[
https://issues.apache.org/jira/browse/MRESOLVER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495946#comment-17495946
]
Tamás Cservenák commented on MRESOLVER-236:
-------------------------------------------
Reproducer: make sure demo snippets always operate with empty local repository
(to make sure remote transport happens), alter highlighted line and run the
demo snippet:
https://github.com/apache/maven-resolver/blob/maven-resolver-1.7.3/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/ResolveArtifact.java#L51
It fetches this:
https://repo.maven.apache.org/maven2/org/apache/maven/resolver/maven-resolver-util/1.3.3/
Variations (on artifact value):
* as-is "org.apache.maven.resolver:maven-resolver-util:1.3.3" -- passes OK (as
expected, this is part of build tests)
* "org.apache.maven.resolver:maven-resolver-util:jar.sha1:1.3.3" -- fails*
* ""org.apache.maven.resolver:maven-resolver-util:jar.asc:1.3.3"" -- fails*
* the demo snipped WARNs about absence of checksums, but would fail if checksum
policy is FAIL.
> Make it possible to resolve .asc on a 'fail' <checksumPolicy/> respository.
> ---------------------------------------------------------------------------
>
> Key: MRESOLVER-236
> URL: https://issues.apache.org/jira/browse/MRESOLVER-236
> Project: Maven Resolver
> Issue Type: New Feature
> Components: Resolver
> Affects Versions: 1.7.3
> Reporter: Rod Widdowson
> Priority: Minor
>
> (I'm guessing the resolver version - maven version is 3.8.4).
> We accidently made one of our repositories
> {{<checksumPolicy>fail</checksumPolicy>}} some time ago and over the weekend
> an plugin we run started failing.
> After some digging I discovered that the problem was when the code was
> programmatically trying to resolve a {{jar.asc}} file. Eventually the code
> ended up in
> {code}org.eclipse.aether.internal.impl.Maven2RepositoryLayoutFactory line 196
> public List<Checksum> getChecksums {
> if ( isSignature( artifact.getExtension() ) )
> {
> return Collections.emptyList();
> }
> {code}
> This means that when the resolution hit the correct repository it (silently)
> failed the checksum check and moved on to the next one, eventually falling
> off the end of the list and failing to resolve.
> Our work around is to set the {{<checksumPolicy>}} to warn (which is what it
> used to be).
> 'It would be nice if'
> * The failure was slightly less quiet
> * If it was possible - programmatically or by configuration - to resolve
> signatures from checksuming repositories.
> I have not dived very deeply into the code - just enough to diagnose why our
> CI was exploding so spectacularly so I may have missed some trick in which
> case I apologise for asking for existing function
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
