summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristopher Diaz Riveros <chrisadr@gentoo.org>2018-06-27 08:49:17 -0500
committerChristopher Diaz Riveros <chrisadr@gentoo.org>2018-06-27 08:49:17 -0500
commit5a08acdb51839ab709c500267b46c137dcd938e2 (patch)
tree083a12fe42c24927c2bab6052d5b67c22ebe3091
downloadsecurity-5a08acdb51839ab709c500267b46c137dcd938e2.tar.gz
security-5a08acdb51839ab709c500267b46c137dcd938e2.tar.bz2
security-5a08acdb51839ab709c500267b46c137dcd938e2.zip
meeting logs: Added sec-meeting-2018-02-18-log
Signed-off-by: Christopher Diaz Riveros <chrisadr@gentoo.org>
-rw-r--r--sec-meeting-2018-02-18-log231
1 files changed, 231 insertions, 0 deletions
diff --git a/sec-meeting-2018-02-18-log b/sec-meeting-2018-02-18-log
new file mode 100644
index 0000000..1fd2dc6
--- /dev/null
+++ b/sec-meeting-2018-02-18-log
@@ -0,0 +1,231 @@
+2018-02-18 14:01:52 @K_F Roll call
+2018-02-18 14:01:54 * K_F here
+2018-02-18 14:01:57 * ChrisADR here
+2018-02-18 14:02:05 @ackle here
+2018-02-18 14:02:39 ChrisADR hi ackle nice to meet you :)
+2018-02-18 14:02:45 * Pinkbyte here
+2018-02-18 14:03:16 @ackle Hi Chris, welcome aboard
+2018-02-18 14:03:27 ChrisADR nice to meet you too Pinkbyte :)
+2018-02-18 14:03:32 ChrisADR thanks :) glad to be here
+2018-02-18 14:04:11 @K_F hmm, don't think I have whissi's phone # around to send SMS..
+2018-02-18 14:04:31 @K_F so lets just start, and if he shows up he can read backlog anyways
+2018-02-18 14:04:50 @Pinkbyte ChrisADR, we are all always welcome fresh blood, so - nice to see you amongst us
+2018-02-18 14:04:58 @Pinkbyte s/fresh/for fresh/
+2018-02-18 14:05:22 @K_F the four regular agenda items I've noted for today are (in short); (i) GLEP14 updates (ChrisADR can tell a bit about the changes he has done and what he wants help on forwards, and discusion if there is anything)
+2018-02-18 14:05:44 @K_F (ii) glsamaker (iii) kernel sec and (iv) operator / access list in here (although mostly deferred until after a lead is in place)
+2018-02-18 14:06:30 @K_F are there anything else we should discuss today? as a pro-forma I listed open bugs as well, in particular #624262, but that is more to remember than to discuss today
+2018-02-18 14:07:06 @blueknight Sorry was watching a show.. here
+2018-02-18 14:07:39 @Pinkbyte K_F, it would be nice if something about #624262 would be done. I remember those days when confidential mails from bugzilla were... confidential :-)
+2018-02-18 14:08:13 @K_F Pinkbyte: right, which is why we have a bug, I just don't see anything from us being done about it today.. that said it is listed as a GSoC project this year as well
+2018-02-18 14:08:58 @K_F so, ChrisADR you've been the one most active with trying to refurbish glep 14 c.f bug 637328
+2018-02-18 14:09:00 willikins K_F: https://bugs.gentoo.org/637328 "GLEP 14 needs to be updated"; Documentation, GLEP Changes; CONF; mgorny:security
+2018-02-18 14:09:19 @K_F what is the status of the update and what is needed from us on it before we can pass it around for approval?
+2018-02-18 14:09:39 @K_F I take it everyone here has access to the updated files in git.gentoo.org/proj/security/private.git:/documentation/glep-0014.rst ?
+2018-02-18 14:09:44 @K_F or should I make a copy of it somewhere public?
