[GitHub] [maven-verifier] slawekjaranowski opened a new pull request, #52: Code cleanup
slawekjaranowski opened a new pull request, #52: URL: https://github.com/apache/maven-verifier/pull/52 - missing Deprecated annotations - use diamond operator - remove unused fields -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [maven-verifier] michael-o commented on pull request #52: Code cleanup
michael-o commented on PR #52: URL: https://github.com/apache/maven-verifier/pull/52#issuecomment-1254709636 Looking through...
[GitHub] [maven-verifier] michael-o commented on a diff in pull request #52: Code cleanup
michael-o commented on code in PR #52: URL: https://github.com/apache/maven-verifier/pull/52#discussion_r977371524 ## src/main/java/org/apache/maven/shared/verifier/Verifier.java: ## @@ -355,7 +352,7 @@ private BufferedReader getReader( String filename, String encoding ) throws IOEx if ( StringUtils.isNotEmpty( encoding ) ) { -return new BufferedReader( new InputStreamReader( new FileInputStream( file ), encoding ) ); +return new BufferedReader( new InputStreamReader( Files.newInputStream( file.toPath() ), encoding ) ); Review Comment: https://docs.oracle.com/javase/7/docs/api/java/nio/file/Files.html#newBufferedReader(java.nio.file.Path,%20java.nio.charset.Charset) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
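Review bot: In the + line of getReader(), Files.newInputStream( file.toPath() ) opens the file before new InputStreamReader( ..., encoding ) has checked the encoding name, so an unsupported name throws and leaves the stream open; the - line had the same ordering. Resolve the charset first with Charset.forName( encoding ) and pass it to Files.newBufferedReader( file.toPath(), charset ), the method linked in the review comment, which also removes the nested constructors. Files.newBufferedReader reports malformed or unmappable bytes with an exception where InputStreamReader substitutes a replacement character, so that behaviour change belongs in the commit message.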
[jira] [Commented] (SUREFIRE-2116) Surefire release notes page gives Page Not Found error
[ https://issues.apache.org/jira/browse/SUREFIRE-2116?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608188#comment-17608188 ] Slawomir Jaranowski commented on SUREFIRE-2116: --- There is an inconsistency to see release notes - user should be logged but to see generated report logging is not needed, eg: [https://issues.apache.org/jira/projects/SUREFIRE/versions/12351502] [https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317927&version=12351502] > Surefire release notes page gives Page Not Found error > -- > > Key: SUREFIRE-2116 > URL: https://issues.apache.org/jira/browse/SUREFIRE-2116 > Project: Maven Surefire > Issue Type: Bug > Components: documentation >Reporter: Matt Watson >Assignee: Michael Osipov >Priority: Minor > Attachments: image-2022-09-21-10-03-00-527.png, > image-2022-09-21-11-23-07-512.png > > > When trying to view the release notes for the maven-surefire-plugin I am > shown a Page Not Found error rather than the release notes > ([https://maven.apache.org/surefire/maven-surefire-plugin/jira-report.html)] > > !image-2022-09-21-10-03-00-527.png! -- This message was sent by Atlassian Jira (v8.20.10#820010)
[GitHub] [maven-resolver] raphw commented on pull request #191: [MRESOLVER-268] Allow for checksum validation upon artifact resolution.
raphw commented on PR #191: URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1254893057

As for the overhead: I use a Maven extension today that does the same thing - that is evaluating the sha256 of each file - and it causes an overhead of about 300 milliseconds on a build time of about 1 minute and 10 seconds. I think this is defensible; assuming that people can choose to not provide checksums.

As for the local repository: the easiest "hack" is to define a custom repository in a settings.xml. But this will trigger a new download on each build, and not everybody can rely on GitHub Actions, even though they get it right.

From a security perspective, the best model is one of zero trust. And the beauty of being able to evaluate checksums upon resolution is that you do not need to trust the build server to be configured correctly. All you need to do is to create a Maven project, and all code that is loaded from outside the project will be evaluated to be legitimate, independent of the build server's setup.

As for making this an extension: this is a bit of a chicken and egg problem. The extension needs to be downloaded, and normally is via Maven Central. If this extension is invalid, the security model is broken. This is why I would want it to be a part of Maven Resolver. If Maven Wrapper is validating the checksums of its downloaded artifacts, the validation chain would be complete and a zero trust model is established for any Maven build. (Gradle offers the same feature.)
[jira] [Commented] (MRESOLVER-268) Apply artifact checksum verification for any resolved artifact
[ https://issues.apache.org/jira/browse/MRESOLVER-268?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608228#comment-17608228 ] ASF GitHub Bot commented on MRESOLVER-268: -- raphw commented on PR #191: URL: https://github.com/apache/maven-resolver/pull/191#issuecomment-1254893057
> Apply artifact checksum verification for any resolved artifact
>
> Key: MRESOLVER-268
> URL: https://issues.apache.org/jira/browse/MRESOLVER-268
> Project: Maven Resolver
> Issue Type: Improvement
> Components: Resolver
> Reporter: Rafael Winterhalter
> Assignee: Tamás Cservenák
> Priority: Major
>
> Maven resolver currently only verifies provided checksums (via ProvidedChecksumsSource) when artifacts are downloaded from a remote repository. While this strategy is efficient when working with a clean local repository, it can create problems if two Maven projects share a local repository, where only one project validates hashes. If the first project has downloaded a corrupted artifact, the second project would now use this corrupted artifact despite knowing a non-matching checksum.
> With the proposed change, artifacts are validated whenever they are resolved. This allows to retain the integrity of a project also when sharing a local Maven repository with other, unsecured projects.
> The current PR only activates this general validation if a global validation policy is defined.
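The shared-local-repository case from the issue description, as an added example that is not code from Maven Resolver or from PR #191. The class, its method names, the flat file layout and the coordinate `com.example:lib:1.0` are assumptions made for the illustration; it contrasts a resolver that trusts whatever is already in the local repository with one that checks the expected SHA-256 on every resolution.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical resolver model; none of these names are Maven Resolver API. */
public class ResolveTimeChecksumDemo {

    private final Path localRepo;
    /** Expected SHA-256 (hex) per coordinate, as a project would declare it. */
    private final Map<String, String> expectedSha256 = new HashMap<>();

    ResolveTimeChecksumDemo(Path localRepo) {
        this.localRepo = localRepo;
    }

    void expect(String coordinate, String sha256Hex) {
        expectedSha256.put(coordinate, sha256Hex);
    }

    /** Constructed flat layout for the demo, not the real Maven repository layout. */
    Path pathOf(String coordinate) {
        return localRepo.resolve(coordinate.replace(':', '_') + ".jar");
    }

    static String sha256Hex(Path file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new DigestInputStream(Files.newInputStream(file), md)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) {
                // reading through the stream is what feeds the digest
            }
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Download-time model: a file already present in the local repository is used as-is. */
    Path resolveTrustingLocalRepo(String coordinate) throws IOException {
        Path file = pathOf(coordinate);
        if (!Files.isRegularFile(file)) {
            throw new IOException("not in local repository: " + coordinate);
        }
        return file;
    }

    /** Resolve-time model: the declared checksum is enforced on every resolution. */
    Path resolveVerified(String coordinate) throws IOException, NoSuchAlgorithmException {
        Path file = resolveTrustingLocalRepo(coordinate);
        String want = expectedSha256.get(coordinate);
        if (want == null) {
            return file; // no checksum provided for this artifact: nothing to enforce
        }
        String got = sha256Hex(file);
        if (!got.equalsIgnoreCase(want)) {
            throw new IOException("checksum mismatch for " + coordinate
                    + ": expected " + want + ", found " + got);
        }
        return file;
    }

    public static void main(String[] args) throws Exception {
        Path sharedRepo = Files.createTempDirectory("shared-local-repo");
        String coordinate = "com.example:lib:1.0"; // constructed sample coordinate

        // Project B declares the checksum of the genuine artifact.
        ResolveTimeChecksumDemo projectB = new ResolveTimeChecksumDemo(sharedRepo);
        Path file = projectB.pathOf(coordinate);
        Files.write(file, "genuine artifact bytes".getBytes(StandardCharsets.UTF_8));
        projectB.expect(coordinate, sha256Hex(file));
        System.out.println("clean repository: " + projectB.resolveVerified(coordinate).getFileName());

        // A project without checksums, sharing the repository, stores different bytes.
        Files.write(file, "corrupted artifact bytes".getBytes(StandardCharsets.UTF_8));

        System.out.println("download-time model returns: "
                + projectB.resolveTrustingLocalRepo(coordinate).getFileName());
        try {
            projectB.resolveVerified(coordinate);
            System.out.println("resolve-time model accepted the file");
        } catch (IOException e) {
            System.out.println("resolve-time model rejects: " + e.getMessage());
        }
    }
}
```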
[GitHub] [maven-verifier] slawekjaranowski merged pull request #52: Code cleanup
slawekjaranowski merged PR #52: URL: https://github.com/apache/maven-verifier/pull/52
[jira] [Updated] (MSHARED-1124) Add new version of methods filterFile and newDefaultFilterMap
[ https://issues.apache.org/jira/browse/MSHARED-1124?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Slawomir Jaranowski updated MSHARED-1124:
    Issue Type: Improvement (was: Task)

> Add new version of methods filterFile and newDefaultFilterMap
>
> Key: MSHARED-1124
> URL: https://issues.apache.org/jira/browse/MSHARED-1124
> Project: Maven Shared Components
> Issue Type: Improvement
> Components: maven-verifier
> Reporter: Slawomir Jaranowski
> Assignee: Slawomir Jaranowski
> Priority: Major
> Fix For: maven-verifier-2.0.0-M1
>
> Deprecated method
> {code}
> Verifier#filterFile(java.lang.String, java.lang.String, java.lang.String, java.util.Properties)
> {code}
> is used about 262 times by Maven core integration test, most of case we have code, like:
> {code}
> verifier.filterFile( "settings-template.xml", "settings.xml", "UTF-8", verifier.newDefaultFilterProperties() );
> {code}
> With a new method can be replaced by:
> {code}
> verifier.filterFile( "settings-template.xml", "settings.xml", "UTF-8" );
> {code}
[jira] [Updated] (MSHARED-1137) Revise Verifier#getDefaultMavenHome()/#getExecutable()
[ https://issues.apache.org/jira/browse/MSHARED-1137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Slawomir Jaranowski updated MSHARED-1137: - Issue Type: Improvement (was: Task) > Revise Verifier#getDefaultMavenHome()/#getExecutable() > -- > > Key: MSHARED-1137 > URL: https://issues.apache.org/jira/browse/MSHARED-1137 > Project: Maven Shared Components > Issue Type: Improvement > Components: maven-verifier >Reporter: Michael Osipov >Assignee: Slawomir Jaranowski >Priority: Major > Fix For: maven-verifier-2.0.0-M1 > > > This method contains relics from the past: > * {{M2_HOME}} has be removed years ago, so can this go > * In the last 10 years we have never advocated a Maven installation on > \{{${user.home}/.m2/}}, so this can go as well > All we care about is {{{}maven.home{}}}. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (MSHARED-1127) Remove main method from Verifier
[ https://issues.apache.org/jira/browse/MSHARED-1127?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Slawomir Jaranowski updated MSHARED-1127: - Issue Type: Improvement (was: Task) > Remove main method from Verifier > > > Key: MSHARED-1127 > URL: https://issues.apache.org/jira/browse/MSHARED-1127 > Project: Maven Shared Components > Issue Type: Improvement > Components: maven-verifier >Reporter: Slawomir Jaranowski >Assignee: Slawomir Jaranowski >Priority: Major > Fix For: maven-verifier-2.0.0-M1 > > > There is {{main}} method in Verifier, it is undocumented feature and probably > not used. > Verifier should be called form test code not from command line. > We can also remove code used only for it. > Code use in main method parse arguments for command line. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (MSHARED-1142) Remove e.getMessage() duplication when e is passed as object
[ https://issues.apache.org/jira/browse/MSHARED-1142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Slawomir Jaranowski updated MSHARED-1142: - Issue Type: Improvement (was: Task) > Remove e.getMessage() duplication when e is passed as object > > > Key: MSHARED-1142 > URL: https://issues.apache.org/jira/browse/MSHARED-1142 > Project: Maven Shared Components > Issue Type: Improvement > Components: maven-verifier >Reporter: Michael Osipov >Priority: Major > Labels: up-for-grabs > Fix For: maven-verifier-2.0.0-M1 > > > In many spots this is code: > {noformat} > throw new Exception( "Failed to run Maven: " + e.getMessage(), e ); {noformat} > {{e.getMessage()}} is redundant because {{e}} is already passed to the new > exception. It will duplicate the message. Zero benefit. We shall remove them. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (MSHARED-1135) Deprecate Verifier#setMavenDebug(boolean) for removal
[ https://issues.apache.org/jira/browse/MSHARED-1135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Slawomir Jaranowski updated MSHARED-1135: - Issue Type: Improvement (was: Task) > Deprecate Verifier#setMavenDebug(boolean) for removal > - > > Key: MSHARED-1135 > URL: https://issues.apache.org/jira/browse/MSHARED-1135 > Project: Maven Shared Components > Issue Type: Improvement > Components: maven-verifier >Reporter: Michael Osipov >Assignee: Slawomir Jaranowski >Priority: Major > Labels: up-for-grabs > Fix For: maven-verifier-2.0.0-M1 > > > This method has two issues: > * The used option has been deprecated in favor of {{-X}} > * The code overhead for just passing {{-X}} is not justified. This can > simply be added by client code. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[GitHub] [maven-verifier] slawekjaranowski merged pull request #51: Bump junit-jupiter from 5.9.0 to 5.9.1
slawekjaranowski merged PR #51: URL: https://github.com/apache/maven-verifier/pull/51
[jira] [Closed] (MSHARED-1148) Bump junit-jupiter from 5.9.0 to 5.9.1
[ https://issues.apache.org/jira/browse/MSHARED-1148?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Slawomir Jaranowski closed MSHARED-1148. Resolution: Fixed > Bump junit-jupiter from 5.9.0 to 5.9.1 > -- > > Key: MSHARED-1148 > URL: https://issues.apache.org/jira/browse/MSHARED-1148 > Project: Maven Shared Components > Issue Type: Dependency upgrade > Components: maven-verifier >Reporter: Slawomir Jaranowski >Assignee: Slawomir Jaranowski >Priority: Major > Fix For: maven-verifier-2.0.0-M1 > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (MSHARED-1148) Bump junit-jupiter from 5.9.0 to 5.9.1
Slawomir Jaranowski created MSHARED-1148: Summary: Bump junit-jupiter from 5.9.0 to 5.9.1 Key: MSHARED-1148 URL: https://issues.apache.org/jira/browse/MSHARED-1148 Project: Maven Shared Components Issue Type: Dependency upgrade Components: maven-verifier Reporter: Slawomir Jaranowski Assignee: Slawomir Jaranowski Fix For: maven-verifier-2.0.0-M1 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Assigned] (MSHARED-1142) Remove e.getMessage() duplication when e is passed as object
[ https://issues.apache.org/jira/browse/MSHARED-1142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Slawomir Jaranowski reassigned MSHARED-1142: Assignee: Michael Osipov > Remove e.getMessage() duplication when e is passed as object > > > Key: MSHARED-1142 > URL: https://issues.apache.org/jira/browse/MSHARED-1142 > Project: Maven Shared Components > Issue Type: Improvement > Components: maven-verifier >Reporter: Michael Osipov >Assignee: Michael Osipov >Priority: Major > Labels: up-for-grabs > Fix For: maven-verifier-2.0.0-M1 > > > In many spots this is code: > {noformat} > throw new Exception( "Failed to run Maven: " + e.getMessage(), e ); {noformat} > {{e.getMessage()}} is redundant because {{e}} is already passed to the new > exception. It will duplicate the message. Zero benefit. We shall remove them. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (MRESOURCES-290) Configuration to Redact Environment Variable Values
Alan Zimmer created MRESOURCES-290: -- Summary: Configuration to Redact Environment Variable Values Key: MRESOURCES-290 URL: https://issues.apache.org/jira/browse/MRESOURCES-290 Project: Maven Resources Plugin Issue Type: New Feature Reporter: Alan Zimmer Add a configuration, or set by default, which controls whether environment variables are redacted in debugging. Right now when debugging is enabled it's very easy to accidentally leak credentials and other PII when maven-resource-plugin runs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (MRESOURCES-290) Configuration to Redact Environment Variable Values
[ https://issues.apache.org/jira/browse/MRESOURCES-290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alan Zimmer updated MRESOURCES-290: --- Priority: Major (was: Minor) > Configuration to Redact Environment Variable Values > --- > > Key: MRESOURCES-290 > URL: https://issues.apache.org/jira/browse/MRESOURCES-290 > Project: Maven Resources Plugin > Issue Type: New Feature >Reporter: Alan Zimmer >Priority: Major > > Add a configuration, or set by default, which controls whether environment > variables are redacted in debugging. Right now when debugging is enabled it's > very easy to accidentally leak credentials and other PII when > maven-resource-plugin runs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[GitHub] [maven-javadoc-plugin] michael-o commented on pull request #164: MJAVADOC-731 update parent, get rid of legacy
michael-o commented on PR #164: URL: https://github.com/apache/maven-javadoc-plugin/pull/164#issuecomment-1255228097 @kwin Should I test again?
[GitHub] [maven-javadoc-plugin] kwin commented on pull request #164: MJAVADOC-731 update parent, get rid of legacy
kwin commented on PR #164: URL: https://github.com/apache/maven-javadoc-plugin/pull/164#issuecomment-1255255739

It still fails for me locally and on Jenkins and I don't know why exactly. The mrm-maven-plugin should IMHO deliver the missing artifact but the source in https://github.com/apache/maven-javadoc-plugin/tree/master/src/it/mrm/3rdparty seems incomplete to me. I run into

```
DEBUG] Resolving artifact org.apache.maven.plugins.javadoc.its:lib:jar:1.0 from [mrm-maven-plugin (http://localhost:51146, default, releases+snapshots)]
[DEBUG] Skipped remote request for org.apache.maven.plugins.javadoc.its:lib:jar:1.0, already updated during this session
[INFO]
[INFO] Reactor Summary for mjavadoc494 1.0-SNAPSHOT:
[INFO]
[INFO] mjavadoc494 FAILURE [ 1.394 s]
[INFO] mjavadoc494-module1 SKIPPED
[INFO]
[INFO] BUILD FAILURE
[INFO]
[INFO] Total time: 1.531 s
[INFO] Finished at: 2022-09-22T18:09:27+02:00
[INFO]
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:3.4.2-SNAPSHOT:aggregate (default-cli) on project mjavadoc494: An error has occurred in Javadoc report generation: org.apache.maven.plugins.javadoc.its:lib:jar:1.0 was not found in http://localhost:51146 during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of mrm-maven-plugin has elapsed or updates are forced -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:3.4.2-SNAPSHOT:aggregate (default-cli) on project mjavadoc494: An error has occurred in Javadoc report generation: org.apache.maven.plugins.javadoc.its:lib:jar:1.0 was not found in http://localhost:51146 during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of mrm-maven-plugin has elapsed or updates are forced...
```
[jira] [Updated] (MRESOURCES-290) Configuration to Redact Environment Variable Values
[ https://issues.apache.org/jira/browse/MRESOURCES-290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Alan Zimmer updated MRESOURCES-290: --- Description: Add a configuration which controls whether environment variables are redacted in debugging, or change the logging behavior to always redact the value. Right now when debugging is enabled it's very easy to accidentally leak credentials and other PII when maven-resource-plugin runs. (was: Add a configuration, or set by default, which controls whether environment variables are redacted in debugging. Right now when debugging is enabled it's very easy to accidentally leak credentials and other PII when maven-resource-plugin runs.) > Configuration to Redact Environment Variable Values > --- > > Key: MRESOURCES-290 > URL: https://issues.apache.org/jira/browse/MRESOURCES-290 > Project: Maven Resources Plugin > Issue Type: New Feature >Reporter: Alan Zimmer >Priority: Major > > Add a configuration which controls whether environment variables are redacted > in debugging, or change the logging behavior to always redact the value. > Right now when debugging is enabled it's very easy to accidentally leak > credentials and other PII when maven-resource-plugin runs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[GitHub] [maven-assembly-plugin] dependabot[bot] opened a new pull request, #93: Bump postgresql from 42.3.3 to 42.3.7 in /src/it/projects/bugs/massembly-730
dependabot[bot] opened a new pull request, #93: URL: https://github.com/apache/maven-assembly-plugin/pull/93

Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.3.3 to 42.3.7.

Changelog

Sourced from [postgresql's changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md).

Changelog

Notable changes since version 42.0.0, read the complete [History of Changes](https://jdbc.postgresql.org/documentation/changelog.html).

The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).

[Unreleased]

Changed

Added

Fixed

[42.5.0] (2022-08-23 11:20:11 -0400)

Changed

- fix: revert change in [PR #1986](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/1986) where float was aliased to float4 from float8. float now aliases to float8 [PR #2598](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/2598) fixes [Issue #2597](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2597)

[42.4.2] (2022-08-17 10:33:40 -0400)

Changed

- fix: add alias to the generated getUDT() query for clarity (PR #2553)[https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/2553]

Added

- fix: make setObject accept UUID array [PR #2587](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/2587)

Fixed

- fix: regression with GSS. Changes introduced to support building with Java 17 caused failures [Issue #2588](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2588)
- fix: set a timeout to get the return from requesting SSL upgrade. [PR #2572](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/pull/2572)
- feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)

[42.4.1] (2022-08-01 16:24:20 -0400)

Security

- fix: CVE-2022-31197 Fixes SQL generated in PgResultSet.refresh() to escape column identifiers so as to prevent SQL injection. Previously, the column names for both key and data columns in the table were copied as-is into the generated SQL. This allowed a malicious table with column names that include statement terminator to be parsed and executed as multiple separate commands. Also adds a new test class ResultSetRefreshTest to verify this change. Reported by [Sho Kato](https://github.com/kato-sho)

Changed

- chore: skip publishing pgjdbc-osgi-test to Central
- chore: bump Gradle to 7.5
- test: update JUnit to 5.8.2

Added

- chore: added Gradle Wrapper Validation for verifying gradle-wrapper.jar
- chore: added "permissions: contents: read" for GitHub Actions to avoid unintentional modifications by the CI
- chore: support building pgjdbc with Java 17
- feat: synchronize statement executions (e.g. avoid deadlock when Connection.isValid is executed from concurrent threads)

... (truncated)

Commits

- [0afaa71](https://github.com/pgjdbc/pgjdbc/commit/0afaa71d5254804f8bab7caab96735c5f7d11aa1) backpatch changes from GHSA-r38f-c4h4-hqq2 security advisory for CVE-2022-311...
- [7714d03](https://github.com/pgjdbc/pgjdbc/commit/7714d035b2123bbf5e5461d3ea162af946191941) Created release notes for 42.3.6 [SKIP-CI] ([#2515](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2515))
- [85f8581](https://github.com/pgjdbc/pgjdbc/commit/85f85813a4092eaf37e9fcc5b479eb6ff94fe963) fix: close refcursors when underlying cursor==null instead of relying on defa...
- [12541c4](https://github.com/pgjdbc/pgjdbc/commit/12541c4d2e8549426207b212dbc7963b0cc780f6) bumped version number
- [0872ad0](https://github.com/pgjdbc/pgjdbc/commit/0872ad0ed33d3df355948282420f09ff8cb9ff50) Fix heading format for version numbers ([#2504](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2504))
- [0d6ccb1](https://github.com/pgjdbc/pgjdbc/commit/0d6ccb194a94cebe1cc0add461382b91f13c2a4a) More changlog additions added chore to terminate CI jobs on fast PR pushes [S...
- [2bd774e](https://github.com/pgjdbc/pgjdbc/commit/2bd774e8ea2f8732b5eaee233487a73b5389cc1f) Releasenotes 42.3.5 ([#2502](https://github-redirect.dependabot.com/pgjdbc/pgjdbc/issues/2502))
- [c04582e](https://github.com/pgjdbc/pgjdbc/commit/c04582eb64ef8771f7e09d2900eaa20883d64400) chore: use GitHub Action concurrency feature to terminate CI jobs on fast PR ...
- https://github.com/pg
[GitHub] [maven-assembly-plugin] dependabot[bot] closed pull request #86: Bump postgresql from 42.3.3 to 42.4.1 in /src/it/projects/bugs/massembly-730
dependabot[bot] closed pull request #86: Bump postgresql from 42.3.3 to 42.4.1 in /src/it/projects/bugs/massembly-730 URL: https://github.com/apache/maven-assembly-plugin/pull/86
[GitHub] [maven-assembly-plugin] dependabot[bot] commented on pull request #86: Bump postgresql from 42.3.3 to 42.4.1 in /src/it/projects/bugs/massembly-730
dependabot[bot] commented on PR #86: URL: https://github.com/apache/maven-assembly-plugin/pull/86#issuecomment-1255349947 Superseded by #93.
[jira] [Commented] (MRESOURCES-290) Configuration to Redact Environment Variable Values
[ https://issues.apache.org/jira/browse/MRESOURCES-290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608387#comment-17608387 ] Michael Osipov commented on MRESOURCES-290: --- This applies to many components actually... > Configuration to Redact Environment Variable Values > --- > > Key: MRESOURCES-290 > URL: https://issues.apache.org/jira/browse/MRESOURCES-290 > Project: Maven Resources Plugin > Issue Type: New Feature >Reporter: Alan Zimmer >Priority: Major > > Add a configuration which controls whether environment variables are redacted > in debugging, or change the logging behavior to always redact the value. > Right now when debugging is enabled it's very easy to accidentally leak > credentials and other PII when maven-resource-plugin runs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (MEAR-309) Support JakartaEE 10
Wolfgang Knauf created MEAR-309: --- Summary: Support JakartaEE 10 Key: MEAR-309 URL: https://issues.apache.org/jira/browse/MEAR-309 Project: Maven EAR Plugin Issue Type: Improvement Affects Versions: 3.2.0 Reporter: Wolfgang Knauf Please add support for JakartaEE 10, so that a valid "application.xml" can be created. As WildFly 27 defaults to JakartaEE 10, I am in the process of updating the archetype for a blank WildFly EAR project. And to keep it clean, I want the maven-ear-plugin to create a JakartaEE 10 "application.xml" instead of the JavaEE8 version. In the moment, I think I will switch off generating this file ("false") in order to avoid confusion. I see that [https://issues.apache.org/jira/projects/MEAR/issues/MEAR-302] already added support for JakartaEE9, so I could even try to send a similar pull request for 10. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MSHARED-1139) Calculate baseurl by means of Path and URI in Verifier#newDefaultFilterMap()/#verifyFilePresence()
[ https://issues.apache.org/jira/browse/MSHARED-1139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608398#comment-17608398 ] Edward Lynch-Milner commented on MSHARED-1139: -- [~michael-o] I've made changes to newDefaultFilterMap but unsure what needs to be changed in verifyFilePresence(). Could you clarify? > Calculate baseurl by means of Path and URI in > Verifier#newDefaultFilterMap()/#verifyFilePresence() > -- > > Key: MSHARED-1139 > URL: https://issues.apache.org/jira/browse/MSHARED-1139 > Project: Maven Shared Components > Issue Type: Improvement > Components: maven-verifier >Reporter: Michael Osipov >Priority: Major > Labels: up-for-grabs > Fix For: maven-verifier-2.0.0 > > > The code does some hacks to calculate the baseurl. It can be much easier > achieved with {{Path}} and {{{}URI{}}}. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (MWRAPPER-68) MVNW_REPOURL improperly formed distributionUrl
[ https://issues.apache.org/jira/browse/MWRAPPER-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608400#comment-17608400 ] Jimisola Laursen commented on MWRAPPER-68: -- Any idea when 3.2.0 can/will be released? There are couple of [bugs|https://issues.apache.org/jira/issues/?jql=project%20%3D%20MWRAPPER%20AND%20fixVersion%20%3D%203.2.0] that stops us from upgrading to 3.1.1 > MVNW_REPOURL improperly formed distributionUrl > -- > > Key: MWRAPPER-68 > URL: https://issues.apache.org/jira/browse/MWRAPPER-68 > Project: Maven Wrapper > Issue Type: Bug > Components: Maven Wrapper Jar >Affects Versions: 3.1.1 >Reporter: HumanFund >Assignee: Slawomir Jaranowski >Priority: Major > Fix For: 3.2.0 > > > In Maven Wrapper v3.1.1, Installer::createDist(), file > maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java, was > updated on line 74 to be: > distributionUrl = new URI( mvnwRepoUrl ).resolve( "/" ).resolve( mvnPath ); > The above update is causing the distributionUrl to be improperly formed based > on the MVNW_REPOURL environment variable and the mvnPath which is extracted > from the distributionUrl in maven-wrapper.properties, specifically the > substring starting with "org/apache/maven". > The update was introduced in the following commit: > [https://github.com/apache/maven-wrapper/commit/22a3268def96e5e648aa97a49d9e146e529b7c87#diff-193f3775e6efb0b6ed01219b21272f9eb3861965ce3af3586a0ce8eb153359c0] > An example of the results are shown below. Note the "Downloading" URI does > not include the entire repo url, only the scheme, host, and port, then the > maven path is appended. > The repo url is getting truncated by the call to resolve( "/" ) on line 74. > I do not currently see a purpose for having this call in place. 
I made the > following update to line 74 and it works fine: > distributionUrl = new URI( mvnwRepoUrl ).resolve( mvnPath ); > Note that in Maven Wrapper v3.1.0, the distributionUrl was formed simply by > appending the maven path to the MVNW_REPOURL: > distributionUrl = new URI( mvnwRepoUrl + "/" + mvnPath ); > Example output demonstrating issue: > [exec] [INFO] Apache Maven Wrapper 3.1.1 > [exec] [INFO] Detected MVNW_REPOURL environment variable > [http://localhost:8081/repository/repo-maven-apache-org-maven2/] > [exec] [INFO] Installing Maven distribution > /home/myexamplehome/maven/wrapper/dists/apache-maven-3.6.3-bin/cf3cf814 > [exec] [INFO] Downloading > [http://localhost:8081/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip]
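The three ways of building `distributionUrl` quoted in the issue above, run side by side as an added example (not code from the Maven Wrapper project). The class name, the `slashSafe` and `staysUnder` helpers and the base URL without a trailing slash are assumptions introduced for illustration; the other values come from the issue's log output.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration; class and helper names are hypothetical, not Maven Wrapper code. */
public class DistributionUrlDemo {

    // Relative path taken from the "Downloading" line in the issue's output.
    static final String MVN_PATH =
            "org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip";

    /** Form quoted for v3.1.1: resolve("/") first replaces the whole base path with "/". */
    static URI v311(String repoUrl) throws URISyntaxException {
        return new URI(repoUrl).resolve("/").resolve(MVN_PATH);
    }

    /** Reporter's change: resolve the relative path against the repo URL directly. */
    static URI reporterFix(String repoUrl) throws URISyntaxException {
        return new URI(repoUrl).resolve(MVN_PATH);
    }

    /** Form quoted for v3.1.0: plain string concatenation. */
    static URI v310(String repoUrl) throws URISyntaxException {
        return new URI(repoUrl + "/" + MVN_PATH);
    }

    /** Hypothetical variant: force a trailing slash so resolve() keeps the last segment. */
    static URI slashSafe(String repoUrl) throws URISyntaxException {
        return new URI(withTrailingSlash(repoUrl)).resolve(MVN_PATH);
    }

    static String withTrailingSlash(String url) {
        return url.endsWith("/") ? url : url + "/";
    }

    /** True when the download URL is still inside the configured repository. */
    static boolean staysUnder(String repoUrl, URI download) {
        URI base = URI.create(withTrailingSlash(repoUrl)).normalize();
        URI target = download.normalize();
        if (base.getScheme() == null || base.getAuthority() == null) {
            return false; // a relative base cannot pin the download to a host
        }
        return base.getScheme().equalsIgnoreCase(target.getScheme())
                && base.getAuthority().equalsIgnoreCase(target.getAuthority())
                && target.getPath() != null
                && target.getPath().startsWith(base.getPath());
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] repoUrls = {
            // MVNW_REPOURL value from the issue's log output
            "http://localhost:8081/repository/repo-maven-apache-org-maven2/",
            // Constructed input: the same repository without the trailing slash
            "http://localhost:8081/repository/repo-maven-apache-org-maven2"
        };
        for (String repoUrl : repoUrls) {
            Map<String, URI> results = new LinkedHashMap<>();
            results.put("3.1.1 resolve(\"/\").resolve(path)", v311(repoUrl));
            results.put("reporter resolve(path)", reporterFix(repoUrl));
            results.put("3.1.0 concatenation", v310(repoUrl));
            results.put("slashSafe (hypothetical)", slashSafe(repoUrl));

            System.out.println("MVNW_REPOURL = " + repoUrl);
            for (Map.Entry<String, URI> e : results.entrySet()) {
                System.out.printf("  %-36s %s  inside repo: %b%n",
                        e.getKey(), e.getValue(), staysUnder(repoUrl, e.getValue()));
            }
        }
    }
}
```

With the input that lacks a trailing slash, `resolve( mvnPath )` replaces the last path segment of the base, as RFC 3986 reference resolution specifies, so only the concatenation and `slashSafe` forms keep the download inside the configured repository.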
[GitHub] [maven-verifier] michael-o opened a new pull request, #53: [MSHARED-1139] Calculate baseurl by means of Path and URI in Verifier…
michael-o opened a new pull request, #53: URL: https://github.com/apache/maven-verifier/pull/53 …#newDefaultFilterMap()/#verifyFilePresence()
[GitHub] [maven-verifier] michael-o commented on pull request #53: [MSHARED-1139] Calculate baseurl by means of Path and URI in Verifier…
michael-o commented on PR #53: URL: https://github.com/apache/maven-verifier/pull/53#issuecomment-1255514161 @slawekjaranowski Which project would be best to test with?
[GitHub] [maven-verifier] slawekjaranowski commented on pull request #53: [MSHARED-1139] Calculate baseurl by means of Path and URI in Verifier…
slawekjaranowski commented on PR #53: URL: https://github.com/apache/maven-verifier/pull/53#issuecomment-1255531533 both `baseurl`, `basedir` are used in core its
[GitHub] [maven-verifier] michael-o commented on pull request #53: [MSHARED-1139] Calculate baseurl by means of Path and URI in Verifier…
michael-o commented on PR #53: URL: https://github.com/apache/maven-verifier/pull/53#issuecomment-126964 Here it is: https://github.com/apache/maven-integration-testing/pull/201 I have a few failures locally...
[jira] [Updated] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Herve Boutemy updated MNG-6965: --- Issue Type: Wish (was: Bug) > Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their > classpath > > > Key: MNG-6965 > URL: https://issues.apache.org/jira/browse/MNG-6965 > Project: Maven > Issue Type: Wish > Components: Plugins and Lifecycle >Affects Versions: 3.6.0, 3.6.3 > Environment: Win7, Win10, at least one variant of Linux (not sure > which) >Reporter: Mark Nolan >Assignee: Sylwester Lachiewicz >Priority: Major > Labels: archetype > Fix For: 3.9.0, 4.0.0-alpha-1, 4.0.0 > > Attachments: pom.xml > > > A simple minimal archetype pom following the manual pages downloads > plexus-utils 1.1, even though it is not (apparently) declared anywhere. This > version is banned at my organization (edited to add: due to vulnerabilities), > meaning such a pom always fails. > > {code:xml} > http://maven.apache.org/POM/4.0.0"; > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; > xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 > http://maven.apache.org/xsd/maven-4.0.0.xsd";> > 4.0.0 > test > test > 0.0.1-SNAPSHOT > maven-archetype > test > > > > org.apache.maven.archetype > archetype-packaging > 3.1.2 > > > > > > org.apache.maven.plugins > maven-archetype-plugin > 3.1.2 > > > > > > {code} > Running any goal, such as mvn -X clean, produces the following before the > goal is executed: > {code} > [DEBUG] Dependency collection stats: {ConflictMarker.analyzeTime=952800, > ConflictMarker.markTime=586900, ConflictMarker.nodeCount=1, > ConflictIdSorter.graphTime=549200, ConflictIdSorter.topsortTime=586700, > ConflictIdSorter.conflictIdCount=1, ConflictIdSorter.conflictIdCycleCount=0, > ConflictResolver.totalTime=3313100, ConflictResolver.conflictItemCount=1, > DefaultDependencyCollector.collectTime=66890900, > DefaultDependencyCollector.transformTime=8523500} > [DEBUG] 
org.apache.maven.archetype:archetype-packaging:jar:3.1.2: > [DEBUG]org.codehaus.plexus:plexus-utils:jar:1.1:runtime > {code} > > As far as I can see, there is no declared dependency on plexus-utils:1.1.
[jira] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965 ] Herve Boutemy deleted comment on MNG-6965: was (Author: hudson): Build unstable in Jenkins: Maven » Maven TLP » maven » PR-756 #6 See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/PR-756/6/
[jira] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965 ] Herve Boutemy deleted comment on MNG-6965: was (Author: hudson): Build failed in Jenkins: Maven » Maven TLP » maven » PR-757 #2 See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/PR-757/2/
[jira] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965 ] Herve Boutemy deleted comment on MNG-6965: was (Author: hudson): Build unstable in Jenkins: Maven » Maven TLP » maven » PR-394 #18 See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/PR-394/18/
[jira] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965 ] Herve Boutemy deleted comment on MNG-6965: was (Author: hudson): Build succeeded in Jenkins: Maven » Maven TLP » maven » PR-756 #7 See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/PR-756/7/
[jira] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965 ] Herve Boutemy deleted comment on MNG-6965: was (Author: hudson): Build succeeded in Jenkins: Maven » Maven TLP » maven » master #63 See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/master/63/
[jira] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965 ] Herve Boutemy deleted comment on MNG-6965: was (Author: hudson): Build unstable in Jenkins: Maven » Maven TLP » maven » MNG-7451 #6 See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/MNG-7451/6/
[jira] (MNG-6965) Extensions suddenly have org.codehaus.plexus:plexus-utils:jar:1.1 on their classpath
[ https://issues.apache.org/jira/browse/MNG-6965 ] Herve Boutemy deleted comment on MNG-6965: was (Author: hudson): Build unstable in Jenkins: Maven » Maven TLP » maven » maven-3.8.x #34 See https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven/job/maven-3.8.x/34/
[jira] [Commented] (MWRAPPER-68) MVNW_REPOURL improperly formed distributionUrl
[ https://issues.apache.org/jira/browse/MWRAPPER-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608556#comment-17608556 ] Slawomir Jaranowski commented on MWRAPPER-68: - [~lfvjimisola] Comment on closed issue can be missed ... for releases plan good idea is ask on dev list. By the way m-wrapper-p is on my list ... probably a will take care about it at the end of October
[jira] [Commented] (MEAR-309) Support JakartaEE 10
[ https://issues.apache.org/jira/browse/MEAR-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17608562#comment-17608562 ] Slawomir Jaranowski commented on MEAR-309: -- [~wknauf] PR are always welcome. > Support JakartaEE 10 > > > Key: MEAR-309 > URL: https://issues.apache.org/jira/browse/MEAR-309 > Project: Maven EAR Plugin > Issue Type: Improvement >Affects Versions: 3.2.0 >Reporter: Wolfgang Knauf >Priority: Major > > Please add support for JakartaEE 10, so that a valid "application.xml" can be > created. > As WildFly 27 defaults to JakartaEE 10, I am in the process of updating the > archetype for a blank WildFly EAR project. And to keep it clean, I want the > maven-ear-plugin to create a JakartaEE 10 "application.xml" instead of the > JavaEE8 version. > > In the moment, I think I will switch off generating this file > ("false") in order to avoid > confusion. > > I see that [https://issues.apache.org/jira/projects/MEAR/issues/MEAR-302] > already added support for JakartaEE9, so I could even try to send a similar > pull request for 10.
[GitHub] [maven-mvnd] 1013461195 opened a new issue, #693: can't use system environment variable?
1013461195 opened a new issue, #693: URL: https://github.com/apache/maven-mvnd/issues/693 execute `mvnd clean` `mvnd -version`,tip me 'Could not get a real path from path $JAVA_HOME'