2018-04-06

Shibboleth Developer's Meeting, 2018-04-06

Call Administrivia

10:00 Central US / 11:00 Eastern US / 16:00 UK

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2018-04-20. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

  1. Multiple CVE reports published for the Spring Framework

Attendees:


Brent

  • SOAP Client and SAML 2 Artifact decoder
    • Lots o' progress.  It's functional now in SP testing.  Still some work remaining on TLS vs signing, plus some unit tests and other odds/ends.
    • When we ship this in 3.4, should we enable the artifact index in batch metadata resolvers now by default?  There are arguments both ways.

Daniel

  • OSJ-227
    • Fix pushed to cryptacular


Ian

  • Java 9 now "old and busted":
    • 9.0.4 last patch release.
    • I'd nevertheless suggest that we continue to cross-test against Java 9 until we think we have moved completely past it; Java 11 release perhaps?
  • Java 10 is "the new hotness".
  • Java 11:
    • "Proposed to target Java 11": new HTTP client, incubated as JEP 110, now JEP 321. Introduction here. Includes HTTP/2. Not clear if this is actually a replacement for Apache HttpClient for our purposes, but that seems to be the intention. Do we want to investigate, given that the Apache client needs to be bumped anyway?
  • New wiki page on Java Product Platforms:
    • Please review; I'd like to convert this to policy "soon" in some sense. Agenda item next time?
    • Critical decision points:
      • What we say about support of post-Java-11 non-LTS releases
      • Support of Java 11 by Java 7 platform
      • IdP V4: Java 8 or Java 11?
  • New set of wiki pages on Java Versions:
  • JPAR-116 from last meeting: any thoughts since then? If not, will remove links to our products from parent project and rebuild them in each dependent project.
  • Researching OAuth, OIDC. Brain hurts.


Marvin


Rod

  • SP Odds and Sods.  
  • SSPCPP-761
  • To paraphrase Ian, SSPCPP-730 encoding: Brain hurts


Scott

  • SP package mirroring
  • SSPCPP-731, 8 hours for one missing character
  • SSPCPP-350
  • Exploring dynamic metadata in IdP, several issues opened
  • joda-time replacement

Tom

  • Not much change since last week
    • Jetty 9.4 tests pass on Windows
    • Some Java 10 tests do not
    • Reviewed Jetty and Tomcat default TLS cipher suites and protocols
    • TODO Windows and conditional:resources
  • Prob will ask Ian to take a second look at Jenkins' Windows Slave config and OpenJDK JAVA_HOME
  • Jenkins: should we attempt building the IdP including the Maven site with each version of Java?

Other