My first impression is too much technical detail. Also we had a request
from a board member last month "It would be helpful if you could expand
a little (a couple of sentences is fine) on the discussions for future
directions in your next report.". That needs to be easily identifiable
in the report.
On 5/1/2017 1:26 AM, Peter wrote:
Hi River folks,
Draft board report for May, please make suggestions, remember this is
only my point of view, if yours differs please say so. It's probably a
bit wordy, so could use improvement, but I want to be honest with the
board about the current state of development.
Regards,
Peter.
<===========================================================>
## Description:
- Apache River provides a platform for dynamic discovery and lookup
search of network services. Services may be implemented in a number of
languages, while clients are required to be jvm based, to allow proxy
jvm byte code to be provisioned dynamically.
## Issues:
- River community has over time settled on a stable trunk development
model. The community tends towards risk aversion regarding code
modifications, this has suppressed active development in the past.
- The River 3.0 release included hundreds of internal bug fixes for
latent race conditions, with minimal breaking changes to public api
(com.sun packages renamed to org.apache.river). We have had one newly
introduced bug reported (thread memory leak) since release. River 3.0
was developed in an experimental branch, there were some issues
experienced during merging, which lead to an effort to migrate to git,
however that effort has stalled as some members (now emeritus) raised
concerns about migration, this requires further investigation and
discussion before it can be resolved.
Some features are being developed outside the project by one pmc member,
at the request of another member (also now emeritus) who had raised
objections. The current plan is to confirm feature stability outside
the project and submit diff patches to jira once a feature has been
accepted by the community.
We are still waiting for more user feedback regarding the 3.0 release,
one user has reported success using River 3.0 with OSGi, while having
been unsuccessful with earlier releases. The com.sun ->
org.apache.river namespace change has caused breaking changes for
downstream projects, which may be slowing uptake of this release. A
compatibility layer package has been developed externally, while
relatively new, it may assist with uptake for River 3.0.
- If River 3.0 is well recieved, it will likely lead to more confidence
and acceptance of new features and experimental development in future.
## Activity:
- Significant drop in interest since February (205 emails on dev), down
to 6 in March and 8 in April. No more emails on user, no commits since
Feb.
- Proposed Release roadmap received positive responses:
Proposed Release roadmap:
River 3.0.1 - thread leak fix
River 3.1 - Modular build restructure (& binary release)
River 3.2 - Input validation 4 Serialization, delayed unmarshalling&
safe ServiceRegistrar
lookup service.
River 3.3 - OSGi support
## Health report:
- Little activity at present on dev.
- No recent commit activity.
- Development has continued outside the project for contraversial
features (there seems to be more acceptance of these features recently):
* Input validation for java deserialization - prevents DOS and
Gadget attacks.
* IPv6 Multicast Service Discovery (River currently only support
IPv4 multicast discovery).
* Delayed unmarshalling for Service Lookup and Discovery (includes
SafeServiceRegistrar mentioned in release roadmap), so
authentication can occur prior to downloading service proxy's,
this addresses a long standing security issue with service lookup
while significantly improving performance under some use cases.
* Security fixes for SSL endpoints, updated to TLS v1.2 with removal
of support for insecure cyphers.
* Maven build to replace existing ant built that uses
classdepandjar, a bytecode dependency analysis build tool.
* Security tool to generate security policy files based on principle
of least privilege, this has been rejected as the system is likely
to be vulnerable to attack while the policy files are being
generated. The tool was written in response to requests for more
tooling to make River easier to use.
## PMC changes:
- Currently 11 PMC members.
- No new PMC members added in the last 3 months
- Last PMC addition was Bryan Thompson on Sun Aug 30 2015
## Committer base changes:
- Currently 15 committers.
- Zsolt Kúti was added as a committer on Wed Dec 07 2016
- Bharath Kumar was added as a committer on the 23th March 2017
## Releases:
- River-3.0.0 was released on Wed Oct 05 2016
## Mailing list activity:
- Minimal.
## JIRA activity:
- Nil Activity.
