07:34:31 #startmeeting
07:34:31 Meeting started Tue Feb 2 07:34:31 2016 UTC. The chair is anitsirk. Information about MeetBot at http://wiki.debian.org/MeetBot.
07:34:31 Useful Commands: #action #agreed #help #info #idea #link #topic.
07:34:34 Hello and welcome to the 50th(!) Mahara developer meeting and the first in 2016. So: Happy round meeting number and happy new year! Please say who you are and prefix that with "#info" so that the meeting minutes pick it up.
07:34:34 #info anitsirk is Kristina Hoeppner, Catalyst in Wellington, New Zealand
07:34:45 #info robertl_ is Robert Lyon, Catalyst in Wellington, New Zealand
07:34:47 #info anzeljg is Gregor Anželj, developer and translator, Ljubljana, Slovenia
07:35:11 #info yuliya is Yuliya Bozhko from Totara Learning Solutions (Wellington, New Zealand)
07:35:12 #info aarowlaptop is Aaron Wells, from Catalyst IT in Wgtn NZ
07:35:20 #topic Topics from previous meeting
07:35:21 #info aarowlaptop to update the wiki and readme file to reflect the addition of the two mobile browsers in the supported software. (It was agreed to start smoke-testing Mahara on mobile devices in the latest Safari (iOS) and Android Chrome [Android] browsers.)
07:35:50 over to you aarowlaptop on that.
07:36:28 I haven't updated those yet. :)
07:36:43 But it should be a pretty small change
07:36:43 ok. then we'll leave them as action item for next time?
07:36:46 sure
07:36:58 #action aarowlaptop to update the wiki and readme file to reflect the addition of the two mobile browsers in the supported software. (It was agreed to start smoke-testing Mahara on mobile devices in the latest Safari (iOS) and Android Chrome [Android] browsers.)
07:37:10 next one is also yours, aarowlaptop
07:37:12 #info aarowlaptop to ask the front-end devs to write up instructions for building a theme under windows
07:37:44 Haven't done that one either...
07:37:54 I'll fire off an email after this meeting
07:37:54 do you want me to check with them?
07:38:09 Hm, maybe that would be good. I'm not sure which of them to ask at this point
07:38:24 #action anitsirk to ask the front-end devs to write up instructions for building a theme under windows
07:38:38 and to complete three:
07:38:39 #info aarowlaptop to collate information on use of Postgres 8.3 in LTS of the top 5-7 operating systems to determine whether support can be dropped or not. also take a look at Mahara rego data to see if those using Postgres 8.3 are on unsupported Mahara versions.
07:38:43 That I *have* done
07:38:51 :-)
07:39:12 here's the link: https://docs.google.com/spreadsheets/d/1LIoLFuWBOtjdVIPSRuFnFdKirr2RpIl7oTarYxlhzgY/edit?usp=sharing
07:39:34 https://docs.google.com/spreadsheets/d/1LIoLFuWBOtjdVIPSRuFnFdKirr2RpIl7oTarYxlhzgY/edit?usp=sharing
07:40:02 doesn't look too bad
07:40:28 aarowlaptop: did you also look at the rego data?
07:40:31 Yeah, the only ones I noticed that are still under support and with pre-8.4, are RHEL and CentOS (which I think is tied to RHEL)
07:41:00 Ah, no, I didn't compare it to the stats data from mahara.org
07:41:37 hm, but we have some data from a previous meeting, about the most common OS's reported to mahara.org...
07:42:23 https://docs.google.com/spreadsheets/d/1MTQmnDczefBzRzGWIYtWotEeIJTavEMegNkeHqGhgvE/edit?usp=sharing
07:43:17 there wasn't anyone with a postgres 8.x
07:43:47 yeah
07:43:58 and all of the ones that reported their OSes, were using fairly recent ones
07:44:48 so: shall we drop the support for 8.3 or maybe even more of the 8.x series?
07:45:18 that's in the next major release, right?
07:45:20 If we raise our support level to 9.0, then the only still-in-support Linux OS we'd lose is RHEL
07:45:33 yeah, that would be for 16.04, or even 16.10
07:45:40 but that would only be for postgres.
07:45:43 right
07:46:00 do we know of anyone on rhel on postgres?
07:46:08 There was a RHEL user who I was talking to on Launchpad, who mentioned that there is a compatibility package available for RHEL that makes the later Postgres versions available
07:46:09 on an old version?
