Shibboleth 2.x packages updated in unstable
Russ Allbery
rra at debian.org
Tue Sep 15 19:04:09 UTC 2009
Kristof BAJNOK <bajnokk at niif.hu> writes:
> I've upgraded some of our lenny boxes to 2.2.1 today (from squeeze), no
> problems so far.
Thank you for testing!
> The only thing I had to do manually after the upgrades is to apply the
> following patch on shibboleth2.xml to get rid of the startup warning
> about the (now) legacy Policy syntax:
> - <!-- The predefined policy enforces replay/freshness and permits
> signing and client TLS. -->
> + <!--
> + The predefined policy enforces replay/freshness, standard
> + condition processing, and permits signing and client TLS.
> + -->
> <Policy id="default" validate="false">
> - <Rule type="MessageFlow" checkReplay="true" expires="60"/>
> - <Rule type="ClientCertAuth" errorFatal="true"/>
> - <Rule type="XMLSigning" errorFatal="true"/>
> - <Rule type="SimpleSigning" errorFatal="true"/>
> + <PolicyRule type="MessageFlow" checkReplay="true"
> expires="60"/>
> + <PolicyRule type="Conditions">
> + <PolicyRule type="Audience"/>
> + <!-- Enable Delegation rule to permit delegated access. -->
> + <!-- <PolicyRule type="Delegation"/> -->
> + </PolicyRule>
> + <PolicyRule type="ClientCertAuth" errorFatal="true"/>
> + <PolicyRule type="XMLSigning" errorFatal="true"/>
> + <PolicyRule type="SimpleSigning" errorFatal="true"/>
> </Policy>
> </SecurityPolicies>
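Review bot: the `<PolicyRule type="Conditions">` block with its nested `Audience` rule is new enforcement, not part of the `Rule` to `PolicyRule` rename, so a NEWS entry that only says "rename the tag" leaves a site that edits by hand without the condition processing the new upstream default turns on; worth stating separately that the default policy gained a rule. Also, the hunk has no `@@` header and the mailer wrapped the MessageFlow line (`expires="60"/>` on its own line), so this is a guide for editing by hand rather than something to feed to patch(1).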
Should we say something in NEWS.Debian about this? It looks like it's
just a change of Rule to PolicyRule except that the defaults added a new
rule. Maybe we should just say something along the lines of:
With this release, the <Rule> tag in /etc/shibboleth/shibboleth2.xml
was deprecated. If you have not modified your default <Policy> entry,
replace it with:
    <!--
    The predefined policy enforces replay/freshness, standard
    condition processing, and permits signing and client TLS.
    -->
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
            <!-- Enable Delegation rule to permit delegated access. -->
            <!-- <PolicyRule type="Delegation"/> -->
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>
to match the new upstream defaults. If you have modified it, replace
any instance of <Rule> in the <Policy> section with <PolicyRule>.
--
Russ Allbery (rra at debian.org) <http://www.eyrie.org/~eagle/>
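The NEWS text above amounts to a mechanical rewrite plus one decision (whether to pick up the new Conditions/Audience rule). The script below, an added example and not Debian packaging or upstream Shibboleth code, does the rewrite on a shibboleth2.xml: every <Rule> nested under a <Policy> becomes <PolicyRule> with attributes intact, comments are kept, and each policy that still lacks a Conditions rule is either reported or, with --add-conditions, given the upstream Conditions/Audience block right after its MessageFlow rule. It assumes the file uses the SP's default namespace urn:mace:shibboleth:2.0:native:sp:config (unnamespaced files are handled too); the embedded sample is a constructed pre-2.2 default policy, not a real deployment file.

```python
"""Rewrite legacy <Rule> security-policy elements in a Shibboleth SP
shibboleth2.xml to the <PolicyRule> syntax of SP 2.2.

Added example for this thread; not Debian's or upstream's code.
"""
import sys
import xml.etree.ElementTree as ET

# Default namespace of shibboleth2.xml (assumption: the file declares it).
SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
# Serialize that namespace unprefixed instead of as ns0:.
ET.register_namespace("", SP_NS)

# Constructed sample: the pre-2.2 default policy inside a minimal root.
LEGACY_SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <SecurityPolicies>
    <!-- The predefined policy enforces replay/freshness and permits
         signing and client TLS. -->
    <Policy id="default" validate="false">
      <Rule type="MessageFlow" checkReplay="true" expires="60"/>
      <Rule type="ClientCertAuth" errorFatal="true"/>
      <Rule type="XMLSigning" errorFatal="true"/>
      <Rule type="SimpleSigning" errorFatal="true"/>
    </Policy>
  </SecurityPolicies>
</SPConfig>
"""


def _split(tag):
    """Split '{uri}local' into ('{uri}', 'local').

    Unnamespaced tags give ('', tag); comment nodes carry a non-string tag
    and fall through unchanged, so callers never mistake them for rules."""
    if isinstance(tag, str) and tag.startswith("{"):
        ns, local = tag.split("}", 1)
        return ns + "}", local
    return "", tag


def _has_conditions_rule(policy):
    return any(_split(c.tag)[1] == "PolicyRule" and c.get("type") == "Conditions"
               for c in policy)


def _make_conditions_rule(ns):
    """The Conditions/Audience block from the 2.2 upstream default policy."""
    cond = ET.Element(ns + "PolicyRule", {"type": "Conditions"})
    ET.SubElement(cond, ns + "PolicyRule", {"type": "Audience"})
    return cond


def upgrade_policy_rules(xml_text, add_conditions=False):
    """Return (rewritten_xml, report).

    Renames every <Rule> under a <Policy> to <PolicyRule>.  A policy with
    no Conditions rule is listed in report["missing_conditions"], or, when
    add_conditions is set, gets the upstream block inserted after its
    MessageFlow rule (first, if it has none) and is listed under
    report["conditions_added"].  Running it twice changes nothing."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    report = {"renamed": 0, "conditions_added": [], "missing_conditions": []}

    # Collect first so inserting children cannot disturb the tree walk.
    policies = [el for el in root.iter() if _split(el.tag)[1] == "Policy"]
    for policy in policies:
        ns = _split(policy.tag)[0]
        for el in policy.iter():  # nested rules (e.g. inside Conditions) too
            el_ns, local = _split(el.tag)
            if local == "Rule":
                el.tag = el_ns + "PolicyRule"
                report["renamed"] += 1
        if _has_conditions_rule(policy):
            continue
        if add_conditions:
            children = list(policy)
            pos = next((i + 1 for i, c in enumerate(children)
                        if c.get("type") == "MessageFlow"), 0)
            policy.insert(pos, _make_conditions_rule(ns))
            report["conditions_added"].append(policy.get("id"))
        else:
            report["missing_conditions"].append(policy.get("id"))

    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    paths = [a for a in sys.argv[1:] if not a.startswith("--")]
    src = open(paths[0]).read() if paths else LEGACY_SAMPLE
    out, rep = upgrade_policy_rules(src, "--add-conditions" in sys.argv)
    sys.stdout.write(out)
    sys.stderr.write("%r\n" % rep)
```

Run it as `python3 upgrade_rules.py /etc/shibboleth/shibboleth2.xml > new.xml` and diff the result before installing it: ElementTree re-serializes the whole file (prolog, quoting, self-closing tags), so the diff will show noise beyond the rule changes, and a policy the site has modified deserves a look at whether audience checking is wanted before --add-conditions is used on it.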
More information about the Pkg-shibboleth-devel mailing list