Re: [DISCUSS] Major changed for 4.x

2023-08-29 Thread Jochen Wiedmann 
On Tue, Aug 22, 2023 at 9:35 AM Guillaume Nodet  wrote:

>   * Support for XML entities / XInclude

Careful with that one! You might open a flood of security reports like
"If the included file looks like this, or that, then ..."

Jochen

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org

Re: [DISCUSS] Major changed for 4.x

2023-08-28 Thread Guillaume Nodet 
Le lun. 28 août 2023 à 08:04, Olivier Lamy  a écrit :

> Hi,
>
> On Tue, 22 Aug 2023 at 17:36, Guillaume Nodet  wrote:
> >
> > Hi everyone,
> >
> > I hope you guys have been able to rest a bit during the summer (for those
> > that are back to work already)...
> >
> > I've pushed a few important PRs in the past months and I'd really like to
> > get the discussion going around those.  Those are major changes that I
> > think we should introduce in Maven 4 asap:
> >   * Better support for alternative POM syntaxes
> >   * Needed infrastructure to evolve the model
> >   * POM mixins
> >   * Support for XML entities / XInclude
>
> I really like the idea of being able to improve the model.
>

For the model, and I think this is the most critical part and should really
be discussed further, I've explained in more detail at
https://github.com/apache/maven/pull/1160
The major point is how to handle new models in maven central...


> I find a bit scary the idea of XML entities/XInclude especially for
> all the possible security problems that I can imagine coming with
> that.
> No real example in mind, but I had so many issues problems in the last
> 10 years with XML entities/XInclude :)
> but maybe I'm wrong.
> how do you exactly plan to do that?
>

For the XML entities / XInclude, I think the security risks can easily be
mitigated.
I've just pushed an additional commit which restricts any entity / xinclude
loading
to only files inside the rootDirectory tree.
This is easily achieved as all the loads are done through a single object:

https://github.com/apache/maven/pull/1205/commits/89544c9c3c4cedfd3cd5b4fdfd8a84d8f003ef3a#diff-afe459a772f52262ac9aac04cf7822659de5540edd2302722478358146249574R32
I've added a few unit tests to cover this at

https://github.com/apache/maven/pull/1205/commits/89544c9c3c4cedfd3cd5b4fdfd8a84d8f003ef3a#diff-2b42337852eda2ae6fd664a97ac2a0deca997ea23debfa0158af89c678d8c6e4R30

Cheers,
Guillaume


>
> >
> > The first 3 changes are stacked onto each other. The first one is the
> > support for alternative POM syntaxes [2].  Note that no syntax is
> provided
> > by the PR, but an example extension is provided in the IT PR [3], the
> > reader being generated using the maven model and the IT's project is
> using
> > it [4].  The main idea is to provide an enhanced XML syntax if we want,
> as
> > it was discussed for the POM 5.0 [5].
> >
> > The second one provides the ability to make evolution to the model
> without
> > breaking the maven ecosystem.  The model has been stuck in 4.0.0 version
> > for 15 years or so, most of the things that would have required a change
> > have been delayed or worked around.  The consumer POM that has been
> > introduced in Maven 4 is a first step, but I think we should go further.
> > Please read the details in the PR [6].
> >
> > The third one is the support for POM mixins [7].  That one is still a
> > draft.  Two ITs have been written to leverage mixins using GAV or as
> > relative paths [8].  This definitely needs some work, but the current
> state
> > definitely shows that it can be implemented and introduced in the next
> > alphas.
> >
> > The last one is a relatively small PR [9] which brings support for XML
> > entities and XInclude loaded from external files.  All loaded files are
> > loaded using relative URLs (absolute URLs are rejected for security
> > reasons). The entities and xinclude bits are all inlined during the raw
> ->
> > consumer POM transformation so that they don't appear in repositories.  I
> > wrote this PR as a possible alternative for mixins, that's the main
> reason
> > why I include it in this discussion.
> >
> > I'm not necessarily looking for in-depth reviews of the PRs, but at least
> > to find a consensus and general agreement on the way forward.
> >
> > Cheers,
> > Guillaume
> >
> > [2] https://github.com/apache/maven/pull/1197
> > [3]
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
> > [4]
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
> > [5]
> >
> https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
> > [6] https://github.com/apache/maven/pull/1160
> > [7]
> >
> https://github.com/apache/maven/pull/1209/commits/211e27acd21a6cb8cee30ccd066499fc613a5c82
> > [8]
> >
> https://github.com/apache/maven-integration-testing/tree/b2642d74caae854051dc77acd19b972dfe66b1cd/core-it-suite/src/test/resources/mng-5102-mixins
> > [9] https://github.com/apache/maven/pull/1205
> >
> > --
> > 
> > Guillaume Nodet
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>

-- 

Guillaume Nodet

Re: [DISCUSS] Major changed for 4.x

2023-08-28 Thread Olivier Lamy 
Hi,

On Tue, 22 Aug 2023 at 17:36, Guillaume Nodet  wrote:
>
> Hi everyone,
>
> I hope you guys have been able to rest a bit during the summer (for those
> that are back to work already)...
>
> I've pushed a few important PRs in the past months and I'd really like to
> get the discussion going around those.  Those are major changes that I
> think we should introduce in Maven 4 asap:
>   * Better support for alternative POM syntaxes
>   * Needed infrastructure to evolve the model
>   * POM mixins
>   * Support for XML entities / XInclude

I really like the idea of being able to improve the model.
I find a bit scary the idea of XML entities/XInclude especially for
all the possible security problems that I can imagine coming with
that.
No real example in mind, but I had so many issues problems in the last
10 years with XML entities/XInclude :)
but maybe I'm wrong.
how do you exactly plan to do that?

