[ https://issues.apache.org/jira/browse/MNG-8182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17874996#comment-17874996 ]
Marcono1234 commented on MNG-8182:
----------------------------------

Thanks a lot for fixing this, and for the demo project! It seems I was pretty close then with [my Stack Overflow answer|https://stackoverflow.com/a/78746428], except that I wasn't aware of {{${session.rootDirectory}}}; I have adjusted my answer there.

Are there any plans to make configuring / enabling the "Trusted Checksums" feature easier in the future? Ideally directly in the {{pom.xml}}, so that it is not as error-prone as the current approach:

||Current approach||{{pom.xml}} approach||
| Using {{.mvn/maven.config}} to specify system properties is complicated, and it can easily happen that the setup is wrong (e.g. missing / mistyped system property name). | Configuration in {{pom.xml}} would be more obvious and {{pom.xml}} schema would prevent malformed configuration and typos. |
| Requires recent Maven versions / usage of Maven wrapper. When accidentally using older version no checksum verification is performed. | If the checksum configuration was part of the {{pom.xml}}, then (hopefully) older Maven versions would reject it because it is unknown to them, and you would notice that you are using a too old Maven version. |

This is a bit similar to MNG-6026, but I am not suggesting to move this checksum information inside the {{pom.xml}}. Instead I am suggesting to keep the existing format and behavior of the Maven Artifact Resolver, but allow configuring it through {{pom.xml}}, instead of / in addition to the currently used {{-Daether.artifactResolver...}} (and similar) properties.

> Missing or mismatching Trusted Checksum for some artifacts is not properly reported
> -----------------------------------------------------------------------------------
>
> Key: MNG-8182
> URL: https://issues.apache.org/jira/browse/MNG-8182
> Project: Maven
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.9.8
> Reporter: Marcono1234
> Assignee: Tamas Cservenak
> Priority: Minor
> Fix For: 4.0.0, 3.9.9, 4.0.0-beta-4
>
> Attachments: checksums-test.zip
>
>
> h3. Description
> When using Maven Artifact Resolver's ["Trusted Checksums" feature|https://maven.apache.org/resolver/expected-checksums.html#trusted-checksums], but the checksum for {{maven-shared-incremental}} is missing, the error is not properly reported on the console:
> {quote}
> [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile (default-compile) on project my-app: Execution default-compile of goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile failed: Plugin org.apache.maven.plugins:maven-compiler-plugin:3.13.0 or one of its dependencies could not be resolved:
> [ERROR]
> [ERROR]
> [ERROR] -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> {quote}
> Note how there are no details about why resolution failed.
> When running with {{-X}} / {{\--debug}} the information is visible in the stack trace, however I think this information should be shown by default.
> {quote}
> Caused by: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: org.apache.maven.shared:maven-shared-incremental:jar:1.1 (present): Missing from summaryFile trusted checksum(s) [SHA-1] for artifact org.apache.maven.shared:maven-shared-incremental:jar:1.1
> {quote}
> It seems {{org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver#resolveInternal}} is omitting the cause when throwing a new exception. Therefore I reported it as Maven bug, though maybe the underlying issue is with Maven Artifact Resolver?
> I also haven't fully understood the internal details of the Artifact Resolver "Trusted Checksums" feature yet. It seems the checksum for {{maven-shared-incremental}} is stored in a separate {{checksums-local.sha1}} file. Either way, regardless of the implementation details, the fact that it is a separate file makes it more likely that users accidentally forget to commit it for example in Git and then get the irritating error mentioned above.
>
> h3. How to reproduce
> I have performed this on Windows 10, but the OS might not matter.
> # Download the attached [^checksums-test.zip] and extract it
> # Inside it, run
> {code}
> ./mvnw compile
> {code}
> (x) Bug: An error occurs, but the error message does not explain why the dependencies could not be resolved
> # Run
> {code}
> ./mvnw compile -X
> {code}
> (i) Note: The stack trace now reveals that the cause for the error is the missing checksum for {{maven-shared-incremental}}
> # Run
> {code}
> ./mvnw compile "-Daether.artifactResolver.postProcessor.trustedChecksums.record=true"
> {code}
> (i) Note: An additional {{checksums-local.sha1}} file was created and the build succeeded
>
> As a side note: Maybe the way this sample project uses the "Trusted Checksums" feature is not proper (see also related [Stack Overflow question|https://stackoverflow.com/q/78746427]), though either way, the incomplete error message is confusing.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
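
An added example, not part of the Jira message or of the Maven project: a small lint for the {{.mvn/maven.config}} setup the comment calls error-prone, flagging mistyped or missing "Trusted Checksums" properties and a committed {{record=true}}. Property names other than the {{...trustedChecksums.record}} one quoted in the issue, and the defaults, are assumed from the Maven Artifact Resolver configuration documentation; the sample configs are constructed.

```python
import difflib

# Property names and defaults are assumed from the Maven Artifact Resolver
# configuration docs; only the ".record" one is quoted in the message above.
PP = "aether.artifactResolver.postProcessor.trustedChecksums"
SRC = "aether.trustedChecksumsSource"
KNOWN = sorted(
    [PP] + [f"{PP}.{s}" for s in ("checksumAlgorithms", "failIfMissing", "record", "snapshots")]
    + [f"{SRC}.{k}{s}" for k in ("summaryFile", "sparseDirectory")
       for s in ("", ".basedir", ".originAware")])

def parse_props(text):
    """Collect -Dname=value arguments (one argument per line)."""
    props = {}
    for line in text.splitlines():
        line = line.strip().strip('"')
        if line.startswith("-D"):
            name, _, value = line[2:].partition("=")
            props[name] = value or "true"  # bare -Dname means "true"
    return props

def is_true(props, name):
    return props.get(name, "").lower() == "true"

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    props, findings = parse_props(text), []
    for name in props:
        if name.startswith("aether.") and name not in KNOWN:
            close = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
            if close:
                findings.append(f"unknown property {name}; did you mean {close[0]}?")
    if not is_true(props, PP):
        findings.append("post-processor not enabled: no checksum verification")
    if not any(is_true(props, f"{SRC}.{k}") for k in ("summaryFile", "sparseDirectory")):
        findings.append("no trusted checksums source enabled")
    if not is_true(props, f"{PP}.failIfMissing"):
        findings.append("failIfMissing not true: missing checksums are accepted")
    if is_true(props, f"{PP}.record"):
        findings.append("record=true committed: missing checksums get recorded")
    return findings

# Constructed sample configs (not taken from checksums-test.zip).
GOOD = "\n".join(f"-D{k}={v}" for k, v in [
    (PP, "true"), (f"{PP}.checksumAlgorithms", "SHA-1"),
    (f"{PP}.failIfMissing", "true"), (f"{SRC}.summaryFile", "true"),
    (f"{SRC}.summaryFile.basedir", "${session.rootDirectory}/.mvn/checksums")])
TYPO = GOOD.replace("trustedChecksums=true", "trustedChecksum=true")
print("\n".join(lint(TYPO)))
```

Run in CI against the committed {{.mvn/maven.config}}, a non-empty result from {{lint}} can fail the build before Maven silently skips verification.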