On 15/10/2015 02:03, Fjodor Versinin wrote:
> Hi! Actually, I would like to continue to work on this, but not in
> GSOC scope anymore, because that experience was too stressful for
> me. What about current JASPIC implementation, it is almost ready, so
> I think it would be better to keep already written code than rewriting
> it from scratch. What about security, I'm not sure, but this code
> has been accepted during the summer time, it has not been changed since
> then. Security must be on the same level, I hope so.

It isn't really a case of re-writing from scratch but of validating that
the new code is secure. The nature of the code is that a very small
change could introduce a very large security hole.

Because this code is security related it requires a degree of trust in
the source. That trust was eroded when you disappeared without any
communication immediately you passed the mid-term evaluation.

There are two ways the code could be validated. The first is to examine
line, by line, every commit based on your contributed patches. That
would be extremely time consuming. The faster way is to use your patches
as a guide to independently re-create the patches.

Given that the changes need to be ported to the
org.apache.catalina.authenticator package from their current
sub-package, it looks like the best way forward is to combine that
process with validating the code in the jaspic sub-package. That way you
can continue to provide patches/pull-requests against the jaspic
sub-package and the review / porting work can progress independently.
When both are complete we can simply remove the jaspic sub-package.

> However, some
> places of old auth valves should be rewritten in a more readable way.

I'd recommend keeping re-factoring and JASPIC implementation separate.
By all means progress them in parallel but don't mix the purpose of the
patches.

Mark

>
> Fjodor
>
> ---- Mark Thomas wrote ----
>
>> On 14/10/2015 13:00, Arjan Tijms wrote:
>>> Hi there,
>>>
>>> Haven't seen updates for some time here. Wonder what the current
>>> status is and what exactly happened in the last months. Last
>>> commits in the Tomcat repo are from 3 months ago.
>>
>> The GSoC student took the money and ran at the mid-term evaluation.
>> I should have gone with my first instinct which was to fail them at
>> the mid-term due to lack of effort.
>>
>> Getting back to this is on my TODO list for Tomcat 9. I plan to
>> remove the GSoC work and start again from scratch. While that might
>> seem excessive I simply do not trust the refactoring that Fjodor
>> completed is secure. It will be quicker to re-do the work myself
>> than it will be to check the refactoring line by line.
>>
>> Mark
>>
>>>
>>> Kind regards, Arjan Tijms