>
> The first 3 changes are stacked onto each other. The first one is the
> support for alternative POM syntaxes [2].  Note that no syntax is provided
> by the PR, but an example extension is provided in the IT PR [3], the
> reader being generated using the maven model and the IT's project is using
> it [4].  The main idea is to provide an enhanced XML syntax if we want, as
> it was discussed for the POM 5.0 [5].
>
> The second one provides the ability to make evolution to the model without
> breaking the maven ecosystem.  The model has been stuck in 4.0.0 version
> for 15 years or so, most of the things that would have required a change
> have been delayed or worked around.  The consumer POM that has been
> introduced in Maven 4 is a first step, but I think we should go further.
> Please read the details in the PR [6].
>
> The third one is the support for POM mixins [7].  That one is still a
> draft.  Two ITs have been written to leverage mixins using GAV or as
> relative paths [8].  This definitely needs some work, but the current state
> definitely shows that it can be implemented and introduced in the next
> alphas.
>
> The last one is a relatively small PR [9] which brings support for XML
> entities and XInclude loaded from external files.  All loaded files are
> loaded using relative URLs (absolute URLs are rejected for security
> reasons). The entities and xinclude bits are all inlined during the raw ->
> consumer POM transformation so that they don't appear in repositories.  I
> wrote this PR as a possible alternative for mixins, that's the main reason
> why I include it in this discussion.
>
> I'm not necessarily looking for in-depth reviews of the PRs, but at least
> to find a consensus and general agreement on the way forward.
>
> Cheers,
> Guillaume
>
> [2] https://github.com/apache/maven/pull/1197
> [3]
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
> [4]
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
> [5]
> https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
> [6] https://github.com/apache/maven/pull/1160
> [7]
> https://github.com/apache/maven/pull/1209/commits/211e27acd21a6cb8cee30ccd066499fc613a5c82
> [8]
> https://github.com/apache/maven-integration-testing/tree/b2642d74caae854051dc77acd19b972dfe66b1cd/core-it-suite/src/test/resources/mng-5102-mixins
> [9] https://github.com/apache/maven/pull/1205
>
> --
> 
> Guillaume Nodet

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org

Re: [DISCUSS] Major changed for 4.x

2023-08-23 Thread Mark Derricutt 
 Interesting - I see between alpha-5 and alpha-7 - tiles-maven-pllugin
seems to work again (noticed this building alpha-8-SNAPSHOT).

That’s good to know - will make evaluating the new mixins easier as well.

-- 
"Great artists are extremely selfish and arrogant things" — Steven Wilson,
Porcupine Tree


On 24/08/2023 at 11:41:25 AM, Mark Derricutt  wrote:

> On 23/08/2023 at 9:46:16 PM, Guillaume Nodet  wrote:
>
>> The two ITs for mixins are available at
>>
>> https://github.com/apache/maven-integration-testing/pull/280/commits/13173969007b5e3b307ef5b191ac2d52a23dce6c
>>
>
>
> Nice - that looks like it should work - does that unfold into the
> effective-pom at all?  Look forward to trying it out - might have to go
> build up a SNAPSHOT for myself.
>
> Mark
>
> --
> "Great artists are extremely selfish and arrogant things" — Steven Wilson,
> Porcupine Tree
>
>

Re: [DISCUSS] Major changed for 4.x

2023-08-23 Thread Mark Derricutt 
 On 23/08/2023 at 9:46:16 PM, Guillaume Nodet  wrote:

> The two ITs for mixins are available at
>
> https://github.com/apache/maven-integration-testing/pull/280/commits/13173969007b5e3b307ef5b191ac2d52a23dce6c
>


Nice - that looks like it should work - does that unfold into the
effective-pom at all?  Look forward to trying it out - might have to go
build up a SNAPSHOT for myself.

Mark

-- 
"Great artists are extremely selfish and arrogant things" — Steven Wilson,
Porcupine Tree

Re: [DISCUSS] Major changed for 4.x

2023-08-23 Thread Guillaume Nodet 
The two ITs for mixins are available at
https://github.com/apache/maven-integration-testing/pull/280/commits/13173969007b5e3b307ef5b191ac2d52a23dce6c

Le mar. 22 août 2023 à 23:30, Mark Derricutt  a écrit :

>  Definitely keen on seeing this, or the approach taken - as Maven 4.x
> breaks the existing usage of tiles-maven-plugin so having something
> supported, that covers the same featureset would be good.
>
> Where in GIthub can I see the IT’s mentioned here?
>
> On 22/08/2023 at 7:32:12 PM, Guillaume Nodet  wrote:
>
> > The third one is the support for POM mixins [7].  That one is still a
> > draft.  Two ITs have been written to leverage mixins using GAV or as
> > relative paths [8].  This definitely needs some work, but the current
> state
> > definitely shows that it can be implemented and introduced in the next
> > alphas.
> >
>
>
> --
> "Great artists are extremely selfish and arrogant things" — Steven Wilson,
> Porcupine Tree
>


-- 

Guillaume Nodet

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Mark Derricutt 
 Definitely keen on seeing this, or the approach taken - as Maven 4.x
breaks the existing usage of tiles-maven-plugin so having something
supported, that covers the same featureset would be good.

