Page Comparison

...

• https://shibboleth.atlassian.net/browse/IDP-1853 (notes under “Rod”)

• Flip the default “Nashorn” plugin to be JDK based and leave graal an option. (Notes under “Rod”)

• https://shibboleth.atlassian.net/browse/JPAR-182 (Notes under “Rod”)

• Deploy to Maven Central (Tom)

  • proposal : go ahead and deploy to Maven Central as-is, and schedule moving our <repo> to a profile
    summary : proposal accepted, will update the OSSRH ticket and give it a week or so

Add items for discussion here

Attendees:

Brent

• Java socket server: Some progress integrating Scott’s DDF code for a more realistic proof-of-concept of Spring Integration. Overall, more optimistic that Integration could be the solution.

Daniel

Henri

• https://shibboleth.atlassian.net/browse/JOIDC-52

  • The bug was related to token and userinfo endpoints

  • The flow tests now improved for all backend OAuth2/OIDC flows dealing with tokens

  • Some incompatibilities with legacy tokens remain due to consent refactoring before V3, see table (currently restricted, to be added under release notes for 3.0.2)

• https://shibboleth.atlassian.net/browse/JOIDC-55

  • The custom counters/timers seem to work after adding evaluation of PopulateMetricContext after prc has been initialized

• https://shibboleth.atlassian.net/browse/JOIDC-21

  • Once this is done, could also help OIDC RP for the same topic?

Ian

• Java 17 RC is out, final RC imminent, GA on 2021-09-14

• Proposed to target Java 18: https://openjdk.java.net/jeps/400

• Debian 11 (Bullseye) released

  • Includes an up-to-date Java 11.

  • Includes an earlier EA of Java 17, to be upgraded.

  • See https://shibboleth.atlassian.net/browse/GEN-281 for details of evaluation.

  • I think we can add this to the “partially supported” list in https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1177321655/Java+Distributions#Java-Distributions-for-the-Java-11-Platform (but only for Java 11 for now, of course) and call it a day.

John

• Discussed Jenkins approaches with Tom

• Modest progress on standing up my own Jenkins instance to abuse, hindered by network troubleshooting

Marvin

Phil

• Nothing really (holidays)

• Started back on https://shibboleth.atlassian.net/browse/JCOMOIDC-23 yesterday.

• Realised I was not on the Users mailing list, and a few questions had gone by about the DuoOIDC plugin. Not sure I can respond retrospectively. I could add some input to two of them via a new mail to the list?

Rod

• JavaScript

  • https://shibboleth.atlassian.net/browse/IDP-1853

  • https://shibboleth.atlassian.net/browse/JSCRIPTING-9

    • What to call it?

• Supply Chain attack. Hibernate and JBOSS worry me

  • Dependency on a 8 year old and 3 major versions out of date parser (ANTLR)

  • Recent, required jars are unsigned.

  • Do we shake their tree or suck it up? If the latter can someone sign these jars and pop the asc files into our repository)

    • NOTE that this trick only works for as long as build.shibboleth.net remains definitive for our builds. If we move to a site we don’t own we are back being open to attack at any time. (Modulo hard wired overrides for insecure jars)

• Wiki Conversion as a background activity.

...

• Deploy artifacts to Maven Central ? yes

  • Confirmed changes to artifacts currently in Central (removal of our <repo>s from POMs)

    • (wrote script to download artifacts from Central under org/opensaml and net/shibboleth and diff with Nexus)

  • Us or someone else ?

  • Move <repo> to profile ? maybe, depends

    • Scheduling ? either parent 4.2 or 5.x

    • Versioning ?

      • minor bump to parent POM ? minor bump seems ok

  • https://issues.sonatype.org/browse/OSSRH-72201

...