Shibboleth Developer's Meeting, 2019-01-18
Call Administrivia
10:00 Central US / 11:00 Eastern US / 16:00 UK
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-02-01. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
- LDAPocalypse Now
Attendees:
Brent
- Per Scott's request, looking at the Spring MVC Velocity deprecation issue. Various questions:
- What should the replacement be (essentially and mostly: FreeMarker vs Thymeleaf)? Or maybe an option for both?
- Replace Velocity everywhere or just Spring MVC usage?
- (radical) Join or start the "Save Velocity!" train: get Spring MVC support added to Velocity Tools. Somebody may eventually do it. Maybe that's us?
...
JPAR-102 - New plan for "pin/key map" :
fingerprint|checksum artifact-coordinate-pattern
- Use checksum rather than PGP fingerprint when unsigned or bad signature
- Use fingerprint rather than key ID because there could be collisions
- Should we use wildcards/patterns in the artifact-coordinate-pattern ?
- Yes for our artifacts
- Maybe for other artifacts (like Spring)
- Append to "pin" list or remove no longer used map entries ?
- IdP 3.4.3 has 1150 artifact dependencies in the stack (including Maven plugins)
- 250 are unsigned (22 %)
- 3 have bad signatures (org.apache.struts:struts-taglib|core|tiles:pom:1.3.8)
- no weak (as defined by the pgpverify plugin) signatures
- The count of 1150 includes POMs
- Need Jenkins to sign SNAPSHOTs (since checksums will change)
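An added sketch, not the project's code or its actual map format, of how a checker could apply the "fingerprint|checksum artifact-coordinate-pattern" map outlined above. Assumptions: whitespace-separated fields, `#` comments, SHA-256 for checksum pins, shell-style `*` wildcards over `group:artifact:type:version` coordinates, and a matching checksum pin being accepted for signed artifacts as well; the fingerprint, the `org.example` coordinate and the artifact bytes are constructed.

```python
import fnmatch
import hashlib
import string

# Constructed sample data: nothing here is a real key, artifact or pin.
SIGNER_FPR = "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
UNSIGNED_JAR = b"constructed bytes standing in for an unsigned jar"
SAMPLE_MAP = f"""\
# fingerprint|checksum  artifact-coordinate-pattern
{SIGNER_FPR}  net.shibboleth.*:*:*:*
{hashlib.sha256(UNSIGNED_JAR).hexdigest()}  org.example:unsigned-lib:jar:1.0
"""

def parse_pin_map(text):
    """Parse '<pin> <pattern>' lines into (kind, pin, pattern) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<pin> <pattern>'")
        pin, pattern = fields
        # Length decides the kind: 40 hex digits is a full v4 PGP fingerprint,
        # 64 is a SHA-256 checksum (assumption). 8- or 16-digit key IDs are
        # rejected because key IDs can collide.
        kind = {40: "fingerprint", 64: "checksum"}.get(len(pin))
        if kind is None or not all(c in string.hexdigits for c in pin):
            raise ValueError(f"line {lineno}: pin is not a full fingerprint or checksum")
        pin = pin.upper() if kind == "fingerprint" else pin.lower()
        entries.append((kind, pin, pattern))
    return entries

def check_artifact(entries, coordinate, data, valid_sig_fpr=None):
    """Return 'ok', 'mismatch' or 'unpinned' for one resolved artifact.

    valid_sig_fpr is the signer's fingerprint only when signature verification
    succeeded; pass None for an unsigned artifact or a bad signature.
    """
    pins = {(kind, pin) for kind, pin, pattern in entries
            if fnmatch.fnmatchcase(coordinate, pattern)}
    if not pins:
        return "unpinned"
    if valid_sig_fpr is not None and ("fingerprint", valid_sig_fpr.upper()) in pins:
        return "ok"
    # Unsigned or badly signed artifacts can only satisfy a checksum pin.
    if ("checksum", hashlib.sha256(data).hexdigest()) in pins:
        return "ok"
    return "mismatch"
```

Because `*` here also matches `:`, a pattern such as `org.example:*` would cover every type and version under that group, so wildcard entries need the same review as the pins themselves.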
Initial install of Nexus NXRM 3 to take a look at capabilities (INFRA-196) - Should we proxy Maven Central ? (probably, so we can discontinue use of it directly)
- Context/path name ?
/nexus3
- Some links :
- New plan for "pin/key map" :
...