+2018-02-18 14:09:52 ChrisADR ok, short and simple :) I'm a bit concerned about the implementation
+2018-02-18 14:10:34 ChrisADR quoting from the source code: " WARNING: this code is only tested by a few people and should NOT be used
+2018-02-18 14:10:34 ChrisADR # on production systems
+2018-02-18 14:10:37 ChrisADR "
+2018-02-18 14:11:04 @K_F ChrisADR: heh, indeed, that is code you don't want seen relied on in production systems :)
+2018-02-18 14:11:18 @K_F (or at least comment, presumably it actually _is_ well tested by now)
+2018-02-18 14:11:56 ChrisADR yea :) ok, the thing is that we need either to remove that comment, ensuring that glsa-check is actually tested, to be able to mark the GLEP as implemented, or keep it as "work in progress"
+2018-02-18 14:12:49 @K_F it has been used in production for a number of years, so unless it is a very specific corner case, we can likely remove the comment now
+2018-02-18 14:13:00 ChrisADR but I see that most of the work was done till 2015, except a couple of patches in 2016 and 2017
+2018-02-18 14:13:26 ChrisADR ok, sounds good to me, the rest of the GLEP is just an update to the current status
+2018-02-18 14:14:00 @Pinkbyte K_F, true. I remember exactly one breakage(which happens in this year) of glsa-check since i use it(from 2009 at least, iirc)
+2018-02-18 14:14:02 @K_F so, should we vote for an approval of it in this meeting, or do a final circulation on email for comment?
+2018-02-18 14:14:16 @K_F (approval in this context means we submit it to council)
+2018-02-18 14:14:40 ChrisADR I'd prefer a circulation, I'd appreciate a peer review and then decide if everything is ok to send to council
+2018-02-18 14:14:47 @K_F ChrisADR: actually one thing I noticed, which is nitpick when reading it is most references to GPG should be OpenPGP
+2018-02-18 14:15:04 @K_F unless it reference the specific implementation
+2018-02-18 14:15:29 @K_F e.g "verifies its OpenPGP signature" instead of "GPG signature"
+2018-02-18 14:16:13 @K_F but right, if you can send out a call for comment we can deal with it with a deadline of 1 week from you send it out?
+2018-02-18 14:16:23 ChrisADR yea, actually afaik we don't verify signatures per se, we assume that because of the signed commits in the repo
+2018-02-18 14:17:09 @K_F signed commits aren't relevant, would be the signed MetaManifest or the signature of the web download, there aren't any good ways to verify the git commit signatures, in particular in context of retired devs and revoked keyblocks
+2018-02-18 14:17:41 @K_F but if the tool doesn't check the signature, we want to update the GLEP to reflect that
+2018-02-18 14:18:06 ChrisADR There are still a couple of sections that I have not changed, I hoped to send a proposal to the mail and discuss those specific implementations since I don't have it totally clear
+2018-02-18 14:18:15 @K_F and/or write that it expects the tree consistency to be in place due to verification done during portage / gemato sync (but keep in mind that won't help paladius or pkgcore users)
+2018-02-18 14:19:33 @K_F but right, lets do that by email then, that works for me
+2018-02-18 14:19:40 ChrisADR ok, great
+2018-02-18 14:19:41 @K_F any other comments from anyone on the subject before we move on?
+2018-02-18 14:20:14 @blueknight Nothing from the peanut gallery :)
+2018-02-18 14:21:21 @K_F ChrisADR: you also brought up glsamaker, want to lead in with your thoughts?
+2018-02-18 14:22:23 @K_F i.e are there specific concerns, or just a generic discussion on whom takes responsibility for maintenance etc?
