Hi Robert

Thanks a lot for the feedback. I'm out for a few days. When I get back, I'll cancel this release, review these items and try again.

Best
Cris

On Mon, May 31, 2021, 9:32 AM Robert Munteanu <[email protected]> wrote:

> Hi,
>
> On Thu, 2021-05-27 at 15:06 -0400, Cris Rockwell wrote:
> > Hi,
> >
> > We solved 3 Jira issues in this initial release:
> > https://issues.apache.org/jira/projects/SLING/versions/12350210
> >
> > Staging repository:
> > https://repository.apache.org/content/repositories/orgapachesling-2457
>
> Thanks for setting up the vote, I know it's been quite a journey :-)
>
> A couple of notes/questions from me, see below.
>
> 1. I tried to rebuild the source release, and it seems it's pulling in
> SNAPSHOT versions from various repositories
>
> Downloading from apache.snapshots:
> https://repository.apache.org/snapshots/org/apache/sling/org.apache.sling.auth.core/1.4.1-SNAPSHOT/maven-metadata.xml
> Downloaded from apache.snapshots:
> https://repository.apache.org/snapshots/org/apache/sling/org.apache.sling.auth.core/1.4.1-SNAPSHOT/maven-metadata.xml
> (1.0 kB at 8.5 kB/s)
> Downloading from apache.snapshots:
> https://repository.apache.org/snapshots/org/apache/jackrabbit/oak-auth-external/1.35-SNAPSHOT/maven-metadata.xml
> Downloading from shibboleth:
> https://build.shibboleth.net/nexus/content/repositories/releases/org/apache/jackrabbit/oak-auth-external/1.35-SNAPSHOT/maven-metadata.xml
> Downloading from shibboleth:
> https://build.shibboleth.net/nexus/content/repositories/releases/org/apache/jackrabbit/oak-parent/1.35-SNAPSHOT/maven-metadata.xml
> Downloading from apache.snapshots:
> https://repository.apache.org/snapshots/org/apache/jackrabbit/oak-parent/1.35-SNAPSHOT/maven-metadata.xml
>
> (multiple occurrences)
>
> I think this comes from the usage of version ranges in the pom.xml, e.g.
>
>     <dependency>
>         <groupId>org.apache.commons</groupId>
>         <artifactId>commons-lang3</artifactId>
>         <version>[3.5,3.9]</version>
>         <scope>provided</scope>
>     </dependency>
>
> Why are there version ranges used in the pom?
>
> 2. The dependency list is large, probably needed :-) but I wanted to
> ask about a couple.
>
> There are a number of jars embedded, some of them look like they could be
> replaced with bundles:
>
> metrics-core-4.1.9.jar
> velocity-1.7.jar
> xmlsec-2.1.4.jar
>
> Also, do we need the checker framework and annotations at runtime?
>
> checker-qual-2.11.1.jar
> error_prone_annotations-2.3.4.jar
>
> commons-lang 2.6 is EOL and unmaintained, but we include it in the
> bundle.
>
> commons-lang-2.6.jar
>
> I think that embedding only what is needed and allowing the user to
> deploy up-to-date dependencies will improve the security standing of
> installations using the Sling saml bundle.
>
> Thanks,
> Robert
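
Added example, not part of the original thread or of the Sling project's code: a small Python check that lists the dependencies in a pom.xml declared with a Maven version range or a SNAPSHOT version, the two things point 1 of the quoted review raises. The sample pom is constructed; only the commons-lang3 range comes from the thread, and the org.example artifacts and the example.version property are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP = re.compile(r"\$\{([^}]+)\}")

# Constructed sample pom. Only the commons-lang3 range is taken from the thread;
# the org.example artifacts and the property are made up for illustration.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><example.version>[1.0,)</example.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>[3.5,3.9]</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-api</artifactId><version>${example.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-impl</artifactId><version>2.0.1-SNAPSHOT</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-pinned</artifactId><version>[4.2]</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-fixed</artifactId><version>1.2.3</version></dependency>
  </dependencies>
</project>"""


def classify(version):
    """Return 'range', 'snapshot' or None for a resolved Maven version string."""
    v = version.strip()
    if v.startswith(("[", "(")) and v.endswith(("]", ")")):
        if "," in v or not (v.startswith("[") and v.endswith("]")):
            return "range"  # resolved at build time against repository metadata
        v = v[1:-1]  # "[4.2]" is an exact requirement on one version, not a range
    return "snapshot" if v.endswith("-SNAPSHOT") else None


def audit_pom(pom_xml):
    """List (groupId:artifactId, declared version, finding) for unpinned versions."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        declared = dep.findtext("m:version", "", NS)
        # Expand ${property} references so a range hidden behind a property is still seen.
        resolved = PROP.sub(lambda m: props.get(m.group(1), m.group(0)), declared)
        kind = classify(resolved)
        if kind:
            name = f"{dep.findtext('m:groupId', '', NS)}:{dep.findtext('m:artifactId', '', NS)}"
            findings.append((name, declared, kind))
    return findings


if __name__ == "__main__":
    for name, declared, kind in audit_pom(SAMPLE_POM):
        print(f"{kind:8} {name} {declared}")
```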
