GitHunt
HB

hboutemy/todo

My Maven TODO list

past

Core 3.5.x

details

Core 3.6

3.6.0
  • MNG-5951 add an option to avoid path addition to inherited URLs
    • more flexible idea would be to have multiple strategies with a Plexus role and multiple hints:
      by default, appends artifactId (or project.directory) like currently, another would not add anything (hint id to be found),
      another hint could work with git specific url rules. Interface = String getInheritedUrl( String parentUrl, MavenProject parent, MavenProject child )
      issue: this would create a dependency on Plexus container/Sisu
  • MNG-4508 No way to avoid adding artifactId to site urls
3.6.1
3.6.2
  • MNG-6636 NPE on reporting convertion (DefaultReportingConverter) when inheritance of with no reports
  • MNG-6668 Modello PR#31 Make location handling more memory efficient
  • MNG-6629 PR Make ID validation faster
  • MNG-6630 PR Make ComparableVersion faster
  • MNG-6631 PR Make DefaultArtifactVersion faster
  • MNG-6632 PR Remember artifact handlers after they've been used once
  • MNG-6633 PR Reduce memory usage of excludes
  • MNG-6638 PR Prevent reparsing POMs in MavenMetadataSource
  • MNG-6681 dependency type documentation
  • MNG-6549 Remove unused transitive dependencies of Guava
3.6.3
  • MNG-6765 Regression tycho pom-less builds fails with 3.6.2
  • MNG-6771 licensing issues (not really "up for grabs", but quite specific issue)
  • MNG-6584 Maven version 3.6.0 does not show ReasonPhrase anymore
  • MNG-6789 Maven Reproducible Build
3.8.0
  • MNG-7118 Block HTTP repositories by default

3.9

  • MNG-7438 add execution id to "Configuring mojo xxx with basic configurator" debug message
  • MNG-7353 add support for "mvn plugin:version:goal"
  • MNG-7501 display relative path to pom.xml

3.9.1

  • MNG-5185 Improve "missing dependency" error message when _maven.repositories/_remote.repositories contains other repository ids than requested: if artifact not found, display which repositories were searched, with info on where the repository was defined (settings, pom) and how settings' mirrorOf affected the result)

3.9.5

  • MNG-7875 Downloading/downloaded messages: darker ANSI display
    • MNG-8300 broken in 4.0.0-alpha-11 to 4.0.0-beta-4
  • MPH-183 / MNG-7344 Effective-pom + verbose should show import path to BOM dependencyManagement import
  • MNG-7001 more...

3.9.10

  • MNG-8712 POM dependency version is a requirement

Core 4

4.0.0-alpha-2

Core future

  • relocation (poi:poi becomes officially org.apache.poi:poi)
    vs unofficial release (someone publishes a release in my.personal.group:poi, independently from original project and with same java package names)
    vs fork with classes conflict (a wanted fork but keeping same package names for compatibility)
    vs fork with package names rework (to avoid any conflict)
  • MNG-5814 check signature of plugins against trusted list
  • ascii progress bar, probably using ansi escape codes
  • check artifact magic numbers, at least for zips, to detect download failures without downloading sha1 files (see test case)
  • MNG-5689 define strict checksum per repository
  • MNG-6679/MRESOLVER-90 HTML content in POM: Maven should validate content before storing in local repo
  • provide CLI test demo program to do artifact resolution then easily debug in an IDE
  • provide CLI test demo program to launch a Maven build then easily debug in an IDE
  • import mvnsh
  • mvnd daemon and multi-threaded display
  • MNG-7129 Deutsche Bank incremental build and cache
  • MVNCENTRAL-1365 Olaf ApacheCon BigData Sevilla 2016 talk slides and ApacheCon Berlin 2018 IoT update

