Skip to end of banner
Go to start of banner

2023-10-02 Meeting notes

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »

Date

Attendees 

Discussion items

TimeItemWhoNotes
1 minScribeAll

 Jakub Skoczen is next, followed by Taras Spashchenko 

5 minTCR Board Review

All

  • Have all TCR PRs been merged?  Anything else outstanding
  • Nothing new.
  • One left to merge – Jeremy will do it.
5 minLiaison Updates

Maccabee Levine / Tod Olson / Jakub Skoczen / Craig McNally 

  • CC: Maccabee Levine.  From last week's meeting:
  • PC: Tod Olson 
    • Discussing ways to be more inclusive of the global timezones, possibly alternating meeting times once or twice a month; and
    • updates from CC, TC, RMS and POs.
  • RMS Group: Jakub Skoczen
    • No meeting last week, no meeting this week either.
    • SP6 released for Orchid
  • Security Team: Craig McNally
    • RTR discussion?
5 min

Technical Council Sub Groups Updates

All

  • Need to review feedback from TCR evaluators and submitters - should we spin up another TCR process improvement subgroup?
  • AWS cost: no updates, let's check-in in two weeks from today
  • Distributed config: Julian is preparing a PR
  • Arch group: nothing new / on pause
  • Translations: no updates
5-10 minDecision LogAll
  • Let's take another look at the MinIO/S3 decision and see if we can clean that up, make the documentation match out understanding that these are the approved technologies for object storage.
  • To be reviewed at the end of the meeting if time allows
1 minRFCs

All

  • Craig: App formalization RFC will soon be published, currently in DRAFT. There will be multiple RFCs.
1 minThings Folio can do betterAll

See slack post from Tom Cramer:

At the August 25, 2023 meeting of the Tri-Council at University of Chicago, it was agreed that we would repeat the “List of Things that Could Be Better About FOLIO” survey that was conducted after WOLFcon at Hamburg (Sept ’22).

We ask all Council members to each survey three community members for a list of three things that could be better about FOLIO. Please enter the results into this document by September 29, 2023.

In October, we will report back both on this year’s responses as well as an analysis on progress made against the 2022 goals.

Thank you.
-Tom Cramer (CC), Jesse Koennecke (PC) and Maccabee Levine (TC)

Questions/Notes:

  • Deadline was last Friday.  If you haven't gotten your feedback in yet it may not be too late.  
10-15 min

Refresh Token Rotation Rollout Plan

All

We still need to discuss the target release in which we'll remove the legacy endpoints that return non-expiring tokens.

It was agreed that they would be deprecated in Poppy.  The proposal from Steve Ellis and others was to remove them in Quesnelia

Skott Klebe: having a live legacy auth-endpoint that is unused is dangerous as it provides an additional avenue for attack.

Jeremy: expects an option to "turn off" the legacy authentication endpoint in Poppy

Craig and Jakub: The ability to turn the legacy endpoint off as part of the proposal for Poppy, TC has accepted it along with the rest of the proposal. The new option is opt-in, so the system remains backward compatible by default.

Jeremy: proposes a phased roll-out where disabling the endpoint is opt-in in Poppy (as already agreed) and opt-out (endpoint is disabled by default) in Quesnelia

Jakub: we can also disable public access to the legacy endpoint and only allow known hosts

Craig: would prefer that we don't change the setting that disables the endpoint in Q but instead remove the endpoint completely

Florian: supports the idea for opt-in in Poppy and opt-out in Q and then removing the endpoint afterward

Marc: how much do we want to invest in this?

Jakub: let's avoid breaking backwards compatibility and make sure that when we ask external developers to switch their integrations to RTR, we're not asking them again when the project adopts a new authentication regime (e.g oauth2)

Marc: let's focus on the decision that has already been made but define the criteria: when are we turning it off and when we remove it

Jeremy: having two release cycles would be sufficient (so the legacy endpoint is removed in R release)

DECISION: The TC has agreed to the plan that the endpoints will be removed in the R release.

1 minUpcoming MeetingsAll
  • - No meeting, unless something comes up on the tc-internal channel.
5 min

Officially Supported Technologies

All

To be discussed next Monday.

Standing agenda item to review/discuss any requested or required changes to officially supported technology lists

  • Postgres 12 EOL Fall 2024...  
  • Handle in Quesnelia page Quesnelia - Technical Council - FOLIO Wiki
  • Typescript needs to be addressed
  • Open question: Timelines
  • Want to give people more lead time before the Poppy release

Today:

NAZoom Chat


Topic Backlog

Discuss during a Monday sessionOfficially Supported Technologies - UpkeepAll

Previous Notes:

  • A workflow for these pages. When do they transition from one state to another. Do we even need statuses at all ?
  • Stripes architecture group has some questions about the Poppy release.
  • Zak: A handshake between developers, dev ops and the TC. Who makes that decision and how do we pass along that knowledge ? E.g. changes in Nodes and in the UI boxes. How to communicate this ? We have a large number of teams, all have to be aware of it.  TC should be alerted that changes are happening. We have a couple of dedicated channels for that. Most dev ops have subscribed to these channels. How can dev ops folk raise issues to the next level of community awareness ? There hasn't been a specific piece of TC to move that along.
  • Craig: There is a fourth group, "Capacity Planning" or "Release Planning". Slack is the de facto communication channel.  There are no objections to using Slack. An example is the Java 17 RFC. 
  • Craig: The TC gets it on the agenda and we will discuss it. The TC gets the final say.
  • Marc Johnson: We shouldn’t use the DevOps Channel. The dev ops folks have made it clear that it should only be used for support requests made to them.
  • Jakub: Our responsibility is to avoid piling up technical debt.
  • Marc: Some set of people have to actually make the call. Who lowers the chequered flag ?
  • Craig: It needs to ultimately come to the TC at least for awareness. There is a missing piece. Capacity Planning needs to provide input here. 
  • Marc: Stakeholders / Capacity Planning could make that decision. Who makes the decision ? Is it the government or is it some parts of the body ?
  • Marc: the developers community, the dev ops community and sys ops are involved. For example the Spring Framework discussion or the Java 17 discussion. But it was completely separate to the TC decision. It is a coordination and communication effort.
  • Marc: Maybe the TC needs to let go that they are the decision makers so that they be a moderating group.
  • Jakub: I agree with Marc. But we are not a system operating group. Dependency management should be in the responsibility of Release management. There are structures in the project for that.
  • Jason Root: I agree with Jakub and with Marc also. Policies should drive operational/release/support aspects of Folio.
  • Jason Root: If the idea of “support” is that frameworks are supported, then of course the project should meet that.
  • Marc Johnson
    Some group needs to inform OleksAii when a relevant policy event occurs.
    These documents effectively ARE the manifestation of the policy.
  • Craig: This is a topic for the next Monday session.

  • Craig to see if Oleksii Petrenko could join us to discuss the process for updating the officially supported technologies lists.

Today Notes:


Action Items


  • No labels