Konrad Windszus

As I cannot change the security level of https://issues.sonatype.org/browse/NEXUS-30749 (Sonatype change the default to private unfortunately) I also attached the PDF export to https://issues.apache.org/jira/browse/MNG-7375

@michael-o I now added a first draft of a MetadataValidator (inspired by SettingsValidator). Please tell me what you think!

Metadata is only partially handled inside Maven (core), mostly it is now handled transparently in [Maven Resolver](https://github.com/apache/maven-resolver/blob/master/maven-resolver-api/src/main/java/org/eclipse/aether/metadata/Metadata.java), so probably the validator should be part of Maven Resolver and only for...

> So, IMO maven-repository-metadata getting added components is wrong IMHO. Any suggestion where to add the default validation module then, because as you say "any validation should be next where...

> Introduce a maven-repository-metadata-builder module Done in https://github.com/apache/maven/pull/645/commits/d39be11613d20228a4e826302ef57adf19ba1194. This module currently only contains the validator interface and default implementation. Should we also have a real builder there (which would IMO...

@michael-o Any update here?

Yes, as in general metadata should be validated. This is about exposing useful error messages in case the metadata is invalid.

Just for 4.x for now.

IMHO a BOM should only manage those dependencies which cannot be overridden through the plugin classloader as they are always determined from the Maven Core classloader. That is not the...

From a plugin developer's perspective it would be nice to have one(!) BOM available for the minimum target Maven version which includes all dependencies which cannot be overwritten as they...