Sunday, October 28, 2012

Apache Karaf Update Oct 21 - Oct 27, 2012

In this Apache Karaf update report you'll find notes on development progress towards Apache Karaf 2.2.10, 2.3.1, and 3.0.0 as upcoming releases. All of the information here is collected by following Karaf's issues mailing list and cross-referencing with the community's issue tracker. The summary form is presented here courtesy of Savoir Technologies to help make keeping up with the community's fast pace a little easier.

Apache Karaf 2.2.10:


New Issues:
Karaf-1965 Release Apache Karaf 2.2.10

Resolved Issues:
Karaf-1963 incorrect statement in developers-guide/branding-console.html

Updated Issues:
N/A

Apache Karaf 2.3.1:


New Issues:
Karaf-1977 Upgrade to OSGi 4.3.1

Resolved Issues:
Karaf-1963 incorrect statement in developers-guide/branding-console.html
Karaf-1930 Upgrade to Pax Web 1.1.5

Updated Issues:
Karaf-1955 Upgrade to ServiceMix Specs 2.2

Apache Karaf 3.0.0:


New Issues:
Karaf-1966 Upgrade to Pax Web 3.0
Karaf-1977 Upgrade to OSGi 4.3.1

Resolved Issues:
Karaf-1963 incorrect statement in developers-guide/branding-console.html
Karaf-1334 Use the new servicemix spec to allow the use of both the JRE implementations and implementations from bundles

Updated Issues:
Karaf-1955 Upgrade to ServiceMix Specs 2.2

Un-versioned Issues:

Karaf-1938 Lock logic should wait for start level change to occur
Karaf-1968 Uninstalling jndi feature leads to hanging Karaf
Karaf-1972 karaf-maven-plugin should respect scope
Karaf-1973 NullPointerException when performing log:clear then log:tail
Karaf-1976 Shell attempts to execute sub-shell actions as commands

Saturday, October 27, 2012

Preparing for Apache Karaf 2.3.1

The first patch release of the Apache Karaf 2.3.x branch will soon be entering the planning phase (there is no immediate need for a patch; 2.3.0 is performing wonderfully!), so I'm preparing for the release management role.

To prepare I've selected a bottle of Marques de Casa Concha 2010 Pinot Noir to decant while listening to some Death From Above 1979 albums.

Current highlights of this patch include a multitude of dependency updates, such as updating to OSGi 4.3.1, Apache POM 11, Spring 3.1, Pax Web 1.1.5, and ServiceMix Specs 2.2. A complete change log will be created for the Release Candidate once the community is ready to put it to a vote.

The wine will of course only be sampled after being given proper time to breathe in its container, after the first release candidate has been uploaded for voting (see our release guide for more details on our process).

Unfortunately I can't share the wine with you, but I can share a few links to some DFA 1979 videos. I'm looking forward to starting the 2.3.1 release process soon.

I'll be posting updates to our Twitter stream (#karaf) and on our IRC channel (irc.codehaus.org #karaf).

Sunday, October 21, 2012

Apache Karaf Update Oct 14 - Oct 20, 2012

In this Apache Karaf update report you'll find notes on development progress towards Apache Karaf 2.2.10, 2.3.1, and 3.0.0 as upcoming releases. All of the information here is collected by following Karaf's issues mailing list and cross-referencing with the community's issue tracker. The summary form is presented here courtesy of Savoir Technologies to help make keeping up with the community's fast pace a little easier.

Announcements:

Apache Karaf 2.3.0 Released!

Apache Karaf 2.2.10:


New Issues:
N/A

Resolved Issues:
N/A

Updated Issues:
N/A

Apache Karaf 2.3.1:


New Issues:
Karaf-1921 Upgrade to Spring 3.1.x for Karaf 2.3.x
Karaf-1934 Release Apache Karaf 2.3.1
Karaf-1936 LDAPLoginModule not working in 2.3.0 due to missing import of javax.net.SocketFactory
Karaf-1939 ssh bundles should not be in startup.properties
Karaf-1940 admin/instance should be provided as a feature
Karaf-1941 Management bundles should not be in the startup.properties
Karaf-1952 Allow Karaf monitoring using host:port
Karaf-1955 Upgrade to ServiceMix Specs 2.2

Resolved Issues:
Karaf-1801 slf4j 1.7.0
Karaf-1924 Fix the WARN logs from starting a vanilla Karaf 2.3.0
Karaf-1933 Add id for Maven repository
Karaf-1117 Remove workaround for KARAF-1117
Karaf-1949 console shutdown -f hang

Updated Issues:
Karaf-1930 Upgrade to Pax Web 1.1.5


Apache Karaf 3.0.0:


New Issues:
Karaf-1512 enhancement: add self to generated feature in "features-generate-descriptor" goal
Karaf-1936 LDAPLoginModule not working in 2.3.0 due to missing import of javax.net.SocketFactory
Karaf-1940 admin/instance should be provided as a feature
Karaf-1952 Allow Karaf monitoring using host:port
Karaf-1955 Upgrade to ServiceMix Specs 2.2

Resolved Issues:
Karaf-1801 slf4j 1.7.0
Karaf-1893 Upgrade to Jetty 8.1.7.v20120910
Karaf-1903 Refactore osgicore and osgicompendium modules
Karaf-1900 create project for private compendium build for java 7
Karaf-1933 Add id for Maven repository
Karaf-1117 Remove workaround for KARAF-1117
Karaf-1655 ManagementCfg configuratoinPointers in tooling-exam are incorrect
Karaf-1489 Add an itest showing how to correctly use tinybundles with provision in paxexam-karaf

Updated Issues:
Karaf-1835 NPE in jaas:realm-manage command when multiple realm with the same name are present and not login module name is provided.
Karaf-1897 Use dynamic port allocation of integration tests

Un-versioned Issues:

Karaf-1925 Blueprint timeout exceptions after karaf startup
Karaf-1926 Web Console should show Blueprint status
Karaf-1928 Coloring in list shell command
Karaf-1927 Web Console bundles should be color coded
Karaf-1932 Color output in file logs
Karaf-1938 Lock logic should wait for start level change to occur
Karaf-1943 Add support to paxexam-karaf for testng
Karaf-1944 Add support to paxexam-karaf to attach jvm weavers to the process started
Karaf-1945 Add support to paxexam-karaf to support scanDir option for KarafTestContainer
Karaf-1946 Add pax-scanner & full pax-url support to paxexam-karaf
Karaf-1947 paxexam-karaf doesn't support to customize test probe
Karaf-1954 NullPointerException on custom Karaf shell command: ClassNotFoundException: org.apache.felix.service.command.Function not found
Karaf-1957 Allow to mark features as 'aggregate' features
Karaf-1902 Add a friendly option to point karaf-pax-exam to a already unpacked directory

Monday, October 15, 2012

Apache Karaf 2.3.0 Released!

The Apache Karaf team is pleased to announce the availability of Apache Karaf 2.3.0.


This release of Apache Karaf sets the stage for the 3.0.x line, introducing OSGi rev 4.3 support, new commands, features, improvements, and a multitude of dependency updates. At Karaf's core you'll find Equinox 3.8.0.v20120529-1548 and Apache Felix framework 4.0.3. New additions include karaf-pax-exam, commands backported from Karaf 3.x, command aliases to help make migrating between 2.3.x and 3.x easier, and a multitude of supporting library updates.

All of the updates seen in this kit would have broken compatibility if applied to the Karaf 2.2.x line, hence this new branch (command syntax remains the same, however, so it's part of the 2.x family; see Karaf 3.x for major changes).


For more information please see the release notes.

As discussed in my prior Apache Karaf 2.3.0 preparation post, I enjoyed listening to Esthero albums throughout the release process and was delighted to try the La Cour Pavillon Bordeaux Merlot - Cabernet Sauvignon 2009. I think the music and wine pairings are really working well for these releases; that being said, if anyone has suggestions for future music or wine selections, please post them below :)

Now that this 'dot oh' release is out, I can't wait for the upcoming 3.0.0.RC1! Rest assured that patches for 2.2.x and 2.3.x will continue (and in the latter case begin) on a regular basis.

Happy developing!

Sunday, October 14, 2012

Apache Karaf Update Oct 7 - Oct 13, 2012

In this Apache Karaf update report you'll find notes on development progress towards Apache Karaf 2.2.10, 2.3.0, and 3.0.0 as upcoming releases. All of the information here is collected by following Karaf's issues mailing list and cross-referencing with the community's issue tracker. The summary form is presented here courtesy of Savoir Technologies to help make keeping up with the community's fast pace a little easier.

