maven-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reto Bachmann-Gmür <r...@gmuer.ch>
Subject Re: unwanted repository, how does maven locate it
Date Wed, 10 Feb 2010 20:24:45 GMT
ok, the evil-doer is

http://repo2.maven.org/maven2/log4j/log4j/1.2.15/log4j-1.2.15.pom

it was a bit tricky to find as an older harmless version of it showed up in
the dependency tree. Others are having the problem as well:
http://jira.codehaus.org/browse/MEV-649

Cheers,
reto

On Wed, Feb 10, 2010 at 7:57 PM, Reto Bachmann-Gmür <reto@gmuer.ch> wrote:

> thanks for the reply. I tried looking for this and found that
>
> http://repo2.maven.org/maven2/com/hp/hpl/jena/arq/2.8.2/arq-2.8.2.pom
>
> references another repo, but its not the dev.java.net one. I assumed for
> the repository to be used it would have to be defined on the path to the
> dependency, or can it be just anywhere?
>
> an extract from the output of the build process:
>
> ...
> [INFO] snapshot
> org.apache.clerezza:org.apache.clerezza.rdf.jena.storage:0.5-incubating-SNAPSHOT:
> checking for updates from ops4j
> [INFO] snapshot
> org.apache.clerezza:org.apache.clerezza.rdf.jena.storage:0.5-incubating-SNAPSHOT:
> checking for updates from apache
> [WARNING] POM for 'javax.jms:jms:pom:1.1:compile' is invalid.
>
> Its dependencies (if any) will NOT be available to the current build.
> Downloading:
> http://repository.ops4j.org/mvn-snapshots//com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.pom
> [INFO] Unable to find resource 'com.sun.jmx:jmxri:pom:1.2.1' in repository
> ops4j (http://repository.ops4j.org/mvn-snapshots/)
> Downloading:
> http://repository.apache.org/content/groups/snapshots-group/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.pom
> [INFO] Unable to find resource 'com.sun.jmx:jmxri:pom:1.2.1' in repository
> apache (http://repository.apache.org/content/groups/snapshots-group)
> Downloading:
> http://openjena.org/repo/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.pom
> [INFO] Unable to find resource 'com.sun.jmx:jmxri:pom:1.2.1' in repository
> repo-jena (http://openjena.org/repo)
> Downloading:
> http://openjena.org/repo-dev/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.pom
> [INFO] Unable to find resource 'com.sun.jmx:jmxri:pom:1.2.1' in repository
> repo-jena-dev (http://openjena.org/repo-dev)
> Downloading:
> https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/poms/jmxri-1.2.1.pom
> 353b downloaded  (jmxri-1.2.1.pom)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local =
> 'de02d09af9d9fd6ebe64712281899f4765ff4bd7'; remote = '<!DOCTYPE' - RETRYING
> Downloading:
> https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/poms/jmxri-1.2.1.pom
> 353b downloaded  (jmxri-1.2.1.pom)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local =
> 'de02d09af9d9fd6ebe64712281899f4765ff4bd7'; remote = '<!DOCTYPE' - IGNORING
> [WARNING] POM for 'com.sun.jmx:jmxri:pom:1.2.1:compile' is invalid.
>
> Its dependencies (if any) will NOT be available to the current build.
> [INFO] snapshot
> org.apache.clerezza:org.apache.clerezza.rdf.core.test:0.13-incubating-SNAPSHOT:
> checking for updates from ops4j
> ...
>
> any hint on how to locate the evil doing pom?
>
> Cheers,
> reto
>
>
>
> On Wed, Feb 10, 2010 at 7:45 PM, Todd Thiessen <tthiessen@avaya.com>wrote:
>
>> A pom you depend on my have defined it in its pom. To be absolutely sure
>> you only reference the repos you want, you would need to mirror all repos to
>> your own trusted local repository using a repo manager.
>>
>> Good discussion about that here:
>>
>>
>> http://www.sonatype.com/people/2009/02/why-putting-repositories-in-your-poms-is-a-bad-idea/
>>
>> ---
>> Todd Thiessen
>>
>>
>> > -----Original Message-----
>> > From: Reto Bachmann-Gmür [mailto:reto@gmuer.ch]
>> > Sent: Wednesday, February 10, 2010 1:40 PM
>> > To: Maven Users List
>> > Subject: unwanted repository, how does maven locate it
>> >
>> > hello
>> >
>> > I have the following problem using maven 2.2.1 (on
>> > minerva.apache.org):
>> > maven continuos to download a broken jar and pom from
>> > https://maven-repository.dev.java.net/nonav/repository/com.sun
>> > .jmx/jars/
>> >
>> > Th epatch to the dependency is as follows:
>> > [INFO] +- com.hp.hpl.jena:tdb:jar:0.8.4:compile
>> > [INFO] |  \- com.hp.hpl.jena:arq:jar:2.8.2:compile
>> > [INFO] |     +- org.codehaus.woodstox:wstx-asl:jar:3.2.9:compile
>> > [INFO] |     |  \- stax:stax-api:jar:1.0.1:compile
>> > [INFO] |     +- org.apache.lucene:lucene-core:jar:2.3.1:compile
>> > [INFO] |     +- org.slf4j:slf4j-log4j12:jar:1.5.6:compile
>> > [INFO] |     \- log4j:log4j:jar:1.2.14:compile
>> > [INFO] |        +- javax.mail:mail:jar:1.4:compile
>> > [INFO] |        +- javax.jms:jms:jar:1.1:compile
>> > [INFO] |        +- com.sun.jdmk:jmxtools:jar:1.2.1:compile
>> > [INFO] |        \- com.sun.jmx:jmxri:jar:1.2.1:compile
>> >
>> > the dev.java.net repository is neither in my pom, nor its
>> > parent nor in a settings.xml file, any idea why maven tries
>> > to download artifacts from there?
>> >
>> > cheers
>> > reto
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
>> > For additional commands, e-mail: users-help@maven.apache.org
>> >
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
>> For additional commands, e-mail: users-help@maven.apache.org
>>
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message