+2018-02-18 14:23:35 ChrisADR well I was thinking about the whole project implementation, I know whissi is the only one developing it right now, but it's hard for him because of ruby... at first I was thinking to prepare a new version of glsamaker, but now I'd like to propose a new idea
+2018-02-18 14:23:53 * K_F is all ears
+2018-02-18 14:24:45 @K_F but yes, it being ruby is actually an issue on a few points, including maintenance since not too many use it, that is also a problem with a few other sites, including packages.g.o
+2018-02-18 14:24:47 ChrisADR alice sent an email announcing that we are officialy part of the Google Summer of Code, I was thinking (maybe not this year, but next one, given the availability from our team) to propose a project there and be mentors from a student
+2018-02-18 14:25:26 @Whissi _No_. :)
+2018-02-18 14:25:30 @K_F I'm not a fan of that idea, too many projects historically that have been written and not properly implemented in practice, and if we want to rewrite, it is to make sure codebase is familiar to security team
+2018-02-18 14:25:46 @K_F and having a student at gsoc is 3-5 times the work of just doing it yourself
+2018-02-18 14:25:51 @K_F or more..
+2018-02-18 14:25:56 ChrisADR I guess that if it's in Python (django at least) it may be easier for the whole developers here to have an idea of how it works?
+2018-02-18 14:26:04 @K_F in particular when we're starting from scratch, it is easier for a specific feature in existing framework
+2018-02-18 14:26:23 @ackle Not a fan either, tools from GSoC have seemed... unreliable to me in the past
+2018-02-18 14:26:25 @K_F django suffers from a number of same issues as ruby does with upgrades and compatability
+2018-02-18 14:26:34 @K_F so that also easily gets stuck, and is difficult to properly package
+2018-02-18 14:26:46 @blueknight ackle: you have a working demo version is that correct?
+2018-02-18 14:26:52 ChrisADR ok out of ideas :P
+2018-02-18 14:26:58 @Pinkbyte Well, we should feel ourselves pretty lucky that it is Ruby and not Haskell for example :-D
+2018-02-18 14:27:05 @ackle Yes, I have a working dev system for glsamaker
+2018-02-18 14:27:34 @K_F ackle: to ensure we're talking of same thing, you have a dev system of the current implementation
+2018-02-18 14:27:54 @K_F I'm personally in favor of throwing in some more resources on existing system rather than rewriting from scratch, as I know that will bring bugs on its own
+2018-02-18 14:27:59 @ackle Also to point out: in the past we've always said that a major change to glsamaker should probably be in tandum with an overhaul of the GLSA format (to make it easier to automate announcements)
+2018-02-18 14:28:07 @K_F unless we have specific features that we know needs a solid rewrite (e.g proper CVE handling)
+2018-02-18 14:28:28 @K_F but if we want to write a new system we need to do a full RFP / spec of what is needed before starting out
+2018-02-18 14:28:32 @Whissi Yes. We should first think about what we want before we think about how we reach the goal.
+2018-02-18 14:29:05 @K_F not necessarily only GLSA format though, that is output format only, we have a lot of background work that never sees the public
+2018-02-18 14:29:20 @ackle K_F: yes, I keep an updated and running copy on one of my VMs for when I've made changes to glsamaker.g.o
+2018-02-18 14:29:26 @blueknight ackle: Can we replicate your dev build in to a location where others have access?
+2018-02-18 14:29:43 @K_F ackle: nice, do you have any notes for setting it up etc if others wants to replicate?
+2018-02-18 14:29:47 @blueknight or share the VM?
+2018-02-18 14:30:19 @K_F instead of sharing the VM, might want to do a replication of the pushing at infra
+2018-02-18 14:30:33 @ackle I'm sure I have notes on setting it up. If infra can provide a VM, we could get a shared test system out there
+2018-02-18 14:30:34 @K_F and have a git repo we can commit changes to for testing, instead of full access on VM
+2018-02-18 14:31:07 @K_F in my experience testing without audit is often difficult to replicate in production system due to lack of documentation
+2018-02-18 14:31:27 @K_F of course that brings question of whether we want a test system along with a dev system
+2018-02-18 14:31:30 @Whissi For me the problem is testing vs bugzilla
+2018-02-18 14:32:41 @Whissi Like testing the "close bugs" think... it requires a open bug... hard to test if you don't have a testing bugzilla ;)
+2018-02-18 14:32:53 ChrisADR and our own bugzilla for tests?
