Wikimedia Platform Engineering/MediaWiki Core Team/Quarterly review, April 2014/Notes

Notes for meeting to be held April 15 at 1:30pm PDT (sometime UTC...math is hard)

Antoine, Brad, Bryan, Chris M., Chris S., Dan G, Faidon, Greg, RobLa, Aaron, Erik M, Ori, Gabriel, Sumana, Howie, Yongle, Nik, Mark Bergsma (starting 30 min in), and others

Agenda: https://www.mediawiki.org/wiki/Wikimedia_MediaWiki_Core_Team/Quarterly_review,_April_2014

Slides: https://docs.google.com/a/wikimedia.org/presentation/d/1DCJ5QyfAYXZZYfFjeVeAjD43qy1aMRoLTCJp-lknumE/edit#slide=id.g26ef6a8f4_0105

CentralCssJs

 * allows some population to globally change all JS/CSS across all WMF wikis. Warning!

Architecture/RFC

 * next quarter: Sumana aims to have clear, usable architecture/security/performance guidelines that people use; be closing old RfCs at a reasonable rate; get non-WMF parties involved more in RfC creation & discussion

Scap

 * https://logstash.wikimedia.org/#/dashboard/elasticsearch/scap
 * To watch stuff in action (i.e., during a deploy), run on fluorine.eqiad.wmnet:
 * tail -50f /a/mw-log/scap.log | python ~bd808/scaplog.py

Trebuchet, deployment, salt

 * Faidon wants us to find a way to support teams deploying with Trebuchet - talk with Ops
 * Erik suggests looking at short-term vs long-term needs, support
 * Ori points out the amount of technical debt we're working off
 * e.g. the version file went from plain text with odd semantics to a JSON file.
 * Gabriel brings up issues with Trebuchet over the last few months that required root to resolve, but past that
 * Ori points out that SOA suggests both homogeneity from perspective of consumers AND deployers, and that salt/trebuchet could work towards that; suggests improving setup on beta
 * Beta now has a functional Trebuchet system that can be used to test deployments and changes; it has been used by Andrew Otto to test changes
 * (discussion of overlap with HHVM work & deployment)
 * https://www.mediawiki.org/wiki/Deployment_tooling/Notes/Deployment_system_requirements
 * Faidon wants someone to coordinate with the Ops contractor who would work on this
 * salt is the remaining blocker for Parsoid - non-root users cannot call things that take longer than a second, so salt root has to do it
 * See https://github.com/saltstack/salt/pull/10815 (possibly resolved upstream)
 * Ops has asked Giuseppe to coordinate on relevant issues; he will be the main contact on deployment-related issues, especially around salt (he is ramping up)
 * SUMMARY: talk to Giuseppe

Security

 * https://www.mediawiki.org/wiki/Security_auditing_and_response
 * Training - new wiki page written by CSteipp that includes some of the design notes from the training
 * https://www.mediawiki.org/wiki/Security_for_developers/SDLC
 * slowly investigating static analysis/metrics on security.
 * next quarter: continuing responsibilities + figuring out how to empower good security decisions as people build architecture
 * Gabriel asks: let's talk about auth! Chris responds: will work on that as part of RFC process & with the SOA designers/implementers.
 * right now there's only 1 auth-related RFC (AuthStack)
 * ACTION: Gabriel to write/discuss RFC with CSteipp/RobLa about JSONWebToken (?) or whatever re auth


 * Faidon: what about emergency revocation of passwords? e.g. MySQL password revocation, Redis password
 * ACTION: Dan Garry, RobLa to put emergency revocation on the team backlog


 * RobLa: Platform needs to choose the right backlog, & Ops has a Platform backlog that Platform & Ops need to work together better on
 * Ops's liaison to Platform for next quarter is ..... Faidon! \o/
 * ACTION: RobLa to invite Faidon to MW Core weekly meeting (done)

SecurePoll

 * ACTION: Dan G to talk with Philippe to figure out urgency

Performance

 * 300 milliseconds was Ori's target for the quarter -- we are close?
 * seems like a stronger commitment to perf across org -- see Gilles's multimedia work
 * are we right now ~2 seconds (2000ms)? unsure.
 * We used to be all about caching, but this won't work for fast performance for contributors, making site interactive. See https://www.mediawiki.org/wiki/Wikimedia_MediaWiki_Core_Team/Quarterly_review,_April_2014#HHVM
 * Discussion of SPDY support. Would help with asset delivery, front-end perf
 * Upcoming: workshop at Zurich, in-person meetup in SF, hopefully a Wikimania talk
 * a todo: pkgs from upstream suck.
 * Alex will be helping with upgrade to Ubuntu 14.04
 * (discussion of upgrades & dependencies)
 * ACTION: Platform & Ops to work on HHVM/upgrade/Trusty strategy

Search

 * Everything that we can put into core will be

Misc

 * Discussion of Rashomon - more independent from (?)


 * ACTION: Phabricator meeting in June-ish

Notes copied from http://etherpad.wikimedia.org/p/MWCore2014April