QEMU Summit Minutes

QEMU Summit Minutes

[Peter Maydell]

As usual, we held a QEMU Summit meeting at KVM Forum.
This is an invite-only meeting for the most active maintainers
and submaintainers in the project, and we discuss various
project-wide issues, usually process stuff. We then post
the minutes of the meeting to the list as a jumping off point
for wider discussion and for those who weren't able to attend.

Attendees:
Peter Maydell
Kevin Wolf
Richard Henderson
Markus Armbruster
Gerd Hoffmann
Eduardo Habkost
Laurent Vivier
Mike Roth
Alex Bennée
David Gibson
Stefan Hajnoczi
Thomas Huth
Cornelia Huck
Paolo Bonzini
Daniel Berrangé
Aleksandar Markovic
Paul Durrant
Juan Quintela

1. QEMU Leadership Committee

The Leadership Committee represents QEMU in the Software Freedom
Conservancy (the legal home for our project). Generally it doesn't
have much to do as we luckily don't have active legal problems :-)
One of the rules for the committee is that it mustn't have more
than two members employed by the same company at once; since IBM
acquired Red Hat that put them over the two-person limit and we
needed to adjust the membership. Mike Roth has now stepped down,
and Alex Bennée has agreed to take up the now-vacant seat.
I'd like to thank Mike for his past work and Alex for agreeing
to take on the role.
(The full list of members is at https://wiki.qemu.org/Conservancy)

2. Sharing qemu.git/master maintainership duties

Something I've talked about on the list before is that I'd like to
move away from doing all the work on merging pull requests and
wrangling releases, but we hadn't made much forward progress on this.
The concrete next thing we need to do is move the testing of merges
away from my ad-hoc setup onto a proper CI system.

Markus Armbruster told us that Red Hat is willing to help set up the
generic parts of the CI plus builders for the host architectures
they care about. Host architecture/OS maintainers will need to keep
other builders running and triage failures.  Red Hat is interested in
x86, ppc, s390, and aarch64.

There was a discussion of various possible approaches, mostly
centring on patchew vs gitlab, with the consensus being that
we should prefer gitlab unless the issues with running on non-x86
hosts turn out to be unsolvable.

Mike Roth noted that CI/release handling for stable releases is separate
from the testing done for mainline, and the stable release process is
separate from the regular release process. Once we have working
CI on mainline we should look at using the same mechanisms for stable.

I've written up a draft requirements wiki page for the CI work:
 https://wiki.qemu.org/Requirements/GatingCI

3. QEMU Security

We had a general discussion about our current security process,
and various people raised pain points/issues. Most of them were
familiar from the discussion of the previous year...

Daniel Berrangé noted that CVEs are hard to spot upstream.  Some
commits may not contain CVE numbers because the CVEs were filed after
the commit - this makes it hard to be sure your QEMU build is
secure. We could do a better job of documenting project security
issues, as libvirt does.

I (re)raised my view from last year, which is that upstream QEMU
doesn't provide timely stable releases when security issues are
fixed. The practical effect of this is that users are forced to use
distro releases of QEMU, unless they want to take on the large burden
of tracking CVEs and the commits that fix them and rolling their own
versions of QEMU. I think that it would be better as a project for our
users if we provided releases with security fixes (it's what most
projects do), but in practice we don't seem to have anybody who cares
enough to put in the work that would require.

The suggestion was made that we should document on the website what
the purpose/scope of our stable releases is.

4. GPL circumvention via plugins and out-of-process devices

Markus Armbruster noted that we now have several "plugin" like
interfaces, and these raise a risk of a situation where the GPL is
circumvented via proprietary features.  How to resist circumvention?
(Plugin-like interfaces include the "modules" system we have already,
the new "TCG plugins", vhost-user, and usb-redir.)