Where in GIthub can I see the IT’s mentioned here?

On 22/08/2023 at 7:32:12 PM, Guillaume Nodet  wrote:

> The third one is the support for POM mixins [7].  That one is still a
> draft.  Two ITs have been written to leverage mixins using GAV or as
> relative paths [8].  This definitely needs some work, but the current state
> definitely shows that it can be implemented and introduced in the next
> alphas.
>


-- 
"Great artists are extremely selfish and arrogant things" — Steven Wilson,
Porcupine Tree

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Gary Gregory 
FWIW, I don't have an issue with XML in general, just the style we use.

An as aside, I find it amusing to watch the JSON folks reinvent each and
every wheel that XML has been using for decades.

Gary

On Tue, Aug 22, 2023, 10:34 AM Romain Manni-Bucau 
wrote:

> @Gary Gregory  thing is that we regularly hear
> that but nobody (as in "not significantly enough") embraced polyglot so
> means the verbosity is something you note but don't really care after all
> probably (not 100% sure it would help to solve that since attributes have
> kind of the same cons, ie make the parsing harder for generic consumers -
> and yes, in 202x xml is still not a first citizen in all languages ;)).
>
> Romain Manni-Bucau
> @rmannibucau  |  Blog
>  | Old Blog
>  | Github
>  | LinkedIn
>  | Book
> 
>
>
> Le mar. 22 août 2023 à 15:55, Gary Gregory  a
> écrit :
>
>> One of Maven's pain points (a criticism hear at least) it's verbosity due
>> to the XML style where almost everything is an element. If I can more
>> succinctly list my dependencies, I would consider that a first win in this
>> new Era that will be highly visible to even the most casual user :-)
>> Hopefully this feature will be documented.
>>
>> Gary
>>
>> On Tue, Aug 22, 2023, 9:35 AM Romain Manni-Bucau 
>> wrote:
>>
>> > @Gary it is the stage "you can do whatever you like on your side", even
>> a
>> > pom.properties flavor would work. I assume one of the most requested
>> > feature will be to flatten attributes more than inlining them
>> > ("org.apache.foo:bar:1.2.3") but on the core side the challenge can be
>> to
>> > not break too fast all the "quick parsers" out there so likely staged
>> for
>> > v5 more than v4?
>> >
>> > Romain Manni-Bucau
>> > @rmannibucau  |  Blog
>> >  | Old Blog
>> >  | Github <
>> > https://github.com/rmannibucau> |
>> > LinkedIn  | Book
>> > <
>> >
>> https://www.packtpub.com/application-development/java-ee-8-high-performance
>> > >
>> >
>> >
>> > Le mar. 22 août 2023 à 14:58, Guillaume Nodet  a
>> écrit
>> > :
>> >
>> > > Not directly, but a simple extension could allow that...
>> > >
>> > > Le mar. 22 août 2023 à 12:33, Gary Gregory  a
>> > > écrit :
>> > >
>> > > > Hi all,
>> > > >
>> > > > Would any of these changes allow me to write my POM's XML
>> dependencies
>> > > in a
>> > > > single element where the GID, AID, and version are attributes (and
>> not
>> > > > child elements)?
>> > > >
>> > > > > > > > version="2.13.0" ... />
>> > > >
>> > > > In general, I want the XML to more OO, where XML elements are
>> objects
>> > and
>> > > > attributes are, well, attributes.
>> > > >
>> > > > Gary
>> > > >
>> > > > On Tue, Aug 22, 2023, 3:36 AM Guillaume Nodet 
>> > wrote:
>> > > >
>> > > > > Hi everyone,
>> > > > >
>> > > > > I hope you guys have been able to rest a bit during the summer
>> (for
>> > > those
>> > > > > that are back to work already)...
>> > > > >
>> > > > > I've pushed a few important PRs in the past months and I'd really
>> > like
>> > > to
>> > > > > get the discussion going around those.  Those are major changes
>> that
>> > I
>> > > > > think we should introduce in Maven 4 asap:
>> > > > >   * Better support for alternative POM syntaxes
>> > > > >   * Needed infrastructure to evolve the model
>> > > > >   * POM mixins
>> > > > >   * Support for XML entities / XInclude
>> > > > >
>> > > > > The first 3 changes are stacked onto each other. The first one is
>> the
>> > > > > support for alternative POM syntaxes [2].  Note that no syntax is
>> > > > provided
>> > > > > by the PR, but an example extension is provided in the IT PR [3],
>> the
>> > > > > reader being generated using the maven model and the IT's project
>> is
>> > > > using
>> > > > > it [4].  The main idea is to provide an enhanced XML syntax if we
>> > want,
>> > > > as
>> > > > > it was discussed for the POM 5.0 [5].
>> > > > >
>> > > > > The second one provides the ability to make evolution to the model
>> > > > without
>> > > > > breaking the maven ecosystem.  The model has been stuck in 4.0.0
>> > > version
>> > > > > for 15 years or so, most of the things that would have required a
>> > > change
>> > > > > have been delayed or worked around.  The consumer POM that has
>> been
>> > > > > introduced in Maven 4 is a first step, but I think we should go
>> > > further.
>> > > > > Please read the details in the PR [6].
>> > > > >
>> > > > > The third one is the support for POM mixins [7].  That one is
>> still a
>> > > > > draft.  Two ITs have been written to leverage mixins using GAV or
>> as
>> > > > > relative paths [8].  This definitely needs some work, but the
>>

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Romain Manni-Bucau 
@Gary Gregory  thing is that we regularly hear that
but nobody (as in "not significantly enough") embraced polyglot so means
the verbosity is something you note but don't really care after all
probably (not 100% sure it would help to solve that since attributes have
kind of the same cons, ie make the parsing harder for generic consumers -
and yes, in 202x xml is still not a first citizen in all languages ;)).