07:46:28 and removing official support may not affect 8.4 until we add some tricky 9.0 specific code
07:46:32 Yes, there was one user who reported a bug in our 8.3 compatibility
07:46:37 9.1, there is no 9.0
07:47:04 ok 9+ specific postgres code
07:47:10 9.x
07:47:21 oh wait, there is 9.0. never heard of it :)
07:48:03 because we tend to write sql to be compatible with postgres and mysql we tend to shy away from too fancy stuff
07:48:33 that is true
07:48:46 rhel supports 8.4 until 2020. that's four years out! no innovation possible
07:49:07 wow
07:49:09 let me see if I can find that bug...
07:49:20 that's some decent long term support
07:49:24 https://bugs.launchpad.net/mahara/+bug/1517658
07:49:40 https://bugs.launchpad.net/mahara/+bug/1517658/comments/14
07:50:10 RHEL has a service called "Red Hat Software Collections", which adds Postgres 9.2
07:50:49 So, if someone complains, we can direct them to that
07:51:39 should we adopt a similar support for databases as we have for browsers? i.e. only support versions that are supported by the provider, in this case postgres?
07:52:04 postgres aims to support major releases for 5 years.
07:52:38 that would mean though that 9.1 reaches its end of life in september this year
07:52:52 http://www.postgresql.org/support/versioning/
07:53:22 I think there isn't much harm in us supporting older DB versions
07:53:32 I guess we realistically have two tiers of "support"
07:53:37 there's the systems we actually test on
07:53:45 and then there's the systems we will implement bug fixes for
07:54:10 when those bugs are reported to us by members of the community
07:54:14 #info aarowlaptop thinks there isn't much harm in us supporting older DB versions.
07:54:45 I guess the main harm in supporting older versions, is when we have to implement bug fixes for them, but that isn't very often
07:54:54 #info RHEL has a service called "Red Hat Software Collections", which adds Postgres 9.2 and thus a more modern version of postgres can be used on RHEL if there are issues with an older one that we don't support anymore
07:55:04 and the other harm is that it prevents us from using the features of newer versions of the software
07:55:24 but as robertl said, we tend not to use the extended functionality of the databases anyway, in order to maintain compatibility across postgres & mysql
07:55:41 #info as robertl said, we tend not to use the extended functionality of the databases anyway, in order to maintain compatibility across postgres & mysql
07:56:01 decision making time then?
07:56:16 Yeah, let's raise it to... either 9.0 or 9.1
07:56:33 hm, there must be a mistake in my table. I said that FreeBSD 9.3 has Postgres 8.4, and FreeBSD has Postgres 9.0
07:56:37 let me fix that...
07:56:39 robertl_ and yuliyabozhko as the two other voting members, what do you think?
07:56:43 yep 9.1 sounds good
07:56:50 I would go with 9.1
07:57:02 from 16.04 on?
07:57:20 next major, so 16.04, I guess?
07:57:41 aarowlaptop and robertl_ ^
07:57:49 yep, might as well say from next release
07:58:36 according to my source of data (distrowatch.com) the still-supported versions of FreeBSD are on Postgres 9.0.22
07:58:45 so let's say Postgres 9.0
07:58:46 we switched to 9.1 in Totara last year as a min Postgres version. no issues so far
07:58:52 oh yeah?
07:59:00 If the community come back with a bug report for older version and supply a good fix then I imagine we'll add it - but anything hard/heavy we will politely decline
07:59:14 I remember 9.1 was because of some specific security fix
07:59:14 for 8.x versions
07:59:45 interesting
07:59:52 or performance improvements. smth like that
07:59:56 I don't think I've encountered that many institutions running FreeBSD anyway
08:00:08 okay, let's say 9.1 then. No objections?
08:00:20 none from me
08:00:26 nope
08:00:29 #agree Lowest supported PostgreSQL version will be 9.1 starting in Mahara 16.04.
08:00:48 ok. onto the next action item from last time.
08:00:49 #info Kristina to check with Jen and Julius and also go through the demos [of HTML5 player possibilities] and ask Brian that we can also get a UX person to go through.
08:01:02 I've done that and the result was that VideoJS was the best for accessibility.
08:01:14 There wasn't much difference for sighted users.
08:01:29 #info VideoJS is the replacement for Flowplayer to provide an HTML5 media player.
08:01:53 #info son started on the implementation and put up two patches for review. https://reviews.mahara.org/5988 and the child patch linked off it.
08:02:33 the idea is to remove the flash player and slot in the html5 player for the existing items for which flowplayer is used.
08:02:52 #info the html5 player is pegged for the 16.04 release.
08:02:57 that was it from me on this topic.
08:03:16 any questions or comments?
08:03:42 nope
08:04:08 not from me
08:04:19 no. it's a bit funny. but that's exactly the player that I selected for Totara Social after doing some research. it is quite a good one and easy to integrate
08:04:49 their audio support is not great though...
08:05:03 in which way?
