[
https://issues.apache.org/jira/browse/MNG-8182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17872460#comment-17872460
]
ASF GitHub Bot commented on MNG-8182:
-------------------------------------
cstamas merged PR #1632:
URL: https://github.com/apache/maven/pull/1632
> Missing or mismatching Trusted Checksum for some artifacts is not properly
> reported
> -----------------------------------------------------------------------------------
>
> Key: MNG-8182
> URL: https://issues.apache.org/jira/browse/MNG-8182
> Project: Maven
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.9.8
> Reporter: Marcono1234
> Assignee: Tamas Cservenak
> Priority: Minor
> Fix For: 4.0.0, 3.9.9, 4.0.0-beta-4
>
> Attachments: checksums-test.zip
>
>
> h3. Description
> When using Maven Artifact Resolver's ["Trusted Checksums"
> feature|https://maven.apache.org/resolver/expected-checksums.html#trusted-checksums],
> but the checksum for {{maven-shared-incremental}} is missing, the error is
> not properly reported on the console:
> {quote}
> [ERROR] Failed to execute goal
> org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile
> (default-compile) on project my-app: Execution default-compile of goal
> org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile failed: Plugin
> org.apache.maven.plugins:maven-compiler-plugin:3.13.0 or one of its
> dependencies could not be resolved:
> [ERROR]
> [ERROR]
> [ERROR] -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e
> switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> {quote}
> Note how there are no details about why resolution failed.
> When running with {{-X}} / {{\--debug}} the information is visible in the
> stack trace, however I think this information should be shown by default.
> {quote}
> Caused by: org.eclipse.aether.resolution.DependencyResolutionException: The
> following artifacts could not be resolved:
> org.apache.maven.shared:maven-shared-incremental:jar:1.1 (present): Missing
> from summaryFile trusted checksum(s) [SHA-1] for artifact
> org.apache.maven.shared:maven-shared-incremental:jar:1.1
> {quote}
> It seems
> {{org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver#resolveInternal}}
> is ommitting the cause when throwing a new exception. Therefore I reported
> it as Maven bug, though maybe the underlying issue is with Maven Artifact
> Resolver?
> I also haven't fully understood the internal details of the Artifact Resolver
> "Trusted Checksums" feature yet. It seems the checksum for
> {{maven-shared-incremental}} is stored in a separate {{checksums-local.sha1}}
> file. Either way, regardless of the implementation details, the fact that it
> is a separate file makes it more likely that users accidentally forget to
> commit it for example in Git and then get the irritating error mentioned
> above.
> h3. How to reproduce
> I have performed this on Windows 10, but the OS might not matter.
> # Download the attached [^checksums-test.zip] and extract it
> # Inside it, run
> {code}
> ./mvnw compile
> {code}
> (x) Bug: An error occurs, but the error message does not explain why the
> dependencies could not be resolved
> # Run
> {code}
> ./mvnw compile -X
> {code}
> (i) Note: The stack trace now reveals that the cause for the error is the
> missing checksum for {{maven-shared-incremental}}
> # Run
> {code}
> ./mvnw compile
> "-Daether.artifactResolver.postProcessor.trustedChecksums.record=true"
> {code}
> (i) Note: An additional {{checksums-local.sha1}} file was created and the
> build succeeded
> As side note: Maybe the way this sample project uses the "Trusted Checksums"
> feature is not proper (see also related [Stack Overflow
> question|https://stackoverflow.com/q/78746427]), though either way, the
> incomplete error message is confusing.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
