I did some digging and found this regression is caused by commit: 6068b83b82475566acd4162467bcf54270f338f9 "gnu: java-jdom: Update to 2.0.6.1 [fixes CVE-2021-33813]."
Apparently the fix for this issue causes jdom to be very strict; > java.io.IOException: Invalid input descriptor for merge: > /tmp/plexus-metadata3957336728290309540xml --> > http://xml.org/sax/features/external-general-entities feature > http://xml.org/sax/features/external-general-entities not supported > for SAX driver org.codehaus.plexus.metadata.merge.Driver Which sound familiar when looking at that CVE (https://github.com/advisories/GHSA-2363-cqg2-863c): > An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to > cause a denial of service via a crafted HTTP request. At this time > there is not released fixed version of JDOM. As a workaround, to avoid > external entities being expanded, one can call > builder.setExpandEntities(false) and they won't be expanded. I dunno how to fix this though, I'm just a curious guixer. Easiest path seems to be to make a new java-jdom-2.0.6 var and use that as a native-input for maven. Would that be an acceptable solution? Cheers, Remco
