==========================
#opendaylight-meeting: tsc
==========================

Meeting started by colindixon at 17:00:07 UTC. The full logs are available at http://meetings.opendaylight.org/opendaylight-meeting/2017/tsc/opendaylight-meeting-tsc.2017-05-04-17.00.log.html .

Meeting summary
---------------
* agenda bashing (colindixon, 17:00:15)
  * colindixon (colindixon, 17:00:25)
  * Anil Vishnoi (vishnoianil, 17:00:27)
  * skitt (skitt, 17:00:28)
  * jamoluhrsen (jamoluhrsen, 17:00:28)
  * Hideyuki (hideyuki, 17:00:35)
  * LINK: https://wiki.opendaylight.org/index.php?title=TSC:Main&oldid=54416#Agenda (colindixon, 17:00:35)
  * LINK: https://meetings.opendaylight.org/opendaylight-meeting/2017/tsc/opendaylight-meeting-tsc.2017-04-28-03.30.html last week's meeting minutes (colindixon, 17:00:48)
  * ACTION: colindixon, zxiiro and phrobb to come up with a proposal for tracking project activity in a positive way (colindixon, 17:01:09)
  * ACTION: phrobb and tykeal to look into an ODL infra micro-datacenter in a box to make things work better at tutorials (colindixon, 17:01:09)
  * ACTION: colindixon to try to either find people to document how to be compatible with an OpenDaylight release with participating in the OpenDaylight simultaneous release (colindixon, 17:01:10)
  * ACTION: katiezhang to follow up with validation of M4 and M5 Status per project here https://docs.google.com/spreadsheets/d/1sNscMkUl1uehVF9YF_MDs2p1tWX0is0Q_hgHiHtcQHI/edit#gid=1793320165 (colindixon, 17:01:11)
  * abhijitkumbhare (abhijitkumbhare, 17:01:14)
  * rovarga (rovarga, 17:01:37)
  * LuisGomez (LuisGomez, 17:03:02)
  * LuisGomez and vrpolak are working on enabling features in the karaf 4 distribution and filing blocking bugs against projects that aren't loading properly (colindixon, 17:03:19)
  * anipbu (anipbu, 17:04:18)
  * lori (lori, 17:04:30)

* events (colindixon, 17:05:06)
  * LINK: https://www.opendaylight.org/global-events (colindixon, 17:05:18)
  * LINK: https://wiki.opendaylight.org/view/Events:Main (colindixon, 17:05:24)
  * there's an ONAP event happening now in NJ (colindixon, 17:05:33)
  * openstack boston is next week (colindixon, 17:05:56)
  * our DDF is at the end of the month (hopefully) after our release (colindixon, 17:06:10)
  * ONAP is working on getting a release plan and timelines for project proposals, tentative release date of 11/2 (not approved yet) (colindixon, 17:06:48)
  * colindixon notes that ONAP is using ODL Beryllium for both App-C and SDN-C (colindixon, 17:07:21)
  * vishnoianil says that they are trying to move to ODL boron in ONAP (colindixon, 17:09:17)
  * ACTION: if you are attending OpenStack Boston, reach out to casey since there might be a community event (colindixon, 17:10:12)

* boron (colindixon, 17:10:24)
  * nothing this week (colindixon, 17:10:26)

* carbon (colindixon, 17:10:32)
  * LINK: https://meetings.opendaylight.org/opendaylight-meeting/2017/carbon_release_sync/opendaylight-meeting-carbon_release_sync.2017-05-04-15.01.html from the release sync this morning (colindixon, 17:11:08)
  * LINK: https://lists.opendaylight.org/pipermail/release/2017-May/010691.html (colindixon, 17:11:36)
  * LINK: https://git.opendaylight.org/gerrit/#/c/56541/ skitt has a patch which makes dependency=true default (colindixon, 17:14:11)
  * rovarga asks if this is true also for bulk feature installation, incremental feature installation, or both (colindixon, 17:16:09)
  * LuisGomez says he's seen both fail in this way, LuisGomez also thinks just adding a feature repo (colindixon, 17:16:52)
  * colindixon wonders if adding repos is really just ascribing blame to specific things for random/sporadic failures, LuisGomez says he doesn't think so (colindixon, 17:19:35)
  * rovarga asks if we have these behaviors with reproduction instructions documented, LuisGomez says not really yet (colindixon, 17:20:05)
  * LINK: https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=259245455 bugs LuisGomez has opened so far are here (colindixon, 17:20:37)
  * LINK: https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=921315511 blocking bugs tracker (colindixon, 17:23:11)
  * LINK: https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-carbon/ autorelease job (colindixon, 17:23:32)
  * LINK: https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-notests-carbon/ jenkins -DskipTest job (colindixon, 17:23:44)
  * LINK: https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-failnever-carbon/ jenkins -fn and skip SFT job (colindixon, 17:24:01)
  * LINK: https://git.opendaylight.org/gerrit/56545 (skitt, 17:25:06)
  * we will merge skitt's odlparent dependency=true patch and see if it fixes things over the course of the next day (colindixon, 17:25:29)
  * colindixon asks rovarga if he thinks that featuresBoot features is different, rovarga says he thinks so, but it's not clear if dependency=true will help or not (colindixon, 17:26:26)

