Posted to dev@river.apache.org by Peter Firmstone <pe...@zeus.net.au> on 2019/03/19 23:58:14 UTC

River Board Report

Hello River folk, please review / comment / suggest / changes for the 
draft board report for March below.

Regards,

Peter.

## Description:
  - Apache River provides a platform for dynamic discovery and lookup
     search of network services.  Services may be implemented in a number
     of languages, while clients are required to be JVM-based (presently at
     least), to allow proxy jvm byte code to be provisioned dynamically.

## Issues:
  - Answers to board questions:
idf: It's been a year since the last committer addition. Are there any
      new prospects?
  - Not at present, due to low activity and the complexity of the unique 
monolithic build system.  We are working to resolve this with a Maven 
modular build structure.

rs: given 12 vs 16 members of PMC and committership roster, is there
     anything preventing the remaining 4 committers to consider
     joining the PMC?
  - There are no blockers, I will ask them to join the PMC.

## Activity:

  -  Minimal activity at present, initial work on the modular build 
structure has commenced.  The current monolithic build is complex, with 
its own build tool classdepandjar, it adds complexity for new 
developers. In recent months I have had work commitments that have 
limited my ability to integrate the modular build.  The other committers 
are waiting for the modular build and I have done a lot of work on this 
locally, this work has been a significant undertaking integrating the 
works of Dennis Reedy, Dan Rollo and myself.  This is also a mature 
codebase, having been in development since the late 1990's.

Release roadmap:

River 3.1 - Modular build restructure (& binary release)
River 3.2 - Input validation for Serialization, delayed unmarshalling &
safe ServiceRegistrar lookup service.
River 3.3 - OSGi support

## Health report:

  - River is a mature codebase with existing deployments, it was 
primarily designed for dynamic discovery of services on private 
networks.  IPv4 NAT limitations historically prevented the use of River 
on public networks, however the use of IPv6 on public networks removes 
these limitations.  Web services evolved with the publish subscribe 
model of today's internet, River has the potential to dynamically 
discover services on IPv6 networks, peer to peer, blurring current 
distinctions between client and server, it has the potential to address 
many of the security issues currently experienced with IoT and avoid any 
dependency on the proprietary cloud for "things".

- Future Direction:

    * Target IoT space with support for OSGi and IPv6 (security fixes
      required prior to announcement)
    * Input validation for Java deserialization - prevents DoS and
      Gadget attacks.
    * IPv6 Multicast Service Discovery (River currently only supports
      IPv4 multicast discovery).
    * Delayed unmarshalling for Service Lookup and Discovery (includes
      SafeServiceRegistrar mentioned in release roadmap), so
      authentication can occur prior to downloading service proxies,
      this addresses a long-standing security issue with service lookup
      while significantly improving performance under some use cases.
    * Security fixes for SSL endpoints, updated to TLS v1.2 with removal
      of support for insecure cyphers.
    * Secure TLS SocketFactories for RMI Registry, uses
      the currently logged in Subject for authentication.
      The RMI Registry still plays a minor role in service activation,
      this allows those who still use the Registry to secure it.
    * Maven build to replace existing Ant build that uses
      classdepandjar, a bytecode dependency analysis build tool.
    * Updating the Jini specifications.

## PMC changes:

  - Currently 12 PMC members.
  - No new PMC members added in the last 3 months
  - Last PMC addition was Dan Rollo on Fri Dec 01 2017

## Committer base changes:

  - Currently 16 committers.
  - No new committers added in the last 3 months
  - Last committer addition was Dan Rollo at Thu Nov 02 2017

## Releases:

  - Last release was River-3.0.0 on Thu Oct 06 2016

## /dist/ errors: 4
  - TODO - Developer certificates expired, investigate solution.   I 
created new certificates, prior to the expiry of my old certificates, 
should I re-sign the release artifacts with the new certificates?

## Mailing list activity:

  - Relatively quiet

  - dev@river.apache.org:
     - 89 subscribers (down -1 in the last 3 months):
     - 5 emails sent to list (9 in previous quarter)

  - user@river.apache.org:
     - 92 subscribers (up 0 in the last 3 months):
     - 1 emails sent to list (0 in previous quarter)