[alf-dev] Eclipse IP Process questions

Hi Darin,
 
We met earlier this year at the Committers Boot Camp at the start of EclipseCon.  I'm taking a harder look at the OpenSAML CQ to get it right, but am running into some questions, and would appreciate some guidance.
 
Our end objective is to get the opensaml-1.1.jar approved by Eclipse for use in ALF, since it provides a useful Java object model interface for marshalling and unmarshalling a SAML Assertion to and from an XML representation.  Another reason for using OpenSAML is that Internet2 seems just as concerned as Eclipse is about the provenance of the modules.  My questions involve how to properly represent the dependencies of that OpenSAML jar in the Eclipse CQ system.
 
An analysis of the opensaml-1.1.jar shows it depends on the following Java packages:
 
                    org.w3c.dom
                    junit.framework
                    junit.textui
                    org.apache.log4j
                    org.xml.sax
                    org.apache.xml.security
                    org.apache.xml.security.c14n
                    org.apache.commons.codec.binary
                    org.apache.xml.security.exceptions
                    org.apache.xml.security.utils
                    org.apache.xml.security.signature
                    org.apache.xml.security.transforms
                    org.apache.xml.security.transforms.params
                    org.apache.xml.security.keys.content
                    org.apache.xml.security.keys
                    org.apache.xml.security.keys.content.x509
                    org.apache.xml.security.algorithms
 
In a consistent set of jars we have been using for builds and runtime, these dependencies are satisfied by the following jar versions:

                    jaxen-1.1-beta-10.jar
                    junit-4.1.jar
                    log4j-1.2.8.jar
                    xml-apis-1.3.03.jar
                    xmlsec-1.4.0.jar
                    commons-codec-1.3.jar
 
However, these are not the only versions of those dependent jars that could provide those packages.  For example, Eclipse has approved log4j-1.2.8.jar, although there is a pending request for log4j-1.2.13.jar that we found also works.  So, do we need to search ipZilla for each of these jars to find a version that has either been approved or is pending approval and then do the testing to see whether those are compatible?  And if so, do we only need to list those dependent jars on the CQ that have not already been approved?
 
Second, the other place (as you mention) is Orbit.  However, there seems to be a discrepancy (or simply a lag) between when a jar is marked in ipZilla as "approved for use by all projects", and when it appears in Orbit. 
 
What happens when a project, such as the Apache Axis2 project, uses a module, in this case Rampart.mar, which ALF will also need, that includes an opensaml-1.1.jar file that has slightly different file timestamps from those in the official downloads from the Internet2 website?  We don't have much visibility into whether Rampart's version of opensaml-1.1.jar was simply rebuilt from source unchanged or whether they made patches.  Do we need to submit both versions and investigate the provenance of what the Rampart team did to its version of the jar?
 
Finally, while ipZilla indicates that Apache Axis 2 1.1 has been approved for all projects, we have found critical bugs that are solved in Axis 2 1.2.  Do we need to initiate a CQ for the later version of Axis 2 that has the fixes or is there a short cut process for upgrading IP approvals to later versions of approved jars?
 
Even after listening to Janet's talks, the process is not as straightforward as it sounds, so I would appreciate any guidance on how to make the process easier for all involved parties.
 
Thanks,
Brian
 
Brian Carroll
ALF Project Lead
Serena Fellow
Serena Software
 

From: alf-dev-bounces@xxxxxxxxxxx [mailto:alf-dev-bounces@xxxxxxxxxxx] On Behalf Of Darin Swanson
Sent: Thursday, May 10, 2007 8:44 AM
To: alf-dev@xxxxxxxxxxx
Subject: [alf-dev] Apache Ant IP request questions


Good morning,

I am a committer representative on the Eclipse board.
Therefore I take part in the review for proposals for Eclipse projects' usage of non-EPL code.

My understanding is that ALF has requested to use Ant JARs from version 1.6.3 and ant-contrib.jar 1.6.3

I would like to know the reasons the ALF project is looking to contribute Ant 1.6.3?
This code base is over 2 years old and is no longer recommended to be used by Apache Ant.
As well, with Ant 1.7.0 being put into Orbit it would possibly seem unnecessary?

Also I am not sure what is "ant-contrib.jar 1.6.3"?

My understanding is that Ant contrib is a separate project from Apache Ant that is hosted at SourceForge.

I believe it is either in release 0.6 or beta for 1.0.


Thank you for your time
Darins
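
The question above about a repackaged opensaml-1.1.jar whose file timestamps differ from the official download can be narrowed by comparing the two archives entry by entry on content hashes, which ignores zip metadata. This is an added example, not part of the original e-mails; `compare_jars` and `build_jar` are hypothetical helpers, and the jar contents and entry names are constructed placeholders.

```python
import hashlib
import io
import zipfile


def entry_digests(jar_bytes):
    """Map each file entry to the SHA-256 of its uncompressed content.

    Zip metadata (timestamps, compression level, entry order) is ignored.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.filename: hashlib.sha256(jar.read(info)).hexdigest()
                for info in jar.infolist() if not info.is_dir()}


def compare_jars(official, repackaged):
    """Report entries that were added, removed, or changed in content."""
    a, b = entry_digests(official), entry_digests(repackaged)
    return {
        "only_in_official": sorted(a.keys() - b.keys()),
        "only_in_repackaged": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def build_jar(entries, date_time):
    """Build a constructed sample jar in memory with a fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, data)
    return buf.getvalue()


# Constructed sample data: entry names and bytes are placeholders, not real classes.
BASE = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "example/Assertion.class": b"constructed class bytes A",
        "example/Signer.class": b"constructed class bytes B"}
OFFICIAL = build_jar(BASE, (2006, 3, 1, 12, 0, 0))
REBUILT = build_jar(BASE, (2007, 4, 15, 9, 30, 0))  # same content, new timestamps
PATCHED = build_jar({**BASE, "example/Signer.class": b"constructed patched bytes",
                     "example/Extra.class": b"constructed added class"},
                    (2007, 4, 15, 9, 30, 0))

if __name__ == "__main__":
    print("whole-file bytes equal:", OFFICIAL == REBUILT)
    print("rebuilt:", compare_jars(OFFICIAL, REBUILT))
    print("patched:", compare_jars(OFFICIAL, PATCHED))
```

An empty report means the two jars carry byte-identical contents despite differing whole-file hashes. A differing `.class` digest can come from recompilation with another compiler as well as from a patch, so it marks where source-level review is needed rather than proving a modification.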
