Posted to dev@sling.apache.org by Radu Cotescu <ra...@apache.org> on 2016/08/25 12:38:50 UTC

XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Hi Karl,

Yes, we should find a different approach since your commit results in the
SLING-INF folder no longer being contained in the jar, which makes the
XSS bundle more or less useless since some of its components cannot be
activated.

I'll fix this now as I want to release version 1.0.14.

Cheers,
Radu

On Sat, 20 Aug 2016 at 00:19 Karl Pauls <ka...@gmail.com> wrote:

>
> Done.
>
> I guess I went the easy way for now by adding an Include-Resource statement
> to the maven-bundle-plugin instructions (a better way probably would be to
> move the LICENSE and NOTICE files to src/main/resources/appended-resources
> and use the remote resources plugin but oh well).
>
> regards,
>
> Karl
>
>
> > -Bertrand
> >
>
>
>
> --
> Karl Pauls
> karlpauls@gmail.com
>
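The failure Radu describes above, a bundle jar that builds cleanly but no longer carries its SLING-INF tree, is exactly the kind of regression a post-build check catches before a release vote. The script below is an added example, not code from Apache Sling or from anyone in this thread: it opens a built jar, verifies that the license files and the resource trees the bundle needs at runtime are present, and checks that every Declarative Services descriptor named in the manifest's Service-Component header actually exists in the jar. The required-entry list and the two fixture jars it builds are constructed for illustration. The caveat behind the breakage is general maven-bundle-plugin behaviour: an explicit Include-Resource instruction replaces the plugin's default of {maven-resources}, so anything under src/main/resources that the instruction does not name is silently dropped unless {maven-resources} is listed as well.

```python
"""Sanity-check a built OSGi bundle jar before releasing it.

Added example, not code from Apache Sling. The required entries below are
an assumption for illustration; adjust them to what your bundle reads at
runtime.
"""
import io
import zipfile

# Assumed checklist: the license files an ASF release expects, and the
# resource tree the XSS bundle needs at activation.
REQUIRED_FILES = ("META-INF/MANIFEST.MF", "META-INF/LICENSE", "META-INF/NOTICE")
REQUIRED_TREES = ("SLING-INF/",)


def parse_manifest(text):
    """Parse the main section of a MANIFEST.MF into a dict.

    Jar manifests wrap long headers at 72 bytes; a continuation line starts
    with a single space and is glued onto the previous header's value.
    """
    headers = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and current is not None:
            headers[current] += line[1:]
            continue
        name, _, value = line.partition(":")
        current = name.strip()
        headers[current] = value.strip()
    return headers


def check_bundle(jar_bytes):
    """Return a list of problems; an empty list means the jar passes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        for path in REQUIRED_FILES:
            if path not in names:
                problems.append("missing file " + path)
        for tree in REQUIRED_TREES:
            if not any(n.startswith(tree) and not n.endswith("/") for n in names):
                problems.append("no files under " + tree)
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
            if "Bundle-SymbolicName" not in manifest:
                problems.append("manifest lacks Bundle-SymbolicName")
            # A DS component whose descriptor is missing from the jar can
            # never be activated, whatever else the jar contains.
            declared = manifest.get("Service-Component", "")
            for descriptor in (d.strip() for d in declared.split(",") if d.strip()):
                if descriptor not in names:
                    problems.append("Service-Component descriptor not in jar: " + descriptor)
    return problems


def build_jar(entries):
    """Build an in-memory jar from a {path: content} mapping (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for path, content in entries.items():
            jar.writestr(path, content)
    return buf.getvalue()


# Constructed manifest; the Service-Component value is deliberately wrapped
# across a continuation line, as the jar tool does for long headers.
MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Bundle-SymbolicName: org.example.xss\r\n"
    "Service-Component: OSGI-INF/org.example.xss.XSSFilterImpl.xml,OSGI-INF/org.ex\r\n"
    " ample.xss.XSSAPIImpl.xml\r\n"
    "\r\n"
)

GOOD_ENTRIES = {
    "META-INF/MANIFEST.MF": MANIFEST,
    "META-INF/LICENSE": "Apache License 2.0 (placeholder)",
    "META-INF/NOTICE": "Example notice (placeholder)",
    "OSGI-INF/org.example.xss.XSSFilterImpl.xml": "<component/>",
    "OSGI-INF/org.example.xss.XSSAPIImpl.xml": "<component/>",
    "SLING-INF/content/config.json": "{}",
}
# The same bundle after an Include-Resource that lists LICENSE and NOTICE but
# not {maven-resources}: bnd still generates OSGI-INF and the listed files are
# copied, but the rest of src/main/resources, SLING-INF included, is gone.
BROKEN_ENTRIES = {k: v for k, v in GOOD_ENTRIES.items() if not k.startswith("SLING-INF/")}

GOOD_JAR = build_jar(GOOD_ENTRIES)
BROKEN_JAR = build_jar(BROKEN_ENTRIES)

if __name__ == "__main__":
    for label, jar in (("good", GOOD_JAR), ("broken", BROKEN_JAR)):
        print(label, check_bundle(jar) or "OK")
```

Against a real build, replace the fixture with `open("target/your-bundle.jar", "rb").read()` and wire `check_bundle` into the build so a non-empty result fails it; the Service-Component check is the one that would have flagged this thread's symptom, "components cannot be activated", even if the resource-tree list were incomplete.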

Re: XSS bundle is broken in trunk

Posted by Karl Pauls <ka...@gmail.com>.
On Fri, Aug 26, 2016 at 1:31 PM, Oliver Lietz <ap...@oliverlietz.de> wrote:

> On Friday 26 August 2016 13:14:01 Carsten Ziegeler wrote:
> > Karl Pauls wrote:
> > > Well, you can't have only one place as each module needs to be able to
> > > (if needed) declare what other licensed code it contains. You can only
> > > do that for bundles that don't have anything to declare which actually
> > > (at least in theory) we have - that is the point of the
> > > appended-resources. You override LICENSE and NOTICE on a case by case
> > > basis when it is needed (i.e., the module contains
> > > external/differently licensed code).
> > >
> > > At least, appended-resources is what we probably should be using for
> > > that - however, as far as I can see a lot of bundles do follow a
> > > different approach (probably for historic reasons) namely, they
> > > duplicate the LICENSE and NOTICE files in the root of the bundle svn
> > > dir and inside src/main/resources/META-INF. In the case of the xss
> > > bundle, it was probably forgotten to do the duplication.
> >
> > Yes, that's for historic reasons and we simply never went through the
> > whole code base to use appended-resources.
> >
> > > Obviously, that is probably not the best way to do it - hence, if you
> > > are talking about clean-up I would recommend to rework all bundles to
> > > have their LICENSE and NOTICE appended by default and override it on a
> > > case by case basis via appended-resources if needed. I don't think we
> > > are talking about a lot of work in that regard so if others think it
> > > is worthwhile we might want to create a JIRA issue to list which
> > > bundles need to be changed and just do it in one go (If others agree,
> > > I'd be willing to look into it)...
> >
> > That would be awesome, +1 :)
>
> Indeed, much appreciated!
>
> O.
>
> > Carsten
>

Ok, I'll try to get to it before too long.

regards,

Karl

-- 
Karl Pauls
karlpauls@gmail.com

Re: XSS bundle is broken in trunk

Posted by Oliver Lietz <ap...@oliverlietz.de>.
On Friday 26 August 2016 13:14:01 Carsten Ziegeler wrote:
> Karl Pauls wrote:
> > Well, you can't have only one place as each module needs to be able to
> > (if needed) declare what other licensed code it contains. You can only do
> > that for bundles that don't have anything to declare which actually (at
> > least in theory) we have - that is the point of the appended-resources.
> > You override LICENSE and NOTICE on a case by case basis when it is needed
> > (i.e., the module contains external/differently licensed code).
> > 
> > At least, appended-resources is what we probably should be using for that
> > - however, as far as I can see a lot of bundles do follow a different
> > approach (probably for historic reasons) namely, they duplicate the
> > LICENSE and NOTICE files in the root of the bundle svn dir and inside
> > src/main/resources/META-INF. In the case of the xss bundle, it was
> > probably forgotten to do the duplication.
> 
> Yes, that's for historic reasons and we simply never went through the
> whole code base to use appended-resources.
> 
> > Obviously, that is probably not the best way to do it - hence, if you are
> > talking about clean-up I would recommend to rework all bundles to have
> > their LICENSE and NOTICE appended by default and override it on a case by
> > case basis via appended-resources if needed. I don't think we are talking
> > about a lot of work in that regard so if others think it is worthwhile we
> > might want to create a JIRA issue to list which bundles need to be
> > changed and just do it in one go (If others agree, I'd be willing to look
> > into it)...
> 
> That would be awesome, +1 :)

Indeed, much appreciated!

O.

> Carsten



Re: XSS bundle is broken in trunk

Posted by Carsten Ziegeler <cz...@apache.org>.
Karl Pauls wrote:
> 
> Well, you can't have only one place as each module needs to be able to (if
> needed) declare what other licensed code it contains. You can only do that
> for bundles that don't have anything to declare which actually (at least in
> theory) we have - that is the point of the appended-resources. You
> override LICENSE and NOTICE on a case by case basis when it is needed
> (i.e., the module contains external/differently licensed code).
> 
> At least, appended-resources is what we probably should be using for that -
> however, as far as I can see a lot of bundles do follow a different
> approach (probably for historic reasons) namely, they duplicate the LICENSE
> and NOTICE files in the root of the bundle svn dir and inside
> src/main/resources/META-INF. In the case of the xss bundle, it was probably
> forgotten to do the duplication.

Yes, that's for historic reasons and we simply never went through the
whole code base to use appended-resources.

> 
> Obviously, that is probably not the best way to do it - hence, if you are
> talking about clean-up I would recommend to rework all bundles to have
> their LICENSE and NOTICE appended by default and override it on a case by
> case basis via appended-resources if needed. I don't think we are talking
> about a lot of work in that regard so if others think it is worthwhile we
> might want to create a JIRA issue to list which bundles need to be
> changed and just do it in one go (If others agree, I'd be willing to look
> into it)...
That would be awesome, +1 :)

Carsten

-- 
Carsten Ziegeler
Adobe Research Switzerland
cziegeler@apache.org


Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Karl Pauls <ka...@gmail.com>.
On Fri, Aug 26, 2016 at 12:43 PM, Oliver Lietz <ap...@oliverlietz.de>
wrote:

> On Thursday 25 August 2016 22:11:00 Karl Pauls wrote:
> > On Thu, Aug 25, 2016 at 5:36 PM, Radu Cotescu <ra...@apache.org> wrote:
>
> hi,
>
> > > I think I finally fixed this in https://svn.apache.org/r1757708. I've
> > > run a test with the SNAPSHOT version and everything works as expected.
> >
> > Looks good!
>
> shouldn't we have a global setting/configuration in parent which is valid
> for all modules? Fixing include of LICENSE and NOTICE in one module sounds
> awkward.
>

Well, you can't have only one place as each module needs to be able to (if
needed) declare what other licensed code it contains. You can only do that
for bundles that don't have anything to declare which actually (at least in
theory) we have - that is the point of the appended-resources. You
override LICENSE and NOTICE on a case by case basis when it is needed
(i.e., the module contains external/differently licensed code).

At least, appended-resources is what we probably should be using for that -
however, as far as I can see a lot of bundles do follow a different
approach (probably for historic reasons) namely, they duplicate the LICENSE
and NOTICE files in the root of the bundle svn dir and inside
src/main/resources/META-INF. In the case of the xss bundle, it was probably
forgotten to do the duplication.

Obviously, that is probably not the best way to do it - hence, if you are
talking about clean-up I would recommend to rework all bundles to have
their LICENSE and NOTICE appended by default and override it on a case by
case basis via appended-resources if needed. I don't think we are talking
about a lot of work in that regard so if others think it is worthwhile we
might want to create a JIRA issue to list which bundles need to be
changed and just do it in one go (If others agree, I'd be willing to look
into it)...

regards,

Karl


>
> Regards,
> O.
>
> > regards,
> >
> > Karl
>
>


-- 
Karl Pauls
karlpauls@gmail.com

Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Oliver Lietz <ap...@oliverlietz.de>.
On Thursday 25 August 2016 22:11:00 Karl Pauls wrote:
> On Thu, Aug 25, 2016 at 5:36 PM, Radu Cotescu <ra...@apache.org> wrote:

hi,

> > I think I finally fixed this in https://svn.apache.org/r1757708. I've run a
> > test with the SNAPSHOT version and everything works as expected.
> 
> Looks good!

shouldn't we have a global setting/configuration in parent which is valid for 
all modules? Fixing include of LICENSE and NOTICE in one module sounds 
awkward.

Regards,
O.

> regards,
> 
> Karl


Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Karl Pauls <ka...@gmail.com>.
On Thu, Aug 25, 2016 at 5:36 PM, Radu Cotescu <ra...@apache.org> wrote:

> I think I finally fixed this in https://svn.apache.org/r1757708. I've run a
> test with the SNAPSHOT version and everything works as expected.
>

Looks good!

regards,

Karl


-- 
Karl Pauls
karlpauls@gmail.com

Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Radu Cotescu <ra...@apache.org>.
Hi,

I think I finally fixed this in https://svn.apache.org/r1757708. I've run a
test with the SNAPSHOT version and everything works as expected.

Have a nice day!

Cheers,
Radu

On Thu, 25 Aug 2016 at 15:06 Karl Pauls <ka...@gmail.com> wrote:

> Hi Radu,
>
> ok. I can look into it tonight as well if you like - regardless, I think we
> should use the appended resources approach.
>
> regards, Karl
>
> On Thursday, August 25, 2016, Radu Cotescu <ra...@apache.org> wrote:
>
> > Hi Karl,
> >
> > Yes, we should find a different approach since your commit results in the
> > SLING-INF folder no longer being contained in the jar, which makes the
> > XSS bundle more or less useless since some of its components cannot be
> > activated.
> >
> > I'll fix this now as I want to release version 1.0.14.
> >
> > Cheers,
> > Radu
> >
> > On Sat, 20 Aug 2016 at 00:19 Karl Pauls <karlpauls@gmail.com> wrote:
> >
> > >
> > > Done.
> > >
> > > I guess I went the easy way for now by adding an Include-Resource
> > > statement to the maven-bundle-plugin instructions (a better way
> > > probably would be to move the LICENSE and NOTICE files to
> > > src/main/resources/appended-resources and use the remote resources
> > > plugin but oh well).
> > >
> > > regards,
> > >
> > > Karl
> > >
> > >
> > > > -Bertrand
> > > >
> > >
> > >
> > >
> > > --
> > > Karl Pauls
> > > karlpauls@gmail.com
> > >
> >
>
>
> --
> Karl Pauls
> karlpauls@gmail.com
> http://twitter.com/karlpauls
> http://www.linkedin.com/in/karlpauls
> https://profiles.google.com/karlpauls
>

Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Karl Pauls <ka...@gmail.com>.
Hi Radu,

ok. I can look into it tonight as well if you like - regardless, I think we
should use the appended resources approach.

regards, Karl

On Thursday, August 25, 2016, Radu Cotescu <ra...@apache.org> wrote:

> Hi Karl,
>
> Yes, we should find a different approach since your commit results in the
> SLING-INF folder no longer being contained in the jar, which makes the
> XSS bundle more or less useless since some of its components cannot be
> activated.
>
> I'll fix this now as I want to release version 1.0.14.
>
> Cheers,
> Radu
>
> On Sat, 20 Aug 2016 at 00:19 Karl Pauls <karlpauls@gmail.com> wrote:
>
> >
> > Done.
> >
> > I guess I went the easy way for now by adding an Include-Resource
> > statement to the maven-bundle-plugin instructions (a better way
> > probably would be to move the LICENSE and NOTICE files to
> > src/main/resources/appended-resources and use the remote resources
> > plugin but oh well).
> >
> > regards,
> >
> > Karl
> >
> >
> > > -Bertrand
> > >
> >
> >
> >
> > --
> > Karl Pauls
> > karlpauls@gmail.com
> >
>


-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls