 <dhellmann> o/
20:45:49 <dhellmann> I have a ticket, but haven't booked anything else yet
20:46:11 <tonyb> So requests don't do stable branches and sigmavirus is a core
20:46:26 <dhellmann> not surprising
20:46:28 * tonyb has booked flights/hotel and summit pass
20:46:41 <tonyb> I don't think I can do more than that at this point ;p
20:46:49 <dhellmann> it's a bit early to pack
20:47:00 <tonyb> dhellmann: Only a little ;P
20:47:22 <tonyb> dhellmann: but I do have my 'travel box' accumulating stuff to pack ;P
20:47:24 <dhellmann> although I knew a guy once who went on enough trips that he just kept a bag packed all the time
20:47:33 <tonyb> ergh :/
20:47:40 <tonyb> I knew a support guy that did that
20:47:48 <prometheanfire> heh, not that bad
20:47:52 <tonyb> 'cause he'd often get very little notice
20:47:54 * dhellmann would not want that life
20:47:58 <dhellmann> yeah
20:48:03 <prometheanfire> depends, pay me enough
20:48:38 <dhellmann> prometheanfire : ask your fiancé about that
20:48:43 <dhellmann> so, for the security thing, are we capped in those stable branches?
20:49:08 <prometheanfire> well, not now, but before :P
20:49:18 <tonyb> dhellmann: no but the jump from 2.12 -> 2.20 is pretty big and requests used to break stuff in minor releases
20:49:18 <dhellmann> yeah :-)
20:49:37 <dhellmann> right, I'm suggesting we not change anything in our setup at all
20:49:56 <dhellmann> if we're not capped, then we're not telling anyone they can't use something newer -- it might not work, but that's not on us
20:50:17 <tonyb> dhellmann: We can probably reach out via VMT to find security contacts and get them to test $projects against the proposed update
20:50:26 <dhellmann> we could always try raising the constraint in that branch as a test, but we don't do that for other things that don't break our gate
20:50:36 <prometheanfire> ya, the diff between those versions is a bit big
20:50:40 <tonyb> dhellmann: true, downstream is free to upgrade and/or backport
20:50:42 <prometheanfire> we can test it of course as well
20:50:51 <tonyb> dhellmann: I was thinking about our gate etc
20:51:07 <dhellmann> right, if someone comes around and says "in order to make these stable branches work with 2.20 we need this patch" then we have a useful update to consider
20:51:12 <dhellmann> just raising the minimum doesn't seem useful
20:51:51 <dhellmann> so I would reject the current patch with that explanation, and wait for further communication
20:53:08 <prometheanfire> so... next steps, test an update?
20:53:30 <dhellmann> what's motivating us to update anything?
20:53:36 <prometheanfire> CVE
20:53:48 <dhellmann> if it was not a CVE, we wouldn't?
20:54:00 <prometheanfire> update a stable branch? correct
20:54:04 <tonyb> dhellmann: correct
20:54:11 <prometheanfire> security updates are one of the exceptions
20:54:25 <prometheanfire> but it's not JUST security :|
20:54:27 <dhellmann> I could see removing an exclusion or cap. I don't think we need to raise the min.
20:55:05 <tonyb> I don't think we need to raise the minimum at all, but upping u-c is something we should do
20:55:20 <dhellmann> Do we expect this CVE to cause issues for us in the gate?
20:55:31 <prometheanfire> tonyb: agreed, test the uc bump (and cap removal if needed) but don't bump min
20:55:34 <tonyb> the CVE specifically no
20:55:53 <tonyb> prometheanfire: I don't think there are any caps to remove
20:56:04 <dhellmann> Then what about the nature of this bug means we want to treat it differently? Just because it's security related?
20:56:26 <tonyb> dhellmann: Yes
20:56:41 <prometheanfire> yes, it's one of the criteria in evaling stable branch reviews
20:57:45 <prometheanfire> #topic open floor
20:58:26 <tonyb> Nothing from me
20:58:42 * dhellmann has nothing
20:59:09 <prometheanfire> #endmeeting