禁用 Maven 中央存储库
我公司的政策不赞成自动下载工件(它们必须经过批准),因此为了使用 Maven,我需要禁用对 Maven 中央存储库的访问。
换句话说,我不希望 Maven 尝试从中央下载任何。
我知道如何配置本地存储库(无论是否联网),我的想法是使用“有福的”机器来更新本地存储库。
PS:我可以在代理/网络级别阻止请求,但我询问如何使用 Maven 的配置来做到这一点。
更新 我终于知道该怎么做了。在maven的home中,在conf目录下是一个全局的settings.xml。 您可以将镜像设置为指向某个内部服务器的central,或者只是覆盖它的定义。
My company's policy frowns upon artifacts downloaded automatically (they have to be approved), so in order to use Maven I need to disable access to Maven's central repository.
In other words, I don't want Maven to attempt any downloads from central.
I know how to configure a local repository (networked or not), my idea is using a "blessed" machine to update the local repository.
PS: I could block requests at the proxy/network level, but I'm asking about how to do it with Maven's configuration.
UPDATE
I finally figured out how to do it. In maven's home, in the conf directory is a global settings.xml.
You can either set a mirror to central that points to some internal server or just override it's definition.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(7)
我发现配置工件解析页面很有帮助。
它声明了以下有关“镜像任意”设置的内容。
Maven 的 Super POM 定义了中央存储库。以下是您如何覆盖发布和快照的中央存储库和插件存储库:
当然,您应该配置一个替换配置,如已接受的答案所述。
I found the Configuring Artifacts Resolution page helpful.
It states the following about the "mirror any"-setup.
The Super POM of Maven defines the central respository. Here is how you can override the central repository and the plugin-repository for releases and snapshots:
Of course you should have a replacement configured, as the accepted answer stated.
如果公司范围内的存储库应处理所有工件请求,您可以配置单个存储库来镜像
$MAVEN_HOME/conf/settings.xml中的所有内容:来源
In case of a company-wide repository which should handle all and every artifact request you can configure a single repository to mirror everything in your
$MAVEN_HOME/conf/settings.xml:Source
过去我发现最可靠的解决方案是手动覆盖内置存储库。我发现这种方法比更改父 POM、settings.xml、镜像或配置文件更好。对于所有内部项目,请将以下设置放入其 POM 中。
In the past I have found that the most robust solution is to manually override the built-in repositories. I found this approach better than changing the parent POM, settings.xml, mirror, or profiles. For all internal projects put below settings into their POM.
最简单的方法是使用 -o 参数,它告诉 Maven 以离线模式运行。当然,您需要确保您的本地存储库拥有您需要的一切,但这至少可以解决您在自动连接到未经批准的存储库时可能遇到的任何安全担忧。
The simplest way is to use the -o parameter which tells maven to run in offline mode. Of course you will need to ensure your local repo has everything you need, but this at least sorts out any security worries you may have with connecting automatically to an unapproved repo.
听起来好像有人正在积极尝试执行您的开源治理政策。很高兴听到这个消息。
同意这里关于使用内部存储库管理器来托管 Maven 所需的组件的其他评论。
正如 Rory 提到的,在停止访问 Maven Central(中央存储库)或任何其他公共开源存储库之前,您需要确保该存储库中拥有所需的所有内容。
Mark 很好地阐述了 Nexus 的采购能力。使用所有“批准”组件设置内部存储库管理器后,您还可以打开 Nexus 存储库运行状况检查功能(免费),报告组件的所有组件许可证、已知安全漏洞等你的仓库。
坦白说,我在 Sonatype 工作。
Sounds like someone is actively trying to enforce your Open Source governance policy. That's good to hear.
Agree with the other comment here about using an internal repository manager to host the components needed by Maven.
As Rory mentions, you need to make sure you have everything needed in that repository before you stop access to Maven Central (The Central Repository) or any other public open source repository.
Mark makes a good point about the Nexus procurement capabilities. Once that internal repo manager is set up with all of your "approved" components, you can also turn on the Nexus Repository Health Check feature (it's free), that reports on all of the component licenses, known security vulnerabilities, etc. for components in your repos.
Full disclosure, I work for Sonatype.
我有同样的问题,但有其他原因。解决方案是停用 Avira 浏览器保护(德语为 Browser-Schutz)。我从 m2e 无法传输元数据nexus,但是maven命令行可以。
I had the same problem but with an other cause. The solution was to deactivate Avira Browser Protection (in german Browser-Schutz). I took the solusion from m2e cannot transfer metadata from nexus, but maven command line can.
同意。在您的发布版本中不应允许从外部存储库直接下载。
您的问题的具体答案是我的答案的第二部分:-)
设置存储库管理器
我建议设置一个本地 Maven 存储库管理器。好的选择如下:
所有这些都能够充当外部可用的 Maven 中央 jar 的缓存代理。
您可能还对 Nexus 的专业版感兴趣。它包括一个用于管理外部库的采购套件。它还提供 Maven 插件来集中管理 Maven 设置文件,这是我答案的第二部分...
本地 Maven 设置
更新 设置文件位于以下目录:
$HOME/.m2/settings.xml
指定所有中央请求应重定向到本地 Maven 存储库:
Agreed. No direct downloads from external repositories should be allowed in your release builds.
The specific answer to your question is the second part of my answer :-)
Setup a repository manager
I'd recommend setting up a local Maven repository manager. Good options are the following:
All of these are capable of acting as a caching proxy for the externally available Maven central jars.
You might also be interested in the Profession version of Nexus. It includes a Procurement suite for managing external libraries. It also provides Maven plugins for centrally managing the Maven settings file, which is the second part of my answer...
Local Maven settings
Update the settings file located in the following directory:
$HOME/.m2/settings.xml
Specify that all central requests should be redirected to the local Maven repository: