Thanks for your comments, Karl! I added document for this rule, please review it. https://github.com/apache/maven-enforcer/pull/13
About enhance the rule to detect repository entries in settings.xml/pom independent of mirrorOf settings. I think it’s out of scope for this rule, because this rule is trying to detect whether current maven session contains banned repositories. mirrorOf is part of maven settings, and the result is: all banned repositories are redirected to correct one. Then result is: current maven session hasn’t invalid repositories of course. I’d prefer to note it in document, but hold enhancement to detect pom/settings.xml only instead of maven session context. Regards Simon On May 31, 2014, at 1:47 AM, Karl Heinz Marbaise <[email protected]> wrote: > Hi Simon, > > so after checking it i found the point... > > I have defined mirrorOf * as usual in case of using a repository manager...in > my settings.xml which looks like the following: > > <mirrors> > <mirror> > <id>nexus</id> > <mirrorOf>*</mirrorOf> > <url>http://.../nexus/..</url> > </mirror> > </mirrors> > > So with the above i can add as much repository entries in my settings > as well as in my pom.xml and the rule will NOT warning/break my build with > it...except if i explicitly exclude them in the mirrorOf via things like this: > > <mirrorOf>*,!WhatEver</mirrorOf> > > This brings me to two points: > > First: > > It would be nice if you could add an appropriate documentation > (enforcer-rules/src/site/apt/) which exactly describes the differences to the > requireNoRepository rule and give a good examples of the use cases which > means not using mirrorOf as above etc. > > After this enhancement of the patch (? submission to large for patch) i would > appreciate to pick up your patch(?) and add it to extra-enforcer-rules (this > will get a release faster i think) or may be the default rules (after > discussion on the dev list with the other dev's) I don't know the exact > procedure with such kind of submissions without paper.... > > Apart from the above you might can check if it's possible to > enhance the rule in that way to identify the repository entries in > settings.xml/pom independent of the mirrorOf settings (may be via an option). > > > Kind regards > Karl-Heinz Marbaise > PS.: It's not necessary to quote the answers of the others here on the dev > list to posts cause obviously I'm subscribed on the dev list and I'm > following the discussion. > > On 5/29/14 1:52 PM, Wang, Simon wrote: >> Hi, Karl, >> >> Thanks for your comments. >> >> I did dig into requireNoRepositories.html, the purpose for that rule is: >> detect whether pom and pom’s parents contains repositories definition. >> That make sense to guide users to use correct convention (not define >> repositories in pom files). >> >> But “BannedRepositories” is different purpose, it’s just like >> “BannedDependencies”. >> This rule is major for those “maven repository migration” case. >> Some users used to have old repositories, those repositories might be >> defined in pom.xml or settings.xml. >> This rule could benefit on these cases a lot. >> It will detect banned repositories from maven session context instead of >> only pom.xml and parents. >> >> After all, requireNoRepositories.html is trying to help users to follow >> correct maven convention. >> but “BannedRepositories” is trying to avoid misuse incorrect repositories. >> Especially in enterprise environment. >> >> Regards >> Simon >> On May 29, 2014, at 7:21 PM, Karl Heinz Marbaise <[email protected]> wrote: >> >>> Hi Simon, >>> >>> >>> I have taken a look into your suggestions ....I have a couple of thoughts >>> about it ... >>> >>> First there exists already a rule to avoid repositories >>> (http://maven.apache.org/enforcer/enforcer-rules/requireNoRepositories.html) >>> which can be used and is has an option >>> to allow particular repositories by using a white-list of allowed >>> repository based on the repository id. >>> >>> like this: >>> >>> <requireNoRepositories> >>> <allowedRepositories> >>> <allowedRepository>codehausSnapshots</allowedRepository> >>> </allowedRepositories> >>> ... >>> </requireNoRepositories> >>> >>> >>> So the question is why adding a complete new rule instead of enhancing the >>> existing by your idea using the url as identification for the repository >>> which i think is a really good idea...so users are not able to forge the >>> repository they use by using a different id only the url is used to >>> identify the allowed repositories. >>> >>> >>> Kind regards >>> Karl-Heinz Marbaise >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: [email protected] >>> For additional commands, e-mail: [email protected] >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] >
