15:00:34 <ahf> #startmeeting tooling group meeting 20 october 2020
15:00:34 <MeetBot> Meeting started Tue Oct 20 15:00:34 2020 UTC.  The chair is ahf. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:34 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:00:58 <ahf> there were no items on it until a few min ago, so i added one that was brought up yesterday by roger
15:01:18 * gaba going to look at the agenda
15:01:25 <ahf> #topic gitlab and git.torproject.org
15:01:33 <anarcat> can we review the dashboard again?
15:01:38 <ahf> sure
15:02:01 <ahf> added it as next item
15:02:07 <ahf> just add things to the list if there is something :-)
15:02:09 <ahf> that is easiest
15:02:25 <anarcat> so what's with gitlab and git.tpo
15:02:33 <ahf> yes, i was about to write that
15:02:39 <anarcat> sorry :)
15:02:57 <ahf> so roger asked the other day about the website specifically and for the research page and getting more people involved with that without adding more people to ldap
15:03:21 <ahf> it's easier to hand out access for users on gitlab and delegate things there, BUT, we are not ready yet with all the redirection stuff from git.torproject.org and so on
15:03:24 <ahf> this has been up before
15:03:33 <anarcat> yes, we have discussed this before :)
15:03:37 <anarcat> we even have a ticket!
15:04:06 <ahf> yep, i was about to look it up, but just gonna finish here. on the ticket we define what some of the things are that we have to do
15:04:29 <anarcat> "establish policy on git repository mirroring, hosting and, ultimately migration from gitolite" ticket https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/36
15:04:32 <ahf> i wonder when we think we can begin with a small number of projects and move those over, and ignore the big set of things we might have to clean up at first
15:04:49 <ahf> because we won't run that task like we did with the trac -> gitlab migration where i disappear from the world in 3 weeks
15:05:03 <ahf> so it has to happen slowly and a bit more ad-hoc i think
15:05:04 <anarcat> no, we won't :)
15:05:06 <anarcat> we can do small things
15:05:08 <ahf> ya
15:05:19 <anarcat> but i think we should do the small thing of agreeing on what the world will look like eventually first :p
15:05:25 <anarcat> like agreeing on what our end goal is
15:05:50 <ahf> yeah
15:05:50 <anarcat> like i have a list of questions there
15:05:53 <anarcat> i understand it's a long list
15:06:14 <ahf> no, it's a good list. i think the problem is i don't have the answer to all of it :-/
15:06:28 <ahf> for instance, i don't know if the plan with keeping a few TPA related repos around means having gitolite around forever?
15:06:31 <anarcat> the only answer i got so far was from gaba, and it was basically "postponed until june 2021"
15:06:32 <gaba> you are talking about the list in that ticket?
15:06:35 <ahf> or is this "having a public gitolite" around forever?
15:06:40 <ahf> gaba: ya, and all of its content
15:06:40 <gaba> ahh
15:06:47 <anarcat> which makes me feel like we should either do that now or reopen that discussion properly :p
15:07:13 <anarcat> my answers are in https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/36#note_2684335
15:07:32 <gaba> can we postpone this discussion to november? I have a bunch of reports and stuff to finish in October and I'm moving countries in 2 weeks. I will be able to look at gitlab policies and facilitate discussion in November.
15:07:36 <anarcat> basically, what i am proposing there is that we retire gitweb and gitolite, within a 1-2 year timeline
15:07:47 <ahf> i think that is a good idea
15:07:52 <anarcat> new repositories are created on gitlab (which is basically already the case)
15:07:53 <ahf> like the 1-2 year timeframe
15:08:05 <anarcat> repositories can be mirrored, as a temporary measure
15:08:05 <ahf> and then at the end we might have the tpa ones and we can figure out ourselves what to do with those?
