+1

I have some remarks though:

1. We should disable external entity processing in VaultContentXmlReader (https://sonarcloud.io/project/issues?id=apache_sling-scriptingbundle-maven-plugin&open=AXwCdaTmnSy41Wx6i_Vn&resolved=false&types=VULNERABILITY)
2. I read the documentation at https://github.com/apache/sling-scriptingbundle-maven-plugin/blob/master/src/site/markdown/bnd.md#working-with-filevault-content-package-projects and tried the example at https://github.com/apache/sling-org-apache-sling-scripting-bundle-tracker-it, IIUC this excludes the scripts from the content package by just not listing the root node path in the filter.xml. On the other hand, everything below target/classes ends up in the bundle jar. In reality this is too simplified as often the resource type node folders contain additional information which would be lost that way like additional properties (not reflected in the bundle jar metadata) or configuration structures. Also profiles used for deployment need to be adjusted. I would instead recommend to keep the package as is (i.e. make it still contain the resource type nodes even if redundant) and rely on the service ranking to make the bundled (precompiled) scripts take precedence? Do you see a drawback with that approach?

Thanks
Konrad

> On 21. Sep 2021, at 20:21, Radu Cotescu <[email protected]> wrote:
>
> Hi,
>
> We solved 3 issues in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12350606
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-2531/
>
> You can use this UNIX script to download the release and verify the
> signatures:
> https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD
>
> Usage:
> sh check_staged_release.sh 2531 /tmp/sling-staging
>
> Please vote to approve this release:
>
> [ ] +1 Approve the release
> [ ] 0 Don't care
> [ ] -1 Don't release, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Radu Cotescu
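On remark 1 in the reply above, the following is an added example, not code from this thread or from the plugin: one way to read a FileVault-style `.content.xml` with a JAXP SAX parser that refuses DOCTYPE declarations and external entities. The class and method names, the use of SAX (the thread does not say which parser API VaultContentXmlReader uses) and both sample documents are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedContentXmlDemo {
    static final String JCR = "http://www.jcp.org/jcr/1.0";
    static final String SLING = "http://sling.apache.org/jcr/sling/1.0";

    // Hypothetical helper: factory that rejects DOCTYPEs and never resolves external entities.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Returns the sling:resourceType attribute of the jcr:root element, or null if absent.
    static String readResourceType(String xml) throws Exception {
        String[] found = new String[1];
        hardenedFactory().newSAXParser().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
            new DefaultHandler() {
                @Override
                public void startElement(String uri, String local, String qName, Attributes a) {
                    if (JCR.equals(uri) && "root".equals(local)) found[0] = a.getValue(SLING, "resourceType");
                }
            });
        return found[0];
    }

    public static void main(String[] args) throws Exception {
        String ns = " xmlns:jcr=\"" + JCR + "\" xmlns:sling=\"" + SLING + "\"";
        // Constructed samples: a plain .content.xml and one that declares an external entity.
        String plain = "<jcr:root" + ns + " sling:resourceType=\"example/hello\"/>";
        String withEntity = "<!DOCTYPE jcr:root [<!ENTITY x SYSTEM \"file:///placeholder\">]>"
            + "<jcr:root" + ns + ">&x;</jcr:root>";
        System.out.println("plain: " + readResourceType(plain));
        try {
            readResourceType(withEntity);
            System.out.println("entity document was accepted (unexpected)");
        } catch (SAXException e) {
            System.out.println("entity document rejected: " + e.getMessage());
        }
    }
}
```

Because `disallow-doctype-decl` is set, the second document fails at the DOCTYPE line before any entity is resolved; the two `external-*-entities` features cover parsers where DOCTYPEs must stay allowed.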