08:05:19 it requires a poster otherwise it looks like an empty video
08:05:53 mhh. maybe there's a plugin?
08:05:54 I just use a generic audio file icon as a poster
08:06:00 a 'poster'? you mean a still image?
08:06:03 yep
08:06:24 yeah a generic audio image would be the way to go
08:06:32 poster/still image: a mahara logo with smaller audio icon?
08:06:43 exactly :)
08:06:58 it's simple and hopefully they will improve later
08:07:05 other than that I found no issues
08:07:14 #info VideoJS requires a still image for audio files. A simple icon image can be used.
08:07:16 I am not sure they have RTL support though
08:07:22 that's great to know, yuliyabozhko
08:08:13 let's move on. there's still lots on the agenda. last item from last time
08:08:15 #info Kristina to check with patk about the character set for Raw.
08:08:15 #info actually, anzeljg has investigated this and came up with a solution: https://reviews.mahara.org/5977 - The custom fonts that don't display necessary characters now have them.
08:08:15 The fonts work fine. Thank you, anzeljg. I only had a question for where to put the information about the original fonts so it doesn't get lost and that the credit appears in the proper place.
08:08:58 i thought the info about the original font might be good in the license file so that people would have all the info in one place.
08:10:15 anzeljg / Gregor_: do you want to add anything?
08:11:13 info is inside font files, inside font file license files and in separate README file. that should do it :)
08:11:48 and I am not Gregor_ BTW :) that is somebody else
08:11:56 :)
08:12:00 :)
08:12:00 oh good to know anzeljg. and hello Gregor_
08:12:20 anzeljg: thanks for the latest patch. i'll take a look tomorrow.
08:12:27 :-) hi
08:12:32 then that's it for that i would say.
08:12:36 yep
08:12:54 would those files need updating from the originals in the future or are they completely separate now?
08:13:26 eg if the originals got updated, would we need to update our ones?
08:13:43 as far as I understand they are completely separate, but somebody could double check OFL license...
08:13:46 the original font files still seem to be in the patch.
08:14:25 anitsirk: there are no original font in the patch. they should be marked as deleted?!?
08:14:48 anzeljg: ah. that's what the D stands for at the beginning of the line.
08:14:58 :)
08:15:00 never noticed it before
08:15:14 hello mingard.
08:15:30 right on time. we are starting with the new items any second now.
08:15:31 hello :) am I late? couldn't remember the start time ...
08:15:36 OK cool
08:16:23 mingard and Gregor_: it would be great if you could briefly introduce yourself so we have you in the minutes. prefix your name with #info please so it's logged.
08:17:10 in the meantime let's move to the next topic.
08:17:12 #info mingard is Jono Mingard from Powershop, Wellington, New Zealand
08:17:12 #topic Support for Internet Explorer 9 and 10 (End of life support: 12 January 2016) - Kristina
08:17:13 #info Microsoft ended the support for Internet Explorer lower than version 11 on 12 January 2016.
08:17:13 https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
08:17:13 #idea We should drop official support for non-supported versions as well. Our general support info could also include: Latest 3 versions of browsers XYZ or that are still supported, whichever is the most recent (not quite sure about that wording yet). Mahara may still work on unsupported / older browsers, but you may not be able to use all functionality as designed.
08:17:30 :D
08:17:33 <-- Gregor Pirker I am the side admin from Mahara.at
08:18:10 hey. great that you could make it, gregor. thanks for your registration today / yesterday.
08:18:15 anitsirk, I am all for dropping support for IE versions :)
08:18:24 do we have any stats for how many institutions are still using it?
08:18:35 mingard: hold on for a minute
08:18:36 anitsirk: I think MS still supports IE9 and 10 on Enterprise editions
08:18:40 I suspect a lot will continue to do so despite everything (given Edge is only on windows 10)
08:18:40 it is not that simple
08:18:49 but saying that - the versions 10 hasn't given us too much grief
08:19:06 yeah, I think we should drop 9 but not sure about 10 and 11
08:19:16 be great to forget version 9 though
08:19:29 :) true
08:19:39 is anyone testing with Edge yet?
08:19:41 top 10 browsers for demo.mahara.org for the last 3 months:
08:19:44 1. chrome 47
08:19:48 2. chrome 46
08:19:54 heh
08:19:54 3. firefox 42
08:19:59 4. firefox 43
08:20:14 5. IE 11 (4.9%)
08:20:20 6. Safari 9.0
08:20:25 7. Firefox 41
08:20:30 8. Mobile Safari
08:20:33 9.0
08:20:41 10. Chrome 48
08:20:46 and that is 1.7%
08:20:57 oh man, you are so lucky you don't have to deal with corporates :(
08:21:06 the next IE is actually IE 8 with less than 0.9%
08:21:27 and we haven't supported that anymore for some time already
08:21:33 really? ok, looks like most average people are on IE11 at least
08:21:35 and it's below 1%
08:21:46 so maybe drop IE 9 and 10 but keep 11? would that be much effort?
