[
https://issues.apache.org/jira/browse/MNG-6397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187429#comment-17187429
]
Alan Czajkowski commented on MNG-6397:
--------------------------------------
[~bclozel]
To be clear, this issue that I have raised in this ticket, is something that I
believe is a bug in how Maven decides to download the entire dependency graph
if it is not rooted at your project's POM (i.e. referring to a parent POM makes
your project _not_ the root of the dependency graph).
That being said ... there's plenty to rant about Spring Boot's approach, where
this ticket is not the appropriate place to do it, but i'll do it anyway ...
As for Spring Boot, what is non-standard about referring to a parent POM for an
_external_ dependency (such as Spring Boot)?
# we can start with the hi-jacking of the resource filtering start/end tokens,
where the default is {{$\{}} and {{\}}} and Spring Boot forces you to use {{@}}
instead: this is a major intrusion to a project. I completely understand why
Spring Boot chose to do this, so that Maven's resource filtering and variable
interpolation does not conflict with Spring's Expression Language (SpEL), but
still ...
# Many enterprises create parent POMs for the entire organization, to
standardize certain build configurations across all builds for the entire
organization. Maven does not support referencing 2 parent POMs, so if you
reference the Spring Boot parent POM (which is the _highly_ recommended way to
do a Spring Boot project, then it completely breaks the ability to reference
the enterprise's parent POM to inherit important build configuration. I know
there are way around this, like creating a intermediary parent POM that sits
between the Spring Boot parent and the project, and then the project references
that intermediary parent POM, but that is just doing painful build gymnastics,
and not fun to maintain.
> Maven Transitive Dependency Resolution Does Not Respect Repository Definition
> in pom.xml
> ----------------------------------------------------------------------------------------
>
> Key: MNG-6397
> URL: https://issues.apache.org/jira/browse/MNG-6397
> Project: Maven
> Issue Type: New Feature
> Components: Artifacts and Repositories, Dependencies, POM
> Affects Versions: 3.5.0, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.3
> Environment: Apache Maven 3.5.0
> (ff8f5e7444045639af65f6095c62210b5713f426; 2017-04-03T15:39:06-04:00)
> Maven home: /usr/local/share/maven
> Java version: 1.8.0_161, vendor: Oracle Corporation
> Java home:
> /Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"
> Reporter: Alan Czajkowski
> Priority: Critical
> Labels: maven
>
> _*Note:* I am trying to do a build behind a firewall which means I cannot
> access the Internet, I can only access my internal Maven repository inside my
> network, so:_
> - _grabbing artifacts from https://artifacts.example.com/repository/maven/
> works fine_
> - _grabbing artifacts from anywhere else fails due to firewall restrictions_
> Let's begin:
> My {{pom.xml}} has the following:
> {code:xml}
> ...
> <dependencies>
> ...
> <dependency>
> <groupId>org.springframework.boot</groupId>
> <artifactId>spring-boot-starter-web</artifactId>
> <version>2.0.0.RELEASE</version>
> </dependency>
> ...
> </dependencies>
> ...
> <repositories>
> ...
> <repository>
> <id>central</id>
> <name>Public</name>
> <url>https://artifacts.example.com/repository/maven/</url>
> <releases>
> <enabled>true</enabled>
> </releases>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> </repository>
> ...
> </repositories>
> ...
> {code}
> The {{dependency:tree}} for the {{spring-boot-starter-web}} is as follows:
> {code:java}
> +- org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE:compile
> | +-
> org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.4:compile
> | | +-
> com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.4:compile
> | | \-
> com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.4:compile
> | +-
> org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.0.RELEASE:compile
> | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.28:compile
> | +- org.hibernate.validator:hibernate-validator:jar:6.0.7.Final:compile
> | | +- javax.validation:validation-api:jar:2.0.1.Final:compile
> | | +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
> | | \- com.fasterxml:classmate:jar:1.3.1:compile
> | \- org.springframework:spring-web:jar:5.0.4.RELEASE:compile
> {code}
> How is it that the build fails as such:
> {code:java}
> ...
> Downloading:
> https://repo.spring.io/milestone/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.spring.io/snapshot/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://dl.bintray.com/rabbitmq/maven-milestones/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> Downloading:
> https://repo.maven.apache.org/maven2/org/jboss/shrinkwrap/shrinkwrap-bom/1.2.3/shrinkwrap-bom-1.2.3.pom
> ...
> [ERROR] Failed to execute goal on project maven-multi-module-demo-backend:
> Could not resolve dependencies for project
> com.example.pipe:maven-multi-module-demo-backend:war:1.0.0-SNAPSHOT: Failed
> to collect dependencies at
> org.springframework.boot:spring-boot-starter-web:jar:2.0.0.RELEASE ->
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Failed to read
> artifact descriptor for
> org.hibernate.validator:hibernate-validator:jar:6.0.7.Final: Could not
> transfer artifact org.jboss.shrinkwrap:shrinkwrap-bom:pom:1.2.3 from/to
> spring-milestone (https://repo.spring.io/milestone): Connection reset ->
> [Help 1]
> ...
> {code}
> when I did not even reference this repo {{spring-milestone
> ([https://repo.spring.io/milestone])}} anywhere in my {{pom.xml}}?
> When you go down the Spring Boot rabbit hole (go into the
> {{spring-boot-starter-web}}'s {{pom.xml}} and then traverse up its parent-pom
> structure a few jumps) you'll eventually get to a parent-pom
> {{spring-boot-dependencies}} with this definition:
> {code:xml}
> ...
> <repositories>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>spring-milestone</id>
> <name>Spring Milestone</name>
> <url>https://repo.spring.io/milestone</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>true</enabled>
> </snapshots>
> <id>spring-snapshot</id>
> <name>Spring Snapshot</name>
> <url>https://repo.spring.io/snapshot</url>
> </repository>
> <repository>
> <snapshots>
> <enabled>false</enabled>
> </snapshots>
> <id>rabbit-milestone</id>
> <name>Rabbit Milestone</name>
> <url>https://dl.bintray.com/rabbitmq/maven-milestones</url>
> </repository>
> </repositories>
> ...
> {code}
> How is it that the Maven build does _not_ even attempt to reach out to
> [https://artifacts.example.com/repository/maven/] to try to find the missing
> dependency {{shrinkwrap-bom}}? and only reaches out to the above repos only
> and not the one defined in my own {{pom.xml}}?
> *This seems like a transitive dependency resolution bug to me as the Maven
> build does not even make a single attempt at trying to get {{shrinkwrap-bom}}
> from the {{<repository>}} that I have explicitly defined in my {{pom.xml}}.
> The (grand)parents of the {{spring-boot-starter-web}} dependency completely
> hi-jack the repository list that the build pulls from (this type of
> hi-jacking should not be allowed). The {{shrinkwrap-bom}} artifact does exist
> in [https://artifacts.example.com/repository/maven/] and can be fetched no
> problem if it is explicitly defined in my {{pom.xml}} but defining it
> explicitly would be a work-around and I cannot use this work-around in my
> situation.*
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
