You are viewing a plain text version of this content. The canonical link for it is here.
Posted to infrastructure-issues@apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2014/12/22 15:11:13 UTC
[jira] [Commented] (INFRA-4522) Nexus should check that pom
metatdata agrees with the pom in the associated jar
[ https://issues.apache.org/jira/browse/INFRA-4522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14255765#comment-14255765 ]
Sebb commented on INFRA-4522:
-----------------------------
FTR: the Nexus issue has been resolved as Won't Fix
> Nexus should check that pom metatdata agrees with the pom in the associated jar
> -------------------------------------------------------------------------------
>
> Key: INFRA-4522
> URL: https://issues.apache.org/jira/browse/INFRA-4522
> Project: Infrastructure
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Nexus
> Reporter: Sebb
> Assignee: Brian Demers
> Fix For: Initial Clearing
>
>
> Where a pom describes a jar that contains a pom, Nexus should check that the metadata agrees.
> This would have prevented some projects from releasing renamed jars using incorrect Maven metadata.
> For example, the external metadata:
> <dependency>
> <groupId>org.apache.solr</groupId>
> <artifactId>solr-commons-csv</artifactId>
> <version>3.5.0</version>
> </dependency>
> actually refers to
> <groupId>org.apache.commons</groupId>
> <artifactId>commons-csv</artifactId>
> <version>1.0-SNAPSHOT</version>
>
> Ideally, there should also be some check of the package names for jars that don't have embedded POMs, as for example:
> <dependency>
> <groupId>org.apache.solr</groupId>
> <artifactId>solr-carrot2-core</artifactId>
> <version>3.5.0</version>
> </dependency>
> which uses the org.carrot2 package name space - which is unlikely to be an ASF package name.
> However, this is tricky to do accurately, so should probably only generate a warning.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)