CVE-2021-26291: Apache Maven: block repositories using http by default

Apache Maven may follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository.

Re: [VOTE] Retire Maven Downloader

+1 On Sun, Jun 9, 2019 at 5:32 AM Karl Heinz Marbaise wrote: > > Hi, > > +1 from me. > > Kind regards > Karl Heinz Marbaise > On 07.06.19 15:32, Robert Scholte wrote: > > Hi, > > > > The Apache Maven project consist of about 90 (sub)projects. Due to the > > small number of volunteers and the

Deprecating HTTP access to Central

Last year, we deprecated old and insecure TLS protocols on Central to make access more secure. This year, we're moving things forward again by deprecating and later removing access to insecure by default HTTP access. Right now this affects less than 20% of the traffic hitting Central. To find out

Re: Maven error during Raspberry to Amazon Echo project.

Can you attach your logs as text? Most people aren't going to watch a video to see what you did and the screenshot was not sent through to the mail so there's no way to see what your error was. On Thu, Jan 3, 2019 at 8:35 PM Mikail Eryilmaz wrote: > > > > > Skickades från E-post

Re: Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

--mobile > On Jul 25, 2018, at 9:24 PM, Mark Derricutt wrote: > > On 26 Jul 2018, at 12:55, Brian Fox wrote: > > Find the Maven Plugin docs here: > https://sonatype.github.io/ossindex-maven/maven-plugin/ > > This looks awesome! One nit pick tho - the XML plu

Announcing OSSIndex plugins for Apache Maven: Scan your dependencies for known vulnerabilities

You probably know Sonatype for our work in the Maven community, Nexus Repository Manager, and for hosting Central. You may not know that for the last 7 years we've also been leading the way in solutions that allow developers to innovate faster and be able to improve security, license compliance

Re: Notice: Java 6 and 7 users: SSL Protocol upgrades coming to Central

Bumping this again. Cutover is next week. On Mon, May 21, 2018 at 2:22 PM, Brian Fox wrote: > The march of standards continues unabated. Legacy TLS protocols 1.0 > and 1.1 have varying weaknesses that could lead to a false sense of > security. > > In June, in an effort to

Notice: Java 6 and 7 users: SSL Protocol upgrades coming to Central

The march of standards continues unabated. Legacy TLS protocols 1.0 and 1.1 have varying weaknesses that could lead to a false sense of security. In June, in an effort to raise security and comply with modern standards, the insecure TLS 1.0 & 1.1 protocols will no longer be supported for SSL

Re: Looking for recommendations how to best use Maven in a muti-stagePipeline build to only deploy at the end

On Wed, Feb 14, 2018 at 9:31 PM, Eric B wrote: > Bernd, > > Nexus 3.x does not support staging repos b/c they are rewriting the entire > platform to support not just Maven artifacts, but any type of repo-based > artifact. Ex: docker images, npm dependencies, etc... This is

Re: Failure to find artifact in Nexus

You still have something wrong with the repositories in your pom or the settings.xml. Making requests to Nexus /releases would generally only be done for _your_ internal components, not for things like http client or the clean plugin. You would normally have requests to .../public instead. I'm

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

it official Everyone else, Time to shout out if you have any issues / suggested improvements on the content - Stephen On Friday, 2 August 2013, Stephen Connolly wrote: On 2 August 2013 16:07, Brian Fox bri...@infinity.nu javascript:_e({}, 'cvml', 'bri...@infinity.nu'); wrote: I think

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

I think the bulk of this is pretty good. On the fork section, specifically: As soon as changes in that fork are identified which should be brought back to the project those changes should be introduced into at least a branch hosted on the Apache Maven source control in order to facilitate the

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

On Fri, Aug 2, 2013 at 12:10 PM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: So anyway, I now have this ultra whizzbang high performance logging API and I am aware of some deficit in the logging performance of Maven, so I spin up a private fork (it could be a hidden private fork, or

Re: [DISCUSS] On the Maven PMC roles... (was [DISCUSS] Should the Maven PMC be an example of how we want the Maven Community to behave...)

