Call for vote: xml-security-c-2.0.0

["Cantor, Scott" <ca...@osu.edu>]

I'd like to ask for a vote to release RC3, posted at [1], as the final release of V2.0.0 of the C++ Santuario library. It was built from svn revision 1833740 of the trunk.

There are no features removed from this release, though some APIs have been removed to hide unrelated details and to eliminate a lot of enumerations in the library and replace them with the full XML-Signature/Encryption standard URIs for better extensibility. Applications using the older version will require generally minor changes to use this version. The old version will not be maintained by me beyond the end of 2018 at the latest, and likely sooner, it depends on my project's timelines.

This release formally deprecates the XKMS support and the NSS and WinCAPI security library support pending the appearance of a maintainer for those sections of code (and the XKMS support can now be compiled out as an option). I would note that both the NSS and WinCAPI support are lacking in capability, in some cases not offering any "considered-secure" algorithms for particular functions, so this is more of a mercy killing than an act of hostile intent.

This is my +1.

-- Scott

[1] https://dist.apache.org/repos/dist/dev/santuario/c-library/

Re: Call for vote: xml-security-c-2.0.0

["Cantor, Scott" <ca...@osu.edu>]

On 6/22/18, 12:39 PM, "Colm O hEigeartaigh" <co...@apache.org> wrote:

> Ubuntu 18.04 bionic. 

I have not tested Ubuntu but if there's a vagrant VM for it I'll try a quick test later.

> It's not a big deal though if it works on other platforms. If you want I can create a JIRA for it?

Not necessary, I'll hold the vote until I have a chance to check it.

> It's more normal at Apache to create a tag and call a vote referencing the tag. That way no changes are allowed 
> afterwards to the artifacts we are voting on. But it's fine here so long as you do it after.

The problem is then if the vote fails, I can't release that version later without violating the assumption you're trying to prevent being violated, so I believe the revision is the only real point of reference we have.

> Yes my mistake, I missed the first sentence in it.

I'll revise if we end up fixing something.

-- Scott

Re: Call for vote: xml-security-c-2.0.0

[Colm O hEigeartaigh <co...@apache.org>]

On Fri, Jun 22, 2018 at 5:17 PM, Cantor, Scott <ca...@osu.edu> wrote:

>
> On what OS?
>
> It's been built all over the place at this point. There's not likely I lot
> I can do to debug it unless I have access to the OS involved, and my list
> of supported ones is fairly narrow, but I'll do what I can. It isn't a
> general bug on at least RH5+, SUSE 11+, Debian, Mac, and Windows.
>

Ubuntu 18.04 bionic.
g++ (Ubuntu 7.3.0-16ubuntu3) 7.3.0
GNU Make 4.1

It's not a big deal though if it works on other platforms. If you want I
can create a JIRA for it?


>
> > * Could you create an official SVN Tag for the release as well?
>
> Not until it's released. I believe it is wrong to ever touch a tag after
> it's produced, so by definition I can't tag something that hasn't been
> released. The tag would be a copy of the noted revision, pending me making
> the change to the change log or fixing something else.
>

It's more normal at Apache to create a tag and call a vote referencing the
tag. That way no changes are allowed afterwards to the artifacts we are
voting on. But it's fine here so long as you do it after.


>
> > * The CHANGELOG is not updated for 2.0.0.
>
> I thought I had gutted that to not contain anything needing update but
> I'll correct if not. I don't want to have to touch files like that when new
> versions come out.
>

Yes my mistake, I missed the first sentence in it.

Colm.


>
> -- Scott
>
>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Call for vote: xml-security-c-2.0.0

["Cantor, Scott" <ca...@osu.edu>]

On 6/22/18, 6:37 AM, "Colm O hEigeartaigh" <co...@apache.org> wrote:

> When trying to build the source distribution with "make" I get an error:

On what OS?

It's been built all over the place at this point. There's not likely I lot I can do to debug it unless I have access to the OS involved, and my list of supported ones is fairly narrow, but I'll do what I can. It isn't a general bug on at least RH5+, SUSE 11+, Debian, Mac, and Windows.

> * Could you create an official SVN Tag for the release as well? 

Not until it's released. I believe it is wrong to ever touch a tag after it's produced, so by definition I can't tag something that hasn't been released. The tag would be a copy of the noted revision, pending me making the change to the change log or fixing something else.

> * Also don't forget to include digests

That's just a release issue, I would do that once the actual publication is done.

> * The CHANGELOG is not updated for 2.0.0.

I thought I had gutted that to not contain anything needing update but I'll correct if not. I don't want to have to touch files like that when new versions come out.

-- Scott

Re: Call for vote: xml-security-c-2.0.0

["Cantor, Scott" <ca...@osu.edu>]

>* The CHANGELOG is not updated for 2.0.0.

I was correct. It already says "see issue tracker, and has for the last several releases". I'm happy to remove the file outright for a 2.0.0 release if preferred but I won't keep it up to date inside the distribution, it's just duplicative work.

I'll await more info on the build issue you ran into.

-- Scott

Re: Call for vote: xml-security-c-2.0.0

[Colm O hEigeartaigh <co...@apache.org>]

Hi Scott,

When trying to build the source distribution with "make" I get an error:

g++ -DHAVE_CONFIG_H   -I.. -I.. -DXSEC_BUILDING_TOOLS     -Wall  -O2
-DNDEBUG -pthread -MT tools/templatesign/xsec_templatesign-templatesign.o
-MD -MP -MF tools/templatesign/.deps/xsec_templatesign-templatesign.Tpo -c
-o tools/templatesign/xsec_templatesign-templatesign.o `test -f
'tools/templatesign/templatesign.cpp' || echo
'./'`tools/templatesign/templatesign.cpp
tools/templatesign/templatesign.cpp: In function ‘int main(int, char**)’:
tools/templatesign/templatesign.cpp:786:13: error: ‘hmacKey’ was not
declared in this scope
             hmacKey->setKey((unsigned char *) argv[paramCount + 1],
(unsigned int) strlen(argv[paramCount + 1]));
             ^~~~~~~

A few other points (none of them blocking):

 * Could you create an official SVN Tag for the release as well?
 * Also don't forget to include digests
 * The CHANGELOG is not updated for 2.0.0.

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

On Wed, Jun 20, 2018 at 5:54 PM, Cantor, Scott <ca...@osu.edu> wrote:

> I'd like to ask for a vote to release RC3, posted at [1], as the final
> release of V2.0.0 of the C++ Santuario library. It was built from svn
> revision 1833740 of the trunk.
>
> There are no features removed from this release, though some APIs have
> been removed to hide unrelated details and to eliminate a lot of
> enumerations in the library and replace them with the full
> XML-Signature/Encryption standard URIs for better extensibility.
> Applications using the older version will require generally minor changes
> to use this version. The old version will not be maintained by me beyond
> the end of 2018 at the latest, and likely sooner, it depends on my
> project's timelines.
>
> This release formally deprecates the XKMS support and the NSS and WinCAPI
> security library support pending the appearance of a maintainer for those
> sections of code (and the XKMS support can now be compiled out as an
> option). I would note that both the NSS and WinCAPI support are lacking in
> capability, in some cases not offering any "considered-secure" algorithms
> for particular functions, so this is more of a mercy killing than an act of
> hostile intent.
>
> This is my +1.
>
> -- Scott
>
> [1] https://dist.apache.org/repos/dist/dev/santuario/c-library/
>
>
>