Hi Leif,
I added 2 pipes to buildin.py:
- publish_html creates static HTML views of IDPs and SPs, using XSLT based on Peter Schober’s alternative to MET;
- publish_split: similar to store, but added validUntil and creates signed XML-file per EntityDescriptor. This can be consumed dynamically by ADFS in an IDP role.
I put it directly into buildin.py because it shares some code with the sign pipe. Is this viable from your PoV - if yes, I would make an PR.
Cheers, Rainer
Hi all,
being part of Commons Conservancy brought up yet another subject,
which is whether we should add a header with license information in
every file in the projects under idpy. This is not something done in
an abstract way, there is a specific format modelling this information
(see https://spdx.org/ and https://reuse.software/ - more specifically
https://reuse.software/practices/2.0/) Still, I find it problematic.
We want to open up the question to the wider community and consider
their thoughts on this. The forwarded message below is discussing this
subject. You can see the question we posed, the answer we got and my
comments. Feel free to tell us what you think on this.
---------- Forwarded message ---------
Date: Thu, 16 May 2019 at 09:56
> ---------- Forwarded message ----------
> Date: May 8, 2019, 8:15 AM -0700
>
> > Why does CC think having a single license file per project is
> > insufficient? Our thought is that if we can avoid adding a header to
> > every single file, that would be nice, esp. given we already have this
> > info in the license file and we have the Note Well.
>
>
> this is not just our opinion, but something that is an industry and
> community standard for legal compliance these days. When companies like
> Siemens, Samsung or Honeywell use some code in one of the hundreds or
> thousands of devices and systems in their product line, they need to be
> able to provide the correct license and a download of the exact version.
> This means machine readability too.
>
I've actually observed the opposite of that. Communities abandon the
"license in every file" model, and just use a single LICENSE file in
the root of the project. The LICENSE file contains license
information, that is, it is not a single license but it has exception
sections and so on.
> To quote from https://reuse.software/practices/2.0/ :
>
> Scroll to the section "2. Include a copyright notice and license in each
> file"...
>
> "Source code files are often reused across multiple projects, taken from
> their origin and repurposed, or otherwise end up in repositories where
> they are separate from its origin. You should therefore ensure that all
> files in your project have a comment header that convey that file’s
> copyright and license information: Who are the copyright holders and
> under which license(s) do they release the file?
>
Continuing from above, the standardization of package-management
formats and tools has helped exactly with that: to avoid distribution
of single files, and instead provide packages and modules. It is bad
practice and considered a hack to copy files. Nobody liked that model
and everyone is moving away; it is unstructured, it becomes
unmanageable and it will cause problems.
> It is highly recommended that you keep the format of these headers
> consistent across your files. It is important, however, that you do not
> remove any information from headers in files of which you are not the
> sole author.
>
> You must convey the license information of your source code file in a
> standardised way, so that computers can interpret it. You can do this
> with an SPDX-License-Identifier tag followed by an SPDX expression
> defined by the SPDX specifications."
>
> (the text goes on for a while after this, to clarify the point but this
> is the basic gist of it)
>
> There is a nice Python tool to check:
>
> https://github.com/fsfe/reuse-tool
>
> I hope this makes sense
>
Well, it does not make complete sense. We're talking about licensing a
project. A project is not just code; there are data files (html, xml,
yaml, json files), binary files (archives/zip, images, audio, video,
etc), text files (configs, ini-files, etc) all "not-code". How do you
mark those files? Does the LICENSE file need a license-header? The
json format does not define comments, how do you add a header there?
If a binary file does not get a license header, why should a file with
code get one?
I would expect there to be a way to have the needed information
unified. If the files themselves cannot provide this information it
has to be external; thus the LICENSE file. If someone is worried about
somebody else re-using single files that do not have license
information (a python file, a png image, etc) there is really nothing
you can do (the DRM industry has been trying to solve for a long time;
and still your best bet is "social DRM").
Since, we're developing on open source with a permissive license, even
if someone does that, should we be happy that someone is actually
using what we built or sad that the files they copied did not have a
license header? And if they include the license information of that
copied file in their project's LICENSE file, is this solved?
Having pointed these contradictions, I am thinking that the "license
in every file" model seems to be a step backwards. It is introducing
overhead and does not really solve the problem, while at the same time
it enables a culture of bad practice (copying files around).
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
Attendees: Johan, Shayna, Matthew, Hannah
Due to the absence of the key developers, we talked about Matthew's work in
python release engineering with gihub actions, and how we can potentially
improve the build process / user experience in deploying docker
container-based tools (in many areas, not just the idpy world).
Next meeting is 5 December 2023.
Attendees: Johan, Shayna, Scott, Ivan, Roland, Matthew E.
