You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Kalle Korhonen (JIRA)" <ji...@codehaus.org> on 2010/02/11 19:50:57 UTC

[jira] Commented: (MEV-649) log4j 1.2.15 points to nonfuctional maven-repository.dev.java.net packages breaking whole build

    [ http://jira.codehaus.org/browse/MEV-649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=209847#action_209847 ] 

Kalle Korhonen commented on MEV-649:
------------------------------------

I had filed https://issues.apache.org/bugzilla/show_bug.cgi?id=48216 to mark the optional log4j dependencies as optional (but status is still NEW)

> log4j 1.2.15 points to nonfuctional maven-repository.dev.java.net packages breaking whole build
> -----------------------------------------------------------------------------------------------
>
>                 Key: MEV-649
>                 URL: http://jira.codehaus.org/browse/MEV-649
>             Project: Maven Evangelism
>          Issue Type: Bug
>            Reporter: Jan Uhlir
>            Assignee: Carlos Sanchez
>
> Log4j 2.1.15 dependency from central repository has dependencies linked to https://maven-repository.dev.java.net/nonav/repository -  jmxri, jmxtools and java mail (and others?). These denpendencies are broken or the whole external repository is unaccesible by now.
> Is it even permitted to have "external" dependency for a package in central repository? 
> I found it hard to find how to disable a repository (block a repository) so I am using this opportunity for a micro how to for unlucky ones like me.
> Troubled dependency definition:
> <dependency>
> 	<groupId>log4j</groupId>
> 	<artifactId>log4j</artifactId>
> 	<version>1.2.15</version>
> </dependency>
> Error log (shortened) ----------------------
> [INFO] Scanning for projects...
> ...
> [INFO] Copying 1 resource
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
> 353/353b
> 353b downloaded  (jmxri-1.2.1.jar)
> 357/357b
> 357b downloaded  (jmxtools-1.2.1.jar)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - RETRYING
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
> 353/353b
> 353b downloaded  (jmxri-1.2.1.jar)
> [WARNING] [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - IGNORING
> *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - RETRYING
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
> 357/357b
> 357b downloaded  (jmxtools-1.2.1.jar)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - IGNORING
> ...
> [INFO] Compilation failure
> ...
> error: error reading /opt/javalibs/com/sun/jdmk/jmxtools/1.2.1/jmxtools-1.2.1.jar; error in opening zip file
> error: error reading /opt/javalibs/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.jar; error in opening zip file
> Solution (1) - Disable repository (settings.xml).
> Note, it is much more tricky that it seems to be! It gave me hard time before I found out. Documentation should be improved here.
> 1) Tricky, you have to do it for releases and snapshots. There is no repository wide disabling option.
> 2) You have to provide not just same (failing) repository URL but more importantly the same repository ID as it is in ill referencig POM (log4j 2.1.15 in our case)
> 3) Blacklisting repository is something completely different then disabling. Not usable in this case (?). It is not ad hoc settable by user anyway
> OK, here is the code: 
> <profile>
> 	<id>default</id>
> 	...
> 	<repositories>
> 		<repository>
> 			<id>java.net</id>
> 			<!-- IMPORTANT!!! you have to use same ID as in affected POM otherwise it does not work -->
> 			<url>https://maven-repository.dev.java.net/nonav/repository</url>
> 			<releases>
> 				<enabled>false</enabled>
> 			</releases>
> 			<snapshots>
> 				<enabled>false</enabled>
> 			</snapshots>
> 		</repository>
> 	</repositories>
> </profile>
> Solution (2) - exclude the "external" sub-dependencies of log4j 2.1.15, like  jmxri, jmxtools and java mail. And perhaps others. It takes more time to figure out what else "external".  
> Solution (3) - the best one. Use version log4j 2.1.14 instead. It seems to be OK.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira