You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Brian Demers (Jira)" <ji...@apache.org> on 2023/05/30 19:32:00 UTC
[jira] [Created] (DIR-344) Use of shade plugin replaces files required for distribution
Brian Demers created DIR-344:
--------------------------------
Summary: Use of shade plugin replaces files required for distribution
Key: DIR-344
URL: https://issues.apache.org/jira/browse/DIR-344
Project: Directory
Issue Type: Bug
Reporter: Brian Demers
Assignee: Emmanuel Lécharny
The use of the shade plugin causes a handful of warnings in the `service` module's build.
Some of these may have legal concerns. For example, only one `META-INF/NOTICE` file is present in most of the dependencies, but only the one from this project is present.
There are multiple LICENSE files
- LICENSE (Apache v2.0)
- LICENSE-notice.md (refers to other non-existent license files)
- LICENSE.md - (EPL)
- LICENSE.txt (Apache v2.0)
Shading doesn't work with the Java Module System.
And also remove many security constraints that may be in place.
- Removes signatures
- Module isolation - Java Module System
- Cannot easily verify the provenance of included artifacts.
{noformat}
[WARNING] Discovered module-info.class. Shading will break its strong encapsulation.
[WARNING] jetty-http-9.4.51.v20230217.jar, jetty-io-9.4.51.v20230217.jar, jetty-security-9.4.51.v20230217.jar, jetty-server-9.4.51.v20230217.jar, jetty-servlet-9.4.51.v20230217.jar, jetty-util-9.4.51.v20230217.jar, jetty-util-ajax-9.4.51.v20230217.jar, jetty-webapp-9.4.51.v20230217.jar, jetty-xml-9.4.51.v20230217.jar define 1 overlapping resource:
[WARNING] - about.html
[WARNING] junit-jupiter-api-5.9.3.jar, junit-platform-commons-1.9.3.jar define 2 overlapping resources:
[WARNING] - META-INF/LICENSE-notice.md
[WARNING] - META-INF/LICENSE.md
[WARNING] apacheds-core-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-annotations-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-api-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-avl-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-constants-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-jndi-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-directory-bridge-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-integration-2.0.0.AM27-SNAPSHOT.jar, apacheds-i18n-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptor-kerberos-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-admin-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authn-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authz-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-changelog-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-collective-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-event-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-exception-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-hash-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-journal-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-normalization-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-number-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-operational-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-referral-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-schema-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-subtree-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-trigger-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm1-2.0.0-M3.jar, apacheds-kerberos-codec-2.0.0.AM27-SNAPSHOT.jar, apacheds-ldif-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-mavibot-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dhcp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dns-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ldap-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ntp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-server-config-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-builder-2.0.0.AM27-SNAPSHOT.jar, apacheds-xdbm-partition-2.0.0.AM27-SNAPSHOT.jar, api-asn1-api-2.1.3.jar, api-asn1-ber-2.1.3.jar, api-i18n-2.1.3.jar, api-ldap-client-api-2.1.3.jar, api-ldap-codec-core-2.1.3.jar, api-ldap-codec-standalone-2.1.3.jar, api-ldap-extras-aci-2.1.3.jar, api-ldap-extras-codec-2.1.3.jar, api-ldap-extras-codec-api-2.1.3.jar, api-ldap-extras-sp-2.1.3.jar, api-ldap-extras-trigger-2.1.3.jar, api-ldap-extras-util-2.1.3.jar, api-ldap-model-2.1.3.jar, api-ldap-net-mina-2.1.3.jar, api-ldap-schema-data-2.1.3.jar, api-util-2.1.3.jar, mavibot-1.0.0-M8.jar, mina-core-2.2.1.jar, org.apache.servicemix.bundles.antlr-2.7.7_5.jar define 1 overlapping resource:
[WARNING] - META-INF/DEPENDENCIES
[WARNING] apacheds-core-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-annotations-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-api-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-avl-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-constants-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-jndi-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-directory-bridge-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-integration-2.0.0.AM27-SNAPSHOT.jar, apacheds-i18n-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptor-kerberos-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-admin-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authn-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authz-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-changelog-