Exist: [Master issue] Prepare eXist 5.3.0 stable release

Created on 2 Jun 2021 · 30 comments · Source: eXist-db/exist

Finally:

Open Issue

  • [x] push 5.3.0 to master
  • [x] Go to GitHub and move all issues and PRs which are still open for the release milestone to the next release milestone and close the milestones 5.3.0 and 5.2.1
  • [x] merge open PR and release crypto-lib 6.0.0
  • [x] update homebrew
  • [ ] publish updated “howto release” document #3962
  • [ ] Github-release-plugin: fix link to release notes and improve layout
  • [x] Wikipedia page: Lars asked someone from outside the community to update it. This might take a moment.

Note: Tasks marked with * are drawn from @adamretter's list from Slack.


All 30 comments

Now updated with entries for reviewing and merging the crypto lib package, and publishing it to the public-repo.

Crypto lib needs to wait for 5.3.0 to be released - so technically we should mention this ticket over in the crypto lib PR and not the other way around. Do you agree @joewiz ?

I think Security - core+Saxon - XXE to RFI in fn:doc etc* is already addressed here
[bugfix] Change XML processing defaults for v6.0.0 by dizzzz · Pull Request #3836 · eXist-db/exist
So the question is whether to accept this for security reasons even if it might affect users of the database.

@line-o Ah, I didn't realize the crypto lib's new version had to come after the release of eXist 5.3.0. Since the crypto lib's release is an important aspect of the eXist 5.3.0 release, I think it's worth keeping a checkbox here. How about if I move that to-do item to the "Finally" section?

@line-o Regarding the briefly worded "core+saxon" item, I agree that #3836 addresses the XXE issue, but it doesn't address the RFI issue. That topic came up only in the Community Call on May 10:

Functions that can be used to perform external HTTP requests, e.g.: doc(). May need to institute a whitelist/blacklist, or disable external HTTP requests by default. Could be a configuration option—off by default in 5.3.0 but on by default in 6.0.0.

  • doc, doc-available, json-doc, unparsed-text, unparsed-text-lines
  • EXPath HTTP client
  • xinclude
  • transform:transform

AR: Suggests we solve these before the forthcoming release.

This deserves its own issue, but the idea is that eXist allows guest users to trigger HTTP requests for remote files (RFI), and the configuration option envisioned here would add a condition to all functions like doc(), limiting the ability to perform HTTP requests. Perhaps the time is right for me to open an issue for further discussion of this?

Update: Issue added: https://github.com/eXist-db/exist/issues/3927.
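The gate sketched in the comment above, as an added illustration that is not eXist-db code and not part of this thread: a URI check that a `doc()`-style resolver would call before fetching anything, with remote requests off by default and an optional host allow-list. `FetchPolicy`, `classify`, `check_uri`, the `ftp` scheme and the handling of scheme-relative references are assumptions of this example, not anything the project implements.

```python
# Added example, not eXist-db code: a fetch gate for URI-consuming XQuery
# functions (fn:doc, fn:unparsed-text, xinclude, ...). The policy object,
# the names below and the verdict strings are assumptions of this example.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Schemes whose resolution means an outbound network request. "ftp" is an
# addition of this example; the thread names only HTTP.
REMOTE_SCHEMES = frozenset({"http", "https", "ftp"})


@dataclass(frozen=True)
class FetchPolicy:
    """Hypothetical configuration: remote fetches off by default, optional host allow-list."""
    allow_remote: bool = False
    allowed_hosts: frozenset = frozenset()


class RemoteFetchDenied(PermissionError):
    """Raised instead of performing the request."""


def classify(uri: str, policy: FetchPolicy) -> str:
    """Return 'local', 'allowed', 'denied:remote-off' or 'denied:host'.

    Anything that is not a remote URI (database paths, relative references,
    xmldb: URIs) is passed through untouched; those never touch the network.
    """
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    # A scheme-relative reference ("//host/x") inherits the base URI's scheme,
    # which for a request coming from the web layer is http(s), so it is
    # treated as remote here (conservative assumption of this example).
    is_remote = scheme in REMOTE_SCHEMES or (scheme == "" and parts.netloc != "")
    if not is_remote:
        return "local"
    if not policy.allow_remote:
        return "denied:remote-off"
    host = (parts.hostname or "").lower()
    if policy.allowed_hosts and host not in policy.allowed_hosts:
        return "denied:host"
    return "allowed"


def check_uri(uri: str, policy: FetchPolicy, caller: str = "fn:doc") -> str:
    """Gate to call before resolving `uri` on behalf of `caller`; returns the URI or raises."""
    verdict = classify(uri, policy)
    if verdict.startswith("denied"):
        raise RemoteFetchDenied(f"{caller}: external request to {uri!r} refused ({verdict})")
    return uri


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the thread).
    locked = FetchPolicy()
    limited = FetchPolicy(allow_remote=True, allowed_hosts=frozenset({"api.example.org"}))
    for u in ["/db/apps/doc/data.xml", "xmldb:exist:///db/x.xml",
              "http://remote.example/x.xml", "HTTPS://api.example.org/v1",
              "//remote.example/x.xml"]:
        print(f"{u:32} locked={classify(u, locked):18} limited={classify(u, limited)}")
```

The check has to sit in the shared resolver rather than in each function, otherwise a newly added URI-taking function silently bypasses it; the scheme comparison is case-insensitive because `HTTP://` resolves exactly like `http://`.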

@joewiz re: crypto lib checkbox in Finally is good.

@joewiz regarding the introduction of new configuration option to address RFI for guest users: That deserves its separate issue, yes.

CVE-2019-17570 addresses malicious XML-RPC servers. In our scenario this is existdb itself which we ultimately trust as it is under our control, correct?

CVE-2019-17570

I fixed this in FusionDB previously. You basically have to host patched versions of the Apache XML-RPC Jars.

Is Apache XML-RPC used as a client in exist-db or as a server?

I would like to drop #3738 from the list as it introduces a breaking change (order of application of map:merge).

Indeed, #3738 is labelled as bound for 6.0.0. Ok to remove it from this list, @adamretter?

I've split the "Update core apps to use templating v1.0.0 and remove all dependencies on shared-resources" into two separate checklist sets. This way we can track which apps have met each threshold.

> Is Apache XML-RPC used as a client in exist-db or as a server?

Both, of course! eXist-db provides an XML-RPC API, and the XML:DB API is also implemented atop XML-RPC. The Java Admin Client is an XML-RPC client, as are some of the functions in the XQuery XMLDB extension module.

> Indeed, #3738 is labelled as bound for 6.0.0. Ok to remove it from this list, @adamretter?

@joewiz No, it needs to be split into two parts. The parts for 5.3.0 and the parts for 6.0.0. I will try and do that over the weekend if I can find the time.

We may want to pause on merging the PRs involving updating the core apps to use the new templating module until https://github.com/eXist-db/exist/issues/3918 is resolved. The lib:parse-params templating function is affected by this issue.

Thanks to Wolfgang’s release of templating v1.0.2, which sidesteps the performance issue in https://github.com/eXist-db/exist/issues/3918, the work on migrating core apps to templating and toward removing shared-resources from them can continue.

These PRs are ready for review & merge so far:

FYI, someone checked doc and fundocs as having had their dependencies on shared-resources removed, but this is incorrect. The PRs above only switched to the new templating library; they did not fully remove shared-resources dependencies.

Oh, sorry! That was me.

@joewiz Docs have had their non-templating dependency on shared-resources removed about 2 years ago, unless someone added them back in or I missed something.

@duncdrum Yes, you were right! It was still listed as a dependency in pom.xml and xar-assembly.xml and a couple of references lingered, but there were no substantive dependencies, so it was easy to pull those out. Thanks!

The first app without shared-resources from the list above is now published - markdown v0.7.0 - to GitHub Releases and public-repo.

Status of the other core apps being tracked in this master issue:

  • documentation has an approved PR #626 removing shared-resources, which passes tests locally but fails in the CI environment for unknown reasons. Attempts at resolving CI issues are in progress in #638. The repo also has 5 open security issues, but because of dependencies on old libraries (see #602 about one of these), we aren't able to advance to the newer versions that resolve the security issues. If these PRs' issues can't be resolved, we will have to release with the continued dependency on shared-resources, since at least the master branch is passing CI.
  • eXide has a WIP PR #309 that comprehensively removes shared-resources. The only remaining problem is a regression preventing users from renaming resources.
  • fundocs has a merged PR #41 that switches to templating, but so far we have no PR removing the remaining references to shared-resources—namely, jquery and eXist CSS.
  • monex has a merged PR #153 that switches to templating, but so far we have no PR removing the remaining references to shared-resources—namely, ace, bootstrap, jquery, eXist CSS, eXist icon, eXist favicon.

As promised, I added an issue to track the feature to prevent eXist from making external HTTP requests: https://github.com/eXist-db/exist/issues/3927. I've added the link to the master description above too.

@joewiz I'll add https://github.com/eXist-db/monex/pull/155 to monex

next one on the menu is fundocs: any takers?
https://github.com/eXist-db/function-documentation/pull/42

New versions of monex and eXide are available in the public repository.

All core apps are now released and available in the public package repository.
The PR to update the bundled libraries and apps will be opened tomorrow.

When https://github.com/eXist-db/exist/pull/3939 is applied, shared-resources and markdown are no longer bundled with existdb.

I just unchecked "Update exist-db.org with eXist 5.3.0 and updated core apps" as it appears exist-db.org is still running 5.1.1.

All incomplete tasks have been accounted for in the new master issue. Work on these should continue there. #3968