On Aug 2, 2013, at 12:30 PM, Paul Benedict pbened...@apache.org wrote: I've stated from the beginning of this thread that it's impossible to prevent someone from developing outside of Apache. I stand by that still. That can't be prevented and any attempt will fail since it's not practical.

Re: bad request return code from Sonatype doing release:perform

Looking at the logs, it appears that you are trying to actually stage the parent, not your project. You don't have permissions to stage the oss parent, hence the error. On Fri, Jul 19, 2013 at 8:25 AM, Richard Sand rs...@idfconnect.com wrote: Hi all - trying to get my first plugin released into

Re: maven deploy artifacts to Nexus repository

SCP to Nexus isn't supported, and writing directly to the storage underneath Nexus isn't really supported either. If the concern is about having a password in the settings.xml, take a look at User Token[1]. Ironically this feature started out with a desire to support SCP but for a number of

Re: My view on the relative merits of different ways to unpack jars into target/classes

That's a good post to sum up all the options. On Thu, Mar 21, 2013 at 8:15 AM, Stephen Connolly stephen.alan.conno...@gmail.com wrote: I think mailing lists are not the best way to explain why different solutions are to be preferred when ranking against what is best for the Maven ecosystem as

Re: Unpacking jars into target/classes

I haven't had time lately to follow a lot of the user list threads, but this one got my attention so I read the whole thing last night. Without having any background on Joachim's previous threads, and judging everything only based on this one, I was kind of surprised...not in a good way. If this

Re: Maven Central Stats: re Most downloaded Maven plugins?

Barrie, the stats for all maven artifacts are available to maven committers by logging in to the https://repository.apache.org instance and clicking on Central Stats On Thu, Mar 14, 2013 at 9:06 PM, Barrie Treloar baerr...@gmail.com wrote:

Re: [ANN] Apache Maven 3.0.5 released

Just wanted to bring this to the users list and ensure that those reading the release notes see the security alert for 3.0.4: CVE-2013-0253 Apache Maven Severity: Medium Vendor: The Apache Software Foundation Versions Affected: - Apache Maven 3.0.4 - Apache Maven Wagon 2.1, 2.2, 2.3

Fwd: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4

-- Forwarded message -- From: Olivier Lamy ol...@apache.org Date: Sat, Feb 23, 2013 at 9:59 AM Subject: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4 To: annou...@apache.org, annou...@maven.apache.org Cc: Maven Developers List d...@maven.apache.org VE-2013-0253 Apache Maven

Re: Dependency resolution kicks in too early

You've run into a non-supported edge case. On Mon, Feb 11, 2013 at 4:17 AM, Reinhard Nägele reinhard.naeg...@mgm-tp.com wrote: Hello, A couple of years ago I used a plugin execution in the validate phase to bootstrap jars that were not available on Maven Central as suggested in [1]. I

Re: snapshot versions and classpath stored in manifest

Are you positive you are using jar plugin version 2.3? On Mon, Jan 7, 2013 at 11:26 AM, Anthony Dahanne anthony.daha...@gmail.comwrote: Hello all, I am using Maven 3 with Nexus 2. I am building a cli tool (let's call it cli) , which has dependencies on some other libraries (let's call them

Re: Can not get a jar from maven central

N oone has been blacklisted in a while. Can you give us the headers like shown here: $ curl -I http://repo1.maven.org/maven2/org/apache/avalon/framework/avalon-framework-api/4.3.1/avalon-framework-api-4.3.1.jar

Re: How to optimize maven dependencies to get better performance?

