22:02:07 <nijel> #startmeeting Monthly meeting 2017-08
22:02:08 <pmabot> Meeting started Mon Aug 7 22:02:07 2017 UTC and is due to finish in 60 minutes. The chair is nijel. Information about MeetBot at http://wiki.debian.org/MeetBot.
22:02:09 <pmabot> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
22:02:11 <pmabot> The meeting name has been set to 'monthly_meeting_2017_08'
22:03:07 <nijel> welcome everybody
22:03:11 <nijel> , #topic Contractors
22:03:17 <nijel> #topic Contractors
22:03:53 <nijel> #info We're using contracts to hire developers for few years. I think it's good time to look back and evaluate how it works and how to proceed further.
22:04:48 <madhuracj> It's best to have comments from non-contractors
22:04:49 <ibennetch> I'm very happy about the contractor relationship. It's a good way to ensure focused work happens and I think it's an efficient use of sponsor donations.
22:06:41 <DevenB> I tend to agree. I think the contractors are able (and I feel, they have been) to get good amount of work and are committed to deliver proper focused effort towards the project's development.
22:07:00 <madhuracj> We've seen quite a number of issues being fixed and enabled big changes to be practical
22:07:09 <ibennetch> When we began the process, I had fears that the non-contracted members of the team would not put as much effort in as they had been, because of not getting paid for the same type of work others were getting paid for.
22:07:27 <ibennetch> I have not seen that happen, though, which means we're all motivated by more than just financial gains :)
22:08:09 <ibennetch> I have even been quite happy to see the contracted developers getting work done because I'm glad that they could combine work they enjoy with getting paid.
22:08:35 <nijel> I was afraid of others losing motivation a bit as well, but you're still doing amazing work ;-)
22:08:55 <nijel> The thing is that for most of the time I'm really the only one who is doing the contract work, even though we've tried to hire somebody else as well several times, but that has never really worked for longer term. Dan has not really done much work under the contract (AFAIK there was just one report), though he probably didn't officially terminate the contract, am I right?
22:09:42 <madhuracj> Yes, I did not see any further reports from him.
22:10:29 <ibennetch> I wonder if there's a way to get another developer hired; it would make much better work having two contractors.
22:11:12 <ibennetch> I do recall that the last time we opened up for applications, there were very few relevant inquiries so this may not be practical
22:12:03 <nijel> Maybe you can share some details whether we got some good external applications as well last time? Or hiring somebody from the team really the only way?
22:12:24 <DevenB> As far as I remember, we had even tried to publicise this at FOSDEM as well (or were we a bit too late to do that and missed it?).
22:13:35 <nijel> Yes I did hand out flyers there, but it was really short before deadline, so I'm not sure how much people actually looked at that....
22:13:38 <madhuracj> We had a couple of external proposals. They were mostly not up to the standard we were looking for.
22:14:32 <ibennetch> Exactly, there were a few but mostly people with little to no coding experience.
22:15:15 <ibennetch> So I have no problem hiring outside the team but we haven't had a good applicant yet.
22:16:04 <nijel> So it's quite likely that we won't get any reasonable application unless somebody from the team wants to do that ... any volunteers? ;-)
22:16:18 <ibennetch> And as far as I'm concerned, if anyone - from the team or from outside - comes to the team and says they're interested in becoming one, we can always begin the process then. We're always looking for a new developer, just not actively looking at times.
22:16:47 <nijel> (Of course we should first clarify Dan's status as he is still formally hired)
22:17:09 <madhuracj> Should we have a page in our website with this information?
22:17:26 <mauriciofauth> I have no objection to keeping contracts with developers.
22:18:33 <nijel> madhuracj you mean like having permanently open contractor position on our website?
22:18:57 <mauriciofauth> I'm interested, but I don't know how this process works.
22:19:02 <ibennetch> I think that's a good idea.
22:19:06 <madhuracj|2> Yes, like a Careers page in a corporate website :)
22:19:12 <DevenB> I too like the structure of Isaac's thought. 'We're always looking for a new developer, just not actively looking at times'. I guess madhuracj 's idea seems good.
22:19:38 <nijel> mauriciofauth: You can see previous posting here: https://www.phpmyadmin.net/news/2017/1/25/seeking-phpmyadmin-developer-one-year-contract-position/
22:20:56 <nijel> So far it was always one time effort to hire somebody, it's one year contract, but it is expected to get renewed every year (I'm doing second year right now)
22:21:49 <ibennetch> mauriciofauth: basically we open up the application pool to anyone (by posting on our news page, through Conservancy, and so on) and filter through the applicants. When a team member applies, they basically go through the same application process as external applicants; they don't get specific favorable treatment.
