<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:remialcxesans;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:115491973;
mso-list-template-ids:-346777416;}
@list l0:level1
{mso-level-start-at:2;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-start-at:2;
mso-level-number-format:alpha-lower;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:447044500;
mso-list-template-ids:511590630;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2
{mso-list-id:517547482;
mso-list-type:hybrid;
mso-list-template-ids:-859944090 201916431 201916441 201916443 201916431 201916441 201916443 201916431 201916441 201916443;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>I’ve been thinking about this more today, and I think that I’m coming around to the plugin idea. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I still think it would be a good idea to have an event-driven messaging system, but it seems to me that adding that system will take a lot more work/discussion/thinking/experimenting than just improving plugin security and plugin tooling… so I might return to looking at some of the following:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bug 28499 - Add support for no-UI / administrative plugins<o:p></o:p></p><p class=MsoNormal><a href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28499">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28499</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bug 25672 - Administrators should be able to disable client-side plugin upload<o:p></o:p></p><p class=MsoNormal><a href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25672">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25672</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bug 25370 - Create allowlist of plugins allowed to be installed by Web UI<o:p></o:p></p><p class=MsoNormal><a href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25370</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bug 24632 - Plugins should support simple signing for security/verifiability<o:p></o:p></p><p class=MsoNormal><a href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bug 25671 - Install 1 Koha plugin for X Koha instances using the CLI<o:p></o:p></p><p class=MsoNormal><a href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25671">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25671</a><o:p></o:p></p><p class=MsoNormal>Bug 28498 - Add CLI counterpart for plugin actions<o:p></o:p></p><p class=MsoNormal><a href="https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28498">https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28498</a><o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>At the moment, I’m more concerned with security than logistics I think.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I think the most feasible option with the least amount of work is probably going to be Bug 25370. I’ll default to allowing all plugins to be loaded, and then locally I’ll just make sure that all instances have a restricted list. That should make everyone happy… <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>David Cook<o:p></o:p></p><p class=MsoNormal>Senior Software Engineer<o:p></o:p></p><p class=MsoNormal>Prosentient Systems<o:p></o:p></p><p class=MsoNormal>Suite 7.03<o:p></o:p></p><p class=MsoNormal>6a Glen St<o:p></o:p></p><p class=MsoNormal>Milsons Point NSW 2061<o:p></o:p></p><p class=MsoNormal>Australia<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Office: 02 9212 0899<o:p></o:p></p><p class=MsoNormal>Online: 02 8005 0595<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Koha-devel <koha-devel-bounces@lists.koha-community.org> <b>On Behalf Of </b>dcook@prosentient.com.au<br><b>Sent:</b> Friday, 3 December 2021 9:59 AM<br><b>To:</b> 'Marcel de Rooy' <M.de.Rooy@rijksmuseum.nl>; 'koha-devel' <koha-devel@lists.koha-community.org><br><b>Subject:</b> Re: [Koha-devel] [Changed topic] Action hooks<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>That’s cool to hear, Marcel! Happy to share my thoughts.<o:p></o:p></p><p class=MsoNormal>A couple reasons I don’t want to use plugins:<o:p></o:p></p><ol style='margin-top:0cm' start=1 type=1><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level1 lfo3'>I don’t want to turn on Koha plugins for 100+ different Koha instances around the world.<o:p></o:p></li><ol style='margin-top:0cm' start=1 type=a><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level2 lfo3'>Overall, I think the Koha plugin system is insecure, and allows library staff too much control over the system. I typically keep it disabled with only a few exceptions. (I’ve opened a few bugs and provided a few patches for improving plugin security but they haven’t gone anywhere yet on Bugzilla.)