Release Meeting: 26 Jun 2017

(09:00:37 AM) gac410: Hi all - Anyone here for a release meeting?
(09:05:32 AM) MichaelDaum: Hi George
(09:05:45 AM) gac410: Hi Michael
(09:07:26 AM) gac410: I'm considering stopping these regular meetings. The last two have had very limited attendance. There really is not much going on. Last meeting I didn't even capture the logs - vrurg stopped by, as did jomo, but no dev. discussion.
(09:07:57 AM) gac410: I'm puttering on my feature proposal, but really nothing to report. There have been no new urgent tasks, and no progress on features.
(09:08:18 AM) vrurg: Hi gac410
(09:08:28 AM) gac410: hi vrurg
(09:09:33 AM) MichaelDaum: well we should keep the meeting in place, imho, just to give us a date to stop by to sync
(09:09:44 AM) MichaelDaum: even when there is nothing specific to report
(09:09:46 AM) gac410: Anyway, we are starting to resemble the t* release meetings, 2 people run through an agenda, approve each other's proposals, and chat about not much.
(09:10:10 AM) MichaelDaum: I have no problem with that ... other than resembling the t* project
(09:10:40 AM) MichaelDaum: we have to face the situation that there are very few contributors atm
(09:11:23 AM) gac410: y, not sure how to deal with that. we've somewhat faded away a bit.
(09:12:16 AM) gac410: daemon was suggesting that we start to talk up the project on some of the perl lists. try to entice new blood.
(09:12:23 AM) vrurg: I tried to give a lighting talk at YAPC/TPC last Tuesday and invite people. But lack of experience & lack of time - failed to say one of two the most important things. :(
(09:12:52 AM) gac410: At the same time that also brings some turmoil, and we do try to stay somewhat stable for the install base.
(09:12:53 AM) vrurg: Don't think it would work out.
(09:13:44 AM) MichaelDaum: honestly, the perl community is tough to get by
(09:13:56 AM) MichaelDaum: at least that is what I sensed
(09:14:15 AM) gac410: We do seem to have new installs happening. I was recently contacted by two businesses asking for install assistance. One I turned down, wanted it integrated into an old windows small business server. Not my cup of tea.
(09:14:17 AM) vrurg: MichaelDaum: I wouldn't say so.
(09:14:40 AM) gac410: The other one was nearby, and wanted to convert from twiki. I reviewed their configuration, and they never got back to me.
(09:14:52 AM) MichaelDaum: gac410, yes, there is no lack for paid work
(09:15:56 AM) MichaelDaum: I recently worked for telecom ... hewlett packard ships documentation as foswiki content together with some of their products
(09:16:16 AM) gac410: wow. That's a surprise.
(09:16:29 AM) MichaelDaum: I'll be in Finnland next week working for a research company.
(09:17:18 AM) gac410: hp actually bundles foswiki on a product?
(09:17:55 AM) MichaelDaum: they ship docu as a web that telekom loads into their wiki as static content
(09:18:19 AM) gac410: cool.
(09:19:14 AM) MichaelDaum: Intel keeps on providing dynamic security scans via rocketboards.org ... paying to fix issues.
(09:19:40 AM) gac410: anyway, might as well touch on some dev stuff :D I've been working on the password manager changes. I think I'm doing it right - adding functions to all the modules
(09:20:05 AM) gac410: cool Are those filtering back into core? I've not seen much in the way of security fixes recently.
(09:20:27 AM) MichaelDaum: all I want to say: foswiki as a brand & product is still highly important and appreciated by lots of companies ... dont forget that!
(09:21:05 AM) gac410: good. Thanks. I needed a pep talk :D
(09:21:35 AM) gac410: We just need to figure out how to turn some of that back into activity.
(09:22:24 AM) MichaelDaum: yea. I am constantly shifting priorities with stuff being developed during projects piling up to be committed back. my problem ...
(09:22:32 AM) vrurg: But without new developer, without new entusiasts it may end up nowhere. Even with all the appreciation from the business.
(09:23:17 AM) vrurg: Advertising is necessary.
(09:23:24 AM) MichaelDaum: there are quite a few high value open source projects out there that face the same dilemma ... last but not least ntp.
(09:23:32 AM) gac410: y. With the current status of devs tbh, I've been considering dropping away. Hard to get motivated with same ol same ol every two weeks.
(09:24:04 AM) MichaelDaum: gac410, that would be terrible :(
(09:24:31 AM) gac410: [off] y. I was trying to help out ntp recently. They have a bunch of servers they want upgraded for foswiki and one converted from twiki, but they seem to have gone quiet.
(09:25:25 AM) gac410: well I'll hang in there for a while. But I'm very concerned that we have lost "critical mass" ...
(09:25:28 AM) MichaelDaum: [off] NTP is not well funded and Harlan can't promise much of payment.
(09:26:16 AM) gac410: [off] y. I've been paid some. and have done some gratis. The VHC work I did was for my own sanity trying to get ready to migrate some of his stuff.