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-collective-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-event-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-exception-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-hash-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-journal-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-normalization-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-number-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-operational-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-referral-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-schema-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-subtree-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-trigger-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm1-2.0.0-M3.jar, apacheds-kerberos-codec-2.0.0.AM27-SNAPSHOT.jar, apacheds-ldif-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-mavibot-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dhcp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dns-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ldap-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ntp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-server-config-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-builder-2.0.0.AM27-SNAPSHOT.jar, apacheds-xdbm-partition-2.0.0.AM27-SNAPSHOT.jar, api-asn1-api-2.1.3.jar, api-asn1-ber-2.1.3.jar, api-i18n-2.1.3.jar, api-ldap-client-api-2.1.3.jar, api-ldap-codec-core-2.1.3.jar, api-ldap-codec-standalone-2.1.3.jar, api-ldap-extras-aci-2.1.3.jar, api-ldap-extras-codec-2.1.3.jar, api-ldap-extras-codec-api-2.1.3.jar, api-ldap-extras-sp-2.1.3.jar, api-ldap-extras-trigger-2.1.3.jar, api-ldap-extras-util-2.1.3.jar, api-ldap-model-2.1.3.jar, api-ldap-net-mina-2.1.3.jar, api-ldap-schema-data-2.1.3.jar, api-util-2.1.3.jar, apiguardian-api-1.1.2.jar, bcpkix-jdk15on-1.70.jar, bcprov-jdk15on-1.70.jar, bcutil-jdk15on-1.70.jar, caffeine-2.9.3.jar, commons-codec-1.15.jar, commons-collections-3.2.2.jar, commons-collections4-4.4.jar, commons-lang3-3.12.0.jar, commons-pool2-2.11.1.jar, javax.servlet-api-3.1.0.jar, jetty-http-9.4.51.v20230217.jar, jetty-io-9.4.51.v20230217.jar, jetty-security-9.4.51.v20230217.jar, jetty-server-9.4.51.v20230217.jar, jetty-servlet-9.4.51.v20230217.jar, jetty-util-9.4.51.v20230217.jar, jetty-util-ajax-9.4.51.v20230217.jar, jetty-webapp-9.4.51.v20230217.jar, jetty-xml-9.4.51.v20230217.jar, junit-jupiter-api-5.9.3.jar, junit-platform-commons-1.9.3.jar, mavibot-1.0.0-M8.jar, mina-core-2.2.1.jar, opentest4j-1.2.0.jar, org.apache.servicemix.bundles.antlr-2.7.7_5.jar, reload4j-1.2.19.jar, slf4j-api-1.7.36.jar, slf4j-reload4j-1.7.36.jar define 1 overlapping resource:
[WARNING] - META-INF/MANIFEST.MF
[WARNING] commons-codec-1.15.jar, commons-collections-3.2.2.jar, commons-collections4-4.4.jar, commons-lang3-3.12.0.jar, commons-pool2-2.11.1.jar, javax.servlet-api-3.1.0.jar define 1 overlapping resource:
[WARNING] - META-INF/LICENSE.txt
[WARNING] apacheds-core-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-annotations-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-api-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-avl-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-constants-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-jndi-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-directory-bridge-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-integration-2.0.0.AM27-SNAPSHOT.jar, apacheds-i18n-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptor-kerberos-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-admin-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authn-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authz-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-changelog-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-collective-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-event-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-exception-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-hash-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-journal-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-normalization-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-number-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-operational-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-referral-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-schema-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-subtree-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-trigger-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm1-2.0.0-M3.jar, apacheds-kerberos-codec-2.0.0.AM27-SNAPSHOT.jar, apacheds-ldif-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-mavibot-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dhcp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dns-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ldap-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ntp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-server-config-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-builder-2.0.0.AM27-SNAPSHOT.jar, apacheds-xdbm-partition-2.0.0.AM27-SNAPSHOT.jar, api-asn1-api-2.1.3.jar, api-asn1-ber-2.1.3.jar, api-i18n-2.1.3.jar, api-ldap-client-api-2.1.3.jar, api-ldap-codec-core-2.1.3.jar, api-ldap-codec-standalone-2.1.3.jar, api-ldap-extras-aci-2.1.3.jar, api-ldap-extras-codec-2.1.3.jar, api-ldap-extras-codec-api-2.1.3.jar, api-ldap-extras-sp-2.1.3.jar, api-ldap-extras-trigger-2.1.3.jar, api-ldap-extras-util-2.1.3.jar, api-ldap-model-2.1.3.jar, api-ldap-net-mina-2.1.3.jar, api-ldap-schema-data-2.1.3.jar, api-util-2.1.3.jar, apiguardian-api-1.1.2.jar, caffeine-2.9.3.jar, jetty-http-9.4.51.v20230217.jar, jetty-io-9.4.51.v20230217.jar, jetty-security-9.4.51.v20230217.jar, jetty-server-9.4.51.v20230217.jar, jetty-servlet-9.4.51.v20230217.jar, jetty-util-9.4.51.v20230217.jar, jetty-util-ajax-9.4.51.v20230217.jar, jetty-webapp-9.4.51.v20230217.jar, jetty-xml-9.4.51.v20230217.jar, mavibot-1.0.0-M8.jar, mina-core-2.2.1.jar, org.apache.servicemix.bundles.antlr-2.7.7_5.jar, reload4j-1.2.19.jar define 1 overlapping resource:
