Posted to dev@sling.apache.org by Radu Cotescu <ra...@apache.org> on 2021/09/21 18:21:01 UTC

[VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Hi,

We solved 3 issues in this release:
https://issues.apache.org/jira/browse/SLING/fixforversion/12350606

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-2531/

You can use this UNIX script to download the release and verify the signatures:
https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 2531 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Regards,
Radu Cotescu

Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Radu Cotescu <ra...@apache.org>.
Done. See https://github.com/apache/sling-org-apache-sling-scripting-bundle-tracker-it/commit/97cf38a.

> On 22 Sep 2021, at 09:28, Radu Cotescu <ra...@apache.org> wrote:
> 
> We can indeed allow the content package to contain all nodes (including the ones covered by [1]) and explain that the bundle providing the precompiled bundled scripts has priority over scripts from the resource tree for the same resource types/selectors.


Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Radu Cotescu <ra...@apache.org>.
Hi Konrad,

> On 22 Sep 2021, at 09:04, Konrad Windszus <ko...@gmx.de> wrote:
> 
> I have some remarks though:
> 
> 1. We should disable external entity processing in VaultContentXmlReader (https://sonarcloud.io/project/issues?id=apache_sling-scriptingbundle-maven-plugin&open=AXwCdaTmnSy41Wx6i_Vn&resolved=false&types=VULNERABILITY)

I think that this is a false positive, unless I miss something really obvious. External entities shouldn’t be able to load anything [0]. If I’m correct, then we should mark the issue as such in SonarCloud.


> 2. I read the documentation at https://github.com/apache/sling-scriptingbundle-maven-plugin/blob/master/src/site/markdown/bnd.md#working-with-filevault-content-package-projects and tried the example at https://github.com/apache/sling-org-apache-sling-scripting-bundle-tracker-it, IIUC this excludes the scripts from the content package by just not listing the root node path in the filter.xml. On the other hand, everything below target/classes ends up in the bundle jar. In reality this is too simplified as often the resource type node folders contain additional information which would be lost that way like additional properties (not reflected in the bundle jar metadata) or configuration structures. Also profiles used for deployment need to be adjusted. I would instead recommend to keep the package as is (i.e. make it still contain the resource type nodes even if redundant) and rely on the service ranking to make the bundled (precompiled) scripts take precedence? Do you see a drawback with that approach?

You are right that the example is simplistic. I wanted to emphasise that the /apps scripts are not needed any more when working with precompiled bundled scripts. We can indeed allow the content package to contain all nodes (including the ones covered by [1]) and explain that the bundle providing the precompiled bundled scripts has priority over scripts from the resource tree for the same resource types/selectors.

Thanks,
Radu

[0] - https://github.com/apache/sling-scriptingbundle-maven-plugin/blob/scriptingbundle-maven-plugin-0.5.0/src/main/java/org/apache/sling/scriptingbundle/plugin/processor/filevault/VaultContentXmlReader.java#L57-L58
[1] - https://github.com/apache/sling-org-apache-sling-scripting-bundle-tracker-it/blob/master/examples/org-apache-sling-scripting-content-package-with-bundle-attached/src/main/content/META-INF/vault/filter.xml#L23


Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Konrad Windszus <ko...@gmx.de>.
+1

I have some remarks though:

1. We should disable external entity processing in VaultContentXmlReader (https://sonarcloud.io/project/issues?id=apache_sling-scriptingbundle-maven-plugin&open=AXwCdaTmnSy41Wx6i_Vn&resolved=false&types=VULNERABILITY)
2. I read the documentation at https://github.com/apache/sling-scriptingbundle-maven-plugin/blob/master/src/site/markdown/bnd.md#working-with-filevault-content-package-projects and tried the example at https://github.com/apache/sling-org-apache-sling-scripting-bundle-tracker-it, IIUC this excludes the scripts from the content package by just not listing the root node path in the filter.xml. On the other hand, everything below target/classes ends up in the bundle jar. In reality this is too simplified as often the resource type node folders contain additional information which would be lost that way like additional properties (not reflected in the bundle jar metadata) or configuration structures. Also profiles used for deployment need to be adjusted. I would instead recommend to keep the package as is (i.e. make it still contain the resource type nodes even if redundant) and rely on the service ranking to make the bundled (precompiled) scripts take precedence? Do you see a drawback with that approach?

