2024-11-04 Meeting notes

Owned by Craig McNally
Last updated: Nov 08, 2024 by Julian Ladisch
9 min read

Date

Attendees 

Discussion items

TimeItemWhoNotes
1 minScribeAll

Jenn Colt is next, followed by Florian Gleixner

Reminder:  Please copy/paste the Zoom chat into the notes.  If you miss it, this is saved along with the meeting recording, but having it here has benefits.

5-10 minLiaison Updates

Maccabee Levine

Tod Olson

Jakub Skoczen

Craig McNally

Jenn Colt 

  • CC: Maccabee Levine
    • No CC this morning
  • PC: Tod Olson
    • Call for Ramsons BugFest testers, need to recruit more people to help with upcoming BugFest.
    • Claiming app: Presentation on new app to support workflows to claim missing serials, will entail a new UI module using existing backend. New functionality brought to PC while still in design phase! More detail in the presentation linked in the 2024-10-31 Product Council Meeting Notes
  • RMS Group:
    • Nothing relevant
  • Security Team: 
    • We should discuss ownership of mod-graphql see agenda item below.
  • Tri-council Application Formalization:  
    • Group has paused while POs and App Interaction work on spreadsheet from Taras
1 minUpcoming MeetingsAll
  • - Dedicated discussion:  Go continued
  • - Regular TC meeting
  • - Dedicated discussion:  Topic TBD
  • - Regular TC meeting
5 minTCR Board ReviewAllTCR-44: Julian had no time to look at it.
5-10 min

Technical Council Sub-Groups Updates


Static code analysis: No meeting

Developer documentation: Nothing new

1 min

GitHub RFCs

Wiki RFCs

All

  • Craig McNally followed up with VBar on the FQM RFC... 
    • VBar will update with current state and discussions from Wolfcon
1 minDecision LogAll

Nothing new here.

5 min

Officially Supported Technologies (OST)

All

Check Recurring Calendar...

5-10 minTC member changesAll
  • Craig McNally made progress on a couple things here...
    • Spoke to Christopher Spalding and got access to Election Runner - Setup was very easy, and free for < 20 voters.
    • Reached out to Boaz Nadav Manes wrt the google form used in the last election for nominations - Still need to see how much of this can be reused.
  • It's also come to light that Taras Spashchenko will be leaving the project soon, so we have 2 seats to fill.
  • Timing
    • Two weeks for nominations + One week to vote
    • Assuming we can get the word out (and nomination form) by  (Next Monday), we should have results by the end of the month. 
    • Does this timing work?
  • Communication/Announcement
    • Since it wasn't clearly captured in previous notes - the plan is to post to #tech-council, right?  Also maybe to the other council channels?  
      • Maccabee Levine should post to wider channels, probably developers or implementers
    • Do we need to be concerned that we may not get enough nominees, or that not posting this to a wider audience may be viewed negatively?
1 minBackport fix to Morning Glory?All

From Julian Ladisch in #tech-council... Do we need to discuss?

There's a request to get a fix being back-ported to Morning Glory (R2 2022): https://github.com/folio-org/mod-authtoken/pull/164
Does FOLIO support this, or should we suggest that people (upgrade to a supported flower release or) fork the repository, do the changes in their fork, and use their own docker hub space to publish the fixed container?

Notes:

  • Was this raised with the RMS group?  Any updates?
  • Julian Ladisch: yes, raised with RMS group
5-10 minmod-graphql ownershipAll

This is mostly an FYI, but also raising this here in hopes of finding a volunteer to help with this...

  • mod-graphql is unmaintained.  Charlotte Whitt indicates that the Thor team does not have bandwidth for this.  
  • There are several security-related issues here, dating back to 2021.  Most of this is regarding outdated, unsupported versions of 3rd party dependencies, but there are also at least one known vulnerability too.
  • It seems the project needs to find a new owner for this module.
    • Sought advice from the folio chairs.  It was suggested that we engage Khalilah Gambrell (Lead PO). 
    • Khalilah indicated that there aren't any teams with capacity to take this on, especially while hardening for a release.  She also notes that EBSCO + EPAM teams have already taken on a significant number of modules previously maintained by the now defunct Prokopovych team.
  • Noteworthy considerations:
    • This module is written in node.js
    • the z39.50 module depends on mod-graphql, so removing it from future releases may be problematic
  • Jakub Skoczen probably dependency on z3950 could be removed, so we could get rid of mod-graphql at all
  • Marc Johnson ask z3950 responsibles if they think removal is possible
  • Maccabee Levine announce a note in slack too the planned removal of mod-graphql in case someone else uses it
*Go languageAll / Jakub Skoczen

Follow-on Q & A/ discussion on approval of the Go language for module development.

