Tech Call Agenda - 2025-12-15

[cdils]

Meeting Purpose: Deep-dive, hands-on technical work & implementation for FAIR.

Audience: All technical contributors (not just committee members).

Please add agenda items as comments below and up-vote on the items you'd like to discuss.

Meeting details

• Meeting is December 15, 2025 – 17:30 UTC (see it in your time zone)
• Link to Join Meeting via Zoom
• Link to Calendar

How to join

This call is open to anyone, but note that you need to have a profile/account at OpenProfile.dev to join the call.

Reminders

FAIR is part of the Linux Foundation. Meeting attendees are subject to both the Code of Conduct and the LF Antitrust Policy.

This meeting is recorded and publicly available via your OpenProfile.dev account.

[toderash]

For FAIR Beacon: Summarize Slack discussion with @afragen @costdev @namithj @jdevalk concerning 403 Errors and potentially caching zip files in Beacon. Add discussion of caching image assets as well due to potential PI leakage with hotlinking.

[afragen]

I think we need to actually determine the cause of the 403 errors before deciding on a solution.

[toderash]

For FAIR Connect & Beacon: (from Slack thread) propose we deprecate sha256 now in favour of sha384 or better (in addition to Ed25519). While sha256 is still widely used, it's gradually falling out of favour with stronger options being readily available. The FAIR Protocol docs call for supporting sha256, but security recommendations suggest we don't. We're starting fresh with no burden of backward compatibility, so it makes sense to start high and avoid having to deprecate later.

[toderash]

primarily a documentation-update task at this stage.

[namithj]

Fair Onboarding Github Action

1. Repo needs creation
2. Decision on the parser to use (consensus on slack is to adopt https://github.com/afragen/wordpress-plugin-readme-parser)
3. Name for Project
4. Do we want to publish this to GitHub Actions Marketplace
5. License to use

[jazzsequence]

Video demo https://fair.slack.com/files/U09925J1MFA/F0A39TUR9PD/video_2025-12-14_142632.mp4

[rmccue]

License here needs to be GPL as we're using the GPL-licensed readme parser.

[jazzsequence]

Name to be determined in Slack

[rmccue]

Name we'll discuss in Slack further; idea from me is "FAIR Pulse", because a pulse is like a really light version of a beacon.

[afragen]

1.2.1??

[rmccue]

tldr: yes, let's do it.

[rmccue]

@cdils will release-lead this.

[rmccue]

AI-generated notes:

GitHub Asset Caching & Rate Limiting Solutions

• Fair Beacon experiencing 403 errors when updating GitHub-hosted plugins via Fair Plugin Connect
  • GitHub release asset URLs change every 5 minutes creating API call issues
  • Rate limiting hits when multiple sites on same IP check updates simultaneously
• Proposed solution: Content-addressable caching system
  • Store zip files with hash-based addressing for immutability
  • Add signed query parameters to prevent abuse as arbitrary redirector
  • 10-minute grace period before caching new releases (prevents immediate re-releases from propagating)
• Implementation considerations:
  • Use SHA-384 for signing (WordPress requirement - SHA-256 won’t work)
  • Make caching optional for beacon operators who want to be canonical host
  • Design hierarchical cache system that can be mirrored across SpireCloud network

WordPress Plugin Metadata & Protocol Updates

• Bug discovered in 1.2 release: plugin failed when optional metadata missing
  • Issue caused by strict protocol adherence - missing “suggests” header broke loops
  • Patch ready for 1.0.1 release to handle missing optional fields gracefully
• Protocol requirements discussion:
  • Need to define which WordPress metadata fields are required vs optional
  • Should match [WordPress.org](http://WordPress.org) core requirements as baseline
  • Add guardrails for incomplete configurations - fail gracefully rather than break
• Two PRs pending review for installation checks (#227, #329 from issue #228)
  • Both functional, stylistic differences only
  • Need team feedback by Wednesday or Colin’s version will be committed

Infrastructure & Deployment Improvements

• Server deployment process needs documentation and simplification
  • Ryan to walk team through current confusing setup (1 hour session needed)
  • No documentation exists for adding new plugins to system
• Proposed stack modernization:
  • Chuck working on new Franken PHP + Caddy setup to replace current two-container system
  • Uses Roots Bedrock with environment-specific directories
  • Eliminates complex FPM tuning issues
  • Draft PR available for team review in server repo
• Additional infrastructure work:
  • Staging environment setup in progress
  • Self-hosted Playground version being developed
  • Auto-deployment pipeline needed
• Schema addition planned for all JSON configuration files