08:21:47 mingard: yep. that's what piwik tells me :-)
08:22:24 and it looks very similar for mahara.org as well
08:23:07 the effort in the past has been dealing with IE 6,7,8 oldness - and some ie 9 weirdness - I don't recall any html/css specific things for IE 10+
08:23:13 well, mahara 15.04 and 15.10 will still run on those browsers. for our supported versions it's more like do we drop support for IE 9-10 at a minor point release, i.e. in particular for 15.04 and 15.10.
08:23:38 We would still support IE11 because that is the second last supported version of IE
08:24:11 btw, dropping old IEs will improve the output of HTML5 media player :) just saying
08:24:18 oh true
08:24:25 IE9 is pretty bad with video and audio tags
08:24:45 is this helpful in any way: #link https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer
08:25:00 for mahara 15.04 we still have IE9, 10 and 11 as supported browsers. for 15.10 we have 10, 11 and 12.
08:26:05 this also looks interesting: https://msdn.microsoft.com/en-us/library/dn467846(v=vs.85).aspx
08:26:09 I think dropping official support for IE9 and 10 for 15.04 and 15.10 would be good. mahara doesn't suddenly stop working for those as they were designed to work with these browsers, but we wouldn't necessarily have to worry about issues esp. since microsoft doesn't support those browsers. we should not encourage people to stay on unsupported browser versions.
08:26:28 agree
08:26:48 sounds good
08:27:46 aarowlaptop and robertl_?
08:28:11 sounds fine. and if IE11 turns out to have problems/incompatibilities going forward we can revisit it then
08:28:17 #idea anitsirk: think dropping official support for IE9 and 10 for 15.04 and 15.10 would be good. mahara doesn't suddenly stop working for those as they were designed to work with these browsers, but we wouldn't necessarily have to worry about issues esp. since microsoft doesn't support those browsers. we should not encourage people to stay on unsupported browser versions.
08:28:19 I agree
08:29:12 oops. lost a voting member. let's see if aarow comes back
08:30:14 aarowlaptop: do you agree?
08:30:42 (you hadn't missed any info while you were off the channel)
08:30:52 sorry, I was disconnected for a minute there
08:30:57 what's the question?
08:31:16 we were discussing dropping official support for IE9 & 10 for 15.04 and 15.10
08:31:31 drop support for IE9 and 10 for 15.04 next minor release and for IE10 for next 15.10 release?
08:31:47 see my comment at 21:28:16
08:32:38 I hate to say it, but we probably shouldn't change the system requirements in a minor release
08:32:54 that's the kind of change that is meant to be limited to major releases
08:33:09 aarowlaptop: that would mean though to support IE9 and 10 until October next year for 15.04.
08:33:24 do we still get many IE9/10 bugs for 15.04?
08:33:24 and no user will get support from microsoft on these browser versions.
08:34:13 or change the wording for 15.04 and 15.10 that mahara will work with these browser versions but we recommend to use a supported version or different browser?
08:34:24 Yeah, I'd prefer that
08:34:38 robertl_ and yuliyabozhko: OK with that?
08:35:03 yep
08:35:05 that sounds fine
08:35:14 and then for 16.04 we only go with the officially supported recent browsers by microsoft, i.e. at the moment IE11 and 12?
08:35:55 Sure, I'm okay with that
08:36:00 #agree change the wording for 15.04 and 15.10 that mahara will work with IE9 and 10 (Mahara 15.04) and IE10 (Mahara 15.10) browser versions but we recommend to use a supported version or different browser
08:36:09 I'm fine with that
08:36:21 #action anitsirk to update the readme for 15.04 and 15.10 and master
08:36:59 #agree Change wording for Mahara 16.04 that only Microsoft supported browsers are supported to a maximum of the three most recent ones. in this case right now it would be IE 11 and 12.
08:37:11 alright. thank you. onto the next topic. :-)
08:37:16 #topic Password policy (currently 3-30 characters long) - Kristina
08:37:17 #info you can set a password that is only 3 characters long on your account settings page. When you set up your first password though you are already asked for a longer one.
08:37:17 #idea We should make the minimum length consistent (I think right now it is 6 characters) and not limit the length of the password. 30 characters may not be enough anymore when people are encouraged to choose phrases rather than short passwords.
08:37:55 yes please! is there a reason the length limit exists?
08:38:11 probably some historical reason
08:38:12 mingard: no idea. probably from the old days when that was a thing
08:38:25 why not make a config setting and let admin decide?