[WARNING] - META-INF/LICENSE
[WARNING] bcpkix-jdk15on-1.70.jar, bcprov-jdk15on-1.70.jar, bcutil-jdk15on-1.70.jar define 1 overlapping classes:
[WARNING] - META-INF.versions.9.module-info
[WARNING] apacheds-core-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-annotations-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-api-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-avl-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-constants-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-jndi-2.0.0.AM27-SNAPSHOT.jar, apacheds-core-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-directory-bridge-2.0.0.AM27-SNAPSHOT.jar, apacheds-http-integration-2.0.0.AM27-SNAPSHOT.jar, apacheds-i18n-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptor-kerberos-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-admin-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authn-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-authz-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-changelog-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-collective-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-event-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-exception-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-hash-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-journal-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-normalization-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-number-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-operational-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-referral-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-schema-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-subtree-2.0.0.AM27-SNAPSHOT.jar, apacheds-interceptors-trigger-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-jdbm1-2.0.0-M3.jar, apacheds-kerberos-codec-2.0.0.AM27-SNAPSHOT.jar, apacheds-ldif-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-mavibot-partition-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dhcp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-dns-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ldap-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-ntp-2.0.0.AM27-SNAPSHOT.jar, apacheds-protocol-shared-2.0.0.AM27-SNAPSHOT.jar, apacheds-server-config-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-2.0.0.AM27-SNAPSHOT.jar, apacheds-service-builder-2.0.0.AM27-SNAPSHOT.jar, apacheds-xdbm-partition-2.0.0.AM27-SNAPSHOT.jar, api-asn1-api-2.1.3.jar, api-asn1-ber-2.1.3.jar, api-i18n-2.1.3.jar, api-ldap-client-api-2.1.3.jar, api-ldap-codec-core-2.1.3.jar, api-ldap-codec-standalone-2.1.3.jar, api-ldap-extras-aci-2.1.3.jar, api-ldap-extras-codec-2.1.3.jar, api-ldap-extras-codec-api-2.1.3.jar, api-ldap-extras-sp-2.1.3.jar, api-ldap-extras-trigger-2.1.3.jar, api-ldap-extras-util-2.1.3.jar, api-ldap-model-2.1.3.jar, api-ldap-net-mina-2.1.3.jar, api-ldap-schema-data-2.1.3.jar, api-util-2.1.3.jar, mavibot-1.0.0-M8.jar, mina-core-2.2.1.jar, org.apache.servicemix.bundles.antlr-2.7.7_5.jar, reload4j-1.2.19.jar define 1 overlapping resource:
[WARNING] - META-INF/NOTICE
[WARNING] commons-codec-1.15.jar, commons-collections-3.2.2.jar, commons-collections4-4.4.jar, commons-lang3-3.12.0.jar, commons-pool2-2.11.1.jar, jetty-http-9.4.51.v20230217.jar, jetty-io-9.4.51.v20230217.jar, jetty-security-9.4.51.v20230217.jar, jetty-server-9.4.51.v20230217.jar, jetty-servlet-9.4.51.v20230217.jar, jetty-util-9.4.51.v20230217.jar, jetty-util-ajax-9.4.51.v20230217.jar, jetty-webapp-9.4.51.v20230217.jar, jetty-xml-9.4.51.v20230217.jar define 1 overlapping resource:
[WARNING] - META-INF/NOTICE.txt
[WARNING] maven-shade-plugin has detected that some class files are
[WARNING] present in two or more JARs. When this happens, only one
[WARNING] single version of the class is copied to the uber jar.
{noformat}
Potential solutions
* Use a transformer to merge NOTICES and licenses.
https://maven.apache.org/plugins/maven-shade-plugin/examples/resource-transformers.html
NOTE: Non-Apache license may need to be relocated.
Replace the use of the shade plugin; for example, the spring-boot-maven-plugin creates a jar-of-jars, (think: a self-executing war).
NOTE: This would require additional changes to the ApacheDS Wrapper
{code}
<!--
Using the Spring Boot plugin to combine all dependencies into a single jar
containing everything needed to launch the server. This does NOT require
the use of Spring Framework or Spring Boot.
-->
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<version>3.1.0</version>
<executions>
<execution>
<id>uberjar</id>
<goals>
<goal>repackage</goal>
</goals>
</execution>
</executions>
</plugin>
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org