17:00:07 <colindixon> #startmeeting tsc
17:00:07 <odl_meetbot> Meeting started Thu May  4 17:00:07 2017 UTC.  The chair is colindixon. Information about MeetBot at http://ci.openstack.org/meetbot.html.
17:00:07 <odl_meetbot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:07 <odl_meetbot> The meeting name has been set to 'tsc'
17:00:15 <colindixon> #topic agenda bashing
17:00:23 <colindixon> TSC members please #info in
17:00:25 <colindixon> #info colindixon
17:00:27 <vishnoianil> #info Anil Vishnoi
17:00:28 <skitt> #info skitt
17:00:28 <jamoluhrsen> #info jamoluhrsen
17:00:35 <hideyuki> #info Hideyuki
17:00:35 <colindixon> #link https://wiki.opendaylight.org/index.php?title=TSC:Main&oldid=54416#Agenda
17:00:46 <jamoluhrsen> vishnoianil, you're not on zoom man?
17:00:48 <colindixon> #link https://meetings.opendaylight.org/opendaylight-meeting/2017/tsc/opendaylight-meeting-tsc.2017-04-28-03.30.html last week's meeting minutes
17:01:09 <colindixon> #action colindixon, zxiiro and phrobb to come up with a proposal for tracking project activity in a positive way
17:01:09 <colindixon> #action phrobb and tykeal to look into an ODL infra micro-datacenter in a box to make things work better at tutorials
17:01:10 <colindixon> #action colindixon to try to either find people to document how to be compatible with an OpenDaylight release with participating in the OpenDaylight simultaneous release
17:01:11 <colindixon> #action katiezhang to follow up with validation of M4 and M5 Status per project here https://docs.google.com/spreadsheets/d/1sNscMkUl1uehVF9YF_MDs2p1tWX0is0Q_hgHiHtcQHI/edit#gid=1793320165
17:01:14 <abhijitkumbhare> #info abhijitkumbhare
17:01:34 <jamoluhrsen> gross
17:01:37 <rovarga> #info rovarga
17:02:04 <vishnoianil> jamoluhrsen, i am now :)
17:03:02 <LuisGomez> #info LuisGomez
17:03:19 <colindixon> #Info LuisGomez and vrpolak are working on enabling features in the karaf 4 distribution and filing blocking bugs against projects that aren't loading properly
17:04:09 <dfarrell07> shague, lori
17:04:18 <anipbu> #info anipbu
17:04:30 <lori> #info lori
17:05:06 <colindixon> #topic events
17:05:18 <colindixon> #link https://www.opendaylight.org/global-events
17:05:24 <colindixon> #link https://wiki.opendaylight.org/view/Events:Main
17:05:33 <colindixon> #Info there's an ONAP event happening now in NJ
17:05:56 <colindixon> #info openstack Boston is next week
17:06:10 <colindixon> #info our DDF is at the end of the month (hopefully) after our release
17:06:48 <colindixon> #info ONAP is working on getting a release plan and timelines for project proposals, tentative release date of 11/2 (not approved yet)
17:07:21 <colindixon> #info colindixon notes that ONAP is using ODL Beryllium for both App-C and SDN-C
17:08:43 <colindixon> #action colindixon and anipbu to see if we can talk with ONAP about how we might get ONAP to move to newer version of ODL
17:08:55 <abhijitkumbhare> Heard that as Ed and Steven Colbert :)
17:09:02 <colindixon> #undo
17:09:02 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Action object at 0x1cbe690>
17:09:17 <colindixon> #Info vishnoianil says that they are trying to move to ODL boron in ONAP
17:10:12 <colindixon> #action if you are attending OpenStack Boston, reach out to casey since there might be a community event
17:10:24 <colindixon> #topic boron
17:10:26 <colindixon> #info nothing this week
17:10:32 <colindixon> #topic carbon
17:11:08 <colindixon> #link https://meetings.opendaylight.org/opendaylight-meeting/2017/carbon_release_sync/opendaylight-meeting-carbon_release_sync.2017-05-04-15.01.html from the release sync this morning
17:11:36 <colindixon> #link https://lists.opendaylight.org/pipermail/release/2017-May/010691.html
17:14:11 <colindixon> #link https://git.opendaylight.org/gerrit/#/c/56541/ skitt has a patch which makes dependency=true default
17:16:09 <colindixon> #Info rovarga asks if this is true also for bulk feature installation, incremental feature installation, or both
17:16:52 <colindixon> #info LuisGomez says he's seen both fail in this way, LuisGomez also thinks just adding a feature repo
17:19:35 <colindixon> #info colindixon wonders if adding repos is really just ascribing blame to specific things for random/sporadic failures, LuisGomez says he doesn't think so
17:20:05 <colindixon> #info rovarga asks if we have these behaviors with reproduction instructions documented, LuisGomez says not really yet
17:20:37 <colindixon> #link https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=259245455 bugs LuisGomez has opened so far are here
17:23:11 <colindixon> #link https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=921315511 blocking bugs tracker
17:23:32 <colindixon> #link https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-carbon/ autorelease job
17:23:44 <colindixon> #link https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-notests-carbon/ jenkins -DskipTest job
17:24:01 <colindixon> #link https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-failnever-carbon/ jenkins -fn and skip SFT job
17:24:37 <rovarga> skitt: your patch has a conflict vs. carbon, can you cherry-pick it?