The problem below is because your configuration is inside an execution, which when run from the command line like mvm enforcer:enforce won't be activated. Either bind this plugin to a phase as part of your build, or move the configuration element outside the executions block. On Thu, Oct 11, 2012

Re: Maven/Nexus metadata interaction question

On Sat, Aug 25, 2012 at 6:48 AM, Robert Scholte rfscho...@apache.org wrote: This sounds like https://jira.codehaus.org/browse/MNG-5324 Agree, that looks like the same thing. I tested all different forms of this with Nexus and the metadata was verified to be correct each time. I didn't check

Re: Maven/Nexus metadata interaction question

On Fri, Aug 24, 2012 at 5:27 PM, Laird Nelson ljnel...@gmail.com wrote: On Fri, Aug 24, 2012 at 1:52 PM, David Hoffer dhoff...@gmail.com wrote: We have been having nothing but trouble with Nexus and Maven3 with the time-stamped snapshots and all the various metadata files that Nexus spits out

Re: Maven/Nexus metadata interaction question

On Fri, Aug 24, 2012 at 5:43 PM, David Hoffer dhoff...@gmail.com wrote: I can't say the whole problem is with Nexus. I can say that the requirement in Maven3 to always use timestamped snapshots has not be addressed in a complete way with tools like Nexus and my beloved IDE IntelliJ. We have

Central is now being served from a CDN

Just over a year ago we evolved the Central architecture to be globally load balanced with 2 servers in the US and 2 more in the UK. This year, we've gone even futher to increase reliability and delivery performance. We evaluated several options and ultimately settled with Edgecast as the

Re: Maven Enforcer plugin: can I make it be quiet?

Which rule spits that out? This seems unusual. On Thu, Jul 19, 2012 at 6:11 PM, Laird Nelson ljnel...@gmail.com wrote: The Maven Enforcer plugin version 1.1.1 outputs a ton of information at the INFO level that seems to me to be repetitive and uninteresting. Here is an excerpt from a normal

Re: any public nexus repo manager I can use for my project

If it's an oss project, then you can use https://docs.sonatype.org/display/Repository/Sonatype+OSS+Maven+Repository+Usage+Guide On Wed, Jun 20, 2012 at 11:37 AM, fachhoch fachh...@gmail.com wrote: we dont a local nexus repo mamnager installed , and we are developers working in remote

Re: How does one mirror a maven repository?

Nexus Pro has functionality that would allow you to do mirroring, we have a bunch of customers doing exactly what you ask. On Fri, Jun 1, 2012 at 12:53 PM, Phillip Hellewell ssh...@gmail.com wrote: Hi, Our company would like to mirror our Maven repository at a remote location. Currently

Re: why is commons-math3 jar missing from sonatype mirror of central?

Found the email Russ ;-) Anyway, repository.s.o isn't intended to be a mirror, it's just a proxy used primarily by us for internal use and for oss users building our stuff. http://search.maven.org has replaced the need to use rso's search as well. Regarding why the files aren't in the

Re: How to replicate company internal repository?

Everything is stored in the sonatype-work/nexus folder. Copy that folder to another machine and you have duplicated your entire instance. On Thu, Apr 26, 2012 at 10:01 PM, hujirong jirong...@gmail.com wrote: The one I am using in my test environment is not professional, but a free one. I don't

Re: How to get access to ALL the data in maven central?

Make a request here and I can attach the poms for you: https://issues.sonatype.org/browse/MVNCENTRAL On Tue, Apr 10, 2012 at 1:17 PM, Wayne Fay wayne...@gmail.com wrote: If you wanted to scrape Maven Central for just the poms then I'd contact Sonatype who manage the central repository. As

Re: Unable to download plugin from Nexus

It looks to me like your settings.xml isn't defining a pluginRepository. On Thu, Nov 10, 2011 at 7:09 AM, brian2011 brian@barcap.com wrote: Hi, I'm using Maven 2.2.1 and  Nexus 1.7.2. Nexus is configured as an internal repository manager with a single nexus group to external repository

Re: Maven central repository

A new version of the indexer was released and requested to be rerun over central. That means a new full index was generated, when typically it is just an incremental index. The size of the file and speed of ibiblio seems to be giving some people trouble. But it should sort itself out, besides

Re: Forbiden? http://repo1.maven.apache.org/maven2/junit/junit/3.8.2/junit-3.8.2.jar