<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level2 lfo3'>I also wouldn’t want library staff to potentially meddle with the plugin I install. I think this plugin is really a system plugin rather than a user plugin. It should be invisible to library staff.<o:p></o:p></li></ol><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level1 lfo3'>I’d be looking to install/upgrade plugin code on 100+ different Koha instances which presents a maintenance challenge<o:p></o:p></li><ol style='margin-top:0cm' start=1 type=a><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level2 lfo3'>While I think some vendors use Ansible to do this, I’m not currently satisfied with the CLI plugin tooling for install/upgrade/downgrade/uninstall. (I’ve done some work on this as well on Bugzilla but the work hasn’t progressed and it’s dropped down my priority list.)<o:p></o:p></li></ol></ol><p class=MsoListParagraph style='margin-left:108.0pt;text-indent:-108.0pt;mso-text-indent-alt:-9.0pt;mso-list:l2 level3 lfo3'><![if !supportLists]><span style='mso-list:Ignore'><span style='font:7.0pt "Times New Roman"'> </span>i.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Using an Ansible push also isn’t an option in some security/operational contexts. In some contexts, you provide artifacts and leave deployment/operations up to a different team<o:p></o:p></p><ol style='margin-top:0cm' start=2 type=1><ol style='margin-top:0cm' start=2 type=a><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level2 lfo3'>I rather install this “system plugin” 1 time on a server rather than X times. (I think this is something some other vendors have struggled with and worked around as well.)<o:p></o:p></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l2 level2 lfo3'>I’d need to change the instance creation process to install this plugin as well. (Not the end of the world but a bit annoying and introduces more room for errors.)<o:p></o:p></li></ol></ol><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>That said, the hooks already exist, so I can see the appeal, and I can see how they’d work well for other people, especially with fewer Koha instances to manage. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I suppose it mostly comes down to control, security, and maintenance/management. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Also, other systems like Dspace and Fedora write out to message queues out of the box, and it makes it easy to add integrations to them without touching the core application at all. It would be great if Koha could do the same without needing a plugin. (If it were core functionality, we could use it for indexing as well and replace the “zebraqueue”.)<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>David Cook<o:p></o:p></p><p class=MsoNormal>Senior Software Engineer<o:p></o:p></p><p class=MsoNormal>Prosentient Systems<o:p></o:p></p><p class=MsoNormal>Suite 7.03<o:p></o:p></p><p class=MsoNormal>6a Glen St<o:p></o:p></p><p class=MsoNormal>Milsons Point NSW 2061<o:p></o:p></p><p class=MsoNormal>Australia<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Office: 02 9212 0899<o:p></o:p></p><p class=MsoNormal>Online: 02 8005 0595<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US>From:</span></b><span lang=EN-US> Koha-devel <<a href="mailto:koha-devel-bounces@lists.koha-community.org">koha-devel-bounces@lists.koha-community.org</a>> <b>On Behalf Of </b>Marcel de Rooy<br><b>Sent:</b> Thursday, 2 December 2021 6:15 PM<br><b>To:</b> 'koha-devel' <<a href="mailto:koha-devel@lists.koha-community.org">koha-devel@lists.koha-community.org</a>><br><b>Subject:</b> Re: [Koha-devel] [Changed topic] Action hooks<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>> I also have a use case where I want to send Koha biblio data elsewhere on create/update/delete, but Koha plugins won't be suitable. I've been thinking that it would be good to publish a message to a RabbitMQ topic on biblio create/update/delete. In fact, that could potentially replace the existing C4::Biblio::_after_biblio_action_hooks and Koha::Item::_after_item_action_hooks functions, and then the background_jobs_worker.pl or some other work could invoke the plugins.<o:p></o:p></span></p></div><div><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am running plugins to do the same for some time already. They are pushing these crud actions to a message queue. Works fine for me. Could you tell what makes plugins not suitable for that task?