Santuario

NOTE: The below applies solely to the C++ code base formerly hosted under the Apache Santuario project. The Java xmlsec library remains an active project there and the warnings below do NOT apply to it.

TL;DR

The C++ xml-security-c library has been retired at Apache and is now solely maintained by the Shibboleth Project for our use only. Use by any other project, while permitted freely under the license, is ill-advised and unsupported by the Shibboleth Project. While we continue to publish a fork of the code in our repository, and will accept bug reports and certainly security reports, we do not promise any responsiveness to third parties, and urge that no other projects rely on this code. Existing users should seek alternatives or consider forking the code for their own use.

Longer version

The Apache Santuario project is the home of the Java xmlsec library, and formerly hosted the C++ version (xml-security-c). The C++ version is the basis of the security code in the Shibboleth SP software.

After about a decade of no other committers appearing to help maintain that code, and no response to a call for objections, a decision was taken by the Santuario PMC to retire the C++ library. If you have concerns or objections over this, you are directed to register those concerns with the Apache Santuario project.

The only maintainer (us) expects to retire our usage within the coming 5-7 years at most, and retiring the Apache version and forking the code for our use allows us to more clearly signal that no other projects should consider adopting this code without also choosing to fork it for their own use. It also frees us from the obligation to make changes in response to others' needs, or to address issues that do not impact our use of the code. In fact this may result in a major revision of the library to exclude features we do not use and were thus unable to maintain to begin with. (Examples of this include the NSS and Windows crypto support, XSLT and XPath support via Xalan, and XKMS support.)

As the longtime maintainer of the original library, we have taken the liberty of retaining the library name and versioning history, and we have converted the original Subversion repository to support this. Others choosing to fork the code should rename it for their own use. The Apache license attached to the code remains the same, and we seek no changes to either copyright or license in this transition.
