[ 
https://issues.apache.org/jira/browse/MPOM-468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17818080#comment-17818080
 ] 

Christopher Tubbs commented on MPOM-468:
----------------------------------------

[~michael-o], I'm using the 3.9.6, but I don't know what version was used by 
the release manager who prepared our last release candidate, where I noticed 
the issue. It was my understanding that Nexus created the .md5 and .sha1 files, 
though, not Maven. Perhaps I'm wrong? I really don't know what part creates 
that, because they don't seem to be created when I do `mvn verify` or even `mvn 
install`, so I can't really reproduce except by doing another `deploy`.

Re your general question: it's my understanding that it was added because some 
people had a desire to have Maven generate their SHA512 that was required for 
the SVN/dist area. For projects I'm on, we have no audience for this file 
whatsoever, at least not the one the Mavem build is producing.

I agree with you about how it should be presented in the dist area.

Regarding "Why does it need to be on Central at all?". That's kind of a red 
herring, because even if you intend to delete the source-release artifact, and 
not put it in Maven Central, the generation of these extra checksum files is 
still an added inconvenience. For the purposes of this issue, I think it's fine 
to just accept that there may be some use cases to have source-release 
artifacts in Maven Central, and other use cases where it doesn't make sense. 
It's not really important for this issue, though.

I think [~cstamas] has a really good point. Using this plugin isn't needed at 
all, since Maven 3.9 has the ability to produce sha512 files built-in. So, 
that's another reason to remove it... perhaps even more important than any of 
the reasons I listed.

> Remove or provide option to disable checksum-maven-plugin
> ---------------------------------------------------------
>
>                 Key: MPOM-468
>                 URL: https://issues.apache.org/jira/browse/MPOM-468
>             Project: Maven POMs
>          Issue Type: Bug
>          Components: asf
>    Affects Versions: ASF-31
>            Reporter: Christopher Tubbs
>            Priority: Critical
>
> Currently, the net.nicoulaj.maven.plugins:checksum-maven-plugin is used to 
> generate .sha512 files for the source-release classifier artifact in the 
> apache-release profile.
> There are many problems with this plugin that justify removing it or making 
> it easier to disable:
> 1. Not everybody wants this. It is intended to help construct SHA512 files in 
> the Nexus staging repository, so people can easily have something to copy 
> over into their DIST area in SVN. But, it's expected that people delete these 
> from the staging repository before releasing the staging repo to Maven 
> central after a successful release vote. Well, not everybody uses this 
> pattern. Some people, like those pushing for MPOM-282, generate sha512 files 
> differently (with the filename, so it can be easily verified with standard 
> tooling). It is inconvenient for this plugin to create extra files in the 
> staging repo that we must deal with, leading to more room for user error 
> during the release process.
> 2. In the case where users actually don't want to modify the staging repo, 
> but actually release the repo with the source-release artifact (there are 
> many use cases for that), this creates more work, because those people only 
> have to remove stuff from the staging repo *because* of this plugin. It 
> doesn't make it more convenient... it makes it less convenient... to do a 
> release.
> 3. It doesn't just generate .sha512 files. It also results in .sha512.md1 and 
> .sha512.sha1 files, which are just excessive to deal with.
> 4. The plugin has not been maintained in 2 years.
> 5. The plugin's website with all of its generated plugin documentation is no 
> longer functional.
> 6. The plugin doesn't appear to have a standard "-DmyPluginPrefix.skip" 
> method of disabling the plugin to bypass it. So, one must specifically 
> override the plugin by duplicating the apache-release profile, and creating 
> an execution with the same ID, but with different config to force it to be 
> overridden.
> 7. None (or very few) of the configuration properties seem to have user 
> properties to set them as a system property or in the POM's properties 
> section. So, that makes it cumbersome to modify the configuration.
> 8. Because of number 7, this ASF parent POM, must set everything in the XML, 
> and since it hasn't created proxy properties to set things indirectly, the 
> only way to override it is to create a local apache-release profile 
> containing the same plugin, with the same execution id, but with different 
> configuration.
> For all of these reasons, and probably more, I think this plugin should be 
> removed from the ASF parent POM. If not that, then it should at least be 
> moved to a different profile and disabled by default. If not that, then it 
> should at least be moved to a different profile so it can be easily disabled 
> by choice. If not that, then at the very least, create a proxy property to 
> set the includeClassifiers (and other important options) as properties, so we 
> don't have to jump through hoops to try to override and disable this plugin 
> when a project doesn't want to use it.
> For reference: https://github.com/nicoulaj/checksum-maven-plugin



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to