Maybe you're behind a firewall that hasn't adjusted to the new ips? http://www.sonatype.com/people/2011/07/the-central-repository-is-getting-faster-are-you-ready-for-the-new-ips/ On Wed, Aug 31, 2011 at 5:49 PM, Jason Pyeron jpye...@pdinc.us wrote: Not sure if this is the right place to ask,

Re: -gs does not apply to the forked maven execution in release:prepare

Release forks the build and therefore not all the parameters are passed through. There is a parameter for the plugin though to specify which agurments to pass, I forget what it is, but I'm sure you know how to find it ;-) On Sun, Sep 4, 2011 at 1:48 PM, Benson Margulies bimargul...@gmail.com

Re: Authorization failed for jboss maven repository

I google'd for jboss maven repo moved and found the following blog post which explains this repo was deprecated over a year ago and was finally shut down in early June 2011. http://community.jboss.org/en/build/blog/2011/06/01/blocking-repositoryjbossorgmaven2 My money is on ^^^

Re: how to get the list of artifacts id and group id from maven repository?

If this is an external repo: If the repository publishes an index, use that. Otherwise, what you're doing would likely be perceived as scraping and get you banned from remote repositories. If this is an internal repo, then use the maven-indexer to produce an index for you. On Mon, Aug 29, 2011

Re: Nexus help

It's because Github returns a 404 on your repo: https://raw.github.com/davidhoyt/mvn-repo/master/maven2/snapshots/ and this makes Nexus think the repo isn't available. Disable the Auto blocking and it should work. On Tue, Aug 23, 2011 at 2:28 AM, Hoyt, David ho...@llnl.gov wrote: I'm trying to

Re: com.sun.jersey:jersey-project:1.1.4:pom artifact differs on Maven Central and java.net

What is the failure that you're seeing here? The changes look appropriate since the contents of maven/1 and maven/2 are now in Central, so removing those repo declarations should have no effect. On Fri, Aug 19, 2011 at 10:18 AM, Blaney, Kyle (Kyle) kbla...@avaya.com wrote: We recently

Re: com.sun.jersey:jersey-project:1.1.4:pom artifact differs on Maven Central and java.net

.  In pom.xml, specify our Nexus java.net copy as the first repository and in settings.xml, specify our Nexus java.net copy as the first mirror. Kyle -Original Message- From: Brian Fox [mailto:bri...@infinity.nu] Sent: Friday, August 19, 2011 12:33 PM To: Maven Users List Subject: Re

Re: com.sun.jersey:jersey-project:1.1.4:pom artifact differs on Maven Central and java.net

On Fri, Aug 19, 2011 at 4:35 PM, Thiessen, Todd (Todd) tthies...@avaya.com wrote: Thanks for clarifying. Hopefully we can get some advice here wrt the policies regarding different artifacts with the same GAV. This is a very rare circumstance. What happened was we merged java.net with Central.

Re: If its' not one thing it's another

It appears like you aren't using groups in Nexus. Your maven shouldn't be telling you it's looking in the jboss repo, it should be looking in your nexus group and nexus deals with the other repos. You would normally do this in your settings with a mirrorOf * - nexus/content/groups/public for

Re: Central IP number changes

As of this morning we enabled the global load balancing and users closest to the EU Nameservers will start hitting the UK server automatically. On Fri, Jul 29, 2011 at 12:24 PM, Brian Fox bri...@infinity.nu wrote: We're moving around some switching gear to have faster internet access

Central IP number changes

We're moving around some switching gear to have faster internet access for Central. Because of this, the ip numbers for the US Central servers will change. This should not affect most users unless your corporate IT has firewall rules locked to the old ips. You can see more details about the change

Re: Why would unpack-dependencies sometimes not do its job?

default is: overWriteIfNewer=true overWriteReleases = false overWriteSnapshots=false Setting the releases or snapshots to true will cause it to ignore the if newer check. On Wed, Jul 27, 2011 at 11:13 AM, KARR, DAVID (ATTSI) dk0...@att.com wrote: -Original Message- From: Brian Fox