Reproducible/Verifiable Builds

done
  • MRELEASE-1029 maven-release-plugin update outputTimestamp
  • PR 522 versions-maven-plugin/issues/453 add an option to update Reproducible Build project.build.outputTimestamp while updating version
  • ASF 22 parent POM release, with RB activated
  • ASF 23 parent POM release, with RB fix
  • Maven parent POM 34, with RB activated
  • Artifact plugin
    • ability to generate buildinfo file
    • ability to check local build output against reference build
    • ability to detect JDK+OS from reference build, display (from reference buildinfo or manifest) and add to generated minimal buildinfo when no reference available
    • MARTIFACT-20 refactor to add separate check mojo in addition to check during buildinfo
    • add explanations on how to test locally reproducibility (deploy reference to local dir)
    • save comparison result of local build vs reference artifact
    • detect that a Maven module is not installed or deployed, then should not be part of buildinfo
    • move code from studies buildinfo:buildinfo to maven-artifact-plugin:buildinfo
    • artifact:check-buildplan detect used plugins/goals and display if known non-reproducible
    • add a goal to report on dependencies reproducibility (against a trusted list...)
  • effective reproducibility tracking:
    • track Maven Central for (effective) pom with reproducible timestamp
    • track Maven Central for projects built with Maven, that could be enhanced to have reproducible build
    • test reproducibility of these, manually or with containers
    • Git repo to track and share rebuild recipes: reproducible-central
    • statistics on reproduced builds in reproducible-central
    • buildpsec for GuicedEE (daily) releases
    • statistics on Maven-owned projects reproducibility reproducible-maven-HEAD
    • statistics on Plexus-owned projects reproducibility reproducible-plexus-HEAD
    • statistics on MojoHaus-owned projects reproducibility reproducible-mojohaus-HEAD

CycloneDX SBOM

  • ActiveMQ
  • Apache Directory Server
  • Camel
  • JSPWiki
  • Hadoop
  • Accumulo

Doxia/site/pdf

Misc

Conf

2018
2019
  • 2-3/2/2019 FOSDEM
  • 15/6/2019 Hack Commit Push contributions expected:
    • site content fixes and improvement
    • README.md améliorations et généralisation
    • low hanging fruits: see up-for-grabs issues
    • Jansi (console color) performance measure and improvement (particularly on Windows)
    • Reproducible Builds: archive entries timestamp configuration
    • depending on contributor knowledge or interest (web design <== WANTED!!!, performance, some specific plugins), oriented contribution
    • looking for help on scripting Google Storage work...
  • 15/6/2019 Hack Commit Push actual contributions:
    • MSKINS-107 up-for-grabs generator meta tag, done by Antoine
    • DOXIATOOLS-59 up-for-grabs linkcheck issue, wip by Chris
    • MNGSITE-353 up-for-grabs Document maven.repo.local system property, wip by Elmehdi
    • how to get full Maven sources on Windows, given Google Repo does not work here? wip by Joseph
    • MSKINS-97 upgrade Fluido Skins Bootstrap version from 2.3 to 4, wip by Vasile
    • check of pgp signatures for plugins, wip by Andrei and Charles
    • Reproducible Builds force archive entries timestamp in plexus-archiver: explain/review/improve PR #113 in light of pre-existing PR #49, wip by Arnaud
    • Jansi improvements explanations/review (see PR 146 to 153), wip by Arnaud
  • 22-24/10/2019 ApacheCon Europe 2019
2020
  • 25/2/2020 Hackergarten
    • PR #58 make Quickperf build reproducible (Minh-Trieu Ha)
    • make Logback build reproducible (Bakary Djiba)
    • make Felix bundle-maven-plugin output reproducible (Arnaud)
  • 31/03/2020 Hackergarten
  • 14/4/2020 Hackergarten
    • MKSINS-167 add anchors to headers (Bakary Djiba)
  • 11-15/3/2020 JChateau
  • 27/6/2020 Hack Commit Push
  • 11/2021 Open Source Experience
    • 30/3/2021 comité programme
  • 29/5/2021 Hack Commit Push 2021
  • 2021 Hackergarten

projects.apache.org

  • index.html fast display (no need for every .json)
  • INFRA-16355 Git mirror

Other

scope of dependencies: Maven (scope), Gradle (configuration), NPM (development), Composer (isDevRequirement), Poetry (group) and Pipenv (category)
n the SBOM via property (because every ecosystem has an own name, own well-known values, ...)

  • Attic

Contributors

HB
Created May 11, 2018
Updated July 24, 2025