Hi! I'm wondering about use usage of feature archives in the Sling feature launcher, especially in a setting without a network and $HOME/.m2/repository. https://github.com/apache/sling-org-apache-sling-feature/blob/master/docs/feature-archives.md says the feature archives, such as the org.apache.sling.starter-12-oak_tar_far.far produced by the Sling Starter https://github.com/apache/sling-org-apache-sling-starter , are meant to contain the actual artifacts needed to run the system. Yet, when you start the system like this:
java -jar org.apache.sling.feature.launcher.jar -f org.apache.sling.starter-12-oak_tar_far.far -v the log shows that the artifacts in the FAR are completely ignored - it takes these from $HOME/.m2/repository or, failing that, they are downloaded from https://repo.maven.apache.org/maven2 . That seems not only a waste of network resources, but it has its problems. First in intranets or in a DMZ it's not guaranteed that you have internet access. Even worse: on production systems you don't want the starter to access the network or getting files from $HOME/.m2/repository, since that offers various attack avenues for injecting code into the system. So I'm wondering: shouldn't the feature launcher first check the FAR for the artifact and use that? Or even only use the code contained in a FAR? That said: there actually is a way to start the launcher without using the network, but in a quite cumbersome way. The feature launcher allows specifying the repository URLs, and you can give a jar file URL as repository URL: java -jar org.apache.sling.feature.launcher.jar -f org.apache.sling.starter-12-oak_tar_far.far -u 'jar:file:org.apache.sling.starter-12-oak_tar_far.far!' -u 'jar:file:felixcontainer.zip!' This also adds a second zip I created as a repository for the felix framework, which is required by the launcher, and just contains the file org/apache/felix/org.apache.felix.framework/7.0.1/org.apache.felix.framework-7.0.1.jar This works completely without network access, but it does feel like a workaround. So, is that actually the intended solution for this usecase, or are there plans to extend the feature launcher in some way? Or am I missing something? Thank you all for the good work and the many advances with this! Best regards, Hans-Peter PS: I was almost jumping up and down when I saw the tag org.apache.sling.starter-12 in the maven repo. Thanks for finally fixing something that can become release 12 of the Sling Starter ! I'm looking forward for it to appear in the maven repository.
