2023-10-02 Meeting notes

Date

Attendees 

Discussion items

Time | Item | Who | Notes
1 min | Scribe | All

 Jakub Skoczen is next, followed by Taras Spashchenko 

5 min | TCR Board Review | All

  • Have all TCR PRs been merged?  Anything else outstanding?
  • Nothing new.
  • One left to merge – Jeremy will do it.
5 min | Liaison Updates
  • CC: Maccabee Levine.  From last week's meeting:
  • PC: Tod Olson 
    • Discussing ways to be more inclusive of the global timezones, possibly alternating meeting times once or twice a month; and
    • updates from CC, TC, RMS and POs.
  • RMS Group: Jakub Skoczen
    • No meeting last week, no meeting this week either.
    • SP6 released for Orchid
  • Security Team: Craig McNally
    • RTR discussion?
5 min | Technical Council Sub Groups Updates | All

  • Need to review feedback from TCR evaluators and submitters - should we spin up another TCR process improvement subgroup?
  • AWS cost: no updates, let's check in two weeks from today
  • Distributed config: Julian is preparing a PR
  • Arch group: nothing new / on pause
  • Translations: no updates
5-10 min | Decision Log | All
  • Let's take another look at the MinIO/S3 decision and see if we can clean that up, and make the documentation match our understanding that these are the approved technologies for object storage.
  • To be reviewed at the end of the meeting if time allows
1 min | RFCs | All

  • Craig: App formalization RFC will soon be published, currently in DRAFT. There will be multiple RFCs.
1 min | Things Folio can do better | All

See slack post from Tom Cramer:

At the August 25, 2023 meeting of the Tri-Council at University of Chicago, it was agreed that we would repeat the “List of Things that Could Be Better About FOLIO” survey that was conducted after WOLFcon at Hamburg (Sept ’22).

We ask all Council members to each survey three community members for a list of three things that could be better about FOLIO. Please enter the results into this document by September 29, 2023.

In October, we will report back both on this year’s responses as well as an analysis on progress made against the 2022 goals.

Thank you.
-Tom Cramer (CC), Jesse Koennecke (PC) and Maccabee Levine (TC)


Questions/Notes:

  • Deadline was last Friday.  If you haven't gotten your feedback in yet it may not be too late.  
10-15 min | Refresh Token Rotation Rollout Plan | All

We still need to discuss the target release in which we'll remove the legacy endpoints that return non-expiring tokens.

It was agreed that they would be deprecated in Poppy.  The proposal from Steve Ellis and others was to remove them in Quesnelia.

Skott Klebe: having a live legacy auth-endpoint that is unused is dangerous as it provides an additional avenue for attack.

Jeremy: expects an option to "turn off" the legacy authentication endpoint in Poppy

Craig and Jakub: The ability to turn the legacy endpoint off was part of the proposal for Poppy; the TC has accepted it along with the rest of the proposal. The new option is opt-in, so the system remains backward compatible by default.

Jeremy: proposes a phased roll-out where disabling the endpoint is opt-in in Poppy (as already agreed) and opt-out (endpoint is disabled by default) in Quesnelia

Jakub: we can also disable public access to the legacy endpoint and only allow known hosts

Craig: would prefer that we don't change the setting that disables the endpoint in Q but instead remove the endpoint completely

Florian: supports the idea for opt-in in Poppy and opt-out in Q and then removing the endpoint afterward

Marc: how much do we want to invest in this?

Jakub: let's avoid breaking backwards compatibility and make sure that when we ask external developers to switch their integrations to RTR, we're not asking them again when the project adopts a new authentication regime (e.g. OAuth2)

Marc: let's focus on the decision that has already been made but define the criteria: when are we turning it off and when we remove it

Jeremy: having two release cycles would be sufficient (so the legacy endpoint is removed in the R release)

DECISION: The TC has agreed to the plan that the endpoints will be removed in the R release.

1 min | Upcoming Meetings | All
  • No meeting, unless something comes up on the tc-internal channel.
5 min | Officially Supported Technologies | All

To be discussed next Monday.

Standing agenda item to review/discuss any requested or required changes to officially supported technology lists

  • Postgres 12 EOL Fall 2024...  
  • Handle in the Quesnelia page (Quesnelia - Technical Council - FOLIO Wiki)
  • Typescript needs to be addressed
  • Open question: Timelines
  • Want to give people more lead time before the Poppy release

Today:

NA | Zoom Chat

00:11:52    Jenn Colt:    The notes said it involved a python script and some GitHub merges
00:12:12    Marc Johnson:    Reacted to "The notes said it in…" with 👍
00:12:19    Maccabee Levine:    Details here: https://folio-org.atlassian.net/wiki/display/CC/2023-09-25+Meeting+notes
00:12:29    Maccabee Levine:    i.e. details of "skills needed"
00:12:44    Maccabee Levine:    and what work is done
00:15:09    Owen Stephens:    It also seems like some of those tasks (e.g. granting access to Lokalise) could be handled separately to any mechanics of getting translations into modules - and so might be worth involving PC in aspects that aren’t technical in nature
00:15:59    sklebe:    brb
00:17:18    sklebe:    b
00:24:24    Marc Johnson:    How is it additional work if folks are already monitoring the existing endpoints?
00:25:06    Craig McNally:    Apologies Skott for mispronouncing your last name
00:26:51    Owen Stephens:    At the moment the builds on the reference environments still use the `/bl-users/login` endpoint. If it is to be deprecated in Poppy I’d suggest that the reference environments need to be updated as well (and tbh I’d have expected this to have happened by now)
00:27:44    Marc Johnson:    If you are having to pay any significant manual attention to your monitoring then that's a concern for the monitoring

Both endpoints are live, even under the enhanced security mode
00:29:09    Owen Stephens:    Replying to "At the moment the bu..."

