river-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Thompson <br...@blazegraph.com>
Subject Re: River Board Report
Date Wed, 20 Mar 2019 00:26:10 GMT
+1

Bryan

On Tue, Mar 19, 2019 at 17:10 Dan Rollo <danrollo@gmail.com> wrote:

>
> +1
>
> Dan
>
>
> From: Peter Firmstone <peter.firmstone@zeus.net.au <mailto:
> peter.firmstone@zeus.net.au>>
> Subject: River Board Report
> Date: March 19, 2019 at 7:58:14 PM EDT
> To: "<dev@river.apache.org <mailto:dev@river.apache.org>>" <
> dev@river.apache.org <mailto:dev@river.apache.org>>
>
>
> Hello River folk, please review / comment / suggest / changes for the
> draft board report for March below.
>
> Regards,
>
> Peter.
>
> ## Description:
> - Apache River provides a platform for dynamic discovery and lookup
>    search of network services.  Services may be implemented in a number
>    of languages, while clients are required to be jvm based (presently at
>    least), to allow proxy jvm byte code to be provisioned dynamically.
>
> ## Issues:
> - Answers to board questions:
> idf: It's been a year since the last committer addition. Are there a
>     new prospects?
> - Not at present, due to low activity and the complexity of the unique
> monolithic build system.  We are working to resolve this with a Maven
> modular build structure.
>
> rs: given 12 vs 16 members of PMC and committership roster, is there
>    anything preventing the remaining 4 committers to consider
>    joining the PMC?
> - There are no blockers, I will ask them to join the PMC.
>
> ## Activity:
>
> -  Minimal activity at present, initial work on the modular build
> structure has commenced.  The current monolithic build is complex, with
> it's own build tool classdepandjar, it adds complexity for new developers.
> In recent months I have had work committments that have limited my ability
> to integrate the modular build.  The other committers are waiting for the
> modular build and I have done a lot of work on this locally, this work has
> been a significant undertaking integrating the works of Dennis Reedy, Dan
> Rollo and myself.  This is also a mature codebase, having been in
> development since the late 1990's.
>
> Release roadmap:
>
> River 3.1 - Modular build restructure (&   binary release)
> River 3.2 - Input validation 4 Serialization, delayed unmarshalling&
> safe ServiceRegistrar  lookup service.River 3.3 - OSGi support
>
> ## Health report:
>
> - River is a mature codebase with existing deployments, it was primarily
> designed for dynamic discovery of services on private networks.  IPv4 NAT
> limitations historically prevented the use of River on public networks,
> however the use of IPv6 on public networks removes these limitations.  Web
> services evolved with the publish subscribe model of todays internet, River
> has the potential to dynamically discover services on IPv6 networks, peer
> to peer, blurring current destinctions between client and server, it has
> the potential to address many of the security issues currently experienced
> with IoT and avoid any dependency on the proprietary cloud for "things".
>
> - Future Direction:
>
>   * Target IOT space with support for OSGi and IPv6 (security fixes
>     required prior to announcement)
>   * Input validation for java deserialization - prevents DOS and
>     Gadget attacks.
>   * IPv6 Multicast Service Discovery (River currently only supports
>     IPv4 multicast discovery).
>   * Delayed unmarshalling for Service Lookup and Discovery (includes
>     SafeServiceRegistrar mentioned in release roadmap), so
>     authentication can occur prior to downloading service proxy's,
>     this addresses a long standing security issue with service lookup
>     while significantly improving performance under some use cases.
>   * Security fixes for SSL endpoints, updated to TLS v1.2 with removal
>     of support for insecure cyphers.
>   * Secure TLS SocketFactory's for RMI Registry, uses
>     the currently logged in Subject for authentication.
>     The RMI Registry still plays a minor role in service activation,
>     this allows those who still use the Registry to secure it.
>   * Maven build to replace existing ant built that uses
>     classdepandjar, a bytecode dependency analysis build tool.
>   * Updating the Jini specifications.
>
> ## PMC changes:
>
> - Currently 12 PMC members.
> - No new PMC members added in the last 3 months
> - Last PMC addition was Dan Rollo on Fri Dec 01 2017
>
> ## Committer base changes:
>
> - Currently 16 committers.
> - No new committers added in the last 3 months
> - Last committer addition was Dan Rollo at Thu Nov 02 2017
>
> ## Releases:
>
> - Last release was River-3.0.0 on Thu Oct 06 2016
>
> ## /dist/ errors: 4
> - TODO - Developer certificates expired, investigate solution.   I created
> new certificates, prior to the expiry of my old certificates, should I
> resign the release artifacts with the new certificates?
>
> ## Mailing list activity:
>
> - Relatively quiet
>
> - dev@river.apache.org <mailto:dev@river.apache.org>:
>    - 89 subscribers (down -1 in the last 3 months):
>    - 5 emails sent to list (9 in previous quarter)
>
> - user@river.apache.org <mailto:user@river.apache.org>:
>    - 92 subscribers (up 0 in the last 3 months):
>    - 1 emails sent to list (0 in previous quarter)

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message