Apache Karaf 2.2.10:

New Issues:
N/A

Resolved issues:
Karaf-1911 Wrong version of camel-example-osgi in Getting Started/Quickstart Guide - 2.7.0 doesn't work
Karaf-1915 ClassCastException when uninstalling war feature
Karaf-1853 Attached kar deploys to a different snapshot build number than the main artifact
Karaf-1917 upgrade to pax-web 1.0.12

Updated issues:
N/A

Apache Karaf 2.3.0:


New Issues:
N/A

Resolved issues:
Karaf-1226 Karaf Client cannot run a script
Karaf-1904 Upgrade to Mina 2.0.7
Karaf-1878 Feature bundle start up order by startLvl
Karaf-1905 ASM4 causes the Proxy/Weaving of Xerces, but that then causes validation factories to fail.
Karaf-1906 Compile error using IBM JDK on JAAS module.
Karaf-1907 Compile error: type ServiceReference does not take parameters on OSGi Shell ListBundleServices using JDK 7
Karaf-1354 SSH Log-In failes with "Authentication failed" with valid credentials
Karaf-1908 Upgrade to XBean 3.12
Karaf-1909 Compile error using IBM JDK on management mbeans SystemMBeanImpl
Karaf-1907 Compile error: type ServiceReference does not take parameters on OSGi Shell ListBundleServices using JDK 7
Karaf-1910 Provide Spring 3.1.2.RELEASE features
Karaf-1911 Wrong version of camel-example-osgi in Getting Started/Quickstart Guide - 2.7.0 doesn't work
Karaf-1912 Test failures in itest.OsgiTest as aries proxy api is not bundle id 10 anymore
Karaf-1853 Attached kar deploys to a different snapshot build number than the main artifact

Updated issues:
Karaf-1336 Release Apache Karaf 2.3.0
Karaf-1563 Support clean-all & clean-cache directly in karaf main jar

Apache Karaf 3.0.0:

New Issues:
Karaf-1903 Refactore osgicore and osgicompendium modules

Resolved issues:
Karaf-1226 Karaf Client cannot run a script
Karaf-1904 Upgrade to Mina 2.0.7
Karaf-1878 Feature bundle start up order by startLvl
Karaf-1905 ASM4 causes the Proxy/Weaving of Xerces, but that then causes validation factories to fail.
Karaf-1354 SSH Log-In failes with "Authentication failed" with valid credentials
Karaf-1908 Upgrade to XBean 3.12
Karaf-1914 SSH client authentication randomly fails
Karaf-1853 Attached kar deploys to a different snapshot build number than the main artifact

Updated issues:
Karaf-1900 create project for private compendium build for java 7
Karaf-1563 Support clean-all & clean-cache directly in karaf main jar
Karaf-1887 Make integration tests more reliable by making sure the boot is finished

Un-versioned Issues:

Karaf-1901 Camel stream:out route destination freezes console if you try to stop or uninstall it
Karaf-1913 https://issues.apache.org/jira/browse/KARAF-1913

Friday, October 12, 2012

Preparing for Apache Karaf 2.2.10

The tenth maintenance release of the Apache Karaf 2.2.x branch will soon be entering the planning phase, so I'm preparing for the release management role.

To prepare I've selected a bottle of Robert Skalli Reserve Cabernet Sauvignon 2009 to decant while listening to some Alexisonfire albums.

Current highlights of this patch include better Windows client support, improved SSH support on certain *nix systems, and an improvement to the features install sequence (install, install, install... start, start, start). Of course there will also be dependency updates such as moving to pax-logging 1.6.10, Spring 2.5.6.SEC03, and pax-web 1.0.12. A complete change log will be created for the Release Candidate once the community is ready to put it to a vote.

The wine will of course only be sampled after being given proper time to breathe in its container, after the first release candidate has been uploaded for voting (see our release guide for more details on our process).

Unfortunately I can't share the wine with you, but I can share a few links to some Alexisonfire videos. I'm looking forward to starting the 2.2.10 release process soon.

I'll be posting updates to our Twitter stream (#karaf) and on our IRC channel (irc.codehaus.org #karaf).