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mar. 22 août 2023 à 15:55, Gary Gregory  a
écrit :

> One of Maven's pain points (a criticism hear at least) it's verbosity due
> to the XML style where almost everything is an element. If I can more
> succinctly list my dependencies, I would consider that a first win in this
> new Era that will be highly visible to even the most casual user :-)
> Hopefully this feature will be documented.
>
> Gary
>
> On Tue, Aug 22, 2023, 9:35 AM Romain Manni-Bucau 
> wrote:
>
> > @Gary it is the stage "you can do whatever you like on your side", even a
> > pom.properties flavor would work. I assume one of the most requested
> > feature will be to flatten attributes more than inlining them
> > ("org.apache.foo:bar:1.2.3") but on the core side the challenge can be to
> > not break too fast all the "quick parsers" out there so likely staged for
> > v5 more than v4?
> >
> > Romain Manni-Bucau
> > @rmannibucau  |  Blog
> >  | Old Blog
> >  | Github <
> > https://github.com/rmannibucau> |
> > LinkedIn  | Book
> > <
> >
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> > >
> >
> >
> > Le mar. 22 août 2023 à 14:58, Guillaume Nodet  a
> écrit
> > :
> >
> > > Not directly, but a simple extension could allow that...
> > >
> > > Le mar. 22 août 2023 à 12:33, Gary Gregory  a
> > > écrit :
> > >
> > > > Hi all,
> > > >
> > > > Would any of these changes allow me to write my POM's XML
> dependencies
> > > in a
> > > > single element where the GID, AID, and version are attributes (and
> not
> > > > child elements)?
> > > >
> > > >  > > > version="2.13.0" ... />
> > > >
> > > > In general, I want the XML to more OO, where XML elements are objects
> > and
> > > > attributes are, well, attributes.
> > > >
> > > > Gary
> > > >
> > > > On Tue, Aug 22, 2023, 3:36 AM Guillaume Nodet 
> > wrote:
> > > >
> > > > > Hi everyone,
> > > > >
> > > > > I hope you guys have been able to rest a bit during the summer (for
> > > those
> > > > > that are back to work already)...
> > > > >
> > > > > I've pushed a few important PRs in the past months and I'd really
> > like
> > > to
> > > > > get the discussion going around those.  Those are major changes
> that
> > I
> > > > > think we should introduce in Maven 4 asap:
> > > > >   * Better support for alternative POM syntaxes
> > > > >   * Needed infrastructure to evolve the model
> > > > >   * POM mixins
> > > > >   * Support for XML entities / XInclude
> > > > >
> > > > > The first 3 changes are stacked onto each other. The first one is
> the
> > > > > support for alternative POM syntaxes [2].  Note that no syntax is
> > > > provided
> > > > > by the PR, but an example extension is provided in the IT PR [3],
> the
> > > > > reader being generated using the maven model and the IT's project
> is
> > > > using
> > > > > it [4].  The main idea is to provide an enhanced XML syntax if we
> > want,
> > > > as
> > > > > it was discussed for the POM 5.0 [5].
> > > > >
> > > > > The second one provides the ability to make evolution to the model
> > > > without
> > > > > breaking the maven ecosystem.  The model has been stuck in 4.0.0
> > > version
> > > > > for 15 years or so, most of the things that would have required a
> > > change
> > > > > have been delayed or worked around.  The consumer POM that has been
> > > > > introduced in Maven 4 is a first step, but I think we should go
> > > further.
> > > > > Please read the details in the PR [6].
> > > > >
> > > > > The third one is the support for POM mixins [7].  That one is
> still a
> > > > > draft.  Two ITs have been written to leverage mixins using GAV or
> as
> > > > > relative paths [8].  This definitely needs some work, but the
> current
> > > > state
> > > > > definitely shows that it can be implemented and introduced in the
> > next
> > > > > alphas.
> > > > >
> > > > > The last one is a relatively small PR [9] which brings support for
> > XML
> > > > > entities and XInclude loaded from external files.  All loaded files
> > are
> > > > > loaded using relative URLs (absolute URLs are rejected for security
> > > > > reasons). The entities and

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Gary Gregory 
One of Maven's pain points (a criticism hear at least) it's verbosity due
to the XML style where almost everything is an element. If I can more
succinctly list my dependencies, I would consider that a first win in this
new Era that will be highly visible to even the most casual user :-)
Hopefully this feature will be documented.