17:24:48 <skitt> rovarga, I'm pushing it right now ;-)
17:25:06 <skitt> https://git.opendaylight.org/gerrit/56545
17:25:29 <colindixon> #info we will merge skitt's odlparent dependency=true patch and see if it fixes things over the course of the next day
17:26:26 <colindixon> #info colindixon asks rovarga if he thinks that featuresBoot features is different, rovarga says he thinks so, but it's not clear if dependency=true will help or not
17:26:57 <colindixon> #topic keep going on karaf 4?
17:27:07 <colindixon> #Info we are 1 week from our original planned release datea
17:27:09 <colindixon> #undo
17:27:09 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Info object at 0x1cbefd0>
17:27:11 <colindixon> #Info we are 1 week from our original planned release date
17:27:28 <colindixon> #info we are 3.5 weeks from the DDF, so if at all possible we'd really like to release in 3 weeks or less
17:27:42 <colindixon> #Info what does that mean we should do with respect to Karaf 4
17:28:05 <colindixon> #info skitt says that Karaf 3 still has security support from apache, but that doesn't totally save us as it could be that karaf 3 stops us from pulling in a dependency that would be critical for us, but doesn't matter to Karaf
17:29:03 <vrpolak> "has security support from apache" up to Carbon-SR4?
17:29:15 <skitt> vrpolak, that's a good point, I don't know
17:29:32 <colindixon> #info rovarga asks what about apache commons on the classpath that is vulnerable and we need to upgrade
17:29:33 <skitt> vrpolak, Karaf 4.2 will be out before then so ...
17:29:34 <rovarga> LuisGomez: do you have an example of the featuresBoot value?
17:29:49 <rovarga> (because yes, boot features can be installed in chunks)
17:30:35 <colindixon> #info vrpolak asks if karaf 3 will have security support through Carbon-SR4 (and actually it really needs to be Oxygen release)
17:33:59 <colindixon> #info abhijitkumbhare is noting that he suspects some downstreams will not pick up Karaf 4
17:36:08 <colindixon> #info LuisGomez asks if we have an idea of what delay would be reasonable and/or tolerable
17:37:17 <colindixon> #action colindixon to reach out to the advisory group and board about how long a delay would be OK
17:38:34 <colindixon> #info jamoluhrsen asks if we can EoL Carbon sooner than would normally happen, colindixon says maybe, phrobb says that would probably be an even bigger exception than a 5-week delay
17:39:30 <colindixon> #info phrobb says the biggest thing here is our reputation, we haven't slipped this far in a long time
17:39:45 <skitt> rovarga, Karaf 3.0.6 had the fixed commons-collections: https://issues.apache.org/jira/browse/KARAF-4135
17:40:33 <colindixon> #info everyone basically says unless karaf 3.0.x will be supported for security updates for another year+, we really don't have a choice but to move to Karaf 4 and keep our word about security updates
17:40:54 <rovarga> skitt: weird, we definitely have 3.2.1 in our distro right now
17:41:33 <skitt> rovarga, yeah we'd noticed that too, https://bugzilla.redhat.com/show_bug.cgi?id=1291131
17:41:48 <rovarga> ./karaf/karaf4-parent/target/assembly/system/org/ops4j/pax/web/pax-web-features/4.3.0/pax-web-features-4.3.0-features.xml:178:        <bundle dependency="true">mvn:commons-collections/commons-collections/3.2.1</bundle>
17:41:50 <rovarga> oh wow
17:42:00 <skitt> ah so it's pax-web
17:42:05 <skitt> and sorry, that's a RH internal bug
17:43:16 <colindixon> #info abhijitkumbhare says that if we see carbon slip long enough, then we will not need an interim release to re-align
17:47:34 <colindixon> #startvote assuming (as we expect) that karaf 3.0.x will not have security updates for the next year+, should we make karaf 4 migration a mandatory part of Carbon? yes, no, abstain
17:47:34 <odl_meetbot> Begin voting on: assuming (as we expect) that karaf 3.0.x will not have security updates for the next year+, should we make karaf 4 migration a mandatory part of Carbon? Valid vote options are yes, no, abstain.
