summaryrefslogtreecommitdiff
blob: 1fd2dc65024f8119a7f2f0ef98bbc3e6dfbc0938 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
2018-02-18 14:01:52	@K_F	Roll call
2018-02-18 14:01:54	 *	K_F here
2018-02-18 14:01:57	 *	ChrisADR here
2018-02-18 14:02:05	@ackle	here
2018-02-18 14:02:39	ChrisADR	hi ackle nice to meet you :)
2018-02-18 14:02:45	 *	Pinkbyte here
2018-02-18 14:03:16	@ackle	Hi Chris, welcome aboard
2018-02-18 14:03:27	ChrisADR	nice to meet you too Pinkbyte :)
2018-02-18 14:03:32	ChrisADR	thanks :) glad to be here
2018-02-18 14:04:11	@K_F	hmm, don't think I have whissi's phone # around to send SMS..
2018-02-18 14:04:31	@K_F	so lets just start, and if he shows up he can read backlog anyways
2018-02-18 14:04:50	@Pinkbyte	ChrisADR, we are all always welcome fresh blood, so - nice to see you amongst us
2018-02-18 14:04:58	@Pinkbyte	s/fresh/for fresh/
2018-02-18 14:05:22	@K_F	the four regular agenda items I've noted for today are (in short); (i) GLEP14 updates (ChrisADR can tell a bit about the changes he has done and what he wants help on forwards, and discusion if there is anything)
2018-02-18 14:05:44	@K_F	(ii) glsamaker (iii) kernel sec and (iv) operator / access list in here (although mostly deferred until after a lead is in place)
2018-02-18 14:06:30	@K_F	are there anything else we should discuss today? as a pro-forma I listed open bugs as well, in particular #624262, but that is more to remember than to discuss today
2018-02-18 14:07:06	@blueknight	Sorry was watching a show.. here
2018-02-18 14:07:39	@Pinkbyte	K_F, it would be nice if something about #624262 would be done. I remember those days when confidential mails from bugzilla were... confidential :-)
2018-02-18 14:08:13	@K_F	Pinkbyte: right, which is why we have a bug, I just don't see anything from us being done about it today.. that said it is listed as a GSoC project this year as well
2018-02-18 14:08:58	@K_F	so, ChrisADR you've been the one most active with trying to refurbish glep 14 c.f bug 637328
2018-02-18 14:09:00	willikins	K_F: https://bugs.gentoo.org/637328 "GLEP 14 needs to be updated"; Documentation, GLEP Changes; CONF; mgorny:security
2018-02-18 14:09:19	@K_F	what is the status of the update and what is needed from us on it before we can pass it around for approval?
2018-02-18 14:09:39	@K_F	I take it everyone here has access to the updated files in git.gentoo.org/proj/security/private.git:/documentation/glep-0014.rst ?
2018-02-18 14:09:44	@K_F	or should I make a copy of it somewhere public?
2018-02-18 14:09:52	ChrisADR	ok, short and simple :) I'm a bit concerned about the implementation
2018-02-18 14:10:34	ChrisADR	quoting from the source code: " WARNING: this code is only tested by a few people and should NOT be used
2018-02-18 14:10:34	ChrisADR	# on production systems
2018-02-18 14:10:37	ChrisADR	"
2018-02-18 14:11:04	@K_F	ChrisADR: heh, indeed, that is code you don't want seen relied on in production systems :)
2018-02-18 14:11:18	@K_F	(or at least comment, presumably it actually _is_ well tested by now)
2018-02-18 14:11:56	ChrisADR	yea :) ok, the thing is that we need either to remove that comment, ensuring that glsa-check is actually tested, to be able to mark the GLEP as implemented, or keep it as "work in progress"
2018-02-18 14:12:49	@K_F	it has been used in production for a number of years, so unless it is a very specific corner case, we can likely remove the comment now
2018-02-18 14:13:00	ChrisADR	but I see that most of the work was done till 2015, except a couple of patches in 2016 and 2017
2018-02-18 14:13:26	ChrisADR	ok, sounds good to me, the rest of the GLEP is just an update to the current status
2018-02-18 14:14:00	@Pinkbyte	K_F, true. I remember exactly one breakage(which happens in this year) of glsa-check since i use it(from 2009 at least, iirc)
2018-02-18 14:14:02	@K_F	so, should we vote for an approval of it in this meeting, or do a final circulation on email for comment?
