On the one hand, GIT and Subversion can have different SCM URIs for read and write access.
This is what is supposed to be used for different URIs <connection> and <developerConnection> . The first is the URI, guaranteed read access. The second is the URI, guaranteed write access.
Very often, canonical URIs cannot be inferred from an unloaded repository.
For example, I can check the Subversion repository internally through the svn: protocol and the IP address of the server, but external participants should use https:// with the host name.
Or even with GIT repositories, on Github you have different URIs for different access mechanisms, for example
https://github.com/stephenc/eaio-uuid.git (read / write using Username / Password or OAuth)git@github.com :stephenc/eaio-uuid.git (read and write using the SSH private key)git://github.com/stephenc/eaio-uuid.git (anonymous read only)
Do not pay attention to the fact that you may have checked git://github.com/zznate/eaio-uuid.git or cloned a local check, in other words, your local GIT repository may have the value "upstream" ../eaio-uuid-from-nate , not git@github.com :stephenc/eaio-uuid.git
I agree that for some SCM tools you can automatically detect ... for example, if you know that the source is derived from, for example. AccuRev, you should be fine in accepting your data ... until you remove the Subversion module or GIT or CVS or etc code into the AccuRev workspace (true story) so that the tag that was retracted can be updated.
So, the discovery code must be sure that you did not use two SCM systems at the same time to make sure that it is the main SCM ... and the other SCM may not even leave the marker files on the disk to sniff out (AccuRev, for example, does not ... hence why I chose it)
The only safe way is to require pom to define at least the SCM system and for those SCM systems where the URI cannot be reliably inferred (I think CVS, Subversion, GIT, HG, in fact most of them) require a URI .