15:08:11 <gaba> yes, i think we should revisit this gitolite retirement with the rest of TPI
15:08:16 <gaba> before making a decision
15:08:22 <anarcat> we have a migration procedure in https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/gitlab/#how-to-migrate-a-git-repository-from-legacy-to-gitlab
15:08:49 <ahf> i think they have said what they need? some depends on git.torproject.org because of jenkins. we do have an alternative to that now that people can slowly experiment with. and we have TB and Tor and some tpa things that is not sure if they want to move yet
15:08:54 <anarcat> but we don't have a mechanism for SSH (and HTTPS?) redirections for "git clone"
15:08:55 <gaba> \o/ for documentation
15:09:02 <ahf> the big task for us will be to get rid of /all/ the legacy stuff on git.torproject.org :-/
15:09:05 <anarcat> so that's what i have
15:09:10 <ahf> there is so much old stuff that nobody has touched in a long time
15:09:19 <anarcat> i don't think that's a problem
15:09:19 <gaba> and there is still a big task on finishing decisions and policy on roles and permissions
15:09:24 <anarcat> you throw that in the legacy/ project
15:09:27 <gaba> i feel that right now it is a little chaotic in gitlab
15:09:29 <ahf> it's not a problem, but it is a big task i think
15:09:36 <ahf> gaba: ah
15:09:40 <ahf> right
15:09:41 <anarcat> gaba: agreed
15:09:45 <anarcat> so that's what i'm worried about here
15:09:57 <anarcat> gitolite is already a huge liability, both in terms of (non-existent) maintenance and security
15:10:13 <anarcat> now we're talking about moving projects piecemeal between gitolite and gitlab
15:10:20 <anarcat> yet we don't quite know how to operate gitlab just yet
15:10:27 <gaba> i would prefer for us to have a clear idea on how user permissions and roles work before doing any other shutdown of gitolite or even migration of big repos
15:10:28 <anarcat> so i feel we're playing with fire a bit
15:10:46 <ahf> ack, okay
15:10:55 <anarcat> well what's being proposed here is not the immediate shutdown of gitolite or migration of big repos :)
15:10:59 <gaba> i think it is ok to move repos like research
15:11:00 <anarcat> it's migrating small projects
15:11:02 <gaba> those are not a big deal
15:11:04 <ahf> i think this is good, i think we are not ready yet and we have some proposals, but there are also some other things playing in
15:11:13 <ahf> gaba: i don't think we can start moving small things now, then we lose the grand overview
15:11:14 <gaba> but we should wait longer on anything that could be a security issue
15:11:20 <ahf> that is why i brought it up
15:11:28 <anarcat> so about the security issue
15:11:31 <gaba> not moving small things? what do you mean?
15:11:35 <anarcat> i've been looking into this quite a bit
15:11:54 <ahf> yeah, not have things that are both on git.torproject.org and gitlab where the former isn't canonical
15:11:55 <anarcat> let me find that ticket
15:12:03 <gaba> ah, i see
15:12:12 <ahf> i am fine with people starting new projects on gitlab
15:12:25 <anarcat> crap, i don't have that ticket :p
15:12:34 <anarcat> but basically, what i'm proposing is we adopt OpenPGP signatures for git commits
15:12:50 <anarcat> the problem we feel we have with the security of gitlab for our code, we already have with gitolite
15:12:58 <anarcat> possibly even worse
15:13:00 <anarcat> we just don't know about it
15:13:16 <anarcat> so we should slowly start adopting git signatures
15:13:22 <anarcat> and authenticate them in various places, like CI
15:13:26 <gaba> interesting. Let's bring that up whenever we discuss this other migration from gitolite with the rest of tpi
15:13:26 <anarcat> and in release processes
15:13:32 <anarcat> it's a team-wide question, obviously
15:13:42 <anarcat> but it's my response to "but gitlab insecure aaah" :)
15:14:02 <ahf> i think with the way we use gpg in the org that nobody will be able to do that :-/
15:14:05 <anarcat> there are many ways of checking commits too, so there will need to be some discussions on which process makes more sense based on various teams' workflow
15:14:10 <anarcat> ahf: how is that?
15:14:19 <ahf> how do we handle external contributions too with that?
15:14:31 <ahf> well, if people do rebasing as part of their review policy, it breaks signatures right away
15:14:40 <ahf> tor.git has tons of signed commits that are borked in various ways iirc
15:14:51 <anarcat> ahf: that's what i'm saying, there are various ways of implementing that :)
15:14:58 <anarcat> you could sign tags, for example
15:14:59 <ahf> i have never seen a good problem that was solved by using pgp
15:15:04 <anarcat> or sign merge commits
15:15:13 <ahf> nod
15:15:14 <anarcat> oh god, really
15:15:24 <anarcat> "pgp doesn't solve anything" is not exactly constructive right now
15:15:35 <anarcat> but i hear you
15:15:36 <anarcat> pushback :)
15:15:38 <ahf> yeah :-S i am open to the idea, but my gut feeling is that i won't be a fan. but it is something we can look at
15:15:49 <anarcat> i can open an issue and throw a few links in there
15:15:51 <ahf> i tried for some years with the gpg and git signing of things
15:15:53 <ahf> yeah, please do!
