Hi all,
This week, we're sending out a more detailed version of the TechCom meeting minutes. Let us know if you find this helpful.
Present: Dan Andreescu, Daniel Kinzler, Timo Tijhof, Alex Paskulin, Niklas Laxstrom
== RFC Frontend build step ==
https://phabricator.wikimedia.org/T199004
* Recently moved from open to stalled
* Discussion of the issues presented in the RFC from a process perspective:
  * DA: The question on the RFC was originally: How can we implement a build step? The discussion on the RFC has been centered around whether we should implement a build step. The authors are trying to address concerns to enable them to implement it, since it’s an industry-wide practice.
  * TT: We should focus on the underlying problems this is trying to solve. A build step is inevitable. Many problems discussed so far on the RFC don’t call for a build step. There are some architecture issues in the things proposed that can’t be reconciled. We can build towards a deliverable of compiling a Vue component.
  * DK: Process-wise, what is the problem with a team deciding that they want a server-side build step? What’s the impact? In theory, we want to maximize coherence and autonomy; there’s a polarity between the two.
  * DA: If they find a mainstream way, they’ll migrate to it. I don’t think it’s problematic. They’re saying that they’ll address all the concerns if they can.
  * TT: This impacts security for the developers running insecure code on developer host machines, security for production (can be contained/network isolated), and security for the end-user (this isn’t just helping create commits or run tests; it modifies and adds code we sent to a billion people’s devices). Reproducing the same locally, in CI and prod. Workflow problems like cherry-pick and revert in production branches.
  * DK: To what extent are we willing to run arbitrary code on our systems? Which communities do we trust? (Example: Debian maintainers are vetted, NPM packages are not.)
  * TT: NPM packages are known for depending on a lot of unreviewed/unknown code. See https://phabricator.wikimedia.org/T199004#6045136. But there are communities within the NPM ecosystem that follow different principles and use fewer dependencies.
  * DA: We could set a policy about reviewing and vendoring such services, run in a sandbox, pinned to specific versions. We could set a requirement that packages need to be vetted.
== Send regular overview about Wikimedia development policies ==
https://phabricator.wikimedia.org/T164538
* Moved from Inbox to In progress on TechCom board

== RFC: Amendment to the Stability interface policy ==
https://phabricator.wikimedia.org/T255803
* On last call ending July 8
* Discussion ongoing

== RFC: Hybrid extension management ==
https://phabricator.wikimedia.org/T250406
* In Phase 3: Explore
* Discussion ongoing

== Next week public IRC discussion ==
* No discussion scheduled for next week
See also the TechCom RFC board https://phabricator.wikimedia.org/tag/mediawiki-rfcs/.