--- Log opened Sun Jan 11 11:00:46 2026
11:00:46 * robbat2 bangs the gavel
11:00:59<@mgorny> what, we're already done?
11:01:00<@robbat2> roll-call: arthurzam, dilfridge, mgorny, robbat2, sam, soap, ulm
11:01:00 * mgorny hides
11:01:04 * sam_ here
11:01:05 * arthurzam here
11:01:06 * soap here
11:01:07<@robbat2> gavel for starting the meeting ;-)
11:01:09 * mgorny here
11:01:11 * dilfridge here
11:01:12 * ulm here
11:01:20 * robbat2 here
11:01:39<@robbat2> all present & accounted for
11:01:54<@robbat2> Agenda:
11:01:54<@robbat2> 1. Roll call
11:01:54<@robbat2> 2. Token2 evaluation: how to proceed [1]
11:01:54<@robbat2> 3. Open bugs with Council participation [2]
11:01:55<@robbat2> 4. Open floor
11:02:02<@robbat2> [1] https://bugs.gentoo.org/961811
11:02:12<@robbat2> any last minute additions?
11:02:45<@arthurzam> Works well for me
11:03:00<@arthurzam> I don't know if it will be more durable than nitrokey
11:03:35<@dilfridge> just fyi, for the card sharks among us
11:03:43<@dilfridge> https://www.token2.com/shop/category/fido2-cards
11:04:09<@soap> the nonbranded one is 3.3, which is likely what people want
11:04:26<@dilfridge> the contact card is still release 3, but the pure nfc card has firmware 3.3 which also supports ed25519
11:04:49<@arthurzam> I think it would be an issue that the mails about delivery are sent to treasurer and not the person itself
11:04:53<@dilfridge> unfortunately that one is nfc-only but I guess another one will turn up
11:05:13<@arthurzam> I think the weird email in Hebrew was mysterious for those that saw it
11:05:28<@dilfridge> the package notification?
11:05:33<@arthurzam> yes
11:05:54<@dilfridge> eh as long as it's not farsi :)
11:05:59<@robbat2> yeah; i think that was from the IL mail system
11:06:19<@sam_> I still need to set mine up, sorry; I'll try find time for it this week
11:06:26<@sam_> packaging was fine though
11:06:35<@robbat2> ulm: i don't know what workload you actually tested with yours;
11:06:52<@soap> I still feel the build quality is substantially better than nitro
11:06:57<@robbat2> for whatever workload it was, could you do side-by-side to your nitrokey & openpgp card
11:07:12<@robbat2> the nitrokey build quality was very low so that's not really a high bar
11:07:23<@mgorny> Signature counter : 6738
11:07:36<@mgorny> much faster than nitrokey
11:07:37<@ulm> robbat2: yes, I can also do more tests with different types of keys
11:07:39<@sam_> I've been using a yubikey since I bought one like, 2? 3? years ago, because the nitrokey was so slow
11:07:48<@sam_> (and my nitrokey then died)
11:08:01<+ztrawhcse> I still need to set mine up, hopefully it will go better than the yubikey that the OpenSSF sent me
11:08:11<@ulm> definitely faster than nitrokey 2 or 3, and faster than the zeitcontrol card
11:08:27<@robbat2> tamiko's perf numbers suggest it's still half the speed of a yubikey
11:08:35<+ztrawhcse> (that one I managed to soft brick the first day by attempting to set a pin, as I couldn't figure out how to reset the firmware after it locked me out)
11:08:49<@robbat2> but how fast do we really it to be? matters more for the heavy committers
11:08:59<@arthurzam> ztrawhcse: yeah, I needed to search the net to find the default passwords
11:09:29<@arthurzam> robbat2: good enough that I didn't feel slow down compared to without-key (direct local gpg) when doing the big AT pushes
11:10:04<@arthurzam> big AT pushes is around 200-350 commits that need rebase
11:10:07<@mgorny> robbat2: rebases with nitrokey for me was "get lucky that nobody pushed in the meantime"
11:10:12<@mgorny> now i don't have to worry about it
11:10:25<@mgorny> but curve 25519 keys are the main point
11:11:24<@arthurzam> So for mass reach to devs, we need to doc in wiki "default pins and passwords", "how to migrate to 25519" (including changes in LDAP)
11:12:47<@robbat2> ztrawhcse: the tariff issue - i'm concerned about the level of overhead there
11:12:50<@ulm> one can have a rsa4096 main key and curve25519 subkeys, correct?
11:12:56<@robbat2> for shipping to US recipients
11:13:26<@robbat2> most of that $20 was in DHL processing it, not the tariff itself
11:14:59<@robbat2> 25x US devs * $20USD/ea = extra $500 in those fees
11:15:40<@dilfridge> that makes no sense
11:16:22<@robbat2> i don't follow?
11:16:55<@dilfridge> no, I mean, sending one per dev to us makes no sense
11:17:07<@dilfridge> because of the huge fees
11:18:18<@mgorny> wouldn't sending all to one person exceed some custom limits?