15:16:06 <anarcat> honestly, i don't see any other solution that doesn't involve a billion insanities
15:16:09 <ahf> i think it would be interesting. it might be something has changed and the integration is better
15:16:16 <anarcat> for what it's worth, i'm proposing to use this for TPA as well
15:16:19 <gaba> should we move to next item in the agenda?
15:16:20 <ahf> it was in 2015 i messed around with it
15:16:32 <anarcat> i don't think the integration changed significantly
15:16:33 <ahf> i'm ok with that - it sounds like anarcat will add some info on this
15:16:49 <anarcat> could we just see if we can agree on at least *some* of the questions i outlined in the issue already?
15:16:53 <anarcat> i think we do agree on some stuff
15:17:10 <ahf> i think we agree on most of it from what i could tell
15:17:22 <anarcat> 11:09:20 <+anarcat> basically, what i am proposing there is that we retire gitweb and gitolite, within a 1-2 year timeline
15:17:24 <ahf> i don't think there was anything i actually flat out disagree with
15:17:37 <anarcat> anyone disagrees with that?
15:17:49 <gaba> i totally agree in looking for 1-2 years to retire it
15:17:57 <anarcat> i also think we clearly agree that new repos are created on gitlab
15:18:01 <gaba> and figuring out a process on what needs to happen before it
15:18:03 <anarcat> and that people can mirror repos
15:18:06 <gaba> right
15:18:18 <anarcat> so i'll check those boxes and document that in the ticket
15:18:27 <anarcat> i'm not sure we agree on "can people migrate their git repositories from gitolite to gitlab?" just yet
15:18:36 <anarcat> i was blocking on that before we made sure we have a plan
15:18:54 <anarcat> and i'm not sure we do, but if we agree we eventually retire gitolite, then i agree with starting to migrate small projects
15:19:10 <ahf> yep
15:19:15 <gaba> i think it would depend on which repo we are talking about
15:19:26 <gaba> yes on small projects
15:19:50 <ahf> no? we can't *move* things. people can start new projects there? otherwise in 2 years we have to sit and decide which repos belong where and why and what is canonical
15:19:58 <ahf> and we can do the syncing we do today
15:20:11 <gaba> mmm
15:20:20 <gaba> so what do you think we should do with repos like research?
15:20:45 <ahf> nothing i think. because they still depend on jenkins they can merge things on gitlab and then manually sync from gitlab to git.tpo
15:20:47 <ahf> a bit like we do in tor
15:20:50 <ahf> with tor.git*
15:21:28 <ahf> there will be chaos when we migrate it because i think some projects are already gitlab only, but i think the goal is to minimize the chaos as much as possible 8)
15:21:31 <anarcat> i'm updating the ticket's summary
15:21:39 <gaba> ok
15:22:40 <anarcat> done
15:22:45 <ahf> ok bueno
15:22:48 <ahf> can we jump to next one
15:22:52 <gaba> sure
15:22:54 <anarcat> 7 of 10 tasks completed in https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/36
15:23:07 <ahf> #agenda outreachy reviews
15:23:22 <anarcat> ahf: ITYM "#topic"
15:23:25 <ahf> ugh
15:23:26 <anarcat> ahf: also, i think we *can* move things
15:23:31 <ahf> #topic outreachy reviews
15:23:43 <anarcat> it's just tricky with jenkins projects, obviously, but hopefully those projects can migrate to gitlab ci on their own?
15:23:49 * ahf went over a few of them yesterday, some via email, some via gitlab
15:24:01 <ahf> also found some things in there that i had to handle via email and i am still waiting for some response on that
15:24:25 <ahf> and i have a bit of an issue that i am not sure how to solve without having to do a TON of git support to the contributors
15:24:45 <gaba> I'm mostly interested in discussing a little more on what we want from the lobby
15:24:55 <anarcat> ahf: what is the issue?
