On Thu, Sep 13, 2018 at 11:07:50PM +0200, Miro Hrončok wrote:
> On 13.9.2018 22:44, Petr Šabata wrote:
> > On Fri, Aug 03, 2018 at 04:43:15PM +0200, Miro Hrončok wrote:
> > > Hi,
> > >
> > > I was thinking about this for a while and I got the impression that this is
> > > something I don't know the answer for. The question is a bit harder to
> > > formulate simply, so let put it in examples:
> >
> > I see no one's really responded to this yet (ack!), so let me try...
>
> Thank You! I was starting to feel like nobody cares.
I really hope that's not the case :)
> > > a) A need packaging guideline is about to be discussed. A member of FPC
> > > wants to know how many packages would be affected so they run a quick grep
> > > query over all the rawhide specfiles at [0].
> >
> > Obviously this wouldn't be enough. We would need to find all
> > modules shipped with Rawhide, then all the RPM stream branches
> > they build from, and grep those as well. Perhaps we could
> > do something to generate archives that include all of this
> > automatically.
>
> Please do, otherwise this would be tedious. There are archives with rawhide
> specs.
Noted. I don't have any ETA at this point, though.
> > > b) A CVE is found in a web framework, so bugz are filled for the "framewrok"
> > > package to be fixed in Fedora 27, because newer Fedoras have newer version
> > > of the framework where the CVE is not applicable.
> >
> > Also valid. Rather than just relying on the non-modular package
> > upgrade path, all currently supported modules and their RPMs
> > would need to be checked.
>
> Is the Red Hat security response team aware of that? Do they file bugs for
> modules?
Not yet. I think this is tied to the previous point. They will
also need that archive or something similar. Also noted.
> > > c) A new version of interpreted language lands in rawhide. All packages
> > > depending on the interpeter need mass rebuild in a side tag.
> >
> > This would be a new stream of the interpreter module.
>
> No interpreter module here. An interpreter that lives in non-modular Fedora,
> but various modules possibly use it. I have no idea what modules use it (if
> any) and I have no idea how to easily find out.
>
> I know there is at least one module that uses non-modular Python 2. At least
> we won't rebase that Python to a newer version.
Again the archive ;) We should be including stream-branched
SPEC files as well as currently included modulemds.
> > > d) A packager decides to retire a library and they check nothing in Fedora
> > > requires it.
> >
> > Similar to a) and b). They need to check the currently supported
> > modules as well.
>
> How? We are mass removing python2 packages from rawhide that nothing in
> rawhide depend on. Our automation has no clue about modules and if there are
> modules that use python2-... packages from nonmodular Fedora, we need to
> know.
Same as above.
> > > I wonder how are such situations meant to be handled with modules?
> > > Do we build modules for rawhide? If so, should Fedora changes (such as, but
> > > not limited to, "the Changes") somehow handle all the modules, or is it the
> > > modular maintainer responsibility to make sure their module works on the
> > > next Fedora version?
> >
> > We're aware there are many gaps here. I consider identifying &
> > resolving them a priority for the Modularity WG at the moment,
> > so thank you for contributing.
>
> Thanks for looking into this.
We (Modularity WG) are thinking about new way of organizing &
tracking all these things (currently it's mostly just a shared
document). We'll announce it once ready.
> > > a) I was planning to propose a more strict "No more automagic Python
> > > bytecompilation" [1] change for Fedora 30 where we would query all packages
> > > that depend on the old behavior and mass add "%global
> > > _python_bytecompile_extra 1" to all of them, so we could switch the default
> > > to be 0. Normally, we would do it in Rawhide only. But how do I handle
> > > modules? How do I find out what modular packages rely on the old behavior?
> >
> > Modules typically build the same content in all contexts
> > (buildroots). If that's a problem for this particular change
> > of yours, I think the proper way would be adding %{fedora}
> > conditionals around that macro definition.
>
> No, I don't want to only add this thing if %fedora. Quite the opposite, I
> need to gather a list of packages that rely on the old behavior, so I can
> hotfix/workaround them with that line. See
> https://bugzilla.redhat.com/show_bug.cgi?id=1626685#c2 for what I did in the
> non-modular world to better understand what I mean.
If you're okay with implementing the change in all supported
releases, that just makes it easier. My point was that if you
change is only applicable to Rawhide, for instance, you should
conditionalize your edits, as modules are typically built for
all of them.
> > > b) A CVE was filled for Django [2]. How does the security team responsible
> > > for tracking CVEs figure out we have Django 1.6 in modular Fedora? How is a
> > > bugzilla filled against a modular package anyway?
> >
> > They should file a report against Fedora Modules rather than
> > Fedora, although in practice I suspect people will report bugs
> > as usual. Then it's about the non-modular package maintainer
> > re-assigning the bug properly, if necessary.
>
> I've added a note to that bug about the modular build. Got no response IIRC.
>
> > > c) When we recently mass rebuilt Python 3 packages for Python 3.7, should we
> > > go and seek for modules that use Python 3 (how do I do that?) and rebuild
> > > the packages in the modules (or even the modules?)?
> >
> > Python is part of the "platform" module, so you really need
> > to check all the RPM stream branches used by the currently
> > supported modules.
>
> The change is done now. We've checked no modules. What happens now?
>
> How do I see what modules depend on (non modular) Python 3?
It's not easy to do at the moment.
I suggest you see what modules are tagged into
f{29|30}-modular[-updates[-candidate]]. Then, depending on what
you find out, either scan their binaries or see their modulemds
to see what packages they include and from what branches.
> > You do not rebuild these packages, you rebuild the modules.
> > If there's no change to the SPEC files, you'll have to instruct
> > MBS to do a full rebuild (fedpkg module-build --optional
> > rebuild_strategy=all). We also plan to add more options to
> > limit these rebuilds to specific platforms so you wouldn't be
> > rebuilding for all three or more releases if not required.
>
> Is there a mass rebuild of modules like with packages?
Not yet, unfortunately. We did it manually for F30 but not
for F29. The process needs to be updated; it's on our agenda.
> > > d) (this example is not real (yet)) We decide to retire (remove)
> > > python2-sphinx because upstream Sphinx no longer supports Python 2. We make
> > > sure that nothing in Fedora requires or buildrequires it, as all Fedora's
> > > Python packages use python3-sphinx or no Sphinx at all. However there is a
> > > Django 1.6 module where python-django uses python2-sphinx to build the docs,
> > > while python2-sphinx is not part of the module itself. How do we find out
> > > about this and is it our reprehensibility to keep it in rawhide or add it to
> > > the module?
> >
> > I wouldn't say it's your responsibility to resolve the issue
> > but it is your responsibility to file a bug for the module.
>
> How would I know about that in the first place? How do I query it?
It will either be in the archive :) or you check the tags and
their binaries & modulemds.
> > > Sorry if those things are obvious, yet I don't know the answers. There might
> > > be even more examples where traditionally we would only think rawhide, but
> > > now with modules the problem seems more complex.
> >
> > Keep them coming.
> >
> > I hope this helps at least a little bit, even this late.
>
> If you would ignore the questions entirely, I guess it would mean less work
> for me :D
Apologies ;)
P
>
> --
> Miro Hrončok
> --
> Phone: +420777974800
> IRC: mhroncok
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
