On Apr 23, 2012, at 9:23 PM, Andrew Hughes wrote:

>   2. Nexus will allow you to proxy/mirror a lot more than one repository,
>   it will also allow you to place rules on repositories and additional
>   configuration.

This is worth noting in a large / paranoid corporate environment from a couple 
of different perspectives:  

a) Without rules in place, it's possible to see what artifacts are being used 
throughout the company just by looking at the downloaded artifacts.  (The 
results may surprise you!)

b) With rules in place, it's easy to do things like keep new artifacts that 
are not approved from being used.  Developers can't be stopped from 
downloading artifacts from around the interwebs, but if they can't add them to 
the repository you control, they will break the build by changing POMs to 
reference them.

For the ultra-paranoid, putting the POMs under 24x7 change control keeps any 
changes to the repositories from being checked in.  I did this on a job at a 
big phone company last year.

Alternatively, Maven has a unique HTTP User-Agent, and it would be easy for 
corporate security to configure firewalls to reject any outside access to the 
Maven UA except via Nexus.  This would allow the POMs to remain unlocked, but 
any references to new repositories from the corporate LAN would be rejected 
(regardless of the source of the project or whether the POM was under change 
control).  Again, it's not that you are trying to stop one person from changing 
their UA, but stop the majority of people from accidentally downloading malware 
from a rogue repo after they check out tainted source.

It's hard to know what "other concerns" the original poster had, but maybe this 
provides some ideas if it is about security.

HTH, B
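The two controls the message sketches, locked-down POMs that may only reference the repository you control and a firewall rule keyed on Maven's User-Agent, can both be expressed as checks. The script below is an added example and is not part of the original message, nor code from Maven or Nexus. It assumes a corporate Nexus at nexus.corp.example, a simplified proxy log line layout (timestamp, client IP, method, URL, quoted User-Agent), and that Maven identifies itself with a User-Agent beginning "Apache-Maven/"; the sample POM and log lines are constructed for the example.

```python
"""Two checks suggested by the message above: an allow-list over the
repository URLs a POM declares, and a pass over outbound proxy log lines for
Maven clients that reach outside hosts directly instead of through Nexus.
Assumptions (not from the message): the Nexus host, the proxy log layout
in SAMPLE_PROXY_LOG, and the "Apache-Maven/" User-Agent prefix."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumed corporate Nexus host; any other host counts as an outside repo.
APPROVED_HOSTS = {"nexus.corp.example"}

# Maven sends "Apache-Maven/<version> (Java <ver>; <os>)". Anyone can change
# it, so, as the message says, this catches accidents, not determined users.
MAVEN_UA_PREFIX = "Apache-Maven/"

# POM elements that carry a repository <url> (incl. distributionManagement).
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}

def _local(tag):  # strip the POM namespace so bare POMs work too
    return tag.rsplit("}", 1)[-1]

def _host(url):  # lower-cased host; '' when there is none (e.g. ${prop})
    return (urlsplit(url).hostname or "").lower()

def unapproved_repositories(pom_xml, approved_hosts=APPROVED_HOSTS):
    """Return (element, id, url) for each repository declaration in the POM
    whose host is not approved. An unresolved placeholder such as
    ${deploy.url} has no host and is flagged too: the check fails closed."""
    root = ET.fromstring(pom_xml)
    findings = []
    for el in root.iter():
        if _local(el.tag) not in REPO_TAGS:
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        url = fields.get("url", "")
        if _host(url) not in approved_hosts:
            findings.append((_local(el.tag), fields.get("id", ""), url))
    return findings

# Assumed proxy line layout: <timestamp> <client-ip> <method> <url> "<ua>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

def maven_bypass_events(log_lines, approved_hosts=APPROVED_HOSTS):
    """Return (client-ip, host, user-agent) for each request carrying Maven's
    User-Agent to a host other than Nexus: the log-side view of the firewall
    rule in the message. Lines that do not parse are skipped."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m is None or not m["ua"].startswith(MAVEN_UA_PREFIX):
            continue
        host = _host(m["url"])
        if host not in approved_hosts:
            events.append((m["client"], host, m["ua"]))
    return events

# Constructed sample POM: an approved repository, an outside repository,
# and a deployment URL left as an unresolved property.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>app</artifactId>
  <repositories>
    <repository>
      <id>corp-nexus</id>
      <url>https://nexus.corp.example/content/groups/public</url>
    </repository>
    <repository>
      <id>third-party</id>
      <url>http://repo.example.org/maven2</url>
    </repository>
  </repositories>
  <distributionManagement>
    <snapshotRepository>
      <id>snapshots</id>
      <url>${deploy.url}</url>
    </snapshotRepository>
  </distributionManagement>
</project>
"""

# Constructed sample proxy lines: a fetch through Nexus, a direct fetch from
# Maven Central, a browser request, and a malformed line.
SAMPLE_PROXY_LOG = [
    '2012-04-24T09:15:02 10.1.2.3 GET https://nexus.corp.example/content/groups/public/junit/junit/4.10/junit-4.10.jar "Apache-Maven/3.0.4 (Java 1.6.0_31; Linux 3.2.0)"',
    '2012-04-24T09:15:07 10.1.2.3 GET http://repo1.maven.org/maven2/org/example/lib/1.0/lib-1.0.pom "Apache-Maven/3.0.4 (Java 1.6.0_31; Linux 3.2.0)"',
    '2012-04-24T09:16:11 10.1.2.9 GET https://example.org/ "Mozilla/5.0 (X11; Linux x86_64)"',
    'not a proxy log line',
]

if __name__ == "__main__":
    for finding in unapproved_repositories(SAMPLE_POM):
        print("POM references an outside repository:", finding)
    for event in maven_bypass_events(SAMPLE_PROXY_LOG):
        print("Maven client bypassed Nexus:", event)
```

The POM check is the kind of thing to run as a pre-commit or CI gate so a changed POM fails before the build does; the log check is the detection that backs the firewall rule, and, as the message notes, a user who rewrites the User-Agent walks straight past it, which is why the allow-list on the repository side is the control that actually holds.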