I mean for the user login in the UI
00:30:08    Marc Johnson:    Replying to "At the moment the bu…"
That seems like something that should’ve already been done 😃
00:31:16    Owen Stephens:    Reacted to "That seems like some..." with 💯
00:31:30    Craig McNally:    Reacted to "That seems like some..." with 💯
00:32:48    Marc Johnson:    Replying to "At the moment the bu…"
That said, that might be using the refresh token endpoint behind the scenes
00:35:26    Craig McNally:    Opt-in :  by default legacy endpoints are enabled, but you have the option to disable them
00:35:43    Craig McNally:    Opt-out:  by default legacy endpoints are disabled, but you have the option to enable them
00:36:01    Huff, Jeremy T:    Reacted to "Opt-out:  by default..." with 👍
00:37:45    Marc Johnson:    Endpoints get added and removed every release. Apart from this issuing tokens, and thus the impact on external integration, I don’t get how this is special operationally
00:38:07    Owen Stephens:    Replying to "At the moment the bu..."

I may be looking for the wrong things, but I was expecting to see the two cookies in my browser? Maybe I need to pick this up on Slack
00:39:56    Marc Johnson:    Replying to "At the moment the bu…"
Yeah, there should be. If that’s not made it to the reference environments by now, that’s not a positive indicator
00:40:06    Zak Burke:    Replying to "At the moment the bu..."

It’s WIP in stripes-core. Details at https://folio-project.slack.com/archives/C05JK4YH3A5/p1695841278260819.
00:40:55    Marc Johnson:    Replying to "At the moment the bu…"
Thanks Zak

It’s really late in the poppy release for this to still be WIP
00:41:28    Zak Burke:    Replying to "At the moment the bu..."

No argument there. I expect to have a PR up today or tomorrow. The work is done but needs to be cleaned up.
00:41:33    Owen Stephens:    What’s a reasonable timescale for libraries to migrate?
00:41:45    sklebe:    I place particular importance on auth endpoints vs non-auth.

Also, if there really are endpoints cycling in and out all the time, then there should be clear messaging in every case about what endpoints are transitioning in or out.
00:41:56    Owen Stephens:    Putting a deadline on it will encourage people to prioritise it
00:41:59    Marc Johnson:    Replying to "At the moment the bu…"
I understand it’s a hangover from trying to line every duck up before merging
00:43:56    Owen Stephens:    Quesnelia is surely > 9 months away from being live anywhere
00:44:55    Jenn Colt:    Getting to have Poppy to deal with was a huge relief for us. I don’t think we would need a second release.
00:47:09    Craig McNally:    Reacted to "Getting to have Popp..." with 👍
00:55:02    Marc Johnson:    Even with comprehensive edge modules, we cannot rely on every integration using those
00:55:18    Craig McNally:    why not?
00:56:42    Marc Johnson:    Because all FOLIO APIs are public, any client can use them


Topic Backlog

Discuss during a Monday session | Officially Supported Technologies - Upkeep | All

Previous Notes:

  • A workflow for these pages. When do they transition from one state to another. Do we even need statuses at all ?
  • Stripes architecture group has some questions about the Poppy release.
  • Zak: A handshake between developers, dev ops and the TC. Who makes that decision and how do we pass along that knowledge ? E.g. changes in Nodes and in the UI boxes. How to communicate this ? We have a large number of teams, all have to be aware of it.  TC should be alerted that changes are happening. We have a couple of dedicated channels for that. Most dev ops have subscribed to these channels. How can dev ops folk raise issues to the next level of community awareness ? There hasn't been a specific piece of TC to move that along.
  • Craig: There is a fourth group, "Capacity Planning" or "Release Planning". Slack is the de facto communication channel.  There are no objections to using Slack. An example is the Java 17 RFC. 
  • Craig: The TC gets it on the agenda and we will discuss it. The TC gets the final say.
  • Marc Johnson: We shouldn’t use the DevOps Channel. The dev ops folks have made it clear that it should only be used for support requests made to them.
  • Jakub: Our responsibility is to avoid piling up technical debt.
  • Marc: Some set of people have to actually make the call. Who lowers the chequered flag ?
  • Craig: It needs to ultimately come to the TC at least for awareness. There is a missing piece. Capacity Planning needs to provide input here. 
  • Marc: Stakeholders / Capacity Planning could make that decision. Who makes the decision ? Is it the government or is it some parts of the body ?
  • Marc: the developers community, the dev ops community and sys ops are involved. For example the Spring Framework discussion or the Java 17 discussion. But it was completely separate to the TC decision. It is a coordination and communication effort.
  • Marc: Maybe the TC needs to let go that they are the decision makers so that they be a moderating group.
  • Jakub: I agree with Marc. But we are not a system operating group. Dependency management should be in the responsibility of Release management. There are structures in the project for that.
  • Jason Root: I agree with Jakub and with Marc also. Policies should drive operational/release/support aspects of Folio.
  • Jason Root: If the idea of “support” is that frameworks are supported, then of course the project should meet that.
  • Marc Johnson: Some group needs to inform Oleksii when a relevant policy event occurs. These documents effectively ARE the manifestation of the policy.
  • Craig: This is a topic for the next Monday session.
  • Craig to see if Oleksii Petrenko could join us to discuss the process for updating the officially supported technologies lists.

Today Notes:


Action Items