Jakarta Security 4.0

[arjantijms]

Specification PR template

When creating a specification project release review, create PRs with the content defined as follows.

Include the following in the PR:

• A directory in the form wombat/x.y where x.y is the release major.minor version, and the directory contains the following.
• Specification PDF in the form of jakarta-wombat-spec-x.y.pdf
• Specification HTML in the form of jakarta-wombat-spec-x.y.html
• A specification page named _index.md following the template at:
  https://github.com/jakartaee/specification-committee/blob/master/spec_page_template.md
• For a Progress Review, that sufficient progress has been made on a Compatible Implementation and TCK, to ensure that the spec is implementable and testable.
• For a Release Review, a summary that a Compatible Implementation is complete, passes the TCK, and that the TCK includes sufficient coverage of the specification. The TCK users guide MUST include the instructions to run the compatible implementations used to validate the release.
  Instructions MAY be by reference.
  • Updated release record
  • Email to PMC
  • Start release review by emailing EMO
• The URL of the OSSRH staging repository for the api, javadoc:
  https://jakarta.oss.sonatype.org/content/repositories/staging/jakarta/security/enterprise/jakarta.security.enterprise-api/4.0.0/
• The URL of the staging directory on downloads.eclipse.org for the proposed EFTL TCK binary:
  https://download.eclipse.org/es/jakartaee11/staged/eftl/
• The URL of the compatibility certification request issue:
  Compatibility certification request for Soteria 4.0.0 security#338
• Specification JavaDoc in the wombat/x.y/apidocs directory.
  If desired, an optional second PR can be created to contain just the JavaDoc in the apidocs directory.

Note: If any item does not apply, check it and mark N/A below it.

[netlify]

✅ Deploy Preview for jakartaee-specifications ready!

Name	Link
🔨 Latest commit	a0c8e31
🔍 Latest deploy log	https://app.netlify.com/sites/jakartaee-specifications/deploys/6658590e68cf450008b1feef
😎 Deploy Preview	https://deploy-preview-741--jakartaee-specifications.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[mtdelgadoa]

Hello all,
the EMO is trying to avoid duplication of release records, so we will be providing our feedback and comments related to this release directly here.

EMO REVIEW CHECKLIST

EDP Review status: EMO Completed - waiting on ballot results

EMO review checklist

PMI record: URL

EF Specification Process

• Spec Committee Ballot completed

Intellectual Property Management

• All project code has copyright and license headers correctly applied. ** EMO will scan the code at their discretion **
• All distributed third-party content has been vetted by the IP Due Diligence process (i.e., IP Log has been approved)

Open Source Rules of Engagement

• PMC approval on the mailing list

General:

• Project is operating within the mission and scope defined in its top-level project’s charter
• Project is operating within the bounds of its own scope
• Project is operating in an open and transparent manner
• Overall the project is operating according to the Eclipse Development Process.

Things to check:

• Communication channels advertised
• Advertised communication channels used
• Committers are responding to questions
• Committers are responding to issues
• Committers are responding to pull/merge/review requests

Branding and Trademarks
The following applies when the project has a custom website.
To the best of our knowledge:

• Project content correctly uses Eclipse Foundation trademarks
• Project content (code and documentation) does not violate trademarks owned by other organizations

Things to check:

• Project website uses the project's formal name in first and all prominent references
• Project website includes a trademark attribution statement
• Project website footers contain all necessary elements

Legal Documentation
Required files:

• License files in all repository roots
• README
• CONTRIBUTING (or equivalent)

Recommended files:

• NOTICES or equivalent (you can use the Legal Documentation generator available under committer tools)
• CODE_OF_CONDUCT
• SECURITY

See examples for Security file and Code of Conduct.

Required elements:

• ECA is referenced/described

Recommended elements:

• Build instructions provided
• Security policy is described

Metadata (PMI)

• The formal name, e.g. "Eclipse Foo™", is used in the project title
• The formal name including appropriate marks (e.g, "™") is used in the first mention in the text of the project description, and scope
• The project description starts with a single paragraph that can serve as an executive summary
• Source code repository references are up-to-date
• Download links and information are up-to-date (see EF handbook for more information on how-to do this)
• Communication channels listed in the PMI (i.e. public mailing list, forums, etc.)