Re: dependency:copy and transitive dependencies of artifactItems

the dependencies of another project (not the current one). Thanks, Gili Brian Fox-2 wrote: It does not support transitivity yet. You can use copy-dependencies and combinations of the filters to get the artifacts you need Chris Burroughs wrote: I assumed from the frequent references

Re: Why would unpack-dependencies sometimes not do its job?

you can set a flag to tell it to always unpack. I forget the exact param, but it's in the docs. On Tue, Jul 26, 2011 at 5:01 PM, KARR, DAVID (ATTSI) dk0...@att.com wrote: -Original Message- From: GALLAGHER, RON (ATTSI) Sent: Tuesday, July 26, 2011 12:03 PM To: Maven Users List

Re: Dependency Plugin behavior changed to copy timestamped snapshot jars

If the snapshot was resolved from a repo then it will be timestamped, if it came from the reactor or local repo, then it will be -SNAPSHOT. The plugin calls into the maven resolution logic so this is core maven behavior. In 2.2, resolution from the reactor was introduced for these goals,

Re: Mirrors and repositories

One reason you might do it is to enable a repository to be searched for snapshots.  By default, Maven's built-in definition of 'central' only has releases enabled.  Unless you define another repository somewhere that has snapshots enabled, Maven will never retrieve any snapshots. This is

Re: Unable to ping Maven Central repository's index location

You should always fetch from repo1.maven.org/maven2/.index On Tue, Jun 21, 2011 at 5:50 AM, amaresh mourya amaresh.mou...@gmail.com wrote: Hi, I am unable to ping [ http://repo2.maven.org.s3.amazonaws.com/.index/ ] location. Whereas ping to [ http://repo1.maven.org/maven2/.index ] is

Re: Local repo or central repo

local first, then it starts looking in configured repositories (from settings, pom, super-pom) On Tue, May 24, 2011 at 10:45 AM, uday shankar adonis.u...@gmail.com wrote: Hi, Where does maven pick the jars from (first) local repo or central repo? Regards, Uday -- View this message in

Re: Bootstraping a repository manager

It's also worth mentioning that Nexus Professional's Procurement feature is built for exactly the use case you have. It's meant to have a hard firewall like separation between internal and external artifacts and rules that allow you to approve whitelist/blacklist style, or by wildcard or other

Re: why I love the maven-dependency plugin

On Tue, May 17, 2011 at 3:50 PM, Russ Tremain ru...@releasetools.org wrote: I use the maven-dependency plugin for jar and war packaging. It is flexible and non-judgmental. This is particularly important when you are converting a large project over to maven and cannot follow some maven

Re: Bootstraping a repository manager

You don't need to bootsrap it, just setup a repo like Nexus and let it proxy on demand the things you need. In that case a bootstrap might simply mean run all our builds and/or run mvn dependency:go-offline to resolve everything you need. On Wed, May 18, 2011 at 5:21 PM, Heck, Gus (Patrick)

Re: central repo?

I just wanted to close the loop on this, http://search.maven.org is now updated incrementally in lockstep with the contents of Central. On Fri, May 6, 2011 at 9:53 AM, Brian Fox bri...@infinity.nu wrote: On Fri, May 6, 2011 at 3:54 AM, Nord, James jn...@nds.com wrote: Hi Brian, we incorporate

Improvements to Central failover: Temporary IP Change to Central on Monday Night

In short, we're moving to a clustered IP for the US Central machines to improve the reliability and get automatic failover. We know some users have firewall rules locked to the existing IP, if that's you, pay attention: We're failing over to the backover IP tonight so we can install the clustered

Re: central repo?

On 2011-05-05, at 12:52 PM, Brian Fox wrote: Than you, i'll let the team know. Also, we've adjusted how the redirects work and included a static page so people don't feel like the repo was hijacked: http://repo2.maven.org/maven2/org/ Deeper links to artifact folders will show the older index

Re: central repo?

is minimal. Just don't want it forgotten that just as it is in repo1.m.o it may not be in uk.m.o  (and if it is in the process of being synced could be only be partially there?) Thanks for the quick workaround. /James -Original Message- From: Brian Fox [mailto:bri...@infinity.nu

Re: central repo?

