[MNG-8527] Re-enable consumer POM

[jira-importer]

Guillaume Nodet opened MNG-8527 and commented

The consumer POM has been disabled in RC-2 (see MNG-8393) for 4.0.0 models.
I think it needs to be enabled again.

But there are a few things to fix:

• some properties (including CI-friendly) may leak through from consumer to dependency POM (see MNG-8523)
• the consumer pom flattens and inline all properties, which may be a problem if the property can be modified by a profile (javafx use case)
• the flattening process also makes all poms much more heavy as they usually convey lots of (previously inherited) data such as managed dependencies.

For the leak, this happens if the property is not actually defined as a property in the pom. It may come from a Maven user property. In such case, the property value won't be in the installed POM (when not using consumer POM), which means it can be modified by a user property from the requesting POM.
This is also related to profile activation, which may be activated or deactivated using user or system properties (including OS data which can be overridden from CLI).

---

Affects: 4.0.0-rc-2

Issue Links:

• MNG-8464 [Regression] Maven 4-rc-2 breaks Maven ShrinkWrap Resolvers
  ("fixes")

• MNG-8393 Maven consumer POM transformation should be applied only if built model is greater than 4.0.0

• MNG-8523 User properties should override model properties in the model

Remote Links:

• GitHub Pull Request #2058
  

1 votes, 3 watchers

[jira-importer]

Anders Hammar commented

What happens in 4.0.0-rc-2 is that I can use the new Maven 4 features in a model 4.0.0 pom without Maven complaining. So when the build pom is published it might not be a valid pom for consumers.
For example, you cna use the 'bom' packaging and the published pom will then keep that packaging instead of transforming to 'pom'. You can also remove the modelVersion element. Etc.

If a proper consumer pom isn't generated, Maven 4 should fail on a model version 4.0.0 pom that is using 4.1.0 features.