2018-02-18 14:14:16	@K_F	(approval in this context means we submit it to council)
2018-02-18 14:14:40	ChrisADR	I'd prefer a circulation, I'd appreciate a peer review and then decide if everything is ok to send to council
2018-02-18 14:14:47	@K_F	ChrisADR: actually one thing I noticed, which is nitpick when reading it is most references to GPG should be OpenPGP
2018-02-18 14:15:04	@K_F	unless it reference the specific implementation
2018-02-18 14:15:29	@K_F	e.g "verifies its OpenPGP signature" instead of "GPG signature"
2018-02-18 14:16:13	@K_F	but right, if you can send out a call for comment we can deal with it with a deadline of 1 week from you send it out?
2018-02-18 14:16:23	ChrisADR	yea, actually afaik we don't verify signatures per se, we assume that because of the signed commits in the repo
2018-02-18 14:17:09	@K_F	signed commits aren't relevant, would be the signed MetaManifest or the signature of the web download, there aren't any good ways to verify the git commit signatures, in particular in context of retired devs and revoked keyblocks
2018-02-18 14:17:41	@K_F	but if the tool doesn't check the signature, we want to update the GLEP to reflect that
2018-02-18 14:18:06	ChrisADR	There are still a couple of sections that I have not changed, I hoped to send a proposal to the mail and discuss those specific implementations since I don't have it totally clear
2018-02-18 14:18:15	@K_F	and/or write that it expects the tree consistency to be in place due to verification done during portage / gemato sync (but keep in mind that won't help paladius or pkgcore users)
2018-02-18 14:19:33	@K_F	but right, lets do that by email then, that works for me
2018-02-18 14:19:40	ChrisADR	ok, great
2018-02-18 14:19:41	@K_F	any other comments from anyone on the subject before we move on?
2018-02-18 14:20:14	@blueknight	Nothing from the peanut gallery :)
2018-02-18 14:21:21	@K_F	ChrisADR: you also brought up glsamaker, want to lead in with your thoughts?
2018-02-18 14:22:23	@K_F	i.e are there specific concerns, or just a generic discussion on whom takes responsibility for maintenance etc?
2018-02-18 14:23:35	ChrisADR	well I was thinking about the whole project implementation, I know whissi is the only one developing it right now, but it's hard for him because of ruby... at first I was thinking to prepare a new version of glsamaker, but now I'd like to propose a new idea
2018-02-18 14:23:53	 *	K_F is all ears
2018-02-18 14:24:45	@K_F	but yes, it being ruby is actually an issue on a few points, including maintenance since not too many use it, that is also a problem with a few other sites, including packages.g.o
2018-02-18 14:24:47	ChrisADR	alice sent an email announcing that we are officialy part of the Google Summer of Code, I was thinking (maybe not this year, but next one, given the availability from our team) to propose a project there and be mentors from a student
2018-02-18 14:25:26	@Whissi	_No_. :)
2018-02-18 14:25:30	@K_F	I'm not a fan of that idea, too many projects historically that have been written and not properly implemented in practice, and if we want to rewrite, it is to make sure codebase is familiar to security team
2018-02-18 14:25:46	@K_F	and having a student at gsoc is 3-5 times the work of just doing it yourself
2018-02-18 14:25:51	@K_F	or more..
2018-02-18 14:25:56	ChrisADR	I guess that if it's in Python (django at least) it may be easier for the whole developers here to have an idea of how it works?
2018-02-18 14:26:04	@K_F	in particular when we're starting from scratch, it is easier for a specific feature in existing framework
2018-02-18 14:26:23	@ackle	Not a fan either, tools from GSoC have seemed... unreliable to me in the past
2018-02-18 14:26:25	@K_F	django suffers from a number of same issues as ruby does with upgrades and compatability
2018-02-18 14:26:34	@K_F	so that also easily gets stuck, and is difficult to properly package
2018-02-18 14:26:46	@blueknight	ackle: you have a working demo version is that correct?
2018-02-18 14:26:52	ChrisADR	ok out of ideas :P
2018-02-18 14:26:58	@Pinkbyte	Well, we should feel ourselves pretty lucky that it is Ruby and not Haskell for example :-D
2018-02-18 14:27:05	@ackle	Yes, I have a working dev system for glsamaker
2018-02-18 14:27:34	@K_F	ackle: to ensure we're talking of same thing, you have a dev system of the current implementation
2018-02-18 14:27:54	@K_F	I'm personally in favor of throwing in some more resources on existing system rather than rewriting from scratch, as I know that will bring bugs on its own
2018-02-18 14:27:59	@ackle	Also to point out: in the past we've always said that a major change to glsamaker should probably be in tandum with an overhaul of the GLSA format (to make it easier to automate announcements)
2018-02-18 14:28:07	@K_F	unless we have specific features that we know needs a solid rewrite (e.g proper CVE handling)
2018-02-18 14:28:28	@K_F	but if we want to write a new system we need to do a full RFP / spec of what is needed before starting out
2018-02-18 14:28:32	@Whissi	Yes. We should first think about what we want before we think about how we reach the goal.
