Page tree
Skip to end of metadata
Go to start of metadata

Shibboleth Developer's Meeting, 2019-01-18

Call Administrivia

10:00 Central US / 11:00 Eastern US / 16:00 UK

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-02-01. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


  1. LDAPocalypse Now



  • Per Scott request, looking at the Spring MVC Velocity deprecation issue.  Various questions:
    • What should be replacement (essentially and mostly: FreeMarker vs ThymeLeaf)?  Or maybe option for both?
    • Replace Velocity everywhere or just Spring MVC usage?
    • (radical) Join or start the "Save Velocity!" train: get Spring MVC support added to Velocity Tools.  Somebody may eventually do it.  Maybe that's us?



  • Been defocused for the last couple of months for various reasons I won't get into, but should be back and more active now.
  • Main activity is the push to Java 11. Will hold off making the actual change as long as possible, so that the java-parent-project master branch uses Java 8 as long as possible.
  • What are known blockers, if any, in our code for a Java 11 transition? Or is it solely the tooling?
  • Will use the MDA, as usual, as the canary for the transition when it comes.



  • Progressing IDP-1393
  • Looking at Globus Auth as an OP. 


  • 3.4.3
  • Some rationalization in JIRA
  • Keeping track with changes
  • NOTE
    • I'll be travelling during the call and on a train.  I'll connect in as much as I can but even if I'm in the meeting I'll be silent.  Apologies.


  • Fixed an SP macport issue
    • C++ modernization issue, might be dated to last OS X version or Xcode tools bump
    • Nobody reported it for weeks, implying to me we should be looking at dropping OS X support, officially speaking at least
  • Started removed some dead features not involving large code changes
  • Migrated "internal" AES-GCM calls to JCE
  • IDP-1390 - Getting issue details... STATUS
    • Ended up with a less hacky version of my "reloadable" Spring scope, a Managed Bean service for user-defined reloadable beans


  • JPAR-102 - Getting issue details... STATUS
    • New plan for "pin/key map" : fingerprint|checksum artifact-coordinate-pattern
      • Use checksum rather than PGP fingerprint when unsigned or bad signature
      • Use fingerprint rather than key ID because there could be collisions
      • Should we use wildcards/patterns in the artifact-coordinate-pattern ?
        • Yes for our artifacts
        • Maybe for other artifacts (like Spring)
      • Append to "pin" list or remove no longer used map entries ?
    • IdP 3.4.3 has 1150 artifact dependencies in the stack (including Maven plugins)
      • 250 are unsigned (22 %)
      • 3 have bad signatures (org.apache.struts:struts-taglib|core|tiles:pom:1.3.8)
      • no weak (as defined by the pgpverify plugin) signatures
      • The count of 1150 includes POMs
    • Need Jenkins to sign SNAPSHOTs (since checksums will change)
    • INFRA-196 - Getting issue details... STATUS  Initial install of Nexus NXRM 3 to take a look at capabilities
      • Should we proxy Maven Central ? (probably, so we can discontinue use of it directly)
      • Context/path name ? /nexus3 
    • Some links :


  • No labels