15:24:56 <gaba> are all the issues in that list something we want
15:25:03 <ahf> anarcat: let us take that one in PM after the meeting
15:25:12 <gaba> https://gitlab.torproject.org/tpo/tpa/gitlab-lobby/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Outreachy
15:25:13 <anarcat> okay
15:25:46 <anarcat> whoa that's a lot of tickets
15:25:48 <ahf> yeah
15:25:56 <ahf> so, we are using the lobby for two things:
15:26:05 <ahf> 1) we have a need for it and there are a lot of small issues we need solved
15:26:11 <gaba> those are many tickets related to the lobby but not to the anonymous submissions
15:26:19 <ahf> 2) we are trying to find a person who seems capable of diving into the django world
15:26:29 * gaba looking for the ticket on submissions
15:26:40 <ahf> gaba: yeah, that is the plan? :-) the project we accept people into will be doing the anonymous tickets system from scratch with the person we pick
15:26:47 <gaba> https://gitlab.torproject.org/tpo/tpa/gitlab-lobby/-/issues/1
15:26:54 <gaba> yep
15:27:32 <ahf> i think so far the contributions are good and i also think i have some ideas about who is capable and so on for the bigger project
15:27:40 <ahf> a lot of the interns are PM'ing and emailing me too
15:27:59 <gaba> please remember to not give names as we are in a public channel with logs
15:28:03 <gaba> ok
15:28:13 <ahf> yeah, no names
15:28:59 <gaba> anarcat: any question/comment about this?
15:29:24 <anarcat> apart from "whoa that's a lot of tickets" you mean? :)
15:29:25 <anarcat> not really
15:30:37 <gaba> ok :)
15:30:59 <ahf> ok, next item?
15:31:03 <anarcat> i opened this ticket regarding the openpgp signing stuff https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/81 "evaluate mitigation strategies to work around GitLab's attack surface for git hosting"
15:31:12 <anarcat> so the dashboard
15:31:20 <anarcat> https://gitlab.torproject.org/groups/tpo/tpa/-/boards
15:31:23 <anarcat> i think i'm going to give up on it
15:31:35 <ahf> #topic dashboard
15:31:51 <gaba> the issues i have in next will have to wait until november
15:31:57 <anarcat> because it's not really working
15:32:23 <anarcat> i keep poking people to triage their stuff
15:32:28 <anarcat> and it seems no one does it
15:32:36 <anarcat> so i'm going to retreat to https://gitlab.torproject.org/tpo/tpa/team/-/boards
15:32:42 <anarcat> and stop triaging non-tpa tickets
15:33:10 <anarcat> gaba: could you move those tickets to backlog?
15:33:11 <gaba> anarcat: the issue is that we do not have so much time for this.
15:33:37 <ahf> yeah, you're right. i by no means prioritize this, it gets pushed down my list all the time
15:33:42 <gaba> ok. moving my tickets and unassign tickets to backlog
15:33:47 <gaba> i will get them back in november
15:33:53 <anarcat> well you can keep the tickets
15:33:58 <anarcat> just move them out of "next" :)
15:34:21 <anarcat> also this implies i should probably just close https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/10 again
15:34:30 <anarcat> because i can't move to subprojects
15:34:33 <gaba> yes
15:34:38 <anarcat> otherwise i wouldn't be able to ignore the gitlab and lobby issues
15:35:03 <anarcat> also, i understand we don't have time to process all the gitlab issues
15:35:11 <anarcat> obviously, there's a lot more work than what we have available
15:35:20 <gaba> yes and that is why we have these meetings
15:35:24 <anarcat> but
15:35:29 <gaba> to prioritize this work and figure out what needs to be done first
15:35:34 <anarcat> that doesn't mean we can schedule stuff properly
15:35:42 <anarcat> i think we've been overly optimistic with our scheduling so far
15:35:53 <gaba> yes :/
15:35:55 <anarcat> and what i was asking is basically to have the board reflect a more realistic availability
15:36:12 <anarcat> even the backlog is too big right now
15:36:16 <anarcat> those 60 issues won't be done in november
15:36:29 <anarcat> last week i proposed to move everything one step back
15:36:38 <anarcat> all of backlog to icebox, all next to backlog
15:36:44 <gaba> can we close https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/48
15:36:51 <anarcat> then pick only some stuff in next
15:36:52 <ahf> i moved some of my stuff to backlog; maybe it should just go straight to icebox
15:36:58 <anarcat> and then from there, once "doing" is empty, move some stuff
15:37:02 <gaba> i think we should focus on the permissions/user roles stuff
15:37:36 <anarcat> if we close #48, it means we're happy with using the lobby, no?
