You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Tamás Cservenák (Jira)" <ji...@apache.org> on 2022/02/20 18:39:00 UTC

[jira] [Comment Edited] (MRESOLVER-236) Make it possible to resolve .asc on a 'fail' respository.

    [ https://issues.apache.org/jira/browse/MRESOLVER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495212#comment-17495212 ] 

Tamás Cservenák edited comment on MRESOLVER-236 at 2/20/22, 6:38 PM:
---------------------------------------------------------------------

This seems as a bug to me: for signature files (ext: asc) by default resolver should not enforce checksums (this is also configurable by {{static final String CONFIG_PROP_SIGNATURE_CHECKSUMS = "aether.checksums.forSignature";}} that by default is {{false}}. 
[~rodwiddowson] questions:
* is this a plugin on central or some private one?
* does the plugin have signature checksums published? (.asc.sha1 files). If yes, can you try using {{-Daether.checksums.forSignature=true}} on CLI?


was (Author: cstamas):
This seems as a bug to me: for signature files (ext: asc) by default resolver should not enforce checksums (this is also configurable by {{static final String CONFIG_PROP_SIGNATURE_CHECKSUMS = "aether.checksums.forSignature";}} that by default is {{false}}. 
[~rodwiddowson] questions:
* is this a plugin on central or some private one?
* does the plugin have signature checksums published? (.asc.sha1 files). If yes, can you true using {{-Daether.checksums.forSignature=true}} on CLI?

> Make it possible to resolve .asc on a 'fail' <checksumPolicy/> respository.
> ---------------------------------------------------------------------------
>
>                 Key: MRESOLVER-236
>                 URL: https://issues.apache.org/jira/browse/MRESOLVER-236
>             Project: Maven Resolver
>          Issue Type: New Feature
>          Components: Resolver
>    Affects Versions: 1.7.3
>            Reporter: Rod Widdowson
>            Priority: Minor
>
> (I'm guessing the resolver version - maven version is 3.8.4).
> We accidently made one of our repositories {{<checksumPolicy>fail</checksumPolicy>}} some time ago and over the weekend an plugin we run started failing.
> After some digging I discovered that the problem was when the code was programmatically trying to resolve a {{jar.asc}} file.  Eventually the code ended up in 
> {code}org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory line 196
>         public List<Checksum> getChecksums {
>             if ( isSignature( artifact.getExtension() ) )
>             {
>                 return Collections.emptyList();
>             }
> {code}
> This means that when the resolution hit the correct repository it (silently) failed the checksum check and moved on to the next one, eventually falling off the end of the list and failing to resolve.
> Our work around is to set the {{<checksumPolicy>}} to warn (which is what it used to be).
> 'It would be nice if'
> * The failure was slightly less quiet
> * If it was possible - programmatically or by configuration - to resolve signatures from checksuming repositories.
> I have not dived very deeply into the code - just enough to diagnose why our CI was exploding so spectacularly so I may have missed some trick in which case I apologise for asking for existing function



--
This message was sent by Atlassian Jira
(v8.20.1#820001)