[ivargrimstad]

Mentor Spec Review Checklist

1. Spec PR

• PR uses template
• Directory of form {spec}/x.y
• PDF of form jakarta-{spec}-spec-x.y.pdf ("-spec" preferred but not required)
• HTML of form jakarta-{spec}-spec-x.y.html ("-spec" preferred but not required)
• Index page {spec}/x.y/_index.md following template
• Index page {spec}/_index.md following template
• No other files (e.g., no jakarta_ee_logo_schooner_color_stacked_default.png)
• Staging repository link of the form https://jakarta.oss.sonatype.org/content/repositories/staging/jakarta/{spec}/jakarta.{spec}-api/x.y.z/
• EFTL TCK link of the form http://download.eclipse.org/.../+.zip
• Compatibility certification link of the form https://github.com/eclipse-ee4j/{project}/#{issue}
• (Optional) Second PR for just apidocs

2. _index.md

• Link to project release plan of the form https://projects.eclipse.org/projects/ee4j.{spec}/releases/x.y/plan
• Link to spec pdf
• Link to spec html
• Link to apidocs
• Link to final TCK download zip file of the form https://download.eclipse.org/jakartaee/{spec}/x.y/*{spec}-tck-x.y.z.zip (The folder path is required, the file name pattern is preferred.)
• Link to API jar file of the form https://search.maven.org/artifact/jakarta.{spec}/jakarta.{spec}-api/x.y.z/jar
• Name of and link to at least one Compatible Implementation
• Review summary statement to ensure it has been updated to reflect the work accomplished and does not contain proposal statements as might be found in Plan Review statement.

3. javadocs

• Footer contains Eclipse copyright and link to license
• ESFL license is included, usually as doc-files/speclicense.html
• no META-INF directory in PR
• javadocs-jar artifact matches apidocs (optional for this release)

4. Spec PDF

• Correct spec title
• Version number of the form x.y, not x.y.z
• Correct Eclipse copyright line
• No DRAFT or SNAPSHOT
• Correct Logo

5. Spec HTML

• Same as PDF

6. TCK zip file

• README file (optional for this release)
• EFTL license file, preferably named LICENSE.md
• User's Guide (or equivalent documentation)
• How to test the Compatible Implementation(s) listed in _index.md above with the TCK (may be in UG)

7. TCK User's Guide (or equivalent documentation)

• Software requirements listed
• Installation and configuration described
• How to run tests
• Where to file challenges

8. Compatibility certification request

• Request follows template
• SHA-256 fingerprint matches staged TCK zip file
• Request issue has certification label.

9. TCK results summary

• Page is hosted by Compatible Implementation project
• Includes all information from certification request
• Summary includes number of tests passed, failed, errors
• SHA-256 fingerprint matches staged TCK zip file on cert request

10. If a Release Review is required, the specification project team contacts the EMO to initiate the review by sending an email to emo@eclipse.org.
    (A Release Review is not required if the current release is a Service Release based on a previously successful Major or Minor
    release as indicated by a release record on the project's Releases page, e.g., the Jakarta Servlet releases page.)

    • The specification project team requests approval by sending an email to the EMO (with cc to the PMC) that contains a link to this PR and a request to the PMC for approval.

11. Update Jakarta EE API jar

• Update the Jakarta EE API jar by submitting a PR to the jakartaee-api project that updates the version number of your API jar file.

[jeanouii]

Left a small comment on the CSR for Soteria. Small detail.
The TCK ZIP content has a weird structure but not a blocker

there is also an old-tck/ directory in there. Not sure what it is about but it was also there before.

Finally, I don't see a link to the Maven entry for the API jar. It's usually under the TCK links.
For the rest, see the checklist.

[arjantijms]

old-tck/ directory in there. Not sure what it is about but it was also there before.

That is an embedded version of the old tck (the javatest/ant based one). Because of a lack of resources we don't have time to convert it to the new style tests. A number of other TCKs does/did the same thing.

[arjantijms]

@jeanouii is everything now correct?

[ivargrimstad]

@jeanouii is everything now correct?

It looks good to me. Please go ahead @jeanouii and start the ballot.

[ivargrimstad]

I will start the ballot now