[ http://jira.codehaus.org/browse/MEV-406?page=comments#action_68968 ]
Steve Loughran commented on MEV-406: ------------------------------------ Brett says >Should we write some properties in to the artifact metadata that says who >submitted the current POM, and the >MEV/MAVENUPLOAD issue number? Extra >content will just be ignored by Maven so this is ok. You need to get the metadata into the POM before the MD5 sum is created, and before that MD5 sum is emailed out in a GPG signed release announcement. Otherwise the security chain is broken. Maybe today people dont email the MD5 sum of the pom alongside the binary, but, when you think about it, they ought to.. > XMLBeans pom is missing dependency > ---------------------------------- > > Key: MEV-406 > URL: http://jira.codehaus.org/browse/MEV-406 > Project: Maven Evangelism > Type: Bug > Components: Dependencies > Reporter: David Jencks > Attachments: xbean-2.0.0.pom > > > The xmlbeans 2.0.0 pom is missing the one required dependency on the stax > api. xmlbeans seems to ship a jsr-173-api jar that is of AFAICT unknown > provenance. AFAIK everyone has been using the stax-api jar with no problems > for years: certainly geronimo has. > To see that this is the single required dependency, consult > http://xmlbeans.apache.org/documentation/conInstallGuide.html and look at the > bottom of the page at the suggested classpath setup, e.g.: > export > CLASSPATH=$XMLBEANS_HOME/lib/xbean.jar:$XMLBEANS_HOME/lib/jsr173_1.0_api.jar:$CLASSPATH > Here's the pom, the instructions at > http://maven.apache.org/guides/mini/guide-maven-evangelism.html point to > invalid svn locations so I cannot check out the original and supply a patch. > The pom goes at ~/.m2/repository/xmlbeans/xbean/2.0.0/xbean-2.0.0.pom in a > local repo. I'll attach it as well. > <project> > <modelVersion>4.0.0</modelVersion> > <groupId>xmlbeans</groupId> > <artifactId>xbean</artifactId> > <version>2.0.0</version> > <dependencies> > <dependency> > <groupId>stax</groupId> > <artifactId>stax-api</artifactId> > <version>1.0</version> > </dependency> > </dependencies> > </project> -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
