maven-users mailing list archives

From Steve Cohen
Subject Re: Bad jar in maven central?
Date Sat, 23 Jan 2010 19:20:24 GMT
I now think I know what must have happened.  There wasn't anything wrong
with Maven Central.

To debug an earlier flaw in my build it was suggested to me that I
download the entire cxf distribution, so that I might run wsdl2java from
the command line.  I downloaded the source distribution and tried to run
the build.  It eventually succeeded (?).  I wasn't expecting it to
update my local repository but it did.  I'm supposing that somehow it
created this bad jar.  Had I kept a copy of it I could have at least
seen the date and studied its provenance.  But this explanation makes
more sense.

Christoph Kutzinski wrote:
> If your 2nd build (after deleting the corrupted jar) worked, then
> obviously the jar on maven central is correct - where would the 2nd
> build otherwise get the correct jar from?
> Did you check directly on Maven central that the jar in question is the
> 'correct' one?
> Which leaves us with 4 options, I guess:
> 1) the previously downloaded jar on your machine got somehow corrupted
> while downloading it from central. I have never seen this happen and it
> would be highly unlikely that it would be in a correct JAR format afterwards
> 2) the JAR was somehow corrupted while being in your local repository.
> Also very unlikely
> 3) you got the jar from somewhere else than central
> 4) you used another version of the jar before - do you and did you have
> the version fixed to 2.2.5 in your POM?
> Regarding what can be done to prevent this - I can only speak
> theoretically as I don't know the Maven code which handles this:
> - Maven (central) can obviously do very little against uploads of
> 'incomplete' - i.e. syntactically correct, but missing some content -
> JARs as it cannot guess what should be in it
> - Maven should check for corruptions of downloaded JARs. I'm pretty sure
> it does that already otherwise build hell would break loose.
> - You should seriously consider using a repository manager like
> Artifactory or Nexus
> Christoph
> Steve Cohen wrote:
>> I had a build adventure today which manifested itself as a
>> NoClassFoundException.  Trying to get to the bottom of this, I was
>> looking into the code on a different machine from the one where this
>> build took place.  I wanted to try to determine what jar contained the
>> class I was missing, to try and figure out where my dependencies were
>> messed up.  I could see no reason for it.  I looked at the dependent
>> jars in Eclipse and it looked like everything was in order.
>> Back at the machine where the problem occurred, I tried to do the same
>> thing.  I couldn't find the missing class in my dependent jars.  I
>> looked at the jar where the class had been found on the other machine,
>> and was surprised to see that it was a 7K shell of what was supposed to
>> be a 383K jar.  It was a well-formed jar, with only a META-INF folder.
>> The jar in question was cxf-rt-core-2.2.5.jar from apache cxf.
>> This jar can only have come from a public repository
>> ( that my local installation points to.  I
>> deleted it (looking back I should have probably saved a copy) and the
>> next build brought the correct jar down.  How often do obviously
>> incorrect jars make it into public repositories and what can be done
>> about such a thing?
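
Added example, not part of the original thread: a local-repository audit that flags the two conditions discussed above, a well-formed jar holding nothing but META-INF and a jar whose SHA-1 does not match its recorded checksum. It assumes the local repository keeps a `.sha1` file beside each jar it downloaded from a remote repository; the function names, finding labels and sample jars are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha1_of(path):
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()

def audit_jar(jar):
    """Return findings for one jar; an empty list means nothing suspicious."""
    jar, findings = Path(jar), []
    try:
        with zipfile.ZipFile(jar) as zf:
            if zf.testzip() is not None:  # CRC failure in an entry
                findings.append("corrupt-entry")
            # Well-formed archive with nothing outside META-INF (the thread's case).
            if all(n.endswith("/") or n.upper().startswith("META-INF/") for n in zf.namelist()):
                findings.append("meta-inf-only")
    except zipfile.BadZipFile:
        findings.append("not-a-zip")
    sidecar = jar.with_name(jar.name + ".sha1")
    if not sidecar.exists():
        # Assumption: no sidecar suggests a local install rather than a remote download.
        findings.append("no-sha1-sidecar")
    else:
        tokens = sidecar.read_text().split()  # "digest" or "digest  filename"
        if not tokens or tokens[0].lower() != sha1_of(jar):
            findings.append("sha1-mismatch")
    return findings

def audit_repo(root):
    report = {p.relative_to(root).as_posix(): audit_jar(p) for p in sorted(Path(root).rglob("*.jar"))}
    return {name: found for name, found in report.items() if found}

def build_sample_repo(root):
    """Constructed sample data: intact jar, META-INF-only shell, jar with wrong digest."""
    root = Path(root)
    for name, entries in [("good-1.0.jar", ["META-INF/MANIFEST.MF", "org/example/A.class"]),
                          ("shell-1.0.jar", ["META-INF/MANIFEST.MF"]),
                          ("changed-1.0.jar", ["META-INF/MANIFEST.MF", "org/example/B.class"])]:
        with zipfile.ZipFile(root / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"constructed")
    (root / "good-1.0.jar.sha1").write_text(sha1_of(root / "good-1.0.jar"))
    (root / "changed-1.0.jar.sha1").write_text("0" * 40 + "  changed-1.0.jar\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(audit_repo(tmp))
```

Calling `audit_repo` on a local repository directory (by default `~/.m2/repository`) returns only the jars with findings, so a suspect jar can be copied aside for inspection before it is deleted.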