[
http://jira.codehaus.org/browse/MNG-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=250059#action_250059
]
Benjamin Bentmann commented on MNG-4716:
----------------------------------------
This is troublesome as the interpolated/effective POM can contain sensitive
information like passwords embedded into SCM URLs or plugin configuration.
> Make the interpolated POM of a deployed artifact embedded too
> -------------------------------------------------------------
>
> Key: MNG-4716
> URL: http://jira.codehaus.org/browse/MNG-4716
> Project: Maven 2 & 3
> Issue Type: Improvement
> Components: Deployment
> Reporter: Tamás Cservenák
> Fix For: Issues to be reviewed for 3.x
>
>
> Make the interpolated POM of a deployed artifact embedded too. Actually, the
> "original" POM embedded into deployed JAR does not have much purpose, think
> about following:
> * deploy the module's POM next to deployed artifact (just like happens now)
> * embed the _effective_ POM in effect in the moment of building the deployed
> JAR (instead of current "plain" uninterpolated POM). Or just next to it.
> Reasoning: the interpolated POM embedded is not for "downstream consumers"
> like Maven clients (builds consuming this artifact as dependency), it is
> about "how this build was built" and _should be frozen_, just like the
> deployed JAR is (eternal, not changing, just potentially being deleted in
> case of snapshots).
> I'd like to have an interpolated POM of a _deployed_ artifact that would
> describe me _how this artifact was built_.
> If we do not store interpolated POM along with the built artifact, we
> effectively loose the state of Maven project doing the build. Moreover, while
> the _repeated_ calculation of effective POM for deployed artifact _is_
> possible, for snapshot repositories, that have continuously deploys, there
> will be a moment when a _calculated effective POM_ (using the repository
> artifacts) and a state of a given snapshot may fall completely out-of-sync
> (the way JAR was built will not correspond to the effective POM you are able
> to calculate for it). This is true not for snapshot repositories, but also
> for "wrongly managed" release repositories, and also, think about staging too.
> So, ultimately, POM is "changing", yes, but only when it is consumed by a
> client (like Maven build referencing it as dependency). But during deploy, it
> is assembled in a way that is actually eternal, frozen, and JAR will stay
> like that after deployed (JARs in maven repo does NOT change, hence it's
> effective POM should not change either), since all it's parent POM, deps,
> plugins are deployed, are not "moving targets" anymore, at least from aspect
> of that one JAR being deployed.
> In short: not having effective POM for deployed artifacts makes you to
> recalculate effective POM, but the result and the effective POM of the build
> that did deploy (somewhere in past) may very well be different.
> Again, this is only to "persist the build state" of an artifact, and should
> not interfere with any of the existing way how maven uses
> artifact-version.pom in repositories. It is only about embedding the "how
> this jar was done" in the exact moment when deploy (hence build) happened.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
