The last month has primarily been continuing the post-release work I mentioned last month. We have landed the feature branches that were being worked on for what will eventually be IdP and OpenSAML V5.1 and are on track to deliver those either in December or early next year, primarily based on what other bug reports or requests come in that fit the time scale or are serious enough to need addressing. We know adoption isn’t that widespread at this point but the feedback we do have on V5 is generally that it’s a non-event, and it definitely was for me.
The main change in 5.1 is the CSP support which I have not as of yet documented, but we have largely completed the technical work. This work will not impact upgraded systems. The plugins that contain views will also be addressed in time, without requiring the use of 5.1 as they will handle things themselves for now until we move beyond compatibility with 5.0. One of them (the TOTP plugin) was already updated with some of this new work because it needed to be patched for compatibility with 5.0 due to a mistake on my part.
We have mostly finished our plans for the generation and publication of Javadocs going forward and at least for now we intend not to build and publish javadoc artifacts to our Nexus repository to allow is to decouple the Javadoc process from the releases. This is an experiment as we don’t fully know what the impact might be on IDEs like Eclipse if the jars aren’t there. We will of course continue to deploy source artifacts, it’s only the javadoc jars we intend to omit. If that presents a significant problem, we will revisit it, otherwise we expect to publish them directly to the web site as a separate process during releases. A side benefit is that our CI builds are faster and should take less compute resources in AWS.
We have started work on prototyping WebAuthn support in a new plugin project, and hope to see some concrete results from that by early next year. In parallel we are continuing work on smaller enhancements to the OIDC plugins driven by requests from members who are heavily utilizing that code, and as time permits also continuing with the static code analysis and remediation work that we spent time on for the IdP and OpenSAML this year. This process is labor intensive but has contined to flush out a lot of bugs so it has been a reasonable investment in time when we have the time to spend.
Another area of work right now is to automate as much as possible the process of building the Windows installers for the IdP and Jetty. These are quite labor intensive, often under pressure due to security vulnerabilities, so automating that process is very important for project maturity. Doing so securely, of course, is why it’s not easy.
The official announcement of the planned rate increases for non-NREN memberships for 2025 was sent to the members list, though the web site needs to be updated to reflect those plans. The work on estimating and proposing future budget options to the membership will take much of this month and the Board will be taking up that task in earnest in January.