11:18:22<+ztrawhcse> we'd need someone in the US to handle re-mailing if we want to batch
11:18:28<@robbat2> so mitigating that; would we be okay trusting a single dev to have a single order of 60x (2 per dev plus a few spares / next recruits)
11:18:49<@robbat2> mgorny: there is no more de minimis anyway
11:19:21<@ulm> robbat2: I don't see a problem with this (trusting a dev)
11:19:26<@dilfridge> mgorny: there is no upper limit... there was a lower one and that is gone
11:19:49<@dilfridge> err, bs
11:19:56<@dilfridge> the upper one is gone, never mind
11:20:04<@sam_> i have no issue with trusting either
11:20:12<@sam_> as long as we can find someone willing to do that remailing
11:21:01<@arthurzam> I think we could pay them a fee for the processing (in addition to mail costs)
11:23:23<@robbat2> within the bounds of the bylaws yes
11:23:39<@robbat2> does anybody else have any other sort of concern with these?
11:23:54<@robbat2> one we'll need to raise with the vendor is improving the fulfillment process
11:24:14<@robbat2> as the person doing the order it was a massive pain
11:24:27<@dilfridge> we can also explicitly ask token2 about distributor in the us
11:24:47<@dilfridge> https://www.token2.com/site/page/resellers-and-distributors
11:25:02<@robbat2> they say they don't keep stock there generally
11:27:29<@robbat2> i do want to standardize on what model we order as well; likely USB-C; if you need USB-A get an adapter
11:29:05<@robbat2> we're 30 minutes into this - last call for other concerns; or should we move it to draft a motion
11:29:14<@robbat2> (writing that tentative motion in the meantime)
11:29:27<@arthurzam> Just add expl in Wiki (not concern, just action item)
11:30:42<@robbat2> Motion: Gentoo to fund 2x Token2 keys per developer as successor to the Nitrokey program; exact model & shipping details to be worked out with the vendor; estimated cost incl shipping to EUR60/dev X 100 devs = 6000EUR
11:31:06 * arthurzam yes
11:31:12 * dilfridge yes
11:31:13 * sam_ yes
11:31:18 * soap yes
11:31:21 * mgorny yes
11:31:27 * ulm yes
11:31:45 * robbat2 yes
11:32:08<@robbat2> motion passes: 7 yes, 0 no, 0 abstain
11:33:13<@robbat2> moving on to the next agenda item
11:33:40<@robbat2> 3. Open bugs with Council participation [2]
11:33:58<@robbat2> bug 936211 [Tracker] Gentoo Foundation dissolution
11:33:59< willikins> robbat2: https://bugs.gentoo.org/936211 "[Tracker] Gentoo Foundation dissolution"; Gentoo Foundation, Proposals; CONF; ulm:trustees
11:34:07<@robbat2> no update this cycle, pending SPI responses
11:34:19<@robbat2> bug 961301 [Tracker] Requests for metadata/AUTHORS
11:34:20< willikins> robbat2: https://bugs.gentoo.org/961301 "[Tracker] Requests for metadata/AUTHORS"; Gentoo Council, unspecified; CONF; ulm:council
11:34:21<@robbat2> no changes needed
11:34:31<@robbat2> bug 961811 - token 2
11:34:32< willikins> robbat2: https://bugs.gentoo.org/961811 "Consider procuring Token2 PIN+ security keys for developers"; Gentoo Council, unspecified; CONF; tamiko:council
11:34:35<@robbat2> just discussed this
11:34:48<@robbat2> bug 965900 - glep63 key recs
11:34:49< willikins> robbat2: https://bugs.gentoo.org/965900 "GLEP 63: update key recommendations"; Documentation, GLEP Changes; CONF; mgorny:council
11:34:59<@robbat2> do we have a concrete draft for the changes?
11:35:51<@robbat2> bug 965878 - codeberg
11:35:51< willikins> robbat2: https://bugs.gentoo.org/965878 "[TRACKER] Codeberg migration"; Gentoo Council, unspecified; CONF; mgorny:council
11:36:02<@robbat2> i hadn't followed their latest responses in the lists
11:36:12<@robbat2> (end of bugs in the search)
11:36:23<@arthurzam> robbat2: they gave us green light for everything, just add expl about agit instead of forks in our docs
11:36:26<@sam_> i think codeberg is just blocked on technical stuff, laumann has got PRs for all of it or most of it up in places
11:36:35<@sam_> so we're making progress, people are starting to use it for changes that don't need CI
11:36:39<@sam_> we don't yet have the CI stuff setup there
11:37:07<@mgorny> yeah, it's mostly finding time to review and test everything
11:37:09<@mgorny> i'm moving slowly
11:37:12<@arthurzam> I've created gentoo-mirror org in codeberg just in case, will pass it to Gentoo when needed
11:37:22<@sam_> mgorny: yeah, not a criticism
11:37:25<@sam_> just saying where we are
11:37:39<@sam_> we are making progress so i have no complaints
11:37:51<@robbat2> glep63 recs - we should have them ready for shipping keys
11:38:35<@mgorny> does anyone recall what was the command to check how many devs have codeberg username set in ldap already?
