[jira] [Commented] (INFRA-4522) Nexus should check that pom metatdata agrees with the pom in the associated jar

["Sebb (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/INFRA-4522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14255765#comment-14255765 ] 

Sebb commented on INFRA-4522:
-----------------------------

FTR: the Nexus issue has been resolved as Won't Fix

> Nexus should check that pom metatdata agrees with the pom in the associated jar
> -------------------------------------------------------------------------------
>
>                 Key: INFRA-4522
>                 URL: https://issues.apache.org/jira/browse/INFRA-4522
>             Project: Infrastructure
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Nexus
>            Reporter: Sebb
>            Assignee: Brian Demers
>             Fix For: Initial Clearing
>
>
> Where a pom describes a jar that contains a pom, Nexus should check that the metadata agrees.
> This would have prevented some projects from releasing renamed jars using incorrect Maven metadata.
> For example, the external metadata:
> <dependency>
>   <groupId>org.apache.solr</groupId>
>   <artifactId>solr-commons-csv</artifactId>
>   <version>3.5.0</version>
> </dependency>
> actually refers to 
>   <groupId>org.apache.commons</groupId>
>   <artifactId>commons-csv</artifactId>
>   <version>1.0-SNAPSHOT</version>
>  
> Ideally, there should also be some check of the package names for jars that don't have embedded POMs, as for example:
> <dependency>
>   <groupId>org.apache.solr</groupId>
>   <artifactId>solr-carrot2-core</artifactId>
>   <version>3.5.0</version>
> </dependency>
> which uses the org.carrot2 package name space - which is unlikely to be an ASF package name.
> However, this is tricky to do accurately, so should probably only generate a warning.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)