ctubbsii opened a new pull request, #5709: URL: https://github.com/apache/accumulo/pull/5709
This change avoids unnecessarily accessing the configured repository.apache.org/snapshots snapshot repository. To do this, it affixes a specific version from the range in one of the transitive dependencies (in this case, bouncycastle), so Maven does not query all of the configured repositories for the versions they contain.

The apparent behavior of Maven's dependency resolution is to query all repositories, whether they are configured for snapshots or releases, in order to resolve dependency ranges. However, this [may be a bug in Maven](https://github.com/apache/maven-enforcer/issues/906).

It is important to avoid unnecessary accesses to repository.apache.org/snapshots, because Apache's INFRA team blocks network clients for too many accesses to repository.apache.org that result in 404s. Any attempt to resolve bouncycastle dependencies from repository.apache.org is certainly going to fail with 404 responses, because bouncycastle is not an Apache project that publishes anything to this server. So, the version range in that dependency is likely to contribute to getting Apache projects blocked who use the Apache parent POM, because the Apache parent POM adds the repository.apache.org/snapshots as a snapshot repository by default.

The workaround in this commit sets a specific version that is *not* a SNAPSHOT version, so the snapshot repository should not be used. Unfortunately, it appears this will need to be done for *any* version ranges anywhere in our project's dependency tree.

This commit also adds an enforcer rule to detect new version ranges showing up in the dependency tree.
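As an added illustration (not part of the pull request or of Accumulo's build), this Python script lists the dependency declarations in a POM that use Maven version-range syntax, which are the candidates for pinning that the description refers to. The sample POM, its coordinates and the function names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM (not from the Accumulo tree); coordinates are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><provider.version>[1.70,)</provider.version></properties>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>provider</artifactId>
      <version>${provider.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>util</artifactId>
      <version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>codec</artifactId>
      <version>[1.4]</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>managed</artifactId></dependency>
  </dependencies>
</project>"""

def classify_version(version):
    """'fixed' for a plain version, 'exact' for [1.4], 'range' for any other bracketed spec."""
    v = version.strip()
    if not v.startswith(("[", "(")):
        return "fixed"  # includes unresolved ${...}; check the parent POM for those
    if re.fullmatch(r"\[\s*[^,\[\]()\s]+\s*\]", v):
        return "exact"
    return "range"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM XML namespace

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def find_version_ranges(pom_xml):
    """Return (groupId, artifactId, version, kind) for every non-fixed dependency version."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for e in root if _local(e.tag) == "properties" for p in e}
    findings = []
    # iter() also visits dependencyManagement and plugin-level <dependency> entries
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        raw = _child_text(dep, "version")
        # Substitute properties defined in this POM; inherited ones stay as ${...}
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        kind = classify_version(version)
        if kind != "fixed":
            findings.append((_child_text(dep, "groupId"), _child_text(dep, "artifactId"), version, kind))
    return findings

if __name__ == "__main__":
    for finding in find_version_ranges(SAMPLE_POM):
        print(*finding)
```

Run over the `.pom` files of the artifacts in a project's dependency tree, the `range` findings are the entries a build would need to pin to a single release version.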