Posted to issues@maven.apache.org by "James Grinter (Jira)" <ji...@apache.org> on 2021/02/12 00:18:00 UTC

[jira] [Commented] (MNG-6763) Restrict repositories to specific groupIds

    [ https://issues.apache.org/jira/browse/MNG-6763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283439#comment-17283439 ] 

James Grinter commented on MNG-6763:
------------------------------------

Furthermore, Gradle’s configuration lets you say to *never* retrieve specified GroupIds from a given repo. Which means it can prevent a private package ever being retrieved from a central repo.

With the recent wide demonstration and publicity of real (not theoretical) weaknesses in build system configurations for this very problem (in other languages/ecosystems, this time), I’d like to be able to make sure it can’t ever happen to my organisation’s own Maven-based builds.

> Restrict repositories to specific groupIds
> ------------------------------------------
>
>                 Key: MNG-6763
>                 URL: https://issues.apache.org/jira/browse/MNG-6763
>             Project: Maven
>          Issue Type: New Feature
>            Reporter: dennis lucero
>            Priority: Major
>              Labels: intern
>
> It should be possible to restrict the repositories specified in settings.xml to specific groupIds. Looking at [https://maven.apache.org/ref/3.6.2/maven-settings/settings.html#class_repository], it seems this is currently not the case.
> Background: We use Nexus to host our own artifacts. The settings.xml contains our Nexus repository with <updatePolicy>always</updatePolicy> because sometimes a project is built while a dependency is not yet in our Nexus repo – without updatePolicy, it would take 24 hours or manual deletion of metadata to make Maven re-check for the missing dependency.
> Additionally, we use versions-maven-plugin:2.7:display-dependency-updates in our build process.
> This results in lots of queries (more than 300 in a simple Dropwizard project) to our repo which will never succeed. If we could specify that our repo only supplies groupIds beginning with org.example, Maven could skip update checks for groupIds starting with com.fasterxml.jackson and so on, speeding up the build process.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
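
Added example (not part of the original message or of Maven): an after-the-fact audit that checks which repository each artifact in a local Maven repository was resolved from, against both rules discussed above: a repository that may supply only certain groupIds (the MNG-6763 request) and a repository that must never supply them (the Gradle-style exclusion). It assumes the `filename>repoId=` line layout of the `_remote.repositories` tracking files, which is an internal format that can change; the repository ids, the policy and the sample data are constructed.

```python
# Added example: audit artifact origins against a per-repository groupId policy.
from pathlib import PurePosixPath

# Hypothetical policy. "only": the repo may supply just these groupId prefixes
# (the restriction requested in MNG-6763). "never": the repo must not supply
# them (the Gradle-style exclusion mentioned in the comment).
POLICY = {
    "nexus-internal": {"only": ["org.example"]},
    "central": {"never": ["org.example"]},
}

def matches(group_id, prefix):
    # Compare whole dotted segments so "org.examplefoo" is not taken for "org.example".
    return group_id == prefix or group_id.startswith(prefix + ".")

def parse_tracking(text):
    """Yield (filename, repo_id) from the body of a _remote.repositories file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ">" not in line:
            continue
        name, _, rest = line.partition(">")
        yield name, rest.split("=", 1)[0]  # empty repo_id: installed locally

def group_id_of(version_dir):
    """groupId from a local-repo path: drop the artifactId and version parts."""
    return ".".join(PurePosixPath(version_dir).parts[:-2])

def violations(entries, policy=POLICY):
    """entries: iterable of (version_dir, tracking_text). Returns findings."""
    found = []
    for version_dir, text in entries:
        gid = group_id_of(version_dir)
        for name, repo in parse_tracking(text):
            rule = policy.get(repo, {})
            only, never = rule.get("only"), rule.get("never", [])
            if only is not None and not any(matches(gid, p) for p in only):
                found.append((gid, name, repo, "outside repo allow-list"))
            if any(matches(gid, p) for p in never):
                found.append((gid, name, repo, "groupId barred from repo"))
    return found

# Constructed sample: one internal artifact was resolved from central.
SAMPLE = [
    ("org/example/billing/1.4.0", "#constructed\nbilling-1.4.0.jar>nexus-internal=\n"),
    ("org/example/auth/9.9.9", "auth-9.9.9.jar>central=\nauth-9.9.9.pom>central=\n"),
    ("com/fasterxml/jackson/core/jackson-core/2.12.1", "jackson-core-2.12.1.jar>central=\n"),
]

if __name__ == "__main__":
    for finding in violations(SAMPLE):
        print(finding)
```

A finding of "groupId barred from repo" for an internal prefix is the case the comment wants to rule out: an artifact under the organisation's own groupId that was served by a public repository.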