Re: enforcer-rules: standard vs. extra-enforcer-rules

2014-05-29 Thread Wang YunFeng
Hi, Karl,

A real case that happened in our company is:
There are a bunch of repositories in use. For a specific application, we need to
limit a specific set of repositories.

Those invalid repositories could be defined anywhere,
like settings.xml, the application's pom files or even in a dependency's pom
files.

So the point is: this rule will ban repositories at the maven session level,
instead of only the application pom and its parent.
I have also attached some comments below from Paul.

I created a demo project to show how to use this rule:
1. Clone https://github.com/wangyf2010/maven-enforcer and run "mvn clean install -DskipTests" on it.
2. Clone
https://github.com/wangyf2010/maven-shared/tree/banned-repos/maven-dependency-analyzer
3. Run "mvn enforcer:enforce" for "maven-dependency-analyzer".

Of course, you can try to add banned repositories into settings.xml as well.

Regards
Simon


I think banning repositories is a great idea. The example given may not be
too useful -- the system architects should just turn off access to the repo
they don't want anyone to access -- but I more than once wanted to stop
some live repos (out of my control) from being accessed. +1.


Cheers,
Paul


2014-05-30 2:36 GMT+08:00 Karl Heinz Marbaise:

> Hi Simon,
>
>
> after diving into this a little bit more...
>
> Can you give a real example of the use case for your rule, cause if you
> are in an enterprise environment you should already use a repository
> manager which means only having a mirror entry in your settings.xml
> (usually looks like this here:
> http://books.sonatype.com/nexus-book/reference/maven-sect-single-group.html)
>  no repositories in your pom's (which can be checked by the
> requireNoRepositories rule).
>
> Apart from that I have tried your rule, but unfortunately it does not
> identify repositories defined in the pom file (ok that was not the
> intention) nor does it realize that I have defined supplemental
> repositories in my settings.xml file.
>
> Maybe you can give a full example in which cases it will help...or maybe
> I am mistaken about things here...
>
> Kind regards
> Karl-Heinz Marbaise
>
>
> On 5/29/14 4:24 PM, Wang, Simon wrote:
>
>> Hi, Robert,
>>
>> Karl asked the same question; please refer to the mail below about this question.
>> Hope that helps.
>>
>> Regards
>> Simon
>> 
>> Hi, Karl,
>>
>> Thanks for your comments.
>>
>> I did dig into requireNoRepositories.html; the purpose of that rule is to
>> detect whether the pom and the pom’s parents contain repository definitions.
>> That makes sense to guide users to use the correct convention (not defining
>> repositories in pom files).
>>
>> But “BannedRepositories” has a different purpose; it’s just like
>> “BannedDependencies”.
>> This rule is mainly for those “maven repository migration” cases.
>> Some users used to have old repositories; those repositories might be
>> defined in pom.xml or settings.xml.
>> This rule could benefit these cases a lot.
>> It will detect banned repositories from the maven session context instead of
>> only pom.xml and parents.
>>
>> After all, requireNoRepositories.html is trying to help users follow the
>> correct maven convention,
>> but “BannedRepositories” is trying to avoid misuse of incorrect
>> repositories, especially in an enterprise environment.
>>
>> Regards
>> Simon
>>
>> 
>> Hi Simon,
>>
>>
>> I have taken a look into your suggestions and I have a couple of thoughts
>> about it ...
>>
>> First there exists already a rule to avoid repositories
>> (http://maven.apache.org/enforcer/enforcer-rules/requireNoRepositories.html)
>> which can be used and it has an option
>> to allow particular repositories by using a white-list of allowed
>> repositories based on the repository id.
>>
>> like this:
>>
>> 
>>   
>> codehausSnapshots
>>   
>>   ...
>> 
>>
>>
>> So the question is why add a completely new rule instead of enhancing
>> the existing one with your idea of using the url as identification for the
>> repository, which I think is a really good idea...so users are not able to
>> forge the repository they use by using a different id; only the url is used
>> to identify the allowed repositories.
>>
>>
>> Kind regards
>> Karl-Heinz Marbaise
>>
>> On May 29, 2014, at 10:15 PM, Robert Scholte wrote:
>>
>>> http://maven.apache.org/enforcer/enforcer-rules/requireNoRepositories.html
>>> seems to cover this, right?
>>>
>>> Robert
>>>
>>> On Wed, 28 May 2014 22:19:07 +0200, Mirko Friedenhagen
>>> <mfriedenha...@gmail.com> wrote:
>>>
>>>> Hello everybody,
>>>>
>>>> there is an outstanding MENFORCER-193[0] request for a new standard
>>>> rule, which will allow banning repositories. What is your opinion about
>>>> adding new standard rules in enforcer vs. adding to Mojo's
>>>> extra-enforcer-rules?
>>>>
>>>> Regards Mirko
>>>> [0] https://jira.codehaus.org/browse/MENFORCER-193
>>>> --
>>>> http://illegalstateexception.blogspot.com/
>>>> https://github.com/mfriedenhagen/ (http://osrc.dfm.io/mfriedenhagen)
>>>> https://bitbucket.org/mfriedenhagen/
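
The difference discussed in this thread between identifying a repository by its id and by its URL, as an added example (not code from the enforcer project or from any poster): the script collects repository declarations from a settings.xml and a pom.xml and compares an id allow-list with a URL ban list. The file contents, hosts, ids and both policies are constructed, and the script reads only these two files, not the full Maven session the proposed rule inspects.

```python
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample files; hosts, ids and both policies are placeholders.
SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles><profile><id>legacy</id><repositories>
    <repository><id>central-mirror</id>
      <url>http://old-repo.example.com/content/groups/public/</url></repository>
  </repositories></profile></profiles></settings>"""
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0"><repositories>
    <repository><id>corp</id><url>https://repo.example.com/maven2</url></repository>
  </repositories>
  <pluginRepositories><pluginRepository><id>renamed</id>
    <url>HTTP://OLD-REPO.example.com/plugins</url></pluginRepository>
  </pluginRepositories></project>"""
BANNED_URL_PATTERNS = ["http://old-repo.example.com/*"]
ALLOWED_IDS = {"corp", "central-mirror"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def collect(xml_text, source):
    """Return (source, kind, id, url) for each repository declaration."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) in ("repository", "pluginRepository"):
            f = {local(c.tag): (c.text or "").strip() for c in elem}
            found.append((source, local(elem.tag), f.get("id", ""), f.get("url", "")))
    return found

def banned_by_url(repos, patterns):
    """Match on the URL (host lower-cased); the declared id is ignored."""
    hits = []
    for repo in repos:
        u = urlsplit(repo[3])
        url = "%s://%s%s" % (u.scheme, u.netloc.lower(), u.path)
        if any(fnmatch.fnmatchcase(url, p) for p in patterns):
            hits.append(repo)
    return hits

def rejected_by_id(repos, allowed_ids):
    """Id allow-list for contrast: it trusts whatever id the file declares."""
    return [r for r in repos if r[2] not in allowed_ids]

REPOS = collect(SETTINGS_XML, "settings.xml") + collect(POM_XML, "pom.xml")
if __name__ == "__main__":
    print("id check rejects: ", [r[2] for r in rejected_by_id(REPOS, ALLOWED_IDS)])
    print("url check rejects:", [r[2] for r in banned_by_url(REPOS, BANNED_URL_PATTERNS)])
```

The id check passes `central-mirror` because its id is on the allow-list, while the URL check flags both entries that point at the old host, whatever id they declare.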

 ---

[Maven Project Info Report Plugin]: Enhancements on Dependency Convergence Report

2014-05-19 Thread Wang YunFeng
Hi, Team,

I opened a pull request that enhances the dependency convergence report;
could anybody help review and merge it?

Pull request: https://github.com/apache/maven-plugins/pull/23
JIRA: http://jira.codehaus.org/browse/MPIR-295

Below is the detailed info:
Previously, the dependency convergence report had the problems below:
1. It only takes care of direct dependencies and does not include transitive
   dependencies in the analysis.
   In fact, more version conflicts happen in transitive dependencies.
2. It is only effective for reactor builds.
   Single maven projects also need version conflict analysis.
3. It shows all dependencies in the report, even good dependencies.
   That would confuse users.
4. Without a dependency hierarchy, it's hard for users to resolve version
   conflict issues.

To resolve the above problems, it has these enhancements:
1. Include transitive dependencies.
2. Effective for both reactor builds and single builds.
3. Only show version-conflicting dependencies & snapshot dependencies in the report.
4. Show a clear dependency hierarchy for version-conflicting dependencies.

Regards
Simon


Re: how to listen to local maven repo's changes?

2011-09-13 Thread Wang YunFeng
Thanks Igor, RepositoryListener is what I'm looking for!

*I'm trying to get the maven session from m2eclipse*, and then I could add my
own repo listener to the session,
but I haven't found the right API to get the maven session.
Do you have any suggestions?

*What I'm trying to do is:*
create an eclipse plugin to listen to the local repo's changes. I think it should
work with m2eclipse;
the new plugin should get m2eclipse's maven session and then add its own repo
listener to it.
Am I correct?

Regards
Simon

2011/9/14 Igor Fedorenko 

> Have a look at org.sonatype.aether.RepositoryListener, this is what we
> use in m2e to track changes to the local repository. This, of course,
> does not receive events from builds running concurrently in other vms,
> but I don't have a solution for that.
>
> --
> Regards,
> Igor
>
>
> On 11-09-13 8:46 PM, Wang YunFeng wrote:
>
>> Hi, All,
>>
>> I want to listen to changes of local maven repo.
>> Then I could invoke some customized script. My question is: is there any
>> hook for maven to listen to whether maven is downloading new artifacts from
>> remote repo?
>>
>> Regards
>> Simon
>>
>>


how to listen to local maven repo's changes?

2011-09-13 Thread Wang YunFeng
Hi, All,

I want to listen to changes of local maven repo.
Then I could invoke some customized script. My question is: is there any
hook for maven to listen to whether maven is downloading new artifacts from
remote repo?

Regards
Simon