==========================
#opendaylight-meeting: tsc
==========================


Meeting started by colindixon at 17:00:07 UTC.  The full logs are
available at
http://meetings.opendaylight.org/opendaylight-meeting/2017/tsc/opendaylight-meeting-tsc.2017-05-04-17.00.log.html
.



Meeting summary
---------------

* agenda bashing  (colindixon, 17:00:15)
  * colindixon  (colindixon, 17:00:25)
  * Anil Vishnoi  (vishnoianil, 17:00:27)
  * skitt  (skitt, 17:00:28)
  * jamoluhrsen  (jamoluhrsen, 17:00:28)
  * Hideyuki  (hideyuki, 17:00:35)
  * LINK:
    https://wiki.opendaylight.org/index.php?title=TSC:Main&oldid=54416#Agenda
    (colindixon, 17:00:35)
  * LINK:
    https://meetings.opendaylight.org/opendaylight-meeting/2017/tsc/opendaylight-meeting-tsc.2017-04-28-03.30.html
    last week's meeting minutes  (colindixon, 17:00:48)
  * ACTION: colindixon, zxiiro and phrobb to come up with a proposal for
    tracking project activity in a positive way  (colindixon, 17:01:09)
  * ACTION: phrobb and tykeal to look into an ODL infra micro-datacenter
    in a box to make things work better at tutorials  (colindixon,
    17:01:09)
  * ACTION: colindixon to try to either find people to document how to
    be compatible with an OpenDaylight release with participating in the
    OpenDaylight simultaneous release  (colindixon, 17:01:10)
  * ACTION: katiezhang to follow up with validation of M4 and M5 Status
    per project here
    https://docs.google.com/spreadsheets/d/1sNscMkUl1uehVF9YF_MDs2p1tWX0is0Q_hgHiHtcQHI/edit#gid=1793320165
    (colindixon, 17:01:11)
  * abhijitkumbhare  (abhijitkumbhare, 17:01:14)
  * rovarga  (rovarga, 17:01:37)
  * LuisGomez  (LuisGomez, 17:03:02)
  * LuisGomez and vrpolak are working on enabling features in the karaf
    4 distribution and filing blocking bugs against projects that aren't
    loading properly  (colindixon, 17:03:19)
  * anipbu  (anipbu, 17:04:18)
  * lori  (lori, 17:04:30)

* events  (colindixon, 17:05:06)
  * LINK: https://www.opendaylight.org/global-events  (colindixon,
    17:05:18)
  * LINK: https://wiki.opendaylight.org/view/Events:Main  (colindixon,
    17:05:24)
  * there's an ONAP event happening now in NJ  (colindixon, 17:05:33)
  * OpenStack Boston is next week  (colindixon, 17:05:56)
  * our DDF is at the end of the month (hopefully) after our release
    (colindixon, 17:06:10)
  * ONAP is working on getting a release plan and timelines for project
    proposals, tentative release date of 11/2 (not approved yet)
    (colindixon, 17:06:48)
  * colindixon notes that ONAP is using ODL Beryllium for both App-C and
    SDN-C  (colindixon, 17:07:21)
  * vishnoianil says that they are trying to move to ODL boron in ONAP
    (colindixon, 17:09:17)
  * ACTION: if you are attending OpenStack Boston, reach out to casey
    since there might be a community event  (colindixon, 17:10:12)

* boron  (colindixon, 17:10:24)
  * nothing this week  (colindixon, 17:10:26)

* carbon  (colindixon, 17:10:32)
  * LINK:
    https://meetings.opendaylight.org/opendaylight-meeting/2017/carbon_release_sync/opendaylight-meeting-carbon_release_sync.2017-05-04-15.01.html
    from the release sync this morning  (colindixon, 17:11:08)
  * LINK:
    https://lists.opendaylight.org/pipermail/release/2017-May/010691.html
    (colindixon, 17:11:36)
  * LINK: https://git.opendaylight.org/gerrit/#/c/56541/ skitt has a
    patch which makes dependency=true default  (colindixon, 17:14:11)
  * rovarga asks if this is true also for bulk feature installation,
    incremental feature installation, or both  (colindixon, 17:16:09)
  * LuisGomez says he's seen both fail in this way, LuisGomez also
    thinks just adding a feature repo  (colindixon, 17:16:52)
  * colindixon wonders if adding repos is really just ascribing blame to
    specific things for random/sporadic failures, LuisGomez says he
    doesn't think so  (colindixon, 17:19:35)
  * rovarga asks if we have these behaviors with reproduction
    instructions documented, LuisGomez says not really yet  (colindixon,
    17:20:05)
  * LINK:
    https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=259245455
    bugs LuisGomez has opened so far are here  (colindixon, 17:20:37)
  * LINK:
    https://docs.google.com/spreadsheets/d/1VcB12FBiFV4GAEHZSspHBNxKI_9XugJp-6Qbbw20Omk/edit#gid=921315511
    blocking bugs tracker  (colindixon, 17:23:11)
  * LINK:
    https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-carbon/
    autorelease job  (colindixon, 17:23:32)
  * LINK:
    https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-notests-carbon/
    jenkins -DskipTest job  (colindixon, 17:23:44)
  * LINK:
    https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-failnever-carbon/
    jenkins -fn and skip SFT job  (colindixon, 17:24:01)
  * LINK: https://git.opendaylight.org/gerrit/56545  (skitt, 17:25:06)
  * we will merge skitt's odlparent dependency=true patch and see if it
    fixes things over the course of the next day  (colindixon, 17:25:29)
  * colindixon asks rovarga if he thinks that featuresBoot features is
    different, rovarga says he thinks so, but it's not clear if
    dependency=true will help or not  (colindixon, 17:26:26)

* keep going on karaf 4?  (colindixon, 17:26:57)
  * we are 1 week from our original planned release date  (colindixon,
    17:27:11)
  * we are 3.5 weeks from the DDF, so if at all possible we'd really
    like to release in 3 weeks or less  (colindixon, 17:27:28)
  * what does that mean we should do with respect to Karaf 4
    (colindixon, 17:27:42)
  * skitt says that Karaf 3 still has security support from apache, but
    that doesn't totally save us as it could be that karaf 3 stops us
    from pulling in a dependency that would be critical for us, but
    doesn't matter to Karaf  (colindixon, 17:28:05)
  * rovarga asks what about apache commons on the classpath that is
    vulnerable and we need to upgrade  (colindixon, 17:29:32)
  * vrpolak asks if karaf 3 will have security support through
    Carbon-SR4 (and actually it really needs to be Oxygen release)
    (colindixon, 17:30:35)
  * abhijitkumbhare is noting that he suspects some downstreams will not
    pick up Karaf 4  (colindixon, 17:33:59)
  * LuisGomez asks if we have an idea of what delay would be reasonable
    and/or tolerable  (colindixon, 17:36:08)
  * ACTION: colindixon to reach out to the advisory group and board
    about how long a delay would be OK  (colindixon, 17:37:17)
  * jamoluhrsen asks if we can EoL Carbon sooner than would normally
    happen, colindixon says maybe, phrobb says that would probably be an
    even bigger exception than a 5-week delay  (colindixon, 17:38:34)
  * phrobb says the biggest thing here is our reputation, we haven't
    slipped this far in a long time  (colindixon, 17:39:30)
  * everyone basically says unless karaf 3.0.x will be supported for
    security updates for another year+, we really don't have a choice
    but to move to Karaf 4 and keep our word about security updates
    (colindixon, 17:40:33)
  * abhijitkumbhare says that if we see carbon slip long enough, then we
    will not need an interim release to re-align  (colindixon, 17:43:16)
  * VOTE: Voted on "assuming (as we expect) that karaf 3.0.x will not
    have security updates for the next year+, should we make karaf 4
    migration a mandatory part of Carbon?" Results are, yes: 10
    (colindixon, 17:49:37)
  * AGREED: assuming Karaf 3 security support for the next year is an
    issue for them, we will keep karaf 4 as mandatory for Carbon
    (colindixon, 17:50:07)

* security mailing list  (colindixon, 17:50:40)
  * rovarga notes (and colindixon confirms) we simply don't have enough
    people with enough free cycles on the security team and security
    mailing list to address the issues that come in in the manner we
    would like to  (colindixon, 17:51:26)
  * skitt asks about the process for handling CVEs in OpenDaylight that
    we know about, colindixon says there is a process and we should have
    private bugs for them, this hasn't happened flawlessly lately for
    the previous reason  (colindixon, 17:52:03)
  * LINK: https://wiki.opendaylight.org/view/Security:Main  (rovarga,
    17:53:59)
  * LINK:
    https://wiki.opendaylight.org/view/TSC:Vulnerability_Management
    (rovarga, 17:54:17)
  * ACTION: colindixon to post current CVEs to the security advisories
    page  (colindixon, 17:55:07)
  * ACTION: colindixon will also make sure security-announce is notified
    (colindixon, 17:55:39)
  * Happy birthday colindixon !  (abhijitkumbhare, 17:56:25)
  * rovarga notes that we really need people that have this security
    issue handling as a top-of-their-stack responsibility, they also
    likely need at least some familiarity with OpenDaylight or a
    willingness to get it to hunt and track issues  (colindixon,
    18:00:25)
  * rovarga asks if there is another place to lean for at least the
    administrative parts of the security issues and track, hound
    OpenDaylight internal people  (colindixon, 18:00:56)
  * dfarrell07 asks if we could try to find a security manager the way
    we've found release managers in the past  (colindixon, 18:01:48)
  * skitt also notes that he'd expect us to handle our own CVEs instead
    of RedHat doing it for us  (colindixon, 18:03:46)
  * we also need to clean up the current people on the security mailing
    list  (colindixon, 18:03:55)
  * ACTION: colindixon to work on maybe scheduling a Beryllium-4.1
    release to handle the fixes  (colindixon, 18:04:50)
  * ACTION: phrobb to bring the need for a security manager to the board
    (colindixon, 18:05:07)
  * we have not had a successful
    https://jenkins.opendaylight.org/releng/view/autorelease/job/autorelease-release-beryllium/
    in 2 months  (rovarga, 18:05:22)

* cookies  (colindixon, 18:05:29)



Meeting ended at 18:05:43 UTC.



Action items, by person
-----------------------

* colindixon
  * colindixon, zxiiro and phrobb to come up with a proposal for
    tracking project activity in a positive way
  * colindixon to try to either find people to document how to be
    compatible with an OpenDaylight release with participating in the
    OpenDaylight simultaneous release
  * colindixon to reach out to the advisory group and board about how
    long a delay would be OK
  * colindixon to post current CVEs to the security advisories page
  * colindixon will also make sure security-announce is notified
  * colindixon to work on maybe scheduling a Beryllium-4.1 release to
    handle the fixes
* **UNASSIGNED**
  * phrobb and tykeal to look into an ODL infra micro-datacenter in a
    box to make things work better at tutorials
  * katiezhang to follow up with validation of M4 and M5 Status per
    project here
    https://docs.google.com/spreadsheets/d/1sNscMkUl1uehVF9YF_MDs2p1tWX0is0Q_hgHiHtcQHI/edit#gid=1793320165
  * if you are attending OpenStack Boston, reach out to casey since
    there might be a community event
  * phrobb to bring the need for a security manager to the board



People present (lines said)
---------------------------

* colindixon (76)
* skitt (15)
* rovarga (11)
* odl_meetbot (11)
* jamoluhrsen (6)
* abhijitkumbhare (5)
* dfarrell07 (3)
* hideyuki (3)
* lori (3)
* anipbu (3)
* vishnoianil (3)
* LuisGomez (2)
* CaseyODL (2)
* vrpolak (1)
* gzhao (1)
* vina_ermagan (1)



Generated by `MeetBot`_ 0.1.4