log4j 1.2.15 points to nonfuctional maven-repository.dev.java.net packages
breaking whole build
-----------------------------------------------------------------------------------------------
Key: MNG-4473
URL: http://jira.codehaus.org/browse/MNG-4473
Project: Maven 2
Issue Type: Bug
Affects Versions: 2.2.1
Reporter: Jan Uhlir
Log4j 2.1.15 dependency from central repository has dependencies linked to
https://maven-repository.dev.java.net/nonav/repository - jmxri, jmxtools and
java mail (and others?). These denpendencies are broken or the whole external
repository is unaccesible by now.
Is it even permitted to have "external" dependency for a package in central
repository?
I found it hard to find how to disable a repository (block a repository) so I
am using this opportunity for a micro how to for unlucky ones like me.
Troubled dependency definition:
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.15</version>
</dependency>
Error log (shortened) ----------------------
[INFO] Scanning for projects...
...
[INFO] Copying 1 resource
Downloading:
https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
Downloading:
https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
353/353b
353b downloaded (jmxri-1.2.1.jar)
357/357b
357b downloaded (jmxtools-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local =
'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - RETRYING
Downloading:
https://maven-repository.dev.java.net/nonav/repository/com.sun.jmx/jars/jmxri-1.2.1.jar
353/353b
353b downloaded (jmxri-1.2.1.jar)
[WARNING] [WARNING] *** CHECKSUM FAILED - Checksum failed on download: local =
'a55ce8e95c9bb027e78557acc9e2b973fe3c611e'; remote = '<!DOCTYPE' - IGNORING
*** CHECKSUM FAILED - Checksum failed on download: local =
'9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - RETRYING
Downloading:
https://maven-repository.dev.java.net/nonav/repository/com.sun.jdmk/jars/jmxtools-1.2.1.jar
357/357b
357b downloaded (jmxtools-1.2.1.jar)
[WARNING] *** CHECKSUM FAILED - Checksum failed on download: local =
'9e1dae7682d2b60d5b17b7d47e20d99d70ba65cf'; remote = '<!DOCTYPE' - IGNORING
...
[INFO] Compilation failure
...
error: error reading
/opt/javalibs/com/sun/jdmk/jmxtools/1.2.1/jmxtools-1.2.1.jar; error in opening
zip file
error: error reading /opt/javalibs/com/sun/jmx/jmxri/1.2.1/jmxri-1.2.1.jar;
error in opening zip file
Solution (1) - Disable repository (settings.xml).
Note, it is much more tricky that it seems to be! It gave me hard time before I
found out. Documentation should be improved here.
1) Tricky, you have to do it for releases and snapshots. There is no repository
wide disabling option.
2) You have to provide not just same (failing) repository URL but more
importantly the same repository ID as it is in ill referencig POM (log4j 2.1.15
in our case)
3) Blacklisting repository is something completely different then disabling.
Not usable in this case (?). It is not ad hoc settable by user anyway
OK, here is the code:
<profile>
<id>default</id>
...
<repositories>
<repository>
<id>java.net</id>
<!-- IMPORTANT!!! you have to use same ID as in
affected POM otherwise it does not work -->
<url>https://maven-repository.dev.java.net/nonav/repository</url>
<releases>
<enabled>false</enabled>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
</profile>
Solution (2) - exclude the "external" sub-dependencies of log4j 2.1.15, like
jmxri, jmxtools and java mail. And perhaps others. It takes more time to figure
out what else "external".
Solution (3) - the best one. Use version log4j 2.1.14 instead. It seems to be
OK.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