Sunday, October 7, 2012

Anatomy of an Apache vulnerability report

Working with Savoir Technologies I get the opportunity to travel around the world helping companies, institutions, and other organizations design, implement, and deploy large-scale software systems. A large aspect of these deployments is introducing Apache projects as the underlying infrastructure; in general these are Apache ServiceMix, Karaf, ActiveMQ, CXF, and Camel, as well as many other supporting libraries and frameworks. As part of this practice I've also taken to offering less formalized but highly attended lunch-and-learn sessions at the sites I've visited. A pair of these talks I've bundled into a presentation I delivered at the BSides St. John's Security Conference 2012. In this post I'd like to share with you the first half of that talk, "Anatomy of an Apache vulnerability report". All of the information in this talk is available at the Apache Software Foundation's Security page (http://www.apache.org/security/); the talk's purpose is to raise awareness of the process for users and project communities alike.

Anatomy of an Apache vulnerability report

The Apache Software Foundation is home to over 190 projects as of this post's writing, among them some of the most widely deployed and relied-upon software packages in the world. Chances are you have some Apache software running somewhere within your organization. This leads to an important question that all organizations must ask: what do we do if we find a security vulnerability within one of these projects? Luckily, all Apache projects follow a common process for addressing such situations, producing a report that other users can follow to mitigate or resolve known issues.

There is an established process for reporting security vulnerabilities to an Apache project, which I'll now break down into its component parts:
  1. The reporter reports the vulnerability privately to security@project.apache.org or to security@apache.org.
  2. Messages that do not relate to the reporting or management of an undisclosed security vulnerability in Apache software are ignored and no further action is required.
  3. If reported to security@apache.org, the security team will forward the report (without acknowledging it) to the project's security list, or to the PMC private list if no security email list exists.
  4. The project team sends an email to the original reporter to acknowledge the report.
  5. The project team investigates the report and either rejects it or accepts it.
  6. If the report is rejected, the project team writes to the reporter to explain why.
  7. If the report is accepted, the project team writes to the reporter to let them know it is accepted and that they are working on a fix.
  8. The project team requests a Common Vulnerabilities and Exposures (CVE) number from security@apache.org by sending them an email with the subject "CVE request for..." and providing a short description of the vulnerability.
  9. The project team agrees the fix on their private list.
  10. The project team provides the reporter with a copy of the fix and a draft vulnerability announcement for comment.
  11. The project team agrees the fix, the announcement, and the release schedule with the reporter.
  12. The project team commits the fix.
  13. The project team creates a release that includes the fix.
  14. The project team announces the release and the vulnerability:
    • Typically this is sent to the reporter and to the project's user, dev, and announce lists.
    • security@apache.org, full-disclosure@lists.grok.org.uk, and bugtraq@securityfocus.com are notified.
    • The project security page is updated.
    • This is the first point at which any information is made public.
  15. The log for the svn commit that applied the fix is updated to include the CVE number.
Following this process, a Common Vulnerabilities and Exposures (CVE) report is recorded for the project. So what does a CVE report include? Let's take a look at an example (sample report: http://httpd.apache.org/security/CVE-2011-3192.txt):

  • Project website includes a page titled: ${Project Name} Security Advisory
  • Header: title, CVE number, last change, date created, product, versions affected.
  • Change log: brief updates on verification and resolution.
  • Description: describes the vulnerability and how it behaves on different versions.
  • Type of attack: DDoS, permission escalation, etc.
  • Background of the vulnerability.
  • The fix: which version the fix appears in.
  • Caveats: changes in behaviour.
  • Mitigation: approaches to mitigating the vulnerability in the absence of a fix.
  • OS and vendor specific information: platform specific reports and patches.
  • Actions: what users should do, and how to verify whether they are susceptible.
  • Planning: future work regarding this CVE.

Each CVE report contains the sections above, which should allow your organization to safely handle the challenges presented by any known issue.

I hope that by reviewing the reporting process and the contents of a CVE report, users, developers, administrators, and operators in all organizations gain more confidence in their use of Apache projects, knowing that the community has planned for the worst-case scenario and is prepared with processes and standards for addressing it in a timely manner.

Apache Karaf Update Sept 30 - Oct 6, 2012

In this Apache Karaf update report you'll find notes on development progress towards Apache Karaf 2.2.10, 2.3.0, and 3.0.0 as upcoming releases. All of the information here is collected by following Karaf's issues mailing list and cross-referencing with the community's issue tracker. The summary form is presented here courtesy of Savoir Technologies to help make keeping up with the community's fast pace a little easier.