Gary

On Tue, Aug 22, 2023, 9:35 AM Romain Manni-Bucau 
wrote:

> @Gary it is the stage "you can do whatever you like on your side", even a
> pom.properties flavor would work. I assume one of the most requested
> feature will be to flatten attributes more than inlining them
> ("org.apache.foo:bar:1.2.3") but on the core side the challenge can be to
> not break too fast all the "quick parsers" out there so likely staged for
> v5 more than v4?
>
> Romain Manni-Bucau
> @rmannibucau  |  Blog
>  | Old Blog
>  | Github <
> https://github.com/rmannibucau> |
> LinkedIn  | Book
> <
> https://www.packtpub.com/application-development/java-ee-8-high-performance
> >
>
>
> Le mar. 22 août 2023 à 14:58, Guillaume Nodet  a écrit
> :
>
> > Not directly, but a simple extension could allow that...
> >
> > Le mar. 22 août 2023 à 12:33, Gary Gregory  a
> > écrit :
> >
> > > Hi all,
> > >
> > > Would any of these changes allow me to write my POM's XML dependencies
> > in a
> > > single element where the GID, AID, and version are attributes (and not
> > > child elements)?
> > >
> > >  > > version="2.13.0" ... />
> > >
> > > In general, I want the XML to more OO, where XML elements are objects
> and
> > > attributes are, well, attributes.
> > >
> > > Gary
> > >
> > > On Tue, Aug 22, 2023, 3:36 AM Guillaume Nodet 
> wrote:
> > >
> > > > Hi everyone,
> > > >
> > > > I hope you guys have been able to rest a bit during the summer (for
> > those
> > > > that are back to work already)...
> > > >
> > > > I've pushed a few important PRs in the past months and I'd really
> like
> > to
> > > > get the discussion going around those.  Those are major changes that
> I
> > > > think we should introduce in Maven 4 asap:
> > > >   * Better support for alternative POM syntaxes
> > > >   * Needed infrastructure to evolve the model
> > > >   * POM mixins
> > > >   * Support for XML entities / XInclude
> > > >
> > > > The first 3 changes are stacked onto each other. The first one is the
> > > > support for alternative POM syntaxes [2].  Note that no syntax is
> > > provided
> > > > by the PR, but an example extension is provided in the IT PR [3], the
> > > > reader being generated using the maven model and the IT's project is
> > > using
> > > > it [4].  The main idea is to provide an enhanced XML syntax if we
> want,
> > > as
> > > > it was discussed for the POM 5.0 [5].
> > > >
> > > > The second one provides the ability to make evolution to the model
> > > without
> > > > breaking the maven ecosystem.  The model has been stuck in 4.0.0
> > version
> > > > for 15 years or so, most of the things that would have required a
> > change
> > > > have been delayed or worked around.  The consumer POM that has been
> > > > introduced in Maven 4 is a first step, but I think we should go
> > further.
> > > > Please read the details in the PR [6].
> > > >
> > > > The third one is the support for POM mixins [7].  That one is still a
> > > > draft.  Two ITs have been written to leverage mixins using GAV or as
> > > > relative paths [8].  This definitely needs some work, but the current
> > > state
> > > > definitely shows that it can be implemented and introduced in the
> next
> > > > alphas.
> > > >
> > > > The last one is a relatively small PR [9] which brings support for
> XML
> > > > entities and XInclude loaded from external files.  All loaded files
> are
> > > > loaded using relative URLs (absolute URLs are rejected for security
> > > > reasons). The entities and xinclude bits are all inlined during the
> raw
> > > ->
> > > > consumer POM transformation so that they don't appear in
> > repositories.  I
> > > > wrote this PR as a possible alternative for mixins, that's the main
> > > reason
> > > > why I include it in this discussion.
> > > >
> > > > I'm not necessarily looking for in-depth reviews of the PRs, but at
> > least
> > > > to find a consensus and general agreement on the way forward.
> > > >
> > > > Cheers,
> > > > Guillaume
> > > >
> > > > [2] https://github.com/apache/maven/pull/1197
> > > > [3]
> > > >
> > > >
> > >
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
> > > > [4]
> > > >
> > > >
> > >
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
> > > > [5]
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
> > > > [6]

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Romain Manni-Bucau 
@Gary it is the stage "you can do whatever you like on your side", even a
pom.properties flavor would work. I assume one of the most requested
feature will be to flatten attributes more than inlining them
("org.apache.foo:bar:1.2.3") but on the core side the challenge can be to
not break too fast all the "quick parsers" out there so likely staged for
v5 more than v4?

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mar. 22 août 2023 à 14:58, Guillaume Nodet  a écrit :

