BTW, a more robust setup you can work with is to put a repository manager in place - you can direct all your Maven requests to it and then filter out bad repositories such as this (since commons-pool can easily be found on the existing Maven repositories).

- Brett

On 22/09/2009, at 6:19 PM, Richard Taylor wrote:

Nick

I have followed the tutorials on the ServiceMix site to the letter. The repositories in the pom.xml file are:

    <repositories>
      <repository>
        <releases />
        <snapshots>
          <enabled>false</enabled>
        </snapshots>
        <id>apache</id>
        <name>Apache Repository</name>
        <url>http://people.apache.org/repo/m2-ibiblio-rsync-repository</url>
      </repository>
      <repository>
        <releases>
          <enabled>false</enabled>
        </releases>
        <snapshots />
        <id>apache.snapshots</id>
        <name>Apache Snapshots Repository</name>
        <url>http://people.apache.org/repo/m2-snapshot-repository</url>
      </repository>
    </repositories>
    <pluginRepositories>
      <pluginRepository>
        <releases />
        <snapshots>
          <enabled>false</enabled>
        </snapshots>
        <id>apache</id>
        <name>Apache Repository</name>
        <url>http://people.apache.org/repo/m2-ibiblio-rsync-repository</url>
      </pluginRepository>
      <pluginRepository>
        <releases>
          <enabled>false</enabled>
        </releases>
        <snapshots />
        <id>apache.snapshots</id>
        <name>Apache Snapshots Repository</name>
        <url>http://people.apache.org/repo/m2-snapshot-repository</url>
      </pluginRepository>
    </pluginRepositories>

these were generated by

    mvn archetype:create -DarchetypeArtifactId=servicemix-service-unit -DarchetypeGroupId=org.apache.servicemix.tooling -DartifactId=tutorial-file-su

Hunting through the build logs I find this:

    Downloading: http://people.apache.org/repo/m2-ibiblio-rsync-repository/commons-pool/commons-pool/1.3/commons-pool-1.3.pom
    [INFO] Unable to find resource 'commons-pool:commons-pool:pom:1.3' in repository apache (http://people.apache.org/repo/m2-ibiblio-rsync-repository)
    Downloading: http://svn.apache.org/repos/asf/servicemix/m2-repo/commons-pool/commons-pool/1.3/commons-pool-1.3.pom
    [INFO] Unable to find resource 'commons-pool:commons-pool:pom:1.3' in repository servicemix-m2-repo (http://svn.apache.org/repos/asf/servicemix/m2-repo)
    Downloading: http://people.apache.org/repo/m2-incubating-repository/commons-pool/commons-pool/1.3/commons-pool-1.3.pom
    [INFO] Unable to find resource 'commons-pool:commons-pool:pom:1.3' in repository apache-incubating (http://people.apache.org/repo/m2-incubating-repository)
    Downloading: http://repository.codehaus.org/commons-pool/commons-pool/1.3/commons-pool-1.3.pom
    [INFO] Unable to find resource 'commons-pool:commons-pool:pom:1.3' in repository codehaus (http://repository.codehaus.org)
    Downloading: http://download.java.net/maven/1/commons-pool/poms/commons-pool-1.3.pom
    [INFO] Unable to find resource 'commons-pool:commons-pool:pom:1.3' in repository java.net (http://download.java.net/maven/1)
    Downloading: http://servicemix.org/m2-repo/commons-pool/commons-pool/1.3/commons-pool-1.3.pom
    [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '1559863a375499e55c9adee606c51a69e546b69a'; remote = '<!DOCTYPE' - RETRYING
    Downloading: http://servicemix.org/m2-repo/commons-pool/commons-pool/1.3/commons-pool-1.3.pom
    8K downloaded (commons-pool-1.3.pom)
    [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local = '1559863a375499e55c9adee606c51a69e546b69a'; remote = '<!DOCTYPE' - IGNORING
    [WARNING] POM for 'commons-pool:commons-pool:pom:1.3:provided' is invalid.

The project pom.xml file has a <url>http://servicemix.org/</url>. This site resolves to a site for a car performance chip company. Their web site always returns the home page regardless of the page requested, rather than a 404.

Does maven's repository resolution fall back to the project pom.xml URL as a last resort if a file can't be found in one of the other repositories? Why would it keep the file that failed the checksum anyway?

Thanks for the quick response.

Regards
Richard

On Tue, 2009-09-22 at 10:09 +0200, Nick Stolwijk wrote:

As you are the first one to notice this, I would think it would be or your local computer or your company repository. Which repositories are you using for your project?

With regards,

Nick Stolwijk
~Java Developer~

IPROFS BV.
Claus Sluterweg 125
2012 WS Haarlem
http://www.iprofs.nl

On Tue, Sep 22, 2009 at 9:47 AM, Richard Taylor <[email protected]> wrote:

Hi

I am completely new to maven, just running through some ServiceMix tutorials (completely new to that too). Tracking down a 'mvn install' failure that said:

    [INFO] ------------------------------------------------------------------------
    [ERROR] BUILD FAILURE
    [INFO] ------------------------------------------------------------------------
    [INFO] Compilation failure
    error: error reading /home/rjt/.m2/repository/org/springframework/spring-dao/2.0.6/spring-dao-2.0.6.jar; error in opening zip file
    error: error reading /home/rjt/.m2/repository/org/springframework/spring-support/2.0.6/spring-support-2.0.6.jar; error in opening zip file
    error: error reading /home/rjt/.m2/repository/xerces/xerces/2.0.2/xerces-2.0.2.jar; error in opening zip file

I discover that the contents of these files are all spam web pages with the title: "Truck Performance Chips". I then searched my local repository for the same string and I get:

    grep -r Truck\ Performance\ Chips *
    commons-collections/commons-collections/2.1/commons-collections-2.1.pom:<title>Car & Truck Performance Chips</title>
    commons-pool/commons-pool/1.2/commons-pool-1.2.pom:<title>Car & Truck Performance Chips</title>
    commons-pool/commons-pool/1.3/commons-pool-1.3.pom:<title>Car & Truck Performance Chips</title>
    org/springframework/spring-beans/2.0.6/spring-beans-2.0.6.pom:<title>Car & Truck Performance Chips</title>
    org/springframework/spring-core/2.0.6/spring-core-2.0.6.pom:<title>Car & Truck Performance Chips</title>
    org/springframework/spring-dao/2.0.6/spring-dao-2.0.6.pom:<title>Car & Truck Performance Chips</title>
    org/springframework/spring-dao/2.0.6/spring-dao-2.0.6.jar:<title>Car & Truck Performance Chips</title>
    org/springframework/spring-context/2.0.6/spring-context-2.0.6.pom:<title>Car & Truck Performance Chips</title>
    org/springframework/spring-support/2.0.6/spring-support-2.0.6.jar:<title>Car & Truck Performance Chips</title>
    org/springframework/spring-support/2.0.6/spring-support-2.0.6.pom:<title>Car & Truck Performance Chips</title>
    xerces/xerces/2.0.2/xerces-2.0.2.jar:<title>Car & Truck Performance Chips</title>
    xerces/xerces/2.0.2/xerces-2.0.2.pom:<title>Car & Truck Performance Chips</title>

This all looks very worrying. It suggests that one of the online repositories has been infiltrated. Is there any way to discover which repository these files came from?

I am beginning to worry about safety of using all this code pulled automatically from online repositories :-(

Regards
Richard

--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
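
The manual grep for the spam page title, generalised into a check of a local repository's contents (an added example, not part of the original thread and not Maven code): it flags cached .jar files that are not zip archives, .pom files that are not `<project>` XML, and .sha1 sidecars that hold something other than a digest, which is the `remote = '<!DOCTYPE'` case in the log above. It assumes .sha1 sidecar files sit beside the artifacts; `check_artifact`, `scan_repository` and `demo` are hypothetical names, and the sample repository is constructed.

```python
import hashlib, re, tempfile, zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

def check_artifact(path):
    """Return the problems found in one cached .jar or .pom file."""
    data, problems = path.read_bytes(), []
    if path.suffix == ".jar" and not zipfile.is_zipfile(path):
        problems.append("jar is not a zip archive")
    if path.suffix == ".pom":
        try:
            # POMs carry no DOCTYPE; rejecting it first keeps DTD entities out of the parser.
            if b"<!DOCTYPE" in data or ET.fromstring(data).tag.split("}")[-1] != "project":
                problems.append("pom is not a <project> document")
        except ET.ParseError:
            problems.append("pom is not well-formed XML")
    sidecar = path.with_name(path.name + ".sha1")
    if sidecar.is_file():
        recorded = (sidecar.read_text(errors="replace").split() or [""])[0]
        if not re.fullmatch(r"[0-9a-fA-F]{40}", recorded):
            problems.append("sha1 sidecar is not a digest")
        elif recorded.lower() != hashlib.sha1(data).hexdigest():
            problems.append("sha1 mismatch")
    return problems

def scan_repository(repo):
    """Map each suspect artifact (path relative to repo) to its problems."""
    found = {p.relative_to(repo).as_posix(): check_artifact(p)
             for p in sorted(Path(repo).rglob("*"))
             if p.is_file() and p.suffix in (".jar", ".pom")}
    return {name: problems for name, problems in found.items() if problems}

def demo():
    """Scan a constructed repository: one sound artifact, one replaced by an HTML page."""
    html = b"<!DOCTYPE html><html><title>Car & Truck Performance Chips</title></html>"
    pom = b"<project><modelVersion>4.0.0</modelVersion></project>"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp, "demo", "1.0")
        d.mkdir(parents=True)
        (d / "good-1.0.pom").write_bytes(pom)
        (d / "good-1.0.pom.sha1").write_text(hashlib.sha1(pom).hexdigest())
        with zipfile.ZipFile(d / "good-1.0.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in ("bad-1.0.pom", "bad-1.0.pom.sha1", "bad-1.0.jar"):
            (d / name).write_bytes(html)
        return scan_repository(tmp)

if __name__ == "__main__":
    print(demo())
```

Pointing `scan_repository` at a real `~/.m2/repository` lists every cached file that needs deleting and re-resolving from a trusted repository.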
