+1 Bryan
On Tue, Mar 19, 2019 at 17:10 Dan Rollo <danro...@gmail.com> wrote: > > +1 > > Dan > > > From: Peter Firmstone <peter.firmst...@zeus.net.au <mailto: > peter.firmst...@zeus.net.au>> > Subject: River Board Report > Date: March 19, 2019 at 7:58:14 PM EDT > To: "<dev@river.apache.org <mailto:dev@river.apache.org>>" < > dev@river.apache.org <mailto:dev@river.apache.org>> > > > Hello River folk, please review / comment / suggest / changes for the > draft board report for March below. > > Regards, > > Peter. > > ## Description: > - Apache River provides a platform for dynamic discovery and lookup > search of network services. Services may be implemented in a number > of languages, while clients are required to be jvm based (presently at > least), to allow proxy jvm byte code to be provisioned dynamically. > > ## Issues: > - Answers to board questions: > idf: It's been a year since the last committer addition. Are there a > new prospects? > - Not at present, due to low activity and the complexity of the unique > monolithic build system. We are working to resolve this with a Maven > modular build structure. > > rs: given 12 vs 16 members of PMC and committership roster, is there > anything preventing the remaining 4 committers to consider > joining the PMC? > - There are no blockers, I will ask them to join the PMC. > > ## Activity: > > - Minimal activity at present, initial work on the modular build > structure has commenced. The current monolithic build is complex, with > it's own build tool classdepandjar, it adds complexity for new developers. > In recent months I have had work committments that have limited my ability > to integrate the modular build. The other committers are waiting for the > modular build and I have done a lot of work on this locally, this work has > been a significant undertaking integrating the works of Dennis Reedy, Dan > Rollo and myself. This is also a mature codebase, having been in > development since the late 1990's. > > Release roadmap: > > River 3.1 - Modular build restructure (& binary release) > River 3.2 - Input validation 4 Serialization, delayed unmarshalling& > safe ServiceRegistrar lookup service.River 3.3 - OSGi support > > ## Health report: > > - River is a mature codebase with existing deployments, it was primarily > designed for dynamic discovery of services on private networks. IPv4 NAT > limitations historically prevented the use of River on public networks, > however the use of IPv6 on public networks removes these limitations. Web > services evolved with the publish subscribe model of todays internet, River > has the potential to dynamically discover services on IPv6 networks, peer > to peer, blurring current destinctions between client and server, it has > the potential to address many of the security issues currently experienced > with IoT and avoid any dependency on the proprietary cloud for "things". > > - Future Direction: > > * Target IOT space with support for OSGi and IPv6 (security fixes > required prior to announcement) > * Input validation for java deserialization - prevents DOS and > Gadget attacks. > * IPv6 Multicast Service Discovery (River currently only supports > IPv4 multicast discovery). > * Delayed unmarshalling for Service Lookup and Discovery (includes > SafeServiceRegistrar mentioned in release roadmap), so > authentication can occur prior to downloading service proxy's, > this addresses a long standing security issue with service lookup > while significantly improving performance under some use cases. > * Security fixes for SSL endpoints, updated to TLS v1.2 with removal > of support for insecure cyphers. > * Secure TLS SocketFactory's for RMI Registry, uses > the currently logged in Subject for authentication. > The RMI Registry still plays a minor role in service activation, > this allows those who still use the Registry to secure it. > * Maven build to replace existing ant built that uses > classdepandjar, a bytecode dependency analysis build tool. > * Updating the Jini specifications. > > ## PMC changes: > > - Currently 12 PMC members. > - No new PMC members added in the last 3 months > - Last PMC addition was Dan Rollo on Fri Dec 01 2017 > > ## Committer base changes: > > - Currently 16 committers. > - No new committers added in the last 3 months > - Last committer addition was Dan Rollo at Thu Nov 02 2017 > > ## Releases: > > - Last release was River-3.0.0 on Thu Oct 06 2016 > > ## /dist/ errors: 4 > - TODO - Developer certificates expired, investigate solution. I created > new certificates, prior to the expiry of my old certificates, should I > resign the release artifacts with the new certificates? > > ## Mailing list activity: > > - Relatively quiet > > - dev@river.apache.org <mailto:dev@river.apache.org>: > - 89 subscribers (down -1 in the last 3 months): > - 5 emails sent to list (9 in previous quarter) > > - u...@river.apache.org <mailto:u...@river.apache.org>: > - 92 subscribers (up 0 in the last 3 months): > - 1 emails sent to list (0 in previous quarter)
