pkgsrc changes:
- Add missing $PKG_SYSCONFDIR/logging directory and config file
- Improve Makefile readability
Changes in 3.2.3:
- Switch access to Maven Central to HTTPS (MNG-5672)
Changes in 3.2.2:
- Support version ranges in parent elements (MNG-2199)
- Requiring multiple profile activation conditions to be true does
not work (MNG-4565)
- Support resolution of Import Scope POMs from Repo that contains
a ${parameter} (MNG-5639)
- Update maven-plugin-plugin:descriptor default binding from
generate-resources phase to process-classes (MNG-5346)
- ${maven.build.timestamp} should use UTC instead of local timezone
(or be configurable) (MNG-5452)
- ${maven.build.timestamp} uses incorrect ISO datetime separator
(MNG-5647)
Release notes for 3.2.1
Bug
[MNG-5075] - MavenProject.getParent throws undocumented ISE
[MNG-5389] - AbstractMavenLifecycleParticipant needs an afterSessionEnd
[MNG-5467] - intermittent "ProtocolException: The server failed to respond
with a valid HTTP response"
[MNG-5479] - ExecutionEvent.Type.SessionEnded omitted when runtime
exception thrown
[MNG-5494] - Add a license file that corresponds to each GAV
in the distribution
[MNG-5528] - Help text confuses people
[MNG-5550] - MojoExecution source is never set to LIFECYCLE
[MNG-5553] - ${map(some.key)} is not properly interpolated
[MNG-5557] - Limit the reactor to the projects that are specified
using --projects
[MNG-5559] - upgrade to last wagon 2.6
[MNG-5572] - Warn for building plugins with extensions in a reactor
Improvement
[MNG-3526] - Small change to artifact version parsing.
[MNG-4099] - Password encryption CLI switches should prompt for password
if missing
[MNG-5176] - Print build times in an ISO 8601-style manner
[MNG-5530] - mojo execution guice scope
[MNG-5549] - Provide before/after callbacks for project and mojo execution
[MNG-5574] - Write error/warning messages from mvn shell and batch scripts
to stderr
[MNG-5575] - Separate build strategies into their own implementations
[MNG-5576] - Allow continuous delivery friendly versions
[MNG-5578] - Make the ReactorReader pluggable in the core
[MNG-5581] - Provide a way to customize lifecycle mapping logic
[MNG-5582] - Continue to track all the projects in the reactor even
if the set is constrained by --projects
New Feature
[MNG-2315] - Add option to exclude all transitive dependencies for
a particular one
[MNG-3832] - Allow wildcards in dependency exclusions
[MNG-5230] - Command line option to exclude modules from reactor
Release notes for 3.1.1
Bug
[MNG-5459] - failure to resolve pom artifact from snapshotVersion
in maven-metadata.xml
[MNG-5495] - API incompatibility causes Swagger Maven Plugin (and others)
to fail under Maven 3.1.0
[MNG-5499] - maven-aether-provider leaks Sisu Plexus and ObjectWeb classes
onto the classpath when they are not required
[MNG-5500] - help for --legacy-local-repository option explains
_maven.repositories instead of _remote.repositories
[MNG-5503] - Maven 3.1.0 fails to resolve artifacts produced by reactor build
[MNG-5509] - org.apache.maven.repository.legacy.DefaultWagonManager should
set User-Agent
Release notes for 3.1.0
Major Changes
- The use of JSR330 in the core for extensions and in Maven plugins.
You can read more about it in the Maven and JSR330 document.
- The use of SLF4J in the core for logging. You can read more about it
in the Maven and SLF4J document.
- The switch in the core from Sonatype Aether to Eclipse Aether.
Known Incompatibilities with Maven 3.0.x
- The significant change in Eclipse Aether with respect to API changes
and package relocation will likely cause issues with plugins that directly depend on Aether.
