2023-02-15

Date and Location

Feb 15, 2023 at 15:00-16:00 (EET, UTC+2)

Location: Microsoft Teams

Attendees

  • Petteri Kivimäki (NIIS)

  • Raido Kaju (NIIS)

  • Aivar Meisterson

  • Francis Fulgencio

  • Gustavo Giorgetti

  • Tõnis Pihlakas

Discussion items

# | Item | Notes


1. Summary of development activities

Summary of ongoing development activities.

2. Release of X-Road patch versions 7.2.1 and 7.1.2

X-Road patch versions 7.2.1 and 7.1.2 are going to be released by February 17. The patch versions provide the following fixes:

  • Fix to the ocspFreshnessSeconds issue.

  • Fix for gpg not being defined as a Security Server dependency, which could cause the initial configuration to fail.

  • Update Sidecar base image.

  • Updates to 3rd party libraries with vulnerabilities.

Also, starting from March, NIIS will publish an updated version of the Sidecar image on a monthly basis. Each updated image includes a refreshed base image (if a new version is available) and OS-level patches, but no application-level changes. The updated image is published for all the supported X-Road versions.

In addition, NIIS is starting to look into implementing a custom Sidecar-specific base image instead of using the public Ubuntu base image. In that way, the base image would contain only the dependencies required by the Security Server, which makes the image smaller and decreases the exposure to security vulnerabilities in 3rd party components.

3. X-Road Catalog Collector extension

X-Road Catalog Collector is an X-Road extension that harvests member, subsystem and service related data from an X-Road ecosystem, stores the data centrally and provides X-Road compatible SOAP and REST interfaces to query the data. The interfaces can be used to export the data to a separate service catalog portal. In addition, the interfaces can be made available to all the members of the ecosystem as a regular X-Road service.

Every X-Road ecosystem requires a service catalog. The most efficient way to populate and maintain its content is to collect the data available on Security Servers automatically. Collecting the data requires crawling all the Security Servers, since X-Road doesn't currently provide a single interface to query the data of the whole ecosystem. Providing the collector component as an official X-Road extension gives an easy way to publish service related metadata through a service that can be used by an external service catalog portal and by members of the X-Road ecosystem. The service related metadata can then be consumed by different service catalog implementations utilising various technologies, so X-Road operators only need to implement the portal component.

The extension is developed and currently maintained by the Finnish Digital Agency (DVV). It has been agreed that the extension will be handed over from DVV to NIIS. The aim is to complete the handover during Q1 / 2023. After the handover, the extension will be transferred to the NIIS GitHub account and it will be published in the NIIS package repository.

4. Replacing Akka with gRPC

In September 2022, it was announced that one of the third-party open-source libraries (Akka) that X-Road heavily depends on will change its licensing model. The new licensing model is commercial, but open-source projects meeting specific criteria may apply for an exception. However, the conditions of the license granted to open-source projects are different from the Apache 2.0 open-source license that Akka currently uses. From X-Road's perspective, the new license includes some unfavorable conditions, and therefore the X-Road Working Group has decided that Akka will be replaced with another technology in X-Road.

The last open-source version of Akka (published under the Apache 2.0 open-source license) will be officially supported until September 2023. Using the version after the official support has ended is possible, but there won't be updates available anymore in case of bugs and/or vulnerabilities.

NIIS has looked into three different alternatives for replacing Akka, and the results are presented below.

  1. Use REST based APIs. Spring MVC would be the go-to framework as it is already used by X-Road.

    1. Well known, easy to maintain.

    2. There will be performance impact in highly concurrent scenarios.

    3. Requires full regression where Akka was used.

    4. Use cases that require queueing (actions that cannot be done in parallel, or where order matters) or scheduling would have to be rewritten.

  2. Use protobuf based RPC. gRPC seems to be the most widely used implementation, in development since 2015.

    1. Theoretically should have little to no performance impact.

    2. Supports both blocking and async service calls out of the box.

    3. Easier to maintain compared to Akka.

    4. Requires full regression where Akka was used.

      1. Currently automated test coverage is limited.

    5. Use cases that require queueing (actions that cannot be done in parallel, or where order matters) or scheduling would have to be rewritten.

  3. Keep everything as-is. Migrate to Pekko.

    1. Advertised as compatible with Akka 2.6.x.

    2. Dependencies, packages and class names will change, so it will still require code changes.

    3. New player in the field, still in Apache incubator.

      1. It is unclear how quickly they will solve issues, especially security vulnerabilities.

      2. Version 1.0 is not yet released (2023 Q1).

    4. Code complexity remains the same.

The X-Road Working Group has decided that Akka will be replaced with gRPC (option 2). Migration from Akka to gRPC will be implemented gradually one feature at a time, e.g., starting from signer. In that way, gRPC based implementation can be included in X-Road releases iteratively in multiple phases, if needed. It means that in some X-Road releases both Akka and gRPC may coexist. However, the aim is to replace Akka in a single release.

The aim is to replace Akka with gRPC in X-Road version 7.4.0, scheduled for Q4 / 2023.

5. Open topics

  • In January, NIIS started a technical study on making the X-Road Message Transport Protocol compatible with the eDelivery REST profile. The study is expected to be completed by mid-April.

  • The X-Road Bug Bounty program on the Intigriti platform was closed at the end of January. A new bug bounty program will be announced in the near future.

Next meetings

  • Meeting 10, March 15, 15:00-16:00 (EET, UTC+2)