17:00:07 #startmeeting tsc 17:00:07 Meeting started Thu May 4 17:00:07 2017 UTC. The chair is colindixon. Information about MeetBot at http://ci.openstack.org/meetbot.html. 17:00:07 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:00:07 The meeting name has been set to 'tsc' 17:00:15 #topic agenda bashing 17:00:23 TSC members please #info in 17:00:25 #info colindixon 17:00:27 #info Anil Vishnoi 17:00:28 #info skitt 17:00:28 #info jamoluhrsen 17:00:35 #info Hideyuki 17:00:35 #link https://wiki.opendaylight.org/index.php?title=TSC:Main&oldid=54416#Agenda 17:00:46 vishnoianil, you're not on zoom man? 17:00:48 #link https://meetings.opendaylight.org/opendaylight-meeting/2017/tsc/opendaylight-meeting-tsc.2017-04-28-03.30.html last week's meeting minutes 17:01:09 #action colindixon, zxiiro and phrobb to come up with a proposal for tracking project activity in a positive way 17:01:09 #action phrobb and tykeal to look into an ODL infra micro-datacenter in a box to make things work better at tutorials 17:01:10 #action colindixon to try to either find people to document how to be compatible with an OpenDaylight release with participating in the OpenDaylight simultaneous release 17:01:11 #action katiezhang to follow up with validation of M4 and M5 Status per project here https://docs.google.com/spreadsheets/d/1sNscMkUl1uehVF9YF_MDs2p1tWX0is0Q_hgHiHtcQHI/edit#gid=1793320165 17:01:14 #info abhijitkumbhare 17:01:34 gross 17:01:37 #info rovarga 17:02:04 jamoluhrsen, i am now :) 17:03:02 #info LuisGomez 17:03:19 #Info LuisGomez and vrpolak are working on enabling features in the karaf 4 distribution and filing blocking bugs against projects that aren't loading properly 17:04:09 shague, lori 17:04:18 #info anipbu 17:04:30 #info lori 17:05:06 #topic events 17:05:18 #link https://www.opendaylight.org/global-events 17:05:24 #link https://wiki.opendaylight.org/view/Events:Main 17:05:33 #Info there's an ONAP event happening now in NJ 17:05:56 #info openstack boson is next week 17:06:10 #info our DDF is at the end of the month (hopefully) after our release 17:06:48 #info ONAP is working on getting a release plan and timelines for project proposals, tentative release date of 11/2 (not approved yet) 17:07:21 #info colindixon notes that ONAP is using ODL Beryllium for both App-C and SDN-C 17:08:43 #action colindixon and anipbu to see if we can talk with ONAP about how we might get ONAP to move to newer version of ODL 17:08:55 Heard that as Ed and Steven Colbert :) 17:09:02 #undo 17:09:02 Removing item from minutes: 17:09:17 #Info vishnoianil says that they are trying to move to ODL boron in ONAP 17:10:12 #action if you are attending OpenStack Boston, reach out to casey since there might be a community event 17:10:24 #topic boron 17:10:26 #info nothing this week 17:10:32 #topic carbon 17:11:08 #link https://meetings.opendaylight.org/opendaylight-meeting/2017/carbon_release_sync/opendaylight-meeting-carbon_release_sync.2017-05-04-15.01.html from the release sync this morning 17:11:36 #link https://lists.opendaylight.org/pipermail/release/2017-May/010691.html 17:14:11 #link https://git.opendaylight.org/gerrit/#/c/56541/ skitt has a patch which makes dependency=true default 17:16:09 #Info rovarga asks if this is true also for bulk feature installation, incremental feature installation, or both 17:16:52 #info LuisGomez says he's seen both fail in this way, LuisGomez also thinks just adding a feature repo 17:19:35 #info colindixon wonders if adding repos is really just ascribing blame to specific things for random/sporadic failures, LuisGomez says he doesn't think so 17:20:05 #info rovarga asks if we have these behaviors with reproduction instructions documented, LuisGomez says not really yet 17:20:37 #link https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=259245455 bugs LuisGomez has opened so far are here 17:23:11 #link https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=921315511 blocking bugs tracker 17:23:32 #link https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-carbon/ autorelease job 17:23:44 #link https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-notests-carbon/ jenkins -DskipTest job 17:24:01 #link https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-failnever-carbon/ jenkins -fn and skip SFT job 17:24:37 skitt: your patch has a conflict vs. carbon, can you cherry-pick it? 17:24:48 rovarga, I'm pushing it right now ;-) 17:25:06 https://git.opendaylight.org/gerrit/56545 17:25:29 #info we will merge skitt's odlparent dependency=true patch and see if it fixe things over the course of the next day 17:26:26 #info colindixon asks rovarga if he thinks that featuresBoot features is different, rovarga says he thinks so, but it's not clear if dpendency=true will help or not 17:26:57 #topic keep going on karaf 4? 17:27:07 #Info we are 1 week from our original planned release datea 17:27:09 #undo 17:27:09 Removing item from minutes: 17:27:11 #Info we are 1 week from our original planned release date 17:27:28 #info we are 3.5 weeks from the DDF, so if at all possible we'd really like to release in 3 weeks or less 17:27:42 #Info what does that mean we should do with respect to Karaf 4 17:28:05 #info skitt says that Karaf 3 still has security support from apache, but that doesn't totally save us as it could be that karaf 3 stops us from pulling in a dependency that would be critical for us, but doesn't matter to Karaf 17:29:03 "has security support from apache" up to Carbon-SR4? 17:29:15 vrpolak, that's a good point, I don't know 17:29:32 #info rovarga asks what about apache commons on the classpath that is vulnerable and we need to upgrade 17:29:33 vrpolak, Karaf 4.2 will be out before then so ... 17:29:34 LuisGomez: do you have an example of the featuresBoot value? 17:29:49 (because yes, boot features can be installed in chunks) 17:30:35 #info vrpolak asks if karaf 3 will have security support through Carbon-SR4 (and actually it really needs to be Oxygen release) 17:33:59 #info abhijitkumbhare is noting that he suspects some downstreams will not pick up Karaf 4 17:36:08 #info LuisGomez asks if we have an idea of what delay would be reasonable and/or tolerable 17:37:17 #action colindixon to reach out to the advisory group and board about how long a delay would be OK 17:38:34 #info jamoluhrsen asks if we can EoL Carbon sooner than would normally happen, colindixon says maybe, phrobb says that would probably be an even bigger exception than a 5-week delay 17:39:30 #info phrobb says the biggest thing here is our reputation, we haven't slipped this far in a long time 17:39:45 rovarga, Karaf 3.0.6 had the fixed commons-collections: https://issues.apache.org/jira/browse/KARAF-4135 17:40:33 #info everyone basically says unless karaf 3.0.x will be supported for security updates for another year+, we really don't have a choice but to move to Karaf 4 and keep our word about security updates 17:40:54 skitt: weird, we definitely have 3.2.1 in our distro right now 17:41:33 rovarga, yeah we'd noticed that too, https://bugzilla.redhat.com/show_bug.cgi?id=1291131 17:41:48 ./karaf/karaf4-parent/target/assembly/system/org/ops4j/pax/web/pax-web-features/4.3.0/pax-web-features-4.3.0-features.xml:178: mvn:commons-collections/commons-collections/3.2.1 17:41:50 oh wow 17:42:00 ah so it's pax-web 17:42:05 and sorry, that's a RH internal bug 17:43:16 #info abhijitkumbhare says that if we see carbon slip long enough, then we will not need an interim release to re-align 17:47:34 #startvote assuming (as we expect) that karaf 3.0.x will not have security updates for the next year+, should we make karaf 4 migration a mandatory part of Carbon? yes, no, abstain 17:47:34 Begin voting on: assuming (as we expect) that karaf 3.0.x will not have security updates for the next year+, should we make karaf 4 migration a mandatory part of Carbon? Valid vote options are yes, no, abstain. 