don't use pom.distributionManagement.repository.url for BOM

[hboutemy]

BOM requires url to download component, pom.dM.repository is for publication (e.g. OSSRH for Maven Central)

Signed-off-by: Hervé Boutemy hboutemy@apache.org

For example, commons-compress 1.12 BOM point distribution to https://repository.apache.org/service/local/staging/deploy/maven2 which is the staging area to publish to Maven Central from Apache Software Foundation

[stevespringett]

@hboutemy Actually, I'm not sure this should have been merged. In CycloneDX, a distribution is the location where the artifact can be retrieved from. It forms the basis of provenance. So having Maven Central, etc, is what is expected.

[stevespringett]

We need to support this use case, but while ignoring snapshot repos if the artifact is not a snapshot.

[stevespringett]

I guess the confusion on my part is the difference between getDownloadUrl (which is currently still in the codebase) and getRepository, which is what was removed in this PR.

[stevespringett]

I'm going to revert this PR. For the overwhelming majority of artifacts deployed to Central, the distribution URL will be that of Maven Central. I think ASF (and possibly a few others) are unique in that they have dedicated staging environments. We cannot cripple this functionality for the majority of artifacts for the benefit of a few.

Perhaps we can include a workaround. Possibilities include:

• Replace https://repository.apache.org/service/local/staging/deploy/maven with https://repo1.maven.org/maven2.
• When https://repository.apache.org/service/local/staging/deploy/maven is encountered, add an additional distribution to https://repo1.maven.org/maven2 resulting in BOTH being present. This is technically more accurate.
• Create a configuration that would allow users to specify the distribution base URL

[hboutemy]

pom.distributionManagement.repository.url is never the url to download: for Maven Central when ussing OSSRH, it's https://s01.oss.sonatype…l/staging/deploy/maven2/ (see for example https://repo1.maven.org/maven2/io/dropwizard/dropwizard-project/4.0.0-beta.3/dropwizard-project-4.0.0-beta.3-cyclonedx.json)

reverting just adds back a value that has no interest

there is no info in Maven pom.xml or runtime to know the public url (at runtime, you'll get a local repository manager url if the user uses one)

if you really want to provide a download url for Maven Central (or any other Maven-format repository), it will require a cyclonedx-maven-plugin additional parameter

[EstherOnly]

After we upgrade this plugin, our project doesn't run well, I wish we can use pom.distributionManagement.repository.url, now I have rollback the version to 2.7.3

[hboutemy]

@EstherOnly can you define "our project doesn't run well", please?

notice that this PR has been reverted in #244 , then I don't see what has changed for you regarding this url

ideally, please open a separate issue describing your problem so we can track it more easily

[EstherOnly]

I‘ve seen it reverted, but we still seen this issue on our project, I've not figure it out why, I'll try to do more tests, if I find the reason, I'll reply or open a new issue. Thank you. ----- 原始邮件 ----- 发件人：Hervé Boutemy ***@***.***> 收件人：CycloneDX/cyclonedx-maven-plugin ***@***.***> 抄送人：EstherOnly ***@***.***>, Mention ***@***.***> 主题：Re: [CycloneDX/cyclonedx-maven-plugin] don't use pom.distributionManagement.repository.url for BOM (PR #239) 日期：2023年01月31日 16点20分 @EstherOnly can you define "our project doesn't run well", please? notice that this PR has been reverted in #244 , then I don't see what has changed for you regarding this url ideally, please open a separate issue describing your problem so we can track it more easily — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.Message ID: ***@***.***>