  • DevOps topics were discussed last wednesday
  • Discussion:
    • Craig McNally Can other teams take over go-based modules? We learned mit mod-graphql this can be a problem
    • Maccabee Levine Should be a MOU from the Organization
    • Jakub Skoczen Does not depend only on programming language. Most time the teams lack resources and not knowledge.
    • Marc Johnson Not only the programming language, but also central tooling has to be considered. Not central policy for new languages. Need guidelines for new languages
    • Jenn Colt When should a module be considered to be abandoned?
    • Craig McNally mod-graphql most security vulnerabilities raise from outdated dependencies. Unclear if this is exploitable. Upgrading dependencies is not easy.
    • Julian Ladisch At least one security issue known, but does not directly affect Folio.
    • Marc Johnson No policies for new languages regarding tooling exist
    • Jakub Skoczen As we proposed go, we figured out tooling, devops and so on. Discussion seems to be endless, we had 2 topics: CI/CD and developing of a demonstration module. Either formulate clear questions about topics in question or take a vote now or soon.
    • Craig McNally Most of questions have been raised in the RFC. Concerns about managing multiple languages have all been discussed
    • Jakub Skoczen Can invite developers from the team if there are more questions.
    • Marc Johnson Static code analysis group will look at it
    • Craig McNally Remaining questions should be answered at Wednesday and we plan to take a vote them
NAZoom Chat


17:04:39 From Maccabee Levine To Everyone:
       What dev team is doing that Claiming app?
17:05:01 From Maccabee Levine To Everyone:
       Replying to "What dev team is doi..."

       Thanks!
17:07:39 From Tod Olson To Everyone:
       Replying to "What dev team is doi..."

       For the notes: the work is being done by Thunderjet, Joseph Reimers is the PO.
17:07:49 From Maccabee Levine To Everyone:
       Reacted to "For the notes: the w..." with 👍🏻
17:17:05 From Tod Olson To Everyone:
       Unfortunate to lose Taras. : (
       I hope you have an interesting next project!
17:30:55 From Jenn Colt To Everyone:
       I think. That’s a good chairs topic
17:32:53 From Julian Ladisch To Everyone:
       The required two years support are for Spring Ways modules. For a completely new language this must be much longer.
17:36:35 From Marc Johnson To Everyone:
       Replying to "The required two yea…"
       Does the MoU refer to specific tools?

       If so, that’s probably inappropriate
17:37:41 From Julian Ladisch To Everyone:
       Replying to "The required two yea..."

       The MoU doesn't refer to specific tools, but currently for back-end modules we only have Spring Way as officially supported language.
17:39:35 From Marc Johnson To Everyone:
       AFAIK FOLIO currently supports Perl, node.js and Java

       And tooling wise, vert.x and grails are also supported
17:41:08 From Julian Ladisch To Everyone:
       https://folio-org.atlassian.net/browse/MODGQL-160 "Upgrade apollo-server-express" - raised November 2022.
17:48:30 From Maccabee Levine To Everyone:
       Side note re: security team, I think the TC charter makes it clear: "Maintain oversight of the FOLIO project's security group and other working groups to which the Technical Council delegates specific responsib
ilities."
17:49:17 From Marc Johnson To Everyone:
       Replying to "Side note re: securi…"
       We probably need to decide if the security tooling falls into the officially supported technologies
17:53:06 From Marc Johnson To Everyone:
       We should include the static analysis question into that discussion
17:53:13 From Maccabee Levine To Everyone:
       Reacted to "We should include th..." with 👍🏻
17:55:56 From Marc Johnson To Everyone:
       And lastly, document the expectations for new languages for the next time this happens
17:56:07 From Tod Olson To Everyone:
       Reacted to "And lastly, document..." with 
17:56:08 From Julian Ladisch To Everyone:
       FOLIO already has a centralized go linting GitHub workflow: https://github.com/folio-org/.github/blob/master/README-go-lint.md
17:56:49 From Julian Ladisch To Everyone:
       I don't think that we need any input from the static code analysis group.

Topic Backlog

Decision Log ReviewAll

Review decisions that are in progress.  Can any of them be accepted?  rejected?

Translation SubgroupAllSince we're having trouble finding volunteers for a subgroup, maybe we can make progress during a dedicated discussion session?
Communicating Breaking ChangesAll

Currently there is a PoC, developed by Maccabee Levine, of a utility to catalog Github PRs that have been labeled with the "breaking change" label. We would like to get developer feedback on the feasibility of this label being used more often, and the usefulness of this utility. 

Officially Supported Technologies - UpkeepAll

Previous Notes:

  • A workflow for these pages. When do they transition from one state to another. Do we even need statuses at all ?

Stripes architecture group has some questions about the Poppy release.