11:39:05<@robbat2> not offhand but I can construct it quickly
11:39:35<+ztrawhcse> I can maybe handle re-mailing token2 keys if needed
11:39:47<@robbat2> 19 devs
11:40:00<@robbat2> ldapsearch -Z -x "(gentooCodebergUser=*)" dn
11:40:30<@robbat2> ztrawhcse: hold that thought, i'll come up with the plan for it separately
11:40:41<@robbat2> based on last time we had somebody try to be available for remailing
11:40:50<@robbat2> (post-meeting)
11:41:02<@robbat2> any further discussion on the open bugs before we move to open floor?
11:41:18<@ulm> looks like everyone is CCed on all PRs? which is fine for now but doesn't scale
11:41:47<@arthurzam> ulm: you can unwatch the repo
11:42:53<@robbat2> will timeout for open floor at :44:00
11:44:07< negril> I filed bug 962281 back in September because it's not the greatest advertisement as is and has been like this for far too long. @trustees hasn't reacted so far maybe council can ask them to or suggest a policy?
11:44:18< willikins> https://bugs.gentoo.org/962281 "Clean up consultants list"; Gentoo Foundation, Proposals; CONF; negril.nx+gentoo:trustees
11:44:21< negril> Sorry for being :07s late :S
11:44:32<@robbat2> no that's the start of open floor :-)
11:44:36<@robbat2> perfectly timed
11:44:53<@robbat2> that seems like a role that should have transitioned to council
11:44:58<@robbat2> (maintaining that list)
11:45:57<@robbat2> anybody specifically want to reach out about it? most of the people on the list are devs
11:46:18< negril> drobbins being in there twice?
11:46:31<@dilfridge> clearly twice as important
11:46:42<@sam_> at a glance: drobbins is listed twice; some people are there that i haven't seen in years or ever
11:46:50<@robbat2> personal vs their company
11:46:54<@sam_> sorry but no
11:46:56<@robbat2> zx2c4 is twice as well
11:47:21<@robbat2> double of zero customers is still zero
11:47:47< negril> I think the question we/you should ask. Is the person able to provide advice that we/you want to promote
11:48:01<@robbat2> i'd say I get one request/year over the last 5 years, but i also don't advertise my services broadly
11:48:24<@robbat2> (and most of those didn't turn into customers)
11:48:55< negril> I'm not asking for a solution now. If you think it should go to @council and you want to mull over the list til the next meeting that's fine
11:48:57<@robbat2> action-item: reach out to these; maintain on the page that last time they confirmed
11:49:09<@robbat2> *that states
11:49:31<@robbat2> any other open floor items?
11:49:38<@robbat2> (waiting till :52:00)
11:49:39<@dilfridge> so
11:49:46<@mgorny> there's been some positive feedback past the end-year summary
11:49:57<@mgorny> looks like people realize gentoo > arch
11:49:58 * mgorny hides
11:49:59<@dilfridge> oh yes
11:50:01<@robbat2> lol
11:50:09<@mgorny> we now need to make them realize gentoo > nixos
11:50:13<@dilfridge> we've been on top of hackernews most of today
11:50:24<@robbat2> and freshly on slashdot during this meeting
11:50:35<@dilfridge> nice :)
11:50:58<@robbat2> anything actionable needed before closing the meeting?
11:51:00<@arthurzam> Maybe integrate dev/rpm as another binpkg format for portage?
11:51:00<@arthurzam> Gentoo ate all competitors
11:51:02 * arthurzam hides
11:51:03<@robbat2> happy to keep talking after that
11:51:09<@dilfridge> the
11:51:11<@arthurzam> none from me
11:51:17<@dilfridge> usb sticks for fosdem are ordered
11:51:35<@dilfridge> the company couldn't promise they arrive in time, but said "it should work"
11:51:38<@robbat2> who is doing logs, minutes?
11:51:50<@robbat2> i'll post my logs as the chair
11:52:02<@sam_> the chair does logs+summary
11:52:15<@robbat2> guess it's all me
11:52:20<@ulm> flyers for fosdem are in print
11:52:27<@robbat2> and i'll reach out to Token2 as the treasurer
11:52:52<@robbat2> dilfridge, ulm: submit your invoices for reimbursement as bugs per discussions please
11:52:58<@dilfridge> yup
11:53:01<@robbat2> however we're splitting with the e.v. if we still are
11:53:05<@robbat2> totally fine with those
11:53:12 * robbat2 bangs the gavel to close the meeting
11:53:12<@ulm> e.V. has paid for the flyers
11:53:24<@arthurzam> thank you
11:53:26<@robbat2> thanks all
11:53:30<@sam_> thanks!
11:53:31<@dilfridge> thank you
11:53:39<@mgorny> thanks
11:53:50<@mgorny> so i think we're doing good on two venues