Davanum Srinivas' weblog: May 2005 Archives


May 20, 2005

Pitfalls of open source

Here's what you get for writing the only open source Web Services Security Implementation... Moral of the story: don't write open source code, apparently this is an easy task... and if you do in spite of my advice (oh man! you are in trouble), you need to make sure there is enough documentation that is up-to-date and *BE SURE* to answer *ALL* emails. If you don't, then here is what's gonna happen to you.




From: "Hamid Ben Malek" <HMalek@us.fujitsu.com>
To: shaz@bananacomputers.com
Subject: WSS4J Issue resolved
Date: Fri, 20 May 2005 12:05:42 -0700

Shaz,

Remember the NullPointerException I asked you about (the one you posted on wss4j mailing list but nobody answered you)? I had sent a request for help to the authors of WSS4J (copied here in this email), but none of them had the courtesy of answering back, not even to say something like “Don’t know”, or “Don’t have time to investigate”. That was very disappointing and shows a lack of professionalism. I am involved in tens of projects plus my involvement in developing Standard Specifications (at JCP, Oasis, etc…), and I did not have time to investigate that bug. If I had more time, I would have re-written a WSS implementation from scratch by myself.

 

Anyway, the bug was the result of very poor documentation. The person who listed the sample code at the end of the article http://ws.apache.org/ws-fx/wss4j/api.html forgot to mention that you need to call the method setUserInfo() on the encrypt and signer objects before trying to sign and/or encrypt a message. Having the Crypto object loaded from a crypto file in which you have specified the key alias and key password is not enough. You need to read these values (key alias and key password) from the crypto file and assign them to the signer and encrypt objects prior to signing/encrypting. Also, make sure you use the latest version of xmlsec (use this version xmlsec-1.2.1.jar) because previous version of xmlsec had a previous bug.

 

Regards,

 

Hamid.

 

--------------------------------------------------------------------------------------------------------------------------------------------------------

Exception:

- Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
java.lang.NullPointerException
        at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineGetCertificateChain(Unknown Source)
        at java.security.KeyStore.getCertificateChain(Unknown Source)
        at org.apache.ws.security.components.crypto.Merlin.getCertificates(Merlin.java:469)
        at org.apache.ws.security.message.WSSignEnvelope.build(WSSignEnvelope.java:249)
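
The fix the email describes, as an added example (not code from the email, this weblog or the WSS4J project): read the key alias and key password from the crypto file and pass them to setUserInfo() on the signer and encrypt objects before build(), reporting a missing value by name before any signing starts. The class name `SignThenEncrypt`, the two Merlin property names and loading the crypto file from the classpath are assumptions; the calls are those of the WSS4J 1.x API.

```java
import java.io.InputStream;
import java.util.Properties;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSEncryptBody;
import org.apache.ws.security.message.WSSignEnvelope;
import org.w3c.dom.Document;

public class SignThenEncrypt {
    // Assumed Merlin keys holding the key alias and key password in the crypto file.
    static final String ALIAS_KEY = "org.apache.ws.security.crypto.merlin.keystore.alias";
    static final String PASSWORD_KEY = "org.apache.ws.security.crypto.merlin.alias.password";

    /** Return a required property, or fail with an error that names what is missing. */
    static String require(Properties props, String key) {
        String value = props.getProperty(key);
        if (value == null || value.trim().length() == 0) {
            throw new IllegalStateException("crypto file has no value for " + key);
        }
        return value.trim();
    }

    static Properties load(String cryptoFile) throws Exception {
        InputStream in = SignThenEncrypt.class.getClassLoader().getResourceAsStream(cryptoFile);
        if (in == null) {
            throw new IllegalStateException(cryptoFile + " not found on the classpath");
        }
        try {
            Properties props = new Properties();
            props.load(in);
            return props;
        } finally {
            in.close();
        }
    }

    public static Document signThenEncrypt(Document envelope, String cryptoFile) throws Exception {
        Properties props = load(cryptoFile);
        String alias = require(props, ALIAS_KEY);
        String keyPassword = require(props, PASSWORD_KEY);
        Crypto crypto = CryptoFactory.getInstance(cryptoFile);
        WSSignEnvelope signer = new WSSignEnvelope();
        signer.setUserInfo(alias, keyPassword);   // the call the email says the sample omits
        Document signed = signer.build(envelope, crypto);
        WSEncryptBody encrypt = new WSEncryptBody();
        encrypt.setUserInfo(alias, keyPassword);  // same values, as the email describes
        return encrypt.build(signed, crypto);
    }
}
```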

 

May 13, 2005

Why do we need an open source Java?

Quote from Stefano on harmony-dev:


Let's analyze it on the other way: why not?

1) because it's already there. [Ask Ben how much he loves java on FreeBSD]

2) because it's hard. [Ask Linus about how easy it was to write Linux]

3) because it might fragment the space. [Ask around how many of us would
want to rewrite millions of lines of their code]

4) because it's an academic exercise [ask Larry and Sergey about their
academic exercise called Google]

5) because it might hurt the java ecosystem [ask darwin and/or your
favorite anti-trust lawyer on how concentration increases innovation]

6) because it's not fun [ask the people that spend their time writing
new GC algorithms!]

7) because it might take years [ask around how many are in a hurry]

Should I continue?

--
Stefano.

May 09, 2005

Help Classpath

Original Posting from Sven de Marothy on classpath mailing list : http://article.gmane.org/gmane.comp.java.classpath.devel/5522

Hi,

GNU Classpath is a project to create a Free implementation of the core
Java class libraries. It is used by most F/OSS Java VMs out there, from
the java-to-native compiler GCJ, to Kaffe OpenVM, to the tiny JamVM, to
the French-Canadian SableVM, to experimental stuff like JNode.

Would you like to join us? We're a fun bunch, but we need more hackers!
All levels of expertise are welcome.

Facts:
1. Classpath hackers are mammals.
2. Classpath hackers code ALL the time.
3. The purpose of the Classpath hacker is to flip out and
microoptimize.

These guys are cool, and by cool I mean totally sweet.

Right now, we need lots more AWT hackers. If you're into Swingin', we've
got a big craving for those, too! Scratch that itch! Love CORBA?
'course you do! Face it: Who doesn't? We need those too!

Like debugging? It's like crossword puzzles, only funner! We've got
plenty of debugging! This is your lucky day!

Interested? Of course you are! Read up:
http://www.gnu.org/software/classpath/faq/faq.html#faq3_1
http://developer.classpath.org/mediation/ClasspathFirstSteps

Super-Quick start guide!

1) You need GCC and a Java compiler. GCC I think you have. GCJ might not
be up to date. I like Jikes. Get an RPM:
http://rpmfind.net/linux/rpm2html/search.php?query=jikes&submit=Search
+...

2) Get a VM, for instance JamVM. Right here:
http://prdownloads.sourceforge.net/jamvm/jamvm-1.3.0.tar.gz?download

3) Get Classpath. Latest release right here:
ftp://ftp.gnu.org/pub/gnu/classpath/classpath-0.15.tar.gz

4) Untar both files!

5) For jikes:
# ./configure --with-jikes --enable-jni
# make
# make install (better do that as root)

6) For classpath:
# ./configure --with-jikes --enable-jni --enable-gtk-peer
# make
# make install (same here!)

7) Compile your program:
jikes -classpath /usr/local/classpath/share/classpath/glibj.zip

(you might want to alias that. The +Z0 switch is good too, if you don't
want extra warnings)

8) Run it:
jamvm HelloWorld

9) Have fun!

/Sven

Apache Harmony : The good, the bad and the ugly

PROPOSAL, FAQ, Archives


Links:
http://www.intertwingly.net/blog/2005/05/06/Apache-Harmony
http://www.advogato.org/person/robilad/diary.html?start=67
http://www.jroller.com/page/fate/20050507#death_to_apache
http://weblogs.java.net/blog/kgh/archive/2005/05/thoughts_on_the_1.html
http://weblog.ikvm.net/PermaLink.aspx?guid=3472dfab-5844-4053-9d47-a9b002656046
http://securityfocus.tranwebhost.com/2005/05/09/apache-takes-on-open-source-java/
http://www.holoweb.net/~laurie/archives/2005/05/08/no-harmony-between-java-and-open-source
http://migs.paraz.com/w/archives/2005/05/09/harmony-my-first-successful-slashdot-submission/
http://www.almaer.com/blog/archives/000934.html
http://thegoldfish.net/wordpress/?p=191
http://www.anyware-tech.com/blogs/sylvain/archives/000189.html
http://www.sauria.com/blog/2005/05/06#1296
http://www.jroller.com/page/bsnyder/20050506#apache_harmony_proposal_an_apache
http://blogs.sun.com/roller/page/webmink/20050507#harmony_tunes_up

May 06, 2005

Apache Harmony - J2SE 5 Project

Project Harmony
===============

Motivation
----------

There is a clear need for an open-source version of Java 2, Standard
Edition (J2SE) runtime platform, and there are many ongoing efforts
to produce solutions (Kaffe, Classpath, etc). There are also efforts
that provide alternative approaches to execution of Java bytecode
(GCJ and IKVM). All of these efforts provide a diversity of
solutions, which is healthy, but barriers exist which prevent these
efforts from reaching a greater potential.

Proposal
--------

We propose that we create a new Apache project, Harmony, that will
achieve the following goals :

1) create a Compatible, independent implementation of J2SE 5
under the Apache License v2

2) create a community-developed modular runtime (VM and class library)
architecture to allow independent implementations to share runtime
components, and allow independent innovation in runtime components

In doing so, we intend to create a broad, collaborative community of
contributors, implementors and users of the modular platform
specification.

To begin, we propose the following as a basic architectural blueprint
as a starting point for our discussion :

http://people.apache.org/~geirm/harmony.jpg

We will create directly, via inclusion of independent third-party
code, or through contribution :

a) a freely implementable specification of a modular VM
and class library that allows for multiple, independent
implementations

b) a test suite for interoperability testing of the modules

c) an implementation under the Apache License of the modular VM

d) a class library under the Apache License compatible with
the J2SE 5 specification that implements the defined interfaces

We will start with this mechanism because we desire to :

- have a simple plan upon which coding can immediately begin

- ensure that we have a focal point to begin the conversation
among interested members of the community

- have a clearly defined set of technical needs to allow
potential contributors, either code contributors or
individual participants, a basis for consideration

- ensure that this is a community effort - together we will
architect and implement via fresh new code or donation

- produce a set of specifications/designs allowing multiple
interoperable implementations that allow for sharing,
extension and innovation

We propose that the following people are considered the starting
participants. This set represents members from across the community,
this diversity a factor we wish to start with and preserve as we grow.

These individuals have expressed an interest in participating in the
architecture and design work. The information in parentheses
indicates other community participation or relevant experiences of
that individual :

Guy Churchward (individual w/ commercial VM experience)
Joakim Dahlstedt (individual w/ commercial VM experience)
Jeroen Frijters (IKVM)
Geir Magnusson Jr. (Apache)
Ricardo Morin (individual w/ commercial VM experience)
Georges Saab (individual w/ commercial VM experience)
Bruno Souza (SOUJava)
Davanum Srinivas (Apache)
Dalibor Topic (Kaffe)
Tom Tromey (GCJ)
Weldon Washburn (individual w/ commercial VM experience)
Mark Wielaard (Classpath)

and the following individuals have expressed interest in
participating as committers for the Apache-licensed implementation :

Jeroen Frijters (IKVM)
Ben Laurie (Apache)
Geir Magnusson Jr. (Apache)
Ricardo Morin (individual w/ commercial VM experience)
Bruno Souza (SOUJava)
Davanum Srinivas (Apache)
Dalibor Topic (Kaffe)
Tom Tromey (GCJ)
Weldon Washburn (individual w/ commercial VM experience)

These individuals will participate as Incubator Mentors :

Noel Bergman
Ben Laurie
Geir Magnusson Jr.
Stefano Mazzocchi
Sam Ruby
Leo Simons
Davanum Srinivas

The following Apache Members will be the sponsoring members :

Noel Bergman
Jason Hunter
Ben Laurie
Ted Leung
Geir Magnusson Jr.
Stefano Mazzocchi
Sam Ruby
Leo Simons
Davanum Srinivas

The following community members support this effort :

Danese Cooper
Brian Goetz
Doug Lea

Operating Considerations
------------------------

0) We have established a list for discussions. Unless your comment
is directed to the general Incubator community or the Incubator PMC,
please post everything to :

harmony-dev@incubator.apache.org

You can subscribe by sending an email to

harmony-dev-subscribe@incubator.apache.org

Until this proposal has been accepted by the Apache Incubator PMC,
these lists are provisional.

1) Due to the various known and unknown risk factors of this project,
we propose that in addition to the required Individual Contributor
License Agreement (ICLA) we shall require that any committer to
Harmony will have a Corporate Contributor License Agreement (CCLA),
when appropriate, on file with the ASF Secretary, and will keep that
document current with respect to current employer to preserve
committer status. We do this in order to help protect the community,
both contributors and users, from unauthorized incorporation of code
or other intellectual property.

2) Historically, there has been wide exposure to VM and class-library-
specific source code that is the property of Sun Microsystems as well
as others, as it is common for commercial J2SE implementations to be
based on licensed Sun code. We wish to make every effort to ensure
that the licenses and rights of external projects and efforts are
properly respected. To that end, we will explore additional ways to
work with the Apache Incubator to ensure that all IP is carefully
monitored and tracked as it enters the project.

May 04, 2005

ANNOUNCE : Axis 1.2 RELEASE

Hi folks:

After *much* too long, the Axis team would like to announce the release of Axis 1.2 final. You can get it at:
http://www.apache.org/dyn/closer.cgi/ws/axis/1_2/ (if your favorite mirror doesn't have it yet try another, it's propagating now)

A few words about this release -

* A LOT of things have been cleaned up/fixed since 1.1, but 1.2 is not yet a perfect beast. We know there are still issues that, although they didn't block this release, are important to our user base. We will be working to resolve these in the near term, which brings us to...

* This took way too much time. We will (for the remainder of Axis 1.X's lifetime and hopefully all of Axis 2.0's...) be focusing much more aggressively on the "release early and often" mantra. Expect to see more fixes and more official releases near term.

* Thanks to EVERYONE who submitted bug reports, patches, and (especially) good, concise test cases. Without your help we wouldn't have been able to make half the progress we did.

* As always, please send questions/comments to axis-user@ws.apache.org, and development-related issues to axis-dev@ws.apache.org. Issues may be checked and filed at http://issues.apache.org/jira/browse/AXIS

Onwards to 1.Next...

Thanks,
--Glen

on behalf of the Axis team