Zak: A handshake between developers, dev ops and the TC. Who makes that decision and how do we pass along that knowledge ? E.g. changes in Nodes and in the UI boxes. How to communicate this ? We have a large number of teams, all have to be aware of it.  TC should be alerted that changes are happening. We have a couple of dedicated channels for that. Most dev ops have subscribed to these channels. How can dev ops folk raise issues to the next level of community awareness ? There hasn't been a specific piece of TC to move that along.

Craig: There is a fourth group, "Capacity Planning" or "Release Planning". Slack is the de facto communication channel.  There are no objections to using Slack. An example is the Java 17 RFC. 

Craig: The TC gets it on the agenda and we will discuss it. The TC gets the final say.

Marc Johnson: We shouldn’t use the DevOps Channel. The dev ops folks have made it clear that it should only be used for support requests made to them.

Jakub: Our responsibility is to avoid piling up technical debt.

Marc: Some set of people have to actually make the call. Who lowers the chequered flag ?

Craig: It needs to ultimately come to the TC at least for awareness. There is a missing piece. Capacity Planning needs to provide input here. 

Marc: Stakeholders / Capacity Planning could make that decision. Who makes the decision ? Is it the government or is it some parts of the body ?

Marc: the developers community, the dev ops community and sys ops are involved. For example the Spring Framework discussion or the Java 17 discussion. But it was completely separate to the TC decision. It is a coordination and communication effort.

Marc: Maybe the TC needs to let go that they are the decision makers so that they be a moderating group.

Jakub: I agree with Marc. But we are not a system operating group. Dependency management should be in the responsibility of Release management. There are structures in the project for that.

Jason Root: I agree with Jakub and with Marc also. Policies should drive operational/release/support aspects of Folio.

Jason Root: If the idea of “support” is that frameworks are supported, then of course the project should meet that.

Marc Johnson
Some group needs to inform OleksAii when a relevant policy event occurs.
These documents effectively ARE the manifestation of the policy.

Craig: This is a topic for the next Monday session.

Craig to see if Oleksii Petrenko could join us to discuss the process for updating the officially supported technologies lists.


Dev Documentation VisibilityAll

Possible topic/activity for a Wednesday session:

Discuss/brainstorm:

  • Ideas for the type of developer-facing documentation we think would be most helpful for new developers
  • How we might bring existing documentation up to date and ensure it's consistent 
  • etc.
API linting within our backend modulesAll

https://folio-project.slack.com/archives/CAQ7L02PP/p1713343461518409


Hello team, I would like to discuss API linting within our backend modules. Some time ago, we transitioned our linting process from Jenkins to GitHub Actions as outlined in https://folio-org.atlassian.net/browse/FOLIO-3678. I am assuming that this move was done via some technical council decision. Please correct me if I'm wrong.
In my observations, I've found two problems:
  1. Schema linting does not occur if the schemas are in YAML format.
  2. There are issues with resolving some deeper references during API linting.
Although I'm unsure about how to improve the existing linting implementations within Folio, I propose to consider an open-source solution that handles OpenAPI linting effectively and allows us to define custom rules. For your reference: https://stoplight.io/open-source/spectral A test of this solution can be found in this PR: https://github.com/folio-org/mod-search/pull/567. The same PR also provides an example of custom rule definition: https://github.com/folio-org/mod-search/pull/567/files#diff-d5da7cb43c444434994b76f3b04aa6e702c09e938de09dbc09d72569d611d9ab.Also, by employing 'Spectral', I discovered AsyncAPI (https://www.asyncapi.com/en), an API design tool similar to OpenAPI but for asynchronous interactions. I suggest that we consider using AsyncAPI in FOLIO to generate documentation for Kafka interactions.


PR TemplatesAll

https://folio-project.slack.com/archives/CAQ7L02PP/p1713445649504769

Hello team, Small request to consider.
Regarding pr templates.
  1. From my perspective, pr template is not good idea. Even the biggest open source projects that are contributed by many people don't have any pr template. Currently what we have for acq modules https://github.com/folio-org/mod-orders-storage/blob/master/PULL_REQUEST_TEMPLATE.md
  2. These pr template is inconsistent in different teams.
What I suggest is that, pr template shouldn't be any instructions, because most developer who are creating pr have already understand the rules. If we put just two section into template, it will encourage developers to write more about their work and that lead to knowledge  sharing among developers.
Proposed Mod KafkaAll

https://folio-project.slack.com/archives/CAQ7L02PP/p1714471592534689

Mike Taylor

Proposal. If and only if a FOLIO instance is running Kafka, it should insert and enable a module called mod-kafka, which consists entirely of a module descriptor that says it provides the interface kafka. The purpose is so that other modules can use the standard <IfInterface> and similar tools to determine whether they should attempt Kafka operations. Rationale: the FOLIO ILS depends absolutely on Kafka, but other uses of the platform will not. One such example: a dev platform that includes only mod-users, used as a source of change events for Metadb.