(09:26:53 AM) MichaelDaum: well, I'll certainly be staying.
(09:27:03 AM) vrurg: Even with my weak ability to convince people I've got one guy pretty interested. Perhaps for no longer than a day, but that was just a minutes of personal conversation.
(09:27:54 AM) gac410: Without a "bench" of devs I can't see how we'll every bring vrurg's work forward. And yet it's really important for a next generation of foswiki.
(09:28:53 AM) gac410: Looking at migrating some of the twiki changes for that customer. There are some that would really need to be picked up by foswiki.
(09:29:23 AM) MichaelDaum: have you got a list of those features?
(09:30:19 AM) MichaelDaum: or could you describe at least one that would be worth it?
(09:30:37 AM) gac410: One is TOPICTITLE ... that's on our backlog. @twitter handle linking might be useful.
(09:31:03 AM) MichaelDaum: @mentioning
(09:31:29 AM) gac410: Looks like they might have "web-level" administrators now
(09:31:46 AM) MichaelDaum: what could that be good for?
(09:31:55 AM) gac410: web admins?
(09:32:06 AM) MichaelDaum: I've seen they have got a cache for web meta data
(09:32:26 AM) MichaelDaum: but I really can't see the point for it
(09:32:41 AM) MichaelDaum: nothing you could not implement using a wiki app
(09:33:18 AM) gac410: it's just stuff that needs to be dealt with if someone tries to migrate a 6.x twiki.
(09:34:01 AM) MichaelDaum: depends whether people are actually using this cruft
(09:34:23 AM) gac410: A lot of lipstick on a pig IMHO, our core changes for unicode and especially perl and cpan compatibility are much much more important.
(09:34:58 AM) MichaelDaum: and they dont have a fulltext search engine
(09:36:24 AM) gac410: the reason they contacted for migration support was they tried to upgrade their server and had major issues. (ie probably the perl deprecations and bundling of obsolete cpan)
(09:36:52 AM) MichaelDaum: y
(09:36:57 AM) gac410: I still find it hard to believe that t* is bundling back-level CGI with known CVEs rather than fixing the issues.
(09:37:12 AM) MichaelDaum: and I guess they are still running the probject on subversion
(09:37:16 AM) gac410: yes
(09:37:33 AM) MichaelDaum: yes, that one is particularly bad
(09:38:01 AM) gac410: I have a checkout here. I occasionally do an update. every month or two - mostly it's extension changes, and cosmetic tweaks. very little actual development.
(09:39:56 AM) gac410: just did an update. Last commit - june 1st. There were 12 in May. and some left-brace fixing in April.
(09:44:28 AM) gac410: Looking at their last release meeting. Just approved "excludetopic=" option to the "createweb" api.
(09:44:51 AM) gac410: Adding ability to turn off breadcrumbs in topmenu skin ... by web.
(09:45:16 AM) MichaelDaum: yawn
(09:45:23 AM) gac410: And struggling with CGI::Carp issues, and t.o is losing their hosting server
(09:49:59 AM) gac410: anyway. I'm continuing to putter along on my password expiration changes. I think I've extended the API in a way that will coexist with alternative password managers / mappers.
(09:50:49 AM) MichaelDaum: thats good to know. will try it out sooner than later.
(09:51:41 AM) gac410: If mapper or password manager don't implement the API, the base methods return false for ifPasswordDisabled and changeRequired. but throw errors if core tries to disable a password or expire an account.
(09:54:31 AM) gac410: The t* code does a redirect in Foswiki::UI::checkAccess() if a password change is required. I think that's probably the right place to do it.
(09:54:42 AM) gac410: I have not implemented that yet.
(09:55:28 AM) gac410: I was also considering reworking PasswordReset. we have several open tasks on that. Too easy to annoy someone by requesting password reset's on their behalf.
(09:56:16 AM) gac410: we should probably generate a reset confirmation rather than just doing it and mailing out a new password.
(09:58:02 AM) gac410: I've been wondering about generating a "ticket" that would allow access to ChangePassword rather than mailing out a new random pass that they then have to change.
(09:58:50 AM) gac410: still not sure how to do that though and especially not introduce any security holes.
(09:59:10 AM) MichaelDaum: what exactly is the problem with the current impl?
(10:00:10 AM) gac410: 1) I can just reset your password. and they you have to deal with it.
(10:00:10 AM) gac410: 2) It's emailed out in plain text,
(10:00:45 AM) gac410: https://foswiki.org/Tasks/FoswikiUIPasswords
(10:00:51 AM) MichaelDaum: the new password will be sent to me
(10:01:06 AM) gac410: Yes, but you then have to make a note, or change it back.
(10:01:18 AM) gac410: It's not a security hole. But it's annoying.
(10:02:27 AM) MichaelDaum: ah okay. so the problem is the old one gets nuked.
(10:03:01 AM) gac410: yes. And if I wanted to be an a**hole I could set up a cron job to reset your password at some interval.
(10:03:16 AM) MichaelDaum: hens the ticket idea.
