[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
[alf-dev] Eclipse IP Process questions
|
Hi Darin,
We met earlier this year at the Committers Boot Camp at
the start of EclipseCon. I'm taking a harder look at the OpenSAML CQ
to get it right, but am running into some questions, and would appreciate some
guidance.
Our end objective is to get the opensaml-1.1.jar
approved by Eclipse for use in ALF, since it provides a useful Java object model
interface for marshalling and unmarshalling a SAML Assertion to and from an
XML representation. Another reason for using OpenSAML is
that Internet2 seems just a concerned as Eclipse is about the
provenance of the modules. My questions involve how to properly represent
the dependencies of that openSAML jar in the Eclipse CQ
system.
An analysis of the opensaml-1.1.jar shows it depends on
the following Java packages:
org.w3c.dom
junit.framework
junit.textui
org.apache.log4j
org.xml.sax
org.apache.xml.security
org.apache.xml.security.c14n
org.apache.commons.codec.binary
org.apache.xml.security.exceptions
org.apache.xml.security.utils
org.apache.xml.security.signature
org.apache.xml.security.transforms
org.apache.xml.security.transforms.params
org.apache.xml.security.keys.content
org.apache.xml.security.keys
org.apache.xml.security.keys.content.x509
org.apache.xml.security.algorithms
In a consistent set of jars we have
been using for builds and runtime, these dependencies are satisfed by the
following jar versions:
jaxen-1.1-beta-10.jar
junit-4.1.jar
log4j-1.2.8.jar
xml-apis-1.3.03.jar
xmlsec-1.4.0.jar
commons-codec-1.3.jar
However, these are not the only versions of
those dependent jars that could provide those packages. For example,
Eclipse has approved log4j-1.2.8.jar, although there is a pending request for
log4j-1.2.13.jar that we found also works. So, do we need to search
ipZilla for each of these jars to find a version that has either been approved
or is pending approval and then do the testing to see whether those are
compatible? And if so, do we only need to list those dependent jars on the
CQ that have not already been approved?
Second, the other place (as you mention) is
Orbit. However, there seems to be a descrepancy (or simply a lag) between
when a jar is marked in ipZilla as "approved for use by all projects", and when
it appears in Orbit.
What happens when a project, such as Apache Axis2
project uses a module, in this case Rampart.mar, which ALF will also
need, includes an opensaml-1.1.jar file that has slightly different file
timestamps from those in the official downloads from the Internet2
website? We don't have much visibility into whether the Ramparts version
of opensaml-1.1.jar was simply rebuilt from source unchanged or whether they
made patches. Do we need to submit both versions and investigate the
provenance of what the Rampart team did to its version of the
jar?
Finally, while ipZilla indicates that Apache Axis 2 1.1
has been approved for all projects, we have found critical bugs that are
solved in Axis 2 1.2. Do we need to initiate a CQ for the later
version of Axis 2 that has the fixes or is there a short cut process for
upgrading IP approvals to later versions of approved jars?
Even after listening to Janet's talks, the process is
not as straigtforward as it sounds, so I would appreciate any guidance on how to
make the process easier for all involved parties.
Thanks,
Brian
Brian Carroll
ALF Project Lead
Serena Fellow
Serena Software
From: alf-dev-bounces@xxxxxxxxxxx
[mailto:alf-dev-bounces@xxxxxxxxxxx] On Behalf Of Darin
Swanson
Sent: Thursday, May 10, 2007 8:44 AM
To:
alf-dev@xxxxxxxxxxx
Subject: [alf-dev] Apache Ant IP request
questions
Good
morning, I am a committer
representative on the Eclipse board. Therefore I take part in the review for proposals for Eclipse projects
usage of non-epl code. My
understanding is that ALF has requested to use Ant JARs from version 1.6.3 and
ant-contrib.jar 1.6.3 I would like to know the reasons the ALF project is
looking to contribute Ant 1.6.3? This code base is over 2 years old and is no longer recommended to be
used by Apache Ant. As well, with Ant
1.7.0 being put into Orbit it would possibly seem unnecessary?
Also I am not sure what is "ant-contrib.jar
1.6.3"?
My understanding is that Ant contrib is a separate
project from Apache Ant that is hosted at SourceForge.
I believe
it is either in release 0.6 or beta for 1.0. Thank you for your
time Darins
**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.