SA&S Minutes 2021-01-20
Attendees: Llewellyn, Niels, Marco
George started the migration to Bootstrap 5 to prove that it could not be integrated without major problems. Instead, he found that it is possible to migrate to Bootstrap 5 already in Joomla 4.0 without causing additional delays. Most of the changes are already made (estimates range from 90 to 98%).
The Pareto principle, on the other hand, teaches us that the time-consuming things are in the remaining few percentage points, so after all the effort and discussion, it is still not easy to make a final decision. We see three options:
- Integrate Bootstrap 5 in Joomla 4.0, hoping that the remaining work can and will be done fast
- Integrate Bootstrap 5 in 4.1 (if needed with a compatibility layer) to give more time for proper development without delaying the release of Joomla 4
- Stay with Bootstrap 4 for the lifetime of Joomla 4.
We do not see option 3 as advantageous and therefore give the following advice:
Software Architecture and Strategy Team recommends that the involved developers should have two weeks to integrate BS5 into J4.0. If this is not successful by then, the aim should be to introduce BS5 with J4.1 (possibly with a BC layer).
Most of the nearly 50 packages currently have a 1.x branch serving Joomla 3 and a 2.0 branch serving Joomla 4. Since in Joomla 4 the framework packages are pulled in individually via Composer, it adds no value to couple the version numbers of the framework packages to the evolution of the CMS.
Software Architecture and Strategy Team recommends that the versioning of the individual packages be decoupled from each other and from the CMS so that they can evolve at their own pace.
Expansion of Test Areas
We perform security tests based on static code analysis using RIPS. This could be complemented by dynamic tests using a tool like OWASP ZAP. Since ZAP is quite resource-hungry, it may not make sense to run it on every pull request, but it would be beneficial to run it at least once within the release cycle (ideally just before a release).
The Software Architecture and Strategy Team recommends that the Automated Testing Team investigate where in the release cycle OWASP ZAP can be integrated as an additional security test.
Experience shows that most reported security vulnerabilities in Joomla are caused by extensions. It would therefore be advantageous if the OWASP ZAP test (and, in this context, also general static code analysis including the RIPS test) could be integrated into the Joomla Extension Directory (JED) when new extensions are uploaded. This requires a Docker image containing a Joomla instance and the required analysis and test tools, which takes the uploaded zip package as input and generates a report and/or metrics as output.
The Software Architecture and Strategy team recommends creating a (set of) Docker image(s) that takes the uploaded zip package as input and generates a report and/or metrics as output.
These images should be available to third-party developers to encourage them to test their extensions.
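As an added illustration of the intake side of such an image (this is example code written for these minutes, not code from the Joomla project, the JED or the RIPS/ZAP tools), the script below takes an uploaded extension zip as bytes, rejects archives whose entries would escape the extraction directory, and produces a small JSON metrics report: file counts, whether a manifest is present, PHP files missing the `_JEXEC` access guard, and counts of calls that a reviewer would want to look at. The sample packages are constructed inline. The dynamic OWASP ZAP run against the Joomla instance with the extension installed, and the RIPS scan, are assumed to be separate later steps in the same container and are not shown.

```python
"""Intake checker for an uploaded Joomla extension package.

Added example, not part of the SA&S minutes or of any Joomla project code.
Assumed workflow: the JED upload hands the zip to a container; this script
unpacks it safely in memory and emits a JSON report with static metrics.
The dynamic OWASP ZAP scan and the RIPS analysis are later steps not shown.
"""
import io
import json
import os
import re
import zipfile

# Joomla's access guard that directly loadable PHP files are expected to carry.
JEXEC_GUARD = re.compile(r"defined\(\s*['\"]_JEXEC['\"]\s*\)\s*or\s+die", re.I)
# Calls worth flagging for reviewer attention (a count, not proof of a defect).
RISKY_CALLS = re.compile(r"\b(eval|exec|shell_exec|system|passthru|unserialize)\s*\(", re.I)


def safe_entries(zf):
    """Yield archive entries, rejecting absolute paths and '..' components.

    Extracting an archive without this check lets an entry such as
    '../../configuration.php' overwrite files outside the target directory.
    """
    for info in zf.infolist():
        name = info.filename
        if name.startswith(("/", "\\")) or os.path.isabs(name):
            raise ValueError(f"absolute path in archive: {name}")
        if ".." in name.replace("\\", "/").split("/"):
            raise ValueError(f"path traversal in archive: {name}")
        yield info


def analyse_package(zip_bytes):
    """Return a metrics dict for an extension package given as raw zip bytes."""
    report = {
        "files": 0,
        "php_files": 0,
        "php_without_jexec_guard": [],
        "risky_calls": {},
        "has_manifest": False,
        "rejected": None,
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            entries = list(safe_entries(zf))
        except ValueError as exc:
            # An unsafe archive is reported and never unpacked.
            report["rejected"] = str(exc)
            return report
        for info in entries:
            if info.is_dir():
                continue
            report["files"] += 1
            name = info.filename
            data = zf.read(info)
            # A Joomla extension manifest is an XML file in the package root
            # whose root element is <extension>.
            if "/" not in name and name.lower().endswith(".xml") and b"<extension" in data:
                report["has_manifest"] = True
            if name.lower().endswith(".php"):
                report["php_files"] += 1
                text = data.decode("utf-8", errors="replace")
                if not JEXEC_GUARD.search(text):
                    report["php_without_jexec_guard"].append(name)
                for match in RISKY_CALLS.finditer(text):
                    fn = match.group(1).lower()
                    report["risky_calls"][fn] = report["risky_calls"].get(fn, 0) + 1
    return report


def build_sample_package():
    """Constructed sample: a manifest, one guarded PHP file, one unguarded file using eval()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mod_example.xml",
                    '<?xml version="1.0"?><extension type="module" version="4.0">'
                    "<name>mod_example</name></extension>")
        zf.writestr("mod_example.php", "<?php\ndefined('_JEXEC') or die;\necho 'hello';\n")
        zf.writestr("helper.php", "<?php\n$result = eval($code);\n")
    return buf.getvalue()


def build_traversal_package():
    """Constructed sample whose single entry tries to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("../../configuration.php", "<?php\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(analyse_package(build_sample_package()), indent=2))
    print(json.dumps(analyse_package(build_traversal_package()), indent=2))
```

The report is deliberately metrics-only: flagging `helper.php` for a missing guard and an `eval()` call is input for a human or for the later RIPS/ZAP stages, not a verdict. The traversal check runs before anything is written to disk, which is the property a container that unpacks untrusted uploads needs most.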