17:47:34 <odl_meetbot> Vote using '#vote OPTION'. Only your last vote counts.
17:48:32 <colindixon> #vote yes
17:48:39 <skitt> #vote yes
17:48:41 <vishnoianil> #vote yes
17:48:45 <rovarga> #vote yes
17:48:45 <hideyuki> #vote yes
17:48:50 <lori> #vote yes
17:48:59 <anipbu> #vote yes
17:49:00 <LuisGomez> #vote yes
17:49:11 <jamoluhrsen> #vote yes
17:49:18 <abhijitkumbhare> #vote yes (if Karaf 3 supportability for next year is issue)
17:49:18 <odl_meetbot> abhijitkumbhare: yes (if Karaf 3 supportability for next year is issue) is not a valid option. Valid options are yes, no, abstain.
17:49:34 <jamoluhrsen> and now our release schedule for carbon should be advertised as *unknown*
17:49:34 <abhijitkumbhare> #vote yes
17:49:37 <colindixon> #endvote
17:49:37 <odl_meetbot> Voted on "assuming (as we expect) that karaf 3.0.x will not have security updates for the next year+, should we make karaf 4 migration a mandatory part of Carbon?" Results are
17:49:37 <odl_meetbot> yes (10): rovarga, skitt, LuisGomez, hideyuki, colindixon, lori, jamoluhrsen, anipbu, vishnoianil, abhijitkumbhare
17:50:07 <colindixon> #agreed assuming Karaf 3 security support for the next year is an issue for them, we will keep karaf 4 as mandatory for Carbon
17:50:40 <colindixon> #topic security mailing list
17:51:09 <colindixon> #info rovarga notes (and colindixon confirms) we simply don't have enough people on the security team and security mailing list to address the issues that come in in the manner we would like to
17:51:18 <colindixon> #undo
17:51:18 <odl_meetbot> Removing item from minutes: <MeetBot.ircmeeting.items.Info object at 0x1a39090>
17:51:26 <colindixon> #info rovarga notes (and colindixon confirms) we simply don't have enough people with enough free cycles on the security team and security mailing list to address the issues that come in in the manner we would like to
17:52:03 <colindixon> #info skitt asks about the process for handling CVEs in OpenDaylight that we know about, colindixon says there is a process and we should have private bugs for them, this hasn't happened flawlessly lately for the previous reason
17:53:52 <skitt> CaseyODL, things are working again
17:53:57 * dfarrell07 can't find any info problems
17:53:59 <rovarga> #link https://wiki.opendaylight.org/view/Security:Main
17:54:07 <dfarrell07> infra*
17:54:17 <rovarga> #link https://wiki.opendaylight.org/view/TSC:Vulnerability_Management
17:54:43 <skitt> dfarrell07, I had a bunch of jobs fail simultaneously with SSH failures
17:54:52 <skitt> dfarrell07, and Nexus d/l failures
17:55:07 <colindixon> #action colindixon to post current CVEs to the security advisories page
17:55:18 <CaseyODL> So just to confirm... Infra is up?
17:55:23 <skitt> CaseyODL, yes
17:55:27 <CaseyODL> Ok.
17:55:39 <colindixon> #action colindixon will also make sure security-announce is notified
17:56:25 <abhijitkumbhare> #info Happy birthday colindixon !
17:56:32 <skitt> +1
17:56:34 <jamoluhrsen> HAPPY BIRTHDAY!
17:56:35 <lori> +1
17:56:38 <gzhao> colindixon: Happy Birthday
17:56:42 <hideyuki> Happy birthday!!!
17:56:50 <anipbu> happy birthday colindixon
17:57:41 <vina_ermagan> Happy Birthday colindixon
18:00:25 <colindixon> #info rovarga notes that we really need people that have this security issue handling as a top-of-their-stack responsibility, they also likely need at least some familiarity with OpenDaylight or a willingness to get it to hunt and track issues
18:00:56 <colindixon> #info rovarga asks if there is another place to lean for at least the administrative parts of the security issues and track, hound OpenDaylight internal people
18:01:48 <colindixon> #info dfarrell07 asks if we could try to find a security manager the way we've found release managers in the past
18:03:46 <colindixon> #info skitt also notes that he'd expect us to handle our own CVEs instead of RedHat doing it for us
18:03:55 <colindixon> #info we also need to clean up the current people on the security mailing list
18:04:50 <colindixon> #action colindixon to work on maybe scheduling a Beryllium-4.1 release to handle the fixes
18:05:07 <colindixon> #action phrobb to bring the need for a security manager to the board
18:05:22 <rovarga> #info we have not had a successful https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-beryllium/ in 2 months
18:05:29 <colindixon> #topic cookies
18:05:43 <colindixon> #endmeeting