There was a wide-ranging discussion, and overall we seemed to be mostly
in consensus that the philosophy the project takes is broadly:
 * it's obviously not possible to technically prevent license
   circumvention if somebody really wants to do it
 * we aim to make it require an obvious "this is not something
   we intended you to do" step across a red line
 * we don't want to have the project end up stuck with the pain
   of maintaining a stable ABI while out-of-tree plugin/device/etc
   implementations get all the benefits
 * we'd like to catch end-user accidental attempts to load
   a module/TCG plugin/etc from a mismatched version in a friendlier
   way than just crashing
 * depending on the exact situation, there might be different
   approaches to providing the 'red line', e.g.
    - specifying a clearly limited-purpose API with version-checking
    - including checks that a module/plugin was built against the
      same git hash as the QEMU binary it's used with

Since we now have an increasing number of these 'external interfaces',
Daniel Berrangé agreed to write up some guidelines explaining the
general philosophy.

5. git pull request workflow when there are multi-level sub-maintainers

This one we probably want to discuss on the mailing list, because
it was submitted by Cornelia Huck, but she had to leave the meeting
before we got to this agenda item.

Some starter points from the meeting discussion:

 * most people present seemed to be using the "we don't have
   multilevel submaintainers, usually rebase before sending pull" flow

 * as the person doing merges of pullreqs, I don't much care
   what the submaintainer's workflow is, as long as it doesn't
   produce a deeply weird git commit graph when merged, and is
   capable of handling "this fails tests, please fix" bounces
   (which in the common workflow are dealt with via 'squash
   in fix and rebase'), preferably without breaking bisection

 * Kevin Wolf notes that although they never made an explicit decision,
   in practice the block layer team has stopped doing multilevel
   submaintainers and instead just has several people sending separate
   pullrequests directly. In the common case, single level is just much
   easier because it requires less coordination (especially when a v2
   pull request is needed).

 * Alex Bennée noted that the Linux kernel development process tends
   to avoid rebasing, on the theory that testing is wasted when trees
   are rebased. However he thought that the distributed testing model
   of Linux gives more weight to the status of a "tested tree branch",
   wherease for QEMU how applicable this is depends on how much
   testing is done at different levels on the PR tree. For us
   if the maintainer re-runs the tests on re-base it is less
   of an issue, as it's unlikely many other people will have done
   much testing on that tree anyway.

 * Various people noted that the 'rebase invalidates testing' idea
   has holes in it of various kinds anyway.

6. Mentorship

Aleksandar Markovic wanted to raise the topic of mentorship as
a skill for QEMU maintainers. There was a general discussion of
things we're doing already (eg the GSOC and Outreachy internships,
the 'bitesized tasks' wiki page) and things we could do.

Aleksandar said he'd write up and share mentoring advice with the
community.
Stefan said he had a link to QEMU internship talk video.

7. Documentation pipeline discussion

Alex Bennée said it would be nice to get our docs (user and
development) being regularly re-generated and nicely hosted on our
infrastructure.  There was general agreement; the blocker has always
been that this requires somebody with interest in the documentation,
time to work on it and also access to the VM which runs out website.

Stefan agreed to create a docs container image to give us a
starting point which we can iterate on. (He's now posted some
patches to the list which do this; thanks!)

We intend to move to rST and Sphinx.  Perhaps the biggest obstacle is
converting qemu-doc.texi and its prerequisites, such as the Texinfo
embedded into the *.hx, and the Texinfo generated from QAPI schema doc
comments.

Markus said he would be okay with making the QAPI doc generator
generate rST instead of Texinfo, but lacked the bandwidth to do it
himself.

Paolo said he'd investigated a document flow where we (temporarily)
had a tool (Pandoc) which converted rST to Texinfo so we could
gradually convert parts of qemu-doc.texi to rST while still building
that document with Texinfo.

I said that I would prefer it if we could avoid the sort of
long-drawn-out changeover that that approach implies, and that
although there is a fair amount of text to convert in qemu-doc,
it would be better to try to just make it a release goal to
do the conversion. If we start with a skeleton of the new
documentation, we can then convert portions of the documentation.
During the transition we'll effectively have two 'manuals'
on the same topic with some info in one and some in the other.

thanks
-- PMM

Re: QEMU Summit Minutes

[Daniel P. Berrangé]

On Thu, Oct 27, 2022 at 01:50:37PM +0100, Peter Maydell wrote:
> Infrastructure
> ==============

snip

> Alex Bennee has successfully signed the QEMU project up for the GitLab
> Open Source Program, which grants Ultimate tier features. This includes
> 50,000 CI minutes per month, 500 GB of transfer per month, and 250 GB of
> storage. I have not seen confirmation yet that personal forks of
> qemu.git share the CI minutes but Daniel Berrangé, Alex Bennée, and I
> believe this should be the case.

