Maven allows random namespaces on project
Affected version
HEAD
Bug description
It does not allow only the correct namespace or no namespace. Any random URL or string you throw in does not cause an error:

```xml
<project xmlns="https://ff.com">
<!-- Test that we can parse a pom.xml with no namespace -->
<modelVersion>4.0.0</modelVersion>
<groupId>org.apache.maven.its</groupId>
<artifactId>missing-namespace</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
</project>
```
@elharo please take a look https://github.com/apache/maven/pull/11185
We need to be able to parse 4.0.0 POM files with no namespace, but that is not allowed for 4.1.0 POM files. I'm not sure we want to restrict namespaces when reading 4.0.0 files. That can be checked for build POM, but not when consuming them from a repository. So we need to make that dependent on the validationLevel to preserve compatibility.
So, this is not a bug? If there is no restriction on namespaces when reading 4.0.0 files?
We do want to restrict namespaces when parsing 4.0.0 files to only the specifically allowed namespaces and no namespace at all. But we should not allow arbitrary strings.
See https://github.com/apache/maven/issues/8457
> We do want to restrict namespaces when parsing 4.0.0 files to only the specifically allowed namespaces and no namespace at all. But we should not allow arbitrary strings.
We first want to make sure they can't go to central. If there are such files in central and they have been used for years, I'm not sure we want to not support them anymore. So we need answers to:
- can a POM be uploaded with no namespace to Central?
- can a POM be uploaded with a random namespace to Central?
- for how long has that been enforced?
- how many no-namespace or random-namespace POMs do we have, if any?
If the namespace (eventually no namespace) is enforced in Central, and if there's no ill-formed POM to support, then, yes, we can certainly enforce and restrict when reading.
@brianf ?
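The validation rule the thread converges on (4.0.0 POMs: the 4.0.0 namespace or none; 4.1.0 POMs: their namespace only; arbitrary strings rejected for build POMs but tolerated for repository POMs), written out as an added Python example that is not Maven's own code. It assumes `http://maven.apache.org/POM/4.1.0` is the 4.1.0 namespace and uses a constructed `STRICT`/`LENIENT` pair in place of Maven's real validationLevel values.

```python
import xml.etree.ElementTree as ET

# Namespaces this check accepts. POM_4_0_0 is the long-standing 4.0.0
# namespace; POM_4_1_0 is assumed here to be the 4.1.0 one.
POM_4_0_0 = "http://maven.apache.org/POM/4.0.0"
POM_4_1_0 = "http://maven.apache.org/POM/4.1.0"

# Constructed stand-ins for a validation level: a build POM is checked
# strictly, a POM consumed from a repository leniently for compatibility.
STRICT, LENIENT = "strict", "lenient"

# Constructed sample: the root namespace from the issue report.
ISSUE_POM = '<project xmlns="https://ff.com"><modelVersion>4.0.0</modelVersion></project>'


def split_tag(tag):
    """Split ElementTree's '{ns}local' tag form into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def check_pom_namespace(pom_xml, validation_level=STRICT):
    """Return (accepted, reason) for a POM document string."""
    root = ET.fromstring(pom_xml)
    ns, local = split_tag(root.tag)
    if local != "project":
        return False, f"root element is <{local}>, expected <project>"
    mv = root.find(f"{{{ns}}}modelVersion" if ns else "modelVersion")
    model_version = mv.text.strip() if mv is not None and mv.text else None
    # 4.1.0 POMs: the 4.1.0 namespace is mandatory, no-namespace is never ok.
    if ns == POM_4_1_0:
        if model_version in (None, "4.1.0"):
            return True, "4.1.0 POM with the 4.1.0 namespace"
        return False, f"modelVersion {model_version} under the 4.1.0 namespace"
    if model_version == "4.1.0":
        return False, "4.1.0 POM without the 4.1.0 namespace"
    if model_version not in (None, "4.0.0"):
        return False, f"unsupported modelVersion {model_version}"
    # 4.0.0 POMs: the 4.0.0 namespace or no namespace at all.
    if ns in (POM_4_0_0, ""):
        return True, "4.0.0 POM with the 4.0.0 namespace or no namespace"
    # Arbitrary strings: rejected for build POMs, tolerated for repository POMs.
    if validation_level == LENIENT:
        return True, f"unknown namespace {ns!r} tolerated for repository POM"
    return False, f"arbitrary namespace {ns!r} rejected for build POM"
```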