[ https://issues.apache.org/jira/browse/MNG-6763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283439#comment-17283439 ]
James Grinter commented on MNG-6763:
------------------------------------

Furthermore, Gradle’s configuration lets you say to *never* retrieve specified GroupIds from a given repo. Which means it can prevent a private package ever being retrieved from a central repo.

With the recent wide demonstration and publicity of real (not theoretical) weaknesses in build system configurations for this very problem (in other language/ecosystems, this time) I’d like to be able to make sure it can’t ever happen to my organisation’s own Maven-based builds.

> Restrict repositories to specific groupIds
> ------------------------------------------
>
>                 Key: MNG-6763
>                 URL: https://issues.apache.org/jira/browse/MNG-6763
>             Project: Maven
>          Issue Type: New Feature
>            Reporter: dennis lucero
>            Priority: Major
>              Labels: intern
>
> It should be possible to restrict the repositories specified in settings.xml
> to specific groupIds. Looking at
> [https://maven.apache.org/ref/3.6.2/maven-settings/settings.html#class_repository],
> it seems this is currently not the case.
>
> Background: We use Nexus to host our own artifacts. The settings.xml contains
> our Nexus repository with <updatePolicy>always</updatePolicy> because
> sometimes a project is built while a dependency is not yet in our Nexus repo
> – without updatePolicy, it would take 24 hours or manual deletion of metadata
> to make Maven re-check for the missing dependency.
>
> Additionally, we use versions-maven-plugin:2.7:display-dependency-updates in
> our build process.
>
> This results in lots of queries (more than 300 in a simple Dropwizard
> project) to our repo which will never succeed. If we could specify that our
> repo only supplies groupIds beginning with org.example, Maven could skip
> update checks for groupIds starting with com.fasterxml.jackson and so on,
> speeding up the build process.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
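
The filtering that the issue and the comment ask for, as an added Python example (not Maven or Gradle code, and not from the thread's participants): each repository carries include and exclude groupId prefixes, which decide the repositories that would be queried for a groupId and flag artifacts that came from a repository the policy forbids. The `RepoPolicy` model, the repository ids `nexus-internal` and `central`, the dot-boundary prefix match and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RepoPolicy:
    """Hypothetical per-repository filter; not a Maven settings.xml element."""
    repo_id: str
    include: tuple = ()  # groupId prefixes this repo may serve; empty means any
    exclude: tuple = ()  # groupId prefixes this repo must never serve


def in_group(group_id, prefix):
    # Assumption: match on a dot boundary, so "org.example" covers
    # "org.example.billing" but not the look-alike "org.examplex".
    return group_id == prefix or group_id.startswith(prefix + ".")


def allowed(policy, group_id):
    if any(in_group(group_id, p) for p in policy.exclude):
        return False  # an exclude always wins
    return not policy.include or any(in_group(group_id, p) for p in policy.include)


def repos_to_query(policies, group_id):
    """Repository ids a resolver would contact for this groupId, in order."""
    return [p.repo_id for p in policies if allowed(p, group_id)]


def audit(policies, resolved):
    """Return (groupId, repo id) pairs fetched from a repo the policy forbids."""
    by_id = {p.repo_id: p for p in policies}
    return [(g, r) for g, r in resolved
            if r not in by_id or not allowed(by_id[r], g)]


POLICIES = [
    RepoPolicy("nexus-internal", include=("org.example",)),
    RepoPolicy("central", exclude=("org.example",)),
]

# Constructed records: (groupId, id of the repository the artifact came from).
RESOLVED = [
    ("org.example.billing", "nexus-internal"),
    ("com.fasterxml.jackson.core", "central"),
    ("org.example.billing", "central"),   # private groupId served by a public repo
    ("org.examplex", "nexus-internal"),   # look-alike prefix, outside the allow-list
]

if __name__ == "__main__":
    for g in ("org.example.billing", "com.fasterxml.jackson.core"):
        print(g, "->", repos_to_query(POLICIES, g))
    print("violations:", audit(POLICIES, RESOLVED))
```

With a policy like this, a groupId outside `org.example` never triggers a lookup against the internal repository, and an `org.example` artifact recorded as coming from `central` shows up as a violation.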