Enhancement: Handle distribution relocation #287

Open
Giovds opened this issue Dec 1, 2023 · 2 comments

Comments

@Giovds
Contributor

Giovds commented Dec 1, 2023

When I look up a dependency it would be nice to know if I've got the most up to date source in terms of security, fixes and features.

Some pom artifacts provide a relocation element:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <!-- ... the rest removed for brevity ... -->
    <distributionManagement>
        <relocation>
            <groupId>group.id</groupId>
        </relocation>
    </distributionManagement>
</project>
```

If I search `mcs search groupId:artifactId:version` and it contains a relocation, I would at least like to be warned that there is a newer source available, or even get both results for the query and the relocation. Though the latter may have different versioning or newer versions available.

The current search endpoint unfortunately does not give this as part of the response so we would have to get this data e.g. from the local repository and if not found fetch it from https://search.maven.org/remotecontent?filepath=com/jolira/guice/3.0.0/guice-3.0.0.pom (URL differs per artifact of course).

This would mean fetching potentially big files and parsing/reading the XML. It could however open up possibilities for other features regarding getting data from the POM.

Thoughts?

@mthmulders
Owner

> Thoughts?

I like the idea!

But (I'm a bit ashamed to admit) I don't know if distribution management is inheritable. My gut feeling is that it isn't, but I don't know for sure.

If distribution management is inheritable, this idea could quickly become quite complex to implement. It would mean that MCS needs to parse the POM and all parent projects, potentially needs to resolve them, etc. - all of that to find out if somewhere in the hierarchy, a project got relocated.

If distribution management is not inheritable, it could be a bit simpler - MCS would only need to resolve the module(s) that it found from querying Maven Central and do some find magic in the POM. Still quite a lot of work, but a lot less :-). I'm afraid that the search index of Maven Central doesn't report about relocations, does it?

@Giovds
Contributor Author

Giovds commented Oct 4, 2024

The normal solrsearch endpoint doesn't seem to provide a way to check if the distribution management is present. Alternatively you could fetch the pom here which means you would have to parse the pom and fetch it for each dependency: https://search.maven.org/remotecontent?filepath=com/github/tomakehurst/wiremock/3.0.1/wiremock-3.0.1.pom

The distribution management seems inheritable if I inspect the effective pom of the child project.
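Added example, not part of the thread and not mcs code: the relocation check discussed above, written in Python against a constructed POM. The names `find_relocation`, `NoDoctypeBuilder`, `child_text` and `MAX_POM_BYTES` are assumptions of this example. It reads only the one POM it is given, so a relocation inherited from a parent POM is not detected, and it treats the downloaded POM as untrusted input by capping its size and refusing DTDs.

```python
import xml.etree.ElementTree as ET

MAX_POM_BYTES = 1024 * 1024  # assumed cap for this example, not an mcs or Maven limit

# Constructed sample: child POM that inherits groupId/version and relocates the group.
SAMPLE_POM = b"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>old.group</groupId><artifactId>parent</artifactId><version>1.0</version></parent>
  <artifactId>widget</artifactId>
  <distributionManagement>
    <relocation><groupId>group.id</groupId></relocation>
  </distributionManagement>
</project>"""


class NoDoctypeBuilder(ET.TreeBuilder):
    """Refuse any DTD: a POM needs none, and DTDs enable entity expansion."""

    def doctype(self, name, pubid, system):
        raise ValueError("DOCTYPE not allowed in a POM")


def child_text(parent, ns, tag):
    """Stripped text of a direct child element, or None if absent or empty."""
    if parent is None:
        return None
    return (parent.findtext(ns + tag) or "").strip() or None


def find_relocation(pom_bytes):
    """Return the relocated coordinates declared in this one POM, or None."""
    if len(pom_bytes) > MAX_POM_BYTES:
        raise ValueError("POM exceeds size cap")
    root = ET.fromstring(pom_bytes, parser=ET.XMLParser(target=NoDoctypeBuilder()))
    # Old POMs carry no namespace; reuse whatever the root element uses.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    reloc = root.find(f"{ns}distributionManagement/{ns}relocation")
    if reloc is None:
        return None
    parent = root.find(ns + "parent")
    result = {"message": child_text(reloc, ns, "message")}
    for key in ("groupId", "artifactId", "version"):
        original = child_text(root, ns, key)
        if original is None and key != "artifactId":
            original = child_text(parent, ns, key)  # groupId/version may come from <parent>
        # Fields omitted from <relocation> keep the original artifact's value.
        result[key] = child_text(reloc, ns, key) or original
    return result


if __name__ == "__main__":
    print(find_relocation(SAMPLE_POM))
```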
