Re: .sha256 artifact checksums on Central
Sorry, talked prematurely (and not at desk, only phone)... this is a sonatype issue it seems. Will take a deeper look tomorrow. T On Tue, Nov 21, 2023, 21:11 Tamás Cservenák wrote: > Sha1s are present as well... Unsure what the problem is here, what do i > miss? > > T > > On Tue, Nov 21, 2023, 20:10 Bernd Eckenfels > wrote: > >> >> >> Bernd Eckenfels wrote on 21. Nov 2023 19:44 (GMT +01:00): >> > Strange enough central did accept those, but seems to not support it >> with >> > Remote Included Strategy (X- headers): >> >> Now that I thought about it, another possible explanation: I think >> -Daether.checksums.algo= >> rithms=SHA-256 is effectiv, all downloads WARN. >> >> So I suspect maven with direct connections to Central use the synthetic >> SHA-1 checksum >> Headers and does never miss the .sha1 files. but with a proxy-repo in >> between it fails to do >> that. >> >> I guess I need to trace more interactions along those lines. >> Will it somehow know not to request .sha256 or does my nexus just not >> mirror them? >> >> For my testing convinience, do I need a dummy Pom or can I trigger the >> resolve with cli in exactly the same way? >> >> >> Gruß >> Bernd >> — >> https://bernd.eckenfels.net >> >> - >> To unsubscribe, e-mail: users-unsubscr...@maven.apache.org >> For additional commands, e-mail: users-h...@maven.apache.org >> >>
Re: .sha256 artifact checksums on Central
Sha1s are present as well... Unsure what the problem is here, what do i miss? T On Tue, Nov 21, 2023, 20:10 Bernd Eckenfels wrote: > > > Bernd Eckenfels wrote on 21. Nov 2023 19:44 (GMT +01:00): > > Strange enough central did accept those, but seems to not support it with > > Remote Included Strategy (X- headers): > > Now that I thought about it, another possible explanation: I think > -Daether.checksums.algo= > rithms=SHA-256 is effectiv, all downloads WARN. > > So I suspect maven with direct connections to Central use the synthetic > SHA-1 checksum > Headers and does never miss the .sha1 files. but with a proxy-repo in > between it fails to do > that. > > I guess I need to trace more interactions along those lines. > Will it somehow know not to request .sha256 or does my nexus just not > mirror them? > > For my testing convinience, do I need a dummy Pom or can I trigger the > resolve with cli in exactly the same way? > > > Gruß > Bernd > — > https://bernd.eckenfels.net > > - > To unsubscribe, e-mail: users-unsubscr...@maven.apache.org > For additional commands, e-mail: users-h...@maven.apache.org > >
Re: .sha256 artifact checksums on Central
Bernd Eckenfels wrote on 21. Nov 2023 19:44 (GMT +01:00): > Strange enough central did accept those, but seems to not support it with > Remote Included Strategy (X- headers): Now that I thought about it, another possible explanation: I think -Daether.checksums.algo= rithms=SHA-256 is effectiv, all downloads WARN. So I suspect maven with direct connections to Central use the synthetic SHA-1 checksum Headers and does never miss the .sha1 files. but with a proxy-repo in between it fails to do that. I guess I need to trace more interactions along those lines. Will it somehow know not to request .sha256 or does my nexus just not mirror them? For my testing convinience, do I need a dummy Pom or can I trigger the resolve with cli in exactly the same way? Gruß Bernd — https://bernd.eckenfels.net - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
.sha256 artifact checksums on Central
Hello, I have noticed that Microsoft started to add .sha256 checksums to their POMs instead of .sha1. It looks like Maven Central accepts this, so is this a global policy change? https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.1.jre11/mssql-jdbc-12.4.1.jre11.pom.sha1 https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.pom.sha256 Strange enough central did accept those, but seems to not support it with Remote Included Strategy (X- headers): curl -I https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.pom HTTP/1.1 200 OK Connection: keep-alive Content-Length: 19942 ETag: "61cb3f21b65ec7957c85f899a7f5cbc4" Content-Type: text/xml Last-Modified: Fri, 27 Oct 2023 02:53:09 GMT X-Checksum-MD5: 61cb3f21b65ec7957c85f899a7f5cbc4 X-Checksum-SHA1: 70d487ee6dd908c60527158246d03baf18269511 Via: 1.1 varnish, 1.1 varnish Accept-Ranges: bytes Date: Tue, 21 Nov 2023 18:30:23 GMT Age: 1531300 X-Served-By: cache-iad-kiad7000176-IAD, cache-fra-eddf8230077-FRA X-Cache: HIT, HIT X-Cache-Hits: 3, 1 X-Timer: S1700591424.912411,VS0,VE1 In any case Maven 3.8 seems to not like it, it prints: Warning: Could not validate integrity of download from https://repo.maven.apache.org/maven2/com/microsoft/sqlserver/mssql-jdbc/12.4.2.jre11/mssql-jdbc-12.4.2.jre11.pom org.eclipse.aether.transfer.ChecksumFailureException: Checksum validation failed, no checksums available at org.eclipse.aether.internal.impl.AbstractChecksumPolicy.onNoMoreChecksums (AbstractChecksumPolicy.java:64) at org.eclipse.aether.connector.basic.ChecksumValidator.validate (ChecksumValidator.java:107) at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask (BasicRepositoryConnector.java:460) at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run (BasicRepositoryConnector.java:364) at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run (RunnableErrorForwarder.java:75) at org.eclipse.aether.connector.basic.BasicRepositoryConnector$DirectExecutor.execute (BasicRepositoryConnector.java:628) at org.eclipse.aether.connector.basic.BasicRepositoryConnector.get (BasicRepositoryConnector.java:262) at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads (DefaultArtifactResolver.java:514) ... This happens with 3.8.8 in Github Action: (Example for that, here Line 19:) https://github.com/seeburger-ag/bis-resources/actions/runs/6947706560/job/18902089277?pr=20#step:4:20 but not sure if this is somehow GH cache related (since there are no downloads) With 3.9.4 directly, the warning seems to not happen - even when I specify mvn -Daether.checksums.algorithms=SHA-1 to a empty local repo I get no warning. When I use the same version through a nexus 3 mirror, it does fail. So questions: - is this a policy change in central or does central neglect to enforce sha1? - does central need to include a sha2 header? - since when does maven resolver test for both? - is it still controlled with aether.checksums.algorithms? - Does anybody know if nexus3 can support that? Gruss Bernd -- https://bernd.eckenfels.net - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Maven 3.9.6 release is coming soon
Howdy, Good ideas! I completely forgot about default bindings T On Tue, Nov 21, 2023 at 1:04 PM Slawomir Jaranowski wrote: > Hi, > > We can consider: > - update parent to 41 > - update versions of default bindings plugins - some can have fix support > for JDK 21 - to check > > wt., 21 lis 2023 o 12:22 Tamás Cservenák napisał(a): > > > Howdy, > > > > The 3.9.6 release will contain three important changes: > > - Resolver 1.9.x is hopefully "tamed" on Windows, no more sporadic > > AccessDeniedEx to fail the builds > > - Sisu DI is upgraded to support bytecode higher than Java 14. This makes > > writing Maven components (extensions, plugins, Sisu managed JSR330 > > components) using bytecode higher than Java 14 possible. Naturally, to > have > > those used in your build, you will also have to raise the Maven runtime > > Java requirement, and have it aligned with your new components. > > - ability to exclude plugin from plugin validation (as an "escape hatch") > > > > As usual, if anyone has anything to add, please speak up! > > > > Thanks > > T > > > > > -- > Sławomir Jaranowski >
Re: Maven 3.9.6 release is coming soon
Hi, We can consider: - update parent to 41 - update versions of default bindings plugins - some can have fix support for JDK 21 - to check wt., 21 lis 2023 o 12:22 Tamás Cservenák napisał(a): > Howdy, > > The 3.9.6 release will contain three important changes: > - Resolver 1.9.x is hopefully "tamed" on Windows, no more sporadic > AccessDeniedEx to fail the builds > - Sisu DI is upgraded to support bytecode higher than Java 14. This makes > writing Maven components (extensions, plugins, Sisu managed JSR330 > components) using bytecode higher than Java 14 possible. Naturally, to have > those used in your build, you will also have to raise the Maven runtime > Java requirement, and have it aligned with your new components. > - ability to exclude plugin from plugin validation (as an "escape hatch") > > As usual, if anyone has anything to add, please speak up! > > Thanks > T > -- Sławomir Jaranowski
Maven 3.9.6 release is coming soon
Howdy, The 3.9.6 release will contain three important changes: - Resolver 1.9.x is hopefully "tamed" on Windows, no more sporadic AccessDeniedEx to fail the builds - Sisu DI is upgraded to support bytecode higher than Java 14. This makes writing Maven components (extensions, plugins, Sisu managed JSR330 components) using bytecode higher than Java 14 possible. Naturally, to have those used in your build, you will also have to raise the Maven runtime Java requirement, and have it aligned with your new components. - ability to exclude plugin from plugin validation (as an "escape hatch") As usual, if anyone has anything to add, please speak up! Thanks T
[ANN] Maven Resolver 1.9.17 released
The Apache Maven team is pleased to announce the release of the Maven Resolver 1.9.17: The 1.x resolver lineage is in "bugfix only" maintenance mode. === https://maven.apache.org/resolver/ Release Notes - Maven Resolver - Version 1.9.17 ** Bug * [MRESOLVER-372] - Sporadic AccessDeniedEx on Windows ** Task * [MRESOLVER-433] - Expose configuration for inhibiting Expect-Continue handshake in 1.x * [MRESOLVER-435] - Refresh download page ** Dependency upgrade * [MRESOLVER-434] - Upgrade Parent to 41 Have fun, -The Apache Maven team
[ANN] Apache Maven Doxia Sitetools 2.0.0-M16 released
The Apache Maven team is pleased to announce the release of the Apache Maven Doxia Sitetools, version 2.0.0-M16 https://maven.apache.org/doxia/doxia-sitetools/ Release Notes - Maven Doxia Sitetools - Version 2.0.0-M16 ** Task * [DOXIASITETOOLS-319] - Improve DocumentRenderer interface/DocumentRenderingContext class API ** Dependency upgrade * [DOXIASITETOOLS-317] - Upgrade to Parent 41 * [DOXIASITETOOLS-318] - Upgrade to Maven Reporting API 4.0.0-M9 Enjoy, -The Apache Maven team - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
[ANN] Maven Project Info Reports Plugin 3.5.0 released
The Apache Maven team is pleased to announce the release of the Maven Project Info Reports Plugin version 3.5.0. https://maven.apache.org/plugins/maven-project-info-reports-plugin/ You should specify the version in your project's plugin configuration: org.apache.maven.plugins maven-project-info-reports-plugin 3.5.0 Release Notes - Maven Project Info Reports Plugin - Version 3.5.0 ** Task * [MPIR-453] - Replace Commons IO in favor of standard APIs ** Dependency upgrade * [MPIR-446] - Update to Maven SCM 2.0.1 * [MPIR-452] - Upgrade to Parent 41 Enjoy, -The Apache Maven team - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org