Hi Robert

Regarding

"Note that we still need to clarify the status of the additional Maven artifact repository [1] and probably need to review the deps (there are lots of them) before starting a release. But that's for later."

I am aware there are many dependencies in this project.

[1]: https://github.com/apache/sling-org-apache-sling-auth-saml2/blob/master/pom.xml

Here are some snippets about the bundle.

Bundle Classpath
    .,metrics-core-4.1.9.jar,guava-28.2-jre.jar,failureaccess-1.0.1.jar,checker-qual-2.11.1.jar,opensaml-core-4.0.1.jar,opensaml-saml-impl-4.0.1.jar,opensaml-saml-api-4.0.1.jar,opensaml-xmlsec-api-4.0.1.jar,opensaml-xmlsec-impl-4.0.1.jar,opensaml-security-api-4.0.1.jar,opensaml-security-impl-4.0.1.jar,opensaml-storage-api-4.0.1.jar,opensaml-profile-api-4.0.1.jar,opensaml-messaging-api-4.0.1.jar,opensaml-soap-api-4.0.1.jar,opensaml-soap-impl-4.0.1.jar,java-support-8.0.0.jar,velocity-1.7.jar,commons-lang-2.6.jar,error_prone_annotations-2.3.4.jar,xmlsec-2.1.4.jar,cryptacular-1.2.4.jar

Exported Packages
    org.apache.sling.auth.saml2,version=1.0.0

Imported Packages
    javax.annotation,version=1.3.0 from org.apache.geronimo.specs.geronimo-annotation_1.3_spec (7)
    javax.crypto,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.crypto.spec,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.jcr,version=2.0.0 from org.apache.sling.jcr.jcr-wrapper (112)
    javax.jcr,version=1.1.0 from org.apache.sling.jcr.jcr-wrapper (112)
    javax.lang.model.element,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.naming,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.net,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.net.ssl,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.script,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.security.auth,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.security.auth.callback,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.security.auth.login,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.security.auth.x500,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.servlet,version=2.6.0 from org.apache.felix.http.servlet-api (43)
    javax.servlet,version=3.1.0 from org.apache.felix.http.servlet-api (43)
    javax.servlet,version=3.0.0 from org.apache.felix.http.servlet-api (43)
    javax.servlet.http,version=2.6.0 from org.apache.felix.http.servlet-api (43)
    javax.servlet.http,version=3.1.0 from org.apache.felix.http.servlet-api (43)
    javax.servlet.http,version=3.0.0 from org.apache.felix.http.servlet-api (43)
    javax.sql,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.xml.crypto,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.xml.crypto.dom,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.xml.crypto.dsig,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.xml.crypto.dsig.dom,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.xml.crypto.dsig.keyinfo,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.xml.crypto.dsig.spec,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    javax.xml.datatype,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.namespace,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.parsers,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.stream,version=1.0.0 from org.apache.felix.framework (0)
    javax.xml.stream.events,version=1.0.0 from org.apache.felix.framework (0)
    javax.xml.transform,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.transform.dom,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.transform.sax,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.transform.stream,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.validation,version=2.1.0 from org.apache.felix.framework (0)
    javax.xml.xpath,version=2.1.0 from org.apache.felix.framework (0)
    org.apache.commons.codec,version=1.15.0 from org.apache.commons.commons-codec (35)
    org.apache.commons.codec.binary,version=1.15.0 from org.apache.commons.commons-codec (35)
    org.apache.commons.collections,version=3.2.2 from org.apache.commons.collections (69)
    org.apache.commons.collections.map,version=3.2.2 from org.apache.commons.collections (69)
    org.apache.commons.lang3,version=3.11.0 from org.apache.commons.lang3 (2)
    org.apache.commons.logging,version=1.2.0 from jcl.over.slf4j (30)
    org.apache.http,version=4.4.14 from org.apache.httpcomponents.httpcore (72)
    org.apache.http.auth,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.client,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.client.cache,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.client.config,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.client.methods,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.client.protocol,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.config,version=4.4.14 from org.apache.httpcomponents.httpcore (72)
    org.apache.http.conn,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.conn.socket,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.conn.ssl,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.entity,version=4.4.14 from org.apache.httpcomponents.httpcore (72)
    org.apache.http.impl.client,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.impl.client.cache,version=4.5.13 from org.apache.httpcomponents.httpclient (71)
    org.apache.http.params,version=4.4.14 from org.apache.httpcomponents.httpcore (72)
    org.apache.http.protocol,version=4.4.14 from org.apache.httpcomponents.httpcore (72)
    org.apache.http.util,version=4.4.14 from org.apache.httpcomponents.httpcore (72)
    org.apache.jackrabbit.api,version=2.6.0 from org.apache.jackrabbit.oak-jackrabbit-api (100)
    org.apache.jackrabbit.api.security.user,version=2.4.3 from org.apache.jackrabbit.oak-jackrabbit-api (100)
    org.apache.jackrabbit.oak.spi.security.authentication,version=1.5.0 from org.apache.jackrabbit.oak-security-spi (104)
    org.apache.log4j,version=1.2.17 from log4j.over.slf4j (31)
    org.apache.sling.api.resource,version=2.12.2 from org.apache.sling.api (47)
    org.apache.sling.auth.core,version=1.4.0 from org.apache.sling.auth.core (48)
    org.apache.sling.auth.core.spi,version=1.2.2 from org.apache.sling.auth.core (48)
    org.osgi.framework,version=1.9.0 from org.apache.felix.framework (0)
    org.osgi.framework.wiring,version=1.2.0 from org.apache.felix.framework (0)
    org.osgi.service.cm,version=1.6.0 from org.apache.felix.configadmin (3)
    org.osgi.service.component,version=1.4.0 from org.apache.felix.scr (33)
    org.slf4j,version=1.7.30 from slf4j.api (32)
    org.w3c.dom,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    org.w3c.dom.ls,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    org.xml.sax,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)
    org.xml.sax.helpers,version=0.0.0.JavaSE_011 from org.apache.felix.framework (0)

The OpenSAML library was selected because of the support the Shibboleth Consortium has within higher education [0]. My institution is a member of the consortium. I am confident about the ongoing support the project has and the maintenance it receives now and in the future.

When it comes to using the OpenSAML library, it’s necessary to follow the guidelines about obtaining legitimate versions of the artifacts [1]. That means using library artifacts provided by the Shibboleth Repository, and not using the OpenSAML artifacts from Maven Central. It’s also important to use the library for all parts of the process when it comes to SAML protocols [2]. This requires providing lots of dependencies, which the library requires.

The bundle exports one package, org.apache.sling.auth.saml2, so the dependencies embedded therein should not impact any other bundles. I don’t think there should be a barrier due to the use of the Shibboleth repository, the OpenSAML library or its dependencies.

Best regards
Cris

[0] https://www.shibboleth.net/about-us/members/
[1] https://wiki.shibboleth.net/confluence/display/DEV/Use+of+Maven+Central
[2] https://wiki.shibboleth.net/confluence/display/OS30/Home

> On Apr 13, 2021, at 6:40 AM, Robert Munteanu <[email protected]> wrote:
>
> Note that we still need to clarify the status of the additional Maven
> artifact repository [1] and probably need to review the deps (there are
> lots of them) before starting a release. But that's for later.
