Shibboleth Developer's Meeting, 2019-01-18
Call Administrivia
10:00 Central US / 11:00 Eastern US / 16:00 UK
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-02-01. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDAAdd items for discussion here
- LDAPocalypse Now
Attendees:
Brent
- Per Scott request, looking at the Spring MVC Velocity deprecation issue. Various questions:
- What should be replacement (essentially and mostly: FreeMarker vs ThymeLeaf)? Or maybe option for both?
- Replace Velocity everywhere or just Spring MVC usage?
- (radical) Join or start the "Save Velocity!" train: get Spring MVC support added to Velocity Tools. Somebody may eventually do it. Maybe that's us?
Daniel
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1357
Ian
- Been defocused for the last couple of months for various reasons I won't get into, but should be back and more active now.
- Main activity is the push to Java 11. Will hold off making the actual change as long as possible, so that the
java-parent-projectmasterbranch uses Java 8 as long as possible. - What are known blockers, if any, in our code for a Java 11 transition? Or is it solely the tooling?
- Will use the MDA, as usual, as the canary for the transition when it comes.
Marvin
Phil
- Progressing IDP-1393
- Looking at Globus Auth as an OP.
Rod
- 3.4.3
- Some rationalization in JIRA
- Keeping track with changes
- NOTE
- I'll be travelling during the call and on a train. I'll connect in as much as I can but even if I'm in the meeting I'll be silent. Apologies.
- I'll be travelling during the call and on a train. I'll connect in as much as I can but even if I'm in the meeting I'll be silent. Apologies.
Scott
- Fixed an SP macport issue
- C++ modernization issue, might be dated to last OS X version or Xcode tools bump
- Nobody reported it for weeks, implying to me we should be looking at dropping OS X support, officially speaking at least
- Started removed some dead features not involving large code changes
- Migrated "internal" AES-GCM calls to JCE
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1390 - Ended up with a less hacky version of my "reloadable" Spring scope, a Managed Bean service for user-defined reloadable beans
Tom
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key JPAR-102 - New plan for "pin/key map" :
fingerprint|checksum artifact-coordinate-pattern- Use checksum rather than PGP fingerprint when unsigned or bad signature
- Use fingerprint rather than key ID because there could be collisions
- Should we use wildcards/patterns in the artifact-coordinate-pattern ?
- Yes for our artifacts
- Maybe for other artifacts (like Spring)
- Append to "pin" list or remove no longer used map entries ?
- IdP 3.4.3 has 1150 artifact dependencies in the stack (including Maven plugins)
- 250 are unsigned (22 %)
- 3 have bad signatures (org.apache.struts:struts-taglib|core|tiles:pom:1.3.8)
- no weak (as defined by the pgpverify plugin) signatures
- The count of 1150 includes POMs
- Need Jenkins to sign SNAPSHOTs (since checksums will change)
Initial install of Nexus NXRM 3 to take a look at capabilitiesJira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key INFRA-196 - Should we proxy Maven Central ? (probably, so we can discontinue use of it directly)
- Context/path name ?
/nexus3
- Some links :
- New plan for "pin/key map" :
Other