Hi all,

On 22.08.2025 10:52, Olivier Lamy wrote:
> So here’s an idea: what if projects could include
> documented/formalised metadata in their POMs that Maven core and/or
> plugins could use? Since we can’t change the POM structure itself, we
> could start with some standardised properties, for example:
>
> <properties>
>   <support.commercial.0>URL</support.commercial.0>
>   <support.eol.0>DATE</support.eol.0>
>   <support.security.0>DATE</support.security.0>
>   <support.commercial.1>URL</support.commercial.1>
>
>   <funding.url.0>URL</funding.url.0>
>   <funding.url.1>URL</funding.url.1>
> </properties>
>
> We could then imagine new goals such as:
> - dependency:fund
> - dependency:support

+1, I also believe it would be valuable to add information about a project's *sustainability* to the Maven POM schema. The motivation is not vanity or (unlikely) additional funding, but rather to help users assess and manage *risk*.

Currently, the POM already supports:

1. License compliance: still the biggest risk companies see in the OSS supply chain is being sued.
2. Vulnerability management: since the network of POMs effectively resolves to an SBOM.

Sustainability is another crucial dimension: it answers questions such as, “If a security issue is discovered in this library, will there be a maintainer available to fix it? Will support be available during business hours, or only sporadically on weekends?”

Because this information changes over time, it should not be hard-coded in the POM, but rather linked to a living document. As some of you may know, a standard for this is being developed within ECMA, led by CPAN maintainer Salve Nilsen. The creation of TC54 Task Group 4 was confirmed just last week.

While no official work has started yet (beyond early community efforts), resources are already available in the ECMA-TC54 GitHub organization:

1. TG4 repository [1]
2. Official goals of the group [2]
3. Initial draft of the standard [3]

Due to limited availability (no funding to follow all TC54 groups during working hours 😅), I won’t be able to actively participate in TG4. Volunteers are very welcome to get involved.

By the way, the group’s code name is Dugnag, which nicely matches the naming style of Maveniverse projects. 😉

Piotr

References:

[1] https://github.com/Ecma-TC54/tg4
[2] https://docs.google.com/document/d/1Dlfq1vp2xXDN1oeUPVGffMEtagUUH1CQ2jWOTg4H9UE
[3] https://docs.google.com/document/d/1IZnHEwzz1N7LbChVkZTE_dfo3I2np8rULssq5I2wchM