The 14th Open edX community release will be named Nutmeg. It will be released June 9th, 2022. The open-release/nutmeg.master branches will be created two months earlier, on April 11th. Code on master as of April 11th will be part of Nutmeg. Code merged after that will need special handling to be part of Nutmeg.

Put stuff here that we have to remember when we start packaging up Nutmeg.  Especially important is information that system installers or operators will need to know. Please include your name when you add an item, so that we can get back to you with questions.

Operational

• Devstack updated to resolve issues like “Error: Cannot find module 'mozjpeg'” in MFE’s.

  • Run git pull on your devstack folder.

  • Restart your MFE containers: make dev.restart-container.frontend-app-gradebook+frontend-app-payment+frontend-app-publisher+frontend-app-learning

  • PR: https://github.com/edx/devstack/pull/865

  • POC: @Phillip Shiu (Deactivated)

Feature Changes

• The Dates Tab has been added as a default static tab on all courses, meaning it is stored as part of the course object in Mongo. Previously it was inserted as a dynamic tab at runtime. All new courses will automatically include the Dates Tab. In order to properly have the Dates Tab show up for all your existing courses, a backfill course tabs management command has been created. Run this command on your instance to properly update your default tabs on all of your existing courses. @Dillon Dumesnil (Deactivated)

  • To run the command, run ./manage.py cms backfill_course_tabs or python manage.py cms backfill_course_tabs from your shell.

• An internal performance improvement called “learning sequences” has been opt-in for a few releases, but is now always-on for Nutmeg. If you have any courses that have not been re-published on Koa or later, run the simulate_publish cms django command on your courses before upgrading, to populate the learning sequence data. @Michael Terry (Deactivated)

Added Features:

• Creation of User Tours (https://openedx.atlassian.net/browse/AA-1024 - edx-platform #29301) - User Tours allow the platform to create Tours in our Microfrontends (MFE) to walk users through the platform (see examples in frontend-app-learning #750). In order for User Tours to properly work, the backpopulate user tours management command should be run. The default tours that exist are: New User Tour and Existing User Tour in the Course Home of the Learning MFE and a New User Tour in the Courseware of the Learning MFE.

• The old course goals feature has been replaced with a new weekly learning goals feature. Users set a goal for how frequently they want to learn per course and get reminder emails about their goals. See 4.28. Enabling the Weekly Learning Goals Feature — Installing, Configuring, and Running the Open edX Platform documentation for instructions on how to configure this feature and more details on how the feature works. The new weekly learning goals feature is controlled with the same flag as the previous course goals feature.

• Instructor Dashboard

  • Bulk Course Email Tool

    • Added the ability to filter recipients of bulk course emails based on the last_login date of Users enrolled in a course run. This feature can be enabled by setting a value for the BULK_COURSE_EMAIL_LAST_LOGIN_ELIGIBILITY_PERIOD setting. Its value should be an integer (representing months) that represents the eligibility period from the current date to receive a message. The new setting defaults to None which keeps this new feature disabled (and there will be no change in behavior in how recipients are filtered/selected for a message).

    • Added a simple bulk_email_disabledcourse table that allows for the bulk email tool to be disabled for specific course runs, even if the bulk email flag is on and the course is enabled in the bulk_email_courseauthorization table. A course team will not be able to see the bulk email tab on the instructor dashboard for whatever course runs are in this table.

    • the setting EMAIL_USE_DEFAULT_FROM_FOR_BULK was changed to EMAIL_USE_COURSE_ID_FROM_FOR_BULK. The behavior was also changed, such that those who wish to use their course id in the from address for bulk email must now enable the flag to true.These changes were made in order to avoid non existent from address to fail in email servers. (I @Connor Haugh (Deactivated) )

    • Bug fix: when using GMSTP (Gmail) for sending bulk email. tasks.py didn’t catch retriable SMTP exception. This PR fixed it fix: make bulk_email send email task handles a retryable exception by ghassanmas · Pull Request #29080 · openedx/edx-platform. Also for context check the reporting of the bug Bulk emails sending too fast causing gmail to block account. Is there a way to rate limit? (@Ghassan Maslamani )

• SafeSessionMiddleware rejects mismatching requests and sessions @Tim McCormack

  • Background: This is an existing middleware that provides several protections against vulnerabilities that could result from cache misconfigurations or other bugs resulting in one user getting a different user's session.

  • Changed: Previously if a user mismatch was detected between request or session and response, the middleware would log warnings; now, it will invalidate the session and send an error response. The toggle ENFORCE_SAFE_SESSIONS is enabled by default, but can be disabled to return to just log warnings.

  • Before upgrade: Check that your logs do not contain warnings starting with "SafeCookieData user at request", or that these warnings are very rare. If they are common, there is likely a false positive caused by some custom login, masquerading, or registration code that needs to call mark_user_change_as_expected. Otherwise, valid requests may be rejected.

• Core extensibility (@Maria Grimaldi): add a new way of extending the core through Open edX Events & Filters (part of OEP-50: Hooks Extension Framework)

  • Open edX Events: this standardized version of Django Signals allows extension developers to extend functionality just by listening to the event that’s sent after a key process finishes, e.g after enrollment, login, register, etc.

  • Open edX Filters: through configuration only, extension developers can set a list of functions to be executed before a key process starts, e.g before enrollment, login, register, etc.

CLOSEST_CLIENT_IP_FROM_HEADERS

• New config value that all deployments should set: CLOSEST_CLIENT_IP_FROM_HEADERS in edx-platform @Tim McCormack

  • This is a security-impacting setting that tells your deployment how to determine the IP address of the client. See openedx.core.djangoapps.util.ip for documentation on how (and why) to configure this (as well as the related NUM_PROXIES setting for django-rest-framework).

  • Breaking change: Failing to set this can result in rate-limiting legitimate traffic or failing to block brute-force attacks, depending on your proxy setup.

Deprecations and Removals

Based on estimated dates 2021-10-15 to 2022-04-11.

• The edx-certificates repo was archived: GitHub - openedx-unsupported/edx-certificates: The code edX uses to generate certificates This was actually a DEPR originally meant for the Maple release: https://openedx.atlassian.net/browse/DEPR-160

• Bok-Choy was deprecated: [DEPR] bok-choy: remove supporting tooling & archive repo · Issue #13 · openedx/public-engineering . All bok-choy tests have been removed from edx-platform. By Olive, it is likely that bok-choy references will be removed from all repositories and that the bok-choy framework itself will be archived. Developers who wish to write acceptance tests for Open edX are encouraged to use a third-party framework such as Cypress. (@Kyle McCormick and @Jeremy Bowman (Deactivated) )

• The django-ratelimit-backend has been removed from edx-platform. Now django-ratelimit library will be use for rate limiting. https://openedx.atlassian.net/browse/DEPR-150. Default Django admin login window is disabled and now one has to login from LMS.

• “Old Mongo” course access has finally been fully removed. This means course runs that have keys like Org/Course/Run rather than course-v1:Org+Course+run cannot be accessed by learners. New runs of this type haven’t been able to be created since 2015, but now learner access has also been removed. See [DEPR]: DraftModuleStore (Old Mongo Modulestore) · Issue #62 · openedx/public-engineering for more information on the continuing removal of Old Mongo technology.

Deprecations

Removals