* keep going on karaf 4? (colindixon, 17:26:57)
  * we are 1 week from our original planned release date (colindixon, 17:27:11)
  * we are 3.5 weeks from the DDF, so if at all possible we'd really like to release in 3 weeks or less (colindixon, 17:27:28)
  * what does that mean we should do with respect to Karaf 4 (colindixon, 17:27:42)
  * skitt says that Karaf 3 still has security support from apache, but that doesn't totally save us as it could be that karaf 3 stops us from pulling in a dependency that would be critical for us, but doesn't matter to Karaf (colindixon, 17:28:05)
  * rovarga asks what about apache commons on the classpath that is vulnerable and we need to upgrade (colindixon, 17:29:32)
  * vrpolak asks if karaf 3 will have security support through Carbon-SR4 (and actually it really needs to be Oxygen release) (colindixon, 17:30:35)
  * abhijitkumbhare is noting that he suspects some downstreams will not pick up Karaf 4 (colindixon, 17:33:59)
  * LuisGomez asks if we have an idea of what delay would be reasonable and/or tolerable (colindixon, 17:36:08)
  * ACTION: colindixon to reach out to the advisory group and board about how long a delay would be OK (colindixon, 17:37:17)
  * jamoluhrsen asks if we can EoL Carbon sooner than would normally happen, colindixon says maybe, phrobb says that would probably be an even bigger exception than a 5-week delay (colindixon, 17:38:34)
  * phrobb says the biggest thing here is our reputation, we haven't slipped this far in a long time (colindixon, 17:39:30)
  * everyone basically says unless karaf 3.0.x will be supported for security updates for another year+, we really don't have a choice but to move to Karaf 4 and keep our word about security updates (colindixon, 17:40:33)
  * abhijitkumbhare says that if we see carbon slip long enough, then we will not need an interim release to re-align (colindixon, 17:43:16)
  * VOTE: Voted on "assuming (as we expect) that karaf 3.0.x will not have security updates for the next year+, should we make karaf 4 migration a mandatory part of Carbon?" Results are, yes: 10 (colindixon, 17:49:37)
  * AGREED: assuming Karaf 3 security support for the next year is an issue for them, we will keep karaf 4 as mandatory for Carbon (colindixon, 17:50:07)

* security mailing list (colindixon, 17:50:40)
  * rovarga notes (and colindixon confirms) we simply don't have enough people with enough free cycles on the security team and security mailing list to address the issues that come in in the manner we would like to (colindixon, 17:51:26)
  * skitt asks about the process for handling CVEs in OpenDaylight that we know about, colindixon says there is a process and we should have private bugs for them, this hasn't happened flawlessly lately for the previous reason (colindixon, 17:52:03)
  * LINK: https://wiki.opendaylight.org/view/Security:Main (rovarga, 17:53:59)
  * LINK: https://wiki.opendaylight.org/view/TSC:Vulnerability_Management (rovarga, 17:54:17)
  * ACTION: colindixon to post current CVEs to the security advisories page (colindixon, 17:55:07)
  * ACTION: colindixon will also make sure security-announce is notified (colindixon, 17:55:39)
  * Happy birthday colindixon ! (abhijitkumbhare, 17:56:25)
  * rovarga notes that we really need people that have this security issue handling as a top-of-their-stack responsibility, they also likely need at least some familiarity with OpenDaylight or a willingness to get it to hunt and track issues (colindixon, 18:00:25)
  * rovarga asks if there is another place to lean for at least the administrative parts of the security issues and track, hound OpenDaylight internal people (colindixon, 18:00:56)
  * dfarrell07 asks if we could try to find a security manager the way we've found release managers in the past (colindixon, 18:01:48)
  * skitt also notes that he'd expect us to handle our own CVEs instead of RedHat doing it for us (colindixon, 18:03:46)
  * we also need to clean up the current people on the security mailing list (colindixon, 18:03:55)
  * ACTION: colindixon to work on maybe schedule a Beryllium-4.1 release to handle the fixes (colindixon, 18:04:50)
  * ACTION: phrobb to bring the need for a security manager to the board (colindixon, 18:05:07)
  * we have not had a successful https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-beryllium/ in 2 months (rovarga, 18:05:22)

* cookies (colindixon, 18:05:29)

Meeting ended at 18:05:43 UTC.

Action items, by person
-----------------------
* colindixon
  * colindixon, zxiiro and phrobb to come up with a proposal for tracking project activity in a positive way
  * colindixon to try to either find people to document how to be compatible with an OpenDaylight release with participating in the OpenDaylight simultaneous release
  * colindixon to reach out to the advisory group and board about how long a delay would be OK
  * colindixon to post current CVEs to the security advisories page
  * colindixon will also make sure security-announce is notified
  * colindixon to work on maybe schedule a Beryllium-4.1 release to handle the fixes
* **UNASSIGNED**
  * phrobb and tykeal to look into an ODL infra micro-datacenter in a box to make things work better at tutorials
  * katiezhang to follow up with validation of M4 and M5 Status per project here https://docs.google.com/spreadsheets/d/1sNscMkUl1uehVF9YF_MDs2p1tWX0is0Q_hgHiHtcQHI/edit#gid=1793320165
  * if you are attending OpenStack Boston, reach out to casey since there might be a community event
  * phrobb to bring the need for a security manager to the board

People present (lines said)
---------------------------
* colindixon (76)
* skitt (15)
* rovarga (11)
* odl_meetbot (11)
* jamoluhrsen (6)
* abhijitkumbhare (5)
* dfarrell07 (3)
* hideyuki (3)
* lori (3)
* anipbu (3)
* vishnoianil (3)
* LuisGomez (2)
* CaseyODL (2)
* vrpolak (1)
* gzhao (1)
* vina_ermagan (1)

Generated by `MeetBot`_ 0.1.4