[ https://issues.apache.org/jira/browse/MDEPLOY-118?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17725368#comment-17725368 ]
ASF GitHub Bot commented on MDEPLOY-118:
----------------------------------------
KemalSoysal commented on PR #28:
URL: https://github.com/apache/maven-deploy-plugin/pull/28#issuecomment-1559092588
> Not sure what CVEs have to do with anything. We absolutely do **NOT** want
> to address CVEs with the same pom.xml. A fix for a CVE should and MUST have a
> new version so it can be clearly distinguished which version is in use and
> whether it's vulnerable or not.
Well, how do you want to mark a CVE in the original problematic coordinate?
> Enable deployment of attached release artifacts if POM is identical
> -------------------------------------------------------------------
>
> Key: MDEPLOY-118
> URL: https://issues.apache.org/jira/browse/MDEPLOY-118
> Project: Maven Deploy Plugin
> Issue Type: Improvement
> Affects Versions: 2.4
> Environment: Windows XP SP3
> Reporter: Bruno Freudensprung
> Priority: Major
> Labels: contributers-welcome
>
> In the context of the build of a native application, one might have
> zip-artifacts containing several DLL or so files like:
> boost:boost_regex:1.34.1:zip
> In order to distinguish between platforms, it seems to be recommended to use
> the classifier:
> boost:boost_regex:1.34.1:zip:bin-x86-windows-vc8
> or:
> boost:boost_regex:1.34.1:zip:bin-x86-linux2.6-gcc3.3
> If a Maven repository manager is configured to prevent re-deploying
> release artifacts (and I believe it should be), it is not possible to deploy
> attached artifacts when the POM is the same because the POM is deployed
> twice. The deploy plugin could check that the POM is already deployed and is
> the same as the local one (modulo platform-dependent line-break concerns,
> and that's important!), then choose not to deploy it but only the attached
> artifact.
> In the example above, it could enable deploying the
> boost:boost_regex:1.34.1:zip:bin-x86-windows-vc8 artifact from a Windows
> machine (coming along with a boost:boost_regex:1.34.1:pom artifact), then
> deploying the boost:boost_regex:1.34.1:zip:bin-x86-linux2.6-gcc3.3 artifact from
> a Linux machine (coming along with the same boost:boost_regex:1.34.1:pom
> artifact, that will not be deployed since it is identical to the first one
> deployed).
> Maybe this could be generalized to any kind of artifact? If the artifact to
> deploy is the same, the plugin should not fail and simply skip the deployment
> of that artifact?
> I post that bug here on a suggestion of Brett Porter (see the MRM-1357 bug)
> since it is quite unclear to me whether it is a MRM or deploy plugin concern.
> That bug might also be related to:
> - MDEPLOY-117
> - MDEPLOY-114
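The check proposed in the issue description (skip the POM upload when the already-deployed POM equals the local one modulo line breaks), sketched as an added example; it is not code from the Maven Deploy Plugin or from this thread. The function names, the REJECT outcome for a differing POM, and the sample POM bytes are assumptions made for illustration.

```python
import hashlib
from enum import Enum
from typing import Optional


class PomAction(Enum):
    DEPLOY = "deploy"   # no POM exists at this release coordinate yet
    SKIP = "skip"       # identical POM already deployed: upload only the attached artifact
    REJECT = "reject"   # a different POM exists: a release coordinate must not change


def normalized_digest(pom_bytes: bytes) -> str:
    """SHA-256 of the POM with CRLF and lone CR folded to LF.

    Only line breaks are normalized, so any other byte difference
    (including other whitespace) still counts as a changed POM.
    """
    unified = pom_bytes.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return hashlib.sha256(unified).hexdigest()


def decide_pom_action(local_pom: bytes, remote_pom: Optional[bytes]) -> PomAction:
    """Decide what to do with the POM; remote_pom is None when nothing is deployed."""
    if remote_pom is None:
        return PomAction.DEPLOY
    if normalized_digest(local_pom) == normalized_digest(remote_pom):
        return PomAction.SKIP
    return PomAction.REJECT


# Constructed sample data: the same POM as written on Linux (LF) and on
# Windows (CRLF), plus a copy whose content was edited.
POM_LF = (
    b"<project>\n"
    b"  <groupId>boost</groupId>\n"
    b"  <artifactId>boost_regex</artifactId>\n"
    b"  <version>1.34.1</version>\n"
    b"</project>\n"
)
POM_CRLF = POM_LF.replace(b"\n", b"\r\n")
POM_EDITED = POM_LF.replace(
    b"</artifactId>\n", b"</artifactId>\n  <description>edited</description>\n"
)

if __name__ == "__main__":
    print("first deploy (Windows):", decide_pom_action(POM_CRLF, None).value)
    print("second deploy (Linux): ", decide_pom_action(POM_LF, POM_CRLF).value)
    print("edited POM, same GAV:  ", decide_pom_action(POM_EDITED, POM_CRLF).value)
```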