2018-02-18 14:29:05	@K_F	not necessarily only GLSA format though, that is output format only, we have a lot of background work that never sees the public
2018-02-18 14:29:20	@ackle	K_F: yes, I keep an updated and running copy on one of my VMs for when I've made changes to glsamaker.g.o
2018-02-18 14:29:26	@blueknight	ackle: Can we replicate your dev build in to a location where others have access?
2018-02-18 14:29:43	@K_F	ackle: nice, do you have any notes for setting it up etc if others wants to replicate?
2018-02-18 14:29:47	@blueknight	or share the VM?
2018-02-18 14:30:19	@K_F	instead of sharing the VM, might want to do a replication of the pushing at infra
2018-02-18 14:30:33	@ackle	I'm sure I have notes on setting it up. If infra can provide a VM, we could get a shared test system out there
2018-02-18 14:30:34	@K_F	and have a git repo we can commit changes to for testing, instead of full access on VM
2018-02-18 14:31:07	@K_F	in my experience testing without audit is often difficult to replicate in production system due to lack of documentation
2018-02-18 14:31:27	@K_F	of course that brings question of whether we want a test system along with a dev system
2018-02-18 14:31:30	@Whissi	For me the problem is testing vs bugzilla
2018-02-18 14:32:41	@Whissi	Like testing the "close bugs" think... it requires a open bug... hard to test if you don't have a testing bugzilla ;)
2018-02-18 14:32:53	ChrisADR	and our own bugzilla for tests? 
2018-02-18 14:33:17	@ackle	There are various caveats with testing, such as connecting it to a test Bugzilla instance (as Whissi is stating) and having actual information in the database for validation (something that bit me in the butt before)
2018-02-18 14:33:36	@K_F	Whissi: iirc infra has a testing infrastructure for bugzilla, maybe we can get some resources on that?
2018-02-18 14:34:06	@K_F	but indeed, there will be references to bug numbers not existing etc etc
2018-02-18 14:34:24	@K_F	unless it is done in a testing envoronment that synchronize / copy daily or weekly or whatever
2018-02-18 14:36:13	@K_F	(I believe this is the one I'm thinking of.. http://bugstest.gentoo.org )
2018-02-18 14:38:33	@K_F	but right, I'm putting that down for another subject to continue discussing on email.. but before doing any big changes I strongly recommend we figure out if we need major new features, and if we do figure out what we need (including testing infrastructure etc) before starting a new project on it
2018-02-18 14:39:52	@K_F	So; (iii) kernel sec team
2018-02-18 14:40:06	@K_F	ChrisADR: again, you had some questions on this, want to start up discussion?
2018-02-18 14:40:15	ChrisADR	ok, sure
2018-02-18 14:40:52	ChrisADR	it may be a good idea to define a structure, like the vulnerability treatment policy
2018-02-18 14:41:01	@blueknight	I have an idea ... I am thinking we might want to put together a Trello for our team so we can put down the requirements?
2018-02-18 14:41:01	ChrisADR	I propoce 3 states right now
2018-02-18 14:41:26	ChrisADR	that's a good idea
2018-02-18 14:42:05	@K_F	what is Trello?
2018-02-18 14:42:25	ChrisADR	so, [upstream] as always, [cve] as archived in our db, and a new [backported](just basic idea) which means if we have that specific fix available in our *-sources
2018-02-18 14:42:28	@blueknight	Trello is a free on line Todo / Project management with multi edit capabilitles.
2018-02-18 14:42:36	@K_F	is it free software?
