[
https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181787#comment-17181787
]
Michael Osipov commented on MNG-6397:
-------------------------------------
This is highly disputed. I'd like to share my opinion on this: First of all,
all artifacts on Central must be selfcontained. If Spring Boot is not
selfcontained it breaks the contract set up on Central by Sonatype. I'd like to
cite a smart person from MNG-6772:
bq. To me a child should never have any effect on its parent. So if the parent
defines the central repository, then that is the one being used within that
scope. A child might override it, but only within its scope, that is itself and
its children.
As other have layed out, use mirrors, repo managers. If you let sub projects
influence top projects, you lose complete control over security, build, etc.
You should always in control of your build, proxy (group) repos in Nexus or
alike are the key to go. Artifactory's advise is wrong.
> Maven Transitive Dependency Resolution Does Not Respect Repository Definition
> in pom.xml
> ----------------------------------------------------------------------------------------
>
> Key: MNG-6397
> URL: https://issues.apache.org/jira/browse/MNG-6397
> Project: Maven
> Issue Type: New Feature
> Components: Artifacts and Repositories, Dependencies, POM
> Affects Versions: 3.5.0, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.3
> Environment: Apache Maven 3.5.0
> (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00)
> Maven home: /usr/local/share/maven
> Java version: 1.8.0_161, vendor: Oracle Corporation
> Java home:
> /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"
> Reporter: Alan Czajkowski
> Priority: Critical
> Labels: maven
>
> _*Note:* I am trying to do a build behind a firewall which means I cannot
> access the Internet, I can only access my internal Maven repository inside my
> network, so:_
> - _grabbing artifacts from https://artifacts.example.com/repository/maven/
> works fine_
> - _grabbing artifacts from anywhere else fails due to firewall restrictions_
> Let's begin:
> My {{pom.xml}} has the following:
> {code:xml}
> ...
> <dependencies>
> ...
> <dependency>
> <groupId>org.springframework.boot</groupId>
> <artifactId>spring-boot-starter-web</artifactId>
> <version>2.0.0.RELEASE</version>
> </dependency>
> ...
> </dependencies>
> ...
> <repositories>
> ...
> <repository>
> <id>central</id>
> <name>Public</name>
> <url>https://artifacts.example.com/repository/maven/</url>
> <releases>
> <enabled>true</enabled>
> </releases>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> </repository>
> ...
> </repositories>
> ...
> {code}
> The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows:
> {code:java}
> +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
> | +-
> org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
> | | \-
> com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
> | +-
> org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile
> | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile
> | +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
> | | +- javax.validation:validation-api:jar:2.0.1.Final:compile
> | | +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
> | | \- com.fasterxml:classmate:jar:1.3.1:compile
> | \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
> {code}
> How is it that the build fails as such:
> {code:java}
> ...
> Downloading:
> https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> ...
> [ERROR] Failed to execute goal on project maven-multi-module-demo-backend:
> Could not resolve dependencies for project
> com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT: Failed
> to collect dependencies at
> org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE ->
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read
> artifact descriptor for
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not
> transfer artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to
> spring-milestone (https://repo.spring.io/milestone): Connection reset ->
> [Help 1]
> ...
> {code}
> when I did not even reference this repo {{spring-milestone
> ([https://repo.spring.io/milestone])}} anywhere in my {{pom.xml}}?
> When you go down the Spring Boot rabbit hole (go into the
> {{spring-boot-starter-web}}'s {{pom.xml}} and then traverse up its parent-pom
> structure a few jumps) you'll eventually get to a parent-pom
> {{spring-boot-dependencies}} with this definition:
> {code:xml}
> ...
> <repositories>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>spring-milestone</id>
> <name>Spring Milestone</name>
> <url>https://repo.spring.io/milestone</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> <id>spring-snapshot</id>
> <name>Spring Snapshot</name>
> <url>https://repo.spring.io/snapshot</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>rabbit-milestone</id>
> <name>Rabbit Milestone</name>
> <url>https://dl.bintray.com/rabbitmq/maven-milestones</url>
> </repository>
> </repositories>
> ...
> {code}
> How is it that the Maven build does _not_ even attempt to reach out to
> [https://artifacts.example.com/repository/maven/] to try to find the missing
> dependency {{shrinkwrap-bom}}? and only reaches out to the above repos only
> and not the one defined in my own {{pom.xml}}?
> *This seems like a transitive dependency resolution bug to me as the Maven
> build does not even make a single attempt at trying to get {{shrinkwrap-bom}}
> from the {{<repository>}} that I have explicitly defined in my {{pom.xml}}.
> The (grand)parents of the {{spring-boot-starter-web}} dependency completely
> hi-jack the repository list that the build pulls from (this type of
> hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist
> in [https://artifacts.example.com/repository/maven/] and can be fetched no
> problem if it is explicitly defined in my {{pom.xml}} but defining it
> explicitly would be a work-around and I cannot use this work-around in my
> situation.*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