+2018-02-18 14:33:17 @ackle There are various caveats with testing, such as connecting it to a test Bugzilla instance (as Whissi is stating) and having actual information in the database for validation (something that bit me in the butt before)
+2018-02-18 14:33:36 @K_F Whissi: iirc infra has a testing infrastructure for bugzilla, maybe we can get some resources on that?
+2018-02-18 14:34:06 @K_F but indeed, there will be references to bug numbers not existing etc etc
+2018-02-18 14:34:24 @K_F unless it is done in a testing envoronment that synchronize / copy daily or weekly or whatever
+2018-02-18 14:36:13 @K_F (I believe this is the one I'm thinking of.. http://bugstest.gentoo.org )
+2018-02-18 14:38:33 @K_F but right, I'm putting that down for another subject to continue discussing on email.. but before doing any big changes I strongly recommend we figure out if we need major new features, and if we do figure out what we need (including testing infrastructure etc) before starting a new project on it
+2018-02-18 14:39:52 @K_F So; (iii) kernel sec team
+2018-02-18 14:40:06 @K_F ChrisADR: again, you had some questions on this, want to start up discussion?
+2018-02-18 14:40:15 ChrisADR ok, sure
+2018-02-18 14:40:52 ChrisADR it may be a good idea to define a structure, like the vulnerability treatment policy
+2018-02-18 14:41:01 @blueknight I have an idea ... I am thinking we might want to put together a Trello for our team so we can put down the requirements?
+2018-02-18 14:41:01 ChrisADR I propoce 3 states right now
+2018-02-18 14:41:26 ChrisADR that's a good idea
+2018-02-18 14:42:05 @K_F what is Trello?
+2018-02-18 14:42:25 ChrisADR so, [upstream] as always, [cve] as archived in our db, and a new [backported](just basic idea) which means if we have that specific fix available in our *-sources
+2018-02-18 14:42:28 @blueknight Trello is a free on line Todo / Project management with multi edit capabilitles.
+2018-02-18 14:42:36 @K_F is it free software?
+2018-02-18 14:42:43 @blueknight Free on-line service
+2018-02-18 14:42:43 @Pinkbyte K_F, proprietary online service for kanban-like tasking and stuff
+2018-02-18 14:42:56 @K_F meh, lets stick to formats people can use
+2018-02-18 14:43:05 @Pinkbyte K_F, agreed
+2018-02-18 14:43:21 @K_F but for kernel issues, its a bit of a catch 22
+2018-02-18 14:43:50 @K_F 1) we don't have resources to track the vulnerabilities, and the upstream recommendation is just to always use latest point release of long term stable branch
+2018-02-18 14:44:02 @K_F 2) upstream doesn't properly flag vulnerabilities (see 1)
+2018-02-18 14:44:19 @K_F 3) we don't have tooling to check the running kernel on a given system and what patches are potentially applied
+2018-02-18 14:44:46 @Whissi Regarding kernel: The kernel project will move to some kind of auto-stabilizing later this year. At least we plan something like that.
+2018-02-18 14:44:48 @K_F which mostly result in , sure, we can track some, in particular for release coordination, but in general, kernel is on its own
+2018-02-18 14:44:59 @Whissi So the meaining of stable kernel in Gentoo _will_ change.
+2018-02-18 14:45:13 @K_F Whissi: iirc they are using the proposal from the stable wg ?
+2018-02-18 14:45:27 @K_F I wouldn't agree it is changing stable status if so
+2018-02-18 14:45:44 @K_F mainly due to upstream stability guarantee, and only point releases of an already stabilized LTS will be auto-stabled
+2018-02-18 14:45:50 @Pinkbyte Whissi, if it would be sticking to latest possible LTS point releases - blame me, if i will be against it :-)
+2018-02-18 14:46:36 @Whissi Currently, in Gentoo, stable kernels means something like a GA status. I.e. only mark a kernel stable if we know it works on most hardware or aren't aware of any criticial problems which may affect *some* setups.