2018-02-18 14:42:43	@blueknight	Free on-line service
2018-02-18 14:42:43	@Pinkbyte	K_F, proprietary online service for kanban-like tasking and stuff
2018-02-18 14:42:56	@K_F	meh, lets stick to formats people can use
2018-02-18 14:43:05	@Pinkbyte	K_F, agreed
2018-02-18 14:43:21	@K_F	but for kernel issues, its a bit of a catch 22
2018-02-18 14:43:50	@K_F	1) we don't have resources to track the vulnerabilities, and the upstream recommendation is just to always use latest point release of long term stable branch
2018-02-18 14:44:02	@K_F	2) upstream doesn't properly flag vulnerabilities (see 1)
2018-02-18 14:44:19	@K_F	3) we don't have tooling to check the running kernel on a given system and what patches are potentially applied
2018-02-18 14:44:46	@Whissi	Regarding kernel: The kernel project will move to some kind of auto-stabilizing later this year. At least we plan something like that.
2018-02-18 14:44:48	@K_F	which mostly result in , sure, we can track some, in particular for release coordination, but in general, kernel is on its own
2018-02-18 14:44:59	@Whissi	So the meaining of stable kernel in Gentoo _will_ change.
2018-02-18 14:45:13	@K_F	Whissi: iirc they are using the proposal from the stable wg ?
2018-02-18 14:45:27	@K_F	I wouldn't agree it is changing stable status if so
2018-02-18 14:45:44	@K_F	mainly due to upstream stability guarantee, and only point releases of an already stabilized LTS will be auto-stabled
2018-02-18 14:45:50	@Pinkbyte	Whissi, if it would be sticking to latest possible LTS point releases - blame me, if i will be against it :-)
2018-02-18 14:46:36	@Whissi	Currently, in Gentoo, stable kernels means something like a GA status. I.e. only mark a kernel stable if we know it works on most hardware or aren't aware of any criticial problems which may affect *some* setups.
2018-02-18 14:47:16	@Whissi	That's the reason why 4.14.x is still not being stabilized in Gentoo... because we are aware of *some* problems... however, 4.14.x is now better and works for *most* users... but still not ready to be named *GA*.
2018-02-18 14:47:38	@Whissi	But this is going to change.
2018-02-18 14:47:47	@K_F	right, 4.14 is a mess on libdrm and kernel mode buffers
2018-02-18 14:48:00	@K_F	kernel modeline*
2018-02-18 14:48:05	@blueknight	So they are going to roll the dice with automated building
2018-02-18 14:48:17	@K_F	not really
2018-02-18 14:48:39	@K_F	if they only stable latest point release as policy, it is easy to do a package mask for newer kernel branches
2018-02-18 14:48:48	@K_F	first thing I do on any system after installing is masking any higher branch
2018-02-18 14:48:56	@K_F	and only switching once LTS is EOL
2018-02-18 14:49:13	@Whissi	I.e. in future we hope to have a working CI which will start testing when upstream kernel reaches RC. Once released, we will add and mark stable within 24-48h. If we get aware of any problems we maybe decide to pause/skip this version... or add patches like before. But in general the idea is to follow upstream within 48h.
2018-02-18 14:49:27	@Whissi	(_stable_ within 48h)
2018-02-18 14:49:27	@Pinkbyte	K_F, i forced to do this on one of my HP servers. Which breaks badly on 4.12 and 4.14
2018-02-18 14:49:52	@blueknight	Well in either case... I think we stick to what we have done before
2018-02-18 14:49:55	@K_F	Pinkbyte: most server systems do it like that anyways
2018-02-18 14:50:12	@K_F	blueknight: you're not talking for security project? in which case I agree
2018-02-18 14:50:25	@K_F	we have the project more as a discussion point and placeholder, but we shouldn't give any security guarantee for actual tracking
2018-02-18 14:50:40	@blueknight	Well isn't this what we are talking about?
2018-02-18 14:50:44	@K_F	we don't have the resources for it, and the best recommendation is "use latest upstream point release"
2018-02-18 14:51:01	@K_F	blueknight: _could_ be a reference to kernel team's stable policy
2018-02-18 14:51:09	@K_F	just wanted to have the statement in proper context
2018-02-18 14:52:43	@blueknight	The non politically correct version is "no one tracks what is in the Kernel, we take whatever is available upstream and go with it"
2018-02-18 14:54:30	@K_F	so, unless there are further comments on that, the next one I have is the channel IRC modes
2018-02-18 14:55:00	@K_F	as explained in email already, that is easy to fix, but easier to do cleanup after a lead is in place as he/she would be natural Founder of channel that can then fix the other modes
2018-02-18 14:55:58	@K_F	so I propse we defer that point
2018-02-18 14:56:05	@Whissi	Well, I guess ChrisADR wants that we will write down that we track usally only focus >=A2 vulns for kernels. I.e. write down, that we don't track anything else due to lacking man power.