This was an attempt to block the constant scrapers that are attempting to crawl the entire repository for no good reason, and the bandwidth isn't free. The index used to serve the search is not the same index used by M2e. Fwiw, the m2e indexes are updated daily now, but I need to see why this

Re: central repo?

system. Regards,        /james -Original Message- From: Brian Fox [mailto:bri...@infinity.nu] Sent: 05 May 2011 12:06 To: Maven Users List Subject: Re: central repo? This was an attempt to block the constant scrapers that are attempting to crawl the entire repository for no good

Re: central repo?

On Thu, May 5, 2011 at 7:09 AM, Anders Hammar and...@hammar.net wrote: Regarding the m2e indexes, at what time are they updated? 3:22 CST daily. - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional

Re: central repo?

with IE8 and it worked fine.  Needless to say Chrome and FF work just fine. -Jim -Original Message- From: Brian Fox [mailto:bri...@infinity.nu] Sent: Thursday, May 05, 2011 8:50 AM To: Maven Users List Subject: Re: central repo? On Thu, May 5, 2011 at 7:09 AM, Anders Hammar

Re: Problem resolving snapshot version of plugin thru a Mirror

After debuging Maven I noticed that even having the mirror defined, SNAPSTHOP version of plugins always were resolved agains Maven`s central repository (repo1.apache.org). So we found a workaround  overriding central and snapshot repositories in the setting xml. After that, it worked. is

Re: Enforcer banned dependencies... Not working ?

The warning is talking about the plugin versions rule. Off hand nothing jumps out as being wrong with the config to me. It's been too long since I wrote this rule to recall off the top of my head how it's processed. Take a look at the code and see how includes, excludes are handled. There may be

Re: maven-dependency-plugin uses target dir instead of artifacts from repository

on the multiproject I get target/classes. That seems to be the opposite to what you have described? /Lucas On 04/08/2011 07:52 PM, Brian Fox wrote: It's not a hack, the plugin asks maven core to resolve the artifacts and the objects it gets back have file handles. In reactor builds with sibling

Re: maven-dependency-plugin uses target dir instead of artifacts from repository

It's not a hack, the plugin asks maven core to resolve the artifacts and the objects it gets back have file handles. In reactor builds with sibling dependencies, those handles point to the sibling target folder. If you do a compile reactor build, those handles will point to the /target/classes

Re: Central Repository IP Address Change?

The ip change is part of some networking and hosting upgrades that we've undertaken to ensure the stability of the repository. We actually have 4 systems now that could be serving Central at any given time. There are 2 hosts in the UK and two virtual machines in the US (served from a 6 node

Re: Build Site for parent module, but skip the children?

mvn -N site-deploy On Tue, Mar 1, 2011 at 4:50 PM, Brian Ferris bdfer...@gmail.com wrote: I have a large multi-module project that I wish to build a site for using Maven's site functionality.  The trick is that I'd like to avoid building the sub-module sites as well.  Building the individuals

[Announce] Maven Dependency Plugin 2.2

The Maven team is pleased to announce the 2.2 release of the Maven Dependency Plugin: http://maven.apache.org/plugins/maven-dependency-plugin Release Notes - Maven 2.x Dependency Plugin - Version 2.2 ** Bug * [MDEP-138] - unpack of tar files fail with ArchiverException: chmod exit code

Re: Deployment in Repository without version in file name?

you can also use the dependency plugin to copy/fetch files and strip off the version. On Wed, Feb 16, 2011 at 3:37 AM, Marc Rohlfs pomar...@googlemail.com wrote: Another idea might be: 1. In Your Maven project, create a text file with the following content:

Re: java.net versus central

We are working on this already --mobile On Feb 11, 2011, at 8:34 PM, Benson Margulies bimargul...@gmail.com wrote: I am hoping that some person who works at Sonatype will have pity on me. People who work for Oracle seem to have strong feeling that they are only supposed to deliver things to