22:23:04 <mauriciofauth> Then I will prepare a proposal
22:23:54 <nijel> That sounds great ;-). You can really draft conditions as you want, for example I'm working half-time on phpMyAdmin
22:25:13 <ibennetch> If no one objects, I can add a section to the website.
22:25:26 <madhuracj|2> Sounds good to me
22:25:41 <nijel> #action ibennetch will add section to website
22:26:53 <nijel> we can still use the pmadeveloper alias at conservancy as I'm pretty sure they didn't add mauricio there
22:26:53 <mauriciofauth> I think it's good
22:27:05 <ibennetch> The added benefit there is that we can probably streamline the hiring process instead of waiting some time for the call for applicants.
22:27:33 <nijel> ibennetch: yes, that's probably better ...
22:28:09 <nijel> anyway we were just discussing whether we should check Dan's status before and it really doesn't matter - if we get more work done, it's only better and financially it's not a problem for us
22:28:29 <madhuracj|2> Imagining this might generate quite a bit of interest it would be best to mention to inquire with us before submitting a proposal?
22:29:03 <DevenB> nijel: I remember you mentioning something on the mailing list about adding a new contract@phpmyadmin.net for contract applications. Do I remember correctly?
22:29:28 <nijel> DevenB: I've added that, but never used that and stuck with conservancy one as they've updated it
22:29:50 <ibennetch> Right, but now it may be time to change to our list/alias.
22:30:34 <nijel> I really don't care which email address we will use, so choose one when writing the webpage ;-)
22:30:59 <ibennetch> Ok
22:31:24 <ibennetch> Anything else to discuss from this point? Any contractors (or former contractors) who have feedback about the process or experience?
22:32:33 <nijel> When speaking about this I should probably mention that I'd like to continue in the contract, though I will probably ask for money increase due to USD/CZK exchange rate moving quite fast in last months (see http://www.xe.com/currencycharts/?from=USD&to=CZK&view=2Y)
22:32:57 <nijel> That's all I have :-)
22:33:12 <nijel> #save
22:33:19 <ibennetch> wow
22:34:12 <nijel> I think we can move to other topic...
22:34:24 <nijel> #topic Next Team meeting
22:34:50 <nijel> I'd really like to make all of us meet, but I'm not sure if advance planning will help that...
22:35:34 <ibennetch> I'd also like for us all to meet.
22:36:03 <ibennetch> I'm generally not able to make a meeting between September and December due to work being quite busy in the fall.
22:36:19 <ibennetch> DebConf, FOSDEM, and LinuxTag are all excellent choices.
22:36:37 <nijel> We were already talking here that next DebConf location in South Asia is quite conveniently located.
22:37:07 <ibennetch> Having a conference in North America is also quite convenient for me, although I know it wasn't for anyone else.
22:37:26 <nijel> FOSDEM is something I visit every year anyway and we might be able to get a booth there and meet our users (compared to DebConf where you can hardly find any our users)
22:37:27 <ibennetch> Taiwan for DebConf 2018
22:37:55 <ibennetch> Right, there is that aspect of it. It's good to meet with our users. DebConf is a great experience but not good for that part of it.
22:38:13 <nijel> LinuxTag worked quite well for this also
22:38:52 <ibennetch> FOSDEM is usually in February, although I don't think the dates have yet been announced.
22:38:57 <ibennetch> I agree, nijel
22:39:43 <nijel> Yes, FOSDEM is usually first weekend in February
22:40:09 <nijel> Looking at LinuxTag website, there doesn't seem to be one this year, so I'm not sure if it's good idea to rely on that happening next year...
22:40:42 <nijel> Then there is https://chemnitzer.linux-tage.de/2017/en, which is even more convenient for me as it's closer ;-)
22:41:12 <nijel> (though I haven't been there yet)
22:42:43 <nijel> Anyway we don't have to decide this right now, just look for possibilities and we should really choose something what will work for all of us
22:43:23 <DevenB> Yes. Right. Most of these aren't even announced for the next year yet.
22:43:26 <madhuracj|2> I agree, we probably should start discussing this on the team mailing list with a short list of possible events.
22:44:06 <ibennetch> DebConf would be a minimum 20 hour flight for me, which would be quite strange to experience.
22:44:19 <nijel> Okay, feel free to look on events in your area as it really doesn't matter where we travel given how widespread we're currently
22:44:20 <ibennetch> I imagine Deven and Madhura had quite long flights for Montreal.
22:44:32 <ibennetch> Yes, we should start to discuss on the mailing list as dates are announced.
22:45:47 <nijel> For me Montreal and Taiwan is both same around 15 hours (if there is good connection, what I don't have on way back...)
22:46:02 <mauriciofauth> And about the International PHP Conference?
22:46:34 <mauriciofauth> Is it a good place to meet?
22:47:10 <nijel> It really looks more like a business conference (at least based on the entrance fees)
22:47:13 <ibennetch> Quite some time ago, the team met at a MySQL conference, so a PHP conference is definitely an option.
22:47:34 <ibennetch> Oh, my. That is quite expensive.
22:47:46 <nijel> 5 day pass is for 1233 EUR (with some discounts)
22:47:55 <ibennetch> All suggestions are welcome, mauriciofauth.
22:49:38 <nijel> but yes, we can certainly look for anything, so suggestions are welcome
22:50:00 <DevenB> https://mariadb.org/2017-2-developers-unconference-and-related-events-shenzhen/ or https://m18.mariadb.com/ can also be some of the options.
22:50:26 <nijel> for the MySQL conference which is similarly priced we could probably get free tickets (at least I got that offer last year, though nobody was interested in going there)
22:51:27 <nijel> #action everybody has a homework to bring few suggestions for suitable conferences in 2018
22:51:59 <nijel> and last topic is:
22:52:04 <nijel> #topic Setup script protection
22:52:21 <ibennetch> lol at that action line
22:52:48 <nijel> I was discussing this with Achilles-96, but I'm not really sure what is best approach here
22:52:55 <nijel> #url https://github.com/phpmyadmin/phpmyadmin/issues/12844
22:53:14 <nijel> Apparently he didn't make it here, but still it's probably something we should decide
22:53:59 <nijel> From security view, forcing user to define password first and then allow to use setup is better, but on the other side it's adding another step which might be complicated for some users, so I'm not really sure what is best approach here.
22:54:11 <ibennetch> That's exactly how I feel.
22:54:49 <ibennetch> One thing that I think would be beneficial to users is to _run_ the setup script even if they're not authenticated. They could then download the resulting file.
22:55:13 <ibennetch> Authentication should be to load an existing file and save a file.
22:55:23 <ibennetch> Although I can't remember if there was some security concern with that.
22:55:30 <nijel> The problem with that is mysql server probing as that opens many ways to discover network and services behind firewall...
22:55:39 <mauriciofauth> I think that usability is something very important.
22:56:17 <ibennetch> Oh, right. I remember that now.
22:59:11 <ibennetch> So, just to quickly recap here, the discussion is about how we should authenticate a user to allow them to use the setup script. If we make them create a password and manually put it in config.inc.php first, this is a rather complex step for some users.
22:59:39 <nijel> Exactly, thanks ibennetch
22:59:41 <ibennetch> If we just prompt the first user of the setup script for a password, then it's a race condition for whomever first runs the setup script.
23:00:48 <nijel> We've already spent one hour on the meeting, so if anybody is having other plans, we can end now and discuss this in the issue tracker...
23:00:52 <ibennetch> I think the second option is the user-friendly option and one area we'll just have to sacrifice security.
23:01:17 <ibennetch> Overall, it's more secure than what we've had in the past.
23:01:30 <ibennetch> I'll stay a bit longer.
23:01:50 <nijel> ibennetch: I see problem with people using phpMyAdmin completely without configuration, those would end up with setup open forever, what we probably don't want to allow...
23:02:03 <mauriciofauth> I can stay longer
23:02:05 <ibennetch> Oh
23:02:08 <ibennetch> That's a good point.
23:02:44 <madhuracj|2> How about prompting for this step when the user accesses phpMyAdmin for the first time?
23:02:57 <ibennetch> Hmmm. That might work.
23:03:52 <ibennetch> At least get a password saved, then the user still doesn't have to run setup but are protected from others doing so.
23:04:12 <nijel> Redirecting to setup if there is no configuration and the config file can be written? That would probably work well to enforce protection
23:05:02 <ibennetch> But (probably) many users run without a config.inc.php, do we want to force them to create one just for this password?
23:05:08 <nijel> I've actually proposed that in the issue some comments ago: https://github.com/phpmyadmin/phpmyadmin/issues/12844#issuecomment-320637399
23:05:27 <nijel> yes, we would force to create one in this case, just with the password
23:05:46 <nijel> that might have the benefit of people discovering setup and using more of the advanced configuration options ;-)
23:05:48 <DevenB> This does sound better. Tries to have something better from both usability and w/o compromising a lot on security.
23:06:28 <nijel> So it seems we've come to conclusion in this...
23:06:38 <ibennetch> I basically can't improve on the proposed idea at https://github.com/phpmyadmin/phpmyadmin/issues/12844#issuecomment-320505290
23:09:33 <nijel> Great, I'll add there summary
23:09:45 <nijel> Thanks everybody for attending the meeting!
23:10:02 <madhuracj|2> Thanks and Bye
23:10:11 <DevenB> Thank you everyone! :-)
23:10:59 <ibennetch> Thanks nijel for your work helping my student :D
23:11:00 <nijel> #endmeeting