08:38:27 no idea why it exists, maybe the db column was 30 chars
08:38:43 gavin said we shouldn't have to worry about the length as a hash is stored anyway
08:38:51 It'd be smoother if we set up some admin settings for password requirements... but I don't think that's really necessary
08:39:03 yuliyabozhko: many admins may make bad / user friendly decisions? ;-)
08:39:04 but now it's encrypted so it should end up saved as a set length anyway
08:39:08 there was a point early on where Mahara wasn't hashing passwords, so it could be from that
08:39:35 funny, the "password" column is actually 255 characters
08:39:43 presumably the length of the hash
08:39:53 oh hang on, didn't see the previous comment
08:40:11 i don't think we need to implement a password policy like moodle since a number of recommendations are these days to go with phrases rather than just cap / special char etc.
08:40:18 anyway, yeah, we may as well lift the password length limit, for internal account passwords
08:40:19 =-O not hashing passwords?!
08:40:52 normal practice nowadays is to have a password min length as well as a check that it's got non-alphanumeric chars
08:40:54 Yeah, I think I've seen some git commit messages relating to the implementation of hashed passwords, circa Mahara 0.6 or so
08:41:27 #agree lift the password length limit for internal account passwords.
08:41:50 #action anitsirk to create a bug report for the password length
08:41:52 By "lift the password limit", I mean we'll raise the length limit to something large enough that it's unlikely anyone will hit it
08:41:57 like... well, 255 characters
08:42:11 :)
08:42:15 just for form processing reasons
08:42:24 and then in 10 years time when we all need 1000-character passwords to beat quantum computers we'll change it again!
08:42:29 heh, yep
08:42:32 ok. that should be well beyond what anybody wants to type every single time ;-)
08:42:38 It's longer than a tweet
08:42:43 yup
08:42:54 let's move to mingard's topic
08:42:55 #topic Mochikit replacement - Kristina
08:42:56 #info mingard started on the Mochikit replacement
08:42:56 https://reviews.mahara.org/#/q/owner:reason.koan%2540gmail.com+status:open
08:42:56 #idea There are basically two approaches: 1) Replace Mochikit with equivalent modern JS but not change the structure of PHP. 2) Remove Mochikit and all JS from the PHP files. Approach 2 takes longer and wouldn't be possible to do for Mahara 16.04. Approach 1 might still be doable for 16.04.
08:42:56 Over to you mingard for the details.
08:43:06 ok
08:43:42 for anyone who's unfamiliar, we currently have both MochiKit and jQuery javascript libraries, which both do similar things. MochiKit hasn't been updated in ages so we should be removing it
08:44:12 that is a big chunk of work...
08:44:25 a secondary problem is that Mahara's JS generally is quite hard to understand and debug because a lot is embedded in PHP, and there are a lot of different conventions used throughout the project
08:45:00 removing MochiKit isn't as big as it sounds because most functions have direct jQuery equivalents (it's just going through and replacing the ~1600 instances of MochiKit functions being used, then checking nothing breaks)
08:45:40 however, I've discovered a lot of places where large chunks of functionality is duplicated, so it might make more sense to turn common functionality into jQuery plugins at the same time as removing MochiKit, which would be a lot more work
08:45:52 Moodle tried to keep JS code into YUI modules more or less separated from PHP code
08:46:13 TL;DR removing MochiKit is mostly straightforward, but it wouldn't make Mahara's JS significantly better or easier to understand
08:46:19 so, plugins might be a way to go
08:46:40 yeah, I think that would make sense
08:47:24 that's a quick summary - anitsirk you mentioned possibly getting another JS dev for 16.10?
08:47:34 mingard, have you documented where the most duplication is happening?
08:47:47 mingard: yes. the plan is to work with one of our senior front-end devs at catalyst to do that work.
08:48:13 we wouldn't be able to do that for 16.04 though due to the volume of the work and feature freeze is also at the end of next week.
08:48:44 but mingard, you suggested that it might still be worthwhile replacing mochikit with jquery in place for 16.04 as a start. would that still be true?
08:49:10 #info we currently have both MochiKit and jQuery javascript libraries, which both do similar things. MochiKit hasn't been updated in ages so we should be removing it. a secondary problem is that Mahara's JS generally is quite hard to understand and debug because a lot is embedded in PHP, and there are a lot of different conventions used throughout the project
08:49:38 #info removing MochiKit isn't as big as it sounds because most functions have direct jQuery equivalents (it's just going through and replacing the ~1600 instances of MochiKit functions being used, then checking nothing breaks). however, mingard discovered a lot of places where large chunks of functionality is duplicated, so it might make more sense to turn common functionality into jQuery plugins at the same time as removing MochiKit, which would be a
08:49:58 #info TL;DR removing MochiKit is mostly straightforward, but it wouldn't make Mahara's JS significantly better or easier to understand
08:50:06 #idea make plugins
08:50:12 robertl_: no, I should do that. as an example, htdocs/admin/site/menu.php and htdocs/admin/groups/groupcategories.php have a big chunk of code to deal with lists which is basically doing the same thing
08:50:52 so is the duplication lots of places doing small duplication or a few places doing big duplication?