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div><div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="100%" style='width:100.0%'><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-family:"Verdana",sans-serif;color:#000001'> </span><span style='font-size:1.0pt;font-family:remialcxesans;color:white'></span><span style='font-family:"Verdana",sans-serif;color:#000001'><o:p></o:p></span></p></td></tr><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="https://www.rijksmuseum.nl/nl/zien-en-doen/tentoonstellingen/vergeet-me-niet" target="_blank" id=LPlnk689713><span style='font-size:1.0pt;text-decoration:none'><img border=0 width=180 height=79 style='width:1.875in;height:.8229in' id="Picture_x0020_1" src="cid:image001.jpg@01D7ED01.C2FADE50" alt="Vergeet me niet. Van 1 oktober 2021 tot 16 januari 2022."></span></a><span style='font-size:1.0pt;color:#000001'><o:p></o:p></span></p></td></tr><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-family:"Verdana",sans-serif;color:#000001'><br></span><span style='font-family:"Arial",sans-serif;color:#000001'></span><span style='font-family:"Verdana",sans-serif;color:#000001'>Ook in het Rijksmuseum:<br></span><span style='font-family:"Arial",sans-serif;color:#000001'></span><span style='font-family:"Verdana",sans-serif;color:#000001'><a href="https://www.rijksmuseum.nl/nl/zien-en-doen/tentoonstellingen/henk-wildschut" target="_blank" id=LPlnk689713><strong><span style='font-family:"Verdana",sans-serif;color:#000001;font-weight:normal;text-decoration:none'>Document Nederland 2021: Afstand. Henk Wildschut fotografeert corona</span></strong></a><br></span><span style='font-family:"Arial",sans-serif;color:#000001'></span><span style='font-family:"Verdana",sans-serif;color:#000001'><a href="https://www.rijksmuseum.nl/nl/zien-en-doen?filter=familiemaand" target="_blank" id=LPlnk689713><span style='color:#000001;text-decoration:none'><br></span></a></span><span style='font-family:"Arial",sans-serif;color:#000001'></span><span style='font-family:"Verdana",sans-serif;color:#000001'><o:p></o:p></span></p></td></tr><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'></td></tr><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="https://www.instagram.com/rijksmuseum/" target="_blank" id=LPlnk689713><span style='font-size:1.0pt;text-decoration:none'><img border=0 width=25 height=25 style='width:.2604in;height:.2604in' id="Picture_x0020_2" src="cid:image002.png@01D7ED01.C2FADE50"></span></a><span style='font-size:1.0pt'><o:p></o:p></span></p></td><td valign=top style='padding:0cm 0cm 0cm 0cm'><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width=2 style='width:1.5pt'><tr><td style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-family:"Verdana",sans-serif;color:white'>x<o:p></o:p></span></p></td></tr></table></td><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="https://www.facebook.com/rijksmuseum" target="_blank" id=LPlnk689713><span style='font-size:1.0pt;text-decoration:none'><img border=0 width=25 height=25 style='width:.2604in;height:.2604in' id="Picture_x0020_3" src="cid:image003.png@01D7ED01.C2FADE50"></span></a><span style='font-size:1.0pt'><o:p></o:p></span></p></td><td nowrap valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-family:"Verdana",sans-serif;color:white'>x<o:p></o:p></span></p></td><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="https://www.linkedin.com/company/rijksmuseum/" target="_blank" id=LPlnk689713><span style='font-size:1.0pt;text-decoration:none'><img border=0 width=25 height=25 style='width:.2604in;height:.2604in' id="Picture_x0020_4" src="cid:image004.png@01D7ED01.C2FADE50"></span></a><span style='font-size:1.0pt'><o:p></o:p></span></p></td><td nowrap valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><span style='font-family:"Verdana",sans-serif;color:white'>x<o:p></o:p></span></p></td><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><a href="https://twitter.com/rijksmuseum" target="_blank" id=LPlnk689713><span style='font-size:1.0pt;text-decoration:none'><img border=0 width=25 height=25 style='width:.2604in;height:.2604in' id="Picture_x0020_5" src="cid:image005.png@01D7ED01.C2FADE50"></span></a><span style='font-size:1.0pt'><o:p></o:p></span></p></td></tr></table></td></tr><tr><td valign=top style='padding:0cm 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#00B050'><br></span></b><b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#00B050'></span></b><b><span style='font-size:9.0pt;font-family:"Verdana",sans-serif;color:#00B050'>Please think before you print<o:p></o:p></span></b></p></td></tr></table></td></tr></table><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>