maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wang, Simon" <>
Subject Re: [GitHub] maven-enforcer pull request: [MENFORCER-193]: Add new rule: Banned...
Date Mon, 02 Jun 2014 14:16:18 GMT
Thanks for your comments, Karl!

I added document for this rule, please review it.

About enhance the rule to detect repository entries in settings.xml/pom independent of mirrorOf
I think it’s out of scope for this rule, because this rule is trying to detect whether current
maven session contains banned repositories.
mirrorOf is part of maven settings, and the result is: all banned repositories are redirected
to correct one.

Then result is: current maven session hasn’t invalid repositories of course.

I’d prefer to note it in document, but hold enhancement to detect pom/settings.xml only
instead of maven session context.


On May 31, 2014, at 1:47 AM, Karl Heinz Marbaise <> wrote:

> Hi Simon,
> so after checking it i found the point...
> I have defined mirrorOf * as usual in case of using a repository my settings.xml
which looks like the following:
> <mirrors>
>  <mirror>
>    <id>nexus</id>
>    <mirrorOf>*</mirrorOf>
>    <url>http://.../nexus/..</url>
>  </mirror>
> </mirrors>
> So with the above i can add as much repository entries in my settings
> as well as in my pom.xml and the rule will NOT warning/break my build with it...except
if i explicitly exclude them in the mirrorOf via things like this:
> <mirrorOf>*,!WhatEver</mirrorOf>
> This brings me to two points:
> First:
> It would be nice if you could add an appropriate documentation (enforcer-rules/src/site/apt/)
which exactly describes the differences to the requireNoRepository rule and give a good examples
of the use cases which means not using mirrorOf as above etc.
> After this enhancement of the patch (? submission to large for patch) i would appreciate
to pick up your patch(?) and add it to extra-enforcer-rules (this will get a release faster
i think) or may be the default rules (after discussion on the dev list with the other dev's)
I don't know the exact procedure with such kind of submissions without paper....
> Apart from the above you might can check if it's possible to
> enhance the rule in that way to identify the repository entries in settings.xml/pom independent
of the mirrorOf settings (may be via an option).
> Kind regards
> Karl-Heinz Marbaise
> PS.: It's not necessary to quote the answers of the others here on the dev list to posts
cause obviously I'm subscribed on the dev list and I'm following the discussion.
> On 5/29/14 1:52 PM, Wang, Simon wrote:
>> Hi, Karl,
>> Thanks for your comments.
>> I did dig into requireNoRepositories.html, the purpose for that rule is:
>> detect whether pom and pom’s parents contains repositories definition.
>> That make sense to guide users to use correct convention (not define repositories
in pom files).
>> But “BannedRepositories” is different purpose, it’s just like “BannedDependencies”.
>> This rule is major for those “maven repository migration” case.
>> Some users used to have old repositories, those repositories might be defined in
pom.xml or settings.xml.
>> This rule could benefit on these cases a lot.
>> It will detect banned repositories from maven session context instead of only pom.xml
and parents.
>> After all, requireNoRepositories.html is trying to help users to follow correct maven
>> but “BannedRepositories” is trying to avoid misuse incorrect repositories. Especially
in enterprise environment.
>> Regards
>> Simon
>> On May 29, 2014, at 7:21 PM, Karl Heinz Marbaise <> wrote:
>>> Hi Simon,
>>> I have taken a look into your suggestions ....I have a couple of thoughts about
it ...
>>> First there exists already a rule to avoid repositories (
which can be used and is has an option
>>> to allow particular repositories by using a  white-list of allowed repository
based on the repository id.
>>> like this:
>>> <requireNoRepositories>
>>>  <allowedRepositories>
>>>    <allowedRepository>codehausSnapshots</allowedRepository>
>>>  </allowedRepositories>
>>>  ...
>>> </requireNoRepositories>
>>> So the question is why adding a complete new rule instead of enhancing the existing
by your idea using the url as identification for the repository which i think is a really
good users are not able to forge the repository they use by using a different id
only the url is used to identify the allowed repositories.
>>> Kind regards
>>> Karl-Heinz Marbaise
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail:
>>> For additional commands, e-mail:
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message