08:51:04 as the latter will be easier to fix
08:51:04 a few places doing big duplication so far
08:51:12 cool
08:51:33 the sort of thing where it would make sense to do $(element).maharaEditableList({ options }) or something
08:52:24 anitsirk: honestly, I'm not sure, but if feature freeze is next week it probably wouldn't be worth rushing to eliminate MochiKit for 16.04
08:52:31 yep, it would be good to doc some mahara specific js snippets along with fixing up code
08:52:57 it's working fine as-is and I think it would be wasted effort to migrate all the bits that are duplicated individually
08:53:10 mingard: ok. sounds fine by me. might prevent us touching things doubly
08:54:03 mingard: we'll then ignore your patches on that for the moment and will pick them back up once we get started with the replacement if that's OK with you.
08:54:54 yep, sounds good. I'll work on finding and documenting duplicated sections, and maybe do a bit of a proposal on how we should restructure the scripts generally
08:55:12 (for example, I would *really* like a js/vendor directory for all our 3rd-party stuff)
08:55:41 #info we will tackle the mochikit replacement for Mahara 16.10 and try to do it all in one go (separate JS from PHP) and not only convert Mochikit into jQuery.
08:56:21 mingard: i think what would be good if we'll arrange a chat between you and matthew then when he's ready to get started so your pre-work and thoughts are retained and he can take them into consideration.
08:56:45 #action mingard will work on finding and documenting duplicated sections, and maybe do a bit of a proposal on how we should restructure the scripts generally
08:56:52 yep, hopefully I can give him something to go on :)
08:57:02 I'm sure you can.
08:57:17 ok. let's move on to the second last official topic.
08:57:18 #topic Sign the Contributor Covenant? - Kristina
08:57:19 http://contributor-covenant.org/
08:57:19 #idea Chris Cormack pointed me to this document and I wanted to see if there was any interest in looking into it further.
08:57:51 I actually came across this independently the other day - looks like a really cool idea, although I have issues with some of the wording
08:58:14 for example, mingard?
08:59:57 hmm, on re-reading it, it doesn't sound so bad. I initially thought there was a strict permanent ban on contributors who broke the rules which didn't sound very nice
09:00:21 but it looks like it's more discretionary than that so I must not have understood that properly the first time
09:00:24 mingard: there might have been changes. when i first looked at it, the website looked vastly different ;-)
09:00:33 heh, probably
09:01:06 it's something we'd want to discuss in the wider community as it's not a technical issue. i just thought to gauge interest here first
09:01:11 anyway, I think it's a good way of codifying what should be implicit anyway, but IMO people should always prefer discussion over following it to the letter
09:01:21 I don't have any problem with the covenant itself... it's the general set of rules I try to follow myself anyway
09:01:23 anybody else having any option? aarowlaptop, anzeljg, Gregor_, robertl_, yuliyabozhko?
09:01:57 oops. not option but opinion of course ;-)
09:02:06 we haven't actually had any issues with these things lately, as far as I know, so I guess it would be a pro-active step
09:02:36 I don't have any problems with that. I support it
09:02:36 I can't say I have any opinion right now :) need to have a look a bit more
09:02:37 yes, more pro-active than re-active
09:02:43 my only quibble is that I'm cautious to add more overhead to the project; i.e. another big page of rules that no one is going to actually read
09:03:04 but... it's probably harmless
09:03:35 would it be OK then for me to ask the wider community what they think?
09:03:39 sure
09:03:39 well, I don't think another page of rules that no one reads anyway will turn off many potential contributors ...
09:03:45 of course
09:03:54 :)
09:04:06 I hope you are right, mingard :)
09:04:16 wouldn't want to scare people off
09:04:38 well, could also encourage others to actually contribute ;-)
09:05:15 yeah, in theory there might be people who feel more welcome as a result of seeing that policy made explicit
09:05:32 #action anitsirk to start a discussion on mahara.org on whether to adopt the Contributor Covenant.
09:05:59 the next topic is:
09:06:00 #topic Persona shutdown (Launchpad Bug #1533377)
09:06:00 https://bugs.launchpad.net/mahara/+bug/1533377
09:06:26 #info Mozilla is shutting down Persona at the end of November 2016
09:06:31 thanks for pointing that out, yuliyabozhko
09:06:32 I added that. I thought we wanted to discuss what to do with it :)
09:06:54 aarowlaptop: made some comments on the report.
