Hi all,
This week, we're sending out a more detailed version of the TechCom
meeting minutes. Let us know if you find this helpful.
Present: Dan Andreescu, Daniel Kinzler, Timo Tijhof, Alex Paskulin,
Niklas Laxstrom
== RFC: Frontend build step ==
<https://phabricator.wikimedia.org/T199004>
* Recently moved from open to stalled
* Discussion of the issues presented in the RFC from a process perspective:
* DA: The question on the RFC was originally: How can we implement a build
step? The discussion on the RFC has been centered around whether we should
implement a build step. The authors are trying to address concerns to enable
them to implement it since it’s an industry-wide practice.
* TT: We should focus on the underlying problems this is trying to solve.
A build step is inevitable. Many problems discussed so far on the RFC don’t
call for a build step. There are some architecture issues in the things
proposed that can’t be reconciled. We can build towards a deliverable of
compiling a Vue component.
* DK: Process-wise, what is the problem with a team deciding that they want
a server side build step? What’s the impact? In theory, we want to maximize
coherence and autonomy; there’s a polarity between the two.
* DA: If they find a mainstream way, they’ll migrate to it. I don’t think
it’s problematic. They’re saying that they’ll address all the concerns if
they can.
* TT: This impacts security for the developers running insecure code on
developer host machines, security for production (can be contained/network
isolated), and security for the end-user (this isn’t just helping create
commits or run tests, it modifies and adds code we sent to a billion
people’s devices). Reproducing the same locally, in CI and prod. Workflow
problems like cherry-pick and revert in production branches.
* DK: To what extent are we willing to run arbitrary code on our systems?
Which communities do we trust? (Example: Debian maintainers are vetted, NPM
packages are not)
* TT: NPM packages are known for depending on a lot of unreviewed/unknown
code. See <https://phabricator.wikimedia.org/T199004#6045136>. But, there
are communities within the NPM ecosystem that follow different principles,
and use fewer dependencies.
* DA: We could set a policy about reviewing and vendoring such services,
run in a sandbox, pinned to specific versions. We could set a requirement
that packages need to be vetted.
== Send regular overview about Wikimedia development policies ==
<https://phabricator.wikimedia.org/T164538>
* Moved from Inbox to In progress on TechCom board
== RFC: Amendment to the Stability interface policy ==
<https://phabricator.wikimedia.org/T255803>
* On last call ending July 8
* Discussion ongoing
== RFC: Hybrid extension management ==
<https://phabricator.wikimedia.org/T250406>
* In Phase 3: Explore
* Discussion ongoing
== Next week’s public IRC discussion ==
No discussion scheduled for next week
See also the TechCom RFC board
<https://phabricator.wikimedia.org/tag/mediawiki-rfcs/>.
--
Alex Paskulin
Technical Writer
Wikimedia Foundation