Posted to users@maven.apache.org by Steve Cohen <sc...@javactivity.org> on 2010/01/23 02:19:59 UTC

Bad jar in maven central?

I had a build adventure today which manifested itself as a
NoClassFoundException.  Trying to get to the bottom of this, I was
looking into the code on a different machine from the one where this
build took place.  I wanted to try to determine what jar contained the
class I was missing, to try and figure out where my dependencies were
messed up.  I could see no reason for it.  I looked at the dependent
jars in Eclipse and it looked like everything was in order.

Back at the machine where the problem occurred, I tried to do the same
thing.  I couldn't find the missing class in my dependent jars.  I
looked at the jar where the class had been found on the other machine,
and was surprised to see that it was a 7K shell of what was supposed to
be a 383K jar.  It was a well-formed jar, with only a META-INF folder.
The jar in question was cxf-rt-core-2.2.5.jar from apache cxf.

This jar can only have come from a public repository
(http://repo1.maven.org/maven2) that my local installation points to.  I
deleted it (looking back I should have probably saved a copy) and the
next build brought the correct jar down.  How often do obviously
incorrect jars make it into public repositories and what can be done
about such a thing?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org


Re: Bad jar in maven central?

Posted by Steve Cohen <sc...@javactivity.org>.
I now think I know what must have happened.  There wasn't anything wrong
with Maven Central.

To debug an earlier flaw in my build it was suggested to me that I
download the entire cxf distribution, so that I might run wsdl2java from
the command line.  I downloaded the source distribution and tried to run
the build.  It eventually succeeded (?).  I wasn't expecting it to
update my local repository but it did.  I'm supposing that somehow it
created this bad jar.  Had I kept a copy of it I could have at least
seen the date and studied its provenance.  But this explanation makes
more sense.


Christoph Kutzinski wrote:
> If your 2nd build (after deleting the corrupted jar) worked, then
> obviously the jar on maven central is correct - where would the 2nd
> build get otherwise the correct jar from?
> Did you check directly on Maven central that the jar in question is the
> 'correct' one?
> 
> Which leaves us with 4 options, I guess:
> 1) the previously downloaded jar on your machine got somehow corrupted
> while downloading it from central. I never had seen this happen and it
> would be highly unlikely that it would be in a correct JAR format afterwards
> 2) the JAR was somehow corrupted while being in your local repository.
> Also very unlikely
> 3) you got the jar from somewhere else than central
> 4) you used another version of the jar before - do you and did you have
> the version fixed to 2.2.5 in your POM?
> 
> Regarding what can be done to prevent this - I can only speak
> theoretically as I don't know the Maven code which handles this:
> 
> - Maven (central) can obviously do very little against uploads of
> 'incomplete' - i.e. syntactically correct, but missing some content -
> JARs as it cannot guess what should be in it
> - Maven should check for corruptions of downloaded JARs. I'm pretty sure
> it does that already, otherwise build hell would break loose.
> - You should seriously consider using a repository manager like
> Artifactory or Nexus
> 
> HTH
> Christoph




Re: Bad jar in maven central?

Posted by Christoph Kutzinski <ku...@gmx.de>.
If your 2nd build (after deleting the corrupted jar) worked, then 
obviously the jar on maven central is correct - where would the 2nd 
build get otherwise the correct jar from?
Did you check directly on Maven central that the jar in question is the 
'correct' one?

Which leaves us with 4 options, I guess:
1) the previously downloaded jar on your machine got somehow corrupted 
while downloading it from central. I never had seen this happen and it 
would be highly unlikely that it would be in a correct JAR format afterwards
2) the JAR was somehow corrupted while being in your local repository. 
Also very unlikely
3) you got the jar from somewhere else than central
4) you used another version of the jar before - do you and did you have 
the version fixed to 2.2.5 in your POM?

Regarding what can be done to prevent this - I can only speak 
theoretically as I don't know the Maven code which handles this:

- Maven (central) can obviously do very little against uploads of 
'incomplete' - i.e. syntactically correct, but missing some content - 
JARs as it cannot guess what should be in it
- Maven should check for corruptions of downloaded JARs. I'm pretty sure
it does that already, otherwise build hell would break loose.
- You should seriously consider using a repository manager like 
Artifactory or Nexus

HTH
Christoph

Steve Cohen wrote:
> I had a build adventure today which manifested itself as a
> NoClassFoundException.  Trying to get to the bottom of this, I was
> looking into the code on a different machine from the one where this
> build took place.  I wanted to try to determine what jar contained the
> class I was missing, to try and figure out where my dependencies were
> messed up.  I could see no reason for it.  I looked at the dependent
> jars in Eclipse and it looked like everything was in order.
> 
> Back at the machine where the problem occurred, I tried to do the same
> thing.  I couldn't find the missing class in my dependent jars.  I
> looked at the jar where the class had been found on the other machine,
> and was surprised to see that it was a 7K shell of what was supposed to
> be a 383K jar.  It was a well-formed jar, with only a META-INF folder.
> The jar in question was cxf-rt-core-2.2.5.jar from apache cxf.
> 
> This jar can only have come from a public repository
> (http://repo1.maven.org/maven2) that my local installation points to.  I
> deleted it (looking back I should have probably saved a copy) and the
> next build brought the correct jar down.  How often do obviously
> incorrect jars make it into public repositories and what can be done
> about such a thing?


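
Added example, not part of the original thread and not Maven's own code: a local-repository audit for the two conditions discussed above, a well-formed jar that holds nothing outside META-INF and a jar whose bytes no longer match its checksum. It assumes downloaded artifacts have a `<name>.jar.sha1` sidecar next to them in the local repository; `build_jar` and every name in it are constructed for illustration.

```python
import hashlib
import io
import sys
import zipfile
from pathlib import Path


def is_shell_jar(data: bytes) -> bool:
    """True when a well-formed jar has no file entry outside META-INF/."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        files = [n for n in jar.namelist() if not n.endswith("/")]
    return all(n.upper().startswith("META-INF/") for n in files)


def audit_jar(jar_path: Path) -> list[str]:
    """Return the findings for one jar; an empty list means nothing suspicious."""
    findings = []
    data = jar_path.read_bytes()
    try:
        if is_shell_jar(data):
            findings.append("shell: only META-INF entries")
    except zipfile.BadZipFile:
        findings.append("corrupt: not a valid zip")
    # Assumption: the sidecar's first token is the hex SHA-1 of the jar.
    sidecar = jar_path.with_name(jar_path.name + ".sha1")
    if not sidecar.exists():
        findings.append("no .sha1 sidecar (locally installed or unverified)")
    else:
        tokens = sidecar.read_text().split()
        expected = tokens[0].lower() if tokens else ""
        if hashlib.sha1(data).hexdigest() != expected:
            findings.append("sha1 mismatch with sidecar")
    return findings


def audit_repo(root: Path) -> dict[str, list[str]]:
    """Map each suspicious jar (path relative to root) to its findings."""
    return {str(p.relative_to(root)): f
            for p in sorted(root.rglob("*.jar")) if (f := audit_jar(p))}


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Build a small jar in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__" and len(sys.argv) > 1:
    for rel, found in audit_repo(Path(sys.argv[1])).items():
        print(rel, "->", "; ".join(found))
```

Run it with the local repository path as the only argument; a jar that a local source build installed over a downloaded one shows up as a mismatch or a missing sidecar.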