SNAPSHOT version checking is too strict for M2 checking
Description
I ran an M2 check on a pseudo release of idp 4.1.5 and it all went terribly wrong.
The biggest cause of failure was the rule that "thou shalt not check for signatures on SNAPSHOT versions of artifacts, but only if this is a SNAPSHOT version being built".
This is absolutely correct for checking signatures over distributions, but absolutely wrong for checking snapshots over m2 (where SNAPSHOTS are a way of life).
It might not matter for a real release (when the repository is much more constrained) but we need to be more relaxed about this.
I'll note that this does open a vector if we are rash enough to do a build with a SNAPSHOT versioned plugin (or something that depends on one).