river-dev mailing list archives

From Peter <j...@zeus.net.au>
Subject [Report] Apache River - Draft
Date Mon, 01 May 2017 08:26:47 GMT
Hi River folks,

Draft board report for May, please make suggestions, remember this is 
only my point of view, if yours differs please say so.  It's probably a 
bit wordy, so could use improvement, but I want to be honest with the 
board about the current state of development.

Regards,

Peter.

<===========================================================>

## Description:

  - Apache River provides a platform for dynamic discovery and lookup 
search of network services.  Services may be implemented in a number of 
languages, while clients are required to be jvm based, to allow proxy 
jvm byte code to be provisioned dynamically.

## Issues:

  - River community has over time settled on a stable trunk development 
model.  The community tends towards risk aversion regarding code 
modifications, this has suppressed active development in the past.

- The River 3.0 release included hundreds of internal bug fixes for 
latent race conditions, with minimal breaking changes to public api 
(com.sun packages renamed to org.apache.river).  We have had one newly 
introduced bug reported (thread memory leak) since release.  River 3.0 
was developed in an experimental branch, there were some issues 
experienced during merging, which led to an effort to migrate to git, 
however that effort has stalled as some members (now emeritus) raised 
concerns about migration, this requires further investigation and 
discussion before it can be resolved.

Some features are being developed outside the project by one pmc member, 
at the request of another member (also now emeritus) who had raised 
objections.  The current plan is to confirm feature stability outside 
the project and submit diff patches to jira once a feature has been 
accepted by the community.

We are still waiting for more user feedback regarding the 3.0 release, 
one user has reported success using River 3.0 with OSGi, while having 
been unsuccessful with earlier releases.  The com.sun -> 
org.apache.river namespace change has caused breaking changes for 
downstream projects, which may be slowing uptake of this release.  A 
compatibility layer package has been developed externally, while 
relatively new, it may assist with uptake for River 3.0.

- If River 3.0 is well received, it will likely lead to more confidence 
and acceptance of new features and experimental development in future.

## Activity:

  - Significant drop in interest since February (205 emails on dev), 
down to 6 in March and 8 in April.  No more emails on user, no commits 
since Feb.

- Proposed Release roadmap received positive responses:

Proposed Release roadmap:
>
>  River 3.0.1 - thread leak fix
>  River 3.1 - Modular build restructure (& binary release)
>  River 3.2 - Input validation 4 Serialization, delayed unmarshalling & safe ServiceRegistrar lookup service.
>  River 3.3 - OSGi support

## Health report:

  - Little activity at present on dev.
  - No recent commit activity.
  - Development has continued outside the project for controversial 
features (there seems to be more acceptance of these features recently):

    * Input validation for java deserialization - prevents DOS and
      Gadget attacks.
    * IPv6 Multicast Service Discovery (River currently only supports
      IPv4 multicast discovery).
    * Delayed unmarshalling for Service Lookup and Discovery (includes
      SafeServiceRegistrar mentioned in release roadmap), so
      authentication can occur prior to downloading service proxies,
      this addresses a long standing security issue with service lookup
      while significantly improving performance under some use cases.
    * Security fixes for SSL endpoints, updated to TLS v1.2 with removal
      of support for insecure cyphers.
    * Maven build to replace existing ant build that uses
      classdepandjar, a bytecode dependency analysis build tool.
    * Security tool to generate security policy files based on principle
      of least privilege, this has been rejected as the system is likely
      to be vulnerable to attack while the policy files are being
      generated.  The tool was written in response to requests for more
      tooling to make River easier to use.

## PMC changes:

  - Currently 11 PMC members.
  - No new PMC members added in the last 3 months
  - Last PMC addition was Bryan Thompson on Sun Aug 30 2015

## Committer base changes:

  - Currently 15 committers.
  - Zsolt Kúti was added as a committer on Wed Dec 07 2016
  - Bharath Kumar was added as a committer on the 23rd March 2017

## Releases:

  - River-3.0.0 was released on Wed Oct 05 2016

## Mailing list activity:

  - Minimal.

## JIRA activity:

- Nil Activity.


