On 04/08/2010 9:34 AM, david_ wrote:
Hi

I want to prevent maven from downloading dependencies from the repositories
that are configured in pom.xml files. Maven should only use the repository
configured in the settings.xml of maven.

We have a corporate repository for all jar files, but it is possible that a
pom.xml holds configuration for downloading its dependencies from other
URLs. This needs to be prevented.

Is this possible?

How determined are your developers to circumvent this policy?
Do you have to assume that they will take deliberate steps to get around this restriction?

Shutting off Internet access for developers will do this nicely. Has some negative points!

We have removed all repository references from all POMs except for deployment which is held in the parent POM and, of course, it points to our repo.

This still leaves the settings.xml file as a point of vulnerability but at least you can track bad behaviour to an individual person.

Our standard settings.xml sets our repository as a mirror for every other repo in the world, so the only repos that get referenced are the ones set up in Nexus, which is under my control.

Not a complete guarantee that someone might modify their settings.xml but that would be a serious breach of policy and would be dealt with administratively. There is no practical reason for someone to do this so there would be some "splainin" to do. (I Love Lucy reference)

Ron
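
An added example (not part of the original thread, and not Maven's or Nexus's own code): a Python check a build server could run to enforce the two controls described in the reply above, flagging download repositories declared in a POM and confirming that settings.xml mirrors `*` to the corporate repository. The host name and the sample XML are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CORPORATE_HOST = "nexus.example.internal"  # placeholder, not from the thread
# Constructed sample inputs for the demonstration.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>vendor</id><url>http://repo.vendor.example/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>corp</id><url>https://nexus.example.internal/plugins</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository><id>rel</id><url>https://nexus.example.internal/releases</url></repository>
  </distributionManagement>
</project>"""
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>corp</id><mirrorOf>*</mirrorOf><url>https://nexus.example.internal/public</url></mirror>
  </mirrors>
</settings>"""

def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns both match."""
    return tag.rsplit("}", 1)[-1]

def _fields(element):
    return {_local(c.tag): (c.text or "").strip() for c in element}

def pom_repo_findings(pom_xml, allowed_host=CORPORATE_HOST):
    """List (section, id, url) for download repositories not on allowed_host.
    Covers top-level and profile sections; distributionManagement is ignored."""
    findings = []
    for section in ET.fromstring(pom_xml).iter():
        name = _local(section.tag)
        if name in ("repositories", "pluginRepositories"):
            for repo in section:
                f = _fields(repo)
                if urlparse(f.get("url", "")).hostname != allowed_host:
                    findings.append((name, f.get("id", ""), f.get("url", "")))
    return findings

def settings_mirrors_everything(settings_xml, allowed_host=CORPORATE_HOST):
    """True only if some mirror has mirrorOf exactly '*' and targets allowed_host."""
    for el in ET.fromstring(settings_xml).iter():
        f = _fields(el) if _local(el.tag) == "mirror" else {}
        if f.get("mirrorOf") == "*" and urlparse(f.get("url", "")).hostname == allowed_host:
            return True
    return False
```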


