Versions Compared

Old Version 9

changes.mady.by.user Brent Putman

Saved on

compared with

New Version Current

changes.mady.by.user Ian Young

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Shibboleth Developer's Meeting, 2019-01-18

Call Administrivia

10:00 Central US / 11:00 Eastern US / 16:00 UK

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-02-01. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

  1. LDAPocalypse Now


Attendees:


Brent

  • Per Scott request, looking at the Spring MVC Velocity deprecation issue.  Various questions:
    • What should be replacement (essentially and mostly: FreeMarker vs ThymeLeaf)?  Or maybe option for both?
    • Replace Velocity everywhere or just Spring MVC usage?
    • (radical) Join or start the "Save Velocity!" train: get Spring MVC support added to Velocity Tools.  Somebody may eventually do it.  Maybe that's us?


Daniel

  • Jira Legacy
    serverShibboleth JIRA
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyIDP-1357

Ian

  • Been defocused for the last couple of months for various reasons I won't get into, but should be back and more active now.
  • Main activity is the push to Java 11. Will hold off making the actual change as long as possible, so that the java-parent-project master branch uses Java 8 as long as possible.
  • What are known blockers, if any, in our code for a Java 11 transition? Or is it solely the tooling?
  • Will use the MDA, as usual, as the canary for the transition when it comes.

...

  • Jira Legacy
    serverShibboleth JIRA
    serverId180d847f-bce4-36b2-9964-771bff586829
    keyJPAR-102

    • New plan for "pin/key map" : fingerprint|checksum artifact-coordinate-pattern
      • Use checksum rather than PGP fingerprint when unsigned or bad signature
      • Use fingerprint rather than key ID because there could be collisions
      • Should we use wildcards/patterns in the artifact-coordinate-pattern ?
        • Yes for our artifacts
        • Maybe for other artifacts (like Spring)
      • Append to "pin" list or remove no longer used map entries ?
    • IdP 3.4.3 has 1150 artifact dependencies in the stack (including Maven plugins)
      • 250 are unsigned (22 %)
      • 3 have bad signatures (org.apache.struts:struts-taglib|core|tiles:pom:1.3.8)
      • no weak (as defined by the pgpverify plugin) signatures
      • The count of 1150 includes POMs
    • Need Jenkins to sign SNAPSHOTs (since checksums will change)
    • Jira Legacy
      serverShibboleth JIRA
      serverId180d847f-bce4-36b2-9964-771bff586829
      keyINFRA-196
       Initial install of Nexus NXRM 3 to take a look at capabilities
      • Should we proxy Maven Central ? (probably, so we can discontinue use of it directly)
      • Context/path name ? /nexus3 
    • Some links :

...