+2018-02-18 14:47:16 @Whissi That's the reason why 4.14.x is still not being stabilized in Gentoo... because we are aware of *some* problems... however, 4.14.x is now better and works for *most* users... but still not ready to be named *GA*.
+2018-02-18 14:47:38 @Whissi But this is going to change.
+2018-02-18 14:47:47 @K_F right, 4.14 is a mess on libdrm and kernel mode buffers
+2018-02-18 14:48:00 @K_F kernel modeline*
+2018-02-18 14:48:05 @blueknight So they are going to roll the dice with automated building
+2018-02-18 14:48:17 @K_F not really
+2018-02-18 14:48:39 @K_F if they only stable latest point release as policy, it is easy to do a package mask for newer kernel branches
+2018-02-18 14:48:48 @K_F first thing I do on any system after installing is masking any higher branch
+2018-02-18 14:48:56 @K_F and only switching once LTS is EOL
+2018-02-18 14:49:13 @Whissi I.e. in future we hope to have a working CI which will start testing when upstream kernel reaches RC. Once released, we will add and mark stable within 24-48h. If we get aware of any problems we maybe decide to pause/skip this version... or add patches like before. But in general the idea is to follow upstream within 48h.
+2018-02-18 14:49:27 @Whissi (_stable_ within 48h)
+2018-02-18 14:49:27 @Pinkbyte K_F, i forced to do this on one of my HP servers. Which breaks badly on 4.12 and 4.14
+2018-02-18 14:49:52 @blueknight Well in either case... I think we stick to what we have done before
+2018-02-18 14:49:55 @K_F Pinkbyte: most server systems do it like that anyways
+2018-02-18 14:50:12 @K_F blueknight: you're not talking for security project? in which case I agree
+2018-02-18 14:50:25 @K_F we have the project more as a discussion point and placeholder, but we shouldn't give any security guarantee for actual tracking
+2018-02-18 14:50:40 @blueknight Well isn't this what we are talking about?
+2018-02-18 14:50:44 @K_F we don't have the resources for it, and the best recommendation is "use latest upstream point release"
+2018-02-18 14:51:01 @K_F blueknight: _could_ be a reference to kernel team's stable policy
+2018-02-18 14:51:09 @K_F just wanted to have the statement in proper context
+2018-02-18 14:52:43 @blueknight The non politically correct version is "no one tracks what is in the Kernel, we take whatever is available upstream and go with it"
+2018-02-18 14:54:30 @K_F so, unless there are further comments on that, the next one I have is the channel IRC modes
+2018-02-18 14:55:00 @K_F as explained in email already, that is easy to fix, but easier to do cleanup after a lead is in place as he/she would be natural Founder of channel that can then fix the other modes
+2018-02-18 14:55:58 @K_F so I propse we defer that point
+2018-02-18 14:56:05 @Whissi Well, I guess ChrisADR wants that we will write down that we track usally only focus >=A2 vulns for kernels. I.e. write down, that we don't track anything else due to lacking man power.
+2018-02-18 14:56:22 @K_F we don't officially track anything
+2018-02-18 14:56:42 @blueknight We do not track Kernel, and I would not want to track anything in Kernel
+2018-02-18 14:56:54 @blueknight If the Kernel team does not know what is fixed, how shoudl we
+2018-02-18 14:57:03 @K_F we can help coordinate etc, but we don't _track_ anything
+2018-02-18 14:57:15 @Whissi Well, I try to track anything >=A2 and especially anything I find in the media.
+2018-02-18 14:57:37 @Pinkbyte K_F, about channel modes - did i miss something? blueknight is currently team lead and can ask for channel ownership in #gentoo-groupcontacts, no?
