Hi,

On Thu, 2021-05-27 at 15:06 -0400, Cris Rockwell wrote:
> Hi,
>
> We solved 3 Jira issues in this initial release:
> https://issues.apache.org/jira/projects/SLING/versions/12350210
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2457

Thanks for setting up the vote, I know it's been quite a journey :-)

A couple of notes/questions from me, see below.

1. I tried to rebuild the source release, and it seems it's pulling in SNAPSHOT versions from various repositories

Downloading from apache.snapshots: https://repository.apache.org/snapshots/org/apache/sling/org.apache.sling.auth.core/1.4.1-SNAPSHOT/maven-metadata.xml
Downloaded from apache.snapshots: https://repository.apache.org/snapshots/org/apache/sling/org.apache.sling.auth.core/1.4.1-SNAPSHOT/maven-metadata.xml (1.0 kB at 8.5 kB/s)
Downloading from apache.snapshots: https://repository.apache.org/snapshots/org/apache/jackrabbit/oak-auth-external/1.35-SNAPSHOT/maven-metadata.xml
Downloading from shibboleth: https://build.shibboleth.net/nexus/content/repositories/releases/org/apache/jackrabbit/oak-auth-external/1.35-SNAPSHOT/maven-metadata.xml
Downloading from shibboleth: https://build.shibboleth.net/nexus/content/repositories/releases/org/apache/jackrabbit/oak-parent/1.35-SNAPSHOT/maven-metadata.xml
Downloading from apache.snapshots: https://repository.apache.org/snapshots/org/apache/jackrabbit/oak-parent/1.35-SNAPSHOT/maven-metadata.xml

(multiple occurrences)

I think this comes from the usage of version ranges in the pom.xml, e.g.

    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>[3.5,3.9]</version>
      <scope>provided</scope>
    </dependency>

Why are there version ranges used in the pom?

2. The dependency list is large, probably needed :-) but I wanted to ask about a couple.

There are a number of jars embedded, some of them look like they could be replaced with bundles:

    metrics-core-4.1.9.jar
    velocity-1.7.jar
    xmlsec-2.1.4.jar

Also, do we need the checker framework and annotations at runtime?

    checker-qual-2.11.1.jar
    error_prone_annotations-2.3.4.jar

commons-lang 2.6 is EOL and unmaintained, but we include it in the bundle.

    commons-lang-2.6.jar

I think that embedding only what is needed and allowing the user to deploy up-to-date dependencies will improve the security standing of installations using the Sling saml bundle.

Thanks,
Robert
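The version-range point raised in the review above, as an added example that is not code from this thread or from the Sling SAML project: a small pom.xml check that reports every dependency whose version is a Maven range or a -SNAPSHOT (both make the build depend on whatever metadata the configured repositories happen to serve, which is why the snapshot repositories get queried), and a helper that rewrites the flagged entries to fixed versions. The sample pom and the pin map are constructed for the example; the pinned version 3.9 is an assumed choice, not a recommendation from the thread.

```python
"""Flag and pin unreproducible dependency versions in a Maven pom.xml.

Added example (not part of the Sling SAML project).  The SAMPLE_POM below is
constructed: it mirrors the commons-lang3 range quoted in the review, plus a
SNAPSHOT dependency and a properly pinned one for contrast.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>sample-bundle</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>[3.5,3.9]</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.sling</groupId>
      <artifactId>org.apache.sling.auth.core</artifactId>
      <version>1.4.1-SNAPSHOT</version>
    </dependency>
    <dependency>
      <groupId>commons-lang</groupId>
      <artifactId>commons-lang</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>
"""

# A Maven version range is bracketed: [3.5,3.9], (,3.9], [3.5,), ...
RANGE_RE = re.compile(r"^[\[\(].*[\]\)]$")


def _text(dep, tag):
    """Text of a child element inside the POM namespace, or '' if absent."""
    el = dep.find(f"{{{POM_NS}}}{tag}")
    return el.text.strip() if el is not None and el.text else ""


def iter_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> element."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        yield _text(dep, "groupId"), _text(dep, "artifactId"), _text(dep, "version")


def find_unpinned(pom_xml):
    """Return [(coordinate, reason)] for each dependency whose version is a
    range or a SNAPSHOT.  An empty list means every version is fixed."""
    findings = []
    for group, artifact, version in iter_dependencies(pom_xml):
        coord = f"{group}:{artifact}:{version}"
        if RANGE_RE.match(version):
            findings.append((coord, "version range"))
        elif version.endswith("-SNAPSHOT"):
            findings.append((coord, "SNAPSHOT version"))
    return findings


def pin_versions(pom_xml, pins):
    """Return the pom with the version of each 'groupId:artifactId' listed in
    pins replaced by the fixed version given there; other entries are kept."""
    ET.register_namespace("", POM_NS)  # keep the default xmlns on output
    root = ET.fromstring(pom_xml)
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        key = f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}"
        version_el = dep.find(f"{{{POM_NS}}}version")
        if key in pins and version_el is not None:
            version_el.text = pins[key]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for coord, reason in find_unpinned(SAMPLE_POM):
        print(f"{reason}: {coord}")
    # Assumed pin chosen by the maintainer; the range itself does not say which.
    fixed = pin_versions(SAMPLE_POM, {"org.apache.commons:commons-lang3": "3.9"})
    print("remaining after pinning:", find_unpinned(fixed))
```

Running the script against a real pom (read the file instead of SAMPLE_POM) gives the same two kinds of findings the reviewer saw in the build log; pinning the ranges is what stops Maven from consulting the snapshot repositories' maven-metadata.xml for those artifacts.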
