Posted to dev@maven.apache.org by "Brian E. Fox" <br...@reply.infinity.nu> on 2007/11/08 19:12:16 UTC

Bad artifacts in Atlassian's Maven repository

All,

I posted a message to the Cenqua technical support forum
(http://www.cenqua.com/forums/thread.jspa?threadID=3318) with the
following content:

 

I recently came across a concerning issue regarding the Atlassian
repository used now to house the clover tools and clover maven plugin.
This repository contains many artifacts that are duplicated on the
central repository but are not authored (that I can tell) by Atlassian.
Even more concerning, I have found snapshots of certain artifacts,
specifically org.apache.maven.plugins are hosted here. 

 

This can cause lots of grief to users of the Atlassian tools by
introducing incorrect artifacts into their build. I personally observed
this today and spent some time tracing it back to this repository.

 

The repository url is: http://repository.atlassian.com/maven2/org/

 

Duplicated artifacts after a quick compare of Atlassian and
http://repo1.maven.org/maven2

Org/tmatesoft/svnkit
Org/openxri/
Org/openid4java
Org/jfree (jfree on repo1)
Org/codehaus/cargo ****snapshots
Org/codehaus/xfire
Org/apache/* ****Snapshots of plugins among others

 

The best practice is not to mix snapshots and releases together in the
same repository. Even though maven can be told which repos to use for
snapshots and releases, the metadata from a merged repository such as
Atlassian can contain information about snapshots that causes build
problems.

 

As a service to your users, my strong suggestion is to remove all
artifacts that already exist on central, most importantly org/apache and
org/codehaus. I would also suggest that snapshots of all artifacts be
removed from this repo and placed in a separate snapshot repository.

 

Thanks,

Brian Fox

Apache Maven PMC Member
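
Added example, not part of the original post and not Maven's own code: a small audit of one `maven-metadata.xml` document for the two problems the message above describes, snapshot versions listed in a release repository and groups that belong to another publisher. The sample metadata, its version numbers, the `example-plugin` artifactId and the `UPSTREAM_GROUPS` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: metadata as a merged repository might serve it for a
# plugin it does not author (artifactId and versions are made up).
SAMPLE_METADATA = """<metadata>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>example-plugin</artifactId>
  <versioning>
    <latest>2.1-SNAPSHOT</latest>
    <release>2.0</release>
    <versions>
      <version>1.0</version>
      <version>2.0</version>
      <version>2.1-SNAPSHOT</version>
    </versions>
  </versioning>
</metadata>"""

# Assumption: groups this build expects to come only from the central repository.
UPSTREAM_GROUPS = ("org.apache", "org.codehaus")


def in_groups(group, prefixes):
    """True if group equals one of the prefixes or is a sub-group of it."""
    return any(group == p or group.startswith(p + ".") for p in prefixes)


def audit_metadata(xml_text, repo_owner_groups=()):
    """Return (finding, values) tuples for one maven-metadata.xml document."""
    root = ET.fromstring(xml_text)
    group = root.findtext("groupId", default="")
    versioning = root.find("versioning")
    findings = []
    if versioning is not None:
        versions = [v.text or "" for v in versioning.iter("version")]
        snapshots = [v for v in versions if v.endswith("-SNAPSHOT")]
        if snapshots:
            # Snapshot versions advertised next to releases in one repository.
            findings.append(("snapshot-in-release-repo", snapshots))
        latest = versioning.findtext("latest", default="")
        if latest.endswith("-SNAPSHOT"):
            # The repository's "latest" pointer names a snapshot build.
            findings.append(("latest-points-to-snapshot", [latest]))
    if in_groups(group, UPSTREAM_GROUPS) and not in_groups(group, repo_owner_groups):
        # The repository serves a group owned by another publisher.
        findings.append(("shadows-upstream-group", [group]))
    return findings
```

Running `audit_metadata` over every metadata file mirrored from a third-party repository gives a list of groups and versions to review before that repository is added to a build.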


RE: Bad artifacts in Atlassian's Maven repository

Posted by "Brian E. Fox" <br...@reply.infinity.nu>.
Even better for the users.

-----Original Message-----
From: carlossg@gmail.com [mailto:carlossg@gmail.com] On Behalf Of Carlos
Sanchez
Sent: Thursday, November 08, 2007 7:17 PM
To: Maven Developers List
Subject: Re: Bad artifacts in Atlassian's Maven repository

They should just sync their clover stuff into central




-- 
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
                             -- The Princess Bride

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org




Re: Bad artifacts in Atlassian's Maven repository

Posted by Carlos Sanchez <ca...@apache.org>.
They should just sync their clover stuff into central




-- 
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
                             -- The Princess Bride



Re: Bad artifacts in Atlassian's Maven repository

Posted by James William Dumay <ja...@atlassian.com>.
Hey Brian,

> I recently came across a concerning issue regarding the Atlassian
> repository used now to house the clover tools and clover maven plugin.
> This repository contains many artifacts that are duplicated on the
> central repository but are not authored (that I can tell) by Atlassian.
> Even more concerning, I have found snapshots of certain artifacts,
> specifically org.apache.maven.plugins are hosted here. 

This is also concerning to us. We have been working on an internal
project to clean up our build system and our repositories - so currently
a work in progress.

I think some developers here have ended up publishing some maven plugins
to the Atlassian public repository because they were not aware of the
Maven Snapshot repository.

> This can cause lots of grief to users of the Atlassian tools by
> introducing incorrect artifacts into their build. I personally observed
> this today and spent some time tracing it back to this repository.

We have had a lot of issues with this ourselves. Before I was hired
Atlassian did not have someone who really looked after this at all. So
in the next few months you should see these sorts of issues go away.

> 
> Duplicated artifacts after a quick compare of Atlassian and
> http://repo1.maven.org/maven2
> 
>  
> 
> Org/tmatesoft/svnkit
> 
> Org/openxri/
> 
> Org/openid4java
> 
> Org/jfree (jfree on repo1)
> 
> Org/codehaus/cargo ****snapshots
> 
> Org/codehaus/xfire
> 
> Org/apache/* ****Snapshots of plugins among others

Some of these may have been patched along the way. I'll add this to my
list of artifacts to review.

> The best practice is not to mix snapshots and releases together in the
> same repository. Even though maven can be told which repos to use for
> snapshots and releases, the metadata from a merged repository such as
> Atlassian can contain information about snapshots that causes build
> problems.

> 
> As a service to your users, my strong suggestion is to remove all
> artifacts that already exist on central, most importantly org/apache and
> org/codehaus. I would also suggest that snapshots of all artifacts be
> removed from this repo and placed in a separate snapshot repository.

The split has been made some months back - all of our builds now deploy
to either release or snapshot repositories but we have not yet separated
the existing artifacts from their released and snapshot counterparts.

Thanks for your concerns and advice. I'll keep the list posted on how we
progress.

Cheers
James

