[jira] [Commented] (MNG-8180) Resolver will blindly assume it is deploying a plugin by presence of META-INF/maven/plugins.xml in JAR

Thu, 11 Jul 2024 16:56:33 -0700 


    [ 
https://issues.apache.org/jira/browse/MNG-8180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17865253#comment-17865253
 ] 

Hudson commented on MNG-8180:
-----------------------------

SUCCESS: Integrated in Jenkins build Tika ยป tika-main-jdk11 #1674 (See 
[https://ci-builds.apache.org/job/Tika/job/tika-main-jdk11/1674/])
Circumvention for MNG-8180 Maven bug (#1855) (tallison: 
[https://github.com/apache/tika/commit/4bd131803252a76f3f98b6650decfd2130b6010f])
* (edit) tika-server/tika-server-core/pom.xml
* (edit) tika-eval/tika-eval-core/pom.xml
* (edit) tika-app/pom.xml
* (edit) tika-server/tika-server-standard/pom.xml
* (edit) tika-eval/tika-eval-app/pom.xml


> Resolver will blindly assume it is deploying a plugin by presence of 
> META-INF/maven/plugins.xml in JAR
> ------------------------------------------------------------------------------------------------------
>
>                 Key: MNG-8180
>                 URL: https://issues.apache.org/jira/browse/MNG-8180
>             Project: Maven
>          Issue Type: Bug
>          Components: Artifacts and Repositories
>    Affects Versions: 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 
> 3.9.8
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.9.9, 4.0.0-beta-4
>
>
> Resolver will generate plugin metadata based on contents of 
> META-INF/maven/plugins.xml file, that for example in case of shaded JAR may 
> be totally off.
> Circumvention: exclude this file from JAR.
> All Maven 3.9.x and 4.x are affected.
> Solution: the Artifact (checked for: has no classifier and is backed by JAR, 
> the requirements for maven-plugin JAR) and the embedded plugin metadata MUST 
> BE aligned (artifact GA == metadata GA). In this case all is happening as 
> before, happy path. In case of artifact GA != metadata GA we HARD FAIL the 
> build, as deploying "formally adhering to maven plugin JAR with rogue 
> metadata" may be very misleading. Most probably the origin of "rogue" plugin 
> metadata is by shading (like in case of Tika), or by some other rogue 
> resource, or even someone "reinventing" the plugin metadata for some other 
> purposes. Maven should simply prevent install/deploy of artifacts like these, 
> and users should fix the artifact (in case of shading, exclude that resource, 
> in other cases figure out from where it comes and eliminate it).
> More context: in Maven3 this is most we can do, as repository metadata 
> generation happens in maven-resolver-provider module that does not and cannot 
> depend on maven-core (is "pure" resolver), hence notion of packaging, 
> project, build etc is not available. In Maven4 with new API we MAY do 
> something more later. The two PRs against 3.9.x and 4.0.0 are currently 
> identical.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to