(10:03:31 AM) gac410: yes
(10:03:39 AM) MichaelDaum: I like that
(10:03:49 AM) MichaelDaum: needs an expiry time n stuff
(10:04:18 AM) gac410: yes Probably very similar to registration / approval. I can borrow a lot of that code I expect.
(10:06:54 AM) MichaelDaum: cool
(10:06:55 AM) gac410: If the "ticket" could allow access to specific topics, it might also be useful for invitation only registration, etc. But need to ponder that a bit more.
(10:07:10 AM) MichaelDaum: we need to add it to the tick-foswiki expiry route as well
(10:07:20 AM) gac410: yes
(10:07:49 AM) MichaelDaum: I wished we had a way to registerCronJob() for plugins to be called by tick-foswiki
(10:08:36 AM) gac410: y that would be nice. I think there are some old proposals around that area - an extension task scheduler.
(10:09:00 AM) gac410: I think that is what TimotheLitt was working on before he left.
(10:09:40 AM) MichaelDaum: we should keep that in the back of our mind. I keep amassing rest calls in a tools/foswiki_cronjobs.sh which is called during midnite
(10:09:42 AM) gac410: But it was a boil the ocean approach iirc. He wanted the old configure to permit unlimited nesting of menus. and the old config couldn't hanle it.
(10:10:06 AM) MichaelDaum: kiss
(10:11:38 AM) gac410: y. As I was thinking about the password expiration process. I was wondering if that might be an area for a callback / hander dispatch. during checkAccess() processing.
(10:14:24 AM) gac410: UI::checkAccess() if passwordExpired -> redirect to (configured) ChangePassword if ( registeredHandlers ) call a accessCheckHandler() returns true or can redirect. But don't want to get too complicated.
(10:15:54 AM) gac410: the "accountExpired" could fall into that. thinking of dues-paying membership organization. Didnt' pay your dues by (date). your next login redirects to membership renewal.
(10:19:59 AM) gac410: anyway, it was not part of my proposal, so I'll probably just comment a smell - might be a good place for a callback.
(10:21:31 AM) MichaelDaum: one step at a time
(10:21:38 AM) gac410: y
(10:22:52 AM) MichaelDaum: any work that has got clear boundaries, that is makes sense in its own, should be kept as non-invasive as possible.
(10:24:54 AM) gac410: y. accountExpires (which harlan wanted) is really hard to keep separate. You either need a shadow file of accounts & expirations, or have to add it to the .htpasswd file. Much cleaner to integrate it vs maintain a separate account table.
(10:25:35 AM) gac410: But it is a pretty specialized need - so a strong argument could be made to make it an extension.
(10:25:44 AM) vrurg: Ok, I need to go. If there anything for me then I'm gonna be back in a couple of hours.
(10:25:59 AM) gac410: however nobody object to my proposal so ...
(10:26:11 AM) MichaelDaum: long-term user code should write to a DBD
(10:26:17 AM) gac410: vrurg, okay thanks. I think we are ready to wrap up.
(10:26:23 AM) MichaelDaum: bye FoswikiOnSlack
(10:26:26 AM) MichaelDaum: ^vurg
(10:27:13 AM) gac410: MichaelDaum: y indeed. our topic mapper etc is badly in need of a redesign.
(10:27:21 AM) MichaelDaum: at some point we need to rewrite all of the user code and make use of DBD ... snap
(10:27:57 AM) gac410: Needs a user object too, rather than the mapper / manager approach.
(10:28:36 AM) MichaelDaum: btw Modell Aachen have abandoned LdapContrib and are using an internal-only user mapping implementation ... I guess based on UnifiedUserMappingContrib that jast once started
(10:28:46 AM) gac410: $user->wikiname() ->loginname ->emails ->isEnabled
(10:31:36 AM) gac410: Looks like their code is maintained on github https://github.com/modell-aachen/UnifiedAuthContrib/tree/sprint/riga
(10:34:03 AM) MichaelDaum: ah they'
(10:34:07 AM) MichaelDaum: ve checked in their code
(10:34:55 AM) MichaelDaum: now I see why I missed it: the bulk of their impl is hidden on a separate branch, not merged back to master
(10:35:04 AM) gac410: Yes they do keep the code updated, but not in the default branch. If you quickly check github, there seems to be no activity on their ... snap
(10:36:07 AM) gac410: At one point I tried to gather all the user mapper NG requirements into a brainstorm topic to help jast structure his code. But I don't think it went anywhere.
(10:36:18 AM) gac410: and of course now I cannot find it.
(10:37:00 AM) gac410: but really our current CUID / WikiName / LoginName triumvirate is very badly broken
(10:41:02 AM) gac410: https://foswiki.org/Development/UserAuthMapping2dot0
(10:45:00 AM) gac410: anyway Thanks everyone. it's approaching an hour 45 let's wrap up. I'll get minutes posted later today.
(10:45:27 AM) gac410: Next meeting - Monday July 10th
(10:48:38 AM) MichaelDaum: thanks gac410 for keeping up the release meetings !