Description
Environment
Activity
Tom Zeller May 21, 2021 at 3:58 PMEdited
Discussed on today's dev call : https://wiki.shibboleth.net/confluence/display/DEV/2021-05-21
Next steps :
work through and write up how-to on deploying OpenSAML V3.4.6 and V4 as well as IdP V4 to Maven Central
report back on next dev call including summary of options
Consensus so far was that artifacts in Maven Central under our domains (org/opensaml and net/shibboleth) should be signed with our keys.
Tom Zeller May 18, 2021 at 6:12 PM
Last week we gained control of org/opensaml and net/shibboleth on Maven Central. My OSSRH account was granted access to deploy artifacts and all other accounts were revoked.
What's next is a good question.
I think the existing artifacts on Maven Central should be removed or renamed (to a different group ID).
Might be easier to work with support at OSSRH if we decided to publish artifacts to Maven Central ourselves.
But if we don't, and the current artifacts are removed, then I assume our Nexus instance would see greater usage / load. Also, taking down our Nexus instance for maintenance could break other people's builds / jobs. The OSSRH statistics do not provide much detail, but lead me to believe there is a lot of downloading going on.
Tom Zeller April 26, 2021 at 5:47 PM
The net.shibboleth artifacts in Maven Central appear to be those required to build OpenSAML :
https://repo.maven.apache.org/maven2/net/shibboleth/
https://repo.maven.apache.org/maven2/net/shibboleth/ext
https://repo.maven.apache.org/maven2/net/shibboleth/parent
https://repo.maven.apache.org/maven2/net/shibboleth/parent-v3
https://repo.maven.apache.org/maven2/net/shibboleth/utilities
Something went wrong on our end
If this keeps happening, share this information with your admin, who should contact support.
Hash D3XM4T
Trace 8ccaf2f9403147cf88bc798593956753
Submitted request to claim ownership in Maven Central of net.shibboleth and org.opensaml :
https://issues.sonatype.org/browse/OSSRH-68054