Publishing licensed artifact to Maven Central Repository - maven

I need to push our project API's (bundled jar) to Maven Central Repository. As Part of that,i have gone through this link . However, am quite confused whether our project is eligible to publish in maven central repo,
Our API is not open source. it need to distribute only to client who purchase from us. is Maven provides any restrictions to download jar only for specific user who has some key etc?
POM.xml is requesting for licensing information. ours is not open source, if we allowed to publish, what should be licensing content in pom.xml?
Why we have to give our repo information in pom.xml? we are using bitbucket and hence providing the repo url is not accessible for others. can we have dummy repo or it is mandatory?
Please help me out guys.

Everything you publish to maven central will be available to everyone in the world.
For your use case, you can consider hosting your own maven repository.
Check sonatype nexus, artifactory, archiva...
With your own repo, you can configure a password in your server. Then your clients will need to configure your server in their pom.xml or settings.xml to download your artifacts.

Related

health check of custom repositories in Nexus?

I have created a repository in Nexus. As I am the owner of this repository, it is of type : Hosted.
I was going through the book of Mastering Apache Maven 3.0 and it says that, it is not possible to perform a health check on the repositories which are
1.The Repository Type is Proxy.
2.The Repository Policy is not Snapshot.
3.The Repository is In Service.
I have the last 2 conditions satisfied in my repository. But, the type of my repository is Hosted as I have the repository in my local machine.
Is there anything which I can do for a health check of custom repositories in Nexus?
I have one more question. If I want to mark an artifact in my hosted repository, how should I do that? Or should I just delete the vulnerable artifact from the repository?
Thanks in Advance!
How could nexus perform a health check on your custom libs?
From the nexus docs
HDS exposes data about the components in the Central Repository and
other public repositories, including license information, security
vulnerability data, and other statistics like relative usage
popularity and age
HDS is
Hosted Data Services (HDS) run by Sonatype
None of that is available for your hosted custom libraries. You can't really expect sonatype to maintain a database about them, because it doesn't know about them. If you want this, move your libs to an open-source model with an appropriate licence and upload them to maven central.

Jars in Maven Central needs to go into Nexus OSS?

I need to set up my own maven repository, since some open sourced libraries are not in Maven Central. I want to use Nexus OSS, and then I can upload the libraries I need to Nexus OSS.
My question is, do I also need to upload those libraries that are originally in Maven Central and I can directly use in POM to Nexus OSS?
Nexus is a proxy for global repositories. You can define in Nexus configuration what repositories are you going to use. You do not need to upload libraries that are accessible from configured global repositories.
You can also host your own repository for your local libraries. Everything is configurable.
When you configure your Nexus you need to just connect to it trough maven config and all actions are done behind the scene. Don't worry about it.
All libraries that are needed to compile your project, firstly are downloaded to your Nexus and then from Nexus to your local repo.
For example this is the easiest way to configure Nexus with your maven:
Nexus - maven - Configuration
Not at all: In your local $userprofile/.m2/settings.xml file (as well as in every pom.xml, altough is not a good practice) you can define as many repositories as you want. And so, you will be able to reference artifacts published to different repositories.

Restricted access to an artifact in the Maven Repository

I have a central Maven repository which is shared by more than one Projects within the Company LAN. Now, I need to have an artifact which is licensed for a single Project, to be placed in the shared repository.
Is it possible set authorized access to that artifact, the credential can ideally be in the pom file of the desired project.
Any better solution is more than welcome.
Maven doesn't handle access rights in repositories, since it's just a client fetching data from a server. If you're using a repository manager, read its documentation. If you're just hosting files behind an Apache HTTPD server, then configure HTTPD.
Alternatively, you could move that file in a separate repository, and configure just one project's POM to use it. This doesn't fix the fact that the repository will continue to be public, so other projects/teams could get to it if they really want to.

is weblogic-maven-plugin available from maven center repository?

When i run my maven build script i get
Plugin com.oracle.weblogic:weblogic-maven-plugin:2.9.1 or one of its dependencies could not be resolved: Failed to read artifact descriptor for com.oracle.weblogic:weblogic-maven-plugin:jar:2.9.1: Could not find artifact com.oracle.weblogic:weblogic-maven-plugin:pom:2.9.1 in central (http://repo1.maven.org/maven2)
But when i search in repository i can see it there http://search.maven.org/#search|ga|1|weblogic-maven-plugin
Why this plugin is not available?
As Oracle WebLogic is not an open source product, Oracle has decided not to publish their Maven plugins in the Maven Central repository (providing the sources for each published artifact has now become a requirement, according to the Maven Central Repository Usage Guide).
Until recently, the only way was to build and install the WebLogic JAR file into the local Maven cache.
Starting from 2015, Oracle has set up a Maven repository which can be accessed by anyone having a valid OTN account - see abarisone's answer.
From the early months of 2015 Oracle has at last made its Maven repository available for Continuous Integration purposes.
This means that you will be able to find not only all Oracle Database artifacts but also those related to Fusion Middleware, Oracle Service Bus, ADF and so on.
You can find more info reading this blog post.
Obviously you need to have a valid OTN account to log in, and the same is required to configure maven proxies and Nexus.
Once registered you will have access to the following link which explains all the instructions in order to configure the repository.
About Sonatype Nexus, you need at least version 2.11.2 to be able to add the Oracle repository, as reported here

Good configuration for Archiva?

We have recently decided to use Maven as build system. I'm responsible to migrate all the projects from Ant to Maven. We also decided to use Apache Archiva to configure an internal repository in the company.
I see that Archiva create two repositories by default (internal and snapshots). I also see that it configures the internal repository to proxy the central and java.net repositories.
Are there some best practices regarding Archiva configuration?
In the Archiva documentation, there is a possibility to configure Maven to use only the internal repository and then access the remote repository through the internal repository. What do you think about this option?
Thanks for your help
A Maven repository manager is essential to support Enterprise Maven development. The Maven installer is merely a bootstrap, running Maven for the first time downloads everything it needs from the Maven Central repository in order to compile your project.
The benefits of using a Maven repository aree documented elsewhere but I'll summarize:
Efficiency. Repository acts as a cache for Maven Central artifacts
Resilience. Repository protects against remote repository failures or lack of internet connection
Repeatability. Storing common artifacts centrally, avoids shared build failures caused by developers maintaining their own local repositories.
Audit. If all 3rd party libraries used by development come from a single entry point in the build process one can assess how often they're used (based on download log files) and what kinds of licensing conditions apply.
To that end I'd encourage you to use the following Archiva features:
Locking down to only use Archiva. Configure Maven clients download everything from Archiva.
Virtual repositories for each team. Configure all the remote repositories used by teams centrally in Archiva instead of leaving the details to the teams themselves.
PS
I use Nexus for my Maven repository management, but the same concepts apply.

Resources