> Not directly, but a simple extension could allow that...
>
> Le mar. 22 août 2023 à 12:33, Gary Gregory  a
> écrit :
>
> > Hi all,
> >
> > Would any of these changes allow me to write my POM's XML dependencies
> in a
> > single element where the GID, AID, and version are attributes (and not
> > child elements)?
> >
> >  > version="2.13.0" ... />
> >
> > In general, I want the XML to more OO, where XML elements are objects and
> > attributes are, well, attributes.
> >
> > Gary
> >
> > On Tue, Aug 22, 2023, 3:36 AM Guillaume Nodet  wrote:
> >
> > > Hi everyone,
> > >
> > > I hope you guys have been able to rest a bit during the summer (for
> those
> > > that are back to work already)...
> > >
> > > I've pushed a few important PRs in the past months and I'd really like
> to
> > > get the discussion going around those.  Those are major changes that I
> > > think we should introduce in Maven 4 asap:
> > >   * Better support for alternative POM syntaxes
> > >   * Needed infrastructure to evolve the model
> > >   * POM mixins
> > >   * Support for XML entities / XInclude
> > >
> > > The first 3 changes are stacked onto each other. The first one is the
> > > support for alternative POM syntaxes [2].  Note that no syntax is
> > provided
> > > by the PR, but an example extension is provided in the IT PR [3], the
> > > reader being generated using the maven model and the IT's project is
> > using
> > > it [4].  The main idea is to provide an enhanced XML syntax if we want,
> > as
> > > it was discussed for the POM 5.0 [5].
> > >
> > > The second one provides the ability to make evolution to the model
> > without
> > > breaking the maven ecosystem.  The model has been stuck in 4.0.0
> version
> > > for 15 years or so, most of the things that would have required a
> change
> > > have been delayed or worked around.  The consumer POM that has been
> > > introduced in Maven 4 is a first step, but I think we should go
> further.
> > > Please read the details in the PR [6].
> > >
> > > The third one is the support for POM mixins [7].  That one is still a
> > > draft.  Two ITs have been written to leverage mixins using GAV or as
> > > relative paths [8].  This definitely needs some work, but the current
> > state
> > > definitely shows that it can be implemented and introduced in the next
> > > alphas.
> > >
> > > The last one is a relatively small PR [9] which brings support for XML
> > > entities and XInclude loaded from external files.  All loaded files are
> > > loaded using relative URLs (absolute URLs are rejected for security
> > > reasons). The entities and xinclude bits are all inlined during the raw
> > ->
> > > consumer POM transformation so that they don't appear in
> repositories.  I
> > > wrote this PR as a possible alternative for mixins, that's the main
> > reason
> > > why I include it in this discussion.
> > >
> > > I'm not necessarily looking for in-depth reviews of the PRs, but at
> least
> > > to find a consensus and general agreement on the way forward.
> > >
> > > Cheers,
> > > Guillaume
> > >
> > > [2] https://github.com/apache/maven/pull/1197
> > > [3]
> > >
> > >
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
> > > [4]
> > >
> > >
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
> > > [5]
> > >
> >
> https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
> > > [6] https://github.com/apache/maven/pull/1160
> > > [7]
> > >
> > >
> >
> https://github.com/apache/maven/pull/1209/commits/211e27acd21a6cb8cee30ccd066499fc613a5c82
> > > [8]
> > >
> > >
> >
> https://github.com/apache/maven-integration-testing/tree/b2642d74caae854051dc77acd19b972dfe66b1cd/core-it-suite/src/test/resources/mng-5102-mixins
> > > [9] https://github.com/apache/maven/pull/1205
> > >
> > > --
> > > 
> > > Guillaume Nodet
> > >
> >
>
>
> --
> 
> Guillaume Nodet
>

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Guillaume Nodet 
Not directly, but a simple extension could allow that...

Le mar. 22 août 2023 à 12:33, Gary Gregory  a
écrit :

> Hi all,
>
> Would any of these changes allow me to write my POM's XML dependencies in a
> single element where the GID, AID, and version are attributes (and not
> child elements)?
>
>  version="2.13.0" ... />
>
> In general, I want the XML to more OO, where XML elements are objects and
> attributes are, well, attributes.
>
> Gary
>
> On Tue, Aug 22, 2023, 3:36 AM Guillaume Nodet  wrote:
>
> > Hi everyone,
> >
> > I hope you guys have been able to rest a bit during the summer (for those
> > that are back to work already)...
> >
> > I've pushed a few important PRs in the past months and I'd really like to
> > get the discussion going around those.  Those are major changes that I
> > think we should introduce in Maven 4 asap:
> >   * Better support for alternative POM syntaxes
> >   * Needed infrastructure to evolve the model
> >   * POM mixins
> >   * Support for XML entities / XInclude
> >
> > The first 3 changes are stacked onto each other. The first one is the
> > support for alternative POM syntaxes [2].  Note that no syntax is
> provided
> > by the PR, but an example extension is provided in the IT PR [3], the
> > reader being generated using the maven model and the IT's project is
> using
> > it [4].  The main idea is to provide an enhanced XML syntax if we want,
> as
> > it was discussed for the POM 5.0 [5].
> >
> > The second one provides the ability to make evolution to the model
> without
> > breaking the maven ecosystem.  The model has been stuck in 4.0.0 version
> > for 15 years or so, most of the things that would have required a change
> > have been delayed or worked around.  The consumer POM that has been
> > introduced in Maven 4 is a first step, but I think we should go further.
> > Please read the details in the PR [6].
> >
> > The third one is the support for POM mixins [7].  That one is still a
> > draft.  Two ITs have been written to leverage mixins using GAV or as
> > relative paths [8].  This definitely needs some work, but the current
> state
> > definitely shows that it can be implemented and introduced in the next
> > alphas.
> >
> > The last one is a relatively small PR [9] which brings support for XML
> > entities and XInclude loaded from external files.  All loaded files are
> > loaded using relative URLs (absolute URLs are rejected for security
> > reasons). The entities and xinclude bits are all inlined during the raw
> ->
> > consumer POM transformation so that they don't appear in repositories.  I
> > wrote this PR as a possible alternative for mixins, that's the main
> reason
> > why I include it in this discussion.
> >
> > I'm not necessarily looking for in-depth reviews of the PRs, but at least
> > to find a consensus and general agreement on the way forward.
> >
> > Cheers,
> > Guillaume
> >
> > [2] https://github.com/apache/maven/pull/1197
> > [3]
> >
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
> > [4]
> >
> >
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
> > [5]
> >
> https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
> > [6] https://github.com/apache/maven/pull/1160
> > [7]
> >
> >
> https://github.com/apache/maven/pull/1209/commits/211e27acd21a6cb8cee30ccd066499fc613a5c82
> > [8]
> >
> >
> https://github.com/apache/maven-integration-testing/tree/b2642d74caae854051dc77acd19b972dfe66b1cd/core-it-suite/src/test/resources/mng-5102-mixins
> > [9] https://github.com/apache/maven/pull/1205
> >
> > --
> > 
> > Guillaume Nodet
> >
>


-- 

Guillaume Nodet

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Gary Gregory 
I should have said "primitive" attributes plus Strings (and maybe
Durations).

