On 17.9.2018 12:36, Petr Šabata wrote:
On Thu, Sep 13, 2018 at 11:07:50PM +0200, Miro Hrončok wrote:
On 13.9.2018 22:44, Petr Šabata wrote:
On Fri, Aug 03, 2018 at 04:43:15PM +0200, Miro Hrončok wrote:
Hi,
I was thinking about this for a while and I got the impression that this is
something I don't know the answer for. The question is a bit harder to
formulate simply, so let put it in examples:
I see no one's really responded to this yet (ack!), so let me try...
Thank You! I was starting to feel like nobody cares.
I really hope that's not the case :)
a) A need packaging guideline is about to be discussed. A member of FPC
wants to know how many packages would be affected so they run a quick grep
query over all the rawhide specfiles at [0].
Obviously this wouldn't be enough. We would need to find all
modules shipped with Rawhide, then all the RPM stream branches
they build from, and grep those as well. Perhaps we could
do something to generate archives that include all of this
automatically.
Please do, otherwise this would be tedious. There are archives with rawhide
specs.
Noted. I don't have any ETA at this point, though.
b) A CVE is found in a web framework, so bugz are filled for the "framewrok"
package to be fixed in Fedora 27, because newer Fedoras have newer version
of the framework where the CVE is not applicable.
Also valid. Rather than just relying on the non-modular package
upgrade path, all currently supported modules and their RPMs
would need to be checked.
Is the Red Hat security response team aware of that? Do they file bugs for
modules?
Not yet. I think this is tied to the previous point. They will
also need that archive or something similar. Also noted.
c) A new version of interpreted language lands in rawhide. All packages
depending on the interpeter need mass rebuild in a side tag.
This would be a new stream of the interpreter module.
No interpreter module here. An interpreter that lives in non-modular Fedora,
but various modules possibly use it. I have no idea what modules use it (if
any) and I have no idea how to easily find out.
I know there is at least one module that uses non-modular Python 2. At least
we won't rebase that Python to a newer version.
Again the archive ;) We should be including stream-branched
SPEC files as well as currently included modulemds.
Not really here. Parsing specs is hard. We actually need a proper
repoquery setup.
This is what we have now:
https://fedoraproject.org/wiki/SIGs/Python/UpgradingPython#After_a_side_tag_merge
d) A packager decides to retire a library and they check nothing in Fedora
requires it.
Similar to a) and b). They need to check the currently supported
modules as well.
How? We are mass removing python2 packages from rawhide that nothing in
rawhide depend on. Our automation has no clue about modules and if there are
modules that use python2-... packages from nonmodular Fedora, we need to
know.
Same as above.
Same as above. Repoquery, not archive.
I wonder how are such situations meant to be handled with modules?
Do we build modules for rawhide? If so, should Fedora changes (such as, but
not limited to, "the Changes") somehow handle all the modules, or is it the
modular maintainer responsibility to make sure their module works on the
next Fedora version?
We're aware there are many gaps here. I consider identifying &
resolving them a priority for the Modularity WG at the moment,
so thank you for contributing.
Thanks for looking into this.
We (Modularity WG) are thinking about new way of organizing &
tracking all these things (currently it's mostly just a shared
document). We'll announce it once ready.
a) I was planning to propose a more strict "No more automagic Python
bytecompilation" [1] change for Fedora 30 where we would query all packages
that depend on the old behavior and mass add "%global
_python_bytecompile_extra 1" to all of them, so we could switch the default
to be 0. Normally, we would do it in Rawhide only. But how do I handle
modules? How do I find out what modular packages rely on the old behavior?
Modules typically build the same content in all contexts
(buildroots). If that's a problem for this particular change
of yours, I think the proper way would be adding %{fedora}
conditionals around that macro definition.
No, I don't want to only add this thing if %fedora. Quite the opposite, I
need to gather a list of packages that rely on the old behavior, so I can
hotfix/workaround them with that line. See
https://bugzilla.redhat.com/show_bug.cgi?id=1626685#c2 for what I did in the
non-modular world to better understand what I mean.
If you're okay with implementing the change in all supported
releases, that just makes it easier. My point was that if you
change is only applicable to Rawhide, for instance, you should
conditionalize your edits, as modules are typically built for
all of them.
b) A CVE was filled for Django [2]. How does the security team responsible
for tracking CVEs figure out we have Django 1.6 in modular Fedora? How is a
bugzilla filled against a modular package anyway?
They should file a report against Fedora Modules rather than
Fedora, although in practice I suspect people will report bugs
as usual. Then it's about the non-modular package maintainer
re-assigning the bug properly, if necessary.
I've added a note to that bug about the modular build. Got no response IIRC.
c) When we recently mass rebuilt Python 3 packages for Python 3.7, should we
go and seek for modules that use Python 3 (how do I do that?) and rebuild
the packages in the modules (or even the modules?)?
Python is part of the "platform" module, so you really need
to check all the RPM stream branches used by the currently
supported modules.
The change is done now. We've checked no modules. What happens now?
How do I see what modules depend on (non modular) Python 3?
It's not easy to do at the moment.
I suggest you see what modules are tagged into
f{29|30}-modular[-updates[-candidate]]. Then, depending on what
you find out, either scan their binaries or see their modulemds
to see what packages they include and from what branches.
You do not rebuild these packages, you rebuild the modules.
If there's no change to the SPEC files, you'll have to instruct
MBS to do a full rebuild (fedpkg module-build --optional
rebuild_strategy=all). We also plan to add more options to
limit these rebuilds to specific platforms so you wouldn't be
rebuilding for all three or more releases if not required.
Is there a mass rebuild of modules like with packages?
Not yet, unfortunately. We did it manually for F30 but not
for F29. The process needs to be updated; it's on our agenda.
d) (this example is not real (yet)) We decide to retire (remove)
python2-sphinx because upstream Sphinx no longer supports Python 2. We make
sure that nothing in Fedora requires or buildrequires it, as all Fedora's
Python packages use python3-sphinx or no Sphinx at all. However there is a
Django 1.6 module where python-django uses python2-sphinx to build the docs,
while python2-sphinx is not part of the module itself. How do we find out
about this and is it our reprehensibility to keep it in rawhide or add it to
the module?
I wouldn't say it's your responsibility to resolve the issue
but it is your responsibility to file a bug for the module.
How would I know about that in the first place? How do I query it?
It will either be in the archive :) or you check the tags and
their binaries & modulemds.
This is not going to be trivial. If you could provide examples, it would
be great.
Sorry if those things are obvious, yet I don't know the answers. There might
be even more examples where traditionally we would only think rawhide, but
now with modules the problem seems more complex.
Keep them coming.
I hope this helps at least a little bit, even this late.
If you would ignore the questions entirely, I guess it would mean less work
for me :D
Apologies ;)
Don't worry. I guess my questions mean more work for you ;)
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx