The Gentoo Council Meeting was held on Sunday 2017-11-12 at 18:00 UTC
in the #gentoo-council channel on Freenode.


1. Roll call
============

Present: dilfridge, k_f, mgorny, slyfox, tamiko, ulm, williamh
Absent: (none)


2. Status of old GLEPs [1]
==========================

Motion:
a. mark Final:
     59 Acce 2008-10-22 Manifest2 hash policies and security implications
b. mark Moribund:
      7 Fina 2003-07-06 New ombudsman position
      8 Fina 2003-07-02 Adopt-A-Developer
     36 Fina 2004-11-11 Subversion/CVS for Gentoo Hosted Projects
7 yes, 0 no, 0 abstained -- motion passed unanimously

Notes:
a. The following GLEP was left Final since there seems to be some
   activity around the topic:
      6 Fina 2003-07-02 Gentoo Linux monthly bug day
b. The state of the following GLEP has not been discussed as the
   security@ team indicated that they are planning an update:
     14 Acce 2003-08-18 security updates based on GLSA


3. GLEP 66 (Gentoo git workflow)
================================

Motion: mark GLEP 66 Final
7 yes, 0 no, 0 abstained -- motion passed unanimously


4. GLEP 65 (Post-install QA checks)
===================================

Motion: Mark GLEP 65 Accepted, pending Final when tree-signing
is implemented
7 yes, 0 no, 0 abstained -- motion passed unanimously


5. manifest-hashes
==================

After a lively debate, the Council has voted on the following motion:

Change manifest-hashes to 'BLAKE2 SHA512' according to the plan in [2]
with the exception that the Council will vote on removing SHA512 later
7 yes, 0 no, 0 abstained -- motion passed unanimously

Notes:
a. The Council argued that the 36 month period for dropping SHA512
   should not be set in stone. Instead, the Council should vote on
   doing that when it makes sense to proceed.
b. slyfox has suggested getting an additional review from security@.


6. GLEP 74 (Full-tree verification using Manifest files)
========================================================

During the debate the following issues were pointed out:

a. dilfridge has pointed out that the TIMESTAMP tag description is
   unclear on whether it is allowed in sub-Manifests, and what the
   meaning of sub-Manifest timestamps is.

b. k_f pointed out that the following wording could suggest that
   a sub-Manifest may not be included in the top-level Manifest:

     "The sub-Manifest can also be signed using OpenPGP armored
     cleartext format. However, the signature verification can be
     omitted if it is covered by a signed top-level Manifest."

   dilfridge suggested changing it to:

     "However, the signature verification can be omitted since it
     already is covered by the signed top-level manifest."

c. robbat2 has pointed out an additional use case for additional
   OpenPGP signatures and timestamp entries. They could be used to
   make the sub-Manifest, e.g. in metadata/glsa, a valid top-level
   Manifest so that it could be used stand-alone with a partial
   checkout, e.g. purely for GLSA tooling.

d. k_f has pointed out that the compression of the top-level Manifest
   should be forbidden to prevent exploiting the compressor, since
   the signature is included inside the compressed file and therefore
   the compressed content is not verified.

e. slyfox has suggested getting an additional review from security@.

Motion: Pre-approve GLEP 74 given changes b.+d. listed above, and give
green light for Infra testing
7 yes, 0 no, 0 abstained -- motion passed unanimously


7. EAPI 7 feature/spec pre-approval
===================================

The Council has iterated over all the items suggested in EAPI 7.
The following table lists all the votes that have taken place,
grouped whenever the Council has been voting on multiple items.

Feature                                         Y N A Result
=============================================== = = = ================
Runtime-modifiable USE flags (IUSE_RUNTIME)     7 0 0 accepted
Automatic enforcing of REQUIRED_USE (GLEP 73)   2 2 3 rejected
BDEPEND + BROOT, SYSROOT (cross-compile bits)   7 0 0 accepted
Profile-defined unsetting of vars (ENV_UNSET)   7 0 0 accepted
Sandbox path removal (rm* analogs to add*)      4 0 3 accepted
Version manipulation & comparison commands      7 0 0 accepted
----------------------------------------------- - - - ----------------
Directory support for profiles/package.mask
Directory support for profile files             6 0 1 accepted
----------------------------------------------- - - - ----------------
||= dependency groups (binding at build time)   4 0 3 accepted
----------------------------------------------- - - - ----------------
nonfatal as a function and an external command
die works in a subshell/subcommand              7 0 0 accepted
----------------------------------------------- - - - ----------------
Require bash 4.3                                1 1 5 rejected
Empty || ?? groups do not count as matched      x x x accepted [a]
Remove trailing slash from {,E}ROOT and {,E}D   6 0 1 accepted
----------------------------------------------- - - - ----------------
Require GNU patch 2.7
Require einfo & co not to pollute stdout
Make domo install to /usr instead of DESTTREE
Ban package.provided in profiles
Ban PORTDIR and ECLASSDIR variables
Ban DESTTREE and INSDESTTREE variables
Ban dohtml function
Ban dolib and libopts commands                  7 0 0 accepted
=============================================== = = = ================

[a]. The feature was already accepted at the previous meeting.


8. Open bugs with Council involvement
=====================================

The bugs covered by other agenda items were omitted from this point.

a. #587226 "[PATCH] PMS: Clarify/specify when and how to store the
   slot/sub-slot part for equals slot operator" [3]

   The Council has pointed out that ||= has been approved as a proper
   fix for EAPI 7.

   Motion: approve the patch in bug #587226
   0 yes, 5 no, 2 abstained -- motion did not pass

b. #634406 "larrythecow.org potentially(?) profiting off of Gentoo
   mascot's name." [4]

   The Council has pointed out that it's not Council territory.

   Motion: un-CC from bug #634406
   7 yes, 0 no, 0 abstained -- motion passed unanimously

c. #629554 "HPPA arch stabilization problem" [5]

   The Council debated between closing it as solved or deferring
   to continue monitoring the situation:

   Motion: Close bug #629554 as fixed
   4 yes, 1 no, 2 abstained -- motion passed


9. Open floor
=============

The floor has been opened at 20:28 UTC.

During the open floor, dwfreed asked for rationale on banning dolib.
No other topics were raised.

The meeting has been concluded at 20:35 UTC.


References
==========

[1]: https://bugs.gentoo.org/634100
[2]: https://archives.gentoo.org/gentoo-dev/message/682618f6d1cf4d63b30577cb1e9bd269
[3]: https://bugs.gentoo.org/587226
[4]: https://bugs.gentoo.org/634406
[5]: https://bugs.gentoo.org/629554
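
Added example (not part of the minutes, and not Gentoo or Portage code) for the concern in item 6.d and the two-hash policy in item 5: bytes are checked against an already verified parent entry before a decompressor touches them, and a compressed top-level Manifest is refused outright. Assumptions: the entry layout "MANIFEST <path> <size> <HASH> <hex> ...", the hash name BLAKE2B mapped to Python's 64-byte hashlib.blake2b, and all function names are hypothetical; OpenPGP verification of the top-level Manifest is out of scope.

```python
import gzip
import hashlib

# Assumed policy and hash names; hashlib.blake2b defaults to a 64-byte digest.
REQUIRED = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}
# Magic numbers of gzip, bzip2 and xz streams.
COMPRESSED_MAGIC = (b"\x1f\x8b", b"BZh", b"\xfd7zXZ\x00")

class ManifestError(Exception):
    pass

def make_entry(path, blob):
    """Helper for the constructed sample: build a MANIFEST entry for blob."""
    parts = ["MANIFEST", path, str(len(blob))]
    for name, hasher in REQUIRED.items():
        parts += [name, hasher(blob).hexdigest()]
    return " ".join(parts)

def check_entry(entry, blob):
    """Check raw, still-compressed bytes against an entry from a verified parent."""
    fields = entry.split()
    if len(fields) < 3 or fields[0] != "MANIFEST" or len(fields[3:]) % 2:
        raise ManifestError("malformed entry")
    if not fields[2].isdecimal() or int(fields[2]) != len(blob):
        raise ManifestError("size mismatch")
    listed = dict(zip(fields[3::2], fields[4::2]))
    for name, hasher in REQUIRED.items():  # each required hash must be listed and match
        if name not in listed:
            raise ManifestError("missing required hash " + name)
        if hasher(blob).hexdigest() != listed[name].lower():
            raise ManifestError(name + " mismatch")

def read_sub_manifest(entry, blob):
    """Run the decompressor only on bytes that already passed check_entry()."""
    check_entry(entry, blob)
    return gzip.decompress(blob).decode()

def require_uncompressed_top_level(blob):
    """Reject a compressed top-level Manifest before any decompressor sees it."""
    if blob.startswith(COMPRESSED_MAGIC):
        raise ManifestError("compressed top-level Manifest rejected")
    return True

# Constructed sample: a gzip-compressed sub-Manifest and its parent entry.
SAMPLE_BLOB = gzip.compress(b"DATA example.txt 0\n")
SAMPLE_ENTRY = make_entry("Manifest.files.gz", SAMPLE_BLOB)
```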