Gary

On Tue, Aug 22, 2023, 8:03 AM Elliotte Rusty Harold 
wrote:

> On Tue, Aug 22, 2023 at 10:33 AM Gary Gregory 
> wrote:
> ="2.13.0" ... />
> >
> > In general, I want the XML to more OO, where XML elements are objects and
> > attributes are, well, attributes.
>
>
> That dog won't hunt for reasons that are not specific to Maven. In OO
> attributes can be arbitrarily complex structured objects. In XML
> attributes are strings. There's a deep mismatch here that can't be
> bridged in any sane way.
>
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Elliotte Rusty Harold 
On Tue, Aug 22, 2023 at 10:33 AM Gary Gregory  wrote:
="2.13.0" ... />
>
> In general, I want the XML to more OO, where XML elements are objects and
> attributes are, well, attributes.


That dog won't hunt for reasons that are not specific to Maven. In OO
attributes can be arbitrarily complex structured objects. In XML
attributes are strings. There's a deep mismatch here that can't be
bridged in any sane way.


-- 
Elliotte Rusty Harold
elh...@ibiblio.org

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Gary Gregory 
Hi all,

Would any of these changes allow me to write my POM's XML dependencies in a
single element where the GID, AID, and version are attributes (and not
child elements)?



In general, I want the XML to more OO, where XML elements are objects and
attributes are, well, attributes.

Gary

On Tue, Aug 22, 2023, 3:36 AM Guillaume Nodet  wrote:

> Hi everyone,
>
> I hope you guys have been able to rest a bit during the summer (for those
> that are back to work already)...
>
> I've pushed a few important PRs in the past months and I'd really like to
> get the discussion going around those.  Those are major changes that I
> think we should introduce in Maven 4 asap:
>   * Better support for alternative POM syntaxes
>   * Needed infrastructure to evolve the model
>   * POM mixins
>   * Support for XML entities / XInclude
>
> The first 3 changes are stacked onto each other. The first one is the
> support for alternative POM syntaxes [2].  Note that no syntax is provided
> by the PR, but an example extension is provided in the IT PR [3], the
> reader being generated using the maven model and the IT's project is using
> it [4].  The main idea is to provide an enhanced XML syntax if we want, as
> it was discussed for the POM 5.0 [5].
>
> The second one provides the ability to make evolution to the model without
> breaking the maven ecosystem.  The model has been stuck in 4.0.0 version
> for 15 years or so, most of the things that would have required a change
> have been delayed or worked around.  The consumer POM that has been
> introduced in Maven 4 is a first step, but I think we should go further.
> Please read the details in the PR [6].
>
> The third one is the support for POM mixins [7].  That one is still a
> draft.  Two ITs have been written to leverage mixins using GAV or as
> relative paths [8].  This definitely needs some work, but the current state
> definitely shows that it can be implemented and introduced in the next
> alphas.
>
> The last one is a relatively small PR [9] which brings support for XML
> entities and XInclude loaded from external files.  All loaded files are
> loaded using relative URLs (absolute URLs are rejected for security
> reasons). The entities and xinclude bits are all inlined during the raw ->
> consumer POM transformation so that they don't appear in repositories.  I
> wrote this PR as a possible alternative for mixins, that's the main reason
> why I include it in this discussion.
>
> I'm not necessarily looking for in-depth reviews of the PRs, but at least
> to find a consensus and general agreement on the way forward.
>
> Cheers,
> Guillaume
>
> [2] https://github.com/apache/maven/pull/1197
> [3]
>
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
> [4]
>
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
> [5]
> https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
> [6] https://github.com/apache/maven/pull/1160
> [7]
>
> https://github.com/apache/maven/pull/1209/commits/211e27acd21a6cb8cee30ccd066499fc613a5c82
> [8]
>
> https://github.com/apache/maven-integration-testing/tree/b2642d74caae854051dc77acd19b972dfe66b1cd/core-it-suite/src/test/resources/mng-5102-mixins
> [9] https://github.com/apache/maven/pull/1205
>
> --
> 
> Guillaume Nodet
>

Re: [DISCUSS] Major changed for 4.x

2023-08-22 Thread Romain Manni-Bucau 
Globally it looks good, the only minor detail I would make is that instead
of inlining params in methods considered as API (extension points, the
model reader for ex) I would use a "request" object so read(a, b) would
become read(req) to enable use to make it evolving more reliably instead of
relying on untyped and random options but that's a minor detail.

BTW, did you manage to validate the whole model graph is POJO friendly?
Idea is to make it "mapper" friendly OOTB and not require a custom model
reader more complex than new MyMapper().map(input, Model.class).