Thanks
Konrad

> On 21. Sep 2021, at 20:21, Radu Cotescu <ra...@apache.org> wrote:
> 
> Hi,
> 
> We solved 3 issues in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12350606
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2531/
> 
> You can use this UNIX script to download the release and verify the signatures:
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
> 
> Usage:
> sh check_staged_release.sh 2531 /tmp/sling-staging
> 
> Please vote to approve this release:
> 
>  [ ] +1 Approve the release
>  [ ]  0 Don't care
>  [ ] -1 Don't release, because ...
> 
> This majority vote is open for at least 72 hours.
> 
> Regards,
> Radu Cotescu


Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by da...@apache.org.
+1

David

On Thu, 23 Sept 2021 at 03:13, Daniel Klco <dk...@apache.org> wrote:

> +1
>
> On Wed, Sep 22, 2021 at 5:34 AM Nicolas Peltier <np...@apache.org>
> wrote:
>
> > +1
> >
> > On Wed, 22 Sept 2021 at 11:17, Robert Munteanu <ro...@apache.org>
> > wrote:
> >
> > > On Tue, 2021-09-21 at 18:21 +0000, Radu Cotescu wrote:
> > > > Please vote to approve this release:
> > >
> > > +1
> > > Robert
> > >
> >
>

Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Daniel Klco <dk...@apache.org>.
+1

On Wed, Sep 22, 2021 at 5:34 AM Nicolas Peltier <np...@apache.org> wrote:

> +1
>
> On Wed, 22 Sept 2021 at 11:17, Robert Munteanu <ro...@apache.org>
> wrote:
>
> > On Tue, 2021-09-21 at 18:21 +0000, Radu Cotescu wrote:
> > > Please vote to approve this release:
> >
> > +1
> > Robert
> >
>

Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Nicolas Peltier <np...@apache.org>.
+1

On Wed, 22 Sept 2021 at 11:17, Robert Munteanu <ro...@apache.org>
wrote:

> On Tue, 2021-09-21 at 18:21 +0000, Radu Cotescu wrote:
> > Please vote to approve this release:
>
> +1
> Robert
>

Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Robert Munteanu <ro...@apache.org>.
On Tue, 2021-09-21 at 18:21 +0000, Radu Cotescu wrote:
> Please vote to approve this release:

+1
Robert

Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Carsten Ziegeler <cz...@apache.org>.
+1

Carsten

On 21.09.2021 at 20:21, Radu Cotescu wrote:
> Hi,
> 
> We solved 3 issues in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12350606
> 
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2531/
> 
> You can use this UNIX script to download the release and verify the signatures:
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
> 
> Usage:
> sh check_staged_release.sh 2531 /tmp/sling-staging
> 
> Please vote to approve this release:
> 
>    [ ] +1 Approve the release
>    [ ]  0 Don't care
>    [ ] -1 Don't release, because ...
> 
> This majority vote is open for at least 72 hours.
> 
> Regards,
> Radu Cotescu
> 

-- 
Carsten Ziegeler
Adobe
cziegeler@apache.org

Re: [VOTE] Release Apache Sling Scripting Bundle Maven Plugin 0.5.0

Posted by Karl Pauls <ka...@gmail.com>.
+1

regards,

Karl

On Tue, Sep 21, 2021 at 8:21 PM Radu Cotescu <ra...@apache.org> wrote:
>
> Hi,
>
> We solved 3 issues in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12350606
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2531/
>
> You can use this UNIX script to download the release and verify the signatures:
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>
> Usage:
> sh check_staged_release.sh 2531 /tmp/sling-staging
>
> Please vote to approve this release:
>
>   [ ] +1 Approve the release
>   [ ]  0 Don't care
>   [ ] -1 Don't release, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Radu Cotescu



-- 
Karl Pauls
karlpauls@gmail.com