...
Java 17 RC is out, final RC imminent, GA on 2021-09-14
Proposed to target Java 18: https://openjdk.java.net/jeps/400
Debian 11 (Bullseye) released
Includes an up-to-date Java 11.
Includes an earlier EA of Java 17, to be upgraded.
See https://shibboleth.atlassian.net/browse/GEN-281 for details of evaluation.
I think we can add this to the “partially supported” list in https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1177321655/Java+Distributions#Java-Distributions-for-the-Java-11-Platform (but only for Java 11 for now, of course) and call it a day.
John
Marvin
Phil
Rod
JavaScript
Jira Legacy server System JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId f52c7d31-6eab-3f0e-93c3-231b5754d506 key IDP-1853 Jira Legacy server System JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId f52c7d31-6eab-3f0e-93c3-231b5754d506 key JSCRIPTING-9 What to call it?
Supply Chain attack. Hibernate and JBOSS worry me
Dependency on a 8 year old and 3 major versions out of date parser (ANTLR)
Recent, required jars are unsigned.
Do we shake their tree or suck it up? If the latter can someone sign these jars and pop the asc files into our repository)
NOTE that this trick only works for as long as build.shibboleth.net remains definitive for our builds. If we move to a site we don’t own we are back being open to attack at any time. (Modulo hard wired overrides for insecure jars)