...
Dependency Drift Fitness Function (Adopt) - We’re really close to this with all the package upgrade management we have in place. +2
Tailored service templates (Adopt)
Security Policy as Code (Adopt): We have it for edx-platform for XSS, but not for much else (we’ve looked at using it w/ tfsec) +1
Data mesh (Trial)
Diagrams as Code (Trial) - would be nice to see more of this in our docs, potentially easier to keep up to date +3
edX has been in the experimental phase
We’ve used SequenceDiagrams website and PlantUML
Benefits
Version control
Would it encourage people to create and update diagrams?
How might we incorporate into our process?
Drawbacks
Not as much control on customizing the diagram.
Next steps
Could we do a Trial on this?
Maybe with the diagrams on the Arch Onboarding course
Zero Trust Architecture (Trial) +
Parallel run with reconciliation (Trial) - we’ve talked about this before, but a Python tool for it seems to have matured since then: https://github.com/joealcorn/laboratory (inspired by GitHub Scientist, which is for Ruby) +3
Distroless Docker Images (Trial): We have a lot of stuff in our docker containers, even more than just the distro. Maybe multistage builds would let us compress our existing (or our newly built) containers to have smaller layer footprints?
Kube-managed cloud services (Assess) - I think prefect is one of these
Log Aggregation for business analytics (Hold): Are we still building any business analytics off the raw event logs? Can/should we prioritize moving those into dedicated events and/or using DBT to extract consistent data from the tracking logs? +
Microfrontend Anarchy (Hold) - where is edX with this? Seems relevant to us. +1
Platforms
JupyterLab (Trial) - heard good things about this but fuzzy on how it differs from Jupyter Notebooks +
Backstage (Assess) - seems potentially useful, this also came up when we were looking at how other places do “devstack” +2
Is edX using something like this today?
No - we currently have multiple sites (NR, confluence, etc)
Benefits
Developer onboarding to understanding how we do services
Central place to manage ownership of services
This would address a weak spot of edX
Drawbacks
May be hidden from the Open edX community
Next steps
Pulumi (Assess) - they seemed to like this as a Terraform alternative that addresses some of its drawbacks, is it something worth considering at this point?
Tekton (Assess) - Kubernetes-based CI/CD platform, is this useful to us? Travis and Jenkins aren’t a great fit in this space. (Argo is a pretty good fit though) +1
Node overload (Hold) - Node has come up several times recently, and it’s worth noting that it shouldn’t be blindly adopted for the wrong reasons. +1
Tools
Airflow (Adopt) - Though we are using Prefect and Argo currently
Dependabot (Adopt) - Though we don’t use dependabot, should we be considering different dependency management (I techniques to better use off-the-shelf tools here? (I thought we did use dependabot…?) +
There’s a brief note on Dependabot in https://openedx.atlassian.net/wiki/spaces/AT/pages/1529741317/Handling+Automated+Pull+Requests#Dependabot-PRs . Last we looked, it didn’t do JS upgrade PRs as well as Renovate and was missing some key features for Python upgrade PRs that led us to write our own tooling for that instead.
Helm (Adopt) - Specifically Helm 3 +Kustomize
Trivy (Adopt) - this came up recently, seemed pretty easy to turn on (it’s on now) +
Kustomize (Trial)
Concourse (Trial) - this came up previously as a compelling alternative to Travis and Jenkins for CI/CD, they rate it even stronger now +2
edX uses Travis and Jenkins today
Next Steps
Hold off on doing anything on this for edX
Yet another tool for SRE to support to manage - WIP with k8s rollout right now that we probably don’t want to also take on CI/CD changes
The CI/CD industry is also in flux right now - may be better to wait
ShellCheck (Trial) - for shell script linting, this routinely trips us up for new scripts +1
LGTM - looks for coding patterns prone to security problems
Yarn
Sentry Yarn (Trial)
Sentry (Trial) - We don’t use this yet (some engineers have used it at previous organizations) +
LGTM (Assess) - looks for coding patterns prone to security problems
Languages & Frameworks
+1 single-spa (Trial) - +1
Rust (Trial) - we don’t use this yet, but it keeps moving up the scale (now at Trial) and has some nice properties +1
+1 Redux (Trial) - Our findings seem to mirror Thoughtworks’. +1
Recoil (Assess) - We don’t use this yet, but may want to access it too.
LitElement (Assess) & web components in general
Testing Library (Assess)