Posted to issues@maven.apache.org by "Benjamin Bentmann (JIRA)" <ji...@codehaus.org> on 2010/12/31 14:16:07 UTC

[jira] Commented: (MNG-4716) Make the interpolated POM of a deployed artifact embedded too

    [ http://jira.codehaus.org/browse/MNG-4716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=250059#action_250059 ] 

Benjamin Bentmann commented on MNG-4716:
----------------------------------------

This is troublesome as the interpolated/effective POM can contain sensitive information like passwords embedded into SCM URLs or plugin configuration.

> Make the interpolated POM of a deployed artifact embedded too
> -------------------------------------------------------------
>
>                 Key: MNG-4716
>                 URL: http://jira.codehaus.org/browse/MNG-4716
>             Project: Maven 2 & 3
>          Issue Type: Improvement
>          Components: Deployment
>            Reporter: Tamás Cservenák
>             Fix For: Issues to be reviewed for 3.x
>
>
> Make the interpolated POM of a deployed artifact embedded too. Actually, the "original" POM embedded into the deployed JAR does not have much purpose; think about the following:
> * deploy the module's POM next to deployed artifact (just like happens now)
> * embed the _effective_ POM in effect in the moment of building the deployed JAR (instead of current "plain" uninterpolated POM). Or just next to it.
> Reasoning: the interpolated POM embedded is not for "downstream consumers" like Maven clients (builds consuming this artifact as dependency), it is about "how this build was built" and _should be frozen_, just like the deployed JAR is (eternal, not changing, just potentially being deleted in case of snapshots).
> I'd like to have an interpolated POM of a _deployed_ artifact that would describe me _how this artifact was built_.
> If we do not store the interpolated POM along with the built artifact, we effectively lose the state of the Maven project doing the build. Moreover, while the _repeated_ calculation of the effective POM for a deployed artifact _is_ possible, for snapshot repositories that have continuous deploys, there will be a moment when a _calculated effective POM_ (using the repository artifacts) and the state of a given snapshot may fall completely out-of-sync (the way the JAR was built will not correspond to the effective POM you are able to calculate for it). This is true not only for snapshot repositories, but also for "wrongly managed" release repositories, and also, think about staging too.
> So, ultimately, the POM is "changing", yes, but only when it is consumed by a client (like a Maven build referencing it as a dependency). But during deploy, it is assembled in a way that is actually eternal, frozen, and the JAR will stay like that after being deployed (JARs in a Maven repo do NOT change, hence its effective POM should not change either), since all its parent POMs, deps, plugins are deployed, are not "moving targets" anymore, at least from the aspect of that one JAR being deployed.
> In short: not having the effective POM for deployed artifacts makes you recalculate the effective POM, but the result and the effective POM of the build that did the deploy (somewhere in the past) may very well be different.
> Again, this is only to "persist the build state" of an artifact, and should not interfere with any of the existing ways Maven uses artifact-version.pom in repositories. It is only about embedding the "how this jar was done" at the exact moment when the deploy (hence the build) happened.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
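
A check for the concern raised in the comment above, as an added example that is not part of the original message or of Maven: it walks an effective POM and reports elements that carry a password inside a URL (as in SCM URLs) or whose name suggests a secret (as in plugin configuration). The sample POM, the plugin name `hypothetical-upload-plugin`, the element-name pattern and all values are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed effective-POM fragment; hosts, plugin and values are made up.
SAMPLE_EFFECTIVE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <scm>
    <connection>scm:svn:https://builder:EXAMPLE-ONLY@svn.example.invalid/repo/trunk</connection>
    <url>https://svn.example.invalid/repo/trunk</url>
  </scm>
  <build><plugins><plugin>
    <artifactId>hypothetical-upload-plugin</artifactId>
    <configuration>
      <serverId>releases</serverId>
      <password>EXAMPLE-ONLY</password>
      <passphrase>${gpg.passphrase}</passphrase>
    </configuration>
  </plugin></plugins></build>
</project>"""

# Assumed heuristic for element names that usually hold credentials.
SECRET_NAME = re.compile(r"pass(word|phrase)|secret|token|privatekey", re.I)
# Finds the URL part inside values such as "scm:svn:https://user:pw@host/...".
URL_IN_TEXT = re.compile(r"[a-z][a-z0-9+.-]*://\S+", re.I)

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_secrets(pom_xml):
    """Return (element path, reason) pairs; the secret value is never echoed."""
    findings = []
    def walk(elem, path):
        path = f"{path}/{local(elem.tag)}"
        text = (elem.text or "").strip()
        # An unresolved ${...} placeholder carries no secret, so skip it.
        if text and not text.startswith("${") and SECRET_NAME.search(local(elem.tag)):
            findings.append((path, "secret-named element"))
        for match in URL_IN_TEXT.finditer(text):
            if urlsplit(match.group(0)).password:
                findings.append((path, "password in URL"))
        for child in elem:
            walk(child, path)
    walk(ET.fromstring(pom_xml), "")
    return findings
```
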