Re: Adding upward compat to maven 2.2.x for settings.xml

What new features specifically? On Fri, Feb 11, 2011 at 10:56 AM, Benson Margulies bimargul...@gmail.com wrote: Would there be any sympathy for a JIRA asking for a maven 2.2.x change so that the new features of settings.xml (e.g. mirrors) would be tolerated by maven 2? Since you all didn't

Re: Dependencies get unpacked over and over again

fyi, I'll try to cut the release this weekend. On Thu, Feb 3, 2011 at 2:31 PM, Wayne Fay wayne...@gmail.com wrote: Good news.  I delved into this last week and came up with an even better patch, and the developer Brian Fox just applied it! Great job, Phillip. We need more people like you

Re: Using Apache parent pom

Hi Craig, there's also release-disc...@apache.org to talk about release processes specific to Apache. On Tue, Feb 1, 2011 at 5:54 PM, Craig L Russell craig.russ...@oracle.com wrote: Thanks Kalle, looks like the right level for me to master before I ask more detailed questions. Craig On Feb

uk.maven.org mirror ip change

AIRN is requiring that Contegix renumber our machines in the UK so tonight one of them will change and tomorrow the other will change. As always, you should address them using http://uk.maven.org to allow failover but I know occasionally people have to poke holes in their firewalls based on ip.

Re: dependency:build-classpath seems to ignore configuration

i don't think the classpath is filtered based on those values in this goal, it just dumps the actual classpath that would match the desired scope. On Mon, Jan 17, 2011 at 10:52 AM, John Anderson dayt...@comcast.net wrote: I am trying to use dependency:build-classpath. If I run mvn

Welcome Wayne Fay to the Maven PMC

so good at answering questions ;-) Welcome Wayne! --Brian Fox Apache Maven PMC Chair - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org

Re: Maven 3: deploy-file error 500 on Nexus Repo

The 500 is an internal error on the Nexus side. We'll need to see your Nexus logs to see what happened. You should send those to the nexus user list for a quicker answer. On Fri, Jan 14, 2011 at 9:01 AM, martib bruno.ma...@evard.ch wrote: I'm facing a problem under M3.0.2 or 3.0.1 with Nexus

Re: How to resolve 'LATEST'

Don't use RELEASE or LATEST. On Fri, Dec 17, 2010 at 7:43 AM, Asmann, Roland roland.asm...@adesso.at wrote: Hi all, I'm writing an enforcer-rule, that should check if my parent is the LATEST version. How can I get the actual version for 'LATEST'? Thanks! -- Roland Asmann Senior Software

Re: SNAPSHOT with latest timestamp is used, right?

You shouldn't mix unique and non-unique versions of the same snapshot artifact --mobile On Dec 6, 2010, at 5:22 PM, KARR, DAVID (ATTSI) dk0...@att.com wrote: If I have an artifact with version n.n.n-SNAPSHOT in my user repo and the same artifact with version n.n.n-SNAPSHOT in the local nexus

Re: How to download transitive dependencies

dependency:copy-dependencies sounds like what you want. On Fri, Dec 3, 2010 at 7:41 AM, amaresh mourya amaresh.mou...@gmail.com wrote: Hi, dependencyManagement    dependencies      !-- Internal project dependencies --      dependency        groupId${project.groupId}/groupId        

Re: Maven Central Repository Bad Checksums

We do a little bit of sleuthing when resolving these types of issues to make sure the file hasn't been changed, which is why automatic correction isn't implemented. We are working on process to ensure that no new things come in this way. It can only happen today via the old rsync mechanisms and

Re: maven-dependency-plugin 2.2 release?

Soon. I resolved a ton of issues at ApacheCon and just ran out of time to wrap it up. I'll be getting back to it in the next week or so. On Wed, Dec 1, 2010 at 10:19 PM, Dan Tran dant...@gmail.com wrote: me too :-) On Wed, Dec 1, 2010 at 10:04 AM, Jim McCaskey jim.mccas...@pervasive.com

Re: webservice for maven artifact search?