2018-02-18 14:56:22	@K_F	we don't officially track anything
2018-02-18 14:56:42	@blueknight	We do not track Kernel, and I would not want to track anything in Kernel
2018-02-18 14:56:54	@blueknight	If the Kernel team does not know what is fixed, how shoudl we
2018-02-18 14:57:03	@K_F	we can help coordinate etc, but we don't _track_ anything
2018-02-18 14:57:15	@Whissi	Well, I try to track anything >=A2 and especially anything I find in the media.
2018-02-18 14:57:37	@Pinkbyte	K_F, about channel modes - did i miss something? blueknight is currently team lead and can ask for channel ownership in #gentoo-groupcontacts, no?
2018-02-18 14:57:42	@K_F	right, but you do that out of the goodness of your heart and not policy :)
2018-02-18 14:57:50	@Whissi	yeah
2018-02-18 14:57:52	@blueknight	Pinkbyte: I resigned due to time constraints
2018-02-18 14:57:54	@K_F	Pinkbyte: right, but if we need to switch that anyways
2018-02-18 14:58:20	@K_F	Pinkbyte: its easier to just wait for new lead to be in place
2018-02-18 14:58:21	@blueknight	I do not feel it is right by the team since I can not dedicate a lot of time.
2018-02-18 14:58:33	@Pinkbyte	blueknight, ok then, missed that e-mail(or just forgot about reading it, i am such a dumbass these days)
2018-02-18 14:58:46	ChrisADR	blueknight: can you try to set -O on my nick?
2018-02-18 14:58:57	@K_F	+AO you mean :)
2018-02-18 14:59:01	ChrisADR	capital o letter
2018-02-18 14:59:04	@blueknight	Chris I do not have rights
2018-02-18 14:59:17	ChrisADR	well that's what the discussion is about
2018-02-18 14:59:25	@Pinkbyte	according to chanserv info - a3li and keytoaster are channel founders
2018-02-18 14:59:28	ChrisADR	I thought for one sec that you had those rights
2018-02-18 14:59:36	@Pinkbyte	so only them can fully manage channel
2018-02-18 14:59:38	ChrisADR	sorry, missed the flow 
2018-02-18 15:00:27	@blueknight	Both keytoaster and Alex can be contacted to make the rights accordingly moved... so not a big deal
2018-02-18 15:00:43	@ackle	Is there anything else to discuss?
2018-02-18 15:00:51	@K_F	blueknight: we don't even need that if a new lead is in place (or if you want to have them now)..
2018-02-18 15:00:58	@K_F	but right.. any other agenda item?
2018-02-18 15:01:14	@K_F	if not we've managed to stay at timeline outlined, which is good in itself :
2018-02-18 15:01:17	@K_F	:)
2018-02-18 15:01:32	@K_F	I generally believe a few short meetings like this more frequently is a good thing
2018-02-18 15:01:41	 *	Pinkbyte remember 2-3 hours meetings of Qt team. That was a bit of a pain...
2018-02-18 15:01:58	ChrisADR	maybe set a couple of goals till the next meet?
2018-02-18 15:02:02	@blueknight	So since we are all here.... I have one
2018-02-18 15:02:11	@K_F	blueknight: floor is yours
2018-02-18 15:02:24	@blueknight	What has been decided is going to be done with picking the new lead.
2018-02-18 15:02:35	@blueknight	lead or leads
2018-02-18 15:03:10	@K_F	I haven't seen any conclusions on anything
2018-02-18 15:03:27	@ackle	We should probably arrange for nominations and election
2018-02-18 15:03:33	@K_F	so guess someone just needs to actually call for election and chose a format (email, heliosvoting, etc etc)
2018-02-18 15:03:36	@Whissi	Well, we can start a new election already or wait the remaining 2-3 month....
2018-02-18 15:04:08	@blueknight	K_F: I propose smoke signals as the means (joke)
2018-02-18 15:04:21	@K_F	blueknight: I have my Padron 7000 currently, so I'm ready to blow smoke rings :)
2018-02-18 15:06:11	@blueknight	Ok so do you guys want to wait, or do elections. Lets vote
2018-02-18 15:06:17	@Pinkbyte	Whissi, quick note from other team's lead - e-mail voting can be 2 weeks long... But it's not the problem. Problem is when you win election, because no one else was nominated. I hope that would be not the case with security :-/
2018-02-18 15:06:22	@K_F	blueknight: I'd say it is more up to you than anything else
2018-02-18 15:06:36	@blueknight	I resigned, so it is up to the team
2018-02-18 15:07:02	@K_F	blueknight: well, if you take the resignation as a point after regular election or if you want to be freed of responsibilities already
2018-02-18 15:07:10	@blueknight	So lets vote .... who wants election, and who wants tow ait.