0 - Agenda bash
1 - Project review
a. General -
b. OIDC libraries - https://github.com/IdentityPython (idpy-oidc,
JWTConnect-Python-CryptoJWT, etc) -
- Roland updated fedservice library to work again after some changes to
idpyoidc
- Roland is also working on openid4v (OID4VCI and OID4VP) package
testbed or example that will contain the normal components in a digital
wallet ecosystem.
- https://github.com/rohe/openid4v
- This is a moving target with specs changing from day to day
- satosa_oidcop / idpy-oidc issue on slack - about being threadsafe,
secrets not shared between threads. Keys were created on startup and not
saved to mongoDb. The fix is to make the secrets static with example
configuration.
https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/pull/47
- identity assurance support for idpy-oidc:
https://github.com/IdentityPython/idpy-oidc/pull/83
- also fixes some tests.
- Waiting for Kostis to look at it. Giuseppe has approved.
c. Satosa - https://github.com/IdentityPython/SATOSA
- preparing a new release - with new OIDC backend - requirement to pull
in idpy-oidc
- Next step is to work on Roland's MR (
https://github.com/IdentityPython/SATOSA/pull/442) removing SAML
bits, replacing encryption and signing with cryptojwt. Then
crypto will be
the dependency and pysaml2 will not be a dependency. That will be a
separate, major release since it changes the default
dependencies. Include
messages so that when someone tries to import a module / use a
frontend or
backend without pulling in dependencies, they will get an error message.
- after this, consolidate SAML logout and OIDC logout
- Should think about introducing server side storage
- sql? One problem is manual cleanup required. But it is more clearly
defined.
- More specific to sessions - redis? Cleanup is handled nicely but
licensing may cause problems for some. It is "almost open
source". If it is
used in a commercial product under certain conditions, then
there is an
issue.
- Matthew prefers pure opensource solutions. Sql database helps
with clearly defined schema. Non-sql is hard to figure out.
- He has struggled with oidc figuring out how to do static
registration.
- Need to define the interface and define types - class that
defines how payload looks.
- There is also a documentation issue - someone who is
knowledgeable but new can't figure out how to do some
simple things. As
new things are developed and decisions made, Matthew will
help with the
documentation.
- Bottom line -the data model is missing.
- https://github.com/IdentityPython/SATOSA/issues/445
- passed on to Ali - concerns existing implementation of pyop and
some work that Ali had done
- Not sure if they will continue to do an work on pyop.
- There are other openMRs that need follow-up.
- Typing from Fredrik and Johan is still waiting - will get to it
after next release.
d. pySAML2 - https://github.com/IdentityPython/pysaml2
- Fixing MR/PR issues regarding changes in the modules and dependencies
used. Things like the python version changes, modules change
behavior, etc.
- https://github.com/IdentityPython/pysaml2/issues/917
- https://github.com/IdentityPython/pysaml2/issues/904
- https://github.com/IdentityPython/pysaml2/issues/934
- https://github.com/IdentityPython/pysaml2/issues/921
- user gets a response from idp - with attributes - one defines type
of value of attribute - within the type it mentions a prefix.
Prefix is
defined with an xml namespace. This is called QName
-awareness. The built
in xml parser removes the namespace.
- xsi:type - python parser is not QName-aware
- xpath - c implementation that python uses. Smaller than lxml
but limited.
- this can be fixed by using lxml, xml library with c-bindings,
but it also adds other issues and complexity. Has to be configured
correctly. To make this a compatible change is not easy.
- there is also a schema checker that may be of help. Ivan will
check with the developer.
- Ivan could make lxml an optional dependency.
- Ivan has done half the work but he is concerned about whether he
should invest more time.
- A fundamental issue is that python garbage collection does not
work well with C layer memory management. Deployers using
SATOSA with that
library would need to restart their servers frequently. For
example pyff ,
which uses lxml, needs to be restarted hourly in a production
Scott has.
- https://github.com/IdentityPython/pysaml2/pull/924
- need to get to this one - to configure the encryption algorithms.
Same should be done for signing algorithms.
- Issues around how temporary files are deleted - mostly affecting
Windows users. Proposal on how to make it independent of
platform. Usually
these temp files are certificates or templated xml that will be signed.
Ideally we could work in memory for these types of things.
e. Any other project (pyFF, djangosaml2, pyMDOC-CBOR, etc)
- Leif made two new pyff releases - 2.1.0 and 2.1.1. We should get him
to summarize the changes for us.
- RDCT/SCG is making a standalone seamless access deployment, using
pyff, thiss-mdq and thiss.js . Once in production it will be
packaged up in
a reusable way for others to deploy. Arlen Johnson is working on some of
the packaging and Hannah S will work on an all inclusive docker compose
project. Generalizing to contribute to docker official images library or
something similar.
2 - AOB
- Next meeting is 21 November 2023. There is a wallet meeting that day
but it is scheduled to be done by the time of this meeting.