Bug
[MNG-3131] - Error message is misleading if a missing plugin parameter is
of a type like List
[MNG-5016] - A mirror's layout setting should default to 'default' since
that's the only layout supported lay in maven 3
[MNG-5206] - plexus container never disposed
[MNG-5208] - Parallel (-T option) multi module build fires wrong
"project failed event"
[MNG-5209] - MavenProject.getTestClasspathElements can return null elements
[MNG-5212] - DefaultPluginDescriptorCache does not retain pluginDescriptor
dependencies
[MNG-5214] - Dependency resolution substitutes g:a:v:jar for
j:a:v:something-else when something-else isn't in the reactor
[MNG-5233] - ArtifactMetadataRetrievalException from
org.apache.maven.artifact.metadata is not anymore binary compatible.
[MNG-5258] - localRepository in settings.xml does not handle ~ as home.dir
[MNG-5261] - upgrade wagon version to 2.3 to fix issues with redirect
[MNG-5270] - README.bootstrap.txt says "Ant 1.6.5 or later" BUT 1.8 or
later is needed
[MNG-5280] - Inconsistent order of repositories and pluginRepositories
from profiles in settings (regression Maven 3)
[MNG-5289] - -Dmaven.repo.local not honored
[MNG-5312] - MavenProject.getParent intolerably slow when import scope
used heavily
[MNG-5313] - Unnecessary DefaultModelBuilder.build overload
[MNG-5314] - DefaultModelValidator misuses String.matches
[MNG-5336] - Descriptor Reference for settings.xml is incorrect
[MNG-5387] - Add ability to replace an artifact in mid-build
[MNG-5390] - mvn -rf (no argument) results in NPE
[MNG-5395] - logger name for plugins should not be DefaultMavenPluginManager
[MNG-5396] - logger name for execution events should not be MavenCli
[MNG-5398] - scriptSourceDirectory in superpom is not prefixed
with /usr/home/cmsslave/slave15/maven-site-staging/build/trunk/
[MNG-5403] - tar.gz release artifacts have wrong permissions on directories
[MNG-5418] - Can't activate a profile by checking for the presence of
a file in $myProperty
[MNG-5430] - use wagon 2.4
[MNG-5444] - ModelSource API is not sufficient to resolve project hierarchies
[MNG-5445] - Missing PathTranslator @Requirement in
org.apache.maven.project.interpolation.StringSearchModelInterpolator
[MNG-5456] - Maven skips modules and reports success if parallel build
encounters java.lang.Error
[MNG-5477] - "malformed POM" warning issued when no version
in reporting section
Improvement
[MNG-4505] - use slf4j to control various logging frameworks
[MNG-5181] - New resolution from local repository is very confusing
[MNG-5239] - Maven integration developers would like to be able to override
the maven logging appender.
[MNG-5245] - upgrade default plugins versions
[MNG-5338] - Accept a directory with -f/--file
[MNG-5350] - improve @threadSafe error message: tell which goal
[MNG-5399] - Upgrade version of maven-release-plugin in superpom to 2.3.2
[MNG-5400] - Upgrade version of maven-dependency-plugin in superpom to 2.5
[MNG-5402] - Better build number for git
[MNG-5480] - document in POM descriptor reference how urls are interpolated
from parent
[MNG-5482] - Catch NoClassDefFoundError org/sonatype/aether
New Feature
[MNG-519] - Timestamps on messages
[MNG-5306] - for IDE embedding have ways of collecting model problems
without failing the process
[MNG-5343] - Allow the use of JSR330 annotation in Maven extensions
and plugins
[MNG-5344] - Allow the SLF4J loggers to be @Injected
[MNG-5354] - Integrate Eclipse Aether 0.9.0.M2
[MNG-5380] - Cannot preserve whitespace in Maven plugin configuration
[MNG-5381] - Restore MavenSession.getRepositoryCache()
[MNG-5382] - Add an IT for @Inject used in plugins
[MNG-5386] - Dispose of ClassRealms after invocation to prevent
out of Permgen errors
[MNG-5388] - Restore embedded integration tests
[MNG-5391] - Update the default WAR plugin version to avoid version 2.3
[MNG-5393] - Look at Sonar's use of SLF4J and Logback
[MNG-5397] - Use SLF4J for logging
