-
Notifications
You must be signed in to change notification settings - Fork 43
CDM 2020 11
{Thurs 5th Nov 5pm} (US) / {Fri 6th Oct Nov} (AU)
- Chair: Nick Charles
- Scribe: Samantha Fisher
List of attendees: Samantha Fisher,Nick Charles,Penghai Zhang,Chris Beach,Ian Stevenson,Cath Fitzgerald,Christian Murphy,Mathew Miles
- Review Action Items
- Specific Topics (Please add to below list, or email the equella dev list to have an item added)
- Discuss code enhancements since last CDM
- Review tech choices, code structures, direction
- Any tech debt concerns
- Open PRs to discuss
- Q&A
- Assign next Chair and Scribe
- Code freeze / release schedule for 2020.2.0 (CB)
- Auto-creation DDL migration concerns (CB)
- Please add more
- Request Apereo give an answeer to Moodle copywright questions
No movement at the moment from Ian at Apereo.
- IS: Decouple the frontend and the Rest API from the backend into NPM modules
Continues as part of 2020.2
- Research governance and committership tools similar to unifiedjs for OEQ
The advisory board felt it was too subjective - how do we as a community a committer, and if something goes awry, how to we remove them again? The advisory board is meeting this month, and this will be brought up again.
- IS Add Autotest License headers
No movement this month.
- Setup Issue to flag move to upgrade to java LTS
No movement this month.
- Code freeze / release schedule for 2020.2.0 (CB)
CB was able to attend Edalexpo, wonders if release date leaves enough time for testing. CF will supply a tentative code freeze date by Monday. The hotfixes have blindsided Edalex somewhat; since they came at a critical time for 2020.2. Selection sessions are still underway. Blackboard integration has been approved on the unicon side. Mat Miles' student is currently working on adding functionality to openEQUELLA to set a URL name on creation.
- Auto-creation DDL migration concerns (CB)
As Unicon upgraded Hibernate, so many files changed because there was package changes, but the Spring update was fairly straightforward - it was the Hibernate update that was the complicated aspect of the updates. In the future, openEQUELLA should perhaps do a better DDL migration - rather than using the custom migration helper, use something existing and maintained, such as liquibase. The problem is all the migration code is tightly coupled to a specific version of Hibernate - high risk involved with refactoring these migrations to work with later versions of Hibernate. Potentially at the point we switch migration techniques we would require admins to upgrade to the second last version of equella - to get all the previous migrations - and then upgrade to the later version.
- Security issues (IS)
Two security issues were found recently - one was general access to the filesystem based on the Tomcat basedir. A fix has been released all the way back to 6.6. Has a security advisory. The other one was being able to browse users through the select user dialog unauthenticated. To address that, we lock it down to an Acl relevant to the context of the browser. However - since the user dialog is used throughout openEQUELLA, we added a catch-all default of a new ACL - LIST_USERS. This Acl has no migration as we can't predict for a given organisation how we want to lock those down, so admins will need to set this Acl to relevant users/groups/roles. The GitHub Security functionality allowed us to privately fork equella and make the fixes, set up pull requests, and when you publish the advisory all the PRs are merged at once. A problem occured with the publish button hanging indefinitely with an angry unicorn page. IS asked GitHub support but they didn't move on it in time, and so we had to merge manually, remove the Pull Requests (wiping commit history unfortunately) and publish the advisory without the PR. The CI integrations are all turned off on the private repo - since that would externalise the sensitive security fix code. So we had to build and test manually. This highlighted a longer-running concern around setting up a vagrant environment to run the CI locally in a VM - as not having CI caused issues and reduced code confidence.
- Large new search UI component branch was merged since last PR Reducing amount of Purescript in the code, which eased work Christian was doing. Most of the changes Christian made related to that went into treeshaking which reduced the JS bundle size.
No new ones this CDM.
-
In Penghai's work on selection sessons for the new UI, a little bit of tidy up was done to reduce tech debt for JS bundle setup - two entrybuild and entrydev folders were now merged so we have an entry point folder now.
-
Potentially space for improvement regarding pulp - potentially made more sense during heavier reliance on Purescript, so this looks like something that will be cleared up as we tackle further areas on Purescript.
npm run cleanhas also been improved as part of this - entrybuild was never cleaned which could cause map files to become out of sync
- lodash dependency update
Causes tough-cookie to be missing, not sure why that is but it needs some manual investigation.
- Add a script to initialise Postgres using in Docker database
Hopefully addresses problems with spinning up equella in the docker. CM will look into it.
- Spring 5 / Hib 5 Initial Efforts
There's some deprecation warnings that come into the logs (regarding the tech debt for the DDL migration) which don't seem to be a big problem (yet). Added two filters that remove two certain hibernate logs for the deprecation warnings. Also added hibernate.id.new_generator_mappings=boolean. Without this the logs will be filled up with the deprecation warnings. Charlie points out it is possible to write a migration to add things to properties files, and this is going to be required if extra configuration is required. The branch will be retargeted to develop.
- A few PRs related to updating dependencies are ready for testing
Just need to be pulled down and ensured to be still working.
No questions this CDM. Next chair: Nick Charles Next scribe: Samantha Fisher