Re: Build vs Consumer POM study

2018-03-15 Thread Lennart Jörelid
Hello all. As you have reflected on earlier, it is possible, although somewhat clunky, to implement the Consumer vs Build POM today using the Maven Enforcer and a custom rule to identify the two types of POM. I have done one such implementation (found at GitHub

[MJAR] please add MJAR-238 to jigsaw status as an open bug

2018-03-15 Thread Bernd Eckenfels
Hello. On the Jigsaw-status page, it would be good to add the status of the m-jar-p, especially https://issues.apache.org/jira/browse/MJAR-238, which blocks it from being used for setting the main class of a modular JAR. https://cwiki.apache.org/confluence/display/MAVEN/Java+9+-+Jigsaw The thing has

Re: Security related metadata

2018-03-15 Thread Hervé BOUTEMY
Hi Jochen, I'll try to rephrase and summarize previous ideas on this. The issue is two-sided: 1. from the artifact provider point of view, 2. from the artifact consumer point of view. For the provider: the provider of an artifact owns its groupId in Central. Then if we do something, the data will h

Re: Security related metadata

2018-03-15 Thread Hervé BOUTEMY
I like this idea: seems reasonable, even if I don't really see yet the full implications. I had a look at the 2 CVEs for Maven and could not find any CPE. Is it really something used for every CVE? Regards, Hervé On Thursday 15 March 2018, 00:14:34 CET Bernd Eckenfels wrote: > There is the proble

Re: Build vs Consumer POM study

2018-03-15 Thread Hervé BOUTEMY
On Thursday 15 March 2018, 11:18:35 CET Martijn Dashorst wrote: > Just to throw this out there: > > The consumer POM should only contain the non-dynamic bits that can > change outside the scope of the artifacts that are described by the > POM. > > The consumer POM should consist of only the invari

Re: Build vs Consumer POM study

2018-03-15 Thread Martijn Dashorst
Just to throw this out there: The consumer POM should only contain the non-dynamic bits that can change outside the scope of the artifacts that are described by the POM. The consumer POM should consist of only the invariant parts of the released artifacts: coordinates, dependencies, license, Ther

Re: Security related metadata

2018-03-15 Thread Jochen Wiedmann
Hi Hervé, could you describe to me what in my proposal makes you expect a "management nightmare"? My impression was that I am describing something reasonable. Jochen On 2018/03/14 22:48:35, Hervé BOUTEMY wrote: > using a plugin like OWASP Dependency-Check (or any other tool like it), a