[MNG-5407] - Change MavenITmng1830ShowVersionTest to account for SHA1
as version
Task
[MNG-5279] - add CLI options to documentation
[MNG-5365] - Replace Aether's deprecated ConfigurationProperties
with ConfigUtils
[MNG-5372] - remove classes that were added during Maven 3 alpha and beta
but were deprecated before 3.0 final release
[MNG-5373] - Document the usage and benefits of JSR330
[MNG-5374] - Fix transfer listener after the JSR330 merge
[MNG-5375] - Document use of SLF4J
[MNG-5376] - Account for changes between the Apple and Oracle JDKs on OSX
[MNG-5453] - Update Maven 3 build to use Eclipse/Sisu
Wish
[MNG-5370] - separate artifact-handlers configuration from plugin bindings
to default lifecycle
[MNG-5461] - rename _maven.repositories tracking file to _remote.repositories
http://maven.apache.org/docs/3.0.5/release-notes.html
Apache Maven 3.0.5 is a maintenance release to fix a security
issue CVE-2013-0253 Apache Maven 3.0.4
http://maven.apache.org/security.html
CVE-2013-0253 Apache Maven 3.0.4
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has
introduced a non-secure SSL mode by default. This mode
disables all SSL certificate checking, including: host
name verification, date validity, and certificate chain.
Not validating the certificate introduces the possibility
of a man-in-the-middle attack.
All users are recommended to upgrade to Apache Maven 3.0.5
and Apache Maven Wagon 2.4.
Maven 2.2.1 aims to correct several critical regressions related to
the selection of the HttpClient-based Wagon implementation for
HTTP/HTTPS transfers in Maven 2.2.0. The new release reverts this
selection, reinstating the Sun-based - or lightweight - Wagon
implementation as the default for this sort of traffic. However, Maven
2.2.1 goes a step further to provide a means of selecting which
provider - or implementation - the user wishes to use for a particular
transfer protocol. More information on providers can be found in our
Guide to Wagon Providers.
In addition, Maven 2.2.1 addresses some long-standing problems related
to injecting custom lifecycle mappings and artifact handlers. These
custom components are now correctly loaded regardless of whether they
come from a plugin with the extensions flag enabled, or from a pure
build extension. In addition, custom artifact handlers now will be
used to configure the attributes of the main project artifact in
addition to any artifacts related to dependencies or project
attachments created during the build.
Maven 2.2.0 contains a few important changes that justify the version
upgrade, instead of simply naming it 2.1.1. First, the Java requirement
for Maven 2.2.0 has been upgraded to 1.5 or later. This upgrade was
planned for 2.1.0, but that release still contained binaries that were
compatible with JDK 1.4. In addition, due to some serious flaws in the
version-expression POM transformation included in 2.1.0, this feature
has been removed for the time being. Finally, some new default execution
IDs have been added to Maven to enable the separation of configuration
for plugins bound by the default lifecycle mappings, and for those
invoked directly from the command line.
Changes that may affect existing builds
* MNG-4143 - Starting in 2.2.0, Maven will run only on Java 1.5 and later.
You can still build projects for JDK1.4 and earlier using the approach
documented in the Guide to Building JDK 1.4 Projects on JDK 1.5.
* MNG-3401 - Executions with an id equal to default-phase (where phase is
a valid lifecycle phase) may have unexpected results as it will be merged
into the default lifecycle.
* MNG-4140/4179 - Version-expression resolution during installation and
deployment has been removed, returning to Maven 2.0.x behaviour.
Maven is a software project management and comprehension tool.
Based on the concept of a project object model (POM), Maven
can manage a project's build, reporting and documentation from
a central piece of information.