Re: Comments removed in consumer POM

2025-02-09 Thread Romain Manni-Bucau
Hi Anders, Not sure it can really be problematic until it is considered as sources - and it is not. But 100% agree it can be neat to keep it at some point but then it means flagging them as "keepable" to not keep the comment on build block which will be stripped for example. Romain Manni-Bucau @r

Re: Comments removed in consumer POM

2025-02-09 Thread Elliotte Rusty Harold
If the consumer pom is published at a public URL, a copyright notice is reasonable. How the file was created or edited doesn't really enter into it. Now that I think about it though, why do we have to use a comment for the copyright notice? This feels like something we should have as an element in

Re: Comments removed in consumer POM

2025-02-09 Thread Manfred Moser
I agree with the idea of keeping comments. In fact I think it might be best to somehow select for each comment section to be part of the consumer pom or not. Not sure how to achieve that cleanly though Manfred On 2025-02-09 11:28 a.m., Anders Hammar wrote: Hi, I and Robert did a Maven 4 presen

Re: Comments removed in consumer POM

2025-02-09 Thread Romain Manni-Bucau
Strictly speaking it is in the xml tree ( https://maven.apache.org/pom.html#Licenses) but comments are often very useful, a common one we likely do not want to lose is why a dep was overridden or excluded. Indeed we can always add a tag but it will end up having a 0-n cardinality which is not

Re: Comments removed in consumer POM

2025-02-09 Thread Guillaume Nodet
In case someone is looking at where the consumer POM is written, the code is here: https://github.com/apache/maven/blob/bcf5c0c4e0b6d6c53c6a07d3bf10794b0e6083a1/impl/maven-core/src/main/java/org/apache/maven/internal/transformation/impl/DefaultConsumerPomArtifactTransformer.java#L191 Le lun. 10 fé

Re: Supply Chain Attacks and Insider Threats

2025-02-09 Thread Elliotte Rusty Harold
On Sun, Feb 9, 2025 at 8:00 AM Slawomir Jaranowski wrote: > We have a simple statistic > https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-dist-tool/job/master/site/dist-tool-committers-stats.html > > To remove somebody we need a procedure for it. Great. I'm glad we already have the

Re: Supply Chain Attacks and Insider Threats

2025-02-09 Thread Fred Cooke
Excellent write up, Rusty, thank you. Peer review is always a good thing, period. It's surprising to me that anyone is allowed to push to any component directly without the opportunity to vet commit quality and other things that are hard to automate into the build. Even the very best sometimes make

Comments removed in consumer POM

2025-02-09 Thread Anders Hammar
Hi, Robert and I did a Maven 4 presentation at Jfokus here in Sweden earlier this week. One of the main topics was of course build/consumer POM. After the talk we were approached by a couple of people from the audience who raised concern about comments in the build POM being removed in the publish

Re: Supply Chain Attacks and Insider Threats

2025-02-09 Thread Slawomir Jaranowski
On Sun, 9 Feb 2025 at 13:34, Elliotte Rusty Harold wrote: > > On Sun, Feb 9, 2025 at 8:00 AM Slawomir Jaranowski > wrote: > > > We have a simple statistic > > https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-dist-tool/job/master/site/dist-tool-committers-stats.html > > > > To remove