15:37:41 <anarcat> where is the permission/user stuff if not in #48?
15:39:39 <gaba> #15
15:39:46 <gaba> and #31
15:40:21 <gaba> it seems those 2 can be merged
15:40:26 <ahf> i think we are more happy with the lobby than we were with the open rollercoaster
15:40:55 <anarcat> those do seem redundant
15:41:04 <gaba> yep
15:41:11 <anarcat> i'll close 48
15:41:27 <gaba> 16 tickets in backlog now
15:41:32 <ahf> bueno
15:43:50 <gaba> anything else?
15:43:53 * ahf has none
15:43:54 <anarcat> ahf: pro tip i just read in the "bullet journal" book: if you keep postponing a task all the time, just do it first thing tomorrow morning. it's a chore, you won't like it, but you'll feel better after :)
15:44:05 <ahf> i do use bullet journal
15:44:07 <anarcat> if you can't just do it in the morning, it's not small enough, break it down and reschedule
15:44:09 <anarcat> no way!
15:44:12 <anarcat> i don't! :)
15:44:13 <gaba> i also use bullet journal :)
15:44:16 <anarcat> i'm just reading the book
15:44:18 <anarcat> oh wow
15:44:18 <anarcat> TIL
15:44:24 <anarcat> super interesting
15:44:24 <ahf> ya, i have a small book with dots in for drawing and such
15:44:28 <ahf> and then i move things over each morning
15:44:32 <ahf> but i prioritize too
15:44:54 <kushal> I stopped doing bullet journal because I was having trouble moving things :)
15:44:57 <ahf> like today i have the vpn meeting coming up, so now i have spend some time to prepare for that, and next i need to do outreachy and then prepare some slides because they are urgent because other people are going on holiday
15:45:04 <ahf> and tomorrow i then have to do the CI things i won't make today
15:45:07 <anarcat> maybe we have too many meetings
15:45:15 <ahf> i don't follow it strictly, but just a tiny bit
15:45:15 <anarcat> like it seems i spend more time meeting about gitlab than working on gitlab
15:45:31 <ahf> i think we handle gitlab things, but just the things that pop up rather than the big lines
15:45:32 <gaba> i wonder if we can do now the gitlab meetings every 2 weeks
15:45:34 <gaba> instead of every week
15:45:43 <gaba> at least until we have more time to work on gitlab
15:45:59 <ahf> it's OK with me to have it bi-weekly
15:46:04 <anarcat> we could just call the meeting as needed
15:46:06 <anarcat> like schedule it
15:46:16 <anarcat> and then we free a real time slot for it and we're all fully available :)
15:46:18 <gaba> the issue with calling it is that it may not just happen
15:46:31 <anarcat> then it doesn't happen
15:46:34 <anarcat> if it needs to happen, it will
15:46:34 <gaba> we can do it every 2 weeks and if we do not have anything in the agenda then it gets very short
15:46:47 <anarcat> i believe this is misfiled https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/80
15:46:50 <anarcat> (ot)
15:46:59 <gaba> also i would like this space to be a discussion about internal tooling
15:47:01 <gaba> not only gitlab
15:47:10 <anarcat> gaba: my experience is different; what actually happens is nothing is in the agenda, then we add stuff to the agenda and discuss stuff we don't have time to do :p
15:47:27 <gaba> then let's not add it to the agenda :)
15:48:02 <anarcat> easier said than done
15:48:09 <gaba> if you are all ok with it I will change the nc event to every 2 weeks
15:48:15 <anarcat> anyways, i'm okay with 2 weeks
15:48:19 <gaba> ok
15:48:23 <ahf> yep
15:49:47 <ahf> let's call it then folks
15:49:50 <ahf> thanks for the chat!
15:50:15 <gaba> thanks!
15:50:17 <ahf> #endmeeting