Posted to commits@maven.apache.org by hb...@apache.org on 2021/03/24 07:13:11 UTC
[maven-site] branch master updated: how to fix blocked HTTP repositories?
This is an automated email from the ASF dual-hosted git repository.
hboutemy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-site.git
The following commit(s) were added to refs/heads/master by this push:
new 9dbda8b how to fix blocked HTTP repositories?
9dbda8b is described below
commit 9dbda8b391f15b4339c5f958ef45a027d8dac50b
Author: Hervé Boutemy <hb...@apache.org>
AuthorDate: Wed Mar 24 08:12:40 2021 +0100
how to fix blocked HTTP repositories?
---
content/markdown/docs/3.8.0/release-notes.md | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/content/markdown/docs/3.8.0/release-notes.md b/content/markdown/docs/3.8.0/release-notes.md
index 213decb..005d582 100644
--- a/content/markdown/docs/3.8.0/release-notes.md
+++ b/content/markdown/docs/3.8.0/release-notes.md
@@ -51,8 +51,8 @@ This release covers two CVEs:
At the same time, developers are probably not aware that for some downloads an insecure URL is being used.
Because uploaded POMs to Maven Central are immutable, a change for Maven was required.
To solve this, we extended the mirror configuration with `<blocked>` parameter,
- and we added a new `external:http:*` mirror selector extending existing `external:*`, meaning any external URL using HTTP.\
- The decision was made to make this the new default behavior: this is done by providing a mirror in the `conf/settings.xml` blocking insecure HTTP external URLs by default.
+ and we added a new `external:http:*` mirror selector (like existing `external:*`), meaning "any external URL using HTTP".\
+ The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the `conf/settings.xml` blocking insecure HTTP external URLs.
- Possible Domain Hijacking due to custom repositories using abandoned domains\
Sonatype has analyzed which domains were abandoned and has claimed these domains.
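Review bot: the reworded sentence about the default in this hunk states the blocking twice ("block such external HTTP repositories by default" and then "blocking insecure HTTP external URLs") and still does not name the mirror that does it. Consider ending it with the mirror id, for example "this is done by the `maven-default-http-blocker` mirror provided in `conf/settings.xml`", so that readers who hit the error message quoted in the new section further down can connect it to this paragraph. The unchanged line just above also reads "with `<blocked>` parameter" and needs an article ("with a `<blocked>` parameter").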
@@ -74,13 +74,31 @@ This release covers two CVEs:
## Why does this version have the value 3.8.0?
- Why not 3.6.4?\
- This is not just a bugfix as it contains three features. Also due a change of default behavior (external HTTP insecure URLs are now blocked by default), it makes sense to increase the minor version.
+ This is not just a bugfix as it contains three features that **cause a change of default behavior** (external HTTP insecure URLs are now blocked by default):
+ your builds may fail when using this new Maven release, if you use now blocked repositories. Please check and eventually fix before upgrading.
- Why not 3.7.0?\
Apache Maven 3.7.0 has been advertised in the past that it would be the first release where you could optionally activate the build/consumer feature:
the version containing this feature has been renamed to 4.0.0.
Reusing 3.7.0 might lead to confusion, hence we picked the next available minor version.
+## How to fix when I get a HTTP repository blocked?
+
+ If the repository is defined in your `pom.xml`, please fix it in your source code.
+
+ If the repository is defined in one of your dependencies POM, you'll get a message like:
+
+```
+[ERROR] Failed to execute goal on project test: Could not resolve dependencies for project xxx: Failed to collect dependencies at my.test:dependency:version -> my.test.transitive:transitive:version: Failed to read artifact descriptor for my.test.transitive:transitive:jar:version: Could not transfer artifact my.test.transitive:transitive:pom:version from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [blocked-repository-id (http://blocked.repository.org, [...]
+
+```
+
+ Options to fix are:
+
+ - upgrade the dependency version to a newer version that replaced the obsolete HTTP repository URL with a HTTPS one,
+
+ - keep the dependency version but [define a mirror in your settings](/guides/mini/guide-mirror-settings.html).
+
## The detailed issue list[](#Details)
New Feature
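Review bot: the second option in the new "How to fix" section ("define a mirror in your settings") does not say what the mirror should point to, so a reader may configure one that brings back the insecure HTTP download this release blocks. Say explicitly that the mirror URL should be HTTPS or a repository manager you trust, and in the first paragraph say that fixing the `pom.xml` means switching the repository URL to HTTPS. Three wording points in the same hunk: "three features that **cause a change of default behavior**" now attributes the default change to all three features, where the removed line listed it as a separate reason, so check that this is intended; "Please check and eventually fix before upgrading" likely means "fix if needed"; and the heading and "one of your dependencies POM" would read better as "How to fix a blocked HTTP repository?" and "the POM of one of your dependencies". The blank line before the closing fence of the error sample can also be dropped.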