Shibboleth Developer's Meeting, 2021-08-20

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2021-09-03. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

• https://shibboleth.atlassian.net/browse/IDP-1853 (notes under “Rod”)

• Flip the default “Nashorn” plugin to be JDK based and leave graal an option. (Notes under “Rod”)

• https://shibboleth.atlassian.net/browse/JPAR-182 (Notes under “Rod”)

• Deploy to Maven Central (Tom)

Add items for discussion here

Attendees:

Brent

Daniel

Henri

Ian

• Java 17 RC is out, final RC imminent, GA on 2021-09-14

• Proposed to target Java 18: https://openjdk.java.net/jeps/400

• Debian 11 (Bullseye) released

  • Includes an up-to-date Java 11.

  • Includes an earlier EA of Java 17, to be upgraded.

  • See https://shibboleth.atlassian.net/browse/GEN-281 for details of evaluation.

  • I think we can add this to the “partially supported” list in https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1177321655/Java+Distributions#Java-Distributions-for-the-Java-11-Platform (but only for Java 11 for now, of course) and call it a day.

John

Marvin

Phil

Rod

• JavaScript

  • https://shibboleth.atlassian.net/browse/IDP-1853

  • https://shibboleth.atlassian.net/browse/JSCRIPTING-9

    • What to call it?

• Supply Chain attack. Hibernate and JBOSS worry me

  • Dependency on a 8 year old and 3 major versions out of date parser (ANTLR)

  • Recent, required jars are unsigned.

  • Do we shake their tree or suck it up? If the latter can someone sign these jars and pop the asc files into our repository)

    • NOTE that this trick only works for as long as build.shibboleth.net remains definitive for our builds. If we move to a site we don’t own we are back being open to attack at any time. (Modulo hard wired overrides for insecure jars)

• Wiki Conversion as a background activity.

Scott

• https://shibboleth.atlassian.net/browse/GEN-268

  • /wiki/spaces/DEV/pages/2765979673

  • Will shut off Jira and downsize the server after Sep 1.

  • Will archive all the Apache configs and remove the old rules, may turn off the SP, EDS, etc.

  • SP metadata is in InCommon, managed by OSU, will remove after that date.

Tom

• Deploy artifacts to Maven Central ?

  • Confirmed changes to artifacts currently in Central (removal of our <repo>s from POMs)

  • Us or someone else ?

  • Move <repo> to profile ?

    • Scheduling ?

Other