Posted to dev@flex.apache.org by Josh Tynjala <jo...@bowlerhat.dev> on 2023/01/04 20:59:29 UTC

BlazeDS release

I'd like to spend some time this month finishing up the recent BlazeDS
stuff so that we can get it released.

Can someone confirm that the changes listed here are still what should be
done? It looks straightforward enough.

https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn

And which branch should I commit to? security-updates? develop? master?
Something else?

Thanks,

--
Josh Tynjala
Bowler Hat LLC <https://bowlerhat.dev>

Re: BlazeDS release

Posted by Josh Tynjala <jo...@apache.org>.
Just documenting some of my findings about the BlazeDS proxy module.

The HTTPProxyService class is compiled into flex-messaging-proxy.jar. BlazeDS may be configured to use HTTPProxyService in services-config.xml, like this:

<service id="proxy-service" class="flex.messaging.services.HTTPProxyService">

If flex-messaging-proxy.jar is missing, and an HTTPProxyService is configured in services-config.xml, the following exception will be thrown:

flex.messaging.MessageException: Cannot create class of type 'flex.messaging.services.HTTPProxyService'. Type 'flex.messaging.services.HTTPProxyService' not found.

However, exposing an HTTPProxyService is not required by BlazeDS. If there is no HTTPProxyService configured, and flex-messaging-proxy.jar is not available on the classpath, then other services (such as RemotingService and MessageService) seem to continue to work correctly. I basically only needed to comment out the <service> element for HTTPProxyService in services-config.xml, and the other services started working again.

I have no idea how common it is to use HTTPProxyService in real-world production servers. Hopefully, it's not very likely, and removing it will have little impact. As noted above, my tests seem to indicate that it's technically possible to remove the proxy module, and BlazeDS will still be functional for other service types. I think we'll need to include three things in the release notes about this removal:

1) That flex-messaging-proxy.jar and the HTTPProxyService are removed.
2) The full text of the exception that gets thrown when services-config.xml references HTTPProxyService.
3) Instructions on how to disable HTTPProxyService in services-config.xml.

- Josh

On 2023/01/10 00:03:04 Josh Tynjala wrote:
> Okay, some updates on my progress with BlazeDS.
> 
> - I made the necessary changes to remove the vulnerable xalan dependency.
> - I looked at the proxy module issue, where we need to replace the obsolete commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It seems to be non-trivial to upgrade. I'm not sure that we have much test coverage either, so there would be a certain amount of risk. I can see why Piotr said that we should exclude the proxy module from the release instead. I want to do a little bit of testing/investigation to see how much impact removing the proxy module might have.
> - I moved the OWASP dependency checker into a 'with-owasp' profile. We don't want that being a default part of the build because a failing build will be confusing for users that want to build from source, if any new CVEs are issued in the future. It should be mainly for our CI and release managers instead. It can be enabled by adding `-P with-owasp` to the `mvn install` command.
> - I replaced the 'flex-ci-build' profile with a new 'with-distribution' profile. It builds not only the source distribution, but also a **new** binary distribution, which we didn't have before. The binary distribution is identical to the source distribution, except that it also has a 'lib' directory that contains all of the built .jar files and their required dependencies.
> - I merged everything from security-updates into develop. I'll continue any further work on develop.
> 
> Folks, I need help with one thing: Do we have release manager instructions/checklist for BlazeDS? Thanks!
> 
> - Josh
> 
> On 2023/01/04 20:59:29 Josh Tynjala wrote:
> > I'd like to spend some time this month finishing up the recent BlazeDS
> > stuff so that we can get it released.
> > 
> > Can someone confirm that the changes listed here are still what should be
> > done? It looks straightforward enough.
> > 
> > https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
> > 
> > And which branch should I commit to? security-updates? develop? master?
> > Something else?
> > 
> > Thanks,
> > 
> > --
> > Josh Tynjala
> > Bowler Hat LLC <https://bowlerhat.dev>
> > 
> 
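A pre-upgrade check covering the three release-note items Josh lists, as an added example that is not BlazeDS project code: it flags services-config.xml entries that reference HTTPProxyService, tells the operator whether flex-messaging-proxy.jar is still present, and produces the config with those entries removed (the same effect as commenting them out). The sample config is constructed, and the check assumes the proxy service is declared inline rather than via a `<service-include>` file.

```python
"""Pre-upgrade check for a BlazeDS services-config.xml (added example, not
BlazeDS project code). Once flex-messaging-proxy.jar is gone, a <service>
of class flex.messaging.services.HTTPProxyService makes BlazeDS throw at
startup; find those, check for the jar, and emit a copy with them removed."""
import os
import xml.etree.ElementTree as ET

PROXY_CLASS = "flex.messaging.services.HTTPProxyService"
PROXY_JAR = "flex-messaging-proxy.jar"

# Constructed sample config, not taken from any real deployment.
SAMPLE_CONFIG = """<services-config>
  <services>
    <service id="remoting-service" class="flex.messaging.services.RemotingService"/>
    <service id="proxy-service" class="flex.messaging.services.HTTPProxyService">
      <properties><connection-manager/></properties>
    </service>
    <service id="message-service" class="flex.messaging.services.MessageService"/>
  </services>
</services-config>"""

def find_proxy_services(xml_text):
    """Ids of <service> elements that need the proxy module."""
    root = ET.fromstring(xml_text)
    return [s.get("id", "?") for s in root.iter("service")
            if s.get("class") == PROXY_CLASS]

def proxy_jar_present(lib_dir):
    """True if the (removed) proxy jar is still present in lib_dir."""
    return os.path.isfile(os.path.join(lib_dir, PROXY_JAR))

def disable_proxy_services(xml_text):
    """Config with every HTTPProxyService <service> removed. Assumption:
    the service is declared inline as on the page; <service-include>
    files are not followed."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):  # snapshot first, then mutate
        for child in list(parent):
            if child.tag == "service" and child.get("class") == PROXY_CLASS:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")

def report(xml_text, lib_dir):
    """One-line verdict for a config/lib pair before upgrading BlazeDS."""
    ids = find_proxy_services(xml_text)
    if not ids:
        return "no HTTPProxyService configured; proxy module removal has no effect"
    if proxy_jar_present(lib_dir):
        return f"services {ids} work only while {PROXY_JAR} stays on the classpath"
    return (f"services {ids} will fail at startup: flex.messaging.MessageException: "
            f"Cannot create class of type '{PROXY_CLASS}'. Type '{PROXY_CLASS}' not found.")

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG, "lib"))
    print(disable_proxy_services(SAMPLE_CONFIG))
```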

RE: BlazeDS release

Posted by Josh Tynjala <jo...@apache.org>.
After my commits today to remove the proxy module and clean up some things, I think we're pretty much ready to go for a new BlazeDS release. I don't have any further time to work on it this month, but I can make it happen in February.

- Josh

On 2023/01/10 07:22:22 Yishay Weiss wrote:
> Thanks for working on this.
> 
> Chris gave some guidelines [2] for the release process.
> 
> Maybe the plc4x check-list [1] is helpful?
> 
> [1] https://plc4x.apache.org/developers/release/release.html
> 
> [2]
> The release itself should be the normal Maven release process … you can see in the plc4x release documentation on how you need to configure your system:
> https://plc4x.apache.org/developers/release/release.html
> 
> 
> The short version of a release should be:
> 
> 
> 
> mvn release:prepare
> 
> 
> 
> mvn release:perform
> 
> And the plc4x documentation describes what has to be done in the nexus repo for staging and releasing the maven artifacts.
> 
> From: Josh Tynjala<ma...@apache.org>
> Sent: Tuesday, January 10, 2023 2:03 AM
> To: dev@flex.apache.org<ma...@flex.apache.org>
> Subject: Re: BlazeDS release
> 
> Okay, some updates on my progress with BlazeDS.
> 
> - I made the necessary changes to remove the vulnerable xalan dependency.
> - I looked at the proxy module issue, where we need to replace the obsolete commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It seems to be non-trivial to upgrade. I'm not sure that we have much test coverage either, so there would be a certain amount of risk. I can see why Piotr said that we should exclude the proxy module from the release instead. I want to do a little bit of testing/investigation to see how much impact removing the proxy module might have.
> - I moved the OWASP dependency checker into a 'with-owasp' profile. We don't want that being a default part of the build because a failing build will be confusing for users that want to build from source, if any new CVEs are issued in the future. It should be mainly for our CI and release managers instead. It can be enabled by adding `-P with-owasp` to the `mvn install` command.
> - I replaced the 'flex-ci-build' profile with a new 'with-distribution' profile. It builds not only the source distribution, but also a **new** binary distribution, which we didn't have before. The binary distribution is identical to the source distribution, except that it also has a 'lib' directory that contains all of the built .jar files and their required dependencies.
> - I merged everything from security-updates into develop. I'll continue any further work on develop.
> 
> Folks, I need help with one thing: Do we have release manager instructions/checklist for BlazeDS? Thanks!
> 
> - Josh
> 
> On 2023/01/04 20:59:29 Josh Tynjala wrote:
> > I'd like to spend some time this month finishing up the recent BlazeDS
> > stuff so that we can get it released.
> >
> > Can someone confirm that the changes listed here are still what should be
> > done? It looks straightforward enough.
> >
> > https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
> >
> > And which branch should I commit to? security-updates? develop? master?
> > Something else?
> >
> > Thanks,
> >
> > --
> > Josh Tynjala
> > Bowler Hat LLC <https://bowlerhat.dev>
> >
> 
> 

RE: BlazeDS release

Posted by Josh Tynjala <jo...@apache.org>.
Thanks, Yishay. I'll check it out.

- Josh

On 2023/01/10 07:22:22 Yishay Weiss wrote:
> Thanks for working on this.
> 
> Chris gave some guidelines [2] for the release process.
> 
> Maybe the plc4x check-list [1] is helpful?
> 
> [1] https://plc4x.apache.org/developers/release/release.html
> 
> [2]
> The release itself should be the normal Maven release process … you can see in the plc4x release documentation on how you need to configure your system:
> https://plc4x.apache.org/developers/release/release.html
> 
> 
> The short version of a release should be:
> 
> 
> 
> mvn release:prepare
> 
> 
> 
> mvn release:perform
> 
> And the plc4x documentation describes what has to be done in the nexus repo for staging and releasing the maven artifacts.
> 
> From: Josh Tynjala<ma...@apache.org>
> Sent: Tuesday, January 10, 2023 2:03 AM
> To: dev@flex.apache.org<ma...@flex.apache.org>
> Subject: Re: BlazeDS release
> 
> Okay, some updates on my progress with BlazeDS.
> 
> - I made the necessary changes to remove the vulnerable xalan dependency.
> - I looked at the proxy module issue, where we need to replace the obsolete commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It seems to be non-trivial to upgrade. I'm not sure that we have much test coverage either, so there would be a certain amount of risk. I can see why Piotr said that we should exclude the proxy module from the release instead. I want to do a little bit of testing/investigation to see how much impact removing the proxy module might have.
> - I moved the OWASP dependency checker into a 'with-owasp' profile. We don't want that being a default part of the build because a failing build will be confusing for users that want to build from source, if any new CVEs are issued in the future. It should be mainly for our CI and release managers instead. It can be enabled by adding `-P with-owasp` to the `mvn install` command.
> - I replaced the 'flex-ci-build' profile with a new 'with-distribution' profile. It builds not only the source distribution, but also a **new** binary distribution, which we didn't have before. The binary distribution is identical to the source distribution, except that it also has a 'lib' directory that contains all of the built .jar files and their required dependencies.
> - I merged everything from security-updates into develop. I'll continue any further work on develop.
> 
> Folks, I need help with one thing: Do we have release manager instructions/checklist for BlazeDS? Thanks!
> 
> - Josh
> 
> On 2023/01/04 20:59:29 Josh Tynjala wrote:
> > I'd like to spend some time this month finishing up the recent BlazeDS
> > stuff so that we can get it released.
> >
> > Can someone confirm that the changes listed here are still what should be
> > done? It looks straightforward enough.
> >
> > https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
> >
> > And which branch should I commit to? security-updates? develop? master?
> > Something else?
> >
> > Thanks,
> >
> > --
> > Josh Tynjala
> > Bowler Hat LLC <https://bowlerhat.dev>
> >
> 
> 

RE: BlazeDS release

Posted by Yishay Weiss <yi...@hotmail.com>.
Thanks for working on this.

Chris gave some guidelines [2] for the release process.

Maybe the plc4x check-list [1] is helpful?

[1] https://plc4x.apache.org/developers/release/release.html

[2]
The release itself should be the normal Maven release process … you can see in the plc4x release documentation on how you need to configure your system:
https://plc4x.apache.org/developers/release/release.html


The short version of a release should be:



mvn release:prepare



mvn release:perform

And the plc4x documentation describes what has to be done in the nexus repo for staging and releasing the maven artifacts.

From: Josh Tynjala<ma...@apache.org>
Sent: Tuesday, January 10, 2023 2:03 AM
To: dev@flex.apache.org<ma...@flex.apache.org>
Subject: Re: BlazeDS release

Okay, some updates on my progress with BlazeDS.

- I made the necessary changes to remove the vulnerable xalan dependency.
- I looked at the proxy module issue, where we need to replace the obsolete commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It seems to be non-trivial to upgrade. I'm not sure that we have much test coverage either, so there would be a certain amount of risk. I can see why Piotr said that we should exclude the proxy module from the release instead. I want to do a little bit of testing/investigation to see how much impact removing the proxy module might have.
- I moved the OWASP dependency checker into a 'with-owasp' profile. We don't want that being a default part of the build because a failing build will be confusing for users that want to build from source, if any new CVEs are issued in the future. It should be mainly for our CI and release managers instead. It can be enabled by adding `-P with-owasp` to the `mvn install` command.
- I replaced the 'flex-ci-build' profile with a new 'with-distribution' profile. It builds not only the source distribution, but also a **new** binary distribution, which we didn't have before. The binary distribution is identical to the source distribution, except that it also has a 'lib' directory that contains all of the built .jar files and their required dependencies.
- I merged everything from security-updates into develop. I'll continue any further work on develop.

Folks, I need help with one thing: Do we have release manager instructions/checklist for BlazeDS? Thanks!

- Josh

On 2023/01/04 20:59:29 Josh Tynjala wrote:
> I'd like to spend some time this month finishing up the recent BlazeDS
> stuff so that we can get it released.
>
> Can someone confirm that the changes listed here are still what should be
> done? It looks straightforward enough.
>
> https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
>
> And which branch should I commit to? security-updates? develop? master?
> Something else?
>
> Thanks,
>
> --
> Josh Tynjala
> Bowler Hat LLC <https://bowlerhat.dev>
>


Re: BlazeDS release

Posted by Josh Tynjala <jo...@apache.org>.
Okay, some updates on my progress with BlazeDS.

- I made the necessary changes to remove the vulnerable xalan dependency.
- I looked at the proxy module issue, where we need to replace the obsolete commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It seems to be non-trivial to upgrade. I'm not sure that we have much test coverage either, so there would be a certain amount of risk. I can see why Piotr said that we should exclude the proxy module from the release instead. I want to do a little bit of testing/investigation to see how much impact removing the proxy module might have.
- I moved the OWASP dependency checker into a 'with-owasp' profile. We don't want that being a default part of the build because a failing build will be confusing for users that want to build from source, if any new CVEs are issued in the future. It should be mainly for our CI and release managers instead. It can be enabled by adding `-P with-owasp` to the `mvn install` command.
- I replaced the 'flex-ci-build' profile with a new 'with-distribution' profile. It builds not only the source distribution, but also a **new** binary distribution, which we didn't have before. The binary distribution is identical to the source distribution, except that it also has a 'lib' directory that contains all of the built .jar files and their required dependencies.
- I merged everything from security-updates into develop. I'll continue any further work on develop.

Folks, I need help with one thing: Do we have release manager instructions/checklist for BlazeDS? Thanks!

- Josh

On 2023/01/04 20:59:29 Josh Tynjala wrote:
> I'd like to spend some time this month finishing up the recent BlazeDS
> stuff so that we can get it released.
> 
> Can someone confirm that the changes listed here are still what should be
> done? It looks straightforward enough.
> 
> https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
> 
> And which branch should I commit to? security-updates? develop? master?
> Something else?
> 
> Thanks,
> 
> --
> Josh Tynjala
> Bowler Hat LLC <https://bowlerhat.dev>
> 

Re: BlazeDS release

Posted by Harbs <ha...@gmail.com>.
Sounds good to me.

> On Jan 5, 2023, at 11:06 PM, Josh Tynjala <jo...@apache.org> wrote:
> 
> I figured out the necessary changes on my local computer, tests are passing, and it seems to be successfully exchanging messages with clients, so I'm ready to commit. As I mentioned, I just need to know the expected branch. I'm leaning toward security-updates, but I'm not sure.
> 
> - Josh
> 
> On 2023/01/04 20:59:29 Josh Tynjala wrote:
>> I'd like to spend some time this month finishing up the recent BlazeDS
>> stuff so that we can get it released.
>> 
>> Can someone confirm that the changes listed here are still what should be
>> done? It looks straightforward enough.
>> 
>> https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
>> 
>> And which branch should I commit to? security-updates? develop? master?
>> Something else?
>> 
>> Thanks,
>> 
>> --
>> Josh Tynjala
>> Bowler Hat LLC <https://bowlerhat.dev>
>> 


Re: BlazeDS release

Posted by Josh Tynjala <jo...@apache.org>.
I figured out the necessary changes on my local computer, tests are passing, and it seems to be successfully exchanging messages with clients, so I'm ready to commit. As I mentioned, I just need to know the expected branch. I'm leaning toward security-updates, but I'm not sure.

- Josh

On 2023/01/04 20:59:29 Josh Tynjala wrote:
> I'd like to spend some time this month finishing up the recent BlazeDS
> stuff so that we can get it released.
> 
> Can someone confirm that the changes listed here are still what should be
> done? It looks straightforward enough.
> 
> https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
> 
> And which branch should I commit to? security-updates? develop? master?
> Something else?
> 
> Thanks,
> 
> --
> Josh Tynjala
> Bowler Hat LLC <https://bowlerhat.dev>
>