NB, in case anymore missed discussion since the summit, this
is *NOT* the case for forks.

Standard user accounts or group namespaces on gitlab.com get 400
CI minutes and cost factor of 1.0 by default. NB some users / groups
might be grandfathered into a 2000 CI minute quota, but its not
clear if that's going to remain so.

With joining the OSP, QEMU gets its quota increased to 50,000 CI
minutes, and the cost factor reduced to 0.5

Forks of QEMU still consume from the user's own CI quota, but
they benefit from a reduced cost factor of 0.008.

For further details see here:

  https://lists.gnu.org/archive/html/qemu-devel/2022-10/msg00244.html

> Bug Tracking System
> ===================
> 
> We discussed the state of our bug tracker now we've had time
> to see how the migration from Launchpad to Gitlab has gone.
> 
> At point of conversion we had about ~450 bugs; we're up to
> ~650 open bugs now. Gitlab doesn't have the same kind of
> automated close-stale-bugs machinery that Launchpad did, so
> we probably have more stale bugs than we did. There was
> no consensus about whether we should be more active/automated
> about closing old bugs.
> 
> 
> It was noted that it's now harder to CC somebody on a bug
> because you can't just cc them on a reply on the mailing list.
> We agreed that we should have some way (probably in MAINTAINERS)
> for developers to note their gitlab user ID, so it's easier to
> find out the right ID to @ to get somebody's attention on a bug.

I would like to see at minimum, *all* people acting as subsystem
MAINTAINERS (ie 'Status == Supported/Maintained) having a gitlab.com
account, and be added to the /qemu-project membership list. It is
pretty unhelpful to have maintainers of subsystems be uncontactable
via / ignoring the project's official bug tracker, as that puts a
bigger burden on people doing bug triage and will lead to growing
backlog.

We've got 44 people as members in gitlab.com/qemu-project right
now.

We have 167 distinct maintainer email addrs in MAINTAINERS.

We have 192 subsystems listed as 'maintained' and 96 as 'supported',
81 'odd fixes' and '12' orphan.

This suggests there is a big gap in our gitlab.com membership wrt
supported /maintained subsystems.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

QEMU Summit Minutes

[Peter Maydell]

As usual, we held a QEMU Summit meeting at KVM Forum.
This is an invite-only meeting for the most active maintainers
and submaintainers in the project, and we discuss various
project-wide issues, usually process stuff. We then post
the minutes of the meeting to the list as a jumping off point
for wider discussion and for those who weren't able to attend.

(Apologies for the somewhat delayed appearance of these
minutes: I was a bit slow about getting them written up
and circulated for additions/corrections.)


Attendees:

"Peter Maydell" <peter.maydell@linaro.org>
"Gerd Hoffmann" <kraxel@redhat.com>
"Alex Graf" <agraf@csgraf.de>
"Richard Henderson" <richard.henderson@linaro.org>
"Thomas Huth" <thuth@redhat.com>
"Alex Bennée" <alex.bennee@linaro.org>
"Alistair Francis" <alistair.francis@wdc.com>
"Kevin Wolf" <kwolf@redhat.com>
"Michael Roth" <michael.roth@amd.com>
"Paolo Bonzini" <pbonzini@redhat.com>
"Michael S. Tsirkin" <mst@redhat.com>
"Mark Cave-Ayland" <mark.cave-ayland@ilande.co.uk>
"Philippe Mathieu-Daudé" <f4bug@amsat.org>
"Stefan Hajnoczi" <stefanha@redhat.com>


Infrastructure
==============

We had a discussion about various aspects of project infrastructure:

Rackspace used to provide us with a free download quota for qemu.org,
but have recently stopped doing this. We've shifted to Azure, with
OSUOSL as a mirror.