09:07:01 so I did
09:07:27 I think right now our best course is to wait for a month or two and see how things settle out, what steps other Persona users take
09:08:02 I don't know if there's an equivalent 3rd-party auth system it would make sense to switch to
09:08:07 or support instead
09:08:09 i made a note on the user manual for 15.10 about the shutdown to discourage new institutions from using it http://manual.mahara.org/en/15.10/administration/institutions.html#persona-authentication
09:08:25 https://wiki.mozilla.org/Identity/Persona_Shutdown_Guidelines_for_Reliers
09:08:34 #idea wait for a couple of months to see what steps other Persona users take
09:08:36 there is some info there
09:08:39 waiting is not a bad idea. OpenBadges rely on persona and Mozilla will be working on finding a replacement
09:09:26 we can always transfer persona accounts into manual mahara accounts by changing the auth method and then users doing a password reset.
09:09:54 yeah, just wondering if people would choose it because they prefer having 3rd-party auth
09:09:59 Hm, I wonder if a "passwordless email login" would be easier to do...
09:09:59 I can tell you what we are doing in Totara Social because we are removing Persona in the next release to minimise impact with the new sites
09:10:07 as described on that Mozilla page
09:10:22 "passwordless email login"?
09:11:00 interesting idea ... I haven't used a site with that so can't say whether it's useful or just annoying
09:11:12 node.js
09:11:32 but you could implement it for PHP instead (someone probably has)
09:11:45 :) wouldn't be surprised
09:12:14 yuliyabozhko: what are you doing?
09:12:28 I think the "passwordless login" technique, is basically that every time you log in, you use the equivalent of a password reset email
09:12:34 and you combine that with a "remember me" option
09:12:39 so that users don't have to "log in" very often
09:12:52 but it still uses some token
09:12:52 anitsirk: looking at the idea of https://passwordless.net/
09:13:01 it is making an explicit practice out of something lots of people do as a matter of course ;)
09:13:10 I wonder what security is like...
09:13:39 aarowlaptop: that's what persona did essentially i think. you only provided your full details once and if you trusted the site, you then only selected your email address and could log in over the next month without your password. and in the next month, you set your password again.
09:14:03 it's just the idea of this is that you don't even have a password - that side is all hidden
09:14:11 yep
09:14:20 so you get sent an email and click a link once a month (or whatever) to stay logged in
09:14:33 to log in again, rather
09:14:41 you visit the site, you're logged out, you click the passwordless login button. It emails you a link (which contains a login token). You click that link, and now you're logged in.
09:15:12 so, it pretty much emails you a password 09:15:19 a one-time password 09:15:31 exactly as secure as having a password reset by email system 09:15:37 that is per-device and per-browser though. not sure how it would be staying logged in on a laptop, desktop, phone, tablet, etc. 09:15:38 mhh. i'd find that somewhat annoying esp. when the email doesn't arrive directly or you then need to log into your email account via 2fa... 09:15:42 or is that just me 09:16:03 BRB 09:16:10 anyway, just something to think about 09:16:19 :) anyway. I would vote to wait 09:16:24 me too 09:16:24 yeah. let's table that for the moment. :-) 09:16:35 see what's happening in this area 09:16:47 yep, we still have plenty of time to make a decision and implement that choice 09:16:54 Here's one thing we might want to do 09:16:56 right away 09:17:07 make the "persona" auth plugin be disabled by default on new Mahara installations 09:17:10 #info we'll revisit what to move to in a few months when more information is available and some other projects also had time to think about a migration path. 09:17:21 or at least add a warning message to the site itself (not just the manual) 09:17:27 aarowlaptop: that's a good idea. 09:17:38 yeah... might be a good idea to show a warning on the admin page 09:17:41 #idea disable persona auth by default on new mahara installations 09:18:01 but for upgrading to new version it checks if any users are on persona and keeps it active? 09:18:07 what about displaying a warning when trying to activate it instead of just on the admin page? 09:18:12 are there any stats on how many people are using this auth method? 09:18:34 I don't think the stats program says how many users are on different auth methods 09:18:42 it just lists which plugins are installed and with which versions 09:18:57 hmm.
