Posted to issues@maven.apache.org by "Kalle Korhonen (JIRA)" <ji...@codehaus.org> on 2010/02/11 19:50:57 UTC
[jira] Commented: (MEV-649) log4j 1.2.15 points to nonfunctional
maven-repository.dev.java.net packages breaking whole build
[ http://jira.codehaus.org/browse/MEV-649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=209847#action_209847 ]
Kalle Korhonen commented on MEV-649:
------------------------------------
I had filed https://issues.apache.org/bugzilla/show_bug.cgi?id=48216 to mark the optional log4j dependencies as optional (but status is still NEW)
> log4j 1.2.15 points to nonfunctional maven-repository.dev.java.net packages breaking whole build
> -----------------------------------------------------------------------------------------------
>
> Key: MEV-649
> URL: http://jira.codehaus.org/browse/MEV-649
> Project: Maven Evangelism
> Issue Type: Bug
> Reporter: Jan Uhlir
> Assignee: Carlos Sanchez
>
> Log4j 2.1.15 dependency from central repository has dependencies linked to https://maven-repository.dev.java.net/nonav/repository - jmxri, jmxtools and java mail (and others?). These dependencies are broken or the whole external repository is inaccessible by now.
> Is it even permitted to have "external" dependency for a package in central repository?
> I found it hard to find how to disable a repository (block a repository) so I am using this opportunity for a micro how-to for unlucky ones like me.
> Troubled dependency definition:
> <dependency>
>   <groupId>log4j</groupId>
>   <artifactId>log4j</artifactId>
>   <version>1.2.15</version>
> </dependency>
> Error log (shortened) ----------------------
> [INFO] Scanning for projects...
> ...
> [INFO] Copying 1 resource
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
> 353/353b
> 353b downloaded (jmxri-1.2.1.jar)
> 357/357b
> 357b downloaded (jmxtools-1.2.1.jar)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - RETRYING
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
> 353/353b
> 353b downloaded (jmxri-1.2.1.jar)
> [WARNING] [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = 'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - IGNORING
> *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - RETRYING
> Downloading: https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
> 357/357b
> 357b downloaded (jmxtools-1.2.1.jar)
> [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - IGNORING
> ...
> [INFO] Compilation failure
> ...
> error: error reading /opt/javalibs/com/sun/jdmk/jmxtools/1.2.1/jmxtools-1.2.1.jar; error in opening zip file
> error: error reading /opt/javalibs/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.jar; error in opening zip file
> Solution (1) - Disable repository (settings.xml).
> Note, it is much more tricky than it seems to be! It gave me a hard time before I found out. Documentation should be improved here.
> 1) Tricky, you have to do it for releases and snapshots. There is no repository wide disabling option.
> 2) You have to provide not just the same (failing) repository URL but, more importantly, the same repository ID as in the ill-referencing POM (log4j 2.1.15 in our case)
> 3) Blacklisting a repository is something completely different than disabling. Not usable in this case (?). It is not ad hoc settable by the user anyway
> OK, here is the code:
> <profile>
>   <id>default</id>
>   ...
>   <repositories>
>     <repository>
>       <id>java.net</id>
>       <!-- IMPORTANT!!! you have to use same ID as in affected POM otherwise it does not work -->
>       <url>https://maven-repository.dev.java.net/nonav/repository</url>
>       <releases>
>         <enabled>false</enabled>
>       </releases>
>       <snapshots>
>         <enabled>false</enabled>
>       </snapshots>
>     </repository>
>   </repositories>
> </profile>
> Solution (2) - exclude the "external" sub-dependencies of log4j 2.1.15, like jmxri, jmxtools and java mail. And perhaps others. It takes more time to figure out what else is "external".
> Solution (3) - the best one. Use version log4j 2.1.14 instead. It seems to be OK.
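The error log quoted in the issue shows an HTML page (remote checksum `'<!DOCTYPE'`) being cached as jmxri-1.2.1.jar and jmxtools-1.2.1.jar after the checksum warning was ignored. The Python script below is an added example, not part of the original message or of Maven: it scans a local repository for jars left in that state. The function names, the sample repository built in `demo()` and the assumption that the fetched checksum is cached beside the jar as `<name>.jar.sha1` are all introduced here for illustration.

```python
import hashlib
import io
import re
import tempfile
import zipfile
from pathlib import Path

SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

def check_artifact(jar: Path) -> list[str]:
    """Return the problems found for one cached jar (empty list means OK)."""
    problems = []
    data = jar.read_bytes()
    if not zipfile.is_zipfile(io.BytesIO(data)):
        head = data[:64].lstrip().lower()
        kind = "HTML page" if head.startswith((b"<!doctype", b"<html")) else "non-zip data"
        problems.append(f"{kind} stored as jar ({len(data)} bytes)")
    # Assumption: the checksum that was fetched is cached as <name>.jar.sha1.
    sidecar = jar.with_name(jar.name + ".sha1")
    if sidecar.exists():
        match = SHA1_RE.search(sidecar.read_text(errors="replace"))
        if match is None:
            problems.append("sha1 sidecar contains no digest")
        elif match.group(0).lower() != hashlib.sha1(data).hexdigest():
            problems.append("sha1 mismatch")
    return problems

def scan_repo(root: Path) -> dict[str, list[str]]:
    """Map each suspect jar (path relative to root) to its problems."""
    found = ((j.relative_to(root).as_posix(), check_artifact(j)) for j in sorted(root.rglob("*.jar")))
    return {name: problems for name, problems in found if problems}

def demo() -> dict[str, list[str]]:
    # Constructed sample: one real zip with a matching digest, one HTML page cached as a jar.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "log4j/log4j/1.2.14/log4j-1.2.14.jar"
        bad = root / "com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.jar"
        for path in (good, bad):
            path.parent.mkdir(parents=True)
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        good.with_name(good.name + ".sha1").write_text(hashlib.sha1(good.read_bytes()).hexdigest())
        html = b"<!DOCTYPE html><html><body>constructed error page</body></html>"
        bad.write_bytes(html)                                # HTML served in place of the jar
        bad.with_name(bad.name + ".sha1").write_bytes(html)  # and in place of its checksum
        return scan_repo(root)

if __name__ == "__main__":
    print(demo())
```

To check a real cache, call `scan_repo()` on the local repository directory (the log above uses /opt/javalibs); any jar it reports should be deleted before the next build so that it is fetched again.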