Posted to dev@maven.apache.org by Peter Hansson <pe...@yahoo.com.INVALID> on 2016/06/08 22:01:54 UTC

Maven Server matching

Hello
I've been looking at improving the way certain plugins (scm, release, etc) look up credentials from a <server> in settings.xml in order to find the credentials to use for a given endpoint.
The current method - largely undocumented - is that the hostname from the endpoint's URL must match the server id from settings.xml. There's optional support for port number as well in the case where e.g. multiple SCMs are running on the same endpoint. The actual code to do the matching between the server-id and the URL is scattered - and worse - replicated in several projects. For example it exists in the scm plugin but also in the release plugin.
There are a number of use cases that are currently unsupported:
1. Running several *different* flavours of SCMs on the same host. Say you have a host called "repohost" which is both an SVN and a Git host. Ok, not very likely, but alas not something possible today.
2. Using different credentials *within* the same SCM endpoint. Now this is much worse. Just think of sites like GitHub and Bitbucket. It is certainly not uncommon for the same developer to have several identities on those sites.

There are probably more cases out there that won't work today.
I was about to contribute some code that could fix the problem by allowing to match to a server-id on many more elements of the URL than just hostname and port but would require changes to all SCM providers as they would have to implement at least one new method. 

However, it now dawns on me that by far the best solution would be to allow a new optional element in the <scm> section of the POM, namely <serverId>. If present this will then be used to match a server-id from settings.xml. If not present the existing matching method (based on hostname and optionally the port) would prevail. This would be a much cleaner approach than allowing to match on elements of the URL ... and also a lot easier to explain to the Maven user. I can see from source code comments that certainly this thought has existed in the mind of some developer years ago but for some reason never carried out.
Any comments on this? Would you support the idea of a new optional element, <serverId>, within the <scm> section?

Cheers
Peter


Re: Maven Server matching

Posted by Peter Hansson <pe...@yahoo.com.INVALID>.
I understand the issue in MNG-5265 as it relates to Maven repos but don't see how it relates to <scm>. Foreign <scm> sections don't just pop into your POM by accident. <scm> sections cannot be inherited from dependency resolution as is the case with Maven repos. Have I misunderstood?

Peter 


Re: Maven Server matching

Posted by Robert Scholte <rf...@apache.org>.
Hi Peter,

there are several issues related to this, just filter in JIRA on the  
component Settings[1]
One of the issues I like is MNG-5265[1] which explains that id is not  
secure enough, a simple typo might lead to leaking your credentials to the  
wrong party.
So the solution is probably not in the pom.xml; I expect it to be in the  
settings.xml

thanks,
Robert

[1] https://issues.apache.org/jira/browse/MNG-5265?jql=project%20%3D%20MNG%20AND%20component%20%3D%20Settings%20AND%20status%20%3D%20Open%20ORDER%20BY%20priority%20DESC
[2] https://issues.apache.org/jira/browse/MNG-5265



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


Re: Maven Server matching

Posted by Robert Scholte <rf...@apache.org>.
Hmmm, and fixed by me a long time ago :|
The question didn't ring a bell, but the answer seems to be at the right  
place, the FAQ :)
Be aware that this is a maven-release-plugin specific fix, other related  
plugins need to fix this by themselves since the scm section in the pom is  
missing the id-element.

Robert


On Sun, 26 Jun 2016 22:00:14 +0200, Peter Hansson  
<pe...@yahoo.com.invalid> wrote:

> I can't believe no one has pointed me to the 'project.scm.id' feature  
> which was introduced with maven-release-plugin v2.3. This is exactly  
> what I wanted.
> See :
> https://issues.apache.org/jira/browse/SCM-826?focusedCommentId=15350211&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15350211
>
>
> I do not find this feature particularly well-documented. The only place  
> I could find it documented was here :  
> http://maven.apache.org/maven-release/maven-release-plugin/faq.html#credentials  
> and that actually didn't ring any bells with me. Perhaps my fault.
>
>
> Kind regards
> Peter


Re: Maven Server matching

Posted by Karl Heinz Marbaise <kh...@gmx.de>.
Hi Peter,

On 6/26/16 10:00 PM, Peter Hansson wrote:
> I can't believe no one has pointed me to the 'project.scm.id' feature which was
> introduced with maven-release-plugin v2.3.
> This is exactly what I wanted.
> See :
> https://issues.apache.org/jira/browse/SCM-826?focusedCommentId=15350211&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15350211
>
> I do not find this feature particularly well-documented.

For that I have opened https://issues.apache.org/jira/browse/MRELEASE-957

Maybe you can make a suggestion where it should be located and what
should be part of it from a more user point of view...



> The only place I could find it documented was here :
> http://maven.apache.org/maven-release/maven-release-plugin/faq.html#credentials
> and that actually didn't ring any bells with me. Perhaps my fault.

Kind regards
Karl Heinz Marbaise




Re: Maven Server matching

Posted by Peter Hansson <pe...@yahoo.com.INVALID>.
I can't believe no one has pointed me to the 'project.scm.id' feature which was introduced with maven-release-plugin v2.3. This is exactly what I wanted.
See :
https://issues.apache.org/jira/browse/SCM-826?focusedCommentId=15350211&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15350211


I do not find this feature particularly well-documented. The only place I could find it documented was here : http://maven.apache.org/maven-release/maven-release-plugin/faq.html#credentials and that actually didn't ring any bells with me. Perhaps my fault.


Kind regards
Peter
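
Added example, not part of the original thread: a small Python model of the two lookup rules discussed here, the host-based match (host, or host:port) and an explicit id taken from the `project.scm.id` property. The POM and settings.xml snippets are constructed, the function names are hypothetical, and the matching order is an assumption drawn from the descriptions in this thread, not Maven's own code.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed inputs. Real POM/settings files declare an XML namespace,
# omitted here to keep the lookups short. Passwords are placeholders.
POM_WITH_ID = """<project>
  <properties>
    <project.scm.id>bitbucket-ambiance</project.scm.id>
  </properties>
  <scm>
    <developerConnection>scm:hg:https://bitbucket.org/greatness/ambiance</developerConnection>
  </scm>
</project>"""
POM_WITHOUT_ID = POM_WITH_ID.replace(
    "<project.scm.id>bitbucket-ambiance</project.scm.id>", "")
SETTINGS = """<settings><servers>
  <server><id>bitbucket.org</id><username>personal</username>
          <password>PLACEHOLDER-1</password></server>
  <server><id>bitbucket-ambiance</id><username>john</username>
          <password>PLACEHOLDER-2</password></server>
</servers></settings>"""


def host_key(scm_url):
    """Server id the host-based rule looks for: host, or host:port."""
    # "scm:<provider>:<url>" -> "<url>"
    parts = urlsplit(scm_url.split(":", 2)[2])
    return f"{parts.hostname}:{parts.port}" if parts.port else parts.hostname


def resolve_server(pom_xml, settings_xml):
    """Return (rule, server_id, username), or None if no <server> matches."""
    pom = ET.fromstring(pom_xml)
    servers = {s.findtext("id"): s.findtext("username")
               for s in ET.fromstring(settings_xml).iter("server")}
    # Assumed order: an explicit id, when present, is the only key tried;
    # otherwise the key is derived from the connection URL.
    explicit = next((p.text.strip() for p in pom.iter("project.scm.id")), None)
    if explicit:
        rule, key = "project.scm.id", explicit
    else:
        rule, key = "host", host_key(pom.findtext("scm/developerConnection"))
    return (rule, key, servers[key]) if key in servers else None


if __name__ == "__main__":
    print(resolve_server(POM_WITH_ID, SETTINGS))     # second identity on the same host
    print(resolve_server(POM_WITHOUT_ID, SETTINGS))  # host-based fallback
```

With the explicit id, two identities on the same host resolve to different `<server>` entries; without it, every repository on `bitbucket.org` shares the one entry whose id equals the hostname.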


Re: Maven Server matching

Posted by Peter Hansson <pe...@yahoo.com.INVALID>.
Ok, so adding <serverId> to <scm> section in POM would be an acceptable path to a solution?

Consider the following:
<scm>
        <connection>scm:hg:https://bitbucket.org/greatness/ambiance</connection>
        <developerConnection>scm:hg:https://bitbucket.org/greatness/ambiance</developerConnection>
        <url>https://bitbucket.org/greatness/ambiance</url>

        <!-- optional -->
        <serverId>bitbucket-ambiance</serverId>
</scm>
and then in settings.xml you would have
<servers>
    <server>
        <id>bitbucket-ambiance</id>
        <username>john</username>
        <password>67yhswpc</password>
    </server>
</servers>
I find this to be the least intrusive solution and also the safest and most intuitive. If <serverId> isn't specified you would simply get today's functionality.

Peter 


Re: Maven Server matching

Posted by Andreas Sewe <se...@st.informatik.tu-darmstadt.de>.
Hi,

> 1. Running several *different* flavours of SCMs on the same host. Say you have a host called "repohost" which is both an SVN and a Git host. Ok, not very likely, but alas not something possible today.

FYI, Github does just that. In particular, they support "git clone" and
"svn checkout" under the same *URI*
(<https://github.com/$USER/$REPO.git>), not just the same host.

Best wishes,

Andreas