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mar. 22 août 2023 à 09:36, Guillaume Nodet  a écrit :

> Hi everyone,
>
> I hope you guys have been able to rest a bit during the summer (for those
> that are back to work already)...
>
> I've pushed a few important PRs in the past months and I'd really like to
> get the discussion going around those.  Those are major changes that I
> think we should introduce in Maven 4 asap:
>   * Better support for alternative POM syntaxes
>   * Needed infrastructure to evolve the model
>   * POM mixins
>   * Support for XML entities / XInclude
>
> The first 3 changes are stacked onto each other. The first one is the
> support for alternative POM syntaxes [2].  Note that no syntax is provided
> by the PR, but an example extension is provided in the IT PR [3], the
> reader being generated using the maven model and the IT's project is using
> it [4].  The main idea is to provide an enhanced XML syntax if we want, as
> it was discussed for the POM 5.0 [5].
>
> The second one provides the ability to make evolution to the model without
> breaking the maven ecosystem.  The model has been stuck in 4.0.0 version
> for 15 years or so, most of the things that would have required a change
> have been delayed or worked around.  The consumer POM that has been
> introduced in Maven 4 is a first step, but I think we should go further.
> Please read the details in the PR [6].
>
> The third one is the support for POM mixins [7].  That one is still a
> draft.  Two ITs have been written to leverage mixins using GAV or as
> relative paths [8].  This definitely needs some work, but the current state
> definitely shows that it can be implemented and introduced in the next
> alphas.
>
> The last one is a relatively small PR [9] which brings support for XML
> entities and XInclude loaded from external files.  All loaded files are
> loaded using relative URLs (absolute URLs are rejected for security
> reasons). The entities and xinclude bits are all inlined during the raw ->
> consumer POM transformation so that they don't appear in repositories.  I
> wrote this PR as a possible alternative for mixins, that's the main reason
> why I include it in this discussion.
>
> I'm not necessarily looking for in-depth reviews of the PRs, but at least
> to find a consensus and general agreement on the way forward.
>
> Cheers,
> Guillaume
>
> [2] https://github.com/apache/maven/pull/1197
> [3]
>
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
> [4]
>
> https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
> [5]
> https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
> [6] https://github.com/apache/maven/pull/1160
> [7]
>
> https://github.com/apache/maven/pull/1209/commits/211e27acd21a6cb8cee30ccd066499fc613a5c82
> [8]
>
> https://github.com/apache/maven-integration-testing/tree/b2642d74caae854051dc77acd19b972dfe66b1cd/core-it-suite/src/test/resources/mng-5102-mixins
> [9] https://github.com/apache/maven/pull/1205
>
> --
> 
> Guillaume Nodet
>

[DISCUSS] Major changed for 4.x

2023-08-22 Thread Guillaume Nodet 
Hi everyone,

I hope you guys have been able to rest a bit during the summer (for those
that are back to work already)...

I've pushed a few important PRs in the past months and I'd really like to
get the discussion going around those.  Those are major changes that I
think we should introduce in Maven 4 asap:
  * Better support for alternative POM syntaxes
  * Needed infrastructure to evolve the model
  * POM mixins
  * Support for XML entities / XInclude

The first 3 changes are stacked onto each other. The first one is the
support for alternative POM syntaxes [2].  Note that no syntax is provided
by the PR, but an example extension is provided in the IT PR [3], the
reader being generated using the maven model and the IT's project is using
it [4].  The main idea is to provide an enhanced XML syntax if we want, as
it was discussed for the POM 5.0 [5].

The second one provides the ability to make evolution to the model without
breaking the maven ecosystem.  The model has been stuck in 4.0.0 version
for 15 years or so, most of the things that would have required a change
have been delayed or worked around.  The consumer POM that has been
introduced in Maven 4 is a first step, but I think we should go further.
Please read the details in the PR [6].

The third one is the support for POM mixins [7].  That one is still a
draft.  Two ITs have been written to leverage mixins using GAV or as
relative paths [8].  This definitely needs some work, but the current state
definitely shows that it can be implemented and introduced in the next
alphas.

The last one is a relatively small PR [9] which brings support for XML
entities and XInclude loaded from external files.  All loaded files are
loaded using relative URLs (absolute URLs are rejected for security
reasons). The entities and xinclude bits are all inlined during the raw ->
consumer POM transformation so that they don't appear in repositories.  I
wrote this PR as a possible alternative for mixins, that's the main reason
why I include it in this discussion.

I'm not necessarily looking for in-depth reviews of the PRs, but at least
to find a consensus and general agreement on the way forward.

Cheers,
Guillaume

[2] https://github.com/apache/maven/pull/1197
[3]
https://github.com/apache/maven-integration-testing/pull/276/files#diff-ffb3dec529cab94ebf3c5830444275ad2b2e4826fe1df843454882efadd2446c
[4]
https://github.com/apache/maven-integration-testing/pull/276/files#diff-8d7362e60d231ad8c5d4b7746873da2855d9cf1fd5aeeca9c143ed942bd94b38
[5]
https://cwiki.apache.org/confluence/display/MAVEN/POM+Model+Version+5.0.0
[6] https://github.com/apache/maven/pull/1160
[7]
https://github.com/apache/maven/pull/1209/commits/211e27acd21a6cb8cee30ccd066499fc613a5c82
[8]
https://github.com/apache/maven-integration-testing/tree/b2642d74caae854051dc77acd19b972dfe66b1cd/core-it-suite/src/test/resources/mng-5102-mixins
[9] https://github.com/apache/maven/pull/1205

-- 

Guillaume Nodet