[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823471#comment-17823471 ] ASF GitHub Bot commented on MSCRIPTING-7: - rmannibucau commented on code in PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#discussion_r1512251552 ## src/main/java/org/apache/maven/plugins/scripting/EvalMojo.java: ## @@ -60,18 +64,27 @@ public class EvalMojo extends AbstractMojo { @Parameter String scriptResource; +@Component +private SettingsDecrypter settingsDecrypter; + // script variables @Parameter(defaultValue = "${project}", readonly = true) private MavenProject project; +// script variables +@Parameter(defaultValue = "${session}", readonly = true) Review Comment: Is there a pro? I tend to prefer to limit the API (#imports) but if there is some advantage i'll do > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823404#comment-17823404 ] ASF GitHub Bot commented on MSCRIPTING-7: - hboutemy commented on code in PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#discussion_r1512093998 ## src/main/java/org/apache/maven/plugins/scripting/EvalMojo.java: ## @@ -60,18 +64,27 @@ public class EvalMojo extends AbstractMojo { @Parameter String scriptResource; +@Component +private SettingsDecrypter settingsDecrypter; + // script variables @Parameter(defaultValue = "${project}", readonly = true) private MavenProject project; +// script variables +@Parameter(defaultValue = "${session}", readonly = true) Review Comment: @Component can replace read-only parameter > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823367#comment-17823367 ] ASF GitHub Bot commented on MSCRIPTING-7: - bmarwell commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977523999 I'm somewhere between the lines here. If you have a common use case, a dedicated plugin is probably a better solution compared to the exec-, antrun-, or scripting-plugin. I'll say let's skip this pr for now... There's also #7 FWIW. If more people need such a backdoor, we can visit this and #7 again. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823343#comment-17823343 ] ASF GitHub Bot commented on MSCRIPTING-7: - rmannibucau commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977445949 @cstamas I'm on the camp to enable people to do what works for them, for me maven key is dependencies and it must stay static, rest (build pipeline) already broke maven original design and convention and it is bad to need to create a module/project for a build need so I'm clearly keen to see this kind of thing happening. No strong push from me there since I moved to exec and some companions but think it is sane. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823339#comment-17823339 ] ASF GitHub Bot commented on MSCRIPTING-7: - cstamas commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977439877 It is not all black or white of course. We do need some "backdoors" open, for case of "emergency", if no plugin exists that does what you need. But if you google it, you will see the trend: "use hack in maven, but if you need it too often, write a plugin for it" tendency. And we must not lose this. This is why originally writing maven plugins was possible using ant scripts and beanshell as well. Beanshell, Ant script, they were all there to lower the plugin authoring barrier, BUT, those were plugins, they used plugin API, had descriptors, etc, so any future thing like build avoidance, incremental build (real one, not what we have today), etc. could rely on them. Problem is when "hacks" remain hacks, or worse, when "hacks become pattern" (of using some "special" (backdoor) plugin). So if you have ant/exec plugin in build, it is okay, as long as you do not stick with it. But in our case, I see pattern of building some "library of hacks" on top of these, that makes ANY of these "solutions" non reusable, non shared, not maven plugins If you need something special, hack it once. But second time write a plugin for it. Period. In short, we do need "stepping stone" plugins (hacks, like exec, ant plugins) to solve some ad-hoc scenarios, BUT these are stepping stones, in a sense, if pattern is repeated, they should be made into reusable plugins ultimately, while I see no intention of that happening here. In contrary, I see quite the opposite intent. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823331#comment-17823331 ] ASF GitHub Bot commented on MSCRIPTING-7: - bmarwell commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977407591 > This is a matter of principle, and IMHO, vision. > > Plugins like these are like "swiss knives" and allows hacking, in effect, like Ant or other tools allow it (and makes Maven hackable just like one would do with Ant). > > Maven IMHO should be more like "set of Un*x tools" instead: set of battle tested (but also simple) plugins, that do few things, but do them well. > > If someone is akin for "swiss knife" plugins like these, for me is clear sign that they want to even widen their "hacking", that is IMHO another sign, they should be using Gradle, Ant or whatever else. Maven is a _declarative build system_. > > And I did not even mention the reasons Robert brought up (plus multitude of other reasons). This is also already possible in the exec plugin, and no one said this was a vuln (see Romains comment). Then, this would mean you need also get rid of exec-plugin. Then, what about the requirements history? Why was this plugin released in the first place? There could have been a vote against it at that time? > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823329#comment-17823329 ] ASF GitHub Bot commented on MSCRIPTING-7: - cstamas commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977397396 This is a matter of principle, and IMHO, vision. Plugins like these are like "swiss knives" and allows hacking, in effect, like Ant or other tools allow it (and makes Maven hackable just line one would do with Ant). Maven IMHO should be more like "set of Un*x tools" instead: set of battle tested (but also simple) plugins, that do few things, but do them well. If someone is akin for "swiss knife" plugins like these, for me is clear sign that they want to even widen their "hacking", that is IMHO another sign, they should be using Gradle, Ant or whatever else. Maven is a _declarative build system_. And I did not even mention the reasons Robert brought up (plus multitude of other reasons). > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823328#comment-17823328 ] ASF GitHub Bot commented on MSCRIPTING-7: - rmannibucau commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977388097 @cstamas any rational behind and proposal to solve the related issue (enable to do proper resolutions from the script)? > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823325#comment-17823325 ] ASF GitHub Bot commented on MSCRIPTING-7: - cstamas commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977364279 A big -1 here > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823323#comment-17823323 ] ASF GitHub Bot commented on MSCRIPTING-7: - rmannibucau opened a new pull request, #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4 Following this checklist to help us incorporate your contribution quickly and easily: - [ ] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/MSCRIPTING) filed for the change (usually before you start working on it). Trivial changes like typos do not require a JIRA issue. Your pull request should address just this issue, without pulling in other changes. - [ ] Each commit in the pull request should have a meaningful subject line and body. - [ ] Format the pull request title like `[MSCRIPTING-XXX] - Fixes bug in ApproximateQuantiles`, where you replace `MSCRIPTING-XXX` with the appropriate JIRA issue. Best practice is to use the JIRA issue title in the pull request title and in the first line of the commit message. - [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why. - [ ] Run `mvn clean verify` to make sure basic checks pass. A more thorough check will be performed on your pull request automatically. - [ ] You have run the integration tests successfully (`mvn -Prun-its clean verify`). If your pull request is about ~20 lines of code you don't need to sign an [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf) if you are unsure please ask on the developers list. To make clear that you license your contribution under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0) you have to acknowledge this by using the following check-box. - [ ] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0) - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf). > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823324#comment-17823324 ] ASF GitHub Bot commented on MSCRIPTING-7: - bmarwell commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1977359977 Re-opened for new evaluation > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17822996#comment-17822996 ] ASF GitHub Bot commented on MSCRIPTING-7: - rmannibucau commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1975371685 @bmarwell this is true but this is also something the script somehow know in the context of a project. What would be more useful is a replacement for plexus container to lookup any potentially needed bean or a loose coupling like in exec:java (constructor injection runnable case) but my suspicion is maven (4) misses a container handler for these cases. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17822994#comment-17822994 ] ASF GitHub Bot commented on MSCRIPTING-7: - bmarwell commented on PR #4: URL: https://github.com/apache/maven-scripting-plugin/pull/4#issuecomment-1975340815 You could also add: ``` bindings.put( "pluginDescriptor", pluginDescriptor ); bindings.put( "mojoExecution", mojoExecution ); ``` from #7 if you think it adds any benefits. Needs a rebase and `spotless:apply` either way. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Assignee: Benjamin Marwell >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17402758#comment-17402758 ] Romain Manni-Bucau commented on MSCRIPTING-7: - Functionally i want to be able to replace any custom mojo so i need kind of inject capability. Gmavenplus plugin does it exposing the session and therefore plexus container as most plugins. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17402741#comment-17402741 ] Robert Scholte commented on MSCRIPTING-7: - It looks like you want to be able to use @Inject in you scripts. Haven't seen something like that before. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17402740#comment-17402740 ] Romain Manni-Bucau commented on MSCRIPTING-7: - There are operations you cant do without the session so it must be done otherwise the scripting goal to enable to extend the build with custom tasks without writing a plugin for specific cases is not reached. All other scripting plugins do generally for that reason. Minimum is to let the ioc/guice injector/plexus container be accessed. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (MSCRIPTING-7) Session is not bound in scripting bindings
[ https://issues.apache.org/jira/browse/MSCRIPTING-7?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17402669#comment-17402669 ] Robert Scholte commented on MSCRIPTING-7: - There's no description, so it is unclear why the session needs to be added to the bindings. Based on the PR it seems like the real reason is to have access to the server entries. I've closed that due to security vulnerability reasons, so maybe this ticket can be closed too. > Session is not bound in scripting bindings > -- > > Key: MSCRIPTING-7 > URL: https://issues.apache.org/jira/browse/MSCRIPTING-7 > Project: Maven Scripting > Issue Type: Task >Affects Versions: 3.0.0 >Reporter: Romain Manni-Bucau >Priority: Major > Labels: pull-request-available > -- This message was sent by Atlassian Jira (v8.3.4#803005)