Bug: SecDispatcher is managed by legacy Plexus DI #11711
Conversation
And as Plexus DI is capable only of field injection, and 2.0 of SecDispatcher contains `final` field as it was converted to JSR330, it causes WARNINGs on Java 26 due JEP 500. Fix: drop component from Plexus XML (this was our last managed Plexus component) and provide a drop in replacement, a supplier w/ name "maven".
|
Current maven-3.9.x built maven emits warning: This PR makes maven-3.9.x built maven not warn anymore: |
| public SecDispatcherProvider( | ||
| PlexusCipher plexusCipher, | ||
| Map<String, PasswordDecryptor> decryptors, | ||
| @Named("${maven.settings.security.configurationFile:-~/.m2/settings-security.xml}") |
There was a problem hiding this comment.
Is the - before ~/.m2/settings-security.xml intentional? Just out of curiosity
There was a problem hiding this comment.
Yes, Sisu specialty: ${key:-defValue}:
https://eclipse.dev/sisu/apidocs/org/eclipse/sisu/wire/package-summary.html
There was a problem hiding this comment.
AFAIR, origin was bash https://linux.die.net/man/1/bash
Was long time ago 😄
${parameter:-word}
Use Default Values. If parameter is unset or null, the expansion of word is substituted. Otherwise, the value of parameter is substituted.
| import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher; | ||
|
|
||
| /** | ||
| * Provides Maven own security dispatcher. It is configured slightly differently than the default one, as |
There was a problem hiding this comment.
"Maven own security dispatcher" is unclear. Consider rewriting
There was a problem hiding this comment.
It refers to the fact that managed component is not named "default", as it is almost always the case, but is named "maven". Hence "maven own" component. Am fine to reformulate this in whatever way you want.
The (somewhat confusing) fact is that plexus-sec-dispatcher.jar itself carries a "default" version of SecDispatcher component (and is named "default"), as it contains Sisu index file, so is discovered and on request created and injected, but it is not configured in the proper way.
There was a problem hiding this comment.
Reformulated javadoc, to something hopefully better.
| import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher; | ||
|
|
||
| /** | ||
| * Provides "maven" named security dispatcher, used by Maven. This component is configured slightly differently than the |
There was a problem hiding this comment.
Provides a security dispatcher named "maven". Maven uses this security dispatcher instead of the default. The default security dispatcher is unaware of Maven specific configuration file locations and should not be used...
|
But why not cherry-picking what we have in 4.x: compat/maven-settings-builder/src/main/java/org/apache/maven/settings/crypto/MavenSecDispatcher.java |
cherry-pick? you mean copy/pasta, no? also, you imply we need to "pull" sec dispatcher 4.1.0 to Maven 3? |
4 participants
And as Plexus DI is capable only of field injection, and 2.0 of SecDispatcher contains
finalfield as it was converted to JSR330, it causes WARNINGs on Java 26 due JEP 500.Fix: drop component from Plexus XML (this was our last managed Plexus component) and provide a drop in replacement, a provider w/ name "maven".