Shibboleth Developer's Meeting, 2023-01-20

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2023-02-03. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

AGENDA

1. Release post-mortem

2. Removal of Nexus endpoints from public network interface
   (GEN-299: Remove Nexus from public internetOpen )

3. Null remediation - appetite for wrappers?

Attendees:

Brent

Daniel

• Cannot attend today, meeting conflict.

Henri

• Apologies, offline today

• Will continue finishing and testing the new security configuration next week together with Phil

Ian

John

• SoW renewed for 2023 as of 2023-01-19

• No new updates.

• Next up: check for Docker image updates; work on “make clean”; and continue Jenkins-izing the SP build scripts.

Marvin

Phil

• Commons 2.2.0 seems to work fine in a running IdP 4.2.0. So maybe we can leave the versions on that.

• JCOMOIDC-60: JWT class naming conventionClosed - Possibly done. Probably still a bit more on the OP side to check.

• JCOMOIDC-62: Create new credential type for client_secretClosed - I wanted to make this change before the RP was built.

• JCOMOIDC-61: A128CBC-HS256 Potentially returning the wrong keysizeClosed - I think these just need changing.

• Tracking down a bug. Which I believe is in the Nimbus code. Issue raised. Truncation issue in SecretKeyDerivation

• Bugs in the certification suite (not really that important):

  • https://gitlab.com/openid/conformance-suite/-/issues/1157#note_1233913190

  • https://gitlab.com/openid/conformance-suite/-/issues/1156#note_1232834925

Rod

• JMVN-47: Release maven-dist-enforcer 3.2.0Closed

  • Litmus test for the failure that provoked this is now the java-versions-set-nightly (currently failing)

• JMVN-45: Investigate building a parent pom with the minimum subset of JPARClosed

  • This is hideous and requires us to track the parent pom for ever. But its still less hideous than the alternative

  • Can we do more pruning?

• Other release in support of 4.3.0

• Started afresh on then @Nonnull battle.

Scott

• SP (xmltooling) patch to block CipherReference, and close a few small issues

• Back to IdP cleanup

  • Made some revisions to the Action API and some deferred changes to BaseContext in OpenSAML

  • Started adding some methods to address null issues

Tom

• per last call need to create JIRAs for the IdP installer to :

  • “warn” about updating plugins first before the IdP

  • “warn” about plugin collisions

  • “update” page for the IdP displaying whether the IdP and/or plugins have updates available

• will add our Maven snapshot repo to <pluginRepositories> in Jenkins agent settings.xml

  • might should use a git repo to store settings.xml and authorized_keys, etc.

    • consider using a script to check out the repo at instance launch

• link to creating Javadoc w/o using site, would probably need to script scp
  https://maven.apache.org/plugins/maven-javadoc-plugin/usage.html
  
  

Other