17:47:34 Vote using '#vote OPTION'. Only your last vote counts. 17:48:32 #vote yes 17:48:39 #vote yes 17:48:41 #vote yes 17:48:45 #vote yes 17:48:45 #vote yes 17:48:50 #vote yes 17:48:59 #vote yes 17:49:00 #vote yes 17:49:11 #vote yes 17:49:18 #vote yes (if Karaf 3 supportability for next year is issue) 17:49:18 abhijitkumbhare: yes (if Karaf 3 supportability for next year is issue) is not a valid option. Valid options are yes, no, abstain. 17:49:34 and now our release schedule for carbon should be advertised as *unknown* 17:49:34 #vote yes 17:49:37 #endvote 17:49:37 Voted on "assuming (as we expect) that karaf 3.0.x will not have security updates for the next year+, should we make karaf 4 migration a mandatory part of Carbon?" Results are 17:49:37 yes (10): rovarga, skitt, LuisGomez, hideyuki, colindixon, lori, jamoluhrsen, anipbu, vishnoianil, abhijitkumbhare 17:50:07 #agreed assuming Karaf 3 security support for the next year is an issue for them, we will keep karaf 4 as mandatory for Carbon 17:50:40 #topic security mailing list 17:51:09 #info rovarga notes (and colindixon confirms) we simply don't have enough people on the security team and security mailing list to address the issues that come in in the manner we would like to 17:51:18 #undo 17:51:18 Removing item from minutes: 17:51:26 #info rovarga notes (and colindixon confirms) we simply don't have enough people with enough free cycles on the security team and security mailing list to address the issues that come in in the manner we would like to 17:52:03 #info skitt asks about the process for handling CVEs in OpenDaylight that we know about, colindixon says there is a process and we should have private bugs for them, this hasn't happened flawlessly lately for the previous reason 17:53:52 CaseyODL, things are working again 17:53:57 * dfarrell07 can't find any info problems 17:53:59 #link https://wiki.opendaylight.org/view/Security:Main 17:54:07 infra* 17:54:17 #link https://wiki.opendaylight.org/view/TSC:Vulnerability_Management 17:54:43 dfarrell07, I had a bunch of jobs fail simultaneously with SSH failures 17:54:52 dfarrell07, and Nexus d/l failures 17:55:07 #action colindixon to post current CVEs to the security advisories page 17:55:18 So just to confirm... Infra is up? 17:55:23 CaseyODL, yes 17:55:27 Ok. 17:55:39 #action colindixon will also make sure security-announce is notified 17:56:25 #info Happy birthday colindixon ! 17:56:32 +1 17:56:34 HAPPY BIRTHDAY! 17:56:35 +1 17:56:38 colindixon: Happy Birthday 17:56:42 Happy birthday!!! 17:56:50 happy birthday colindixon 17:57:41 Happy Birthday colindixon 18:00:25 #info rovarga notes that we really need people that have this security issue handling as a top-of-their-stack responsibility, they also likely need at least some familiarity with OpenDaylight or a willingness to get it to hunt and track issues 18:00:56 #info rovarga asks if there is another place to lean for at least the administrative parts of the security issues and track, hound OpenDaylight internal people 18:01:48 #info dfarrell07 asks if we could try to find a security manager the way we've found release managers in the past 18:03:46 #info skitt also notes that he'd expect us to handle our own CVEs instead of RedHat doing it for us 18:03:55 #info we also need to clean up the current people on the security mailing list 18:04:50 #action colindixon to work on maybe schedule a Beryllium-4.1 release to handle the fixes 18:05:07 #action phrobb to bring the need for a security manager to the board 18:05:22 #info we have not had a successful https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-beryllium/ in 2 months 18:05:29 #topic cookies 18:05:43 #endmeeting