<div dir="ltr"><div><br></div><div>LARS!</div><div><br></div><div>I have not been very involved in Koha work lately but remain a faithful lurker.</div><div><br></div><div>The first thing that comes to mind which might be an obstacle to adopting something like this is the library of SQL reports. I think this is a collection of value that the community has created and maintains and gets a lot out of.</div><div><br></div><div>I'm wondering if stepping away from that would be too great a loss / too disruptive.</div><div><br></div><div>I'm totally out of date on this topic but that's just what comes to mind first.</div><div><br></div><div>-reed</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 26 November 2016 at 03:56, Lars Wirzenius <span dir="ltr"><<a href="mailto:liw@qvarnlabs.com" target="_blank">liw@qvarnlabs.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi, Koha developers,<br>
<br>
some of you may remember me from the Debian packaging of Koha I made<br>
in 2010 for Catalyst IT. I've never looked much at the actual code<br>
base of Koha, but one thing that even a quick grep reveals is that SQL<br>
code is sprinkled all over the code base. To me, this indicates that<br>
the application code ("business logic") and the way data is stored are<br>
closely coupled, and that's generally not a good thing. Among other<br>
things, if there's a need so change the database schema, or database<br>
engine, the whole code base might be affected.<br>
<br>
In my current job we develop a storage system (roughly, "database, but<br>
with better access control") with an emphasis on privacy. Our software<br>
is free software released under the Affero GPL, version 3 or later. I<br>
suggest that our software (called Qvarn) would be worth considering<br>
for Koha.<br>
<br>
A summary of my impression of the situation:<br>
<br>
* Koha stores very sensitive information about people's reading<br>
habits.<br>
<br>
* In the EU the new General Data Protection Regulation (GDPR) is in<br>
effect (with a transition period until some time in 2014), which<br>
requires everyone who collects or stores personal information to<br>
take good care so the data doesn't leak and violate people's<br>
privacy. Koha, or at least libraries using Koha, would seem to fall<br>
under this (IANAL, TINLA, AYOL).<br>
<br>
* At minimum, a "privacy impact assessment" needs to be made.<br>
Basically, think about what the happens to the people whose data it<br>
is that gets leaked. (Best to assume it will be.)<br>
<br>
* Koha stores all its data (including the personal stuff) in<br>
MySQL/MariaDB. There is no clean abstraction layer, which means SQL<br>
is all over the code base, making things harder to change. I think<br>
it would be good for Koha to add an abstraction layer even if Koha<br>
stays with MySQL.<br>
<br>
* Qvarn was designed from the ground up with privacy and security in<br>
mind. It is meant to be the least weak link in the chain to protect<br>
privacy of the data it stores. It's still under active development,<br>
and doesn't have all the planned features yet. It's backed by my new<br>
company, QvarnLabs, and is in production use already, storing around<br>
a million personal identities.<br>
<br>
* Qvarn provides a RESTful HTTP(S) JSON API, meaning there's no<br>
per-client/per-user session state on the Qvarn side. Makes it really<br>
easy to use, from the client, in my opinion. All data is in JSON<br>
form, which also makes things easier to use, in my opinion. It's<br>
conceptually JSON objects, not tables/columns. Qvarn uses Postgres<br>
behind the scenes, at least for now, but that's not visible to API<br>
clients (read: we could replace it with individual files on disk and<br>
you'd not notice).<br>
<br>
* Qvarn requires the use of Gluu (see <a href="http://gluu.org" rel="noreferrer" target="_blank">gluu.org</a>) for authentication and<br>
authorization. Gluu is an identity management server, which is also<br>
free software. We aim to hide Gluu entirely behind the Qvarn API,<br>
and already mostly do that, so it's not something you need to know<br>
much about, except that operationally it's a bit tricky, since it's<br>
harder to deploy than Qvarn itself it (Qvarn comes as a .deb).<br>
<br>
Here's my thoughts about Koha using Qvarn:<br>
<br>
* First step would be to change Koha to have a suitable abstraction<br>
layer for storing data. I imagine this will be a big job.<br>
<br>
* Second step would be to model the data Koha stores in Qvarn resource<br>
types, i.e., decide which types of records should be and what they<br>
should contain.<br>
<br>
* Third step is ...<br>
<br>
* Fourth step is profit.<br>
<br>
Benefits to Koha as far as I can see:<br>
<br>
* Abstraction layer: cleaner code, easier database related changes in<br>
the future, possibly a better test suite as a side effect.<br>
<br>
* Qvarn: more privacy protection for user data, maybe (this is my<br>
highly personal and biased opinion) a nicer way to store/access the<br>
data.<br>
<br>
What do you think? Is this something that the Koha community might<br>
want? I don't want to waste your time or anyone else's time if it's<br>
not interesting. However, if it is interesting, QvarnLabs is willing<br>
to work on making sure Qvarn is good for Koha.<br>
<br>
Note: though both Qvarn and Koha are developed/supported by companies,<br>
they're free software and also free to use. This is not unlike Koha<br>
itself.<br>
<br>
I'm happy to answer any questions you may have, preferably on the<br>
koha-devel list.<br>
______________________________<wbr>_________________<br>
Koha-devel mailing list<br>
<a href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-<wbr>community.org</a><br>
<a href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" rel="noreferrer" target="_blank">http://lists.koha-community.<wbr>org/cgi-bin/mailman/listinfo/<wbr>koha-devel</a><br>
website : <a href="http://www.koha-community.org/" rel="noreferrer" target="_blank">http://www.koha-community.org/</a><br>
git : <a href="http://git.koha-community.org/" rel="noreferrer" target="_blank">http://git.koha-community.org/</a><br>
bugs : <a href="http://bugs.koha-community.org/" rel="noreferrer" target="_blank">http://bugs.koha-community.<wbr>org/</a><br>
</blockquote></div><br></div>