Repository.apache.org exposes nexus' rest interface --mobile On Dec 2, 2010, at 4:44 PM, Russ Tremain ru...@releasetools.org wrote: anyone know of a web-service interface to any of the public maven artifact lookup services? tia, -russ

Re: FYI Repo hacked?

Lets look at this closely: On Mon, Nov 29, 2010 at 8:36 AM, Jon Strayer j...@strayer.org wrote: On the 24th of November my reports build failed.  The failure message is: Unable to read local copy of metadata: Cannot read metadata from

Re: How to download an artifact with sources and/or javadocs ?

mvn dependency:sources and/or mvn dependency:resolve -Dclassifier=sources or -Dclassifier=javadoc if you use m2eclipse, then it will get the sources/javadocs automatically as needed. On Sun, Nov 14, 2010 at 12:26 PM, piloupy GOTTAPIL pilo...@gmail.com wrote: Hi, I've search for nearly half a

GAE Service abusing public Maven repos

We've just discovered a Google App Engine app called pomyard abusing several repos. Based on the behavior and name of the service, I have reason to believe they may be attempting to scrape public all maven repos not just central, ignoring robots.txt. If you have a public repo, I suggest you block

[ANN] Maven Enforcer Plugin 1.0

The Maven team is pleased to announce the release of the Maven Enforcer Plugin, version 1.0 Maven Enforcer Plugin - The Loving Iron Fist of Maven™ The Enforcer plugin provides goals to control certain environmental constraints such as Maven version, JDK version and OS family along with many more

Re: Problems using maven-dependencies-plugin

The use of the non-standard scopes is not currently a valid use case, so I'd say it's flexmojos with the bug here. It may work for now but who knows what those scopes could do to other tools. On Fri, Nov 5, 2010 at 1:27 PM, Rafael Adson Barbosa Barros mi...@rafaeladson.com wrote: Hi, I'm

Meetup at ApacheCon in Atlanta

If you happen to find yourself in Atlanta on Wed, Nov 3rd at 8pm, and want to talk about Maven, come join the meetup. You can find details and the signup page here: http://na.apachecon.com/c/acna2010/schedule/meetups - To

Re: Classifier now required by assembly plugin

I'll add comments but I don't think this is a bug. On Mon, Oct 25, 2010 at 4:23 PM, Phillip Hellewell ssh...@gmail.com wrote: On Mon, Oct 25, 2010 at 11:07 AM, Haszlakiewicz, Eric ehas...@transunion.com wrote: I was finally able to test this with the 2.2 release version, and it fails for me

Re: Classifier now required by assembly plugin

A simple scan of the release notes reveals this was introduced intentionally by MASSEMBLY-464 On Mon, Oct 25, 2010 at 4:58 PM, Wendy Smoak wsm...@gmail.com wrote: On Mon, Oct 25, 2010 at 1:07 PM, Haszlakiewicz, Eric ehas...@transunion.com wrote: -Original Message- From: Wendy Smoak

Re: Maven Upload Requests separate binaries and sources jar restriction

That's not used anymore, you want this: https://docs.sonatype.org/display/Repository/Uploading+3rd-party+Artifacts+to+Maven+Central On Thu, Oct 21, 2010 at 5:55 PM, Stevo Slavić ssla...@gmail.com wrote: Hello Apache Maven users, On Maven Upload Request

New official Central repository in Europe

As you know, Maven Central has become an increasingly important resource for the development community at large. We've put several efforts forward earlier this year to help improve the content As you know, Maven Central has become an increasingly important resource for the development community at

Re: maven 3.0

the site, couldn't find anything. Thanks. -Original Message- From: Brian Fox [mailto:bri...@infinity.nu] Sent: Friday, October 08, 2010 2:53 PM To: Maven Users List Subject: Re: maven 3.0 It's telling you the rule doesn't work in 3.x, that's the current state. 3.x has similar

Re: ${version} in 3.0

Perhaps some -X debug output would help track down where this comes from. If it's coming from processing of a dependency's pom, then I would say that you should file a bug report since warning about a pom you can't control just makes this noise and will cause people to ignore valid warnings. On

  1   2   3   4   5   >