[
https://issues.apache.org/jira/browse/MNG-7375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17471268#comment-17471268
]
Herve Boutemy edited comment on MNG-7375 at 1/9/22, 2:34 AM:
-------------------------------------------------------------
pfew, working on nice code cleanup in MPLUGIN-377 opened a big can of worms
FYI [~cstamas] & [~gnodet]: I'm not blaming, just letting you see what I
learned 10 years ago when trying to do equivalent cleanup. This does not mean
that we should refrain to do any cleanup, but I just want to be sure that
experience is shared (and I knew when I reviewed the PR and I saw this
{{GroupRepositoryMetadata}} was copied/moved, there were serious chances that
impact was not really mastered: I intentionally chose to take the risk... :) )
my analysis:
- yes, the more resilient the Maven core merging code is, the better: if we can
avoid the NPE (and let the "bad" metadata live without failing), it can be
interesting
- IMHO, Sonatype nexus-staging-plugin is more a sign of an issue in Maven
compat decision to contain the
{{org.apache.maven.artifact.repository.metadata.GroupRepositoryMetadata}}
class: perhaps this class need to be kept in Maven core (I don't know if it's
more in maven-core or maven-artifact or maven-repository-metadata)
- on Modello discrepency when generating the XSD from a MDO with required=true,
this is also some nice fix to do from the can of worms discovery :)
was (Author: hboutemy):
pfew, working on nice code cleanup in MPLUGIN-377 opened a big can of worms
FYI [~cstamas] & [~gnodet]: I'm not blaming, just letting you see what I
learned 10 years ago when trying to do equivalent cleanup. This does not mean
that we should refrain to do any cleanup, but I just want to be sure that
experience is shared (and I knew when I reviewed the PR and I saw this
{{GroupRepositoryMetadata}} was copied/moved, there were serious chances that
impact was not really mastered: I intentionally chose to take the risk... :) )
my analysis:
- yes, the more resilient the Maven core merging code is, the better: if we can
avoid the NPE (and let the "bad" metadata live without failing), it can be
interesting
- IMHO, Sonatype nexus-staging-plugin is more a sign of an issue in Maven
compat decision to contain the
{{org.apache.maven.artifact.repository.metadata.GroupRepositoryMetadata}}
class: perhaps this class need to be kept in Maven core (I don't know if it's
more in maven-core or maven-artifact or maven-repository-metadata)
> Potential NPE in o.a.m.artifact.repository.metadata.Metadata.merge(...) with
> invalid/incomplete plugin metadata
> ---------------------------------------------------------------------------------------------------------------
>
> Key: MNG-7375
> URL: https://issues.apache.org/jira/browse/MNG-7375
> Project: Maven
> Issue Type: Improvement
> Components: Artifacts and Repositories
> Affects Versions: 3.8.4
> Reporter: Konrad Windszus
> Priority: Major
> Attachments: NEXUS-30749 - Broken groupId metadata and follow-up NPE
> during
> org.sonatype.nexus.maven.staging.deploy.strategy.AbstractDeployStrategy.deployUp
> - Sonatype JIRA.pdf
>
>
> Currently the metadata at
> https://repository.apache.org/service/local/repositories/snapshots/content/org/apache/jackrabbit/maven-metadata.xml
> contains an invalid entry without a prefix:
> {code:xml}
> <metadata>
> <plugins>
> <plugin>
> <name>Apache Jackrabbit FileVault - Package Maven Plugin</name>
> <prefix>filevault-package</prefix>
> <artifactId>filevault-package-maven-plugin</artifactId>
> </plugin>
> <plugin>
> <name>filevault-package-maven-plugin</name>
> <artifactId>filevault-package-maven-plugin</artifactId>
> </plugin>
> </plugins>
> </metadata>
> {code}
> This leads to an NPE when trying to deploy a new version with
> {{org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(...)}}:
> {noformat}
> Caused by: java.lang.NullPointerException
> at org.apache.maven.artifact.repository.metadata.Metadata.merge
> (Metadata.java:276)
> at
> org.apache.maven.artifact.repository.metadata.AbstractRepositoryMetadata.updateRepositoryMetadata
> (AbstractRepositoryMetadata.java:121)
> at
> org.apache.maven.artifact.repository.metadata.AbstractRepositoryMetadata.storeInLocalRepository
> (AbstractRepositoryMetadata.java:67)
> at org.apache.maven.artifact.repository.metadata.MetadataBridge.merge
> (MetadataBridge.java:65)
> at org.eclipse.aether.internal.impl.DefaultDeployer.upload
> (DefaultDeployer.java:433)
> at org.eclipse.aether.internal.impl.DefaultDeployer.deploy
> (DefaultDeployer.java:321)
> at org.eclipse.aether.internal.impl.DefaultDeployer.deploy
> (DefaultDeployer.java:213)
> at org.eclipse.aether.internal.impl.DefaultRepositorySystem.deploy
> (DefaultRepositorySystem.java:386)
> at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy
> (DefaultArtifactDeployer.java:142)
> {noformat}
> Although this happened in the context of using
> "org.sonatype.plugins:nexus-staging-maven-plugin:1.6.8"
> (https://issues.sonatype.org/browse/NEXUS-30749, exported to [^NEXUS-30749 -
> Broken groupId metadata and follow-up NPE during
> org.sonatype.nexus.maven.staging.deploy.strategy.AbstractDeployStrategy.deployUp
> - Sonatype JIRA.pdf] ) the affected code is in Maven.
> The metadata is probably invalid but the Metadata class should be more robust
> when trying to do the merge in
> https://github.com/apache/maven/blob/951b5ee95f40147abbc2bb9d928e408b85d5aef3/maven-repository-metadata/src/main/mdo/metadata.mdo#L100
> and just ignore all plugin entries without all mandatory elements.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
