Re: SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-05-20 Thread Robert Munteanu
On Wed, 2021-05-19 at 15:10 -0400, Cris Rockwell wrote: > > I would not agree here, but it's not critical to do so. My > > reasoning is > > that if we have a dependency that is on the authentication > > processing > > stack, e.g. OpenSAML using commons-lang, the commons-lang is also a > > an > > at

Re: SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-05-19 Thread Cris Rockwell
Hi Robert > Maybe use the releases group instead of the public one? > https://build.shibboleth.net/nexus/content/repositories/releases/ > Yes that’s > a good idea. > Is that ticket public? I could not find anything on Maven Cen

Re: SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-05-19 Thread Robert Munteanu
Hi Cris, Sorry for taking so long to reply. tl;dr - I'm not opposed to validating signatures, and I think we need some tweaks to it. On Mon, 2021-04-26 at 16:16 -0400, Cris Rockwell wrote: > >  They are getting the Sling dependency from Maven Central, and they > > would also be betting > > the Op

Re: SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-04-26 Thread Cris Rockwell
Hi This is lot. So thanks to all who might be following this. > 1. Are the users getting the right Sling dependencies? Maybe or maybe not. That’s why verifying the artifacts’ signatures is important. I added fingerprint files for Sling and Shibboleth to the SAML project, so at least this bundl

Re: SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-04-26 Thread Robert Munteanu
Hi Cris, (I find that top-posting makes long conversations hard to follow, please try to reply inline) On Fri, 2021-04-23 at 17:17 -0400, Cris Rockwell wrote: > Hi Robert > > There are a few things the Shibboleth devs wanted to reinforce with me. > A) > They don’t upload artifacts to Maven Centr

Re: SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-04-23 Thread Cris Rockwell
Hi Robert There are a few things the Shibboleth devs wanted to reinforce with me. A) They don’t upload artifacts to Maven Central. The canonical way to get their latest libraries is through the Shibboleth repo. The v4.0.1 was uploaded to Central by other parties, and they don't know anything about

Re: SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-04-23 Thread Cris Rockwell
Ok Thanks for the clarification. Let me take a bit of time to review the hashes. For example, comparing this https://build.shibboleth.net/nexus/content/groups/public/org/opensaml/opensaml-xmlsec-impl/4.0.1/opensaml-xmlsec-impl-4.0.1.jar.sha1 to this https://repo1.maven.org/mave

SAML auth handler and additional Maven repo (was: [git] New git repository - org-apache-sling-auth-saml2)

2021-04-23 Thread Robert Munteanu
Hi Cris, On Fri, 2021-04-23 at 09:31 -0400, Cris Rockwell wrote: > The OpenSAML library was selected because of the support the Shibboleth > Consortium has within higher education[0]. > My institution is a member of the consortium. I am confident about the > ongoing support the project has and the

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-23 Thread Cris Rockwell
Hi Robert Regarding "Note that we still need to clarify the status of the additional Maven artifact repository [1] and probably need to review the deps (there are lots of them) before starting a release. But that's for later." I aware there are many dependencies in this project [1]: https://git

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-17 Thread Daniel Klco
Hi Chris, Sorry for the confusion, I see that I didn't remove that old shell script. The new correct way to add the badges to the project is: ./generate-project-badges.groovy [REPO_DIR] On Fri, Apr 16, 2021 at 1:34 PM Cris Rockwell wrote: > Hi Robert > > FYI, when I ran `groovy collect-sling-r

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-16 Thread Cris Rockwell
Hi Robert FYI, when I ran `groovy collect-sling-repos.groovy > default.xml` as mentioned in sling-aggregator, I saw more changed to default.xml than just this new repo. Three entries added and one removed see below for the diff. Those seemed like valid changes, so I committed them [0] diff --

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-16 Thread Robert Munteanu
On Tue, 2021-04-13 at 10:32 -0400, Cris Rockwell wrote: > Thank you, Robert. > I look forward to the new repo, and discussing the project’s use > of the Shibboleth repository and it’s dependencies. Done - see https://github.com/apache/sling-org-apache-sling-auth-saml2 . You should be able to pro

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-13 Thread Cris Rockwell
Thank you, Robert. I look forward to the new repo, and discussing the project’s use of the Shibboleth repository and it’s dependencies. Cris > On Apr 13, 2021, at 6:40 AM, Robert Munteanu wrote: > > Hi Cris, > > Overall this looks good, I'll create a repo later this week unless > someone obj

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-13 Thread Robert Munteanu
Hi Cris, Overall this looks good, I'll create a repo later this week unless someone objects. Note that we still need to clarify the status of the additional Maven artifact repository [1] and probably need to review the deps (there are lots of them) before starting a release. But that's for later.

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-12 Thread Cris Rockwell
Hi Robert The whiteboard PR is merged. Let me know if you have other questions about creating the repository. Thanks Cris > On Apr 8, 2021, at 12:14 PM, Cris Rockwell wrote: > > Hi, > > Currently org-apache-sling-auth-saml2 build runs about 65 seconds on my local > workstation, > and se

Re: [git] New git repository - org-apache-sling-auth-saml2

2021-04-09 Thread Robert Munteanu
Hi Cris. On Thu, 2021-04-08 at 12:14 -0400, Cris Rockwell wrote: > Therefore, I'd like to create a new repo for the code currently > living in the > whiteboard at [0]. I would suggest that you merge the PR first - it's the whiteboard, after all, so reviewing is easier. Thanks, Robert

[git] New git repository - org-apache-sling-auth-saml2

2021-04-08 Thread Cris Rockwell
Hi, Currently org-apache-sling-auth-saml2 build runs about 65 seconds on my local workstation, and several minuted in the Jenkins CI pipeline. My understanding is that projects in the Sling Whiteboard repo should be moved to another repo before releasing to Maven Central. Therefore, I'd like