You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@maven.apache.org by Martin Höller <ma...@xss.co.at> on 2011/10/05 09:51:04 UTC
Expected behaviour when repository mirror not reachable
Hi!
What is the expected behaviour if a configured repository mirror is not
reachable? It seems maven 2.2.1 tries to contact to original repository
server, which is absolutely not what I want!
Here are some details and background information: We have a repository manager
(nexus) set up to serve all artifacts. Every user has it configured in
.m2/settings.xml like this (hostname changed):
<mirrors>
<mirror>
<id>nexus-repo</id>
<name>Internal Maven Repository</name>
<url>http://nexus.mycompany.net:8080/nexus/content/groups/public/</url>
<mirrorOf>*</mirrorOf>
</mirror>
</mirrors>
Recently we had a problem on this server, so that nexus was not reachable. If
one tried to build a project during this time, maven silently downloaded
artifacts from the internet. We only noticed this, because one remote
repository returned a 404 HTML page, which led to an invalid pom.xml. No other
errors and no warnings.
This is IMHO really bad behaviour, because you can get JARs into your local
repository from an untrusted source without notifying it!
The only related information I could find was MNG-714. But this doesn't say
anything about maven's behaviour.
Did anybody else notice this behaviour? Is it expected? How could I configure
Maven to report an error instead of going out to the internet?
The problem occured with maven 2.2.1. I didn't test it with maven 3.
Any thoughts?
- martin
Re: Expected behaviour when repository mirror not reachable
Posted by Martin Höller <ma...@xss.co.at>.
Anyone?
On Wednesday 05 October 2011 Martin Höller wrote:
> Hi!
>
> What is the expected behaviour if a configured repository mirror is not
> reachable? It seems maven 2.2.1 tries to contact to original repository
> server, which is absolutely not what I want!
>
> Here are some details and background information: We have a repository
> manager (nexus) set up to serve all artifacts. Every user has it
> configured in .m2/settings.xml like this (hostname changed):
>
> <mirrors>
> <mirror>
> <id>nexus-repo</id>
> <name>Internal Maven Repository</name>
>
> <url>http://nexus.mycompany.net:8080/nexus/content/groups/public/</url>
> <mirrorOf>*</mirrorOf>
> </mirror>
> </mirrors>
>
> Recently we had a problem on this server, so that nexus was not
> reachable. If one tried to build a project during this time, maven
> silently downloaded artifacts from the internet. We only noticed this,
> because one remote repository returned a 404 HTML page, which led to an
> invalid pom.xml. No other errors and no warnings.
>
> This is IMHO really bad behaviour, because you can get JARs into your
> local repository from an untrusted source without notifying it!
>
> The only related information I could find was MNG-714. But this doesn't
> say anything about maven's behaviour.
>
> Did anybody else notice this behaviour? Is it expected? How could I
> configure Maven to report an error instead of going out to the internet?
>
> The problem occured with maven 2.2.1. I didn't test it with maven 3.
>
> Any thoughts?
> - martin