Date

14 Dec 2021

Call-in Information

Time: 10:00 am, Eastern Time (New York, GMT-04:00)

To join the online meeting:

• https://lyrasis.zoom.us/j/84378615572?pwd=bGUxSjlyRTdjOGl5U1B6L0Yva3RQdz09

  Meeting ID: 843 7861 5572
  Passcode: 556561
  One tap mobile
  +16699006833,,84378615572#,,,,*556561# US (San Jose)
  +19292056099,,84378615572#,,,,*556561# US (New York)

  Dial by your location
          +1 669 900 6833 US (San Jose)
          +1 929 205 6099 US (New York)
          +1 253 215 8782 US (Tacoma)
          +1 301 715 8592 US (Washington DC)
          +1 312 626 6799 US (Chicago)
          +1 346 248 7799 US (Houston)
          877 853 5257 US Toll-free
          888 475 4499 US Toll-free
  Meeting ID: 843 7861 5572
  Passcode: 556561
  Find your local number: https://lyrasis.zoom.us/u/kerqtGDrJ4

Slack

• https://vivo-project.slack.com
  • Self-register at: http://bit.ly/vivo-slack
    

Attendees

 Indicating note-taker

1. Brian Lowe 
2. Dragan Ivanovic  
3. Georgy Litvinov
4. William Welling  
5. Benjamin Kampe 
6. Matthias Lühr 
7. Andreas Czerniak
8. Veljko Maksimovic 
9. Dominik Feldschnieders 
10. Serbajit Dutta
11. Florian Kotschka

Agenda

1. Questions/Issues/Pull requests
   1. Log4j  severe vulnerability 
      1. VIVO
      2. Solr
         1. Ralph's fix at slack - https://vivo-project.slack.com/archives/C8RL9L98A/p1639198280115200
         2. Any other
      3. Tomcat
      4. Docker instances
      5. How to disseminate
         1. Slack - done
         2. Mailing list
         3. Web site
2. The preparation for the February sprint
   1. Wiki page
      1. 2022 - VIVO Sprints
         1. https://forms.gle/GKBCDznBF2KtsEQR7
   2. Date for the sprint
      1. February 21st - March 11th
   3. Georgy's document - https://docs.google.com/document/d/1vtNIVEYWdBgV11N-wiPk_UNKpiFQ4sKetJ8elJ6xy2E/edit#heading=h.k389x4cotzuw

Notes

Dragan: Welcome to the meeting. I would like to share a message about log4j issue. VIVO core code is not influenced by this issue. Only Solr is affected. It can be fixed with the approach Ralph provided in the Slack channel. Some Tomcat instances may be affected by the issue if they use log4j2.

Dragan:  We can send messages with different channels. Maybe I can copy some of messages to General slack channel. I will communicate with people responsible for OpenVIVO to check if it is affected, fix and run it again. 

Solr also might be affected by forwarded requests from VIVO. 

Dragan: I created some wiki pages. Topic is Dynamic API. I also created forms for registration. Please fill out the forms and register to participate in the sprint.

Michel: It is not fixed what we are doing in this sprint? 

Dragan: If you have some other ideas we can discuss it. You can find the basic plan here https://docs.google.com/document/d/1hJSWAa3ENoFOYyp0GyvDqBdehra3AmFBAD9X2dX3cSo/edit#

Dragan: My idea is to use Tuesday’s meetings for pre and post sprint meetings. The first Tuesday after the sprint to have a retrospective meeting. During the sprint we should use Slack to exchange messages about the progress. We also will have standup reports. There is Slack standup template Michel posted last time. We can arrange additional meetings if that would be necessary.

I also prepared google form for self registration and corrected sprint dates to 21 of February. I noticed some comments from Christian and Mattias for specification of use cases for building custom entry forms by using Dynamic API request. That can be useful to better specify requirements. 

Any other opinions from your sides are welcome!

I also started reviewing VIVO tasks and assigning reviewers that will be on our Thursday’s agenda.

Next Tuesday should be the last meeting in this group this year.

Georgy: Should we use jena4 ? Should we use Java 11 for this?

Michel: From Jena 4 is based on Java 11.

Michel: My opinion of moving to Jena 4. It is too soon to move to Java 11 right now. TDB works well.

William Welling: I usually like to upgrade as soon as possible. What is wrong with VIVO causing an upgrade poorly? You don’t want to wait until it is too late.

Brian: Are we aware of that particular issues?

William: Michel what problems have you faced with Java 11?

Michel: It works with Java 11. Sometimes when you mix with something from Java 8 it can become problematic. I try to stay with Java 8 as long as we can and move to Java 11 later, now it is too soon.

William: Only concern I have is that it is inconvenient to support old versions. I think it is mostly a development concern to stick to the java version.

Brian: There was some library that changed dependency so we switched on java 8. To me the most interesting piece is fixing performance issues. If we could do that as a fairly low effort thing, that could be a really big push to Java 11. 

Michel: Structure of the package is different from Java 8. So a lot is different, so it is not just integrations we did before. It is a big step. Maven works not the same. We should test to know the implications of that kind of switching. 

William: There are a lot of opportunities to think about that upgrade. At some point we will need dependency that would require new java.

Michel: We can include evaluation of Java 11 as a topic for the next sprint? Take some time to do this evaluation to have an idea should we move to Java 11. One person can be assigned to work on that and make an evaluation of this. 

Dragan: We should focus on the main task of the sprint. If we would have some space one person could allocate on that problem that could be evaluated. But my suggestion is to be focused on dynamic api. We should have the result at the end of the sprint.

William: We can fail-fast try to use Java 11 without spending much time on this, if it works then we just use it, otherwise switch back to Java 8.

Serbajit Dutta: We use VIVO instance containerized with Solr. There is still no docker image to fix it. How can we fix it? According to their release it is 11.0 is vulnerable but there is no 11.1 solr docker container yet. There are other options to modify the solr.sh file but I look for other ways to solve that.

Michel: I tried to find 11.1 but didn’t find it. 

Serbajit: We pulled solr.sh. Another way to remove jndi file from jar file. But we haven’t tried this yet.

Georgy: I think so far there are no other ways to solve this.

Serbajit: Thanks everyone.

Dragan: Thanks everyone for coming. See you next time.

Draft notes on Google Drive

Task List

• Dragan Ivanovic to disseminate log4Shell warning message to the VIVO community and provide links to solutions
• All - to review/update Sprint - Dynamic API based on an ontology wiki page
• All - to consider to register and participate in the sprint. Registration is here: https://forms.gle/LQjiyMFd1NL3B63v5
• All - to review Roadmap 1.x document and provide comments
• All - to review VIVO development priorities and provide comments 
• All - Add comments to Georgy's document