That really sucks . How is specifying an url via cmdline considered a security risk ? Whether I specify it on cmdline or settings.xml is same "risky", no?
Please describe how this can be used as an attack vector - for my better understanding.
Besides that, I now can't just paste a cmdline and create a project from a non-central archetype repository anymore. I now have to add that custom archetype repository to my settings.xml first, before I can invoke the generate step. And I will do that most likely only once, maybe twice. So I have to remove it after the project has been generate. Yay! That's what I call making your life more difficult than it has to be.
Sorry for sounding that harsh, but I'm currently not getting the reason for such a breaking change.
BTW: tried org.apache.maven.plugins:maven-archetype-plugin:2.4:generate as a workaround, but then it seems that the post-groovy script isn't working anymore .
BTW2: This still comes as a warning, which is also quite misleading:
[WARNING] Archetype not found in any catalog. Falling back to central repository (http://repo.maven.apache.org/maven2).
[WARNING] Use -DarchetypeRepository=<your repository> if archetype's repository is elsewhere.