+2018-02-18 14:57:42 @K_F right, but you do that out of the goodness of your heart and not policy :)
+2018-02-18 14:57:50 @Whissi yeah
+2018-02-18 14:57:52 @blueknight Pinkbyte: I resigned due to time constraints
+2018-02-18 14:57:54 @K_F Pinkbyte: right, but if we need to switch that anyways
+2018-02-18 14:58:20 @K_F Pinkbyte: its easier to just wait for new lead to be in place
+2018-02-18 14:58:21 @blueknight I do not feel it is right by the team since I can not dedicate a lot of time.
+2018-02-18 14:58:33 @Pinkbyte blueknight, ok then, missed that e-mail(or just forgot about reading it, i am such a dumbass these days)
+2018-02-18 14:58:46 ChrisADR blueknight: can you try to set -O on my nick?
+2018-02-18 14:58:57 @K_F +AO you mean :)
+2018-02-18 14:59:01 ChrisADR capital o letter
+2018-02-18 14:59:04 @blueknight Chris I do not have rights
+2018-02-18 14:59:17 ChrisADR well that's what the discussion is about
+2018-02-18 14:59:25 @Pinkbyte according to chanserv info - a3li and keytoaster are channel founders
+2018-02-18 14:59:28 ChrisADR I thought for one sec that you had those rights
+2018-02-18 14:59:36 @Pinkbyte so only them can fully manage channel
+2018-02-18 14:59:38 ChrisADR sorry, missed the flow
+2018-02-18 15:00:27 @blueknight Both keytoaster and Alex can be contacted to make the rights accordingly moved... so not a big deal
+2018-02-18 15:00:43 @ackle Is there anything else to discuss?
+2018-02-18 15:00:51 @K_F blueknight: we don't even need that if a new lead is in place (or if you want to have them now)..
+2018-02-18 15:00:58 @K_F but right.. any other agenda item?
+2018-02-18 15:01:14 @K_F if not we've managed to stay at timeline outlined, which is good in itself :
+2018-02-18 15:01:17 @K_F :)
+2018-02-18 15:01:32 @K_F I generally believe a few short meetings like this more frequently is a good thing
+2018-02-18 15:01:41 * Pinkbyte remember 2-3 hours meetings of Qt team. That was a bit of a pain...
+2018-02-18 15:01:58 ChrisADR maybe set a couple of goals till the next meet?
+2018-02-18 15:02:02 @blueknight So since we are all here.... I have one
+2018-02-18 15:02:11 @K_F blueknight: floor is yours
+2018-02-18 15:02:24 @blueknight What has been decided is going to be done with picking the new lead.
+2018-02-18 15:02:35 @blueknight lead or leads
+2018-02-18 15:03:10 @K_F I haven't seen any conclusions on anything
+2018-02-18 15:03:27 @ackle We should probably arrange for nominations and election
+2018-02-18 15:03:33 @K_F so guess someone just needs to actually call for election and chose a format (email, heliosvoting, etc etc)
+2018-02-18 15:03:36 @Whissi Well, we can start a new election already or wait the remaining 2-3 month....
+2018-02-18 15:04:08 @blueknight K_F: I propose smoke signals as the means (joke)
+2018-02-18 15:04:21 @K_F blueknight: I have my Padron 7000 currently, so I'm ready to blow smoke rings :)
+2018-02-18 15:06:11 @blueknight Ok so do you guys want to wait, or do elections. Lets vote
+2018-02-18 15:06:17 @Pinkbyte Whissi, quick note from other team's lead - e-mail voting can be 2 weeks long... But it's not the problem. Problem is when you win election, because no one else was nominated. I hope that would be not the case with security :-/
+2018-02-18 15:06:22 @K_F blueknight: I'd say it is more up to you than anything else
+2018-02-18 15:06:36 @blueknight I resigned, so it is up to the team
+2018-02-18 15:07:02 @K_F blueknight: well, if you take the resignation as a point after regular election or if you want to be freed of responsibilities already
+2018-02-18 15:07:10 @blueknight So lets vote .... who wants election, and who wants tow ait.
+2018-02-18 15:07:29 @Whissi Pinkbyte: I would propose a different way this time: Everyone is nominated... and has _one_ week to accept. After the week we would start normal voting via mail.