Gitlab are clearly becoming much stricter about the CI time they
allow to both projects and individuals. We should:
 * make efforts to ensure we don't use more CI time than we
   absolutely need to for a run
 * look into increased self-hosting of CI runners and other options

Stefan agreed to ask Software Conservancy what other member projects
are doing.

Follow-ups from Stefan Hajnoczi (not discussed during the summit):

No news on a Conservancy-wide solution for project infrastructure. Samba
uses the GitLab Open Source Program with private runners. LibreHealth
uses a private runner too.

Alex Bennee has successfully signed the QEMU project up for the GitLab
Open Source Program, which grants Ultimate tier features. This includes
50,000 CI minutes per month, 500 GB of transfer per month, and 250 GB of
storage. I have not seen confirmation yet that personal forks of
qemu.git share the CI minutes but Daniel Berrangé, Alex Bennée, and I
believe this should be the case.

There is more infrastructure work to do and I'm unable to find the time
to deal with migrating virtual servers off Rackspace (it costs QEMU
money), to use the FTP mirror that OSUOSL set up for us, etc. If another
regular QEMU contributor wants to help Paolo and me with theses things,
please get in touch!


Mailing List Abuse
==================

We had a lessons-learned retrospective about an incident of
abuse on the mailing list, with two main outcomes:


 * for any mailing list users: if you feel something's not right,
   please do reach out and ping somebody. Don't assume that others
   have necessarily seen the thread and are ignoring it.

 * we're going to look at whether we can adjust some of the
   text in our code-of-conduct and similar documentation to make
   it clearer that it's OK to talk to us about an incident even
   if you're not sure whether it's "significant" enough to be
   labelled "abuse".


Leadership Committee
====================

QEMU's Leadership Committee has two roles:
 * it is the official point of contact for the project's interactions
   with the Software Freedom Conservancy
 * it is the contact point for handling problems raised via
   the project's conflict resolution policy

We do have a few committee members who are no longer as actively
involved in the project as they were when first appointed, so we
have the option to rotate some new people in if we like.
We discussed some possibilities but did not come to a conclusion.
We don't think there's any urgency to appoint a new committee
member. Input on this point is welcome.


Bug Tracking System
===================

We discussed the state of our bug tracker now we've had time
to see how the migration from Launchpad to Gitlab has gone.

At point of conversion we had about ~450 bugs; we're up to
~650 open bugs now. Gitlab doesn't have the same kind of
automated close-stale-bugs machinery that Launchpad did, so
we probably have more stale bugs than we did. There was
no consensus about whether we should be more active/automated
about closing old bugs.


It was noted that it's now harder to CC somebody on a bug
because you can't just cc them on a reply on the mailing list.
We agreed that we should have some way (probably in MAINTAINERS)
for developers to note their gitlab user ID, so it's easier to
find out the right ID to @ to get somebody's attention on a bug.


Security Process
================

As is traditional, we had a somewhat inconclusive discussion
about the project's security process.

The CSV process seems opaque, but no one has really complained or
volunteered to do more point releases, so we're not going to
change anything.

MST raised again the idea that we could help security-issue
raisers identify whether their bug report was in what we
consider to be a security issue or not, with a command line
switch (presumably using "security supported" bit on each
device?). The feedback when this has been raised on the
mailing list in the past was "not the right way to do this";
the mailing list still seems the best venue if more
discussion is required.


KVM Call Slot
=============

The project has a weekly available conference-call slot
where we could in theory discuss any kind of issue that seems
more productively handled via a video call than on the
mailing list. (For instance, perhaps some issues that we
talked about in this Summit meeting could be handled that way
rather than waiting for the KVM Forum date?) However, we don't
in practice make any use at all of the call.

We've had a few good well-focused uses of the call in the past
to work through things that would have taken much longer on
the mailing list (Avi Kivity's initial presentation of
the MemoryRegion API springs to mind).

Making the call more useful would probably involve:
 * having a standard way of writing up proposed items
   for a call discussion
 * making sure the relevant people are actually going to
   join the call (this probably means a longer notice period
   and some effort in actively flagging who is useful to
   be included)

Practical suggestions welcome.


thanks
-- PMM