+ 1

Dan

> From: Peter Firmstone <peter.firmst...@zeus.net.au>
> Subject: November Board Report
> Date: November 17, 2018 at 5:03:05 AM EST
> To: "<dev@river.apache.org>" <dev@river.apache.org>
> 
> 
> Hello River folk, please review / comment / suggest / changes for the draft 
> board report for November below.
> 
> Regards,
> 
> Peter.
> 
> ## Description:
> 
> - Apache River provides a platform for dynamic discovery and lookup
>    search of network services.  Services may be implemented in a number
>    of languages, while clients are required to be jvm based (presently at
>    least), to allow proxy jvm byte code to be provisioned dynamically.
> 
> ## Issues:
> 
> - No significant issues requiring board attention at this time.
> 
> ## Activity:
> 
> - Minimal activity at present, initial work on modular build structure has 
> commenced, awaiting to be populated with River 3.0 code.
> 
> Release roadmap:
> 
> River 3.1 - Modular build restructure (& binary release)
> River 3.2 - Input validation 4 Serialization, delayed unmarshalling &
> safe ServiceRegistrar lookup service.
> River 3.3 - OSGi support
> 
> ## Health report:
> 
> - River is a mature codebase with existing deployments, it was primarily 
> designed for dynamic discovery of services on private networks.  IPv4 NAT 
> limitations historically prevented the use of River on public networks, 
> however the use of IPv6 on public networks removes these limitations.  Web 
> services evolved with the publish subscribe model of today's internet, River 
> has the potential to dynamically discover services on IPv6 networks, peer to 
> peer, blurring current distinctions between client and server, it has the 
> potential to address many of the security issues currently experienced with 
> IoT and avoid any dependency on the proprietary cloud for "things".
> 
> - Future Direction:
> 
>   * Target IOT space with support for OSGi and IPv6 (security fixes
>     required prior to announcement)
>   * Input validation for java deserialization - prevents DOS and
>     Gadget attacks.
>   * IPv6 Multicast Service Discovery (River currently only supports
>     IPv4 multicast discovery).
>   * Delayed unmarshalling for Service Lookup and Discovery (includes
>     SafeServiceRegistrar mentioned in release roadmap), so
>     authentication can occur prior to downloading service proxies,
>     this addresses a long standing security issue with service lookup
>     while significantly improving performance under some use cases.
>   * Security fixes for SSL endpoints, updated to TLS v1.2 with removal
>     of support for insecure cyphers.
>   * Secure TLS SocketFactory's for RMI Registry, uses
>     the currently logged in Subject for authentication.
>     The RMI Registry still plays a minor role in service activation,
>     this allows those who still use the Registry to secure it.
>   * Maven build to replace existing ant build that uses
>     classdepandjar, a bytecode dependency analysis build tool.
>   * Updating the Jini specifications.
> 
> 
> 
> ## PMC changes:
> 
> - Currently 12 PMC members.
> - No new PMC members added in the last 3 months
> - Last PMC addition was Dan Rollo on Fri Dec 01 2017
> 
> ## Committer base changes:
> 
> - Currently 16 committers.
> - No new committers added in the last 3 months
> - Last committer addition was Dan Rollo at Thu Nov 02 2017
> 
> ## Releases:
> 
> - Last release was River-3.0.0 on Thu Oct 06 2016
> 
> ## Mailing list activity:
> 
> - Relatively quiet.
> 
> - dev@river.apache.org:
>    - 91 subscribers (down -3 in the last 3 months):
>    - 7 emails sent to list (6 in previous quarter)
> 
> - u...@river.apache.org:
>    - 92 subscribers (up 0 in the last 3 months):
>    - 1 emails sent to list (3 in previous quarter)
> 
> 
> ## JIRA activity:
> 
> - 1 JIRA tickets created in the last 3 months
> - 0 JIRA tickets closed/resolved in the last 3 months
> 
> 
> 