right 09:19:04 I was just thinking, we make it so that if you're doing a clean install of Mahara, the persona auth plugin is not enabled 09:19:07 #idea show warning to admin when wanting to activate persona on a new mahara. 09:19:14 if you're upgrading, we don't change anything 09:19:41 like with saml. that is not installed per default 09:19:46 yes, like that 09:20:40 #action anitsirk to set up new bug report for disabling persona auth per default for 16.04 and add warning when about to enable it. 09:21:03 i'll make it a separate one so we don't get confused with the bigger issue and think that's already been taken care of 09:21:45 Can it be set so when upgrading it checks how many users use that auth plugin and if no-one uses it it disables the persona? 09:21:55 we could do that... 09:22:08 let's put that as an add-on to the bug 09:22:17 specifically, if no institutions have it set up as an auth method 09:22:25 ok. 09:22:34 in that situation, the site admin won't notice or care that it's been disabled 09:22:51 #idea add to report that if no institution uses persona on an upgraded site, disable the plugin 09:23:04 anything else? 09:23:27 then for the most favorite topic on the agenda 09:23:29 #topic Next meeting and chair 09:23:45 what about 9 March 2016? http://www.timeanddate.com/worldclock/fixedtime.html?iso=20160309T07 09:24:16 I don't know where I am going to be, so would prefer not to commit right now :) any date works for me in this case :P 09:24:44 hehe. you'll make it difficult then to pick a time. PST doesn't mesh with europe and nz :-( 09:24:54 at least not easily many times of the year 09:25:07 that's fine. we'll sort it out. I am flexible, if anything ;) 09:25:26 aarowlaptop, anzeljg, Gregor_, mingard and robertl_? 09:25:34 the 9th works for me 09:25:51 the 9th march sounds good :) 09:26:01 sure 09:26:05 works for me too 09:26:16 aarowlaptop: no improv?
09:26:24 if it will be Europe evening then yes 09:26:36 not right now 09:26:38 9th sounds ok 09:26:53 anzeljg: would be european morning. or shall we reverse? that would then work for yuliyabozhko 09:27:26 i can at evening so reverse (morning doesn't work for me) 09:27:35 I suppose I could get up early ... ;) 09:27:39 well, if I am the only one in weird timezone, I will try to find time whenever it is convenient for everyone else 09:27:39 at least the 9th... 09:27:49 what about the others? or different date? 09:28:01 8th or 10th works for me 09:28:41 10th then or would early morning be ok for you, aarowlaptop? 09:29:45 so: http://www.timeanddate.com/worldclock/fixedtime.html?iso=20160310T07 09:29:58 cool 09:30:10 early morning for 10 march (9 March evening in europe) wouldn't work for me as i already have an early morning meeting 09:30:22 and who wants to chair? :-D 09:31:05 yep 09:31:09 10th is fine 09:31:09 please. not all at once. 09:31:58 anitsirk: would it be possible an hour later? 09:31:59 and don't look at yuliyabozhko. she may not be able to make it. anybody else? 09:32:27 an hour later would be fine by me. how about the rest? 09:32:44 ok by me 09:32:51 works for me 09:33:08 for me too :-) 09:33:15 sold. 09:33:24 now just for the chair. i'm not forgetting about that part. ;-) 09:34:45 since I was causing some troubles I can (unless something urgent comes up at work - is it possible to have a backup in that case?) 09:35:11 anzeljg: you weren't causing trouble. thank you for volunteering. i can be your backup. 09:35:20 great. thanks 09:35:55 #info the 51st Mahara developer meeting will take place on 10 March 2016 at 8:00 UTC. anzeljg is the chair for that meeting with anitsirk as backup. 09:35:56 http://www.timeanddate.com/worldclock/fixedtime.html?iso=20160310T08 09:36:09 #topic Any other business 09:36:15 does anybody have anything?
09:36:22 i do :) 09:36:31 go ahead, anzeljg 09:36:36 Integrate embed.ly into the "external media" and troubles moving blocks possibly related to blockmoveBlock function and the javascript... 09:36:48 would it be possible to find a solution for that one 09:36:58 #info Integrate embed.ly into the "external media" and troubles moving blocks possibly related to blockmoveBlock function and the javascript... 09:37:00 https://reviews.mahara.org/#/c/5749/ 09:37:01 .. 09:37:45 I'll try to look at that in the next couple of days 09:38:06 I suspect the solution is on the move end to repopulate the block with original text so the embed.ly js can do its magic again 09:38:06 thanks aarowlaptop! 09:38:31 #action aarowlaptop to look at solution for moving blocks properly for https://reviews.mahara.org/#/c/5749/ 09:38:38 anybody else? 09:38:50 not from me 09:39:00 I have a quick one. 09:39:22 #info feature freeze for Mahara 16.04 is at the end of next week. we are getting closer to April already! 09:39:43 sorry. haven't updated the wiki page yet. will try to do so soon. 09:40:05 if nobody else has any other business, we are now at the finish line. 09:40:10 have a nice evening / morning 09:40:14 #endmeeting