May I know who is handling this PR? https://github.com/apache/maven-enforcer/pull/13
any comments or concerns? Regards Simon 2014-05-30 10:38 GMT+08:00 Wang YunFeng <[email protected]>: > Hi, Karl, > > Real case happened in our company is: > There are bunch of repositories using. For specific application, need to > limit specific set of repositories. > > Those invalid repositories could be defined anywhere. > like settings.xml, application's pom files or even in dependency's pom > files. > > So point is: this rule will ban repositories from maven session level, > instead of only application pom and its parent. > Also attached some comments below from Paul. > > I create a demo project to show how to use this rule: > 1. clone https://github.com/wangyf2010/maven-enforcer, "mvn clean install > -DskipTests" it. > 2. clone > https://github.com/wangyf2010/maven-shared/tree/banned-repos/maven-dependency-analyzer > 3. run "mvn enforcer:enforce" for "maven-dependency-analyzer". > > Of course, you can try to add banned repositories into settings.xml as > well. > > Regards > Simon > > ~~~~ > I think banning repositories is a great idea. The example givem may not be > too useful -- the system architects should just turn off access to the repo > they don't want anyone to acesss -- but I more than once wanted to stop > some live repos (out of my control) from being accessed. +1. > > > Cheers, > Paul > > > 2014-05-30 2:36 GMT+08:00 Karl Heinz Marbaise <[email protected]>: > > Hi Simon, >> >> >> after diving into this a little bit more... >> >> Can you give an real example of the use case for your rule, cause if you >> are in an enterprise environment you should use already a repository >> manager which means only having a mirror entry in your settings.xml >> (usually looks like this here: http://books.sonatype.com/ >> nexus-book/reference/maven-sect-single-group.html) >> no repositories in your pom's (which can be checked by the >> requireNoRepositories rule). >> >> Apart from that I have tried your rule, but unfortunately it does not >> identify repositories defined in the pom file (ok that was not the >> intention) nor does it realize that i have defined supplemental >> repositories in my settings.xml file.... >> >> May be you can give an full example in which cases it will help...or may >> be i mistaken things here... >> >> Kind regards >> Karl-Heinz Marbaise >> >> >> On 5/29/14 4:24 PM, Wang, Simon wrote: >> >>> Hi, Robert, >>> >>> Karl asked same question, please refer below mail about this question. >>> Hope that help. >>> >>> Regards >>> Simon >>> ~~~~ >>> Hi, Karl, >>> >>> Thanks for your comments. >>> >>> I did dig into requireNoRepositories.html, the purpose for that rule is: >>> detect whether pom and pom’s parents contains repositories definition. >>> That make sense to guide users to use correct convention (not define >>> repositories in pom files). >>> >>> But “BannedRepositories” is different purpose, it’s just like >>> “BannedDependencies”. >>> This rule is major for those “maven repository migration” case. >>> Some users used to have old repositories, those repositories might be >>> defined in pom.xml or settings.xml. >>> This rule could benefit on these cases a lot. >>> It will detect banned repositories from maven session context instead of >>> only pom.xml and parents. >>> >>> After all, requireNoRepositories.html is trying to help users to follow >>> correct maven convention. >>> but “BannedRepositories” is trying to avoid misuse incorrect >>> repositories. Especially in enterprise environment. >>> >>> Regards >>> Simon >>> >>> ~~~~ >>> Hi Simon, >>> >>> >>> I have taken a look into your suggestions ....I have a couple of >>> thoughts about it ... >>> >>> First there exists already a rule to avoid repositories ( >>> http://maven.apache.org/enforcer/enforcer-rules/ >>> requireNoRepositories.html) which can be used and is has an option >>> to allow particular repositories by using a white-list of allowed >>> repository based on the repository id. >>> >>> like this: >>> >>> <requireNoRepositories> >>> <allowedRepositories> >>> <allowedRepository>codehausSnapshots</allowedRepository> >>> </allowedRepositories> >>> ... >>> </requireNoRepositories> >>> >>> >>> So the question is why adding a complete new rule instead of enhancing >>> the existing by your idea using the url as identification for the >>> repository which i think is a really good idea...so users are not able to >>> forge the repository they use by using a different id only the url is used >>> to identify the allowed repositories. >>> >>> >>> Kind regards >>> Karl-Heinz Marbaise >>> >>> On May 29, 2014, at 10:15 PM, Robert Scholte <[email protected]> >>> wrote: >>> >>> http://maven.apache.org/enforcer/enforcer-rules/ >>>> requireNoRepositories.html seems to cover this, right? >>>> >>>> Robert >>>> >>>> Op Wed, 28 May 2014 22:19:07 +0200 schreef Mirko Friedenhagen < >>>> [email protected]>: >>>> >>>> Hello everybody, >>>>> >>>>> there is an outstanding MENFORCER-193[0] request for a new standard >>>>> rule, which will allow to ban repositories. What is your opinion about >>>>> adding new standard rules in enforcer vs. adding to Mojo's >>>>> extra-enforcer-rules? >>>>> >>>>> Regards Mirko >>>>> [0] https://jira.codehaus.org/browse/MENFORCER-193 >>>>> -- >>>>> http://illegalstateexception.blogspot.com/ >>>>> https://github.com/mfriedenhagen/ (http://osrc.dfm.io/mfriedenhagen) >>>>> https://bitbucket.org/mfriedenhagen/ >>>>> >>>>> --------------------------------------------------------------------- >>>>> To unsubscribe, e-mail: [email protected] >>>>> For additional commands, e-mail: [email protected] >>>>> >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: [email protected] >>>> For additional commands, e-mail: [email protected] >>>> >>>> >>> >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> >> >