2018-02-18 15:07:29	@Whissi	Pinkbyte: I would propose a different way this time: Everyone is nominated... and has _one_ week to accept. After the week we would start normal voting via mail.
2018-02-18 15:07:42	@Whissi	But this would be pre-announced
2018-02-18 15:07:43	@K_F	blueknight: if you don't expect to be able to be around, I recommend just having election now
2018-02-18 15:07:50	@Pinkbyte	I suppose that in that case we should roll election earlier. One week for nomination, two weeks of voting... Around a month will be only procedure going...
2018-02-18 15:08:16	@Pinkbyte	Whissi, well, we are(not all of us, blame me) pretty active and responding team, so your proposal make sense
2018-02-18 15:08:17	@Whissi	You really want 2 weeks voting?
2018-02-18 15:08:47	@Whissi	7d should be enough, not?
2018-02-18 15:09:03	@K_F	I generally would expect members to be able to respond in a week, in particular since it is pre-announced periode
2018-02-18 15:09:15	@blueknight	7d does not account for anyone that has vacation (Holiday) or a business trip
2018-02-18 15:09:18	@K_F	so 2 weeks since announcement ,if 1w acceptance periode)
2018-02-18 15:09:23	@Pinkbyte	Whissi, i am not. I am just saying how it is in QA team. Last time there was no voting, because there are only me nominated
2018-02-18 15:09:44	@K_F	blueknight: well, it is 2 weeks announcement since beginning of voting process
2018-02-18 15:09:45	@blueknight	I recommend 2 weeks.
2018-02-18 15:09:49	@K_F	s/voting/election/
2018-02-18 15:10:06	@K_F	people should be in a position to read their email in that time
2018-02-18 15:10:10	@blueknight	No but if I go on vacation or a business trip and do not have my GPG key to vote with me (because I forgot it or something),...
2018-02-18 15:10:24	@ackle	Is there a reason why 2w is not reasonable? Or is it just impatience?
2018-02-18 15:11:02	@Whissi	Well, with announcement we actual have >7d... but an actual voting period for >7d is a bit long, given that the "big" elections like council will happen in just 7d... not sure why security would need 14d...
2018-02-18 15:11:04	@K_F	blueknight: right, but arguably that is more a question of whether we should require OpenPGP signatures, although I'm somewhat biased in that and mean everyone should have that pretty accessible in security project :)
2018-02-18 15:11:46	@K_F	council voting is upen for 15 days
2018-02-18 15:12:04	@K_F	after a 15 day nomination periode
2018-02-18 15:12:09	@blueknight	But when I go on vacation I purposly disconnect for 7 days ... (usually on a cruise ship, where I do not buy internet)>
2018-02-18 15:12:10	@Pinkbyte	Whissi, nobody denies shortening voting period IF all of team members are already voted or if clear winner is discovered
2018-02-18 15:12:29	@Whissi	OK. I am not against 2 weeks. Just wondered :)
2018-02-18 15:12:41	ChrisADR	council voting?
2018-02-18 15:12:57	@ackle	I have to run... have fun painting that shed, folks ;)
2018-02-18 15:13:03	@Whissi	I'll send my proposol for the election later tonight.
2018-02-18 15:13:06	@K_F	ChrisADR: election
2018-02-18 15:13:15	@K_F	ChrisADR: the voting part of the election process for council
2018-02-18 15:13:21	ChrisADR	sorry, bad translation, ok got it
2018-02-18 15:13:35	@K_F	Whissi: ok, putting you down to organize it then :)
2018-02-18 15:13:43	@blueknight	OK.. with this meeting being done... Have a good day everyone.
2018-02-18 15:13:57	@Whissi	No problem. Will be my 3rd Gentoo election I organized this year ;)
2018-02-18 15:14:07	@K_F	sounds good, then I have 15 minutes until next meeting
2018-02-18 15:14:08	@Pinkbyte	blueknight, you too. I should go to bed, though, it's 23:15 on my clock :-)
2018-02-18 15:14:12	@K_F	have a nice evening everyone
2018-02-18 15:14:15	 *	K_F bangs gavel