2024-10-24 Meeting notes


All public Working Group meetings follow the Recording Policy for Open edX Meetings

 Date

Oct 24, 2024

 Participants

  • @Feanil Patel

Previous TODOs

 Discussion topics

Item

Presenter

Notes

Github Action Auto Update Using Dependabot OSPRs

Michelle

  • Who can take the unmaintained repos?

    • Ask CCs to review and approve even if they can’t merge and then @Feanil Patel can go click merge for now until we have real maintainers for things.

Maintainer at-large

Feanil

  • This is all set and solves the problem that was brought to us. We’ll check back in after we’ve got some folks in this role for a bit.

Ubuntu Upgrade

 

 

Node 20

 

Also completed and is currently on nightly and ready to be a part of the Sumac release.

Other Upgrade

 

  • Enzyme done everywhere except for edx-platform

  • Jest done on all repos except for the ecom ones which are going to be archived shortly.

Ubuntu-latest vs ubuntu-<version>

 

RCA info from Diana about the ubuntu-latest vs ubuntu-<version> upgrade

  • Our mongo setup was OS specific (hardcoded apt repository)

  • xmlsec and python-xmlsec version mismatch

  • https://github.com/openedx/edx-platform/pull/35713

  • Proposal: When we need to run on multiple OS versions, we should run the minimal set on the older version once we have gotten everything working on the newer OS version.

  • We should also have a failing test in edx-platform for codejail given how critical it is.

  • Smoke test that should be done

    • Test apparmor by trying to access disk resources you can and cannot access.

    • Test sudo/rlimit for the child process by trying to fork or use other rlimit resources (memory)

    • Test network access with and without DNS resolution

  • Should we deprecate running codejail in the edx-platform system?
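
The smoke tests listed above, sketched as an added example (not code from codejail or edx-platform). `local_runner` is a stand-in that applies only rlimits to a child Python process; a real check would pass in a runner that executes the snippet through the deployed sandbox, and the paths, IP and host name are placeholders.

```python
import functools
import resource
import subprocess
import sys
import tempfile

MIB = 1024 * 1024


def _lower_limits(limits):
    """Build a preexec hook that lowers soft rlimits in the child only."""
    def hook():
        for res, value in limits.items():
            _, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                value = min(value, hard)  # never ask for more than the hard cap
            resource.setrlimit(res, (value, hard))
    return hook


def local_runner(code, limits=None):
    """Stand-in sandbox: run `code` in a child Python under the given rlimits.

    Returns True if the code completed, False if it raised, was killed or hung.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", code],
            preexec_fn=_lower_limits(limits or {}),
            capture_output=True,
            timeout=15,
        )
    except subprocess.TimeoutExpired:
        return False
    return proc.returncode == 0


def build_probes(allowed_path, forbidden_path, net_ip, net_host):
    """One (name, code, expected_allowed) entry per smoke test in the notes."""
    return [
        ("disk: read a permitted file",
         f"open({allowed_path!r}).read()", True),
        ("disk: read a forbidden file",
         f"open({forbidden_path!r}).read()", False),
        ("rlimit: fork a child",
         "import os\npid = os.fork()\n"
         "if pid == 0:\n    os._exit(0)\nos.waitpid(pid, 0)", False),
        ("rlimit: allocate 1 GiB",
         "bytearray(1024 ** 3)", False),
        ("network: connect by IP, no DNS",
         f"import socket\n"
         f"socket.create_connection(({net_ip!r}, 443), timeout=3)", False),
        ("network: resolve a host name",
         f"import socket\nsocket.getaddrinfo({net_host!r}, 443)", False),
    ]


def smoke_test(runner, probe_list):
    """Run every probe and return the names whose outcome was not expected."""
    return [name for name, code, expected in probe_list
            if runner(code) != expected]


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".txt") as allowed:
        allowed.write("constructed sample data\n")
        allowed.flush()
        # Only rlimits are applied here. Without AppArmor and the sandbox
        # user, the disk and network confinement is not exercised, and
        # RLIMIT_NPROC is not enforced when running as root.
        runner = functools.partial(local_runner, limits={
            resource.RLIMIT_AS: 512 * MIB,
            resource.RLIMIT_NPROC: 0,
        })
        # Placeholders: use a file that exists outside the sandbox profile
        # and an address and name reachable from the unsandboxed host,
        # otherwise those probes are "blocked" for the wrong reason.
        checks = build_probes(allowed.name, "/PLACEHOLDER/forbidden-file",
                              "192.0.2.1", "placeholder.invalid")
        failed = smoke_test(runner, checks)
        for name in failed:
            print("UNEXPECTED:", name)
        sys.exit(1 if failed else 0)
```
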

#cc- channels

@Kyle McCormick

https://docs.google.com/spreadsheets/d/1ryqbaxMp4x-8Apwss2Br2IOU2UA7zXEI-VDo8dJPb9U/edit?gid=0#gid=0

  • #cc-edx-platform

  • #cc-frontend-apps

  • #cc-openedx-utils

  • #cc-xblocks

  • #cc-core-applications

Can we consolidate / have fewer?

  • Robert watches cc-edx-platform

  • Jeremy appreciates 30-min heads up from edx-platform and frontend-apps, but gets notifications on most repo merges separately

    • OK with nixing the bottom 3 channels

 Action items

@Feanil Patel follow up with Ed/Felipe about the codejail service and whether we should make it part of Open edX
@Kyle McCormick Consolidate down to 2 channels: #cc-edx-platform and #cc-frontend-apps

Recording and Transcript

Recording Link: https://drive.google.com/file/d/1W0NEqg9tm48AIvip2TaMXFZ7wEHyPunX/view?usp=sharing

Maintenance Working Group Meeting – 2024/10/24 09:00 EDT – Transcript

Attendees

Adolfo Brandes, Awais Qureshi, Feanil Patel, Feanil Patel's Presentation, Jeremy Ristau, Kyle McCormick, Michelle Philbrick, Robert Raposa

Transcript

Feanil Patel: Yeah. How you doing?

Awais Qureshi: If an interview.

Awais Qureshi: I'm good. You are busy. Last couple of weeks.

Feanil Patel: Yeah. We're having issues with the code jail stuff.

Awais Qureshi: Release. okay.

Feanil Patel: With the release. So as a Very tiny corner of our software but very critical. So I'm spending a lot of time trying to debug how we can upgrade it for the Ubuntu upgrade. But I should be back to reviews now. Much more quickly.

Awais Qureshi: Great great.

Robert Raposa: Was that serving issues for the upgrade that we actually got out the door or for looking into the next one?

Feanil Patel: So we were able to land the 22.04 part of at least.

Robert Raposa: Okay.

Feanil Patel: But we're still seeing failures on 24.04 for codejail. So there's further. Investigation that needs to happen there.

Feanil Patel: Peace Meeting notes page is coming up now.

Feanil Patel: You should see that. Okay, make a little bigger.

Feanil Patel: Cool.

Feanil Patel: So Kyle, you had this issue for tutor related images. I think that's mostly good now, but confirm.

Feanil Patel: You're talking. I can't hear you.

Robert Raposa: Maybe, okay.

Feanil Patel: can you hear me yet?

Robert Raposa: Are you?

Robert Raposa: I think you need to put.

Feanil Patel: Kyle and Jeremy. Yeah.

Kyle McCormick: Yes, I can hear you.

Feanil Patel: Okay there we go. I would say, Do you have? I think this insurer service images using 22 is good. Now I posted on the forums once the Ubuntu upgrade ticket closed and that would Also confirmed that they acknowledge that in the PRS are in place.

Kyle McCormick: Yep. it been on it and…

Feanil Patel: but, I'm gonna.

Kyle McCormick: we have I think one or two peers remaining to review.

Feanil Patel: That, okay, so Mark, that is done. Haven't been able to do the update from the Elasticsearch or the cron ticket, but I'm hoping that now that the code jail stuff is sufficiently at the door. That EDX platform can be upgraded to the 22.04. I'm going to start picking some of this back up. and then, Jeremy any updates on planning the front end, stepper work.

Jeremy Ristau: no, not

Feanil Patel: For the studio presentation.

Feanil Patel: All right, and then michelle, you've got a thing and then

Feanil Patel: we do. Santa posted about this latest versus Ubuntu. At a specific version and I have some more information on that. So let's talk about that.

00:05:00

Feanil Patel: That's going on.

Feanil Patel: Various as absolute. We'll talk about that in front part. Okay, let's talk about maintenance.

Feanil Patel: All right, Michelle do you want to start with your github actions? The issue.

Michelle Philbrick: Yeah, this should be quick. There's a bunch of these tickets hanging out on the contributions board.

Michelle Philbrick: A chunk of them are for unmaintained repo. So I was just wondering if there's somebody that I can have. I don't know if they're easy enough to review and merge for someone to take the unmaintained ones. So I figured I'd check here first

Feanil Patel: Yeah. I think you can try to drop them into the core contributor channel as these are all the things that anybody can review because we don't have a clear maintenance for them.

Michelle Philbrick: Okay.

Feanil Patel: And that's probably a good first step and hopefully other CC's can chime in but I can try to pick up some of them. Based on capacity…

Michelle Philbrick: Okay, I'll

Feanil Patel: but yeah, they shouldn't be too complicated. So I think it's a matter of if CC's can approve them, even if they can't merge them, and we have a list of things that are approved that need to be merged. I'm happy to go push that button to sort of Accelerate this while we're trying to get maintenance for all of those repos set up.

Michelle Philbrick: Okay Sounds good. Thank you.

Feanil Patel: So I think that part makes sure it's really clear. we don't expect you to be able to merge everything, but if you can review and verify that it's good to go and put an approval on it, that'll speed up the process of that final review and I can do the final review and merging part.

Michelle Philbrick: Okay, awesome. Thank you.

Feanil Patel: Yeah.

Feanil Patel: But And then the maintainer at large position now exists and people can be nominated for it. so I wanted to sort of circle back with you Jeremy about. I believe that's sufficient and it probably just needs to be integrated into the CC rollout plan stuff. We've been talking about to you.

Feanil Patel: But if there's any other Things to discuss or change or talk about there. I want to make sure we had some space for that.

Jeremy Ristau: I mean, from my perspective, it's a solution to the problem that I brought to you.

Feanil Patel: Yeah.

Jeremy Ristau: So I really appreciate that.

Jeremy Ristau: The proposal seems totally fine. So,

Feanil Patel: All right, then.

Feanil Patel: Yeah, I think we can check in on it after we put Through its paces a bit.

Feanil Patel: So anybody else have any general maintenance issues, I can provide a quick update on the Ubuntu upgrade issue, which I didn't close yesterday. When I do that real quick.

Feanil Patel: so, where we ended up is essentially 24.04 is the Ubuntu version for Everything except for EDX platform and one of its dependencies at this point. As far as I know, everything else was running tests on 22.04, when there is running tests on 24.04 now that ubuntu-latest points to that without any issues, which in my mind confirms these sort of, OS agnosticness of most of our Python and Node code, which is great, the places where we have I think some OS specific issues are unsurprisingly EDX platform which has an extremely deep dependency tree as well as

Feanil Patel: Code jail, which has a lot of dependencies on the underlying OS security systems.

00:10:00

Feanil Patel: For the Ubuntu 22.04, especially for operators. I want to really highlight that there was a change that needed to happen to codejail for that and they've updated the Readme with that change and link to the relevant commit message where I made the fix. But if you are an operator, who runs code jail in production, You should definitely look at that. Pull request and the relevant notes on discourse. And I can try to find and link to that again, but it was in the maintenance announcements. So the post I made yesterday is

Feanil Patel: yeah.

Feanil Patel: So yeah so I think all in all super good, the Node 20 upgrade similarly is a thing. Fully done Adolfo. I believe you you've got the Dr. MFP plug-in running on on Node 20 now.

Adolfo Brandes: Yeah, that's correct.

Adolfo Brandes: By which, I mean it's on tutor nightly and it'll be on sumac.

Feanil Patel: Yeah. Yeah.

Feanil Patel: Yeah. Similarly, I believe the other two sort of minor upgrades that we have been trying to complete, which were sort of long running from beforehand was Enzyme and Most the other Windows Enzyme and Jest I believe were the two upgrades and…

Adolfo Brandes: Yeah.

Feanil Patel: the Enzyme upgrade is completed everywhere except for commerce related repos. Which are going to be archived soon. And the Jest upgrade I believe Jest upgrade's complete everywhere except for the ecommerce repos. The Enzyme upgrade is completed everywhere except for EDX platform. EDX platform has one Enzyme-based test. And so that needs to happen before that's fully done.

Feanil Patel: for the purposes of, I think, most people that's done, but if we had Some front-end resources on the EDX platform side that we could spare that would be a good thing to get over the line so that we're fully out of that. those were long-running upgrades that were in process a year ago when we started this working group, He's trying to get them to close.

Feanil Patel: And I think Those are the big targets we had for Sumac, so I think really awesome. Job on everybody's parts Brian Smith who is not here but who has been leading the Node 20 upgrade? Did an amazing job coordinating all of that.

Feanil Patel: and so now, I'm hoping we can find other people to help support the next couple of upgrades Django being the biggest one.

Feanil Patel: Somebody else have any other issues they want to talk through for maintenance.

Feanil Patel: If not, this might be a pretty short meeting today. I know we're trying to cut Sumac later today, so,

Feanil Patel: You can just get some time back.

Feanil Patel: What's right? What's up, Jeremy?

Jeremy Ristau: and I just say that.

Jeremy Ristau: The back boundary feels much healthier than the Redwood boundary from a maintenance perspective. I'd like to at least acknowledge that I think, there was some impact, from this group of people. So Yeah,…

00:15:00

Feanil Patel: Yeah.

Jeremy Ristau: really good. the feature part, that's like a different conversation and I think trying to get features at a boundary is the right thing to be rushing for instead of trying to get maintenance and for the boundary so really awesome.

Feanil Patel: Yeah and I think the enzyme stuff neither of these work in the considered blocking upgrades because they will be fine. It's just not ideal to have long running tasks. So we'll try to get these closed out as soon as we can. But yeah we didn't consider the note in the country, ones were blocking, but we're in a really good shape now because we have a release and a half where we won't have any blocking maintenance work done, which is, I think, The longest we've had in a while where there's not a major thing needed to be landed.

Feanil Patel: One of the other things that we should talk about at some point, but I think there's already other conversations happening is the Elasticsearch versus Meilisearch stuff, which is a bit of a product feature question. But also a bit of a maintenance question because we have so much Elasticsearch in our platform. Would have to talk about it today, but I'm sort of planting a seed that if you haven't been following what's going on with elastic, surgery would be good carve out some time for that because that's probably a question we need to answer given how old the version of Elasticsearch we're currently running on is

Feanil Patel: so, Yeah, no, I think we've done a really good job and I am hoping that we can take advantage of this extra time to define work for maintenance without having to sort of, Be on top of them to landed immediately. And the next couple of upgrades go a little bit smoother, that's kind of the next maturity goal in my mind for this group.

Jeremy Ristau: Good stuff.

Feanil Patel: yeah, and hopefully find more maintenance which will have more time for now that we're not 100% focused on getting these major upgrades landed.

Feanil Patel: In that case, I think we should transition to EDX platform related stuff. And anybody who wants to Drop off. Should feel free to do so.

Feanil Patel: And we've got a bunch of topics in that particular.

Feanil Patel: so, we have

Feanil Patel: It done to this person.

Feanil Patel: And we do have timeline with links from Diana, so we can close that. and then,

Feanil Patel: I think that's the only thing to talk about. So yeah. Fine.

Feanil Patel: I looked at the RCA and I looked at I put up another PR just to try to get a better handle on this and There are a couple of different things that happen. One was the way.

Feanil Patel: The way we set up Mongo was OS specific because we had a hard coded URL to the apt repository that the Mongo binaries live in.

Feanil Patel: This I think of fairly easy solve because there are now Reusable actions that will let us install Mongo and not have to think about that. And I think if we switch to one of those, then we can Not care about what version of Ubuntu we're on, and it will take care of that. and so that sort of moves us more towards reduce maintenance less more agnostic to the OS version but the other big thing was

Feanil Patel: the xmlsec package which It looks like it's used by the OneLogin SAML stuff that is. I haven't figured out exactly which package it's part of yet, but I think it's part of the OAuth package that lets you do OAuth with any given provider, but the xmlsec package Relies on a statically linked by Debian package on disk. So when you move OS versions, that has to like the version of the OS package and the version of the Python package, have to match up and align. So that is a place where I think we're in this situation where We can't just rely on automatic upgrade that being fine because it's

00:20:00

Feanil Patel: not resilient, it doesn't seem currently resilient to that. Static link, breaking across OS versions. but I need to look into it a little bit further, I just was able to produce the error and start digging into it but to me, that's enough for now to say that we should Do named versions on EDX platform of Ubuntu until we get a better handle on it, or that package improves, how it manages. That link between the static library, and the Python Library.

Feanil Patel: in that, but I kind of want to not run double tests. So I don't want to run the entire suite twice for two different OS versions. So I think this is going to revive A thing we did with Mongo where it's kind of relation.

Feanil Patel: We essentially picked a couple of shards that we would run. Through the old version. Once we got everything passing on the new version to make sure we essentially like smoke tested and didn't break anything, but that we wouldn't run the full test suite on the older version. And if we identify specific tests, that it makes sense to keep on the old version we can. Do that. But

Jeremy Ristau: sounds like awfully Related stuff would make sense.

Feanil Patel: The PRS.

Feanil Patel: Yeah, yeah, but it was like if it's able to pick it up during the install phase, that there's this mismatch. So this one is pretty easy to be as long as any single shard of our tests pass on the old version, we're fine. But for other future cases that we might be like, we need to run this set of unit tests to actually detect it. So let's make sure we're still running those on the old version and the new one. And we may have to sort of maybe a little bit more sort of on the fly figuring out what makes sense. Instead of we always run X on both versions…

Jeremy Ristau: Yeah.

Feanil Patel: but But not running everything I think is the point of discussion that I want to sort of get feedback on

Jeremy Ristau: If I think I'm learning, let's as acceptance as a terrible practice and I'll say, I have no issue fundamentally with what you just described that makes total sense to me. Optimize test running. Yeah.

Robert Raposa: Business. …

Feanil Patel: there.

Robert Raposa: I also agree with Everything that you're approach. Posing is codejail, a third issue here or no? but,

Feanil Patel: Yeah, jails is fully independent issue from this issue.

Robert Raposa: the only thing that's maybe not fully independent, but I don't actually know is codejail is its own.

Robert Raposa: but EDX platform. Relies on it. It's just making sure that Because the test for EDX platform are run all the time and the test for codejail are not run all of the time. Yeah, so that's the only thing that makes it less independent to me of how do we make sure that we actually know about the code jail issue at the right time?

Feanil Patel: Right.

Feanil Patel: you're saying because We might not see if a thing breaks code jail, when we make a change on the platform side.

Robert Raposa: right. I mean

Kyle McCormick: I don't think anything in the codejail test suite uses EDX platform.

Kyle McCormick: or in codejail itself, if we're talking about their repository,

Feanil Patel: Right. Right. codejail in theory can work outside of it as platform…

Kyle McCormick: it does for execute watcher.

Feanil Patel: but I think we're Right.

Robert Raposa: So I guess, maybe I'm just, Understanding. Right.

00:25:00

Feanil Patel: I think There's a couple of layers here. I think codejail is a library that if codejail was a third party library at EDX platform depended on, but we didn't manage.

Robert Raposa: Yeah.

Feanil Patel: We would be paying extremely close attention to which Os's it supports and making decisions about what EDX platform. Does based on that critical library to our project, Right.

Feanil Patel: Because it's so critical to how we secure.

Robert Raposa: Yep.

Feanil Patel: The user input because it's a first-party library and I guess it's related to that. There's a question of this is the third party library that we want to expect to work a certain way with EDX platform. is that a integration test that we need to have exist on the EDX platform side. So that we know when we've broken that and the answer I think is probably yes, but we need to figure out how to resource and make that happen. The other question is like because they're codejail is a first party library as the maintainer of that library. I think just making sure that library communicates what it supports more clearly and easily is an important step for us to be taking. And I did some of that when I did the maintenance over there, making sure that the docs were up to date with how to set up code jail, properly.

Robert Raposa: this make upgrade and just dealing first dealing with dependencies within Python Block on OS, support. So, if

Feanil Patel: You can. in the same way as you can do, A specifier you can do an OS version.

Robert Raposa: It. Yeah.

Robert Raposa: so, I…

Feanil Patel: What I believe.

Robert Raposa: maybe if that solves my issue of, If codejail, Had that then EDX platform couldn't mistakenly upgrade and pull in. Code jail, break it because I can't…

Feanil Patel: Yeah. Yeah.

Robert Raposa: because I can't upgrade the gel. I mean, I install it because it doesn't support this OS yet.

Feanil Patel: I mean, I think we need to confirm that but that seems like a reasonable thing to do is make those Dependencies more explicit and those requirements more. If we can make those explicit in the actual requirements files, that sounds great to me.

Robert Raposa: Is that?

Robert Raposa: Yeah notes that helps clarify…

Feanil Patel: Yeah. Yeah.

Robert Raposa: what my issue is but my issue is EDX platform. Getting an OS upgrade and not knowing about it codejail. Problem, because an impressive.

Feanil Patel: Right, right. it's implied but not Right. Yeah. I mean, I think the two ways to solve it are, if there is a way for us to do this, limitation in the target OS version, which I thought was possible, but I'm not quickly finding on Google Search and somebody can dig into more later and the other option is to simply A codejail integration test with the correct OS with whatever OS version. We're running at this platform as a part of the EDX platform. Testing And that if we tried to bump at the version of the OS, on the other platform side, should catch the error, which if we can't do it with the requirements, then that feels like a worthy effort.

Robert Raposa: And sort of either way that that really seems like a safer, let's make career that failing test on good job.

Feanil Patel: Yeah.

Feanil Patel: Yeah.

Feanil Patel: So yeah, I mean, I think that makes sense.

Robert Raposa: and then that would be if it could have a feeling test that would be one that would go and both interesting.

Feanil Patel: Yeah, I'm not sure what that test would look like yet and how much of it is just running. the codejail test suite in EDX platform which feels quite right.

Robert Raposa: And I think we have a tiny smoke test for deployment and I don't know…

Feanil Patel: Yeah, you do.

Robert Raposa: if that's A good enough test. if it's like

Feanil Patel: Yeah. we can easily do a very small test. My. Recent debugging of codejail made me realize that we need to run. Probably most of those tests because there's testing lots of different limits and those limits are set by different. Tools. And there's …

00:30:00

Robert Raposa: Good.

Feanil Patel: at least four or five different sort of security components at play to make codejail, fully do what it is doing.

Robert Raposa: I mean, if so two things that means the dependency. One would be a great one if we could limit it in that way.

Feanil Patel: Yeah. Yeah.

Robert Raposa: And also, after your work, if you have any quick, proposals of if you want to smoke test, you probably want these four smoke tests. That would be awesome.

Feanil Patel: Because I think there's a

Feanil Patel: Yeah, those smoke test that's there right now is testing AppArmor.

Feanil Patel: But there's also testing sudo/rlimit.

Kyle McCormick: Do I understand That the only difference There would be here. If we ran these smoke test regularly, Is that they'd be running with the EDX platform Ubuntu versions, rather than the codejail repo's Ubuntu versions.

Feanil Patel: Yeah. Yeah.

Kyle McCormick: That seems like a lot. Of setup. For something that could be a process solution.

Kyle McCormick: With process solution is just make sure we're running the right. it's versions for codejail tests.

Feanil Patel: and I think what we need to do is probably put a constraint on code jail. in the constraints file with a giant comment explaining that Do not bump this unless you confirm that the OS version

Feanil Patel: No that wouldn't help us because it's the OS version that's getting bumped on the other platform The problem I think is that when you're bumping the OS version on EDX platform, you don't know to look for code jail. there's nothing obvious that tells you that when you're bumping Ubuntu, you need to check that this specific library needs to support that version of Ubuntu. And nothing in our tests would have caught that. And I think of the concern that Robert does. Which I think is very reasonable.

Feanil Patel: Yeah.

Kyle McCormick: I'm still not.

Kyle McCormick: I don't know,

Kyle McCormick: The only. thing that code jail. So if you're deploying code jail,

Kyle McCormick: So in one of two ways you're doing it as a separate service,…

Feanil Patel: Yeah.

Kyle McCormick: which is what tutor encourages with the plug-in or you're doing it. You're running EDX platform with EDX sandbox requirements. Instead of the EDX requirements. And I think that's the only thing in EDX platform that

Kyle McCormick: I think the only thing in the EDX platform repository that Code jail needs is PIP The NX sandboxpip requirements list. And operator could theoretically run two different Ubuntu versions one for EDX App. And one for EDX Sandbox, the service running code jail. So, I

Feanil Patel: If they're running it as separate service, but if they're running it as a part of the EDX platform The app spawns, the fork process. So it needs to be on the same. Machine.

Feanil Patel: but I think what you've said sort of sparks a different question in my mind, which is, should we be deprecating running code In the EDX runtime and only support running it via the service, which architecturally I think makes a lot of sense and I would love to understand sort of the cost benefit of that question.

Kyle McCormick: Yeah. Yeah.

Robert Raposa: and I mean, Architecturally and from a security standpoint. it's where we would wish to go and we may go at some point with a large amount of priorities.

00:35:00

Robert Raposa: This one has not. Been one yet.

Feanil Patel: I can write you a desperate to make it a priority.

Robert Raposa: or been a high end, high enough to Question. I'm not asking for that but I understand.

Feanil Patel: Yeah.

Robert Raposa: So it's another possible solution.

Jeremy Ristau: Specifically.

Jeremy Ristau: Just so I understand we're saying here,…

Feanil Patel: Right.

Jeremy Ristau: there's a preferred way of running code jail. And that is as a plugin And we are saying it doesn't make a lot of sense to have community tests run against the way that one instance is running code jail, which is against the preferred way of running codejail.

Kyle McCormick: I'm not gonna say not that…

Feanil Patel: yeah, I mean, I think it's like

Kyle McCormick: but Trying to, it's not really what I was going for. I guess, what I'm saying is there's already a process decision so if we test EDX platform on it, don't do 22. And I'm going to do 24. That doesn't prevent edx.org from running Ubuntu. 309, There's a decision at every shop that runs Open edX to look at the support of going to versions, and then decide what they run, And I guess a step could be added to that decision to say. I'm going to look what supported at the EDX platform repo and I'm going to look at what supporting the codejail repo. And those two decisions together, make me decide what version I run on my site.

Feanil Patel: Right. Yeah.

Jeremy Ristau: but the way that you run, it can also Have an impact on what version work together.

Feanil Patel: so, Yeah,…

Jeremy Ristau: So yeah.

Feanil Patel: I think there's sort of two things happening here. and I think we're starting to mix and match a little bit, so let's separate them. there are two ways of running codejail right now one which was the historic way to do it and one that was added a couple years ago now and that In order for tutor to be able to run it, more safely of these two ways, we've never made it. there has not been a value judgment on the two ways in the past. So I don't want to say that we're like this, we've made the new thing, no code, Jill versus Coachella. Includes a different thing that we should not talk about right…

Jeremy Ristau: All right. Just one. Yeah.

Feanil Patel: Yeah, it's whatever the configuration repo and EDX platform for to you is doing versus the Tutor Code Jail. Plug-in

Jeremy Ristau: Okay, to say this, a different way. Should I be prioritizing something in the H1 roadmap to change the way that edx.org runs code jail to do away with this problem?

Feanil Patel: just,

Jeremy Ristau: is there a preferred way and then a non-preferred way. And we need to catch up to the preferred way and then this isn't a problem for our instance anymore. Yeah.

Feanil Patel: Yeah. And the question that was asking, is, Do we want to decide that? This is that the other way is the And this is the not preferred way,…

Jeremy Ristau: All…

Feanil Patel: because of the problems that we're discussing,…

Jeremy Ristau: Okay yeah.

Feanil Patel: can we Step a lot of them if we just say that this way is no longer preferred and…

Jeremy Ristau: Yeah. Right.

Feanil Patel: deprecate and get rid of it and that's the conversation that I was trying to have right now is we could talk about it.

Jeremy Ristau: Yeah. Okay right. Thanks. Just trying to catch up.

Feanil Patel: Yeah, I know you're good. we could talk about how to improve the process for the s The, I think not preferred way, but we could instead just declare it. Then not, Deprecated. We already have an alternative that I think and we could sort of invest more in a singular more preferred way and then essentially code jail and the codejail plug-in would have to Coaline about what OS versions they support. But then it becomes independent of the EDX platform testing and the X platform versions that we support.

Robert Raposa: All right, and then from a security perspective Jeremy the two. Things that go along with that is one you have.

Robert Raposa: Less of a chance of a problem happening in the way that we're describing, where you've got these two, things that care about different OS or on different OSes and that might open up a hole. And then to this Potential proposed.

Robert Raposa: A way of doing to use the term plug-in it wouldn't be that we would convert it to a typical plugin where something gets pulled out of the platform that still gets deployed with the platform. The other security problem is when codejail and all of this stuff is running on the same boxes as at a platform. If there is a security problem with codejail, it's a security problem on a box that has EDX platform and everything else on it versus. If you deploy it in a different way, it's much more secure. Because if there's an AppArmor problem,…

00:40:00

Jeremy Ristau: Right. Yeah.

Robert Raposa: you're not on a box that has all of that. Exactly.

Feanil Patel: That's your database credentials.

Jeremy Ristau: Yeah, makes total sense.

Feanil Patel: Yeah, So I think holistically if I were Here are two ways to do this thing, which The one way is better, and I think every way except for potentially performance and I don't know if we've tested that at the level of scale.

Jeremy Ristau: Of course.

Feanil Patel: that you guys might be running it up and that's part of why nobody has made that decision before but I'm saying maybe we could make that decision and then if there are performance issues, figure out how we can optimize and deal with them rather than Sort of us.

Jeremy Ristau: Or accept them. Yeah.

Feanil Patel: Yeah or accept them right? they might be fine.

Jeremy Ristau: Okay, no, that's super helpful. we're in that period of time where we're proposing things for next year. And I would like to like this in,…

Feanil Patel: Yeah.

Jeremy Ristau: if there's benefit for us and a benefit for everyone in that you don't need to run, as many tests or as many convoluted tests or anything like that, it seems like a Good thing.

Feanil Patel: Yeah.

Jeremy Ristau: Ryan Prioritize.

Kyle McCormick: Yeah, I would if you're looking for internal expertise on this Jeremy I know Tim McCormick had done some discovery into codejail as a service in the past and I think he has some security opinions there too.

Feanil Patel: Then.

Jeremy Ristau: Yeah.

Feanil Patel: And I think what I'm leaning toward after this conversation is that I think we should deprecate running codejail in the EDX platform runtime. And move towards the as the default recommendation, for EDX platform that has some implications because that plug-in is not a part of the Core group plug-in stuff, maybe, but It feels like that sort of.

Kyle McCormick: It's also. I think we need a run book for running it without tutor. We can't just deprecate and Use tutor.

Feanil Patel: Yeah, no that's fair. I think we can. Yeah. And that there's essentially an underlying service that the Tutor control codejail plug-in runs. And anybody can run that service. So, I think that's actually the supported way that we would sort of move towards. Is that the codejail service can be run? Yeah.

Kyle McCormick: yeah, and that

Kyle McCormick: And to add a lot of confusion to the conversation. that service could be Based on what code jail includes is right now. What's the requirements for medics and…

Feanil Patel: Yeah. Yeah. Right? the sandbox requirements can go away and…

Kyle McCormick: Because that's the thing that we need.

Feanil Patel: can be part of codejail service. If we pull the codejail service into the Open edX org, which is a conversation, we need to have with that your next, I think. But

Kyle McCormick: Yeah.

Feanil Patel: Make it an official service. Since I think I consider codejail a core feature, so it feels like those things should come in.

Kyle McCormick: Yeah, it's cool feature.

Jeremy Ristau: Sounds good, I'll do what I can to see where we can get the evolution activity on Earth.

Feanil Patel: Okay, I'll take an action item to follow up about codejail service and codejail.

Jeremy Ristau: and it was a good note to do the Non-tutor run book as well just so that doesn't get

Feanil Patel: yeah, yeah, yeah I think we should always Have documentation that is then powering our automation.

Jeremy Ristau: This is the kind of stuff that happens when we get some maintenance breathing room.

Feanil Patel: Yeah, And simplify.

Jeremy Ristau: Be like why not go to jail? Yeah sure.

Jeremy Ristau: Crazy.

Feanil Patel: Make things more secure.

Feanil Patel: Okay.

Jeremy Ristau: One way to do things, It's crazy.

Feanil Patel: Yeah. Yeah.

Feanil Patel: I think that's all I have. Is there anything else? Robert.

Robert Raposa: This is just a quick note to Jeremy. we can check on this later, but I think they'll be the question of The relationship between this and Containerization, like wrapping up the containerization work of Xbox one,…

Feanil Patel: Then. Yeah.

Robert Raposa: how much?

Jeremy Ristau: Yeah.

Robert Raposa: It might save us to do that. as part of the containerization or versus trying to do it without containers,

00:45:00

Feanil Patel: and for what it's worth, based on my recent research with codejail and containerization you should switch to the service before you containerize EDX platform because containerization and AppArmor and network limitations do not play well together. and there is I haven't. that's the reason we couldn't go to 2404 is because something has changed where essentially Docker, even if you have an AppArmor profile that says, Don't give any network access to this process, Docker, because of the way Docker's namespacing of networks works, it is ignored. And the underlying process gets access to whatever network the base system is on.

Robert Raposa: So I think you're saying the opposite of what I was saying because I didn't know the details that you knew. So you're saying Containerization is going to make it harder versus easier. Or.

Feanil Patel: what I'm saying is if you want to containerize, you probably want to switch to the service first. because,

Robert Raposa: got it. Yeah, That's useful know. I understand.

Feanil Patel: Yeah, because that when you have the service, you can use AWS security controls to manage the network stuff. If Docker doesn't do it, sufficiently from within the Docker container.

Robert Raposa: Okay.

Feanil Patel: And there's notes on that in I linked. For code jail. Where I made the upgrade about why we didn't go to 24, what's going on there?

Robert Raposa: so if I repeat back…

Feanil Patel: But yeah.

Robert Raposa: what I'm hearing you say, is if you containerize don't do it in the sandbox way, Definitely get to a separate service as part of that effort.

Feanil Patel: I think if you try to run codejail and EDX platform in the same Docker container the codejail service will not be sufficiently contained.

Robert Raposa: Yeah.

Feanil Patel: I've had to deal with that happening in the past and I don't wish that on you.

Robert Raposa: Appreciate that.

Feanil Patel: Kyle, you got another thing.

Kyle McCormick: so, Yeah, this is not EDX platform specific, but it so happens that I have exactly the people in the room that we need to talk about this. So I'm gonna take the opportunity. These CC channels. We have five of them.

Kyle McCormick: CC EDX platform is definitely used consistently in frontend apps to a slightly lesser degree, use very consistently. The other three seem like a little murkier in terms of what they're for. I see Jill from OpenCraft using them because she's extremely conscientious as a developer. But I think a lot of us are merging to package repos and not even realizing that we're supposed to be announcing merges. I guess. What do you guys find valuable? Is there a way we can consolidate from five channels to two channels or drop some of them or would it be nice to you have selected announcements for merges for every repo whether or not it's subject to a deployment pipeline.

Robert Raposa: I mean, I'll just say from my end, the only one that I watch is CC EDX platform because it's Related to the deployment pipeline. So, I don't know about the others and if Jeremy can speak more to them or

Jeremy Ristau: yeah, I mean I can speak about me and not the general audience but what I would say is I'm kind of like, A slack person. So I monitor them all actively I've stopped acknowledging every post because it feels, unnecessary at some point and it just a small burden that adds up. it's

Jeremy Ristau: I will agree that Utils and X blocks net. they never get used. I also have Slack notifications for merges on most repos so I see the merges whether they're announced or not what I like about EDX platform and frontend apps is that I'll get a 30 minute heads up. That's really useful for EDX platform solely because of the CI/CD. Do we have a pipeline problem. Do we have something happening? We can ask you to wait. The frontend apps have their own pipelines and we just wouldn't deploy, that's not as big a deal.

00:50:00

Jeremy Ristau: I have no problem if the bottom three, you just wanted to Do away with. Yeah.

Robert Raposa: One. No, Jeremy about what you said and this is Really up to you. But if you're looking at these things anyway and you appreciate still getting the 30 minute heads up, versus just having an announcement like I'm going to merge this.

Robert Raposa: if you're like, I can just add an emoji as long as I know, there's not some burning problem on our side. I feel like still adding that Emoji is helpful to the other person to know. I don't have to wait the 30 minutes.

Jeremy Ristau: I know, I know but …

Robert Raposa: Okay, okay.

Jeremy Ristau: it's five up, five thousand Slack messages a day and it's a lot. I definitely,…

Robert Raposa: I hear, but

Jeremy Ristau: I definitely would love to do that. Ideally and putting a thumb as someone in my seat. Kind of says, I accept all risk associated with this. And generally I'm appreciative of the heads up so that I can think about it but I don't want to think about it. So deeply that I want to accept all the risks associated with the broken build. But

Robert Raposa: I got you.

Jeremy Ristau: if I will say this, when you were talking this popped into my head, if I appreciate the 30 minute heads up, There are likely other people in the community who also appreciate the 30-minute heads up. And so it's a nice practice, but if we consolidated down to one or two channels, I think that's just as good as what we have now. Yeah.

Robert Raposa: yeah, this is just a brainstorm There's the possibility of adding an emoji that is like there are no fires to you at this time. That's not like we accept everything but you know that there's not a problem on our side but we're not saying anything about

Kyle McCormick: I think But is it useful information for things that don't Have a deployment pipeline. if we're talking about an X block, whose version is 10,…

Feanil Patel: No. I think he's suggesting correct platform in particular.

Robert Raposa: Yeah. Yeah. Specifically for the pipeline.

Kyle McCormick: For example,…

Feanil Patel: Yeah, yeah.

Kyle McCormick: got it. Okay.

Jeremy Ristau: Yeah, yeah the CI/CD pipeline is the tricky one,

Robert Raposa: I mean, for the other ones, Are we still giving a 30 minute heads up and is that still useful to Jeremy?

Jeremy Ristau: I feel bad when I see Brayden and Dave, and Kyle all being like, I'm gonna merge in 30 minutes. I'm gonna merge in 30 minutes because you're trying to get stuff in for Sumac and you have to just keep saying it over and over and over again. And I'm like, man, I would really hate my teams to have to do that. as I appreciate it but I wouldn't go so far as to say, I expected to be a requirement and get upset when I see a merge without a 30 minute announcement,

Feanil Patel: Usually, for me.

Robert Raposa: On the nun employment. Reboot, we're saying yeah.

Jeremy Ristau: Yeah, in front of specifically, I think would be when I

Feanil Patel: Right.

Jeremy Ristau: Yeah.

Kyle McCormick: I think what we're coalescing on is the bottom three? Not valuable front and…

Feanil Patel: Yeah.

Kyle McCormick: apps, fairly valuable 30 minutes appreciated. Not a hard requirement. CC EDX platform. No changes to the current process. Cool.

Jeremy Ristau: You got it?

Feanil Patel: Sounds good to me.

Robert Raposa: Cool.

Kyle McCormick: if you want to, I had an action item to handle that sometimes the next day or two and put us some communication about it.

Jeremy Ristau: Thank you very much.

Feanil Patel: Thanks Kyle.

Robert Raposa: Efficiently.

Jeremy Ristau: It was actually really good idea…

Jeremy Ristau: though to have those channels and the way that they've sort of evolved I think is a nice sort of public communication practice sites.

Feanil Patel: Yeah.

Kyle McCormick: Yeah, definitely, perhaps this arena.

Jeremy Ristau: They're all. Five channels. That was a lot. It's so

Feanil Patel: Yeah. just imagine if we had one person service per repo,

Jeremy Ristau: Yeah, yeah that was a talk about one point. I think everyone.

Feanil Patel: And I was like, we should not do that.

Feanil Patel: Yeah, All right. I think we're done.

Jeremy Ristau: Have a great day everybody.

Feanil Patel: Have a good day, everyone.

Robert Raposa: It's a signal.

Kyle McCormick: But yeah, see you later.

Robert Raposa: Do you want to add that? I mean, maybe Kyle Sandler, but do you want to add that topic to the next maintenance group? Because most of those weren't EDX platform, Channels, right? So just whether or not you want to but Okay.

Feanil Patel: I think it's fun.

00:55:00

Kyle McCormick: You guys are the audience.

Kyle McCormick: I think we have the deciders in the room

Feanil Patel: Yeah, I think it's fine.

Robert Raposa: Sounds good. All right.

Feanil Patel: yeah, yeah,…

Feanil Patel: I don't think

Kyle McCormick: Right. Do it.

Robert Raposa: All right. Thanks everyone. Later.

Feanil Patel: All Thank you. Bye.

Kyle McCormick: All right, see you later, Feanil.

Meeting ended after 00:55:23 👋

This editable transcript was computer generated and might contain errors. People can also change the text after it was created.