Shibboleth Developer's Meeting, October 25, 2012
Attendees: Scott Cantor, Tom Zeller, Ian Young, Rod Widdowson, Daniel Fisher, Bill Thompson, Mike Grady
Infrastructure Update (15 min.)
Coverage of the Systems
Defer until future call, but Scott wants to make sure we have adequate coverage of all the systems we're running.
Nexus Issue Postmortem
A password issue with the Nexus repository's admin account was discovered. The exploit of the account took place after our last releases, and we've reverified the signatures of all of the artifacts we published. Given monitoring of the system and the dedicated nexus Linux account, the threat is to Nexus itself, and we're going to restore the system to its state prior to the exploit and then reverify everything to identify anything that might have changed.
Jira has been upgraded to 5.1 on a test VM at 22.214.171.124. We need to verify SSO functionality and Jira behavior and then schedule an upgrade in production, probably in mid-November.
IdP Update (15 min.)
Scope of 2.4
Scott wants to add a feature to the ECP handler to support the GSS-API work that NCSA has been doing, and would also like to get the IdP moved to xmlsec-1.5 to reduce the risk of that change impacting the V3 work. This will include making sure the core signature/encryption behavior is not impacted, and also determining the viability of some of the newer algorithms (very high chance of flushing out some xmlsec-c bugs).
A second goal of the release is to socialize knowledge of the Java release process in case we're under the gun to do a patch at some point. Brent, Scott, and Tom are likely to be working together on it when the time comes.
Scott pulled together open Jira issues on the xmltooling/openws/opensaml layer and will work with Brent to identify anything worth addressing there.
Bill: Unicon would like to spend some of its "giveback" time to the project on QA for the release and has also proposed adding some additional example pages to the UI that support responsive design for newer clients.
Scott/Rod: Very concerned about avoiding new features that would be a risk to pull out of V3, but changes to the pages should be low risk.
Target timeline is to complete this work by early next year and release during Q1.
SP Update (5 min.)
Progress on 2.5.1
The Apache 2.4 bug is fixed along with other issues. Not much is left to do but complete some changes to the build process for the installers. Rod will wrap that work up shortly and Scott will start on the release.
IdP V3 Project Plan (25 min.)
Scott discussed the activities (or lack thereof) of the Board since Philadelphia. The meeting planned for this week was canceled, and the next proposed date is Nov 14th. Nicole indicated we have enough done for her to start building a formal project plan around, and Scott will try to provide anything else they need without bothering the developers unless it impacts our planning.
Daniel indicated he expects to have availability to work on the project, and Scott will be pushing Nicole and the Board on that. As discussed earlier, apart from completing some LDAP work, we would be interested in having him get up to speed on OpenSAML to help out Brent and provide additional depth there.
Scott thinks that the "waiting" on contributions from some prospective members is more to do with the Board demonstrating progress than the developers at this point, and he's concerned about progress being demonstrated by the end of the year.
"Closing" on Schedule
Changes to the plan have been applied based on feedback from the previous meeting, with things like configuration, unit testing, and documentation built into the specific pieces more explicitly in Jira.
General sense was that it's doable, maybe even overly conservative, but we can't be more aggressive without risking a lot of unknowns at this point. Better to reassess next year after a couple of quarters once we have a chance to actually get going on the coding.
Jira Task Organization / Gaps
Scott has done a revamp of open tasks to move them into higher level tasks for the deliverables in the plan. This is primarily for use in rolling up time estimates for the project plan effort and we can revisit all of that once we get going and Tom has time to evaluate things over the next few months.
Scott's concern is that we're missing the "glue" work of actually validating APIs, making changes there, and pulling pieces together to do higher level functions in the IdP. This is not captured well by the current tasks. We may have to just inflate some of our estimates to account for that time for now.
Bill reiterated past conversations about Unicon having a number of hours of engineering time to donate to the project from its Cooperative Support program. The time is spent on work that is identified by their subscribers in combination with direction from the project team.
A couple of possible items were identified in the IdP 2.4 area, along with some documentation for the wiki on integration with particular vendors.
Time: 15:30 UTC