Apache Karaf 2.2.10:

New Issues:
N/A

Resolved issues:
Karaf-1815 When ssh'ing from a windows box into a unix box, arrow keys are not correctly interpreted
Karaf-1849 Some files should not have the executable flag
Karaf-1814 Cursor keys do not work when using bin/client on windows
Karaf-1796 Feature Install Sequence Should Be Install/Install/Install...Start/Start/Start
Karaf-1759 No Way To Start obr Dependencies By Default
Karaf-1765 The obr Shell Deploy And Start Commands Always Deploy Optional Dependencies

Updated issues:
Karaf-1853 Attached kar deploys to a different snapshot build number than the main artifact

Apache Karaf 2.3.0:


New Issues:
Karaf-1878 Feature bundle start up order by startLvl

Resolved issues:
Karaf-1817 Upgrade to sshd 0.8.0
Karaf-1819 Upgrade to Mina 2.0.5
Karaf-1815 When ssh'ing from a windows box into a unix box, arrow keys are not correctly interpreted
Karaf-1868 Upgrade aries bundles to 1.0.1 (blueprint-core, jmx-core, transaction-manager, jpa-container-context)
Karaf-1862 Upgrade to Felix FileInstall 3.2.6
Karaf-1814 Cursor keys do not work when using bin/client on windows
Karaf-1888 Remove aliases by default
Karaf-1796 Feature Install Sequence Should Be Install/Install/Install...Start/Start/Start
Karaf-1759 No Way To Start obr Dependencies By Default
Karaf-1765 The obr Shell Deploy And Start Commands Always Deploy Optional Dependencies
Karaf-1890 Upgrade to Jetty 7.6.7.v20120910
Karaf-1883 Upgrade to ASM 4.0
Karaf-1859 Upgrade to ServiceMix Specs 2.1

Updated issues:
Karaf-1853 Attached kar deploys to a different snapshot build number than the main artifact
Karaf-1354 SSH Log-In failes with "Authentication failed" with valid credentials

Apache Karaf 3.0.0:

New Issues:
Karaf-1884 Upgrade exam to Pax Exam 2.6.0
Karaf-1886 Create transaction-jdbc and transaction-jms enterprise features
Karaf-1887 Make integration tests more reliable by making sure the boot is finished
Karaf-1893 Upgrade to Jetty 8.1.7.v20120910
Karaf-1878 Feature bundle start up order by startLvl
Karaf-1897 Change ports of integration tests

Resolved issues:
Karaf-1843 SystemMBean reboot(time, cleanup) operation always cleanup
Karaf-1817 Upgrade to sshd 0.8.0
Karaf-1819 Upgrade to Mina 2.0.5
Karaf-1815 When ssh'ing from a windows box into a unix box, arrow keys are not correctly interpreted
Karaf-1868 Upgrade aries bundles to 1.0.1 (blueprint-core, jmx-core, transaction-manager, jpa-container-context)
Karaf-1862 Upgrade to Felix FileInstall 3.2.6
Karaf-1814 Cursor keys do not work when using bin/client on windows
Karaf-1759 No Way To Start obr Dependencies By Default
Karaf-1765 The obr Shell Deploy And Start Commands Always Deploy Optional Dependencies
Karaf-1889 Change logging in FeaturesServiceImpl
Karaf-1896 itests.EnterpriseFeaturesTest.installApplicationWithoutIsolationFeature fails with NotSerializableException
Karaf-1897 Change ports of integration tests
Karaf-1859 Upgrade to ServiceMix Specs 2.1

Updated issues:
Karaf-608 Allow for multi-stage boot features installation
Karaf-1819 Upgrade to Mina 2.0.5
Karaf-1853 Attached kar deploys to a different snapshot build number than the main artifact
Karaf-1354 SSH Log-In failes with "Authentication failed" with valid credentials

Un-versioned Issues:

Karaf-1891 Document karaf manual for registering its own MBeans
Karaf-1892 intermittent problems with feature.xml manual deploy with install="auto"
Karaf-1894 Framework's active start level is set to org.osgi.framework.startlevel.beginning too early when launching Karaf with empty bundle cache
Karaf-1898 trunk does not compile on java 7 due to compendium 4.3.0 generics
Karaf-1899 setup jenkins to build trunk for both java 6 and java 7
Karaf-1900 create project for private compendium build for java 7
Karaf-1901 Camel stream:out route destination freezes console if you try to stop or uninstall it
Karaf-1902 Occasional freeze on feature:install webconsole