+2018-02-18 15:07:42 @Whissi But this would be pre-announced
+2018-02-18 15:07:43 @K_F blueknight: if you don't expect to be able to be around, I recommend just having election now
+2018-02-18 15:07:50 @Pinkbyte I suppose that in that case we should roll election earlier. One week for nomination, two weeks of voting... Around a month will be only procedure going...
+2018-02-18 15:08:16 @Pinkbyte Whissi, well, we are(not all of us, blame me) pretty active and responding team, so your proposal make sense
+2018-02-18 15:08:17 @Whissi You really want 2 weeks voting?
+2018-02-18 15:08:47 @Whissi 7d should be enough, not?
+2018-02-18 15:09:03 @K_F I generally would expect members to be able to respond in a week, in particular since it is pre-announced periode
+2018-02-18 15:09:15 @blueknight 7d does not account for anyone that has vacation (Holiday) or a business trip
+2018-02-18 15:09:18 @K_F so 2 weeks since announcement ,if 1w acceptance periode)
+2018-02-18 15:09:23 @Pinkbyte Whissi, i am not. I am just saying how it is in QA team. Last time there was no voting, because there are only me nominated
+2018-02-18 15:09:44 @K_F blueknight: well, it is 2 weeks announcement since beginning of voting process
+2018-02-18 15:09:45 @blueknight I recommend 2 weeks.
+2018-02-18 15:09:49 @K_F s/voting/election/
+2018-02-18 15:10:06 @K_F people should be in a position to read their email in that time
+2018-02-18 15:10:10 @blueknight No but if I go on vacation or a business trip and do not have my GPG key to vote with me (because I forgot it or something),...
+2018-02-18 15:10:24 @ackle Is there a reason why 2w is not reasonable? Or is it just impatience?
+2018-02-18 15:11:02 @Whissi Well, with announcement we actual have >7d... but an actual voting period for >7d is a bit long, given that the "big" elections like council will happen in just 7d... not sure why security would need 14d...
+2018-02-18 15:11:04 @K_F blueknight: right, but arguably that is more a question of whether we should require OpenPGP signatures, although I'm somewhat biased in that and mean everyone should have that pretty accessible in security project :)
+2018-02-18 15:11:46 @K_F council voting is upen for 15 days
+2018-02-18 15:12:04 @K_F after a 15 day nomination periode
+2018-02-18 15:12:09 @blueknight But when I go on vacation I purposly disconnect for 7 days ... (usually on a cruise ship, where I do not buy internet)>
+2018-02-18 15:12:10 @Pinkbyte Whissi, nobody denies shortening voting period IF all of team members are already voted or if clear winner is discovered
+2018-02-18 15:12:29 @Whissi OK. I am not against 2 weeks. Just wondered :)
+2018-02-18 15:12:41 ChrisADR council voting?
+2018-02-18 15:12:57 @ackle I have to run... have fun painting that shed, folks ;)
+2018-02-18 15:13:03 @Whissi I'll send my proposol for the election later tonight.
+2018-02-18 15:13:06 @K_F ChrisADR: election
+2018-02-18 15:13:15 @K_F ChrisADR: the voting part of the election process for council
+2018-02-18 15:13:21 ChrisADR sorry, bad translation, ok got it
+2018-02-18 15:13:35 @K_F Whissi: ok, putting you down to organize it then :)
+2018-02-18 15:13:43 @blueknight OK.. with this meeting being done... Have a good day everyone.
+2018-02-18 15:13:57 @Whissi No problem. Will be my 3rd Gentoo election I organized this year ;)
+2018-02-18 15:14:07 @K_F sounds good, then I have 15 minutes until next meeting
+2018-02-18 15:14:08 @Pinkbyte blueknight, you too. I should go to bed, though, it's 23:15 on my clock :-)
+2018-02-18 15:14:12 @K_F have a nice evening everyone
+2018-02-18 15:14:15 * K_F bangs gavel