Any update for this PR? Please let me know if have any concerns.
Regards Simon On Jun 2, 2014, at 10:16 PM, Wang, Simon <[email protected]> wrote: > Thanks for your comments, Karl! > > I added document for this rule, please review it. > https://github.com/apache/maven-enforcer/pull/13 > > About enhance the rule to detect repository entries in settings.xml/pom > independent of mirrorOf settings. > I think it’s out of scope for this rule, because this rule is trying to > detect whether current maven session contains banned repositories. > mirrorOf is part of maven settings, and the result is: all banned > repositories are redirected to correct one. > > Then result is: current maven session hasn’t invalid repositories of course. > > I’d prefer to note it in document, but hold enhancement to detect > pom/settings.xml only instead of maven session context. > > Regards > Simon > > On May 31, 2014, at 1:47 AM, Karl Heinz Marbaise <[email protected]> wrote: > >> Hi Simon, >> >> so after checking it i found the point... >> >> I have defined mirrorOf * as usual in case of using a repository >> manager...in my settings.xml which looks like the following: >> >> <mirrors> >> <mirror> >> <id>nexus</id> >> <mirrorOf>*</mirrorOf> >> <url>http://.../nexus/..</url> >> </mirror> >> </mirrors> >> >> So with the above i can add as much repository entries in my settings >> as well as in my pom.xml and the rule will NOT warning/break my build with >> it...except if i explicitly exclude them in the mirrorOf via things like >> this: >> >> <mirrorOf>*,!WhatEver</mirrorOf> >> >> This brings me to two points: >> >> First: >> >> It would be nice if you could add an appropriate documentation >> (enforcer-rules/src/site/apt/) which exactly describes the differences to >> the requireNoRepository rule and give a good examples of the use cases which >> means not using mirrorOf as above etc. >> >> After this enhancement of the patch (? submission to large for patch) i >> would appreciate to pick up your patch(?) and add it to extra-enforcer-rules >> (this will get a release faster i think) or may be the default rules (after >> discussion on the dev list with the other dev's) I don't know the exact >> procedure with such kind of submissions without paper.... >> >> Apart from the above you might can check if it's possible to >> enhance the rule in that way to identify the repository entries in >> settings.xml/pom independent of the mirrorOf settings (may be via an option). >> >> >> Kind regards >> Karl-Heinz Marbaise >> PS.: It's not necessary to quote the answers of the others here on the dev >> list to posts cause obviously I'm subscribed on the dev list and I'm >> following the discussion. >> >> On 5/29/14 1:52 PM, Wang, Simon wrote: >>> Hi, Karl, >>> >>> Thanks for your comments. >>> >>> I did dig into requireNoRepositories.html, the purpose for that rule is: >>> detect whether pom and pom’s parents contains repositories definition. >>> That make sense to guide users to use correct convention (not define >>> repositories in pom files). >>> >>> But “BannedRepositories” is different purpose, it’s just like >>> “BannedDependencies”. >>> This rule is major for those “maven repository migration” case. >>> Some users used to have old repositories, those repositories might be >>> defined in pom.xml or settings.xml. >>> This rule could benefit on these cases a lot. >>> It will detect banned repositories from maven session context instead of >>> only pom.xml and parents. >>> >>> After all, requireNoRepositories.html is trying to help users to follow >>> correct maven convention. >>> but “BannedRepositories” is trying to avoid misuse incorrect repositories. >>> Especially in enterprise environment. >>> >>> Regards >>> Simon >>> On May 29, 2014, at 7:21 PM, Karl Heinz Marbaise <[email protected]> wrote: >>> >>>> Hi Simon, >>>> >>>> >>>> I have taken a look into your suggestions ....I have a couple of thoughts >>>> about it ... >>>> >>>> First there exists already a rule to avoid repositories >>>> (http://maven.apache.org/enforcer/enforcer-rules/requireNoRepositories.html) >>>> which can be used and is has an option >>>> to allow particular repositories by using a white-list of allowed >>>> repository based on the repository id. >>>> >>>> like this: >>>> >>>> <requireNoRepositories> >>>> <allowedRepositories> >>>> <allowedRepository>codehausSnapshots</allowedRepository> >>>> </allowedRepositories> >>>> ... >>>> </requireNoRepositories> >>>> >>>> >>>> So the question is why adding a complete new rule instead of enhancing the >>>> existing by your idea using the url as identification for the repository >>>> which i think is a really good idea...so users are not able to forge the >>>> repository they use by using a different id only the url is used to >>>> identify the allowed repositories. >>>> >>>> >>>> Kind regards >>>> Karl-Heinz Marbaise >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: [email protected] >>>> For additional commands, e-mail: [email protected] >>>> >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: [email protected] >>> For additional commands, e-mail: [email protected] >>> >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> >
