maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Karl Heinz Marbaise (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MNG-6397) Maven Transitive Dependency Resolution Does Not Respect Repository Definition
Date Wed, 09 May 2018 18:42:00 GMT

    [ https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16469279#comment-16469279
] 

Karl Heinz Marbaise edited comment on MNG-6397 at 5/9/18 6:41 PM:
------------------------------------------------------------------

If you don't like my "work around" sorry...the {{settings.xml}} is the solution to that particular
problem. If you have already a build system this should already being configured correctly
that way otherwise it not correctly configured (for example you should use config file provider
plugin which offers this exactly for the settings.xml) ...

I would suggest to define a {{<mirrorOf>*</mirrorOf>}} which is easier...

The point is that you are expecting to overwrite the repository definitions of the dependencies/transitive
dependencies which is not possible by using a repository entry in the pom.

The point is that each pom/artifact maintainer can put repository definitions into their pom
file (which is not a good idea cause it exactly happens what here is described...different
story)...which results in exactly this situation. There for you have the option via {{settings.xml}}
and define a mirror which redirects all request from each pom through the given mirror.

If you don't like the solution or is not acceptable for you than please provide a patch(es)
to solve it the way you like it...


was (Author: khmarbaise):
If you don't like my "work around" sorry...the {{settings.xml}} is the solution to that particular
problem. If you have already a build system this should already being configured correctly
that way otherwise it not correctly configured (for example you should use config file provider
plugin which offers this exactly for the settings.xml) ...

The point is that you are expecting to overwrite the repository definitions of the dependencies/transitive
dependencies which is not possible by using a repository entry in the pom.

The point is that each pom/artifact maintainer can put repository definitions into their pom
file (which is not a good idea cause it exactly happens what here is described...different
story)...which results in exactly this situation. There for you have the option via {{settings.xml}}
and define a mirror which redirects all request from each pom through the given mirror.

If you don't like the solution or is not acceptable for you than please provide a patch(es)
to solve it the way you like it...

> Maven Transitive Dependency Resolution Does Not Respect Repository Definition
> -----------------------------------------------------------------------------
>
>                 Key: MNG-6397
>                 URL: https://issues.apache.org/jira/browse/MNG-6397
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories, Dependencies, POM
>    Affects Versions: 3.5.0, 3.5.2, 3.5.3
>         Environment: Apache Maven 3.5.0 (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00)
> Maven home: /usr/local/share/maven
> Java version: 1.8.0_161, vendor: Oracle Corporation
> Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"
>            Reporter: Alan Czajkowski
>            Priority: Critical
>              Labels: maven
>
> _*Note:* I am trying to do a build behind a firewall which means I cannot access the
Internet, I can only access my internal Maven repository inside my network, so:_
> - _grabbing artifacts from https://artifacts.example.com/repository/maven/ works fine_
> - _grabbing artifacts from anywhere fails due to firewall restrictions_
> Let's begin:
> My {{pom.xml}} has the following:
> {code:xml}
> ...
>     <dependencies>
> ...
>         <dependency>
>             <groupId>org.springframework.boot</groupId>
>             <artifactId>spring-boot-starter-web</artifactId>
>             <version>2.0.0.RELEASE</version>
>         </dependency>
> ...
>     </dependencies>
> ...
>     <repositories>
> ...
>         <repository>
>             <id>central</id>
>             <name>Public</name>
>             <url>https://artifacts.example.com/repository/maven/</url>
>             <releases>
>                 <enabled>true</enabled>
>             </releases>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>         </repository>
> ...
>     </repositories>
> ...
> {code}
> The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows:
> {code:java}
> +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
> |  +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
> |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
> |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
> |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
> |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile
> |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile
> |  +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
> |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
> |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
> |  |  \- com.fasterxml:classmate:jar:1.3.1:compile
> |  \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
> {code}
> How is it that the build fails as such:
> {code:java}
> ...
> Downloading: https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading: https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> ...
> [ERROR] Failed to execute goal on project maven-multi-module-demo-backend: Could not
resolve dependencies for project com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT:
Failed to collect dependencies at org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE
-> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read artifact
descriptor for org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not transfer
artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to spring-milestone (https://repo.spring.io/milestone):
Connection reset -> [Help 1]
> ...
> {code}
> when I did not even reference this repo {{spring-milestone ([https://repo.spring.io/milestone])}}
anywhere in my {{pom.xml}}?
> When you go down the Spring Boot rabbit hole (go into the {{spring-boot-starter-web}}'s
{{pom.xml}} and then traverse up its parent-pom structure a few jumps) you'll eventually get
to a parent-pom {{spring-boot-dependencies}} with this definition:
> {code:xml}
> ...
>     <repositories>
>         <repository>
>             <snapshots>
>                 <enabled>false</enabled>
>             </snapshots>
>             <id>spring-milestone</id>
>             <name>Spring Milestone</name>
>             <url>https://repo.spring.io/milestone</url>
>         </repository>
>         <repository>
>             <snapshots>
>                 <enabled>true</enabled>
>             </snapshots>
>             <id>spring-snapshot</id>
>             <name>Spring Snapshot</name>
>             <url>https://repo.spring.io/snapshot</url>
>         </repository>
>         <repository>
>             <snapshots>
>                 <enabled>false</enabled>
>             </snapshots>
>             <id>rabbit-milestone</id>
>             <name>Rabbit Milestone</name>
>             <url>https://dl.bintray.com/rabbitmq/maven-milestones</url>
>         </repository>
>     </repositories>
> ...
> {code}
> How is it that the Maven build does _not_ even attempt to reach out to [https://artifacts.example.com/repository/maven/]
to try to find the missing dependency {{shrinkwrap-bom}}? and only reaches out to the above
repos only and not the one defined in my own {{pom.xml}}?
> *This seems like a transitive dependency resolution bug to me as the Maven build does
not even make a single attempt at trying to get {{shrinkwrap-bom}} from the {{<repository>}}
that I have explicitly defined in my {{pom.xml}}. The (grand)parents of the {{spring-boot-starter-web}}
dependency completely hi-jack the repository list that the build pulls from (this type of
hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist in [https://artifacts.example.com/repository/maven/]
and can be fetched no problem if it is explicitly defined in my {{pom.xml}} but defining it
explicitly would be a work-around and I cannot use this work-around in my situation.*



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message